Forensic Blogs

An aggregator for digital forensics blogs

October 26, 2017 by LCDI

Application Analysis Update 1

Introduction

This project focuses on searching for artifacts left by common desktop applications. We will be analyzing each application within Windows 10, the second most popular version of Windows. We began by generating data on virtual machines with the chosen applications. The next step is to use various forensic tools to extract information that could be of forensic interest. This includes any artifacts that could be relevant either for security or for use in a forensic investigation.

Analysis: Web App Security

In this project, we will be analyzing artifacts left by three different apps: Steam, LastPass, and Fitbit. Based on LastPass’s emphasis on security, we expect that it will yield the fewest artifacts. Likewise, Steam is notorious for not keeping chat logs on the user’s side, whether on a PC or on a mobile device. As such, it is reasonable to assume that the amount of information stored on the host is minimal. Fitbit, however, may save crucial information on the host for offline use of the app.

Choosing the Applications

In narrowing down the list of possible applications, we chose each app for several reasons: its large number of users, how important it is that the application be secure, and other traits specific to the purpose of the app.

Steam

Application

The first app, Steam, is a gaming and social media platform common on PCs. It has a massive user base of over 125 million. Steam is well known for not retaining chat logs, and it saves achievements on its servers rather than on the host. Because of the large amount of information that the app could still store on the host, our team chose it as a viable candidate. Our team is planning to look for artifacts related to in-game actions as well as any action done on Steam (wishlist, login info, screenshots, etc.). Our team will also be looking for any artifacts that contain personal information about the user or information about the user’s friends.

LastPass

Application

LastPass is a password manager that is available as a desktop and mobile app, as well as an extension for many browsers. The application is popular for its security and its simple design. It has a user base of over 7 million people. LastPass can contain passwords for many websites, making it a target for attacks. It is also available without purchasing a subscription, making it even more popular.

Fitbit

Fitbit is a brand of fitness tracker. The device syncs using Bluetooth to a personalized account through a PC or mobile device. Fitbit has a user base of over 10 million people, and is popular among a variety of ages. The information is viewable online, on a mobile device, or through the desktop application. Fitbit logs movement and allows users to log other health information in the app. Fitbit then uses this information to display progress over time.

Conclusion

As of now, all teams have made excellent progress on analyzing the artifacts generated by the applications. We hope that the artifacts we generate will help us determine potential threats and dangers in the apps we are using. The results from the information our team has gathered are not finalized yet, but we are eager to share them with you when they are.

Like all members of the LCDI, we welcome and encourage feedback. To give us any feedback you have, use the comment section below.

You can read our past research into other applications here.

Like the Leahy Center for Digital Investigation (LCDI) on Facebook and follow us on Twitter to get notified of more project updates.

The post Application Analysis Update 1 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation. Filed Under: Digital Forensics, Uncategorized. Tagged With: app, app forensics, Application Analysis, Application Data, Blog Post, Fitbit, Lastpass, Projects, Steam, Student Work, Update, windows, Windows 10

October 24, 2017 by LCDI

VMWare Analysis Update 1

Introduction

The VMWare Analysis team is researching the differences between a Windows 7 physical machine and a Windows 7 virtual machine (VM), as well as the differences between a Windows 10 physical machine and VM. The end goal for this project is a four-way comparison between both operating system versions and their respective VMs.

VMWare/Physical Machines Used

Three VMs have been set up for this project: a Windows 7 VM, a Windows 10 VM, and a SANS SIFT VM running Ubuntu. SANS SIFT is a free VM built by SANS DFIR (Digital Forensics and Incident Response). It has a variety of digital forensics tools, such as Volatility and Bulk Extractor, and is being used for memory forensics analysis of the four machines. The VMWare Analysis team is going to be extracting, analyzing, and comparing Windows artifacts. These include Prefetch files, LNK files, Jump Lists, and Windows memory.

Progress

Thus far, the team has completed data generation and analysis of the Windows 7 physical machine and Windows 7 VM. Both machines used the same data generation process to keep the results consistent. There are a few specific things that we analyze for the comparisons. One is network information in the registry of each machine. Another is what changes VMware Tools makes to the virtual machine. The last is general information on artifacts: where the system stores them and what information they reveal about the system.


The team was having trouble generating Prefetch data for Notepad, Notepad++, and Adobe Reader. After a few minutes of troubleshooting, the team discovered that the Prefetch folder only allows up to 168 “.pf” files at one time. The folder had reached capacity and could not fit files for those applications.

Conclusion

So far, the only identified difference between the VM and the physical machine is in the Prefetch files. The Windows 7 physical machine had 140 Prefetch files, while the VM only had 114. It is also noted that the VM image contained a Prefetch file for VMware Tools (VMTOOLSD.EXE-CD82EC13.pf); the physical machine did not.
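The comparison the team describes (two Prefetch folder listings, one per machine, diffed against each other and checked against the folder cap that caused the missing entries) can be scripted. The following is an added example written for this page, not the team’s own tooling; the two directory listings are constructed, and every hash except the CD82EC13 value from the post is made up. The cap of 168 is the figure the post reports.

```python
import re

# Prefetch file names have the form EXECUTABLE.EXE-XXXXXXXX.pf, where the
# eight hex digits are a hash derived from the executable's path.
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")

# Upper bound on .pf files that the post reports for the Windows 7 Prefetch folder.
PREFETCH_LIMIT = 168


def parse_prefetch_name(name):
    """Return (EXECUTABLE, HASH) for a prefetch file name, or None if it does not match."""
    match = PF_NAME.match(name)
    if match is None:
        return None
    return match.group("exe").upper(), match.group("hash").upper()


def format_entry(entry):
    """Turn a parsed (EXECUTABLE, HASH) tuple back into its on-disk file name."""
    return f"{entry[0]}-{entry[1]}.pf"


def compare_prefetch_sets(physical_names, vm_names):
    """Compare two Prefetch folder listings and report what differs.

    Entries are keyed on (executable, hash), so the same program run from two
    different paths shows up as two distinct entries, exactly as it does on disk.
    Non-prefetch files in the folder (e.g. Layout.ini) are ignored.
    """
    phys = {p for p in map(parse_prefetch_name, physical_names) if p}
    virt = {p for p in map(parse_prefetch_name, vm_names) if p}
    return {
        "physical_count": len(phys),
        "vm_count": len(virt),
        "only_physical": sorted(map(format_entry, phys - virt)),
        "only_vm": sorted(map(format_entry, virt - phys)),
        # A folder at the cap explains executables with no .pf file at all.
        "physical_at_capacity": len(phys) >= PREFETCH_LIMIT,
        "vm_at_capacity": len(virt) >= PREFETCH_LIMIT,
    }


# Constructed sample listings (hashes other than CD82EC13 are made up).
PHYSICAL_LISTING = [
    "NOTEPAD.EXE-D8414F97.pf",
    "CHROME.EXE-5A2B1C3D.pf",
    "ACRORD32.EXE-11223344.pf",
    "Layout.ini",  # lives in the Prefetch folder but is not a .pf file
]
VM_LISTING = [
    "NOTEPAD.EXE-D8414F97.pf",
    "CHROME.EXE-5A2B1C3D.pf",
    "VMTOOLSD.EXE-CD82EC13.pf",  # the VMware Tools entry the post observed
]

if __name__ == "__main__":
    for key, value in compare_prefetch_sets(PHYSICAL_LISTING, VM_LISTING).items():
        print(f"{key}: {value}")
```

On a real case the two lists would come from `os.listdir` on each mounted image’s `Windows\Prefetch` folder; keying on the hash as well as the name is what lets the same executable launched from a second location show up as a separate finding.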


In the upcoming weeks, the VMware Analysis team is planning to start on the Windows 10 physical machine and VM. Once we complete data generation and analysis, we’ll start comparing differences between the virtual machine and the physical machine. We’ll also compare Windows 10 and Windows 7.


September 12, 2017 by LCDI

Enfuse 2017 Reflection – Felisa Charles: Know Normal, Find Evil

Introduction

I am truly grateful to have been chosen by the Leahy Center for Digital Investigation (LCDI) to represent Champlain College at Enfuse 2017, a digital forensics conference hosted by Guidance Software. The knowledge I gained in just 4 days was immeasurable. By the end I walked away with a tremendous amount of new experience that I’ll be able to utilize in my field of study. I most appreciated that the speakers would stick around after their sessions to share further knowledge with whoever wanted to hear it. Also, I was fortunate to be able to introduce myself to professionals in the fields of forensics, networking and cyber security. One highlight was meeting former White House CIO Theresa Payton, who spoke to us about being a woman in technology. I truly hope to attend another Enfuse conference during my time at Champlain.

Know Normal, Find Evil

One of my favorite sessions was presented by Jacob Williams – a forensic analyst from Rendition Infosec – titled “Know Normal, Find Evil – Windows 10 Edition”. This session emphasized the importance of understanding normal and suspicious operating system (OS) behaviors.

“Someone who doesn’t know what a $100 bill looks like is an easy mark for a counterfeit,” he said.

Therefore, if you don’t know what a system should look like when operating properly, you will be an easy target for malware. Since Windows 10 is the newest edition of an expansive Windows OS family, Williams suggested that you should know the differences in their respective processes. For instance, WinRT (Windows Runtime), a platform of Windows 8, was renamed to UWP (Universal Windows Platform) in Windows 10.

Best Practices for Investigators

In the end, I was able to take away several points from the session:

  • Know what’s new and what’s different in every OS.
  • What are the normally scheduled tasks in each OS? (For example, wsappx, the service that starts to update an app.)
  • How should the system react to these tasks? (For example, svchost.exe having high CPU usage.)
  • Learn which processes belong to which services, how they work, and the parent/child relationships between them.

As an illustration, the speaker went over one of the new processes introduced by Windows 10 that investigators need to understand: backgroundtaskhost.exe. This process is normally located in the C:\Windows\System32 folder, but malware can disguise itself as backgroundtaskhost.exe. If the application is located in another folder, an investigator should treat it as a threat.
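The “know normal” check the speaker describes (the expected location of backgroundtaskhost.exe, plus the parent/child relationships from the takeaways above) boils down to comparing a process snapshot against a baseline of what is normal. The following is an added example written for this page, not code from the session or from Rendition Infosec. The baseline holds only two entries: the backgroundtaskhost.exe location from the post, and svchost.exe, whose normal parent on Windows is services.exe. The process snapshot is constructed; the PIDs and the paths of the flagged processes are made up for illustration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Proc:
    """One row of a process listing: PID, parent PID, image name, full image path."""
    pid: int
    ppid: int
    name: str
    path: str


# Baseline of "normal": the directory each image should run from and, where the
# relationship is well known, the name of the parent process it should have.
# A parent of None means the baseline does not constrain the parent.
BASELINE = {
    "backgroundtaskhost.exe": {"dir": r"C:\Windows\System32", "parent": None},
    "svchost.exe": {"dir": r"C:\Windows\System32", "parent": "services.exe"},
}


def find_deviations(procs):
    """Return (pid, name, reason) for every baselined process that breaks the baseline."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        expected = BASELINE.get(p.name.lower())
        if expected is None:
            continue  # not a process we have a baseline for
        # Path check: the image must live in the expected directory (case-insensitive).
        actual_dir = str(PureWindowsPath(p.path).parent)
        if actual_dir.lower() != expected["dir"].lower():
            findings.append((p.pid, p.name, f"unexpected path {p.path}"))
        # Parent check: only applied where the baseline names an expected parent.
        expected_parent = expected["parent"]
        if expected_parent:
            parent = by_pid.get(p.ppid)
            parent_name = parent.name.lower() if parent else "<missing>"
            if parent_name != expected_parent:
                findings.append((p.pid, p.name, f"unexpected parent {parent_name}"))
    return findings


# Constructed process snapshot: three normal rows and two that break the baseline.
SNAPSHOT = [
    Proc(500, 400, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(800, 500, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(3000, 2900, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(1200, 800, "backgroundtaskhost.exe", r"C:\Windows\System32\backgroundtaskhost.exe"),
    # Same image name, wrong folder: the disguise the speaker warned about.
    Proc(4100, 3000, "backgroundtaskhost.exe", r"C:\Users\Public\backgroundtaskhost.exe"),
    # Right folder, but launched by explorer.exe instead of services.exe.
    Proc(4200, 3000, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for pid, name, reason in find_deviations(SNAPSHOT):
        print(f"PID {pid} {name}: {reason}")
```

The baseline is deliberately tiny; in practice it would be filled from the documented normal values for each OS version, which is exactly the knowledge the session argues an investigator has to build up. Note that the path check only catches an image that keeps the real name, which is why the parent check is worth carrying alongside it.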

Conclusion

I chose this class because of its name: I had a pretty good idea of what I was getting into as I took my seat. Though this is just a snippet of what I’ve learned from this session, I was overwhelmed by how much an investigator has to learn about an OS and the fact that little details are important. The driving point of the session was that as long as you know the norm of an OS, you’ll be able to identify unfamiliar behaviors; and all of these behaviors are suspect.
