
digital-forensics's Introduction

Purpose


The purpose of this repo is to store information regarding the Digital Forensics unit from the TAFE Advanced Diploma. This includes scripts, information, images, etc.

Scripts


ChromeHistory.py


This script has been developed to enhance my understanding of where important information regarding URL history is stored by the Chrome web browser.

About the script (Justification)

When I write a program I like to justify the use of certain technologies over others, and to gain more understanding of the use cases and purposes of those technologies.

  1. Object Orientation: Object orientation has been used in my script to allow more modules to be imported into the class that conduct further analysis. It allows me to keep more control over the class variables and modules. It also removes the practice of using multiple parameters in class functions and instead replaces them with the self object, allowing for greater readability and fewer violations of the DRY principle.

  2. Subprocess Module: The subprocess module was used to execute commands on the Windows system and to discover the username of the user running the script.

Future Additions


In the future I will be adding more modules to allow more information to be pulled from the Chrome history data such as Time-Visited or find the most common URL typed.

Contributors

migden

Internet Browser Forensics.md

Internet Browser Forensics


Introduction


The internet is one main reason why computers and smartphones have become so popular. This module will teach you how to access web history from Windows computers and utilize it in an investigation.

Objectives

  • Learn what files and folders are associated with web history
  • Learn how to read data within the web history files
  • Learn how to view cached data

Learn what files are associated with chrome history


In order to view data relating to history in Chrome, navigate to the path <user>/AppData/Local/Google/Chrome/User Data/Default.

Within this folder is a collection of useful information such as cookies, login data, and history.

Inside the above directory there is a file called History. This file contains a range of information regarding history in the Chrome browser. The file is wiped when history is cleared, and is not updated when incognito mode is used. Within the file is information such as:

  • URLs
  • ID
  • Title
  • Visit Counts
  • Last_Visit_Time
  • Redirects
  • Visit Duration
  • Keyword Searches
  • Downloads
  • Download path
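
The History file is an SQLite database, so the fields listed above can be queried directly from an exported copy. The following is an added example for this page and is not the repository's own ChromeHistory.py; it assumes only that the `urls` table carries id/url/title/visit_count/last_visit_time, that `keyword_search_terms` records omnibox searches, and that Chrome stores times as microseconds since 1601-01-01 UTC. The rows written by build_sample_history() are constructed sample data.

```python
"""Read a copy of Chrome's History file and decode its timestamps (added example)."""
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time_to_datetime(value: int) -> datetime:
    """Chrome/WebKit timestamp (microseconds since 1601-01-01 UTC) -> aware datetime."""
    return CHROME_EPOCH + timedelta(microseconds=value)


def datetime_to_chrome_time(when: datetime) -> int:
    """Inverse conversion, done in integer arithmetic; used here only to build sample rows."""
    delta = when - CHROME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def open_readonly(db_path: str) -> sqlite3.Connection:
    """Open the evidence copy read-only so the examiner never alters it."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def recent_urls(db_path: str, limit: int = 20) -> list:
    """Most recently visited URLs, newest first, with timestamps converted to UTC."""
    conn = open_readonly(db_path)
    try:
        rows = conn.execute(
            "SELECT id, url, title, visit_count, last_visit_time "
            "FROM urls ORDER BY last_visit_time DESC LIMIT ?", (limit,)).fetchall()
    finally:
        conn.close()
    return [{"id": i, "url": u, "title": t, "visit_count": c,
             "last_visit": chrome_time_to_datetime(lv).isoformat()}
            for i, u, t, c, lv in rows]


def search_terms(db_path: str) -> list:
    """Search terms typed into the omnibox, joined to the URL they produced."""
    conn = open_readonly(db_path)
    try:
        rows = conn.execute(
            "SELECT k.term, u.url FROM keyword_search_terms k "
            "JOIN urls u ON u.id = k.url_id ORDER BY u.last_visit_time DESC").fetchall()
    finally:
        conn.close()
    return [{"term": term, "url": url} for term, url in rows]


def build_sample_history(db_path: str) -> None:
    """Create a minimal History-like database with constructed rows (test fixture)."""
    base = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    conn = sqlite3.connect(db_path)
    with conn:
        conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                     "visit_count INTEGER, last_visit_time INTEGER)")
        conn.execute("CREATE TABLE keyword_search_terms (keyword_id INTEGER, "
                     "url_id INTEGER, term TEXT, normalized_term TEXT)")
        conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", [
            (1, "https://example.org/login", "Sign in", 4, datetime_to_chrome_time(base)),
            (2, "https://www.example.com/search?q=forensics", "forensics - Search", 1,
             datetime_to_chrome_time(base + timedelta(minutes=5))),
            (3, "https://example.net/report.pdf", "Report", 2,
             datetime_to_chrome_time(base - timedelta(days=1))),
        ])
        conn.execute("INSERT INTO keyword_search_terms VALUES (?, ?, ?, ?)",
                     (2, 2, "forensics", "forensics"))
    conn.close()


def make_sample_db() -> str:
    """Write the constructed fixture to a temporary directory and return its path."""
    path = os.path.join(tempfile.mkdtemp(prefix="chrome-history-"), "History")
    build_sample_history(path)
    return path


if __name__ == "__main__":
    sample = make_sample_db()          # replace with the path to an exported History copy
    for row in recent_urls(sample):
        print(row["last_visit"], row["visit_count"], row["url"])
    for hit in search_terms(sample):
        print("search:", hit["term"], "->", hit["url"])
```

Always work on an exported copy: the live History file is locked while Chrome runs and opening it writably would alter evidence, which is why the connection is made with mode=ro.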

Cookies and site data


In the Chrome Default folder another file exists called Cookies. This contains all the information that websites require when visited by the user, such as:

  • Name
  • Role
  • Date Joined
  • Parameters
  • Shopping Cart
  • Cookie name.

Cached Files


Files and information that have been cached by Google Chrome are stored under Cache. This can be images or website thumbnails.

Firefox and Internet Explorer History


The format of the Firefox and Internet Explorer web browser files is similar. The directories include <user>/AppData/Local/Microsoft/Windows, and for Firefox <user>/AppData/Local/Mozilla/FireFox/Profiles/<mozilla-version>.

Email Analysis.md

Email Analysis


Introduction

Emails are the most popular means of communication for businesses, so it is essential to understand how they work and to learn how to investigate metadata related to emails.

Objectives
  • Learn what an email header is
  • Learn what type of data is stored in the email header and how to utilise it
  • Learn how to use Email Header Analyzer to parse email headers

Reading Email Headers


When reading email headers, it is always advised to start from the bottom. This is because the email passes through different servers during the transmission, and each one adds a header. This means the oldest data is at the bottom, and thus the original details.

Now that we are at the bottom of the email, let's dissect the data.

Typically, when we view an email's metadata normally, it will contain the recipients' and senders' email addresses, the subject, and the date sent.

However, analysing the headers of the email will reveal more important details, such as the Message-ID. This can be used to determine the original sender: a communication provider can use this information to identify and learn the IP address of the sender. It can also be used to determine if the email was forwarded or a reply.

Continuing up the email source, we can see even more important information such as the Received header. The Received header provides the details about the first server that received the email.

The next headers are Received-SPF and DKIM-Signature; these are headers used to detect spoofed and tampered emails.

Scrolling up the email source to the top, we can also see the ARC headers; these are similar to SPF and DKIM and can tell whether the email passed authenticity tests. The header X-Received displays the server that received the email, and Delivered-To shows the final server that delivered the message to the recipient's inbox and the time of delivery.
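
The bottom-up reading described above can be automated. The following is an added example, not part of the original notes: it uses only Python's standard email package to reverse the Received headers (oldest hop first), pull the originating host and IP from each, compute the delay between hops, and collect the Message-ID, Received-SPF, DKIM-Signature and ARC results. SAMPLE_EMAIL is a constructed message using documentation-range addresses, and its DKIM hash and signature fields are placeholders.

```python
"""Walk an email's Received chain bottom-up and summarise its authentication headers (added example)."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message; 203.0.113.10 and 192.0.2.25 are documentation addresses.
SAMPLE_EMAIL = """\
Delivered-To: victim@example.org
Received: by 2002:a05:6000:1234 with SMTP id x1; Mon, 15 Jan 2024 12:00:05 +0000
X-Received: by 2002:a05:6000:5678 with SMTP id y2; Mon, 15 Jan 2024 12:00:04 +0000
ARC-Authentication-Results: i=1; mx.example.org; spf=pass smtp.mailfrom=sender.example.net; dkim=pass header.i=@sender.example.net
Received-SPF: pass (mx.example.org: domain of alice@sender.example.net designates 203.0.113.10 as permitted sender)
DKIM-Signature: v=1; a=rsa-sha256; d=sender.example.net; s=sel1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
Received: from mail.sender.example.net (mail.sender.example.net [203.0.113.10]) by mx.example.org with ESMTPS id z3; Mon, 15 Jan 2024 12:00:03 +0000
Received: from alice-laptop.lan (unknown [192.0.2.25]) by mail.sender.example.net with ESMTPSA id w4; Mon, 15 Jan 2024 12:00:01 +0000
Message-ID: <20240115120000.abc123@sender.example.net>
From: Alice <alice@sender.example.net>
To: victim@example.org
Subject: Invoice
Date: Mon, 15 Jan 2024 12:00:00 +0000

Please see the attached invoice.
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
DKIM_DOMAIN_RE = re.compile(r"\bd=([^;\s]+)")


def parse_received(value: str) -> dict:
    """Split one Received header into from-host, bracketed IP, by-host and timestamp."""
    text = " ".join(value.split())            # undo header folding
    if ";" in text:
        clauses, date_part = text.rsplit(";", 1)
    else:
        clauses, date_part = text, ""
    from_m, by_m, ip_m = FROM_RE.search(clauses), BY_RE.search(clauses), IP_RE.search(clauses)
    try:
        when = parsedate_to_datetime(date_part.strip())
    except (TypeError, ValueError):
        when = None
    return {"from_host": from_m.group(1) if from_m else None,
            "ip": ip_m.group(1) if ip_m else None,
            "by_host": by_m.group(1) if by_m else None,
            "time": when}


def received_chain(msg) -> list:
    """Received headers, oldest (bottom-most) first, with the delay since the previous hop."""
    hops = [parse_received(h) for h in reversed(msg.get_all("Received", []))]
    for i, hop in enumerate(hops):
        prev = hops[i - 1]["time"] if i else None
        hop["delay_s"] = (hop["time"] - prev).total_seconds() if prev and hop["time"] else None
    return hops


def auth_summary(msg) -> dict:
    """SPF verdict, DKIM signing domain and ARC-Authentication-Results verdicts."""
    spf = msg.get("Received-SPF")
    dkim = msg.get("DKIM-Signature")
    arc = msg.get("ARC-Authentication-Results")
    dkim_m = DKIM_DOMAIN_RE.search(dkim) if dkim else None
    return {"spf": " ".join(spf.split()).split(" ", 1)[0].lower() if spf else None,
            "dkim_domain": dkim_m.group(1) if dkim_m else None,
            "arc": dict(RESULT_RE.findall(arc)) if arc else {}}


def analyze(raw: str) -> dict:
    msg = message_from_string(raw)
    return {"message_id": (msg.get("Message-ID") or "").strip(),
            "delivered_to": (msg.get("Delivered-To") or "").strip(),
            "chain": received_chain(msg),
            **auth_summary(msg)}


if __name__ == "__main__":
    report = analyze(SAMPLE_EMAIL)
    print("Message-ID:", report["message_id"], "| SPF:", report["spf"], "| ARC:", report["arc"])
    for n, hop in enumerate(report["chain"], 1):
        print(f"hop {n}: {hop['from_host']} [{hop['ip']}] -> {hop['by_host']} "
              f"at {hop['time']} (+{hop['delay_s']}s)")
```

Only the Received header added by your own receiving server can be trusted; everything below it was written by other parties and can be forged, so an unexpected jump in hop delay or a hop whose by-host does not match the next hop's from-host is worth a closer look.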

Tools of the Trade.md

Tools Used in Digital Forensics


FTK Imager


FTK Imager allows you to take an image of a computer to aid in a digital forensics investigation. It allows you to compare hashes and provides a detailed summary of the forensic image such as dates, description, hashing, integrity, etc.

It also allows for analysis of forensics files such as RAM captures.

It saves as a .E01 file; this is the industry standard format for storing forensic images. This allows for further investigation using more advanced tools.

Magnet Process Capture


Magnet Process Capture allows for a full process capture on a machine, you can save to an output file for further examination.

Magnet RAM Capture


Magnet RAM Capture captures all memory in RAM for further investigation with tools like FTK Imager.

REDLINE


REDLINE is an advanced tool that allows you to analyse forensics information such as RAM, memory dumps, processes etc. It can furthermore be utilised to create custom Indicators Of Compromise (IOC). IOCs allow for rules to be designed that can be used to scan file systems or memory for indicators of malicious activity such as Malware

Recycle Bin Forensics.md

Recycle Bin Forensics


The recycle bin is a very popular artefact that stores deleted files. From the user's side, the files are simply there. But from a forensic examiner's perspective, the recycle bin can differentiate who deleted what and provide other information that helps to understand user behaviour.

Forensics with Autopsy


Open Autopsy and create a new case, then import the file system image.

Navigate to the RECYCLER folder. In this folder multiple folders will be included, each containing files that a unique user has deleted. The name of each folder uniquely identifies the user, using a SID or Security Identifier. The SID can be broken down into a computer identifier, then a user identifier.

The last section of the SID is the user identifier called a RID, individual RIDs can be found in the contents of the SAM file.

Enter the folder, then select and export all files found. Then navigate to the command line and utilise the command rifiuti, which is a tool that examines INFO2 files (MS Windows Recycle Bin files).

rifiuti ~/Desktop/Cases/FOR_LAB_009/Export/Lab9-1/INFO2 > ~/Desktop/Cases/FOR_LAB_009/Export/Lab9-1/INFO2.txt

From there we can now examine the file metadata for the files found in the recycle bin.
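
For readers who want to see what rifiuti is reading, the following added example (not code from the original notes, and not rifiuti itself) pulls the RID out of a RECYCLER folder name and parses INFO2 records into the same fields: index, drive, deletion time and original path. It follows the publicly documented INFO2 version 5 layout used by Windows 2000/XP (20-byte header, 800-byte records holding the ANSI path, index, drive number, a FILETIME and the UTF-16 path); the bytes produced by build_sample_info2() are constructed test data.

```python
"""Parse a Windows 2000/XP INFO2 recycle-bin index and the SID on its folder (added example)."""
import os
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER = struct.Struct("<IIIII")   # version, unused, unused, record size, total logical size
INFO2_VERSION = 5
RECORD_SIZE = 0x320                # 800 bytes on Windows 2000/XP

# offsets inside one record
OFF_ANSI, OFF_INDEX, OFF_DRIVE = 0x000, 0x104, 0x108
OFF_TIME, OFF_SIZE, OFF_UNICODE = 0x10C, 0x114, 0x118


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(when: datetime) -> int:
    delta = when - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def rid_from_sid(folder_name: str) -> int:
    """The last sub-authority of an S-1-5-21-... SID is the RID that maps to a SAM account."""
    parts = folder_name.strip().split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {folder_name!r}")
    return int(parts[-1])


def parse_info2(data: bytes) -> list:
    version, _, _, rec_size, _ = HEADER.unpack_from(data, 0)
    if version != INFO2_VERSION or rec_size != RECORD_SIZE:
        raise ValueError(f"unexpected INFO2 version {version} / record size {rec_size}")
    records = []
    for off in range(HEADER.size, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        index, drive = struct.unpack_from("<II", rec, OFF_INDEX)
        (ft,) = struct.unpack_from("<Q", rec, OFF_TIME)
        (size,) = struct.unpack_from("<I", rec, OFF_SIZE)
        path = rec[OFF_UNICODE:OFF_UNICODE + 520].decode("utf-16-le").split("\x00", 1)[0]
        drive_letter = chr(ord("A") + drive)
        records.append({
            "index": index,
            "drive": drive_letter,
            "deleted": filetime_to_datetime(ft),
            "size": size,
            "original_path": path,
            # the deleted file itself is renamed D<drive><index><ext> inside the SID folder
            "recycled_name": f"D{drive_letter.lower()}{index}{os.path.splitext(path)[1]}",
            # the first byte of the ANSI path is zeroed once the file is restored or the bin emptied
            "restored_or_purged": rec[OFF_ANSI] == 0,
        })
    return records


def build_sample_info2(entries) -> bytes:
    """entries: (index, drive_number, original_path, deleted_at, size). Constructed fixture."""
    out = bytearray(HEADER.pack(INFO2_VERSION, 0, 0, RECORD_SIZE, 0))
    for index, drive, path, when, size in entries:
        rec = bytearray(RECORD_SIZE)
        ansi = path.encode("latin-1")[:259]
        rec[OFF_ANSI:OFF_ANSI + len(ansi)] = ansi
        struct.pack_into("<II", rec, OFF_INDEX, index, drive)
        struct.pack_into("<Q", rec, OFF_TIME, datetime_to_filetime(when))
        struct.pack_into("<I", rec, OFF_SIZE, size)
        uni = path.encode("utf-16-le")[:518]
        rec[OFF_UNICODE:OFF_UNICODE + len(uni)] = uni
        out += rec
    return bytes(out)


SAMPLE_INFO2 = build_sample_info2([
    (1, 2, "C:\\Documents and Settings\\bob\\My Documents\\secret.docx",
     datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc), 24576),
    (2, 2, "C:\\temp\\notes.txt",
     datetime(2024, 1, 15, 12, 30, 0, tzinfo=timezone.utc), 4096),
])

if __name__ == "__main__":
    print("RID of folder:", rid_from_sid("S-1-5-21-1234567890-1234567890-1234567890-1005"))
    for r in parse_info2(SAMPLE_INFO2):   # replace with open(path, "rb").read() on an exported INFO2
        print(r["recycled_name"], r["deleted"].isoformat(), r["size"], r["original_path"])
```

Vista and later replaced INFO2 with per-file $I/$R pairs under $Recycle.Bin, so this parser applies only to images of the older RECYCLER layout that the lab above uses.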

Picture File Analysis.md

Extracting EXIF Data from Picture Files


Picture files are very common, especially now that almost every person owns a powerful recording device, the smartphone.

To view the EXIF data of any picture file the following can be conducted;

exiftool cool_picture.png

EXIF data includes:

  • Permissions
  • Edit dates
  • file size
  • file type
  • camera information
  • software versions
  • image resolution
  • GPS data

Carving Pictures from the Thumbs.db file


Thumbs.db is a hidden database file that contains smaller images of picture files within a folder. This file is created when the user views the picture thumbnail inside certain folders. The Thumbs.db file can be a gold mine, especially if the picture files within the folder are already deleted.

In order to carve images from the Thumbs.db file, open your favorite hexadecimal editor. From here, search the file for numerous file headers such as a JPG file header, and if any matches occur, find the offset to the file footer then extract the file.

Steganography and Alternate Data Streams.md

Steganography


New anti-forensic techniques are always being discovered and utilized to hide, manipulate, and destroy data. Steganography is one such technique. It is very effective in hiding data in plain sight. It is commonly used for transmitting illicit files and communicating secretly.

Hiding information

Adding data to a file or taking data away from a file can change the hash value and file size. So any modification to a common file, like a system file, means an experienced investigator will be able to determine that something is different about the file.

Opening up your favorite hex editor, you can write messages in plain text anywhere that has a NULL value

Extracting a file from another file


You can extract a file from another file via the analysis of file headers and footers. Scanning the file's hexadecimal values for other file header values can be a good indicator that a file is hidden. Files can then be carved by finding the offset to the file footer and extracting the whole file.
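
The header-to-footer carving just described, and the same procedure applied to Thumbs.db in the picture-file notes above, can be scripted instead of done by hand in a hex editor. The following is an added example and is not code from the original notes: it scans a byte blob for the standard JPEG, PNG and GIF magic bytes, extracts each header..footer span, and records a SHA-256 of every carved object so the finding can be documented. SAMPLE_BLOB is a constructed container holding a minimal fake JPEG and PNG inside null padding.

```python
"""Carve embedded picture files out of a byte blob by header/footer scanning (added example)."""
import hashlib
import os

# (header magic, footer magic) per type; the GIF footer is the common carving trailer
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "gif": (b"GIF8", b"\x00\x3b"),
}


def carve(data: bytes, max_size: int = 16 * 1024 * 1024) -> list:
    """Return every header..footer span found, sorted by offset, with a hash of the carved bytes."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = data.find(header)
        while pos != -1:
            end = data.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # header with no footer within max_size: truncated file or a false positive
                pos = data.find(header, pos + 1)
                continue
            end += len(footer)
            chunk = data[pos:end]
            found.append({"type": kind, "offset": pos, "end": end, "size": len(chunk),
                          "sha256": hashlib.sha256(chunk).hexdigest(), "data": chunk})
            pos = data.find(header, end)   # resume after this object rather than inside it
    return sorted(found, key=lambda f: f["offset"])


def write_carved(found: list, out_dir: str) -> list:
    """Write each carved object as <offset>.<type> and return the paths written."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for f in found:
        path = os.path.join(out_dir, f"{f['offset']:08x}.{f['type']}")
        with open(path, "wb") as fh:
            fh.write(f["data"])
        paths.append(path)
    return paths


# Constructed fixtures: just enough structure to carry a real header and footer.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 32 + b"\xff\xd9"
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x02" * 17
            + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
SAMPLE_BLOB = b"\x00" * 64 + FAKE_JPEG + b"\x00" * 32 + FAKE_PNG + b"\x00" * 16

if __name__ == "__main__":
    for f in carve(SAMPLE_BLOB):   # replace with open("Thumbs.db", "rb").read() on an export
        print(f"{f['type']} at 0x{f['offset']:x}..0x{f['end']:x} ({f['size']} bytes) sha256={f['sha256']}")
```

Two caveats a practitioner should keep in mind: a JPEG that embeds an EXIF thumbnail contains a second FFD8/FFD9 pair, so the carver stops at the inner footer and the outer file is truncated; and any 0xFFD9 byte pair that happens to occur inside other data will end a JPEG early. Always open what was carved in a viewer before relying on it.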

Alternate Data Streams - Hiding messages in a file's Data Steam


There are many anti-forensics techniques out there. Hiding data within Alternate Data Streams (ADS) is another simple anti-forensics method that can be done with very little investment.

The following can be done to create ADS files.

Open CMD and navigate to the desired file, such as legitimate_program.exe. Then type the following: type legitimate_program.exe > legitimate_program.exe:secret.txt

It is as simple as that. To open the file you can type: notepad legitimate_program.exe

Detection

To detect if a file has an ADS you can enter the command dir /r into the command prompt and it will highlight any files with ADS attributes.

Metadata and Link File Analysis.md

Metadata and link file analysis


Objectives

  • Learn the difference between file system metadata and embedded metadata
  • Understand what data link files store and how to extract them
  • Learn how to use link file metadata to determine if files were executed and where they were stored

Exporting Link files


After importing a file system image into FTK Imager, navigate to the Documents and Settings folder to view all users and user files. In each user's Recent directory there are multiple .lnk files; these are shortcut files that reference a target file.

To analyse file creation and modification dates, view the file Properties tab. For further examination, export the files by highlighting them, right-clicking, then selecting Export.

Analysing


For further analysis we will be using DART.

In DART.exe navigate to Windows Forensics -> LINK file previewer.

From here import the exported files from FTK Imager

Metadata Extraction


For files that you want to view the metadata for, the tool MetaExtractor can be used. Import files such as .pdf or .txt, then view important information such as date modified, accessed, created, etc.

Windows Forensics.md

Windows Registry Forensics


What is the Windows Registry?


The Windows registry is a collection of databases that contains system configuration data. This could include hardware, software or user configuration information.

Furthermore, it can contain data about recently used files, programs run, or devices connected to the system.

This is vital from a forensic investigation standpoint.

Structure of the Registry


Currently a Windows system contains the following 5 root keys:

  1. HKEY_CURRENT_USER
  2. HKEY_USERS
  3. HKEY_LOCAL_MACHINE
  4. HKEY_CLASSES_ROOT
  5. HKEY_CURRENT_CONFIG

To view these you can open regedit.exe

HKEY_CURRENT_USER

Contains the root configuration information for the user who is currently logged on.

HKEY_USERS

Contains all the actively loaded user profiles on the computer

HKEY_LOCAL_MACHINE

Contains configuration information particular to the computer

HKEY_CLASSES_ROOT

Provides a view of the registry that merges information from HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE

HKEY_CURRENT_CONFIG

Contains information about the hardware profile that is used by the local computer

Structure


The registry contains two basic elements: keys and values. Registry keys are container objects similar to folders. Registry values are non-container objects similar to files.

Keys may contain values and subkeys.

E.g. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows refers to the subkey "Windows" of the subkey "Microsoft" of the subkey "Software" of the HKEY_LOCAL_MACHINE root key.

Windows Registry Hives


A hive is a logical group of keys, subkeys, and values in the registry that is a set of supporting files loaded into memory when the operating system is started or a user logs in.

If you are accessing a live system, you will be able to access the registry using regedit.exe. However, if you only have access to a disk image, you must know where the registry hives are located. The majority are stored in C:\Windows\System32\Config

Hives containing User Information

Apart from the hives located in C:\Windows\System32\Config, two hives containing user information can be found in the user profile directory. The hives are:

  • NTUSER.DAT
  • USRCLASS.DAT

These are hidden files that store information about the user and are loaded when the user logs in or a specific action is conducted.

The Amcache Hive


Apart from the above files, there is another very important hive called the AmCache hive. It is located at C:\Windows\AppCompat\Programs\Amcache.hve. Windows creates this hive to save information on programs that were recently run on the system.

Data Acquisition


When performing forensics, we will either encounter a live system or an image taken of the system. Though we can view the registry through the registry editor, the forensically correct method is to acquire a copy of this data and perform analysis on the copy. However, when we go to copy the registry hives we can't, because access to them is restricted.

Programs for acquiring these files are:

  • KAPE
  • Autopsy
  • FTK Imager

Exploring Windows Registry


Once we have extracted the registry hives, we need a tool to view these files as we would in the registry editor, since the registry editor only works with live systems.

The following are tools that can be used to analyse registry hives:

  • Registry Viewer
  • Zimmerman's registry explorer
  • RegRipper

Recent Files


Windows maintains a list of recently opened files for each user. As we might have seen when using Windows Explorer, it shows us a list of recently used files.

This information is stored in the NTUSER hive and can be found at the location NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Office Recent Files


Similar to the recent docs maintained by windows explorer, Microsoft Office also maintains a list of recently opened documents. This list is also in the NTUSER hive. It can be found in the following location NTUSER.DAT\Software\Microsoft\Office\{VERSION}

Shellbags


When any user opens a folder, it opens in a specific layout. Users can change this layout according to their preferences. These layouts can be different for different folders. This information is stored in the following locations:

  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
  • NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

User Assist


Windows keeps a log of applications that have been run on the system, as well as statistical data regarding these applications. However, there are multiple different hives that provide different pros and cons regarding program execution logging.

UserAssist

Present in NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count, GUID standing for Globally Unique Identifier.

While UserAssist provides execution information, any program run via the command line cannot be viewed
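
The UserAssist values are not readable as stored: each value name is ROT13-encoded, and the data is a binary counter block. The following is an added example, not code from the original notes, that decodes both. It assumes the Windows 7 and later layout, in which each Count value is 72 bytes with the run count at offset 4, the focus count at 8, the focus time in milliseconds at 12 and the last-execution FILETIME at offset 60; the sample name and bytes come from build_sample_entry() and are constructed.

```python
"""Decode a UserAssist value name and its Count data, Windows 7+ layout (added example)."""
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
WIN7_ENTRY_SIZE = 72


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """100-ns ticks since 1601-01-01 UTC; a zero FILETIME means 'never recorded'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_name(value_name: str) -> str:
    """UserAssist stores program paths ROT13-encoded; digits, braces and slashes are untouched."""
    return codecs.decode(value_name, "rot_13")


def parse_count(data: bytes) -> dict:
    """Unpack the Windows 7+ Count value: session, run count, focus count/time, last run."""
    if len(data) < 68:
        raise ValueError(f"Count data too short for the Windows 7+ layout: {len(data)} bytes")
    session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)   # ten float slots sit between 16 and 56
    return {"session": session,
            "run_count": run_count,
            "focus_count": focus_count,
            "focus_time": timedelta(milliseconds=focus_ms),
            "last_run": filetime_to_datetime(last_run_ft)}


def parse_entry(value_name: str, data: bytes) -> dict:
    """One registry value (name + REG_BINARY data) -> human-readable record."""
    return {"program": decode_name(value_name), **parse_count(data)}


def build_sample_entry(program: str, run_count: int, focus_count: int,
                       focus_ms: int, last_run: Optional[datetime]):
    """Constructed fixture in the Windows 7+ layout (the unused float slots stay zero)."""
    ft = 0 if last_run is None else ((last_run - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    data = bytearray(WIN7_ENTRY_SIZE)
    struct.pack_into("<IIII", data, 0, 1, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", data, 60, ft)
    return codecs.encode(program, "rot_13"), bytes(data)


SAMPLE_NAME, SAMPLE_DATA = build_sample_entry(
    "C:\\Windows\\System32\\notepad.exe", 3, 2, 45000,
    datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    print("encoded value name:", SAMPLE_NAME)
    entry = parse_entry(SAMPLE_NAME, SAMPLE_DATA)
    print(entry["program"], "runs:", entry["run_count"], "last run:", entry["last_run"])
```

Paths under UserAssist are often prefixed with a known-folder GUID rather than a drive letter, and that GUID is ROT13-encoded along with the rest of the name; decode first, then map the GUID to its folder.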

AmCache

Includes execution path, installation, execution and deletion times, and SHA1 hashes of the executed programs. It is located at C:\Windows\appcompat\Programs\Amcache.hve

BAM/DAM

Background Activity Monitor, or BAM, keeps tabs on the activity of background applications. Similarly, Desktop Activity Moderator, or DAM, is the part of Microsoft Windows that is responsible for optimizing power consumption.

They are located in the:

  • SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
  • SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}

External Devices/USB Device Forensics


When performing forensics on a machine, often the need will arise to identify if any USB or removable drives were attached to the machine.

Device Identification

The following locations keep track of USB keys plugged into a system;

  • SYSTEM\CurrentControlSet\Enum\USBSTOR
  • SYSTEM\CurrentControlSet\Enum\USB

User files location


The directory C:\Documents and Settings holds the information on users created in the Windows system such as files and settings.

This is handy when analysing file system dumps to view user information
