Digital Forensics
Lecture 6
Application Analysis
Current, Relevant Topics
• HP’s private investigators fraudulently used the identities of the victims to get login credentials to access online telephone records without authorization.
• Title 18 Section 1030(a)(4) – felony!
• The investigation resulted in unauthorized use of AT&T's computer systems by third-party investigators to gain access to the phone records of seven board members, nine reporters, and two HP employees. While such techniques fall under the broad category of deception to gain information, or "pretexting," computer crime statutes clearly define the activity as unauthorized access, or "hacking." The investigators also tailed several directors and reporters and sent forged documents to one reporter that would phone home the Internet address of anyone to whom the reporter forwarded the document.
Robert Lemos, SecurityFocus 2006-09-22
This Week’s Presentations
• Moses Schwartz: Email Analysis - Client and Web
• Johnathan Ammons: Web Analysis
• James Guess: IRC Analysis
Next Week’s Presentations
• Kelcey Tietjen: Wireless Network Traffic
• David Burton: Collection and Analysis of Network Traffic
• David Burton: Network Devices: Routers, Switches, … (EC)
Lecture Overview
• Application Analysis Overview
• E-mail
• Web Browsers
• Microsoft Word
• Portable Document Format
• Tools et cetera
(Process diagram: Legal/Policy; Preparation → Collection → Analysis → Findings/Evidence → Reporting/Action)
Module 1
Application Analysis Overview
Types of Hidden Application Data
• Metadata
– information about a file or its contents that software stores in the file
• Hidden Data
– content the author or editors add to files that may be hidden in some circumstances
• Really Hidden Files
– files you cannot find with Explorer at all and can only find with DOS if you know where to look
Module 2
E-mail
What data may be found?
What can be found?
• Sender
• Date / Time
• Subject
• Communication Path
• Contents
Client-based E-mail
• MS Outlook PST
– ReadPST ↑ will convert the PST into RFC-compliant UNIX mail
• MS Outlook Express
– readDBX ↑ will extract the contents of a DBX file into RFC-compliant UNIX mail
• UNIX E-mail
– grep expression on the simple text file
↑ from SourceForge
Client-based E-mail
• Netscape Navigator
– grep expression on the simple text file
• AOL
– proprietary format: PFC
– E-mail Examiner, EnCase, FTK
– FTK decodes the email archive, retrieves e-mail and other information such as favorites
Web-based E-mail
• Yahoo
– recover e-mail from the Internet cache
– files that contain the rendered HTML that was on screen
• ShowFolder – lists subject lines, sender alias, message dates, and sizes
• ShowLetter – opened e-mail
• Compose – e-mail to which the user is replying, before any modification is done
– search
• input type=hidden name=Body value=
Web-based E-mail
• Hotmail
– use the same tools to find information in files
• Hotmail
• doaddress
• getmsg – the e-mail message
• compose
• calendar
– search
• /cgi-bin/dasp/E?N?/?hotmail_+#+.css
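Once ReadPST or readDBX has produced RFC-compliant mail, the fields this module lists (sender, date/time, subject, communication path) come out of the headers. The following is an added example, not part of the lecture: it parses a constructed message with Python's standard email module, rebuilds the delivery path from the Received headers (each relay prepends its own, so the bottom one is the origin), and flags hops whose timestamps run backwards or whose hand-off hosts do not match. Every host, address and timestamp in the sample is invented.

```python
import email
import re
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample in the RFC 822 form that readpst/readdbx emit; every
# host, address, id and timestamp below is invented for this example.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.net with ESMTP id abc123
\tfor <bob@example.net>; Fri, 22 Sep 2006 14:05:31 -0400
Received: from [198.51.100.7] (helo=laptop.lan)
\tby mx.example.org with ESMTP id xyz789;
\tFri, 22 Sep 2006 14:05:02 -0400
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: Board minutes
Date: Fri, 22 Sep 2006 14:04:50 -0400
Message-ID: <20060922180450.GA1234@laptop.lan>

Please find the minutes attached.
"""

RECEIVED_FROM = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
RECEIVED_BY = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: header into its from/by hosts, IP and timestamp."""
    flat = " ".join(str(value).split())          # undo header folding
    clause, _, stamp = flat.rpartition(";")      # the date follows the last ';'
    from_m = RECEIVED_FROM.search(clause)
    by_m = RECEIVED_BY.search(clause)
    ip_m = RECEIVED_IP.search(clause)
    try:
        when = parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):
        when = None                              # malformed or missing date
    return {
        "from": from_m.group(1) if from_m else None,
        "from_ip": ip_m.group(1) if ip_m else None,
        "by": by_m.group(1) if by_m else None,
        "time": when,
    }


def summarize(raw):
    """Extract sender, date/time, subject and the relay path from one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()   # each relay prepends its header, so the last one is the origin
    return {
        "sender": str(msg["From"]),
        "date": parsedate_to_datetime(str(msg["Date"])),
        "subject": str(msg["Subject"]),
        "path": hops,
    }


def check_path(hops):
    """Report hand-off mismatches and backwards timestamps along the path.

    Either one means a relay clock is off or a header was inserted by hand;
    both deserve a closer look before the path is treated as evidence.
    """
    problems = []
    for i in range(len(hops) - 1):
        cur, nxt = hops[i], hops[i + 1]
        if cur["by"] and nxt["from"] and cur["by"] != nxt["from"]:
            problems.append(f"hop {i}: {cur['by']} handed off, but hop {i + 1} claims from {nxt['from']}")
        if cur["time"] and nxt["time"] and nxt["time"] < cur["time"]:
            problems.append(f"hop {i + 1}: timestamp earlier than hop {i}")
    return problems


if __name__ == "__main__":
    summary = summarize(SAMPLE_MESSAGE)
    print("Sender:", summary["sender"])
    print("Date:", summary["date"].isoformat())
    print("Subject:", summary["subject"])
    for n, hop in enumerate(summary["path"]):
        print(f"hop {n}: {hop['from']} ({hop['from_ip']}) -> {hop['by']} at {hop['time']}")
    print("anomalies:", check_path(summary["path"]) or "none")
```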
Module 3
Web Browsers
What metadata and hidden data may be found?
Web Browsers
• Internet Explorer
– Cookies\index.dat – audit trail for installed cookies
– Local Settings\History\History.IE5\index.dat – history for the last day IE was used
– Local Settings\History\History.IE5\MSHistXXXXXXXXXXX\index.dat – history rollup for older usage
– Local Settings\Temporary Internet Files\Content.IE5\index.dat – audit trail for include files
– UserData\index.dat – audit trail for automatic Windows accesses to the internet
Pasco – converts the data into a tab-delimited format (Foundstone)
NOTE: Files in C:\Documents and Settings\<username>
Web Browsers
• Internet Explorer - Cookies
– Cookies\index.dat – audit trail for installed cookies
– Fields of metadata
• SITE – URL that the cookie came from
• VARIABLE – name stored in cookie
• VALUE – value stored
• CREATION TIME – time of cookie creation
• EXPIRE TIME – time of cookie expiration
• FLAGS – flags set for the cookie
galleta – converts the data into a tab-delimited format (Foundstone)
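Added example, not from the lecture and not galleta's own code: a Python parser for the per-site cookie text files IE writes into the Cookies folder, emitting the same six columns galleta does. It assumes the eight-line record layout (name, value, site/path, flags, then the low and high 32-bit halves of the FILETIME expiry and creation times, each record terminated by a line holding only `*`); the sample file and its values are constructed.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100 ns ticks from 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed stand-in for one of the per-site text files under the Cookies
# folder (e.g. alice@example[1].txt); names, values and times are invented.
SAMPLE_COOKIE_FILE = (
    "SESSIONID\n"           # variable
    "a1b2c3d4\n"            # value
    "example.com/\n"        # site (host + path)
    "1536\n"                # flags
    "3415597056\n"          # expire time, low 32 bits of FILETIME
    "29810439\n"            # expire time, high 32 bits
    "2704023552\n"          # creation time, low 32 bits
    "29810238\n"            # creation time, high 32 bits
    "*\n"
    "pref\n"
    "lang=en\n"
    "example.com/account/\n"
    "2048\n"
    "0\n"                   # expire 0/0: session cookie
    "0\n"
    "2704023552\n"
    "29810238\n"
    "*\n"
)


def filetime_to_datetime(low, high):
    """Join the two 32-bit halves of a FILETIME and convert to an aware datetime.

    A zero value means 'not set' (IE writes it for session cookies), so it is
    reported as None rather than as 1601-01-01.
    """
    ticks = (high << 32) | low
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_ie_cookie_file(text):
    """Parse IE's per-site cookie text file into a list of records.

    Each record is eight lines (name, value, site, flags, expire low/high,
    create low/high) followed by a line holding only '*'.
    """
    records = []
    for block in text.split("*\n"):
        lines = block.splitlines()
        if len(lines) < 8:
            continue                       # trailing empty block or truncated record
        name, value, site, flags = lines[:4]
        exp_lo, exp_hi, cre_lo, cre_hi = (int(x) for x in lines[4:8])
        records.append({
            "site": site,
            "variable": name,
            "value": value,
            "creation": filetime_to_datetime(cre_lo, cre_hi),
            "expire": filetime_to_datetime(exp_lo, exp_hi),
            "flags": int(flags),
        })
    return records


def to_tab_delimited(records):
    """Render records with the column set galleta uses."""
    def fmt(dt):
        return dt.strftime("%Y-%m-%d %H:%M:%S UTC") if dt else "session"

    rows = ["SITE\tVARIABLE\tVALUE\tCREATION TIME\tEXPIRE TIME\tFLAGS"]
    for r in records:
        rows.append("\t".join([r["site"], r["variable"], r["value"],
                               fmt(r["creation"]), fmt(r["expire"]), str(r["flags"])]))
    return "\n".join(rows)


if __name__ == "__main__":
    print(to_tab_delimited(parse_ie_cookie_file(SAMPLE_COOKIE_FILE)))
```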
Web Browsers
• Mozilla / Firefox
– MORK – Mozilla history format (Mork.pl utility)
– Windows
• Application Data\Mozilla\Profiles\<profile name>\history.dat
– Linux
• ~/.Mozilla/Profiles/<profile name>/history.dat
– gives access time, # accesses, URL
– tools can provide more information, e.g., NetAnalysis
Web Browsers
• Mozilla / Firefox - Cookies
– cookies.txt in the profiles directory
– human readable
• web site of origin
• variable name
• value
• etc.
Web Browsers
• Mozilla / Firefox – Cache browsing
– make the cache read-only
– fire up Mozilla
– enter URL about:cache
Web-based E-mail
• NoTrax
– Secure Anonymous Stand Alone Tabbed Web Browser.
– Blowfish encryption of cache & erases the cache during and after each browser session using secure deletion methods.
– Erases Cookies during and after each browser session using secure deletion methods.
– Erases the Windows Swap file on shutdown.
– No log files created.
Module 4
Microsoft Word
What metadata and hidden data may be found?
MS Word
• metadata
– Older versions
• every file name the document was saved under
• run “strings -u” to get the names
– If the document won’t open, then the metadata may have been modified
– who edited the document
– file path
– version of Word used
– when created
– GUID (MAC based) of the machine used to create it
• hidden data
– quick save data
• look in a binary editor
• open and use undo
– Word 97 – MAC address
• PID_GUID
– Excel spreadsheet
• when you drag data in, you get the entire spreadsheet
• change .doc to .xls and open
– full images
• when a frame is shrunken
• when the image matches the background color
Beware of track changes
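The PID_GUID and “GUID (MAC based)” bullets refer to version-1 GUIDs: the node field carries the adapter address of the machine that generated the GUID, and the timestamp field records when it was generated. Added example, not from the lecture: Python code that pulls UTF-16LE strings out of raw document bytes (the same idea as `strings -u`) to recover saved-under paths, and decodes any version-1 GUID it finds. The document fragment and the make_v1_guid helper that builds its GUID are constructed for this example; a real .doc is an OLE2 compound file, of which only the string content matters here.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# Version-1 GUIDs count 100 ns ticks from the Gregorian reform date.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

# Printable UTF-16LE runs of six or more characters: what `strings -u` lists.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Brace-delimited GUID text as Word stores it in the _PID_GUID property.
GUID_TEXT = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def unicode_strings(data):
    """Return the printable UTF-16LE strings found in a byte blob."""
    return [m.group(0).decode("utf-16-le") for m in UTF16_RUN.finditer(data)]


def decode_v1_guid(text):
    """Decode what a version-1 GUID reveals: node (MAC), timestamp, clock sequence.

    Returns None for other GUID versions (a v4 GUID is random and leaks nothing).
    """
    g = uuid.UUID(text.strip("{}"))
    if g.version != 1:
        return None
    octets = g.node.to_bytes(6, "big")
    return {
        "mac": ":".join(f"{b:02x}" for b in octets),
        # RFC 4122: a randomly generated node sets the multicast bit, so a
        # clear bit means the value is a real adapter address.
        "hardware_mac": not (octets[0] & 0x01),
        "time": GREGORIAN_EPOCH + timedelta(microseconds=g.time // 10),
        "clock_seq": g.clock_seq,
    }


def word_metadata_from_bytes(data):
    """Pull file-path strings and any decodable v1 GUID out of raw document bytes."""
    strings = unicode_strings(data)
    paths = [s for s in strings if re.match(r"[A-Za-z]:\\", s)]
    guids = []
    for s in strings:
        for m in GUID_TEXT.finditer(s):
            decoded = decode_v1_guid(m.group(0))
            if decoded:
                guids.append(decoded)
    return {"paths": paths, "guids": guids}


def make_v1_guid(when, mac, clock_seq=0x1234):
    """Build a v1 GUID from its parts (constructed test input; inverse of decode_v1_guid)."""
    ts = ((when - GREGORIAN_EPOCH) // timedelta(microseconds=1)) * 10
    node = int(mac.replace(":", ""), 16)
    fields = (ts & 0xFFFFFFFF, (ts >> 32) & 0xFFFF, ((ts >> 48) & 0x0FFF) | 0x1000,
              ((clock_seq >> 8) & 0x3F) | 0x80, clock_seq & 0xFF, node)
    return "{" + str(uuid.UUID(fields=fields)).upper() + "}"


# Constructed stand-in for a fragment of a Word 97 file: OLE2 magic, padding,
# a UTF-16LE save path and a UTF-16LE _PID_GUID value. All values invented.
SAMPLE_TIME = datetime(2006, 9, 22, 12, 0, tzinfo=timezone.utc)
SAMPLE_MAC = "00:0c:29:3a:5b:6c"
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
    + "C:\\Documents and Settings\\alice\\My Documents\\minutes.doc".encode("utf-16-le")
    + b"\x00\x00\xff\xfe"
    + make_v1_guid(SAMPLE_TIME, SAMPLE_MAC).encode("utf-16-le")
    + b"\x00\x00"
)


if __name__ == "__main__":
    info = word_metadata_from_bytes(SAMPLE_DOC)
    for p in info["paths"]:
        print("saved as:", p)
    for g in info["guids"]:
        print("created on machine", g["mac"], "at", g["time"].isoformat(),
              "(hardware address)" if g["hardware_mac"] else "(random node)")
```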
Module 5
Portable Document Format (PDF)
PDF
• metadata
– under document properties
– document title
– author
– subject
– creation date
– creation program
• hidden data
– text with background set to the same color as the text
– very large or small fonts
Module 6
Tools, et cetera
Tools & Claims
• SecretExplorer
– locate web form autocomplete data for IE, passwords for websites, Outlook account and identity passwords, dial-up passwords
• Document Inspector
– search for hidden content: comments, revisions, versions, annotations, document properties, personal information, XML data, headers, footers, watermarks, hidden text
Tools & Claims, cont.
• Document Detective
– search for and remove hidden data: color on color text, thumbnails, bookmarks, very large or small images, very large or small fonts in MS Word, Excel, and PowerPoint
• snipurl.com/3osw
– delete hidden text and comments
• rdhtool
– Office 2003 tool to strip all metadata
File Formats
• How do we find file format information for (proprietary) files?
– Wotsit
• http://www.wotsit.org/search.asp
Module 7
IRC
IRC (Internet Relay Chat)
• Many platforms
– Amiga, Atari, BeOS, Java, Unix, Windows, PalmOS, OS/2, Mozilla, etc…
– Over 150 different client programs
• mIRC advertised for Windows
• Network application
• IRC Proxies
IRC
• Channels
– Listed or Unlisted
• DCC – direct client connection
– Private communications
– File exchanges
– Bypasses IRC server
• Little evidence on server
IRC
• Log files
– Usually user configured
– Browser cache can contain info
• Identify IRC clients
• Network information
– Routes, connections
– Port 6667 (default, can be anything)
• Tools
– msgsnarf – Knoppix
– DataGrab – LE, now obsolete
Questions?
After all, you are an investigator
