Forensic analysis of Windows hosts using UNIX-based tools

1
Forensic analysis of Windows hosts using
UNIX-based tools
  • Source: Digital Investigation (2004) 1, 197-212
  • Writer: Cory Altheide
  • Reporter: Yao
  • Professor: Shiuh-Jeng Wang

2
Tools
  • SMART for Linux ( ASR Data company )
  • --- a commercial software
  • Autopsy ( by Brian Carrier )
  • --- a free, open source software

3
Properties of the SMART for Linux
  • Support for several image compression formats.
  • The ability to recover deleted files.
  • The ability to mount split image files.
  • Support for the NTFS and FAT file systems.

4
Properties of the Autopsy
  • A web-based wrapper for The Sleuth Kit.
  • A modular, extensible design which allows for
    easy end-user extension, and reduces the
    likelihood of encountering a single point of
    failure.
  • Support for the NTFS and FAT file systems.

5
Deleted file recovery
  • Both tools perform recovery of deleted files on
    FAT and NTFS systems; however, Autopsy's NTFS
    recovery is somewhat rudimentary compared to
    SMART's.
  • When compared to recovering deleted files from a
    FAT file system, recovery on NTFS file systems
    seems almost trivial.

6
Unallocated space
  • Both tools allow for the extraction of unallocated
    space to some degree, although the extraction
    performed by SMART is far more granular and
    customizable.
  • foremost is a very good tool for performing
    file carving against recovered unallocated or
    otherwise unstructured space.
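The carving that foremost performs over extracted unallocated space is a header/footer scan: find a known file signature, then take everything up to the matching trailer. The script below is an added example of that technique and is not foremost's own code; the three-entry signature table is a hand-picked subset of what foremost reads from its configuration file, and the "unallocated space" is constructed here with two deleted files embedded at known offsets.

```python
"""Header/footer file carving over unstructured space, in the style of
foremost. Added example: the signature table is a small assumed subset
and the 'unallocated space' is constructed, not taken from any image."""
import os

# (extension, header, footer). foremost ships a much larger table in its
# configuration file; these three are assumed here for illustration.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("gif", b"GIF89a", b"\x00\x3b"),
    ("pdf", b"%PDF-", b"%%EOF"),
]
MAX_CARVE = 1 << 20  # give up on a header whose footer is not within 1 MiB


def carve(data, signatures=SIGNATURES, max_carve=MAX_CARVE):
    """Return [(ext, offset, carved_bytes)] sorted by offset.

    Every header occurrence is tried; a header with no footer inside
    max_carve bytes is skipped rather than carved open-ended. Nested or
    overlapping matches are reported separately, as happens on
    fragmented space, so the analyst still has to validate each hit.
    """
    found = []
    for ext, header, footer in signatures:
        pos = data.find(header)
        while pos != -1:
            end = data.find(footer, pos + len(header), pos + max_carve)
            if end != -1:
                end += len(footer)
                found.append((ext, pos, data[pos:end]))
            pos = data.find(header, pos + 1)
    return sorted(found, key=lambda hit: hit[1])


def write_carved(hits, outdir):
    """Write each hit as <offset>.<ext>, mirroring foremost's output layout."""
    os.makedirs(outdir, exist_ok=True)
    for ext, offset, blob in hits:
        with open(os.path.join(outdir, f"{offset:08d}.{ext}"), "wb") as fh:
            fh.write(blob)


# Constructed filler: a byte ramp that contains none of the signatures.
FILLER = bytes(range(256)) * 4          # 1024 bytes
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF" + b"A" * 100 + b"\xff\xd9"
FAKE_PDF = b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\n%%EOF"


def build_sample_unallocated():
    """Constructed stand-in for extracted unallocated space: filler with a
    deleted JPEG at offset 1024 and a deleted PDF at offset 2158."""
    return FILLER + FAKE_JPEG + FILLER + FAKE_PDF + FILLER


if __name__ == "__main__":
    for ext, offset, blob in carve(build_sample_unallocated()):
        print(f"{ext} at offset {offset}, {len(blob)} bytes")
```

Because the scan is purely signature-driven, a footer that appears inside another file (or a header that survives in slack with its footer long gone) produces a hit that only looks like a file; treat carved output as candidates to be verified, not as recovered evidence in itself.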

7
Keyword searching
  • SMART
  • --- simple term search
  • --- Unicode term search
  • Autopsy
  • --- lack of Unicode support
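Why the Unicode gap matters on a Windows image: NTFS stores file names (and many applications store strings) as UTF-16LE, so an ASCII-only term search never sees "secret" encoded as `s\0e\0c\0r\0e\0t\0`. The script below is an added example, not code from SMART or Autopsy, that searches raw bytes for both encodings; the image fragment it scans is constructed to hold one UTF-16LE file name and one ASCII body string.

```python
"""Keyword search of raw image bytes in both ASCII and UTF-16LE. Added
example illustrating the Unicode gap noted for Autopsy; the 'image
fragment' is constructed, not data from either tool."""


def needles_for(term, case_insensitive=True):
    """Byte patterns to look for: the ASCII form (when the term is pure
    ASCII) and the UTF-16LE form that NTFS uses for file names."""
    out = {}
    try:
        out["ascii"] = term.encode("ascii")
    except UnicodeEncodeError:
        pass  # non-ASCII term: only the Unicode form can exist on disk
    out["utf-16le"] = term.encode("utf-16-le")
    if case_insensitive:
        # bytes.lower() touches only A-Z, so the \x00 bytes of UTF-16LE
        # survive; this folding is exact for ASCII-range terms only.
        out = {enc: needle.lower() for enc, needle in out.items()}
    return out


def keyword_search(data, term, case_insensitive=True):
    """Return {encoding: [offsets]} for every occurrence of term in data.
    No alignment is assumed for UTF-16LE, so a name that starts at an
    odd offset is still found."""
    hay = data.lower() if case_insensitive else data
    hits = {}
    for enc, needle in needles_for(term, case_insensitive).items():
        offsets = []
        pos = hay.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = hay.find(needle, pos + 1)
        hits[enc] = offsets
    return hits


# Constructed fragment: 16 bytes standing in for an attribute header, a
# UTF-16LE file name (as in an NTFS $FILE_NAME attribute), 8 bytes of
# padding, then an ASCII document body.
SAMPLE = (b"\x00" * 16
          + "secret.doc".encode("utf-16-le")
          + b"\x00" * 8
          + b"Secret memo body text, not for distribution.")


if __name__ == "__main__":
    for enc, offsets in keyword_search(SAMPLE, "secret").items():
        print(f"{enc}: {offsets}")
```

An ASCII-only search of the same fragment reports only offset 44 and misses the file name at offset 16, which is exactly the evidence (deleted file names in MFT entries, Unicode strings in registry and application data) that an NTFS examination most often turns on.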

8
Windows file examination
  • Trojan Defense
  • --- use Clam Antivirus and F-prot to scan the
    mounted volume for known malicious code.

9
Pasco, Galleta, and Rifiuti
  • Rifiuti parses INFO2 files from the Recycle Bin.
  • --- the INFO2 file is an index of the deleted
    files' former metadata
  • Galleta parses Internet Explorer cookies.
  • --- a plain text file
  • Pasco parses Internet Explorer history files.
  • --- an index.dat file stores data about a
    user's web surfing history
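To make the INFO2 bullet concrete, here is an added example parser for the Windows 2000/XP INFO2 index that rifiuti reads; it is not rifiuti's code. It assumes the published INFO2 layout (a 16-byte header whose last field is the record size, then 800-byte records holding the ANSI path, index, drive number, FILETIME of deletion, size and UTF-16LE path) and builds a constructed INFO2 blob with two records, the second marked as emptied from the bin. The paths, dates and sizes are invented sample values.

```python
"""Parser for the Windows 2000/XP Recycle Bin INFO2 index (the file
rifiuti reads). Added example, not rifiuti's code; the INFO2 blob and
every path/date/size in it are constructed here."""
import struct
from datetime import datetime, timedelta, timezone

HEADER = struct.Struct("<IIII")          # version, unused, unused, record size
RECORD = struct.Struct("<260sIIQI520s")  # ANSI path, index, drive, FILETIME, size, UTF-16LE path
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def parse_info2(blob):
    """Return one dict per record; a truncated trailing record is ignored."""
    version, _, _, rec_size = HEADER.unpack_from(blob, 0)
    if rec_size != RECORD.size:
        raise ValueError(f"unsupported INFO2 record size {rec_size} (version {version})")
    records = []
    off = HEADER.size
    while off + rec_size <= len(blob):
        ansi, index, drive, ft, size, uni = RECORD.unpack_from(blob, off)
        off += rec_size
        unicode_path = uni.decode("utf-16-le").split("\x00", 1)[0]
        # When a file is restored or purged, Windows zeroes the first byte
        # of the ANSI path; the Unicode copy normally survives, which is
        # why the original name can still be reported.
        emptied = ansi[0] == 0
        ansi_path = ansi.split(b"\x00", 1)[0].decode("latin-1")
        path = unicode_path or ansi_path
        name = path.rsplit("\\", 1)[-1]
        ext = name.rsplit(".", 1)[1] if "." in name else ""
        letter = chr(ord("A") + drive)
        records.append({
            "index": index,
            "drive": letter,
            "path": path,
            # on-disk name inside the Recycle Bin folder: D<drive><index>.<ext>
            "recycled_name": f"D{letter.lower()}{index}" + (f".{ext}" if ext else ""),
            "deleted_at": filetime_to_datetime(ft),
            "size": size,
            "emptied": emptied,
        })
    return records


# Constructed sample data (invented paths, times and sizes).
DELETED_AT = datetime(2004, 6, 15, 12, 0, tzinfo=timezone.utc)
PATH_1 = r"C:\Documents and Settings\yao\Desktop\budget.xls"
PATH_2 = r"C:\Documents and Settings\yao\My Documents\notes.txt"


def _record(path, index, drive, when, size, emptied=False):
    ansi = path.encode("latin-1")
    if emptied:
        ansi = b"\x00" + ansi[1:]   # mimic the zeroed first byte
    return RECORD.pack(ansi, index, drive, datetime_to_filetime(when),
                       size, path.encode("utf-16-le"))


def build_sample_info2():
    header = HEADER.pack(5, 0, 0, RECORD.size)  # version 5 = Windows 2000/XP
    return (header
            + _record(PATH_1, 1, 2, DELETED_AT, 4096)
            + _record(PATH_2, 2, 2, DELETED_AT + timedelta(hours=3), 512, emptied=True))


if __name__ == "__main__":
    for rec in parse_info2(build_sample_info2()):
        print(rec["recycled_name"], rec["deleted_at"].isoformat(), rec["path"])
```

The recycled name is what the examiner will actually see in the RECYCLER folder on the mounted volume, so pairing it with the original path and deletion time from INFO2 is what turns "Dc1.xls" back into evidence about the user's actions.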

10
Email files
  • LibPST is a library for parsing Outlook PST
    files.
  • readpst reads PST input and produces one of a
    number of specifiable output formats ( by default,
    the mbox format ).
  • LibDBX parses Outlook Express DBX files.
  • readoe produces valid mbox files.

11
Processing Windows Registry hives
  • Regviewer --- stable
  • Chntpw
  • Regedit
  • Kregedit --- unstable

12
An up-and-coming forensic tool
  • FLAG is a very ambitious forensics utility
    originally created by the Australian Department
    of Defence.
  • PyFLAG is a complete rewrite of FLAG using the
    Python programming language.
  • It features a MySQL database backend,
    reconstruction of TCP streams from imported
    capture files, and importation of arbitrary log files.

13
Conclusion
  • The current tools will continue to develop, and
    new tools will emerge.
  • As Linux continues to grow and mature as an
    operating system, the public demand for
    interoperability will grow along with it.