Shell Items, Eventlogs, Forensics

Transcription

1 Shell Items, Eventlogs, Forensics Georgi Nikolov today

2 Shell Items

3 What are shell items? Figure 1:

4 Shell Items Overview Data or file holding information for accessing another file Serves as a pointer to a file/program/folder Attributes Type of Drive Target is On Path of Target file Target Metadata

5 Recent Documents Remember the recent documents we saw catalogued in the registry? Figure 2: Do you remember?

6 Recent Documents Shortcut Files (.lnk) LNK files are automatically created by Windows in Recent folder Users\<user>\AppData\Roaming\Microsoft\Windows\Recent Non-executable files opened generate TWO linkfiles One link file for the target file One link file for parent folder of target file

7 Recent Documents Shortcut Files (.lnk) (cont.) Link file points to Target file MAC times Volume Information (Name, Type, Vol.Serial#) Fixed, Removable, Network Target Original Path & Location Each link file has: The time and date the link file was created The time and date the link file was last modified

8 Recent Documents Shortcut Files (.lnk) (cont.) In Win8/8.1 and further URL link files are created when a website is accessed via: The Run Dialog The Windows search charm From a lnk file From a link in an application

9 Jump Lists Figure 3: A list of previously visited items/locations

10 Win7 - Win10 Jump Lists Right-click on a program or task Lists of recently accessed items/files a user can jump to Items may be present in list even after being deleted

11 Automatic Destinations Location C:\Users\<user>\AppData\Roaming\Microsoft\Windows\ Recent\AutomaticDestinations Contains a list of applications sorted by AppID Files have: Creation Time = First time item added to the AppID file. First time of execution of application, with the file open Modification Time = Last time item added to the AppID file. Last time of execution of application, with the file open

12 AppIDs Each application has unique identifiers but not unique to the system Unique identifiers are universal across all the Windows systems (table of AppIDs matched to Applications)

13 Tracking Folder/Directory Usage Win7-Win10 Shellbags Shellbags contain information about accessed folders Windows uses the Shellbag keys to store preferences for the GUI folder display Can track user activity by examining which folders have been accessed Shellbags also can contain information about files in the accessed folders

14 Event Log Analysis

15 Windows Events Centralized recording of information about: Software Hardware Operating system functions Security Multiple events compromise an event log

16 A collection of Event logs Figure 4:

17 Event Log Analysis What happened? When it happened? What user was involved? What systems were involved? Which resources were accessed?

18 Event Log Definition Any significant occurrence in the system or in a program that requires users to be notified, or an entry added to a log [1] [1]

19 Where to find the event logs In Windows NT/2000/XP/Server 2003 first logs introduced in NT 3.1 in 1993 *.evt file format %systemroot%\system32\config Files: SecEvent.evt, AppEvent.evt, SysEvent.evt In Windows Visa/7-10/2008/2012/2016 *.evtx file format %systemroot%\system32\winevt\logs Remote log server Files: Security.evtx, Application.evtx, System.evtx

20 Where to find the event logs (cont.) Event logs location can be retrieved from the registry HKLM\SYSTEM\CurrentControlSet\Services \EventLog\Application HKLM\SYSTEM\CurrentControlSet\Services \EventLog\System HKLM\SYSTEM\CurrentControlSet\Services \EventLog\Security

21 How event logs work Logs are implemented using circular buffer The buffer loops around Eventually oldest entries are overwritten by newest ones In previous versions logs are stored locally In newer versions logs can be sent to remote servers (! ) Important to remember to check external servers

22 *.evtx Log File format Memory efficiency, less costly to log XML format good for filtering Improved messaging Expanded number of event logs

23 Types of Event logs Security System access control and security settings information events based on audit and group policies Application Custom events related to Windows services, drivers, resources, ect. software events unrelated to OS custom application logs

24 Extra types of Event logs Directory Service standard on domain controllers records events logged by Active Directory and its related services File Replication Service standard on domain controllers records updates between the domain controller infrastructure DNS Server standard on servers running the DNS service records DNS administrative information (zone management, start/stop of DNS service)

25 Applications and Services Logs Introduction of new format opens the way to more specialised event logs In addition to Application, System and Security over 60 other event log types Specialised logs go further back in time than the 3 major event logs New logs can be broken into three categories: Setup : identifies what Windows security updates, patches and hotfixes have been added to the system Forwarded Events : Windows Collection Service is responsible for collecting logs from remote systems to a collector system Applications and Services : compromises the new custom logs introduced in newer versions of Windows

26 Applications and Services Logs (cont.) Figure 5:

27 Security logs Most commonly reviewed in forensics analysis Failure and success can be audited Only updated by the LSASS process Security logs record: Account Logon, Account Management, Directory services, Logon Events, Object Accces, Policy Change, Privilege Use, Process Tracking, System Events

28 What is Recorded? Account Logon Account Mgmt Directory Service Logon events Object Access Policy Change Privilege Use Process Tracking System Events

29 Event Types Error Warning Information significant problem occured: loss of data or functionality not significant problem, may indicate future problem successful operation of application, driver or service Success audit audited security event completed successfully Failure audit audited security event completed unsuccessfully

30 s

31 Forensics Figure 6:

32 Why do we need Forensics? High amount of phishing attacks Users have low understanding of security measures Can contain User specific information Insight into what events happened

33 Have you been pwned? Figure 7:

34 Important questions Where are the files stored? ex. Host-based , servers, cloud-based , mobile How to acquire them? What information can we find?

35 Where are the files stored Host-based s data stored on local machine local stored s almost always assoiciated with an client potentially password protected deleted archives

36 Local clients Microsoft Outlook Mozilla Thunderbird Information over client stored in registry: NTUSER.DAT\Unreadmail

37 Microsoft Outlook File extension : *.pst" Archive stored by default in (can be quite big): %USER%\AppData\Local\Microsoft\Outlook Data about client stored in registry Encryption/obfuscation enabled by default

38 Mozilla Thunderbird File extension : *.mbox" Archive stored by default in (can be quite big): %USER%\AppData\Roaming\Thunderbird\Profiles\<Profile name>\" Data about client stored in registry Encryption/obfuscation enabled by default

39 How to acquire the data Microsoft Outlook (cont.) Use of dedicated tools to parse the *.pst" files readpst - transforms PST files to MBOX pffexport - extracts PST files to readable format Mozilla Thunderbird (cont.) s stored in MIME format s can be accessed easily through the User s profile folder

40 What information can we find? Who sent the ? address IP address Contextual clues When was it sent? Header date and time Mail server timestamps

41 What information can we find? (cont.) Where was it sent from? IP address/isp Geo-location Mail server domain Message ID Is there relevant content? Message body Attachments Address book Calender entries

42 What information can we find? (cont.) Figure 8:

43 Review major forensic principles 1. Review installed applications 2. Locate and acquire local archives 3. Identify and export the mailboxes 4. Process and review using forensic tools 5. Export relevant files from archive