File Analysis Chapter 5 - PowerPoint PPT Presentation

Slides: 63
Provided by: LynnA9
Learn more at: http://webpages.sou.edu

Transcript and Presenter's Notes

Title: File Analysis Chapter 5

1
File Analysis: Chapter 5 (Harlan Carvey)
  • Event Logs
  • File Metadata

2
Event Logs: Logging Events
  • Events
  • Logging Events
  • Event Log Format
  • Event Record Structure
  • Various Logs

3
Usual Event Logs
  • Application
      • Log of application errors, warnings and information
  • Security
      • Dropped packets, successful connections
      • Logon/Logoffs
  • System
      • Various device events

4
Registry References - XP
5
Windows 7
Location of logs
6
Event Log Location - XP
7
Event Log Location: Vista, Win7
  • C:\Windows -> System32 -> winevt -> Logs

8
Location of Event Logs
9
App & System Logging
  • On by default
  • Log size is 512 KB by default
  • Written by the application

10
Security Logging - XP
  • Not on by default
  • Log size is 512 KB by default
  • Control Panel -> Admin tools -> Local Security Policy

11
Security Logging: Windows 7
12
Log Viewer
  • Event Viewer
  • Control Panel -> Administrative Tools -> Event Viewer
  • Application, Security and System logs available
  • Event Properties
  • DTG (date-time group) of the event
  • Important for some timelines

13
App Log
14
System Log
15
Security Log: Success
16
Security Log: Failure
17
Windows 7
18
(No Transcript)
19
(No Transcript)
20
Event Viewer
  • Convenient and pretty
  • Works only on live systems
  • Does not work on a forensic image
  • So we have to parse the event logs ourselves

21
Event Logs
  • Binary structure
  • Header and a series of records
  • Event ID formats
  • http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=528
  • Application logs are vendor specific
  • EventID.net is a good source for this info; see also:
  • blogs.msdn.com/ericfiz/default.aspx
  • www.microsoft.com/technet/support/ee/ee_advanced.aspx

22
Event Log Configuration: XP
  • Held in registry keys

23
Windows 7
24
Registry Viewer
  • Event message

25
Event Log File Format (XP only)
  • Event Log Header: 12 DWORD values
  • Event Records: variable length
  • Windows 7 / Vista:
  • http://www.dfrws.org/2007/proceedings/p65-schuster.pdf
  • http://computer.forensikblog.de/files/talks/SANS_Summit_Vista_Event_Log.pdf

26
Event Log Header Structure
Offset  Size     Description
0       4 bytes  Size of the record (Header 0x30, Event 0xF4)
4       4 bytes  Magic number 0x4C 0x66 0x4C 0x65 ("LfLe")
16      4 bytes  Offset within the .evt file of the oldest event record
20      4 bytes  Offset within the .evt file of the next event record to be written
24      4 bytes  ID of the next event record
28      4 bytes  ID of the oldest event record
32      4 bytes  Maximum size of the .evt file (from the registry)
40      4 bytes  Retention time of event records (from the registry)
44      4 bytes  Size of the record (repeat of the first DWORD)
27
Event Record Structure
Offset  Size     Description
0       4 bytes  Size of the record (Header 0x30, Event 0xF4)
4       4 bytes  Magic number 0x4C 0x66 0x4C 0x65 ("LfLe")
8       4 bytes  Record number
12      4 bytes  Time generated
16      4 bytes  Time written
20      4 bytes  Event ID (locates the message in the message file/DLL/EXE)
24      2 bytes  Event type (0x01 Error, 0x10 Failure, 0x08 Success, 0x04 Info, 0x02 Warning)
26      2 bytes  Number of strings
28      2 bytes  Event category
30      2 bytes  Reserved flags
32      4 bytes  Closing record number
36      4 bytes  String offset
40      4 bytes  Length of the user SID
44      4 bytes  Offset to the user SID within this event record
48      4 bytes  Data length: length of the binary data associated with this event record
52      4 bytes  Offset to data
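The two tables above give the XP-era .evt layout. As an added example (not Carvey's code and not part of the slides), the Python below builds a small synthetic log in memory from exactly those offsets, parses the header, walks the records from the oldest-record offset to the next-record offset, and then recovers the same records by their LfLe signature after the header has been zeroed, which is the case a Windows-API-based viewer cannot open. The source-name and computer-name strings at offset 56, the trailing copy of the record size, and the 8-byte record padding are part of the standard format but are not listed on the slides; the two events and their strings are constructed.

```python
"""Parse the XP .evt header and records tabulated on slides 26 and 27 (added example)."""
import struct
from datetime import datetime, timezone

MAGIC = b"LfLe"                      # 0x4C 0x66 0x4C 0x65 at offset 4 of header and each record
HEADER_SIZE = 0x30                   # 12 DWORDs
FIXED_RECORD_SIZE = 56               # fixed part of a record, offsets 0..52 as on slide 27
RECORD_FMT = "<I4sIIIIHHHHIIIIII"    # size, magic, recnum, tgen, twritten, eventid, type,
                                     # nstrings, category, flags, closing, stroff, sidlen,
                                     # sidoff, datalen, dataoff
EVENT_TYPES = {0x01: "Error", 0x02: "Warning", 0x04: "Information",
               0x08: "Audit Success", 0x10: "Audit Failure"}


def build_header(oldest_off, next_off, next_id, oldest_id, max_size=512 * 1024, retention=0):
    # Offsets 8, 12 and 36 are not described on the slide; written here as 1, 1 and 0.
    return struct.pack("<I4sIIIIIIIIII", HEADER_SIZE, MAGIC, 1, 1, oldest_off, next_off,
                       next_id, oldest_id, max_size, 0, retention, HEADER_SIZE)


def build_record(num, t_gen, event_id, event_type, strings, source="Security", computer="WORKSTATION"):
    """Constructed record: fixed part, UTF-16LE source/computer names, the event strings,
    padding to 8 bytes and a trailing copy of the size DWORD (standard format, not on slide)."""
    utf16z = lambda s: s.encode("utf-16-le") + b"\x00\x00"
    names = utf16z(source) + utf16z(computer)
    body = names + b"".join(utf16z(s) for s in strings)
    str_off = FIXED_RECORD_SIZE + len(names)
    data_off = FIXED_RECORD_SIZE + len(body)
    size = FIXED_RECORD_SIZE + len(body) + 4
    pad = (-size) % 8
    size += pad
    fixed = struct.pack(RECORD_FMT, size, MAGIC, num, t_gen, t_gen, event_id, event_type,
                        len(strings), 0, 0, num, str_off, 0, str_off, 0, data_off)
    return fixed + body + b"\x00" * pad + struct.pack("<I", size)


def build_log(records):
    body = b"".join(records)
    first = struct.unpack_from("<I", records[0], 8)[0]   # record number of the first record
    last = struct.unpack_from("<I", records[-1], 8)[0]
    return build_header(HEADER_SIZE, HEADER_SIZE + len(body), last + 1, first) + body


def parse_header(buf):
    size, magic = struct.unpack_from("<I4s", buf, 0)
    oldest_off, next_off, next_id, oldest_id, max_size = struct.unpack_from("<5I", buf, 16)
    retention, size_again = struct.unpack_from("<2I", buf, 40)
    if magic != MAGIC or size != HEADER_SIZE or size_again != size:
        raise ValueError("not a valid .evt header")
    return {"oldest_record_offset": oldest_off, "next_record_offset": next_off,
            "next_record_id": next_id, "oldest_record_id": oldest_id,
            "max_file_size": max_size, "retention_seconds": retention}


def _read_utf16z(buf, pos):
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le", errors="replace"), end + 2


def parse_record(buf, off):
    (size, magic, num, t_gen, t_wr, event_id, etype, nstr, cat, _flags, _closing,
     str_off, sid_len, _sid_off, data_len, _data_off) = struct.unpack_from(RECORD_FMT, buf, off)
    if magic != MAGIC or size < FIXED_RECORD_SIZE + 4 or off + size > len(buf):
        raise ValueError("bad record at offset %d" % off)
    if struct.unpack_from("<I", buf, off + size - 4)[0] != size:
        raise ValueError("record at offset %d is truncated or overwritten" % off)
    source, pos = _read_utf16z(buf, off + FIXED_RECORD_SIZE)
    computer, _ = _read_utf16z(buf, pos)
    strings, pos = [], off + str_off
    for _ in range(nstr):
        s, pos = _read_utf16z(buf, pos)
        strings.append(s)
    return {"record_number": num, "size": size,
            "time_generated": datetime.fromtimestamp(t_gen, timezone.utc),
            "time_written": datetime.fromtimestamp(t_wr, timezone.utc),
            "event_id": event_id & 0xFFFF,          # low word is the ID Event Viewer shows
            "event_type": EVENT_TYPES.get(etype, "0x%02x" % etype), "category": cat,
            "source": source, "computer": computer, "strings": strings,
            "sid_length": sid_len, "data_length": data_len}


def iter_records(buf):
    """Walk from the header's oldest-record offset up to its next-record offset.
    (A live log is circular and may hold an EOF record; that wrap-around is not handled.)"""
    hdr = parse_header(buf)
    off = hdr["oldest_record_offset"]
    while off < hdr["next_record_offset"]:
        rec = parse_record(buf, off)
        yield rec
        off += rec["size"]


def carve_records(buf):
    """Ignore the header and locate records by signature, validating each one by its
    trailing size copy; this still works when the header has been damaged."""
    found, pos = [], buf.find(MAGIC, 5)         # skip the header's own signature at offset 4
    while pos != -1:
        start = pos - 4
        try:
            rec = parse_record(buf, start)
            found.append(rec)
            pos = buf.find(MAGIC, start + rec["size"])
        except (ValueError, struct.error):
            pos = buf.find(MAGIC, pos + 1)
    return found


# Constructed sample: a logon success (528) and a logon failure (529).
SAMPLE_LOG = build_log([
    build_record(1, 1_200_000_000, 528, 0x08, ["Administrator", "WORKSTATION", "(0x0,0x3E7)", "2"]),
    build_record(2, 1_200_000_060, 529, 0x10, ["guest", "WORKSTATION", "2"]),
])

if __name__ == "__main__":
    print(parse_header(SAMPLE_LOG))
    for r in iter_records(SAMPLE_LOG):
        print(r["record_number"], r["time_generated"].isoformat(), r["event_id"], r["event_type"], r["strings"])
    damaged = b"\x00" * HEADER_SIZE + SAMPLE_LOG[HEADER_SIZE:]
    print("carved from damaged log:", [r["event_id"] for r in carve_records(damaged)])
```

The two read paths are deliberately separate: `iter_records` trusts the header, as the Windows API does, while `carve_records` trusts only each record's own size field and its trailing copy, so a zeroed or overwritten header costs nothing but the header's metadata.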
28
Carvey's Help
  • Best not to depend on the Windows API to read the Event files
  • They can be corrupted
  • The API may miss the record that is next to be overwritten
  • His tools provide summary stats
  • And output readable in Excel

29
evtstats.exe
Lots of events
30
lsevt.exe
Entry for each of the 2464 Event Records
31
lsevt2.exe
Entry for each of the 2464 Event Records; puts it into an Excel-readable format
lsevt -f event_file -c > save_file.csv
32
Excel Open .csv file
33
Change Format
Choose Delimited
34
Identify Separators
Harlan's output is separated by semicolons. With Perl knowledge you could change it.
35
Now manipulable in Excel
36
Information
37
Other Logs
  • IE Browsing History
  • Set Up
  • XP Firewall
  • Recycle Bin
  • Shortcut Files

38
IE Browsing History
  • Index.dat files
  • DiscoverPro
  • NetAnalysis
  • Index dat spy
  • SuperWinSpy
  • Be careful !!!

39
NetAnalysis
40
Set Up Logs
  • Setuplog.txt
  • Setupact.log
  • SetupAPI.log
  • Netsetup.log

41
Setuplog.txt: C:\WINDOWS
42
Setupact.log: C:\WINDOWS
43
SetupAPI.log: C:\WINDOWS
44
NetSetup.log: C:\Windows\Debug
45
Task Scheduler Log: SchedLgU.txt
46
Enabling Firewall Logging
  • Control Panel -> Security Center -> Windows Firewall -> Advanced
  • Follow your nose

47
Firewall Log
  • C:\WINDOWS\pfirewall.log
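Once logging is enabled, pfirewall.log is a plain text file, so it can be summarised offline from an image without any Windows tooling. The Python below is an added example, not from the slides or from Carvey: it assumes the W3C-style layout the XP firewall writes, in which a `#Fields:` header names the columns, and reads the column order from that header rather than hard-coding it. The log lines and addresses are constructed; the summary counts dropped packets per remote source and separates inbound from outbound connection opens, which is the "dropped packets, successful connections" view slide 3 refers to.

```python
"""Summarise a Windows XP firewall log (pfirewall.log) offline (added example)."""
from collections import Counter

# Constructed sample in the W3C extended format the XP firewall writes.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-03-02 08:15:01 DROP TCP 192.0.2.77 10.0.0.5 3450 445 48 S 1234567 0 65535 - - - RECEIVE
2009-03-02 08:15:02 DROP TCP 192.0.2.77 10.0.0.5 3451 139 48 S 1234568 0 65535 - - - RECEIVE
2009-03-02 08:15:04 DROP UDP 192.0.2.77 10.0.0.5 1025 137 78 - - - - - - - RECEIVE
2009-03-02 08:16:10 OPEN TCP 10.0.0.5 198.51.100.20 1089 80 - - - - - - - - -
2009-03-02 08:16:11 CLOSE TCP 10.0.0.5 198.51.100.20 1089 80 - - - - - - - - -
2009-03-02 08:17:30 OPEN-INBOUND TCP 10.0.0.9 10.0.0.5 2200 3389 - - - - - - - - -
"""


def parse_pfirewall(text):
    """Return one dict per data line, keyed by the names in the #Fields: header."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue                      # other directive lines carry no events
        if fields is None:
            raise ValueError("data line before #Fields: header")
        parts = line.split()
        if len(parts) != len(fields):
            continue                      # truncated line: skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def summarise(rows):
    """Dropped traffic per remote source and per target port, plus connection opens."""
    drops = [r for r in rows if r["action"] == "DROP"]
    return {
        "drops_by_src": Counter(r["src-ip"] for r in drops),
        "drops_by_port": Counter((r["protocol"], r["dst-port"]) for r in drops),
        "inbound_opens": [(r["src-ip"], r["dst-port"]) for r in rows if r["action"] == "OPEN-INBOUND"],
        "outbound_opens": [(r["dst-ip"], r["dst-port"]) for r in rows if r["action"] == "OPEN"],
    }


if __name__ == "__main__":
    result = summarise(parse_pfirewall(SAMPLE_LOG))
    for src, n in result["drops_by_src"].most_common():
        print("dropped %d packets from %s" % (n, src))
    print("inbound opens:", result["inbound_opens"])
    print("outbound opens:", result["outbound_opens"])
```

Driving the parser from the `#Fields:` line matters because the set of columns changed between Windows versions; a parser that hard-codes the XP order silently shifts every column when pointed at a log with one field more or less.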

48
Recycle Bin
  • C:\RECYCLER
  • Each user gets his own folder
  • Named with the user's SID
  • Each has its own INFO2 file

49
Recycle Bin
50
recbin.exe
51
INFO2 File Structure
  • Header
      • 16 bytes
      • Final 4 bytes (DWORD) is the size of each record
      • 0x320 (stored little-endian) = 800 bytes
  • Records
      • Record number at offset 264 within the record
      • Drive designator at offset 268
      • 2 = C:\, 3 = D:\, etc.
      • File size in clusters at offset 280

52
Open INFO2 in WinHex
  • Very hard
  • File -> Open
  • Navigate to C:\RECYCLER
  • Open it
  • Select a SID folder
  • Open it. It may say you don't have privileges
  • Type \INFO2
  • Try again!
  • Maybe

53
INFO2 Record Size
Record size 0x0320 = 800 (decimal)
Size in clusters 0x0001
Drive indicator 0x0002 (C:\)
54
File Metadata: MAC Times
OS to OS       Action  From  To    Create time  Modification time
FAT to FAT     Copy    C:\   C:\   Updated      Unchanged
FAT to FAT     Move    C:\   C:\   Unchanged    Unchanged
FAT to NTFS    Copy                Updated      Unchanged
FAT to NTFS    Move                Unchanged    Unchanged
NTFS to NTFS   Copy    C:\   C:\   Updated      Unchanged
NTFS to NTFS   Move    C:\   C:\   Unchanged    Unchanged
55
Word Documents
  • Document location
  • Statistics
  • Magic number
  • Version and language
  • Last 10 authors
  • MACPS times
      • Modified, accessed, created, printed, saved

56
MergeStreams
  • Insert a spreadsheet into a Word document
  • Call it .doc: you see the Word document
  • Call it .xls: you see the spreadsheet
  • All sorts of uses
  • Smuggling out forecasts
  • Sharing pictures on the corporate server

57
PDF Files
  • Similar metadata to Word docs
  • Easily accessed
  • File -> Properties

58
Image Files: EXIF Data
59
(No Transcript)
60
Original Photo off of the camera
After Photoshop manipulation
61
Tweet Metadata
62
ADS: Alternate Data Streams
  • Native to NTFS
  • Permit a data file to contain scripts or executable code
  • No NT native tools to detect them
  • Native tools to create and launch them