NIST Data Leakage 04 Email USB


Investigate Data Leakage

Case
Keywords: emails (libpff), USB
• Evidence is generated from each layer
• User activities = Applications + OS + Device driver + Disk/Memory

https://windsongtraining.ca/the-technology-layer-cake-users-apps-os-and-hardware/
Objectives
• Email forensics (Application Layer)
• Device forensics (Device driver Layer)
18. What application was used for e-mail
communication?
rip.pl installer plugin; grep for Outlook

List of email clients


• https://en.wikipedia.org/wiki/Comparison_of_email_clients
19. Where is the e-mail file located?
20. What was the e-mail account used by
the suspect?

OST (Offline Storage Table)

-r: Recursive on directory entries


-F: Display only files

$ End of string, or end of line in multi-line pattern


21. List all e-mails of the suspect. If possible,
identify deleted e-mails.
• Install email extracting tool: libpff
• Copy .ost file from a DD image
• Extract email via libpff
libpff
• libpff is a library to access the Personal Folder File (PFF) and the Offline Folder File (OFF) formats.
• These formats are used by Microsoft Outlook to store email, contacts and other data.
• Support file types
• PAB (Personal Address Book)
• PST (Personal Storage Table)
• OST (Offline Storage Table)
• https://github.com/libyal/libpff
Install pffexport tool

Verify installation
(Optional) Alternative Installation from
source code
Download libpff via wget

Extract contents of tar.gz


(Optional) Alternative Installation from
source code
Copy email to current directory

Extract emails via pffexport

Verify the default output directory


Access a message in suspect’s Mailbox
IPM_SUBTREE: the interpersonal message, or IPM, subtree. Created by MAPI. It contains:
• Inbox
• Outbox
• Sent Items
• Deleted Items

Messaging Application Programming Interface (MAPI) creates a tree of folders beneath the root folder of a message store for all clients that send messages to and receive messages from human, rather than computer, recipients.
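Once pffexport has written its output, the folders above (Inbox, Sent Items, Deleted Items) become directories on disk, and question 21 asks for a list of all e-mails plus the deleted ones. The following Python is an added example, not part of the deck or of libpff: it assumes pffexport's layout (an <input>.export tree for the live store and an <input>.recovered tree for items libpff recovered, each message in a MessageNNNNN directory holding an InternetHeaders.txt with the RFC 822 headers) and indexes every message, flagging recovered items and anything still in Deleted Items. Instead of the suspect's OST it builds a small constructed tree in a temporary directory; the addresses, subjects and dates in it are made up.

```python
import tempfile
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime
from pathlib import Path
from typing import Dict, List

# Assumption about pffexport's layout: <input>.export/ holds the live folder tree,
# <input>.recovered/ holds items libpff could recover (deleted mail), and every message
# is a MessageNNNNN/ directory containing InternetHeaders.txt with RFC 822 headers.
HEADER_FILE = "InternetHeaders.txt"


def index_pff_output(base: Path) -> List[Dict]:
    """Build one record per exported message, flagging recovered/deleted ones."""
    entries = []
    for top in sorted(base.iterdir()):
        if top.suffix == ".export":
            origin = "export"
        elif top.suffix == ".recovered":
            origin = "recovered"
        else:
            continue  # not a pffexport output directory
        for hdr in sorted(top.rglob(HEADER_FILE)):
            msg = HeaderParser().parsestr(hdr.read_text(encoding="utf-8", errors="replace"))
            folder = hdr.parent.parent.relative_to(top).as_posix()  # e.g. "Top of Personal Folders/Inbox"
            date = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
            entries.append({
                "origin": origin,
                "folder": folder,
                "message_dir": hdr.parent.name,
                "from": msg.get("From", ""),
                "to": msg.get("To", ""),
                "subject": msg.get("Subject", ""),
                "date": date,
                # recovered items, and anything still sitting in Deleted Items, are deletion candidates
                "deleted": origin == "recovered" or "Deleted Items" in folder.split("/"),
            })
    # chronological order; messages without a parseable Date header go last
    entries.sort(key=lambda e: e["date"].timestamp() if e["date"] else float("inf"))
    return entries


# Constructed sample tree (not case data): two live messages and one recovered message.
SAMPLE_MESSAGES = {
    "suspect.ost.export/Top of Personal Folders/Inbox/Message00001":
        "From: Alice Example <alice@example.com>\n"
        "To: informant <informant@example.com>\n"
        "Subject: Meeting notes\n"
        "Date: Mon, 23 Mar 2015 10:15:00 -0400\n"
        "Message-ID: <constructed-1@example.com>\n",
    "suspect.ost.export/Top of Personal Folders/Sent Items/Message00001":
        "From: informant <informant@example.com>\n"
        "To: Alice Example <alice@example.com>\n"
        "Subject: Re: Meeting notes\n"
        "Date: Tue, 24 Mar 2015 09:40:00 -0400\n"
        "Message-ID: <constructed-2@example.com>\n",
    "suspect.ost.recovered/Deleted Items/Message00001":
        "From: informant <informant@example.com>\n"
        "To: Bob Example <bob@example.com>\n"
        "Subject: Expense report\n"
        "Date: Tue, 24 Mar 2015 11:02:00 -0400\n"
        "Message-ID: <constructed-3@example.com>\n",
}


def build_sample_tree(root: Path) -> Path:
    """Write the constructed messages into a pffexport-style directory tree."""
    for rel, headers in SAMPLE_MESSAGES.items():
        msg_dir = root / rel
        msg_dir.mkdir(parents=True, exist_ok=True)
        (msg_dir / HEADER_FILE).write_text(headers, encoding="utf-8")
    return root


def index_sample() -> List[Dict]:
    """Index the constructed tree; with real output call index_pff_output(Path('.')) instead."""
    with tempfile.TemporaryDirectory() as tmp:
        return index_pff_output(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for e in index_sample():
        flag = "DELETED?" if e["deleted"] else "live    "
        print(e["date"], flag, e["origin"], e["folder"], "|", e["subject"])
```

Run it against the directory that contains the `.export` and `.recovered` trees pffexport produced; the `deleted` flag is only a candidate list, since a recovered item may also still exist live, so confirm by matching Message-ID values across both trees.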
Access a message in suspect’s IPM_SUBTREE
Device driver forensics
Device drivers
• A device driver is a software program that allows an operating system to communicate with and control a specific hardware device, such as a printer, scanner, or graphics card.
• It acts as an interface between the hardware and the operating system, providing a standard way for software programs to access and use the device's functions.
• (Layer diagram: Application -> OS -> Device Drivers -> Hardware)
• Two types of device drivers
• bundled with the operating system
• provided by the device manufacturer and installed as part of the operating system's setup process.
• Device drivers are essential for the proper functioning of hardware devices
• Without them, the operating system would not be able to use those devices.
22. List external storage devices attached to PC.
What are we looking for?

Possible Device Name | Volume Name | Serial No. | First Connected Time | Connected Time After Reboot
Answer:
SanDisk Cruzer Fit USB Device | (blank) | 4C530012450531101593 | 2015-03-23 14:31:10 Mon | 2015-03-24 09:38:00 Tue
SanDisk Cruzer Fit USB Device | IAMAN $_@ | 4C530012550531106501 | 2015-03-24 09:58:32 Tue | 2015-03-24 09:58:33 Tue
How does PC recognize a device?

A driver, or device driver, is a set of files that tells a piece of hardware how to function by communicating with a computer's operating system.

1. Manufacturer mails with contains
2. Copy from to
3. Execute
4. Restart
5. Now PC recognizes
22.0 Understand Plug and Play (PnP) Manager
• When a USB is plugged in, the PnP Manager finds the device ID (Hardware ID or Compatible ID)
• PnP receives the event => enumerates devices from the firmware (of a device) => device ID
• PnP locates the appropriate driver for the device
• Queries the device descriptor (.inf) using the device IDs
• PnP loads that driver using the .inf
• Once the device has been identified
• Multiple registry keys will be generated
USB Mass Storage device Class (MSC) communication protocols
Disk, Partition, Volume, Mountpoint
Physical layer
• Vendor, Product, Serial #
• Disk/drive signature (assigned by Win OS)
• Partition start/end sector
Logical layer
• Logical volume: Volume name, Drive letter, Volume serial number XXXX-XXXX (generated when a volume is formatted)
• MountPoints: GUID of path or Volume
• MountedDevices map to MP GUID: \??\Volume{GUID}
What information do we want to examine?
• Time
• First Connected Time (driver installed)
• Time USB Last Attached (Volume)
• Time USB Last Attached after reboot
• Vendor ID / Product ID / Serial #
• User Account
• Volume
• Mounted Volume GUID
• Assigned Volume Drive Letter
Unallocated Space
• Physical space on a hard drive that doesn't belong to a partition.
• No program can write to the space.
• The space doesn't exist to the operating system.
• To use it, either create a new partition using the space or expand an existing partition.
Evidence Source Types
• PnP Logs
• Windows Registry
• System Events
Locations to examine
Location | Time / Volume assigned by Windows | Serial # | Vendor ID | Product ID | Product Serial #
SetupAPI Log | First installed/Connected Time | | √ | √ | √
HKLM\SYSTEM\ControlSet###\Enum\USBSTOR\ | First Connected Time | | √ | √ | √
HKLM\SYSTEM\CurrentControlSet\Enum\USB | Time Last Attached after reboot | | | |
HKU\informant\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\EMDMgmt | | √ | | |
HKU\informant\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\ | User Account that mounted volume, Time USB Last Attached, Volume GUID | | | |
HKLM\SYSTEM\MountedDevices\ | Volume GUID and Assigned Volume | | | |
Locations to examine
• Device (setup) Classes
• HKLM\SYSTEM\ControlSet###\Control\DeviceClasses\{a5dcbf10-6530-11d2-
901f-00c04fb951ed}\
• HKLM\SYSTEM\ControlSet###\Control\DeviceClasses\{53f56307-b6bf-11d0-
94f2-00a0c91efb8b}\
• Volume Info Cache
• HKLM\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache
• System Events
• \Windows\System32\winevt\Logs\System.evtx
22.1 SetupAPI
• The Plug and Play (PnP) manager logs information about device
installation in a plain-text log file to
• Verify the installation of a device
• Troubleshoot device installation problems.
• "device did not install"
• "wrong driver installed"
• "Exit status: FAILURE".
• Implemented in Windows Vista and later versions of Windows,
• Device installation: setupapi.dev.log
• Application installation: setupapi.app.log
• Default location %SystemRoot%\inf
22.1 SetupAPI Log
Find the log file “setupapi.dev.log” in its default location

Extract setupapi.dev.log
Search for USB installation events

Two USB devices are discovered

VID/PID/Serial No:
• Vendor IDentification: 0781
• Product Identification: 5571
• Serial No 1: 4C530012450531101593
• Serial No 2: 4C530012550531106501
Can be used to restrict what USB devices can be utilized
within an environment.
Examine the timestamps of driver installation

serial #

Conclusion:
• Two USBs have been attached to the PC
• OS recognized USBs right after USBs were attached to the PC
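The slides above find the two installs by grepping setupapi.dev.log and reading the section headers by eye. As an added example, not from the deck, the Python below does the same parse: it takes the device ID out of each ">>>  [Device Install ...] - <device id>" header, reads the "Section start" timestamp and the "[Exit status: ...]" line, and reduces the events to one record per serial number with the first connected time and VID/PID. The sample log is constructed; it reuses the VID, PID, serial numbers and timestamps quoted above, and adds a trailing FAILURE section to show how a failed install is reported (the "cmd:" and "dvi:" lines are filler of the kind the real log carries).

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample of setupapi.dev.log; device IDs, serials and times are the deck's.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5571\\4C530012450531101593]
>>>  Section start 2015/03/23 14:31:10.123
      cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
     dvi: {Build Driver List} 14:31:10.401
<<<  Section end 2015/03/23 14:31:11.903
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Fit&Rev_1.26\\4C530012450531101593&0]
>>>  Section start 2015/03/23 14:31:12.010
<<<  Section end 2015/03/23 14:31:13.577
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5571\\4C530012550531106501]
>>>  Section start 2015/03/24 09:58:32.204
<<<  Section end 2015/03/24 09:58:33.120
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5571\\4C530012550531106501]
>>>  Section start 2015/03/24 10:12:05.000
<<<  Section end 2015/03/24 10:12:06.000
<<<  [Exit status: FAILURE]
"""

SECTION_RE = re.compile(r"^>>>\s+\[(?P<what>.+?) - (?P<devid>[^\]]+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
EXIT_RE = re.compile(r"^<<<\s+\[Exit status: (?P<status>[A-Z]+)")
# USB\VID_xxxx&PID_xxxx\<serial>  (bus-level ID, from the device descriptor)
USB_RE = re.compile(r"^USB\\VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})\\(?P<serial>[^\\&]+)", re.I)
# USBSTOR\Disk&Ven_<v>&Prod_<p>&Rev_<r>\<serial>&0  (storage-class ID, same serial)
USBSTOR_RE = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<ven>[^&]+)&Prod_(?P<prod>[^&]+)&Rev_(?P<rev>[^\\]+)\\(?P<serial>[^\\&]+)", re.I)


@dataclass
class InstallEvent:
    device_id: str
    started: Optional[datetime] = None
    status: str = "UNKNOWN"
    vid: Optional[str] = None
    pid: Optional[str] = None
    vendor: Optional[str] = None
    product: Optional[str] = None
    serial: Optional[str] = None


def parse_device_id(ev: InstallEvent) -> None:
    """Fill VID/PID or vendor/product plus serial from the device instance ID."""
    m = USB_RE.match(ev.device_id)
    if m:
        ev.vid, ev.pid, ev.serial = m.group("vid").upper(), m.group("pid").upper(), m.group("serial")
        return
    m = USBSTOR_RE.match(ev.device_id)
    if m:
        ev.vendor, ev.product, ev.serial = m.group("ven"), m.group("prod"), m.group("serial")


def parse_setupapi(text: str) -> List[InstallEvent]:
    """Walk the log line by line, opening an event at each top-level section header."""
    events, current = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = InstallEvent(device_id=m.group("devid"))
            parse_device_id(current)
            events.append(current)
            continue
        if current is None:
            continue
        m = START_RE.match(line)
        if m:
            current.started = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            continue
        m = EXIT_RE.match(line)
        if m:
            current.status = m.group("status")
            current = None  # section closed
    return events


def usb_devices(events: List[InstallEvent]) -> Dict[str, dict]:
    """One record per serial: earliest section start is the first connected time."""
    out: Dict[str, dict] = {}
    for ev in events:
        if ev.serial is None:
            continue
        rec = out.setdefault(ev.serial, {"serial": ev.serial, "vid": None, "pid": None, "vendor": None,
                                          "product": None, "first_connected": None, "statuses": []})
        for field in ("vid", "pid", "vendor", "product"):
            if getattr(ev, field) and rec[field] is None:
                rec[field] = getattr(ev, field)
        if ev.started and (rec["first_connected"] is None or ev.started < rec["first_connected"]):
            rec["first_connected"] = ev.started
        rec["statuses"].append(ev.status)
    return out


if __name__ == "__main__":
    for serial, rec in usb_devices(parse_setupapi(SAMPLE_LOG)).items():
        print(serial, rec["vid"], rec["pid"], rec["vendor"], rec["product"],
              rec["first_connected"], rec["statuses"])
```

Point `parse_setupapi` at the text of an extracted setupapi.dev.log to get the same VID/PID/serial triples and first-connected times the slides read off by hand; the log records local time, so keep it alongside the UTC registry timestamps rather than mixing them.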
22.2 Examine SanDisk Cruzer Fit USB registry
Search for SanDisk Cruzer Fit USB via product ID

Connected Time After Reboot


Lastwrite Time

• 'Z' stands for Zulu time, which is also GMT and UTC
• UTC-> EST convert: - 5 hours
• Note: the timestamps are incorrect (one hour off -6 hours)
22.3 Examine USBStor registry

What is that?
22.4 External Memory Device Management
• When you insert a flash device like a USB key into a system
• EMDMgmt (i.e., a part of ReadyBoost) service looks at the device to determine its
performance characteristics
• e.g., its capabilities, to see if it's suitable for use
• Stores the results of its test in HKLM\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Emdmgmt.
• Contains Volume serial number
• ReadyBoost consists of a service implemented in
• %SystemRoot%\System32\Emdmgmt.dll
• that runs in a Service Host process, and
• %SystemRoot%\System32\Drivers\Ecache.sys
• a volume filter driver,
Volume serial number
• The volume serial number is written to the volume by
Windows each time it is formatted.
• This value is calculated using the current date and
time, and can be easily viewed by opening a command
prompt to the volume (i.e., C:\, D:\, etc.) and typing
the vol command.
22.5 MountPoints2
• A volume mount point is a drive or volume in Windows that is mounted to a folder that uses the NTFS file system.
• A mounted drive is assigned a drive path instead of a drive letter.
• Volume mount points enable you to exceed the 26-drive-letter limitation.
• By using volume mount points, you can graft, or mount, a target partition onto a folder on another physical disk.
• MountPoints2 is a registry entry that stores data about USB devices / removable hard drives
• USB keys (the removable devices seen so far)
• autorun actions for various devices.
• Contains the GUID of a mount point
• May need to correlate the Volume entries to those found in the MountedDevices entries that begin with "\??\Volume{GUID}"
Four mount point GUIDs
22.6 Mounted Devices
• Devices attached to computer
• Persistent volume name
• Drive letter
• GUID (unique internal identifier of a mount point)
• Disk/Drive Signature
• Device types include
• USB storage devices (don’t have to have a drive letter)
• DVD/CDROM
(Figure: folder tree root -> folder1, folder2 -> file1, file2, with a mount point identified by its GUID; one Disk Signature covering Vol 1 and C: Vol 2)
Show MountedDevices using plugin
• The Drive/Disk Signature is a unique ID number that Windows writes to a specific location inside the Master Boot Record (MBR) on the first sector of every hard drive that it sees
• We can use Drive signature to group disk and volumes
• One disk -> multiple volumes
(Screenshot notes: C: is the main partition; Disk has two partitions)
GUID of a mount point


Show MountedDevices using hivexsh
View more details of mounted devices via hivexsh
Little endian, in bytes (hex):
Partition 1: 0x 10,00,00
Partition 2: 0x 06,50,00,00
In sectors (decimal):
Partition 1: 2048
Partition 2: 206848
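The byte-to-sector conversion just shown, together with the "Locations to examine" table earlier (MountedDevices for volume GUID and drive letter, EMDMgmt for the volume serial), can be done in code rather than by reading hivexsh output. This Python is an added example, not from the deck, hivexsh or RegRipper. It assumes the MountedDevices encoding the slides describe (a 12-byte value of little-endian 4-byte disk signature plus 8-byte partition byte offset for MBR volumes, and a UTF-16LE _??_USBSTOR#... device path ending in the {53f56307-...} class GUID for USB volumes), 512-byte sectors, and the EMDMgmt subkey naming convention in which the key name ends with the volume label and the volume serial number in decimal. The registry values are constructed: the SanDisk serial, the IAMAN $_@ label and the class GUID are the deck's; the disk signature, volume GUIDs, device revision and volume serial are placeholders.

```python
import re
import struct
from typing import Dict

SECTOR_SIZE = 512  # assumption: 512-byte sectors, matching the bytes-to-sectors conversion above

# Device path stored for USBSTOR volumes; the trailing GUID is the device interface class.
USBSTOR_RE = re.compile(
    r"^_\?\?_USBSTOR#Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^#]*)"
    r"#(?P<serial>[^&#]+)(?:&\d+)?#\{(?P<class_guid>[0-9a-fA-F-]+)\}$"
)
# Assumption: EMDMgmt subkey names are '<device path><volume label>_<volume serial in decimal>'.
EMDMGMT_RE = re.compile(r"^(?P<device>_\?\?_USBSTOR#.*?\{[0-9a-fA-F-]+\})(?P<label>.*)_(?P<vsn>\d+)$")


def decode_mounted_device(value_data: bytes) -> dict:
    """Decode one MountedDevices value: MBR volume (12 bytes) or USBSTOR device path (UTF-16LE)."""
    if len(value_data) == 12:
        # 4-byte disk signature followed by the 8-byte partition offset, both little endian
        signature, offset = struct.unpack("<IQ", value_data)
        return {"kind": "mbr", "disk_signature": f"{signature:08X}",
                "offset_bytes": offset, "offset_sectors": offset // SECTOR_SIZE}
    text = value_data.decode("utf-16-le").rstrip("\x00")
    m = USBSTOR_RE.match(text)
    if m:
        return {"kind": "usbstor", **m.groupdict()}
    return {"kind": "other", "text": text}


def correlate(mounted_devices: Dict[str, bytes]) -> Dict[str, dict]:
    """Group MountedDevices entries by physical identity: disk signature for MBR disks, serial for USB."""
    groups: Dict[str, dict] = {}
    for name, data in sorted(mounted_devices.items()):
        info = decode_mounted_device(data)
        if info["kind"] == "mbr":
            key = "disk:" + info["disk_signature"]
        elif info["kind"] == "usbstor":
            key = "usb:" + info["serial"]
        else:
            key = "other:" + info["text"]
        g = groups.setdefault(key, {"device": {k: v for k, v in info.items() if not k.startswith("offset")},
                                    "drive_letters": [], "volume_guids": [], "partitions": set()})
        if name.startswith("\\DosDevices\\"):
            g["drive_letters"].append(name[len("\\DosDevices\\"):])
        elif name.startswith("\\??\\Volume{"):
            g["volume_guids"].append(name[len("\\??\\Volume"):])
        if info["kind"] == "mbr":
            g["partitions"].add(info["offset_sectors"])
    for g in groups.values():
        g["partitions"] = sorted(g["partitions"])
    return groups


def parse_emdmgmt_key(key_name: str) -> dict:
    """Recover volume label, XXXX-XXXX volume serial and device serial from an EMDMgmt subkey name."""
    m = EMDMGMT_RE.match(key_name)
    if not m:
        raise ValueError("not a USBSTOR EMDMgmt key: " + key_name)
    vsn = int(m.group("vsn"))
    dev = USBSTOR_RE.match(m.group("device"))
    return {"label": m.group("label"),
            "volume_serial": f"{vsn >> 16:04X}-{vsn & 0xFFFF:04X}",  # the form 'vol' prints
            "serial": dev.group("serial") if dev else None}


# Constructed sample values (placeholders except the SanDisk serial, label and class GUID).
USB_DEVICE_PATH = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Fit&Rev_1.00"
                   "#4C530012550531106501&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
DISK_SIG = bytes.fromhex("c1d2e3f4")
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": DISK_SIG + (0x100000).to_bytes(8, "little"),    # partition 1 above
    "\\DosDevices\\D:": DISK_SIG + (0x6500000).to_bytes(8, "little"),   # partition 2 above
    "\\??\\Volume{11111111-2222-3333-4444-555555555555}": DISK_SIG + (0x6500000).to_bytes(8, "little"),
    "\\DosDevices\\E:": USB_DEVICE_PATH.encode("utf-16-le"),
    "\\??\\Volume{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}": USB_DEVICE_PATH.encode("utf-16-le"),
}
SAMPLE_EMDMGMT_KEY = USB_DEVICE_PATH + "IAMAN $_@_3735928559"


if __name__ == "__main__":
    for key, g in correlate(SAMPLE_MOUNTED_DEVICES).items():
        print(key, "letters:", g["drive_letters"], "guids:", g["volume_guids"],
              "partitions (sectors):", g["partitions"])
    print(parse_emdmgmt_key(SAMPLE_EMDMGMT_KEY))
```

With a real SYSTEM hive, feed `correlate` the MountedDevices value names and raw data (hivexsh `lsval` output or a Python registry library); the USB group's volume GUID is what to look up under the user's MountPoints2, and the drive letter is the key to look for under Windows Search\VolumeInfoCache.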
22.7 Device (setup) classes
• Devices are grouped into a device setup class
• If devices have similar manner of set up and configuration
• SCSI media changer devices are grouped into the MediumChanger device setup
class.
• Microsoft defines setup classes for most devices.
• OEMs can define new device setup classes, but only if none of the existing
classes apply.
• For example, a camera vendor does not have to define a new setup class
because cameras fall under the Image setup class.
• The device setup class GUID defines the ..\CurrentControlSet\Control\
DeviceClass\{ClassGuid} registry key
Show device setup classes and particular devices under the classes

Connected Time After Reboot


22.8 Volume Information Cache
• The Windows Search registry key supports the search function
• VolumeInfoCache is a sub-key of Windows Search
Examine Volume Info Cache from Windows Search

time to write to the registry

Which USB?
check timestamp
Show Volume information Cache using hivexsh
Possible Device Name | Volume Name | Serial No. | First Connected Time (Local time) | Connected Time After Reboot
Answer:
SanDisk Cruzer Fit USB Device | (blank) | 4C530012450531101593 | 2015-03-23 14:31:10 Mon | 2015-03-24 09:38:00 Tue
SanDisk Cruzer Fit USB Device | IAMAN $_@ | 4C530012550531106501 | 2015-03-24 09:58:32 Tue | 2015-03-24 09:58:33 Tue

Considerations - ‘First Connected Time’ can be identified from SetupAPI Log. ( C:\Windows\inf\setupapi.dev.log)
 
HKLM\SYSTEM\MountedDevices\
HKLM\SYSTEM\ControlSet###\Enum\USBSTOR\
HKLM\SYSTEM\ControlSet###\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}\
HKLM\SYSTEM\ControlSet###\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\
……
HKU\informant\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
HKLM\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache\E:
> timestamp: 2015-03-24 09:58:34 Tue
> value: VolumeLabel
> data: ‘IAMAN $_@’
\Windows\System32\winevt\Logs\System.evtx (Event ID: 20001, 20003…)
……
