Windows Systems and Artifacts and Analysis: WK4
Course Name: CYB652
Professor: Vernon McCandlish
Date: 2/09/2015
Examiner Name: Raymond Gonzales
Table of Contents
List of Illustrative Materials ... 3
  Figures ... 3
  Tables ... 3
Graded Lab Assessment ... 4
  Observations of Results and Findings ... 4
    Lnk-parse-1.0.pl ... 4
    Lslnk.pl ... 5
    Lnkanalyser.exe ... 5
  Discussion of Results ... 7
Conclusion ... 9
Appendix A ... 11
Page 2 of 22
List of Illustrative Materials
Figures
Figure 1: lnk-parse-1.0.pl Output for Mawg.jpg.lnk ... 5
Figure 2: lslnk.pl Output for Mawg.jpg.lnk in UTC ... 5
Figure 3: lnkanalyser.exe Output for Mawg.jpg.lnk ... 6
Figure 4: Local times of Sunset.jpg.lnk ... 7
Figure 5: Irregular time offsets for Sunset.jpg.lnk in UTC ... 8
Figure 6: Tracker Data Block for temp.lnk ... 9
Figure 7: Win7 SP1: lnk-parse-1.0.pl – Mawg.jpg.lnk ... 11
Figure 8: Win7 SP1: lslnk.pl – Mawg.jpg.lnk ... 11
Figure 9: Win7 SP1: lnkanalyser.exe – Mawg.jpg.lnk ... 12
Figure 10: Ubuntu: lnk-parse-1.0.pl – Mawg.jpg.lnk ... 12
Figure 11: Ubuntu: lslnk.pl – Mawg.jpg.lnk ... 13
Figure 12: Win7 SP1: lnk-parse-1.0.pl – Sample Pictures.lnk ... 13
Figure 13: Win7 SP1: lslnk.pl – Sample Pictures.lnk ... 14
Figure 14: Win7 SP1: lnkanalyser.exe – Sample Pictures.lnk ... 15
Figure 15: Ubuntu: lnk-parse-1.0.pl – Sample Pictures.lnk ... 15
Figure 16: Ubuntu: lslnk.pl – Sample Pictures.lnk ... 16
Figure 17: Win7 SP1: lnk-parse-1.0.pl – Sunset.jpg.lnk ... 16
Figure 18: Win7 SP1: lslnk.pl – Sunset.jpg.lnk ... 17
Figure 19: Win7 SP1: lnkanalyser.exe – Sunset.jpg.lnk ... 18
Figure 20: Ubuntu: lnk-parse-1.0.pl – Sunset.jpg.lnk ... 18
Figure 21: Ubuntu: lslnk.pl – Sunset.jpg.lnk ... 19
Figure 22: Win7 SP1: lnk-parse-1.0.pl – temp.lnk ... 19
Figure 23: Win7 SP1: lslnk.pl – temp.lnk ... 20
Figure 24: Win7 SP1: lnkanalyser.exe – temp.lnk ... 21
Figure 25: Ubuntu: lnk-parse-1.0.pl – temp.lnk ... 21
Figure 26: Ubuntu: lslnk.pl – temp.lnk ... 22

Tables
Table 1: Data Folder and Link Files to be analyzed ... 4
Table 2: Tracker Data Block Details Explained ... 9
Graded Lab Assessment
Observations of Results and Findings
Throughout the lab the examiner ran each of the parsing tools against a sample link file in order to become familiar with the capabilities of each tool. The tools used to parse the link files were lnk-parse-1.0.pl, lslnk.pl, and lnkanalyser.exe. The examiner selected lnkanalyser.exe to replace the lp.exe parsing tool recommended by the lab; it can be downloaded from the woanware website: http://www.woanware.co.uk/forensics/lnkanalyser.html. Each of the parsing tools provided information that identified the file's MAC times, working paths, volume ID and serial number, and file size.
Using the various parsing tools the examiner performed the requested examination of the provided link files. The name of the data folder and the names of the link files to be analyzed can be seen in table 1.
File Name                               MD5
CYB652.2014.Spring.Week4.Samples.zip    8b605addb191d2d79682a174bfbe7a56
Mawg.jpg.lnk                            f46942cca5621ef29ef1b1de9ccdb2ee
Sample Pictures.lnk                     44ecaa892a3ec3b14b32de7fbbad0bbc
Sunset.jpg.lnk                          ad7b92ff1524c1107d553429aa40b53e
temp.lnk                                ba967bee1a535f8fb490f252bbdcb9ea
Table 1: Data Folder and Link Files to be analyzed
Lnk-parse-1.0.pl
Lnk-parse-1.0.pl is a command-line parsing tool that can parse link files on both Windows and Linux. When run on Windows the tool reported the MAC times in the machine's local time, while on Linux it presented the MAC times in UTC. When lnk-parse-1.0.pl was used to parse the four provided link files, it output the file name, link flags, file attributes, MAC times, file length, volume type, volume serial number, and base path. An example of the tool's output for Mawg.jpg.lnk is shown in figure 1; screenshots of the output for each link file can be viewed in Appendix A.
Figure 1: lnk-parse-1.0.pl Output for Mawg.jpg.lnk
Lslnk.pl
Lslnk.pl is another command-line parsing tool that can parse link files on both Windows and Linux, and its output is the same on either OS. When the examiner parsed the provided link files with lslnk.pl, the parsed metadata was almost identical to that of the previous tool; the difference the examiner noticed is that lslnk.pl reports its MAC times in UTC instead of the host computer's local time. An example of lslnk.pl output is shown in figure 2 below; screenshots of the output for each link file can be viewed in Appendix A.
Figure 2: lslnk.pl Output for Mawg.jpg.lnk in UTC
Lnkanalyser.exe
The lnkanalyser.exe tool was selected by the examiner to replace the lp.exe parsing tool, which could not be used in the lab. Like the previous tools, lnkanalyser.exe provides the examiner with various parsed metadata about the .lnk file. Unlike the other tools, however, lnkanalyser.exe also provides a new piece of parsed information, the "Tracker Data Block", as seen in figure 3.
Figure 3: lnkanalyser.exe Output for Mawg.jpg.lnk
The Tracker Data Block provides information that can be used to identify the name of the local machine and to determine whether a link file has been moved or copied from its original location. Understanding and analyzing this information gives the examiner additional insight about the link file and the original file it is associated with. Screenshots of the output for each link file can be viewed in Appendix A.
Using the various tools on the link files, the examiner was able to view and analyze the metadata and other artifacts of each file. The examiner observed an anomaly in the MAC times when "Sunset.jpg.lnk" was parsed with lnk-parse-1.0.pl and lslnk.pl: the time offset of the "last modification" timestamp did not correspond to the offset of the file's creation and last access times.
Discussion of Results
During the lab the examiner used the parsing tools on the provided link files in order to examine the data contained within each of them, observed the capabilities of each tool, and compared the outputs each one produced. No single tool was capable of providing all of the information available within the link files, but each tool produced data that could be used to confirm the findings of the others.
An example of this was seen when lnk-parse-1.0.pl, lslnk.pl and lnkanalyser.exe were used to parse the link files. All of the tools produced similar output, but only lnk-parse-1.0.pl reported file times in the machine's local time, while lslnk.pl and lnkanalyser.exe reported them in UTC. Using these tools together lets the examiner compare and confirm the parsed data. The benefit of having one tool report times in the local machine's time and another in UTC is that the examiner can calculate the file's time offset, and that offset can help the examiner determine the physical location of the local machine that was used to create the link files. Knowing the offset of each MAC time also lets the examiner identify anomalies within the link files, and the examiner came across such an anomaly in one file during this examination. When "Sunset.jpg.lnk" was parsed, the examiner noticed that, as seen in figures 4 and 5, the MAC time offsets do not match throughout the file.
Figure 4: Local times of Sunset.jpg.lnk
Figure 5: Irregular time offsets for Sunset.jpg.lnk in UTC (figure annotations: offsets -7, -7, +5)
While the creation and last accessed times have an offset of UTC -7, the last modified time has an offset of UTC +5, which leads the examiner to believe that anti-forensic measures may have been used on this specific file and that additional analysis of it is required. When an anomaly like this is seen in an investigation it is a sign of possible data tampering by the user, and the examiner must perform additional analysis on the file in order to confirm or dismiss that suspicion.
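The offset comparison described above (a tool that prints local time against one that prints UTC) can also be done directly against the three FILETIME fields in the link's 76-byte ShellLinkHeader, which store no time zone at all. The Python below is an added example and is not code from the report or from any of the three tools; the header bytes and the "local time" renderings are constructed here (labelled hypothetical in the comments) and the field layout follows MS-SHLLINK section 2.1. The local values are chosen to mirror the Sunset.jpg.lnk observation of two timestamps at UTC -7 and one at UTC +5.

```python
import struct
from datetime import datetime, timedelta, timezone

# --- ShellLinkHeader (MS-SHLLINK section 2.1): 76 bytes, little-endian ---
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# CLSID 00021401-0000-0000-C000-000000000046 as it is stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_FMT = "<I16sIIQQQIiIHHII"   # size, CLSID, flags, attrs, 3 FILETIMEs, file size, rest
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 76


def filetime_to_utc(ft):
    """A FILETIME counts 100-ns intervals since 1601-01-01 UTC; no time zone is stored."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_header(created, accessed, written, file_size, attrs=0x20):
    """Constructed (hypothetical) sample header; only the timestamps and size are meaningful."""
    return struct.pack(HEADER_FMT, HEADER_LEN, LNK_CLSID, 0, attrs,
                       utc_to_filetime(created), utc_to_filetime(accessed),
                       utc_to_filetime(written), file_size, 0, 1, 0, 0, 0, 0)


def parse_header(data):
    """Return the header fields the lab's tools print, with the MAC times as UTC datetimes."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short for a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize,
     _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if size != HEADER_LEN or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link header")
    return {"link_flags": flags, "file_attributes": attrs, "file_size": fsize,
            "created": filetime_to_utc(ctime), "accessed": filetime_to_utc(atime),
            "modified": filetime_to_utc(wtime)}


def timestamp_offsets(utc_times, local_times):
    """Whole-hour offset of each local-time rendering (a naive datetime, as a tool that
    converts to the host's local time would print it) from the UTC value in the header."""
    offsets = {}
    for key, utc_dt in utc_times.items():
        delta = local_times[key] - utc_dt.replace(tzinfo=None)
        offsets[key] = round(delta.total_seconds() / 3600)
    return offsets


def offsets_consistent(offsets):
    """All three MAC times should sit at the same offset; anything else merits a closer look."""
    return len(set(offsets.values())) == 1


# Constructed sample values (hypothetical, not taken from the lab's files), chosen so that
# two timestamps read as UTC-7 and one as UTC+5, like the report's Sunset.jpg.lnk case.
SAMPLE_UTC = {
    "created":  datetime(2012, 9, 21, 1, 40, 2, tzinfo=timezone.utc),
    "accessed": datetime(2012, 9, 21, 1, 40, 2, tzinfo=timezone.utc),
    "modified": datetime(2012, 9, 20, 22, 15, 0, tzinfo=timezone.utc),
}
SAMPLE_LNK = build_header(SAMPLE_UTC["created"], SAMPLE_UTC["accessed"],
                          SAMPLE_UTC["modified"], file_size=71189)
SAMPLE_LOCAL = {                      # what a local-time tool printed (constructed)
    "created":  datetime(2012, 9, 20, 18, 40, 2),
    "accessed": datetime(2012, 9, 20, 18, 40, 2),
    "modified": datetime(2012, 9, 21, 3, 15, 0),
}


def check_sample():
    """Parse the constructed header and compare its UTC times against the local renderings."""
    parsed = parse_header(SAMPLE_LNK)
    utc = {k: parsed[k] for k in ("created", "accessed", "modified")}
    return timestamp_offsets(utc, SAMPLE_LOCAL)


if __name__ == "__main__":
    offsets = check_sample()
    print(offsets)        # {'created': -7, 'accessed': -7, 'modified': 5}
    print("consistent" if offsets_consistent(offsets) else "offset mismatch: examine further")
```

Because the header stores plain FILETIMEs, any per-timestamp difference in offset comes from the values themselves rather than from the tool's conversion, which is why reading the raw fields is the quickest way to confirm what two tools with different time-zone handling appear to disagree about.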
When the examiner ran lnkanalyser.exe on the link files, it provided information about each file's "Tracker Data Block," which contains information unique to that link file. An example of the Tracker Data Block is shown in figure 6, and its fields are explained in table 2.
Figure 6: Tracker Data Block for temp.lnk
Field                           Value                               Explanation
MachineId                       vernmcc-965f0ee                     Name of the local machine that created the link file
NewVolumeId                     225ED670286A3846BD4A2A8C1314D862    Current volume where the file is stored
NewObjectId                     0FAB4C438D03E2118B46000C2901A78E    Current ID associated with the file
NewObjectId Timestamp           9/21/2012 1:40:02 AM                Current file's creation timestamp
NewObjectId Sequence Number     2886                                Sequence in which the file was created
NewObjectId MAC Address         00:0C:29:01:A7:8E                   MAC address of the host computer
BirthVolumeId                   225ED670286A3846BD4A2A8C1314D862    Original volume ID assigned to the created file
BirthObjectId                   0FAB4C438D03E2118B46000C2901A78E    Original object ID assigned in the MFT for the created file
BirthObjectId Timestamp         9/21/2012 1:40:02 AM                Original timestamp assigned to the created file
BirthObjectId Sequence Number   2886                                Original sequence number assigned to the created file
BirthObjectId MAC Address       00:0C:29:01:A7:8E                   Original MAC address assigned to the created file
Table 2: Tracker Data Block Details Explained
By analyzing the information contained within the Tracker Data Block the examiner can recover additional useful metadata about the link file, which adds to the insight gained from the data already parsed by the other forensic tools.
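As an added example (not code from the report or from lnkanalyser.exe), the Python below re-packs the temp.lnk values from Table 2 into the on-disk TrackerDataBlock layout (MS-SHLLINK section 2.5.10), parses the block back, and decodes the ObjectId as the version-1 UUID it is; the timestamp, sequence number and MAC address that Table 2 lists are exactly the three fields such a UUID embeds. The "moved" case at the end uses a constructed placeholder volume ID (labelled hypothetical) that is not from the lab.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# --- TrackerDataBlock (MS-SHLLINK section 2.5.10): 0x60 bytes, signature 0xA0000003 ---
TRACKER_SIGNATURE = 0xA0000003
TRACKER_SIZE = 0x60
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)   # origin of the RFC 4122 v1 clock

# Values the report lists for temp.lnk (Figure 6 / Table 2), in on-disk byte order.
MACHINE_ID = b"vernmcc-965f0ee"
VOLUME_ID = bytes.fromhex("225ED670286A3846BD4A2A8C1314D862")
OBJECT_ID = bytes.fromhex("0FAB4C438D03E2118B46000C2901A78E")
# Constructed placeholder (hypothetical) volume ID, used only to show a moved file.
OTHER_VOLUME_ID = bytes.fromhex("00112233445566778899AABBCCDDEEFF")


def build_tracker_block(machine_id, new_vol, new_obj, birth_vol, birth_obj):
    """Re-pack the fields into the block layout so the parser below has real input."""
    return (struct.pack("<IIII16s", TRACKER_SIZE, TRACKER_SIGNATURE, 0x58, 0, machine_id)
            + new_vol + new_obj + birth_vol + birth_obj)


def decode_object_id(raw16):
    """An ObjectId is a version-1 UUID stored little-endian; its 60-bit timestamp,
    14-bit clock sequence and 48-bit node (the NIC's MAC) are the values Table 2 shows."""
    u = uuid.UUID(bytes_le=raw16)
    if u.version != 1:
        raise ValueError("ObjectId is not a time-based UUID")
    return {
        "guid": str(u),
        "timestamp": UUID_EPOCH + timedelta(microseconds=u.time // 10),
        "sequence": u.clock_seq,
        "mac": ":".join(f"{(u.node >> shift) & 0xFF:02X}" for shift in range(40, -1, -8)),
    }


def parse_tracker_block(data):
    """Parse one TrackerDataBlock and decode both Droid object IDs."""
    if len(data) < TRACKER_SIZE:
        raise ValueError("too short for a TrackerDataBlock")
    size, sig, length, _version, machine = struct.unpack_from("<IIII16s", data, 0)
    if size != TRACKER_SIZE or sig != TRACKER_SIGNATURE or length != 0x58:
        raise ValueError("not a TrackerDataBlock")
    new_vol, new_obj = data[32:48], data[48:64]        # Droid: current volume + object
    birth_vol, birth_obj = data[64:80], data[80:96]    # DroidBirth: as first assigned
    return {
        "machine_id": machine.rstrip(b"\0").decode("ascii"),
        "new_volume_id": new_vol.hex().upper(),
        "new_object": decode_object_id(new_obj),
        "birth_volume_id": birth_vol.hex().upper(),
        "birth_object": decode_object_id(birth_obj),
        # A difference between the current and birth identifiers means the file no
        # longer sits where the tracking IDs were first assigned, i.e. it was moved.
        "moved": (new_vol, new_obj) != (birth_vol, birth_obj),
    }


SAMPLE_BLOCK = build_tracker_block(MACHINE_ID, VOLUME_ID, OBJECT_ID, VOLUME_ID, OBJECT_ID)
MOVED_BLOCK = build_tracker_block(MACHINE_ID, VOLUME_ID, OBJECT_ID, OTHER_VOLUME_ID, OBJECT_ID)

if __name__ == "__main__":
    info = parse_tracker_block(SAMPLE_BLOCK)
    print(info["machine_id"], info["new_object"]["timestamp"], info["new_object"]["sequence"],
          info["new_object"]["mac"], "moved" if info["moved"] else "not moved")
```

For temp.lnk the birth and current identifiers are identical, so the block reports the file as not moved, and the ObjectId decodes to 2012-09-21 01:40:02 UTC, clock sequence 2886 and node 00:0C:29:01:A7:8E, matching the lnkanalyser.exe output in Table 2. The node field is also why the Tracker Data Block can name the machine: it carries the MAC address of the NIC that generated the ID.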
Conclusion
After completing the analysis of the link files with the various parsing tools, the examiner gained further insight into and understanding of the full capabilities of each tool. Throughout the lab the examiner exercised each of the parsing tools on each of the link files in order to collect their metadata, and with these findings was able to compare the output of the tools and verify the metadata they reported. Through the use of several parsing tools the examiner was able to determine the link files' MAC times, working paths, volume ID and serial number, file sizes, and machine ID, and to determine whether a file had been moved from its original location. By understanding the capabilities of each tool and what its output metadata means, the examiner was able to determine the local machine's time zone offset as UTC -7, and to discover possible evidence of data tampering on one of the provided link files. Now understanding what metadata can be stored in link files, the examiner understands the importance of using parsing tools to analyze the link files discovered during a forensic investigation.
Appendix A
Figure 7: Win7 SP1: lnk-parse-1.0.pl – Mawg.jpg.lnk
Figure 8: Win7 SP1: lslnk.pl – Mawg.jpg.lnk
Figure 9: Win7 SP1: lnkanalyser.exe – Mawg.jpg.lnk
Figure 10: Ubuntu: lnk-parse-1.0.pl – Mawg.jpg.lnk
Figure 11: Ubuntu: lslnk.pl – Mawg.jpg.lnk
Figure 12: Win7 SP1: lnk-parse-1.0.pl – Sample Pictures.lnk
Figure 13: Win7 SP1: lslnk.pl – Sample Pictures.lnk
Figure 14: Win7 SP1: lnkanalyser.exe – Sample Pictures.lnk
Figure 15: Ubuntu: lnk-parse-1.0.pl – Sample Pictures.lnk
Figure 16: Ubuntu: lslnk.pl – Sample Pictures.lnk
Figure 17: Win7 SP1: lnk-parse-1.0.pl – Sunset.jpg.lnk
Figure 18: Win7 SP1: lslnk.pl – Sunset.jpg.lnk
Figure 19: Win7 SP1: lnkanalyser.exe – Sunset.jpg.lnk
Figure 20: Ubuntu: lnk-parse-1.0.pl – Sunset.jpg.lnk
Figure 21: Ubuntu: lslnk.pl – Sunset.jpg.lnk
Figure 22: Win7 SP1: lnk-parse-1.0.pl – temp.lnk
Figure 23: Win7 SP1: lslnk.pl – temp.lnk
Figure 24: Win7 SP1: lnkanalyser.exe – temp.lnk
Figure 25: Ubuntu: lnk-parse-1.0.pl – temp.lnk
Figure 26: Ubuntu: lslnk.pl – temp.lnk