Digital Forensics Lecture 6: Application Analysis

Upload: robocop77

Post on 22-May-2015

DESCRIPTION

Analysis on email

TRANSCRIPT

Page 1

Digital Forensics Lecture 6

Application Analysis

Page 2

Current, Relevant Topics

• HP’s private investigators fraudulently used the identities of the victims to get login credentials to access online telephone records without authorization.

• Title 18 Section 1030(a)(4) – felony!

• The investigation resulted in unauthorized use of AT&T's computer systems by third-party investigators to gain access to the phone records of seven board members, nine reporters, and two HP employees. While such techniques fall under the broad category of deception to gain information, or "pretexting," computer crime statutes clearly define the activity as unauthorized access, or "hacking." The investigators also tailed several directors and reporters and sent forged documents to one reporter that would phone home the Internet address of anyone to whom the reporter forwarded the document.

Robert Lemos, SecurityFocus 2006-09-22

Page 3

This Week’s Presentations

• Moses Schwartz: Email Analysis – Client and Web
• Johnathan Ammons: Web Analysis
• James Guess: IRC Analysis

Page 4

Next Week’s Presentations

• Kelcey Tietjen: Wireless Network Traffic
• David Burton: Collection and Analysis of Network Traffic
• David Burton: Network Devices: Routers, Switches, … (EC)

Page 5

Lecture Overview

• Application Analysis Overview
• E-mail
• Web Browsers
• Microsoft Word
• Portable Document Format
• Tools et cetera

Process diagram labels: Legal/Policy; Preparation; Collection; Analysis; Findings/Evidence; Reporting/Action

Page 6

Module 1

Application Analysis Overview

Page 7

Types of Hidden Application Data

• Metadata
  – information about a file or its contents that software stores in the file
• Hidden Data
  – content the author or editors add to files that may be hidden in some circumstances
• Really Hidden Files
  – files you cannot find with Explorer at all and can only find with DOS if you know where to look

Page 8

Module 2

E-mail

What data may be found?

Page 9

What can be found?

• Sender
• Date / Time
• Subject
• Communication Path
• Contents

Page 10

Client-based E-mail

• MS Outlook PST
  – ReadPST ↑ will convert the PST into RFC-compliant UNIX mail
• MS Outlook Express
  – readDBX ↑ will extract the contents of DBX files into RFC-compliant UNIX mail
• UNIX E-mail
  – grep expression on the simple text file

↑ from SourceForge
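As an added example (not from the lecture), this pulls the five fields of the "What can be found?" slide out of the RFC-compliant UNIX mail that readpst or readdbx produce. The sample message, its hosts and addresses are constructed; the communication path is read from the Received headers bottom-up because each relay prepends its own.

```python
import mailbox, os, re, tempfile
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample mbox (what readpst / readdbx emit); two Received headers.
SAMPLE_MBOX = """From alice@example.com Fri May 22 09:15:02 2015
Received: from mx.example.org (mx.example.org [198.51.100.7])
\tby mail.example.com with ESMTP id 1234; Fri, 22 May 2015 09:15:01 +0000
Received: from laptop.example.org (laptop.example.org [192.0.2.10])
\tby mx.example.org with SMTP; Fri, 22 May 2015 09:14:58 +0000
From: Alice <alice@example.com>
Subject: Board minutes
Date: Fri, 22 May 2015 09:14:55 +0000

Minutes attached.
"""

def communication_path(msg):
    # Relays prepend Received headers, so bottom-up is the order travelled.
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        flat = " ".join(hdr.split())  # unfold continuation lines
        m = re.match(r"from (\S+) .*?\bby (\S+)", flat)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def text_body(msg):
    # First text/plain part, decoded from its transfer encoding.
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode("utf-8", "replace").strip()
    return ""

def summarize(path):
    # One dict per message with the five fields the slide lists.
    box, rows = mailbox.mbox(path), []
    for msg in box:
        rows.append({"sender": parseaddr(msg.get("From", ""))[1],
                     "date": parsedate_to_datetime(msg["Date"]),
                     "subject": msg.get("Subject", ""),
                     "path": communication_path(msg),
                     "contents": text_body(msg)})
    box.close()
    return rows

def demo():
    # Write the constructed sample to a temp file and summarise it.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "outlook.mbox")
        with open(path, "w", newline="\n") as fh:
            fh.write(SAMPLE_MBOX)
        return summarize(path)
```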

Page 11

Client-based E-mail

• Netscape Navigator
  – grep expression on the simple text file
• AOL
  – proprietary format: PFC
  – E-mail Examiner, EnCase, FTK
  – FTK decodes email archive, retrieves e-mail and other information such as favorites

Page 12

Web-based E-mail

• Yahoo
  – recover e-mail from Internet cache
  – files that contain rendered html that was on screen
    • ShowFolder – lists subject lines, sender alias, message dates, and sizes
    • ShowLetter – opened e-mail
    • Compose – e-mail to which the user is replying before a modification is done
  – search
    • input type=hidden name=Body value=

Page 13

Web-based E-mail

• Hotmail
  – use the same tools to find information in files
    • Hotmail
    • doaddress
    • getmsg – the e-mail message
    • compose
    • calendar
  – search
    • /cgi-bin/dasp/E?N?/?hotmail_+#+.css\
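For the cached webmail pages on the two slides above, an added example (not the lecture's code) that scans a cache directory for the hidden Body form field of a reply page and decodes it, which recovers the original message before the user edited it. The cached files and their markup are constructed, and the attribute order assumed is the one in the slide's search string.

```python
import html, os, re, tempfile

# Constructed sample of a cached Yahoo-style Compose page (real markup varies);
# the hidden Body field carries the message being replied to, unedited.
SAMPLE_CACHE = {
    "Compose[1].htm": (
        "<html><body><form name=Compose action=/ym/Compose>"
        "<input type=hidden name=Subj value=\"Re: Meeting\">"
        "<input type=hidden name=Body value=\"&gt; On Fri, Bob wrote:&#10;"
        "&gt; Meeting moved to 3pm.&#10;\"></form></body></html>"),
    "ShowLetter[1].htm": "<html><body>Meeting moved to 3pm.</body></html>",
}

# Same attribute order as the slide's search string: type=hidden name=Body value=
HIDDEN_BODY = re.compile(
    r"<input[^>]*type=['\"]?hidden['\"]?[^>]*name=['\"]?Body['\"]?[^>]*"
    r"value=(?:\"([^\"]*)\"|'([^']*)'|([^\s>]*))", re.I)

def bodies_in(page):
    # Decoded Body values found in one page (undoes &gt; &#10; etc.).
    found = []
    for m in HIDDEN_BODY.finditer(page):
        raw = next(g for g in m.groups() if g is not None)
        found.append(html.unescape(raw))
    return found

def hidden_bodies(cache_dir):
    # (file name, decoded Body text) for every cached page carrying the field.
    hits = []
    for name in sorted(os.listdir(cache_dir)):
        with open(os.path.join(cache_dir, name), encoding="utf-8", errors="replace") as fh:
            hits.extend((name, body) for body in bodies_in(fh.read()))
    return hits

def demo():
    # Materialise the constructed cache in a temp directory and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLE_CACHE.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(content)
        return hidden_bodies(tmp)
```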

Page 14

Module 3

Web Browsers

What metadata and hidden data may be found?

Page 15

Web Browsers

• Internet Explorer
  – Cookies\index.dat – audit trail for installed cookies
  – Local Settings\History\History.IE5\index.dat – history for the last day IE was used
  – Local Settings\History\History.IE5\MSHistXXXXXXXXXXX\index.dat – history rollup for older usage
  – Local Settings\Temporary Internet Files\Content.IE5\index.dat – audit trail for include files
  – UserData\index.dat – audit trail for automatic Windows accesses to the internet

Pasco – converts the data into a tab-delimited format (Foundstone)

NOTE: Files in C:\Documents and Settings\<username>

Page 16

Web Browsers

• Internet Explorer – Cookies
  – Cookies\index.dat – audit trail for installed cookies
  – Fields of metadata
    • SITE – URL that the cookie came from
    • VARIABLE – name stored in cookie
    • VALUE – value stored
    • CREATION TIME – time of cookie creation
    • EXPIRE TIME – time of cookie expiration
    • FLAGS – flags set for the cookie

galleta – converts the data into a tab-delimited format (Foundstone)
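An added example, not galleta's code: decode one IE cookie text file into the six fields above and emit them tab-delimited, including the conversion of the two 32-bit FILETIME halves into a timestamp. The nine-line record layout is my assumption about the classic Cookies\*.txt format, and the cookie itself is constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(low, high):
    # FILETIME = 100-ns ticks since 1601-01-01 UTC, stored as two 32-bit halves.
    ticks = (int(high) << 32) | int(low)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime_parts(dt):
    # Inverse of the above; only used here to build the constructed sample.
    ticks = ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return ticks & 0xFFFFFFFF, ticks >> 32

def parse_cookie_file(text):
    # Assumed record layout of an IE Cookies\*.txt file, nine lines per cookie:
    # name, value, site/path, flags, expire lo, expire hi, create lo, create hi, "*".
    lines = text.splitlines()
    records = []
    for start in range(0, len(lines), 9):
        rec = lines[start:start + 9]
        if len(rec) < 9 or rec[8].strip() != "*":
            raise ValueError("malformed cookie record at line %d" % (start + 1))
        name, value, site, flags, elo, ehi, clo, chi, _ = rec
        records.append({"SITE": site, "VARIABLE": name, "VALUE": value,
                        "CREATION TIME": filetime_to_datetime(clo, chi),
                        "EXPIRE TIME": filetime_to_datetime(elo, ehi),
                        "FLAGS": int(flags)})
    return records

def to_tsv(records):
    # galleta-style tab-delimited output, one cookie per line.
    cols = ["SITE", "VARIABLE", "VALUE", "CREATION TIME", "EXPIRE TIME", "FLAGS"]
    rows = ["\t".join(cols)]
    for r in records:
        rows.append("\t".join(str(r[c]) for c in cols))
    return "\n".join(rows)

def build_sample():
    # Constructed cookie file: one cookie set on 2015-05-22 with a 365-day life.
    created = datetime(2015, 5, 22, 9, 15, tzinfo=timezone.utc)
    clo, chi = datetime_to_filetime_parts(created)
    elo, ehi = datetime_to_filetime_parts(created + timedelta(days=365))
    fields = ["SESSIONID", "abc123", "mail.example.com/", "2048",
              str(elo), str(ehi), str(clo), str(chi), "*"]
    return "\n".join(fields) + "\n"
```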

Page 17

Web Browsers

• Mozilla / Firefox
  – MORK – Mozilla history format (Mork.pl utility)
  – Windows
    • Application Data\Mozilla\Profiles\<profile name>\history.dat
  – Linux
    • ~/.Mozilla/Profiles/<profile name>/history.dat
  – gives access time, # accesses, URL
  – tools can provide more information, e.g., NetAnalysis

Page 18

Web Browsers

• Mozilla / Firefox – Cookies
  – cookies.txt in the profiles directory
  – human readable
    • web site of origin
    • variable name
    • value
    • etc.

Page 19

Web Browsers

• Mozilla / Firefox – Cache browsing
  – make the cache read-only
  – fire up Mozilla
  – enter URL about:cache

Page 20

Page 21

Page 22

Web-based E-mail

• NoTrax
  – Secure Anonymous Stand Alone Tabbed Web Browser.
  – Blowfish encryption of cache & erases the cache during and after each browser session using secure deletion methods.
  – Erases Cookies during and after each browser session using secure deletion methods.
  – Erases the Windows Swap file on shutdown.
  – No log files created.

Page 23

Module 4

Microsoft Word

What metadata and hidden data may be found?

Page 24

MS Word

• metadata
  – Older versions
    • every file name saved under
    • run “strings -u” to get names
  – If document won’t open, then metadata may have been modified
  – who edited document
  – file path
  – version of Word used
  – when created
  – GUID (MAC based) of machine used to create
• hidden data
  – quick save data
    • look in binary editor
    • open and use undo
  – Word 97 – MAC address
    • PID_GUID
  – Excel spreadsheet
    • when you drag data you get the entire spreadsheet
    • change .doc to .xls and open
  – full images
    • when a frame is shrunken
    • when matches background color

Beware of track changes

Page 25

Module 5

Portable Document Format (PDF)

Page 26

PDF

• metadata
  – under document properties
  – document title
  – author
  – subject
  – creation date
  – creation program
• hidden data
  – text with background set to the same color as text
  – very large or small fonts

Page 27

Module 6

Tools, et cetera

Page 28

Tools & Claims

• SecretExplorer
  – locate web form autocomplete data for IE, passwords for websites, Outlook account and identity passwords, dial-up passwords
• Document Inspector
  – search for hidden content: comments, revisions, versions, annotations, document properties, personal information, XML data, headers, footers, watermarks, hidden text

Page 29

Tools & Claims, cont.

• Document Detective
  – search for and remove hidden data: color on color text, thumbnails, bookmarks, very large or small images, very large or small fonts in MS Word, Excel, and PowerPoint
• snipurl.com/3osw
  – delete hidden text and comments
• rdhtool
  – Office 2003 tool to strip all metadata

Page 30

File Formats

• How do we find file format information for (proprietary) files?
  – Wotsit
    • http://www.wotsit.org/search.asp

Page 31

Module 7

IRC

Page 32

IRC (Internet Relay Chat)

• Many platforms
  – Amiga, Atari, BeOS, Java, Unix, Windows, PalmOS, OS/2, Mozilla, etc…
  – Over 150 different client programs
• mIRC advertised for Windows
• Network application
• IRC Proxies

Page 33

IRC

• Channels
  – Listed or Unlisted
• DCC – direct client connection
  – Private communications
  – File exchanges
  – Bypasses IRC server
• Little evidence on server

Page 34

IRC

• Log files
  – Usually user configured
  – Browser cache can contain info
• Identify IRC clients
• Network information
  – Routes, connections
  – Port 6667 (default, can be anything)
• Tools
  – msgsnarf – Knoppix
  – DataGrab – LE, now obsolete

Page 35

Questions?

After all, you are an investigator