Digital Forensics
Lecture 6
Application Analysis
Current, Relevant Topics
• HP’s private investigators fraudulently used the identities of the victims to get login credentials to access online telephone records without authorization.
• Title 18 Section 1030(a)(4) – felony!
• The investigation resulted in unauthorized use of AT&T's
computer systems by third-party investigators to gain access to
the phone records of seven board members, nine reporters, and
two HP employees. While such techniques fall under the broad
category of deception to gain information, or "pretexting,"
computer crime statutes clearly define the activity as
unauthorized access, or "hacking." The investigators also
tailed several directors and reporters and sent forged
documents to one reporter that would phone home the Internet
address of anyone to whom the reporter forwarded the
document.
Robert Lemos, SecurityFocus 2006-09-22
This Week’s Presentations
• Moses Schwartz: Email Analysis - Client and Web
• Johnathan Ammons: Web Analysis
• James Guess: IRC Analysis
Next Week’s Presentations
• Kelcey Tietjen: Wireless Network Traffic
• David Burton: Collection and Analysis of Network Traffic
• David Burton: Network Devices: Routers, Switches, … (EC)
Lecture Overview
[Process diagram: Legal/Policy; Preparation → Collection → Analysis → Findings/Reporting/Evidence Action]
• Application Analysis Overview
• E-mail
• Web Browsers
• Microsoft Word
• Portable Document Format
• Tools et cetera
Module 1
Application Analysis Overview
Types of Hidden Application Data
• Metadata
– information about a file or its contents that software stores in the file
• Hidden Data
– content the author or editors add to files that may be hidden in some circumstances
• Really Hidden Files
– files you can not find with Explorer at all and can only find with DOS if you know where to look
Module 2
E-mail
What data may be found?
What can be found?
• Sender
• Date / Time
• Subject
• Communication Path
• Contents
Client-based E-mail
• MS Outlook PST
– ReadPST ↑ will convert the PST into RFC-compliant UNIX mail
• MS Outlook Express
– readDBX ↑ will extract the contents of DBX files into RFC-compliant UNIX mail
• UNIX E-mail
– grep expression on the simple text file
↑from SourceForge
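Once a mailbox is in RFC-compliant UNIX mail form (ReadPST/readDBX output or a native spool), the sender, date/time, subject and communication path can be pulled from the headers rather than grepped by hand. The following is an added Python example, not from the lecture; the message, hosts and addresses in it are constructed placeholders.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message as it sits in a UNIX mbox spool (hosts and
# addresses are placeholders, not from any real case).
SAMPLE_MESSAGE = (
    "From alice@example.org Mon Sep 18 10:02:11 2006\n"
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
    "    by mx.victim.test (Postfix) with ESMTP id 1A2B3C\n"
    "    for <bob@victim.test>; Mon, 18 Sep 2006 10:02:10 -0600\n"
    "Received: from [192.0.2.55] (unknown [192.0.2.55])\n"
    "    by mail.example.org (Postfix) with ESMTP id 9F8E7D;\n"
    "    Mon, 18 Sep 2006 10:02:05 -0600\n"
    "From: Alice <alice@example.org>\n"
    "To: bob@victim.test\n"
    "Subject: Board minutes\n"
    "Date: Mon, 18 Sep 2006 10:02:00 -0600\n"
    "\n"
    "Please see attached.\n"
)

# One Received hop reads "from <src> ... by <dst> ...". The bracketed IP is what
# the receiving MTA observed and is the part the sending side cannot rewrite.
HOP_RE = re.compile(r"from\s+(?P<src>\S+)(?P<rest>.*?)\bby\s+(?P<dst>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_message(raw):
    """Return sender, date/time, subject and communication path of one message."""
    if raw.startswith("From "):              # drop the mbox envelope line
        raw = raw.split("\n", 1)[1]
    msg = message_from_string(raw, policy=policy.default)
    path = []
    # Each MTA prepends its own Received header, so reverse to get oldest hop first.
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())     # unfold continuation lines
        m = HOP_RE.search(text)
        if m:
            ip = IP_RE.search(m.group("src") + m.group("rest"))
            path.append({"from": m.group("src"), "by": m.group("dst"),
                         "ip": ip.group(1) if ip else None})
        else:                                 # keep unparsed hops visible
            path.append({"raw": text})
    date = msg["Date"]
    return {"sender": parseaddr(str(msg["From"]))[1],
            "date": parsedate_to_datetime(str(date)).isoformat() if date else None,
            "subject": str(msg["Subject"]), "path": path}
```

The From/Date/Subject headers are whatever the sender wrote; the Received chain is the evidence of the path, read from the bottom (oldest hop) up.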
Client-based E-mail
• Netscape Navigator
– grep expression on the simple text file
• AOL
– proprietary format: PFC
– E-mail Examiner, EnCase, FTK
– FTK decodes email archive, retrieves e-mail and other information such as favorites
Web-based E-mail
• Yahoo
– recover e-mail from Internet cache
– files that contain rendered html that was on screen
• ShowFolder – lists subject lines, sender alias, message dates, and sizes
• ShowLetter – opened e-mail
• Compose – e-mail to which the user is replying before any modification is done
– search
• input type=hidden name=Body value=
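The hidden Body field in a cached Compose page holds the message being replied to, entity-encoded on disk. This added Python example (not from the lecture; the cached page is constructed) extracts every hidden form field so the analyst gets the decoded text rather than a raw grep hit.

```python
from html.parser import HTMLParser

# Constructed fragment of a cached Yahoo! Mail "Compose" page, the kind found
# among rendered HTML in the Internet cache. Not taken from a real cache.
CACHED_COMPOSE_HTML = """<html><body>
<form name="Compose" method="post" action="Compose">
<input type=hidden name=Action value=Send>
<input type=hidden name=ToAddress value="bob@example.net">
<input type="hidden" name="Subj" value="Re: Board minutes">
<input type=hidden name=Body value="&gt; Please see attached.&#10;&gt; -- Alice&#10;&#10;Will do.">
<input type="submit" value="Send">
</form></body></html>"""


class HiddenInputCollector(HTMLParser):
    """Collect every <input type=hidden> as name -> value.

    HTMLParser accepts the unquoted attributes Yahoo! emitted and already
    decodes character references, so values come back as the text the
    page carried, not the entity-encoded form stored on disk."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)                      # attribute names are lowercased
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def hidden_fields(html):
    """Return all hidden form fields of a cached page as a dict."""
    parser = HiddenInputCollector()
    parser.feed(html)
    parser.close()
    return parser.hidden


def recovered_reply_body(html):
    """The quoted message Yahoo! stored in the hidden Body field, i.e. the
    e-mail being replied to before the user changed anything."""
    return hidden_fields(html).get("Body")
```

The same collector works on the Hotmail compose and getmsg cache files, which carry their own set of hidden fields.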
Web-based E-mail
• Hotmail
– use the same tools to find information in files
• Hotmail
• doaddress
• getmsg – the e-mail message
• compose
• calendar
– search
• /cgi-bin/dasp/E?N?/?hotmail_+#+.css\
Module 3
Web Browsers
What metadata and hidden data may be found?
Web Browsers
• Internet Explorer
– Cookies\index.dat – audit trail for installed cookies
– Local Settings\History\History.IE5\index.dat – history for the last day IE was used
– Local Settings\History\History.IE5\MSHistXXXXXXXXXXX\index.dat – history rollup for older usage
– Local Settings\Temporary Internet Files\Content.IE5\index.dat – audit trail for include files
– UserData\index.dat – audit trail for automatic Windows accesses to the internet
NOTE: Files in C:\Documents and Settings\<username>
Pasco – converts the data into a tab-delimited format (Foundstone)
Web Browsers
• Internet Explorer - Cookies
– Cookies\index.dat – audit trail for installed cookies
– Fields of metadata
• SITE – URL that the cookie came from
• VARIABLE – name stored in cookie
• VALUE – value stored
• CREATION TIME – time of cookie creation
• EXPIRE TIME – time of cookie expiration
• FLAGS – flags set for the cookie
galleta – converts the data into a tab-delimited format (Foundstone)
Web Browsers
• Mozilla / Firefox
– MORK – Mozilla history format (Mork.pl utility)
– Windows
• Application Data\Mozilla\Profiles\<profile name>\history.dat
– Linux
• ~/.Mozilla/Profiles/<profile name>/history.dat
– gives access time, # accesses, URL
– tools can provide more information, e.g., NetAnalysis
Web Browsers
• Mozilla / Firefox - Cookies
– cookies.txt in the profiles directory
– human readable
• web site of origin
• variable name
• value
• etc.
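Because cookies.txt is plain text, its seven tab-separated fields can be parsed directly. This added Python example (not from the lecture; the cookie file is constructed) reads the file, converts the expiry to a timestamp, keeps malformed lines visible, and answers which cookies would have been sent to a given host.

```python
from datetime import datetime, timezone

# Constructed cookies.txt in the Netscape format that Mozilla/Firefox wrote:
# seven tab-separated fields per cookie, the file an examiner finds in the profile.
SAMPLE_COOKIES_TXT = (
    "# HTTP Cookie File\n"
    "# This is a generated file!  Do not edit.\n"
    "\n"
    ".example.com\tTRUE\t/\tFALSE\t1159000000\tsessionid\tabc123\n"
    "mail.example.net\tFALSE\t/mail\tTRUE\t2000000000\tlogin\tuser%40example.net\n"
    ".tracker.test\tTRUE\t/\tFALSE\t0\ttmp\tx\n"
    "broken line without tabs\n"
)

FIELDS = ("domain", "include_subdomains", "path", "secure", "expires", "name", "value")


def parse_cookies_txt(text):
    """Parse cookies.txt into one dict per cookie (site of origin, name, value...).

    Comment and blank lines are skipped. A malformed line is kept under 'raw'
    rather than dropped, so nothing disappears from the examiner's view."""
    cookies = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            cookies.append({"line": lineno, "raw": line})
            continue
        c = dict(zip(FIELDS, parts))
        c["line"] = lineno
        c["include_subdomains"] = c["include_subdomains"] == "TRUE"
        c["secure"] = c["secure"] == "TRUE"
        exp = int(c["expires"])
        # An expiry of 0 marks a session cookie; everything else is a UNIX timestamp.
        c["expires"] = datetime.fromtimestamp(exp, timezone.utc) if exp else None
        cookies.append(c)
    return cookies


def cookies_for_host(cookies, host):
    """Cookies whose domain scope covers `host` (leading dot = host and subdomains)."""
    matched = []
    for c in cookies:
        d = c.get("domain")
        if d is None:
            continue
        if host == d.lstrip(".") or (d.startswith(".") and host.endswith(d)):
            matched.append(c)
    return matched
```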
Web Browsers
• Mozilla / Firefox – Cache browsing
– make the cache read-only
– fire up Mozilla
– enter URL about:cache
Web-based E-mail
• NoTrax
– Secure Anonymous Stand Alone Tabbed Web Browser.
– Blowfish encryption of cache & erases the cache during and after each browser session using secure deletion methods.
– Erases Cookies during and after each browser session using secure deletion methods.
– Erases the Windows Swap file on shutdown.
– No log files created.
Module 4
Microsoft Word
What metadata and hidden data may be found?
MS Word
• metadata
– Older versions – quick save data
• every file name saved under
• run “strings –u” to get names
– If document won’t open, then metadata may have been modified
– who edited document
– file path
– version of Word used
– when created
– GUID (MAC based) of machine used to create
• hidden data
• look in binary editor
• open and use undo
– Word 97 – MAC address
• PID_GUID
– Excel spreadsheet
• when you drag data you get the entire spreadsheet
• change .doc to .xls and open
– full images
• when a frame is shrunken
– Beware of track changes
• when matches background color
Module 5
Portable Document Format (PDF)
PDF
• metadata
– under document properties
– document title
– author
– subject
– creation date
– creation program
• hidden data
– text with background set to the same color as text
– very large or small fonts
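The document-properties fields live in the PDF's Info dictionary as /Key (value) pairs, with dates in the D:YYYYMMDDHHmmSS form. This added Python example (not from the lecture; the PDF bytes are constructed) pulls those fields from the raw file and converts the PDF date strings, so the creation program and creation date can be read without opening the file in a viewer.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed minimal PDF with an Info dictionary; the Document Properties
# shown by a viewer come from exactly these /Key (value) pairs.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
5 0 obj
<< /Title (Board minutes \\(draft\\)) /Author (A. Smith) /Subject (Q3 review)
   /Creator (Microsoft Word) /Producer (Acrobat Distiller 6.0)
   /CreationDate (D:20060918100200-06'00') /ModDate (D:20060922) >>
endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF"""

# Only literal (...) strings are handled here; hex <...> strings are not.
KEY_RE = re.compile(rb"/(Title|Author|Subject|Creator|Producer|CreationDate|ModDate)"
                    rb"\s*\(((?:\\.|[^\\)])*)\)")
DATE_RE = re.compile(r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
                     r"(?:([+\-Z])(\d{2})?'?(\d{2})?)?")


def parse_pdf_date(s):
    """Convert a PDF date string D:YYYYMMDDHHmmSSOHH'mm' into a datetime.
    Missing parts default to month/day 1 and 00:00; no offset -> naive result."""
    m = DATE_RE.match(s)
    if not m:
        return None
    y, mo, d, h, mi, sec, sign, oh, om = m.groups()
    tz = None
    if sign in ("+", "-"):
        off = timedelta(hours=int(oh or 0), minutes=int(om or 0))
        tz = timezone(-off if sign == "-" else off)
    elif sign == "Z":
        tz = timezone.utc
    return datetime(int(y), int(mo or 1), int(d or 1), int(h or 0),
                    int(mi or 0), int(sec or 0), tzinfo=tz)


def pdf_info(data):
    """Return the Info-dictionary metadata (title, author, subject, creation
    date, creating program) found anywhere in the raw PDF bytes."""
    info = {}
    for key, raw in KEY_RE.findall(data):
        # Undo the literal-string escapes for parentheses and backslashes.
        val = re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")
        key = key.decode()
        info[key] = parse_pdf_date(val) if key.endswith("Date") else val
    return info
```

Scanning the whole file rather than only the object the trailer points to also surfaces stale Info dictionaries left behind by incremental updates.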
Module 6
Tools, et cetera
Tools & Claims
• SecretExplorer
– locate web form autocomplete data for IE, passwords for websites, Outlook account and identity passwords, dial-up passwords
• Document Inspector
– search for hidden content: comments, revisions, versions, annotations, document properties, personal information, XML data, headers, footers, watermarks, hidden text
Tools & Claims, cont.
• Document Detective
– search for and remove hidden data: color on color text, thumbnails, bookmarks, very large or small images, very large or small fonts in MS Word, Excel, and PowerPoint
• snipurl.com/3osw
– delete hidden text and comments
• rdhtool
– Office 2003 tool to strip all metadata
File Formats
• How do we find file format information for (proprietary) files?
– Wotsit
• http://www.wotsit.org/search.asp
Module 7
IRC
IRC (Internet Relay Chat)
• Many platforms
– Amiga, Atari, BeOS, Java, Unix, Windows, PalmOS, OS/2, Mozilla, etc…
– Over 150 different client programs
• mIRC advertised for Windows
• Network application
• IRC Proxies
IRC
• Channels
– Listed or Unlisted
• DCC – direct client connection
– Private communications
– File exchanges
– Bypasses IRC server
• Little evidence on server
IRC
• Log files
– Usually user configured
– Browser cache can contain info
• Identify IRC clients
• Network information
– Routes, connections
– Port 6667 (default, can be anything)
• Tools
– msgsnarf – Knoppix
– DataGrab – LE, now obsolete
Questions?
After all, you are an investigator