Forensic Lab 6
CMIT 424: Digital Forensics Analysis and Application
Lab 6: Analysis of Internet and Network Activity
Introduction
In this final lab for the course, you will perform a series of guided practice exercises in which you search for and recover Internet usage information from one or more forensic images and one or more packet capture (PCAP) files as provided by your instructor (see folder H:\CMIT424\Lab6 in the VDA). These exercises are different from earlier labs in the course since there are no step-by-step directions. Instead, you should read the guided practice information and then develop your own approach to performing the required analysis.
Your focus in this lab should be upon finding and documenting answers to the case questions as provided in the lab scenario. Your presentation of your findings should be succinct (clear and concise). This means that you will need to apply your best judgment as to which information should be included in your report and which information should be omitted.
The lab scenario and case questions are your starting point for this investigation. You must develop and execute your own strategy and procedure for conducting the required forensic examination. At a minimum, you should perform the following tasks:
· Document the system configuration for the virtual machine using registry files (computer name, operating system name, operating system version, and installation date, at a minimum).
· Analyze Windows registry files to find information related to Internet activity (including the IP address of the target computer).
· Find and analyze artifacts related to or containing electronic mail messages.
· Analyze the contents of the web-browsing histories and file caches for each of the installed web browsers. Your analysis should include (a) visited web pages, (b) searches and search terms, and (c) downloaded files.
· Using Internet tools such as WhoIS (http://www.who.is), determine the ownership and registration information for suspicious websites or domain names found in the browsing history, browser cache, or packet capture files.
· Using Wireshark, analyze the packet capture streams (pcap or pcapng files) found in the forensic image. Identify URLs, IP addresses, and domain names that were accessed.
· Construct a timeline showing significant Internet activity. Pay special attention to any timeline anomalies that may be present in the forensic image.
You will find that a large number of files in the forensic image have been wiped (contents set to 0x00). The contents of these files are not important to this lab and the wiping should not be reported as part of your examination. The directory information (file names and create/modify/access dates) for all files, including those that were wiped, is correct and accurately reflects system usage. The directory information is important to this lab and should be used in your analysis.
You are expected to use appropriate tools and techniques during your analysis of the provided files. Document your processes, procedures, and findings using a memo format report (five pages maximum). Provide your timeline of Internet usage (table format) and your analysis summary tables as attachments to your memo. The tables are not included in the maximum page count but you should include only the information necessary to explain or support your findings.
Before You Begin
An FTK Case Backup folder for Lab 6 has been provided in folder H:\CMIT424\Lab6\FTK Case Backup\Lab6. Both the USB and the Virtual Hard Disk evidence files from the H:\CMIT424\Lab6 folder were added to the case. The only evidence refinement option used was “Expand Compound Files: Zip files.” To save time (approximately 45 minutes), you should restore this Case Backup to C:\Cases instead of starting from scratch with a new case. Restoring the case requires approximately 5 minutes (longer if the systems are heavily loaded). Before relying on the restored case, verify that the hash values FTK reports for the two evidence files match the hashes you compute for the originals in H:\CMIT424\Lab6, and record the result in your evidence-handling notes.
You *may* need to perform additional evidence processing using the “Evidence > Additional Analysis” menu in FTK.
The additional processing options are divided into three groups (tabs): (a) Hashing / Job Options, (b) Indexing / Tools, and (c) Miscellaneous. File signature analysis, data carving and “expand compound files” are under Miscellaneous.
Data carving is *not* recommended for the Virtual Hard Disk image (Lab6_Win7Prof.E01). You may, however, wish to carve for files in the USB image (Lab6-USB1.E01).
Guided Practice #1: Recovering and Triaging Evidence Related to Internet Activity
In this lab you will practice finding, recovering, and analyzing artifacts that contain information about a user's Internet activity. Such activity may include accessing webmail, browsing web pages, downloading files from web servers or FTP servers, sending and receiving electronic mail, sending and receiving chat or text messages (including Tweets), watching streaming video, etc. Internet activity can also include near real-time exchanges of information in text, audio, or video forms as chat, video conferencing, and webinars. Each of these types of activities will usually leave behind remnant information in the form of files, registry key values, or fragments of digital information left behind in slack space or unallocated space. Specific types of files and artifacts that we rely upon for documenting Internet activity include
· chat logs and history
· domain names
· electronic mail (messages and headers)
· Internet Protocol (IP) addresses
· uniform resource locators (URLs)
· web browser indexes, browser cookies, browsing history, and cached files
Forensic tools such as FTK and EnCase will identify and categorize artifacts containing remnants of Internet activity. FTK, for example, categorizes artifacts by browser type and then by data type (cookies, downloads, search keywords, URLs, etc.). These categories can be viewed on the Internet/Chat tab and from the Overview tab. Each of these tabs will provide a slightly different interpretation of the available artifacts.
Figure 6-1. FTK Internet/Chat Tab
Figure 6-2. Internet/Chat Files Viewed from Overview Tab
Electronic mail messages found by FTK can be viewed using the Email tab and the Overview tab (expand the nodes for File Category > Email).
Automatic identification of email artifacts will not find content that occurs in file slack space and unallocated disk sectors, yet these locations may contain significant amounts of information about email communications. The indexed search in FTK or the simultaneous search in WinHex Specialist can be used to find email artifacts anywhere in the forensic image. A basic search strategy can be developed around keywords that are normally found in email headers. Suggested keywords include:
· Recipient
· Sender
· From:
· Subject:
Figure 6-3. FTK Indexed Search for Email Using Keywords
After looking for the basic keywords, you should also consider searching for email headers using Internet header keywords such as:
· Delivered-To
· DKIM-Signature
· Return-Path
· MIME-Version
Note: Searching for hyphenated keywords requires use of a search function that will treat the hyphen as a normal character. Live search within FTK and simultaneous search within WinHex Specialist both allow search strings that include hyphens and other special characters and, thus, can be used for this search.
Figure 6-4. FTK Live Search Using Internet Email Header Keyword "DKIM-Signature"
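The keyword sweep described above, carried out in code as an added example (it is not part of the original lab and is not FTK or WinHex functionality). It works on raw bytes rather than an index, so hyphenated keywords such as DKIM-Signature are matched literally, and it tries both ASCII and UTF-16LE because Windows artifacts frequently store text as UTF-16LE. The keyword list is the one from the text plus From: and Subject:, and the evidence bytes are constructed for the example.

```python
"""Added example for the email header keyword search above (stdlib only).
Sweeps raw bytes so hyphenated keywords match literally, tries ASCII and
UTF-16LE, and carves each hit into an RFC 5322 header block."""
import re

HEADER_KEYWORDS = ["Delivered-To", "DKIM-Signature", "Return-Path",
                   "MIME-Version", "From:", "Subject:"]
ENCODINGS = ("ascii", "utf-16-le")


def build_patterns(keywords):
    """One compiled byte pattern per encoding; re.escape keeps '-' and ':' literal."""
    return {enc: re.compile(b"|".join(re.escape(k.encode(enc)) for k in keywords))
            for enc in ENCODINGS}


def find_header_hits(blob, keywords=HEADER_KEYWORDS):
    """Return sorted [(offset, encoding, keyword)] for every keyword hit in blob."""
    hits = []
    for enc, pat in build_patterns(keywords).items():
        hits.extend((m.start(), enc, m.group().decode(enc)) for m in pat.finditer(blob))
    return sorted(hits)


def carve_header_block(blob, offset, enc, max_len=4096):
    """From a hit, take text up to the blank line that ends an RFC 5322 header
    section, unfold continuation lines, and return ({name: value}, bytes consumed)."""
    sep = "\r\n\r\n".encode(enc)
    window = blob[offset:offset + max_len]
    end = window.find(sep)
    raw = window if end < 0 else window[:end]
    fields, last = {}, None
    for line in raw.decode(enc, errors="replace").split("\r\n"):
        if line.startswith((" ", "\t")) and last:       # folded continuation line
            fields[last] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip()
            fields[last] = value.strip()
    return fields, len(raw) + (0 if end < 0 else len(sep))


def carve_messages(blob, keywords=HEADER_KEYWORDS):
    """Cluster hits into header blocks: a block starts at its first hit and
    swallows every later hit that falls inside the span it consumed."""
    messages, covered_until = [], 0
    for offset, enc, _ in find_header_hits(blob, keywords):
        if offset < covered_until:
            continue
        fields, span = carve_header_block(blob, offset, enc)
        messages.append({"offset": offset, "encoding": enc, "fields": fields})
        covered_until = offset + span
    return messages


# Constructed evidence: zeroed sectors, one ASCII header block with a folded
# DKIM line, junk bytes, then a UTF-16LE remnant of a second message.
SAMPLE_BLOB = (
    b"\x00" * 64
    + b"Delivered-To: analyst@example.org\r\n"
      b"Return-Path: <sender@example.net>\r\n"
      b"DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel1;\r\n"
      b"\tbh=abc=; b=def=\r\n"
      b"MIME-Version: 1.0\r\n"
      b"From: Sender <sender@example.net>\r\n"
      b"Subject: Re: test results\r\n\r\n"
      b"body text\r\n"
    + b"\xff" * 32
    + "Return-Path: <other@example.com>\r\nSubject: UTF-16 remnant\r\n\r\n".encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for msg in carve_messages(SAMPLE_BLOB):
        print(msg["offset"], msg["encoding"], msg["fields"])
```

Run it against a raw image or an exported unallocated-space file by replacing SAMPLE_BLOB with the file's bytes; record each hit's byte offset, since the offset is what lets another examiner locate the same remnant.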
As you recover and analyze artifacts for Internet activity, you should make note of domain names, IP addresses, URLs, etc., that are suspicious or that appear to have significance with respect to answering the case questions. You should then research the ownership, history, and usage information for these items.
Guided Practice #2: Researching Internet Resources
As part of a forensic examination, the examiner should investigate ownership and use of domain names, IP addresses, and URLs recovered during the examination to determine if such information is of use in answering questions that may arise about Internet activity.
To begin your research, you should identify the IP addresses and MAC addresses used by the computer system you are investigating. For computers running Microsoft Windows, you can usually obtain the IP addresses assigned to the computer from the SYSTEM registry hive (HKEY_LOCAL_MACHINE\SYSTEM on a live system) under ControlSet001\Services\Tcpip\Parameters\Interfaces. On a live system this is CurrentControlSet; in an offline hive, check the Select\Current value to confirm which control set was in use at the last boot. If there are multiple network interfaces, there will be multiple subkeys under this key, each named by a GUID and corresponding to a separate physical or virtual network interface. For DHCP-configured interfaces the relevant values are DhcpIPAddress, DhcpServer, DhcpNameServer and DhcpDefaultGateway; statically configured interfaces use IPAddress, NameServer and DefaultGateway instead. In our example, there was one active network interface, and that interface was assigned the IP address 192.168.241.132 by the DHCP server at 192.168.241.2. These addresses fall in the private (RFC 1918) ranges, which are not routable on the public Internet and are normally usable only within a local area network, so they cannot be researched through WHOIS. The three private ranges are 10.0.0.0/8 (10.x.x.x), 172.16.0.0/12 (172.16.x.x through 172.31.x.x) and 192.168.0.0/16 (192.168.x.x). The registry key does not record the MAC address; if a packet capture is available, read it from the Ethernet header of any frame sent by the target IP address or from the client hardware address in the DHCP exchange.
Figure 6-5. Registry Keys Containing TCP/IP Addressing Information
If you are starting your research using a routable IP address, you can find out which organization holds the address block by using the WHOIS lookup provided by the Internet Assigned Numbers Authority (IANA) (https://www.iana.org/whois), which identifies the regional Internet registry (ARIN, RIPE NCC, APNIC, LACNIC or AFRINIC) responsible for the block; that registry's own WHOIS service, or an aggregator such as Who.IS (http://www.who.is), then returns the holder's details. A reverse DNS (PTR) lookup may also yield a host name, but the PTR record is controlled by the address holder and should be treated as a lead rather than as proof of who is using the address.
If you are starting your research from a domain name, the registration information and associated IP addresses can be obtained from the domain's registrar and registry. IANA (http://www.iana.org) maintains the Root Zone Database, which lists every top-level domain (TLD) and the organization sponsoring it. A more detailed profile for a domain name, including current registrant, registration history, DNS server names, server names (e.g., email, web, ftp) and associated IP addresses and address ranges, can be obtained from lookup services such as http://who.is. Registrant contact details are frequently redacted or replaced by a privacy-proxy service; record exactly what each lookup returned and the date and time you ran it, because registration data changes over time and your report must be reproducible.
In addition to researching domain name registration and associated IP addresses, you may also need to research the contents of web pages at a specific point in time. The Internet Archive (http://www.archive.org), also referred to as the Wayback Machine, contains copies of web pages that were found by its web crawlers ("spiders"). This archive is searchable by URL. If the requested page has been archived, you can then search by date of retrieval. For example, if you wanted to research the home page for http://www.umuc.edu as it existed on April 20, 2011, you could do so by searching for the domain name and then clicking on the year in the history bar. Next, you would select the closest retrieval date that occurred before your date of interest. In the example shown below, that date would be April 18, 2011. Each archived snapshot has a URL of the form http://web.archive.org/web/YYYYMMDDhhmmss/<original URL>; record that URL in your report so the exact snapshot you examined can be retrieved again.
Figure 6-6. Wayback Machine Search Results for www.umuc.edu (year = 2011)
Clicking on the date in the calendar will cause the archived page to be loaded and displayed. You should be aware that the archive may not contain copies of all page elements, but in general, you should be able to see enough of the web page to determine its content. By inspecting the page source, you will be able to recover metadata elements (if present) that list author, ownership, and other information about the page.
Figure 6-7. Archived Web Page from April 18, 2011, for www.umuc.edu
Guided Practice #3: Using External Viewer Programs
Internet activity can result in a large variety of files and file types being downloaded onto a computer system. There are limitations to the file types and formats that forensics tools can display using a built-in viewer. For this reason, you may find it necessary to use external viewer programs to inspect the contents of files that contain information about Internet activity.
You may be able to locate and download appropriate viewer software from the Internet. Open-source software is easily located and downloaded using an Internet search engine. For proprietary file types, many vendors will provide a free viewing-only utility. Microsoft, for example, provides free viewers for Microsoft Office files in Excel, PowerPoint, or Word format. You can download these viewers from the Microsoft Download Center (http://www.microsoft.com/en-us/download/search.aspx?q=viewer), or you may need to find a utility provided by a third party. One such utility is DB Browser for SQLite (http://sqlitebrowser.org/), which opens the SQLite databases that browsers use for history, such as Firefox's places.sqlite and Chrome's History file. Work on exported copies, and export any accompanying -wal or -journal file together with the database, or the most recent entries may be missing from what you see. Additional sources of viewing utilities include
· Apple https://www.apple.com/downloads
· Adobe http://www.adobe.com/downloads.html
· CNET Downloads http://www.download.cnet.com
· Forensics Wiki http://www.forensicswiki.org/wiki/Tools
· SourceForge http://sourceforge.net
Note: You should verify that any software downloaded from the Internet is free of malware before using it for a forensic examination: compare the download's hash against the value published by the vendor, check the digital signature where one is present, and scan the file with current anti-malware software. Record the version and hash of each tool in your notes.
If you cannot locate a matching software version for download from the Internet, look for the associated software application or appropriate viewer program in the forensic image itself. If found, you may be able to export the required files and then load them on a dedicated workstation or virtual machine (a VM sandbox is highly recommended). Next, export the file or files that require this application for viewing and transfer to the sandbox where you will perform your inspection and analysis. Launch the application and review the copies of your files. Make sure you update your chain-of-custody log to track the movement of the exported files. Your forensic report should also include documentation of what viewers were used and the source from which the viewer software was obtained.
Note: For licensed software, you should ensure that you comply with the end-user license agreement (EULA) and then delete all copies from the sandbox system at the conclusion of your examination.
Guided Practice #4: Network Forensics with Wireshark
As a forensic analyst, you may be asked to review and make sense out of network packet captures. The packet capture files, commonly referred to as PCAP files, will contain information captured from TCP/IP packets transmitted to and from network hosts connected to a specific network segment. This information can be used to reconstruct Internet activity for specific network hosts. (A "network host" is equivalent to a workstation, laptop, or other device that is connected to a network.)
Before spending time analyzing a packet capture file, you should check to make sure that packets sent to or from your target IP address are present in the file. This can be quickly accomplished in a number of ways, but we will use a filter for this example. On the filter bar, enter the expression ip.addr eq 192.168.241.132 (ip.addr matches either the source or the destination address; ip.addr == 192.168.241.132 is equivalent), then click Apply. If the IP address is not present in the capture file, the packet list will be empty. The same check for a MAC address uses eth.addr.
Figure 6-8. Applying an IP Address Filter in Wireshark
Once you have verified that the packet capture file contains packets to or from your target IP address, you can apply additional filters to find packets that are of interest to your examination. Commonly used filter expressions can be viewed using the Analyze > Display Filters menu item. These display filters can be used to quickly build filter expressions that allow you to view the packets associated with specific values for header fields in packets, specific types of protocols, etc.
Figure 6-9. Wireshark Display Filter, Default Profile
A more detailed list of filter expressions and prompts can be accessed using the "Expression" button on the Filter menu bar or from within the Display Filters pop-up window. Click this button to display a list of prompts for advanced filters. These filter expressions are most useful when you need to filter by the contents of specific fields within packets or by specific protocols.
As your examination proceeds, you may need to recover and analyze TCP/IP sessions ("conversations"). First, select Statistics > Conversations and choose the IPv4 tab. Then sort the list of conversations by IP address (click on the "Address A" column header). Scroll down to find the target IP address in the "Address A" column; the "Address B" column shows the IP addresses of the network hosts that the target computer system communicated with. Which address of a pair appears as "Address A" is not always the target, so check both columns, or tick "Limit to display filter" with the ip.addr filter still applied so that only the target's conversations are listed.
Figure 6-10. Wireshark IPv4 Conversations List Sorted by IP Address
Processing Hint: If there are a large number of IP addresses, you can use the Copy button to copy the entire list of conversations to the Windows clipboard in CSV (comma-separated value) format. Paste the clipboard contents into a document file using Microsoft Word. Then, convert to table format (Insert > Table > Convert Text to Table) using "comma" as the separator. Double-check to make sure you have the same number of columns as displayed in the conversations list, then click OK. Edit your table to remove the extraneous commas.
Figure 6-11. Wireshark Conversations List as a Microsoft Word Table (partial)
Another method for recovering TCP/IP sessions begins with a packet of interest. For this example, we will begin by finding packets containing the text string google that were formatted using the http protocol. Our search filter would be (http and (tcp contains "google"))
Figure 6-12. Packet Filter Results for (http and (tcp contains "google"))
We then scroll through the filtered packet capture stream to find a packet of interest. Right-clicking on the packet brings up a context menu from which we select "Follow TCP Stream."
Figure 6-13. TCP Stream
Using a "tcp contains xxx" filter will allow you to perform keyword searches within the TCP payloads of the packet stream; the match is a case-sensitive byte comparison. Consider the case where your examination of a packet stream requires you to find and document file transfers. You can construct a filter that looks for file names or file extensions in the TCP packets. For example, if you wanted to find conversations containing Internet search engine queries or results, you could use the filter expression tcp contains "search?" (for Bing and Google searches), or you could filter by the host name of the search engine, e.g., tcp contains "www.google.com". When the traffic is cleartext HTTP, the dissector fields are more precise than a raw byte match: http.host contains "google" or http.request.uri contains "search?". Keep in mind that none of these byte matches see inside HTTPS sessions, where the request is encrypted; for those, the server name is still visible in the DNS query (dns.qry.name contains "google") and in the TLS Client Hello (tls.handshake.extensions_server_name, or ssl.handshake.extensions_server_name in Wireshark versions before 3.0).
Or, perhaps you are interested in finding file transfers (downloads) involving executable files. You could use the filter tcp contains "exe"; be aware that it also matches unrelated strings such as "exec", so for HTTP downloads http.request.uri contains ".exe" is the tighter filter.
Figure 6-14. Packets Containing Text String "exe"
Inspecting the payload of a selected packet (see Figure 6-14) shows us that a file was downloaded from http://download-installer.cdn.mozilla.net/pub/firefox/releases/32.0.2/win32/en-US/Firefox%20Setup%2032.0.2.exe. If we investigate further, perhaps using a Google search or by visiting the URL itself, we find that this file contains the installation package for a version of the Firefox browser.
Finally, you may find it helpful to combine search terms into a single, complex filter expression. To do this, enclose each search term in parentheses, e.g., (tcp contains "keyword"), and then use Boolean operators between the terms. For example, to find http packets that contain search queries for Google or Bing, you could use the filter expression http and ((tcp contains "google") or (tcp contains "bing")). Remember to use parentheses to enclose terms and operators so that the expression evaluates correctly.
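The Wireshark steps in this guided practice (confirm the target address is present, list its IPv4 conversations, find search queries and .exe downloads in the TCP payloads), carried out in code as an added example that is not part of the original lab and not Wireshark functionality. It is standard-library Python only, reads classic pcap files (not pcapng), and flags which peers fall outside the RFC 1918 private ranges and are therefore candidates for the WHOIS research in Guided Practice #2. The capture is built in memory from constructed frames; the target address is the one from the registry example, and the public peer addresses are illustrative.

```python
"""Added example for Guided Practice #4 (stdlib only): check that the target IP is in a
capture, list its IPv4 conversations, and pull cleartext HTTP request lines (search
queries, .exe downloads). The capture is constructed in memory with illustrative peers."""
import ipaddress
import struct

PCAP_MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}   # classic pcap magic -> byte order
# RFC 1918 private ranges; 172.16.0.0/12 spans 172.16.x.x through 172.31.x.x
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True for private addresses, which cannot be researched through WHOIS."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def build_packet(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; we only parse it)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp        # MACs zeroed, EtherType IPv4

def build_pcap(frames):
    """Wrap frames in a classic (not pcapng) pcap file, link type 1 = Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(f), len(f)) + f
    return out

def iter_tcp(data):
    """Yield (src, dst, sport, dport, payload) for each TCP/IPv4 frame in a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in PCAP_MAGIC:
        raise ValueError("not a classic pcap; pcapng needs a different reader")
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from(PCAP_MAGIC[magic] + "IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                    # not IPv4 over Ethernet, or not TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 20:
            continue
        src = str(ipaddress.ip_address(frame[26:30]))
        dst = str(ipaddress.ip_address(frame[30:34]))
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]

def has_target(data, target):
    """Same check as the Wireshark display filter  ip.addr eq <target>."""
    return any(target in (s, d) for s, d, _, _, _ in iter_tcp(data))

def conversations(data, target):
    """Statistics > Conversations > IPv4 reduced to the target's peers, flagging
    which peers are routable and therefore candidates for a WHOIS lookup."""
    peers = {}
    for s, d, _, _, _ in iter_tcp(data):
        if target in (s, d):
            peer = d if s == target else s
            peers[peer] = peers.get(peer, 0) + 1
    return {p: {"packets": n, "routable": not is_rfc1918(p)} for p, n in peers.items()}

def http_requests(data, target):
    """(host, method, path) for cleartext HTTP requests sent by the target. HTTPS
    payloads are encrypted and never match here, just as with 'tcp contains'."""
    out = []
    for s, _, _, _, payload in iter_tcp(data):
        if s != target or not payload.startswith((b"GET ", b"POST ")):
            continue
        head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        method, path, _ = head[0].split(" ", 2)
        host = next((h.split(":", 1)[1].strip() for h in head[1:] if h.lower().startswith("host:")), "")
        out.append((host, method, path))
    return out

def classify(requests):
    """Split request lines into search-engine queries and executable downloads."""
    return ([r for r in requests if "search?" in r[2]],
            [r for r in requests if r[2].lower().endswith(".exe")])

TARGET = "192.168.241.132"   # address recovered from the registry in Guided Practice #2
SAMPLE_PCAP = build_pcap([   # constructed traffic; the public peer addresses are illustrative
    build_packet(TARGET, "192.168.241.2", 49152, 445, b""),
    build_packet(TARGET, "93.184.216.34", 49153, 80,
                 b"GET /search?q=disk+wiping+tools HTTP/1.1\r\nHost: www.bing.com\r\n\r\n"),
    build_packet("93.184.216.34", TARGET, 80, 49153, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_packet(TARGET, "203.0.113.10", 49154, 80,
                 b"GET /pub/firefox/releases/32.0.2/win32/en-US/Firefox%20Setup%2032.0.2.exe "
                 b"HTTP/1.1\r\nHost: download-installer.cdn.mozilla.net\r\n\r\n"),
    build_packet("192.168.241.133", "203.0.113.10", 49155, 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
])

if __name__ == "__main__":
    print("target present:", has_target(SAMPLE_PCAP, TARGET))
    print(conversations(SAMPLE_PCAP, TARGET))
    print(classify(http_requests(SAMPLE_PCAP, TARGET)))
```

To run it on a real capture, replace SAMPLE_PCAP with the bytes of the pcap file; the routable peers it returns are the ones to carry into the WHOIS research, and the (host, path) pairs are the URLs to reconcile against the browser history and the timeline.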
Guided Practice #5: Report Writing
For this lab, you are expected to write an incident summary report using the reporting writing skills and techniques learned in earlier labs in the course. You will need to decide how much supporting information to include in your report.
The use of tables and bullet lists to summarize information is encouraged, but these formats should not be used at the expense of clarity. If a paragraph's worth of explanation is required, put the information in a paragraph, not in a cell within a table or a bullet within a bullet list. In your reports and tables, you should clearly identify which items were found in which evidence files.
Deliverables
1. Incident Investigation Summary Report: a memo-format report summarizing answers to the case questions and providing documentation as to the tools, techniques, and procedures used in this lab. Your memo should include sufficient supporting information and “summary tables” to substantiate your assertions about the data in a way that makes it easy to understand (a) the case, (b) the case questions, and (c) your answers / findings in regards to the case and case questions.
2. Your report should include high-level analysis summaries in table format for:
1. network activity (MAC addresses, IP addresses, domain names, etc.)
2. email and webmail
3. web browsing history
4. ownership/registration information for suspicious websites or domain names
5. names and contents of suspicious files
6. timeline for Internet and Network Activity
Note: Your “high level summaries” of your analysis results should be *summaries* not a compendium of every piece of information found in the image. Focus on providing data which provides support to your answers to the case questions. Irrelevant information should not be included.
Grading for Lab Deliverables
1. Incident Investigation Summary Report 50%
a. Overview 15%
b. Findings & Answers to Case Questions 15%
c. Description of Analysis & Processing 15%
d. Evidence Handling (including use of hash values) 5%
2. High Level Summaries (attachments or internal to memo) 35%
a. network activity (MAC addresses, IP addresses, domain names, etc.) 5%
b. email and webmail 5%
c. web browsing history 5%
d. ownership/registration information for suspicious websites or domain names 5%
e. names and content summaries for suspicious files 10%
f. timeline for Internet and Network Activity 5%
3. Professionalism (formatting, grammar, spelling, punctuation, etc.) 15%
Copyright © 2015 by University of Maryland University College. All Rights Reserved.