SAMPLE-Linux

Internet Artifacts: WK6
Course Name: CYB652
Professor: Vernon McCandlish
Date: 2/21/2015
Examiner Name: Raymond Gonzales



Page 2: SAMPLE-Linux

Table of Contents

List of Illustrative Materials (page 3)
  Figures (page 3)
Graded Lab Assessment (page 4)
  Observations of Results and Findings (page 4)
    SQLitebrowser (page 4)
    SQLitebrowser vs SQLiteman (page 5)
  Discussion of Results (page 6)
    SQLitebrowser and SQLiteman (page 6)
    SQLitebrowser vs SQLiteman (page 7)
Conclusion (page 8)

Page 2 of 9


List of Illustrative Materials

Figures

Figure 1: Filtered SQLitebrowser output data for the cookies.sqlite file (page 4)
Figure 2: Output for the keyword "pumpkin" on the cookies.sqlite file (page 5)
Figure 3: Output for visit count to websites and words used for Google search (page 5)
Figure 4: Output for values entered found on the formhistory.sqlite file (page 5)
Figure 5: SQLite browser output for formhistory.sqlite (page 5)
Figure 6: SQLiteman output for formhistory.sqlite (page 6)
Figure 7: SQLite browser time data in epoch time (page 6)
Figure 8: Converted Epoch output date and time (page 7)
Figure 9: Converted Epoch date and time and URL visit count (page 7)
Figure 10: Item View tab within the SQLiteman tool (page 7)
Figure 11: BLOB Preview Window within the sqliteman tool (page 8)


Graded Lab Assessment

Observations of Results and Findings

To identify a user's activities, an examiner analyzes the cookies, formhistory, extensions, places, webappsstore and search .sqlite files for internet artifacts. The artifacts discovered throughout this investigation provide the examiner with information and insight into the activities performed by the user.

Throughout the lab the examiner performed various exercises with the SQLiteman and SQLitebrowser tools in order to become familiar with the examination capabilities of each tool. Using each tool on various sqlite files, the examiner was able to examine and identify internet artifacts created by the user's previous activities. In the lab the examiner was provided with "test.zip" and was tasked with performing an analysis of the provided .zip file. After the examiner unzipped test.zip, the folder "Firefox Portable" was created within the examiner's WK6 directory. Prior to performing any analysis on the provided data, the examiner calculated and recorded the MD5 sum (d0e7388cf7a5b68e9b65dfdd0ba0695a) of the extracted folder. By recording the MD5 sum before the analysis, the examiner can recompute it upon completion and verify that none of the data was altered during the investigation.
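The per-folder MD5 baseline described above can be produced and re-checked like this; this is an added example, not the lab's own procedure. It builds a constructed "Firefox Portable" tree in a temporary directory (sample file contents, not the real test.zip), records a per-file manifest before analysis, and then detects a journal file that a tool opening the database read-write would leave behind. Function names are assumptions made for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def file_md5(path, chunk=1 << 20):
    """MD5 of one file, read in chunks so large sqlite files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hash_tree(root):
    """Manifest {relative path: md5} for every file under root (like md5deep -r)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_md5(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def tree_digest(manifest):
    """Single digest over the sorted manifest: one value to record in the report."""
    h = hashlib.md5()
    for rel in sorted(manifest):
        h.update(f"{manifest[rel]}  {rel}\n".encode())
    return h.hexdigest()

def verify_tree(root, manifest):
    """Re-hash after analysis; list relative paths that changed, appeared or vanished."""
    now = hash_tree(root)
    return sorted(rel for rel in set(now) | set(manifest)
                  if now.get(rel) != manifest.get(rel))

def demo():
    """Constructed run: baseline a fake extracted profile, simulate a tool writing
    a journal file next to places.sqlite, and re-verify against the baseline."""
    with tempfile.TemporaryDirectory() as d:
        prof = Path(d) / "Firefox Portable" / "Data" / "profile"
        prof.mkdir(parents=True)
        (prof / "places.sqlite").write_bytes(b"SQLite format 3\x00" + bytes(100))
        (prof / "cookies.sqlite").write_bytes(b"SQLite format 3\x00" + bytes(50))
        baseline = hash_tree(d)
        untouched = verify_tree(d, baseline)              # nothing changed yet: []
        (prof / "places.sqlite-wal").write_bytes(b"wal")  # side effect of a read-write open
        return untouched, verify_tree(d, baseline)
```

Opening the copies read-only (for example with SQLite's `file:places.sqlite?immutable=1` URI) avoids the journal-file side effect the demo simulates.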

SQLitebrowser

Using the SQLitebrowser tool the examiner examined the sqlite files named cookies, places and formhistory for specific internet artifacts. The tool processed the sqlite data files and displayed the information in a human-readable format, allowing the examiner to view and examine the data. To filter the output displayed by the tool, the examiner selects the "Execute SQL" tab and enters SQL that filters and alters the tool's output. An example of this was performed when "SELECT host, value, datetime(lastAccessed/1000000,"unixepoch") FROM moz_cookies" was entered into the SQL window of the tool in order to convert the lastAccessed timestamp into a human-readable format, as seen in figure 1.

Figure 1: Filtered SQLitebrowser output data for the cookies.sqlite file

Using these strings to filter through the .sqlite data allows the examiner to quickly search for and identify specific internet artifacts such as website visits, keyword searches, various URL information, and values entered into forms. Various strings were entered into the SQL window in order to filter specific artifacts. Examples of these modified outputs from the SQLitebrowser tool can be seen in figures 2-4.

Figure 2: Output for the keyword “pumpkin” on the cookies.sqlite file

Figure 3: Output for visit count to websites and words used for Google search

Figure 4: Output for values entered found on the formhistory.sqlite file

SQLitebrowser vs SQLiteman

Within the lab the examiner was instructed to use the SQLiteman tool to process and analyze the formhistory.sqlite file that had previously been analyzed with the SQLitebrowser tool. The goal of using both tools on the same sqlite data was to demonstrate the differences between the two tools. From initial observations and comparisons, the examiner saw no variances between the outputs of either tool. The biggest differences the examiner saw were in how each tool presented its output data for the formhistory.sqlite file. SQLiteman appeared to be more organized in how the output data was presented and had additional tabs and features that SQLitebrowser did not. As seen in figures 5 and 6, the SQLiteman tool possesses additional features that SQLitebrowser lacks for performing further analysis on sqlite data.


Figure 5: SQLite browser output for formhistory.sqlite

Figure 6: SQLiteman output for formhistory.sqlite

Discussion of Results

SQLitebrowser and SQLiteman

During the lab the examiner used the SQLitebrowser and SQLiteman tools to examine the provided sqlite files for specific internet artifacts. Using the capability to enter SQL strings into both tools, the examiner was able to examine and identify all of the specific internet artifacts within the lab. The examiner was tasked with identifying words and phrases entered into Google searches, specific keywords, URLs visited, the visit count of those URLs, and form data entered, within the provided cookies, places and formhistory sqlite files. This was done by entering specific SQL strings into both tools in order to filter out unnecessary data within the sqlite files. Being able to control and alter the output display of either tool helps the examiner analyze and process the data in a timely manner. An example of how SQL strings can assist the examiner's analysis can be seen in figure 7.


Figure 7: SQLite browser time data in epoch time

Before any SQL is entered into the tools to convert the time, both tools display times as raw epoch values. Reading times in epoch form is not an efficient way to view and analyze the time information for internet artifacts during an investigation. By applying datetime(xxxx/1000000,"unixepoch") to any time field (lastUsed, firstUsed, etc.), where xxxx stands for the field name, the epoch output is converted into a human-readable format as seen in figure 8.

Figure 8: Converted Epoch output date and time

Throughout the analysis of the provided sqlite files there were several occasions when multiple SQL strings were used to display the output data in a desired format. When performing analysis on the "places.sqlite" file, the examiner was tasked with discovering how many times specific URLs were visited by the user. By entering the SQL string "SELECT url, datetime(last_visit_date/1000000,"unixepoch"), visit_count FROM moz_places" into the SQL window, the output window displayed the times in a human-readable format together with the number of visits for each URL, as seen in figure 9.

Figure 9: Converted Epoch date and time and URL visit count

Viewing the data in this organized manner allows the examiner to sort through all of the data systematically, which can help identify other artifacts that may be relevant to the investigation.
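The three lab queries discussed above (the cookies lastAccessed conversion, the keyword search across files, and the places visit-count query) run end to end here against a constructed in-memory stand-in for the Firefox tables. This is an added example, not part of the lab report: the table and column names follow the real Firefox schema, while the rows, timestamps and function names are assumptions constructed for the demo.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs

# Constructed sample data, not the lab's test.zip. Firefox keeps these
# timestamps in microseconds since the Unix epoch, hence the /1000000.
T1 = 1424044800 * 1_000_000  # 2015-02-16 00:00:00 UTC
T2 = 1424131200 * 1_000_000  # 2015-02-17 00:00:00 UTC
def build_sample_db():
    """In-memory stand-in for places.sqlite, formhistory.sqlite and cookies.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places(url TEXT, visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_formhistory(fieldname TEXT, value TEXT, lastUsed INTEGER);
        -- caveat: moz_cookies.expiry is in seconds; only lastAccessed is microseconds
        CREATE TABLE moz_cookies(host TEXT, name TEXT, value TEXT, expiry INTEGER,
                                 lastAccessed INTEGER);
    """)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?)", [
        ("https://www.google.com/search?q=pumpkin+pie+recipe", 3, T2),
        ("https://example.org/", 1, T1),
    ])
    conn.executemany("INSERT INTO moz_formhistory VALUES (?,?,?)", [
        ("q", "pumpkin pie recipe", T2), ("email", "user@example.org", T1),
    ])
    conn.execute("INSERT INTO moz_cookies VALUES (?,?,?,?,?)",
                 ("example.org", "session", "abc123", T1 // 1_000_000 + 86400, T1))
    conn.commit()
    return conn

def places_with_times(conn):
    """The lab's places query: URL, readable last visit time, visit count."""
    return conn.execute(
        "SELECT url, datetime(last_visit_date/1000000,'unixepoch'), visit_count "
        "FROM moz_places ORDER BY visit_count DESC").fetchall()

def keyword_hits(conn, keyword):
    """One keyword across form values, URLs and cookie values (LIKE ignores ASCII case)."""
    like = f"%{keyword}%"
    return conn.execute(
        "SELECT 'formhistory', fieldname || '=' || value, datetime(lastUsed/1000000,'unixepoch') "
        "FROM moz_formhistory WHERE value LIKE ? "
        "UNION ALL SELECT 'places', url, datetime(last_visit_date/1000000,'unixepoch') "
        "FROM moz_places WHERE url LIKE ? "
        "UNION ALL SELECT 'cookies', host || ':' || name, datetime(lastAccessed/1000000,'unixepoch') "
        "FROM moz_cookies WHERE value LIKE ? ORDER BY 3", (like, like, like)).fetchall()

def google_search_terms(conn):
    """Recover the searched words from the q= parameter of visited Google search URLs."""
    rows = conn.execute("SELECT url FROM moz_places WHERE url LIKE 'https://www.google.%/search?%'")
    return [t for (url,) in rows for t in parse_qs(urlparse(url).query).get("q", [])]
```

The queries single-quote 'unixepoch' because that is SQLite's string-literal syntax; the double-quoted form in the report only works through SQLite's legacy fallback that treats an unknown double-quoted identifier as a string.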

SQLitebrowser vs SQLiteman

When analyzing and comparing the SQLitebrowser and SQLiteman tools, the examiner identified several differences between them. Beyond the visual differences, the examiner identified that the SQLiteman tool had additional capabilities to easily isolate and view the output data via the "Item View" tab, as seen in figure 10.

Figure 10: Item View tab within the SQLiteman tool

An additional feature that the SQLiteman tool has that the SQLitebrowser tool does not is the BLOB viewer feature as seen in figure 11.

Figure 11: BLOB Preview Window within the sqliteman tool

BLOB is short for Binary Large OBject: a large amount of binary data stored and handled as a single object in a database management system (images and other multimedia objects are common BLOB artifacts). The BLOB viewer allows the examiner to see a visual preview of any BLOB data identified in the database.

Conclusion

After completing the analysis of the sqlite files with the various tools, the examiner gained insight into and an understanding of the full capabilities of each tool. Throughout the lab the examiner exercised the capabilities of each tool on the sqlite files in order to discover the internet artifacts within each sqlite data file. Using the capability to enter various strings within each tool, the examiner was able to examine and identify words and phrases entered into Google searches, URLs associated with keywords, which URLs had more than one visit, suspicious browsing behavior, and data entered into forms, and to convert Unix epoch time into human-readable time. Using such strings when analyzing sqlite files allows the examiner to accurately expedite the analysis of specific internet artifacts of interest during an investigation. By comparing and understanding the capabilities of the SQLiteman and SQLitebrowser tools, the examiner can decide how best to apply each tool when analyzing various sqlite data files. With all of the findings discovered from internet artifact analysis, the examiner can create a detailed timeline report of the events and actions performed by a specific user.
