CMIT 424: Digital Forensics Analysis and Application

Lab 5: Reconstruct System Usage Using Registry and Other System Files

Before You Begin

1. Launch FTK

2. Restore the Lab 5 Case File from H:\CMIT424\Lab5\FTK Case Backup\Lab5 to C:\Cases

3. Examine the image using the FTK Examiner and Overview tabs. Note that there are carved files present in the image. ZIP files have also been expanded for you. (Refinement options for the Add Evidence job were: (a) Expand Compound Files: ZIP only and (b) Data Carve: BMP, GIF, JPG, PNG, PDF, MS OLE (documents).)

4. Decide if you will use “bookmarks” to help you keep track of important files that you find as you work through this lab. It is highly recommended that you do so. You can use “bookmarks” to categorize and annotate files and then generate a “Bookmarks” report with your annotations.

One more important note: there is more information in this evidence file than you will have time to analyze for this lab. You should make sure that you cover the important areas discussed in each Guided Practice. But, you should also leave yourself enough time to write your report and document your findings. Do not get lost in the data!!!

Guided Practice #1: Analyzing the Windows Registry

In this part of the lab, you will use FTK and FTK Registry viewer to generate a report that you will use in your analysis of the Windows registry. Use your best judgment and information from your readings to select additional keys that can provide answers to the case questions about how the virtual machine was used. Then, add these keys to your registry reports. For more information about which keys you should look at, see http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots and http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry

As you work through this Guided Practice, “check” the files (in the File List pane) that are important and which have time/date information that can be used to construct a system usage timeline. You will use these “checked” files in Guided Practice #3.

Locate Registry Hive Files

1. Switch to the Overview tab in the Case Examiner window.

2. Expand the File Category node in the tree.

3. Click on the OS/File System Files node. Expand again to display the list of subcategories.

4. Click on Windows NT Registry to display the list of registry files in the File List pane.

5. Locate the System Hive in the File List pane. This file contains the HKEY_Local_Machine (HKLM) registry keys. Note the information displayed in the File Content pane.

SYSTEM Hive

6. Right-click on the System Hive in the File List pane. Select “Open in Registry Viewer” from the pop-up menu.

7. Find HKLM\System\ControlSet001\Control\ComputerName\ComputerName (Expand tree nodes by clicking on the plus signs to the left of the node names.)

8. Add this key to the registry report

9. Find HKLM\System\ControlSet001\Control\TimeZoneInformation\

10. Note that there are sub-keys with values displayed in the upper right pane of the display. Note also that the Key Properties, including “Last Written Time,” are displayed in the lower left pane.

11. Add this key to the registry report.

12. Collapse the “Control” node under ControlSet001.

13. Expand the “Enum” node.

14. Find HKLM\System\ControlSet001\Enum\USBSTOR

15. Expand the nodes under USBSTOR and review the information provided. Note that you can identify the manufacturer and product name / type from the information provided for the second and third entries under this node.

16. Click on the node below the “device” node. Review the information provided in the right hand pane (Sub Key names and values).

17. After you have finished your review, add this key “with children” to the registry report.

18. Find HKLM\System\Mounted Devices and add this key to your registry report.

19. From the Report menu, generate the registry report for your selected keys.

20. Enter SYSTEM Registry Report in the Report Title field. Enter Lastname_SYSTEM_RegistryReport in the Report Filename field. Note that the location of the report will be C:\Cases\Lab5\RegistryViewerReports.

21. Check the box to view the report, then click OK.

22. After the report opens, review the “Last Written Time” key properties for each set of keys. You will use these values later to update your timeline of events.

23. Close the Report and Registry Viewer windows and return to the FTK Case Examiner Window.

24. Locate the Software Hive. Click on its name in the File List pane to display information about this registry hive in the File Contents pane.

SOFTWARE Hive

25. Right-click on the Software Hive in the File List pane. Select “Open in Registry Viewer” from the pop-up menu.

26. In the Registry Viewer, find HKLM\Software\Microsoft\Windows NT\Current Version

27. Select the key to view its values. Note that the Key Properties pane gives the installation date. The Sub Keys and Values provide additional information about the operating system version, the registered owner, and other information which you will need for your summary report.

28. Add this key to your registry report.

29. Explore the SOFTWARE hive to see if there is additional information that you wish to add to the registry keys report. If so, remember to “add key” or “add key with children” to the report.

30. From the Report menu, generate the registry report for your selected keys. Enter SOFTWARE Registry Report in the Report Title field. Enter Lastname_SOFTWARE_RegistryReport in the Report Filename field. Check the box to view the report, then click OK.

31. After the report opens, review the “Last Written Time” key properties for each set of keys. You will use these values later to update your timeline of events.

32. Close the Report and Registry Viewer windows and return to the FTK Case Examiner Window.

USER Hive

33. Locate the user profile NTUSER.DAT files. There will be multiple files. You will need to widen the File Path column to see where each of these files occurs. For your review, use only those files found under [root]/Users/….

34. These files contain the HKEY_Current_User or HKCU registry keys. Record the profile name for each of these files (from the file path). You will use the profile name to name the registry report file. You will also use these registry report files to construct your system usage timeline.

35. For each NTUSER.DAT file:

a. Add the file to your Registry Files bookmark and open it in Registry Viewer.

b. Using Edit > Find and Edit > Find Next (also F3), locate keys and key values that have forensic value. Focus on keys that have information required for your system usage timeline. These keys include:

i. Most Recently Used Lists (MRU)

ii. Typed URL Lists

iii. Recent Docs (note the drive letters as well as the file names)

c. As you find useful registry keys, add the keys to your registry report.

d. When you have finished your inspection of the registry, generate the registry report for the associated user profile. Enter [profilename] Registry Report in the Report Title field and Lastname_[profilename]_RegistryReport in the Report Filename field. Check the box to view the report, then click OK.

e. After the report opens, review the information.

f. Close the Report and Registry Viewer windows and return to the FTK Case Examiner Window.

Guided Practice #2: Analyzing Folders and Files to Investigate System Usage

As you work through this section, “check” the files (in the File List pane) which have time/date information that can be used to construct a system usage timeline. You will use these “checked” files in Guided Practice #3.

System Files

1. Click on the Overview tab. Expand the File Categories container.

2. Click on the Operating System files node to display the list of files in this category.

3. Using the File List pane and File Contents pane, find and review the types of files listed below. Note: FTK will provide an interpreted (formatted) display for certain types of system files. You may wish to snapshot or copy this information for later use in answering the case questions and preparing your system usage timeline. You should also review the file properties shown in the file contents pane.

a. Bootstat.dat (there are two; the file dates will tell you the date of the first boot after installation and the date/time of the last shutdown)

b. Page File (pagefile.sys)

c. System and user-level log files

d. User profiles (especially the recent files list and the contents of the desktop)

e. Link files (shortcuts)

f. Prefetch files

User Profiles

1. Return to the Explore tab and open the Evidence Items tree until you see Users. Expand this node. Identify the user profiles on the system. In this case, we have one “profile” which is not a standard profile – George Dean. We will want to examine this profile more closely.

2. Click on the Folder icon for “George Dean” in the Evidence Items tree. This will cause the contents of the folder to be displayed in the File List pane. Review the files and the metadata for each one (decide which items you will use to help construct your system usage timeline). At a minimum, you should look at the following:

· All files and folders listed under the desktop folder

· All files and folders listed in subfolders under the desktop folder

· Recent folder for user profile and all shortcut files listed under the recent folder

· Documents, downloads, pictures, and music folders for user profile

· All files and folders listed under each top-level folder (in the same file path)

· Find the Recycle bin for this user profile ($Recycle.bin). Then, identify all files and folders listed under $Recycle.bin

Note: The image file used in this lab may contain artifacts related to internet browsing. You should note the presence of these files in your report. No other processing of the browser history and browser cache files is required for this lab. (These artifacts will be processed and examined in Lab 6.)

Program Files (Applications)

1. Return to the Evidence tab. In the Evidence Items tree, open the nodes until you find [root]/Windows/ProgramData and [root]/Windows/Program Files.

2. Examine the contents of these folders. You should see a top-level folder for each software application installed on top of the Windows 7 installation (e.g., antivirus, utilities, word processing packages, web browsers). (Note: you can also identify software applications by looking for folders or links on the desktops under each user profile.)

a. Record the forensically interesting software applications (applications that are not part of the Windows operating system installation).

b. Review the file dates/times for each software application.

3. In your analysis, do not include any applications that have last modified dates occurring before the first boot date for this Windows 7 installation (these were installed as part of Windows 7).

Guided Practice #3: Using File System Metadata to Create a System Usage Timeline

Review Your Analysis Results

This guided practice depends upon the “checked files” which you identified in the first two Guided Practices for this lab. If you did not check files as you worked through those exercises, you will need to go back and do so before starting this last Guided Practice.

After you have selected files, review your selections (your “checked” files). You should not have more than 100 “important” files in your checked files list. If you do, review the files that you have checked and determine which ones can be removed from your list. Use the Overview tab > File Items node to review your checked files.

Create an Inventory with Timeline Information

1. Create a file inventory containing the file system metadata for all checked files (do not include any other files):

a. Right-click in the file list pane.

b. Select Export File List Info from the pop-up menu.

c. In the export options window, select “All checked.”

d. Name your file yourlastname_Lab5_FileList.csv.

e. In the Save as type drop-down, select CSV (Comma delimited) (*.csv).

2. Open your inventory using Excel or another spreadsheet application.

a. Format the spreadsheet to give it a professional appearance.

b. Save your file inventory as an XLSX or XLS spreadsheet.

3. Examine the file system metadata shown in your file inventory. As you perform your examination, annotate your file inventory spreadsheet to record your analysis and/or findings.

4. Using your file inventory, create a table containing your system usage timeline. Suggested steps are as follows:

a. Use Excel’s sorting function to examine the timeline of system usage. First, sort your file inventory by Creation Date and then by File Path.

b. Examine the spreadsheet entries to determine when files were created; draw conclusions as to when the Windows 7 operating system was installed, when software applications were installed, etc.

c. Sort your spreadsheet by Last Modified Date and File Path. Reexamine the spreadsheet entries to determine how and when the system was used (what activities or events occurred).

d. Highlight rows in the spreadsheet that contain information about significant events or that provide information that can be used to answer one or more of the case questions.

e. Transfer information from your spreadsheet into your timeline table.

5. Review the information provided by your examination of the registry files. Add significant event information to your timeline table (e.g., time and date that important registry keys were last written along with the key names and values).
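As an added illustration of steps 3 through 5 above (example code, not part of the lab or of FTK), this Python script reads a constructed CSV in the shape of an FTK file-list export, marks files last modified before the first boot as pre-installed (Guided Practice #2, step 3), and merges file timestamps with registry “Last Written Time” values into one sorted timeline. The column headers, file paths, key names and dates are constructed assumptions; match the headers to your own export.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of an FTK "Export File List Info" CSV
# (column headers are an assumption; match them to your own export).
SAMPLE_CSV = """Name,File Path,Creation Date,Last Modified Date
notepad.exe,[root]/Windows/System32/notepad.exe,2009-07-14 01:39:00,2009-07-14 01:39:00
bootstat.dat,[root]/Windows/bootstat.dat,2014-03-02 09:15:00,2014-03-09 22:41:10
NTUSER.DAT,[root]/Users/George Dean/NTUSER.DAT,2014-03-02 09:40:12,2014-03-09 22:40:55
firefox.exe,[root]/Program Files/Mozilla Firefox/firefox.exe,2014-03-03 10:11:05,2014-03-03 10:11:05
report.docx,[root]/Users/George Dean/Desktop/report.docx,2014-03-05 14:02:30,2014-03-07 16:20:00
"""

# Constructed "Last Written Time" values of the kind the GP#1 registry reports list.
SAMPLE_REGISTRY = [
    ("2014-03-02 09:20:31", r"HKLM\System\ControlSet001\Control\ComputerName\ComputerName"),
    ("2014-03-04 18:05:44", r"HKLM\System\ControlSet001\Enum\USBSTOR"),
]

DATE_FMT = "%Y-%m-%d %H:%M:%S"

def load_inventory(text):
    """Parse the CSV export and convert both timestamps to datetime objects."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["created"] = datetime.strptime(r["Creation Date"], DATE_FMT)
        r["modified"] = datetime.strptime(r["Last Modified Date"], DATE_FMT)
    return rows

def first_boot(rows):
    """Earliest bootstat.dat creation time marks the first boot after installation (GP#2)."""
    boots = [r["created"] for r in rows if r["Name"].lower() == "bootstat.dat"]
    return min(boots) if boots else None

def preinstalled(rows):
    """Paths last modified before first boot: shipped with Windows 7, excluded per GP#2 step 3."""
    boot = first_boot(rows)
    return [r["File Path"] for r in rows if boot and r["modified"] < boot]

def build_timeline(rows, registry, key="created"):
    """Merge file events (sorted by timestamp, then path; GP#3 step 4) with registry events (step 5)."""
    boot = first_boot(rows)
    events = [(r[key], r["File Path"], key) for r in rows if not boot or r["modified"] >= boot]
    events += [(datetime.strptime(ts, DATE_FMT), k, "registry last written") for ts, k in registry]
    return sorted(events)

if __name__ == "__main__":
    inv = load_inventory(SAMPLE_CSV)
    for ts, what, kind in build_timeline(inv, SAMPLE_REGISTRY):
        print(ts, kind, what)
```

Pass `key="modified"` to `build_timeline` to repeat the exercise on Last Modified Date, as step 4c directs.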

Guided Practice #4: Report Writing

For this lab, you will prepare a summary report and a system usage timeline. Use the guidance from previous labs to assist you in deciding how to present your findings. Your “high level summaries” of your analysis results should be *summaries* not a compendium of every piece of information found in the image. Focus on providing data which provides support to your answers to the case questions. Irrelevant information should not be included.

Your deliverables are:

1. Incident Investigation Summary Report (5-8 pages with tables / screen shots)

Prepare a memo-format report summarizing answers to the case questions and providing documentation as to the tools, techniques, and procedures used in this lab. Your report should include high-level analysis summaries in table format for:

a. Registry Analysis & Values of Important Keys (GP#1)

b. System Usage Data (GP#2)

c. Meta Data Analysis of Important Files (GP#3)

2. System Usage Timeline (attachment to report)

This table was created in Guided Practice #3 of this lab.

Required Software

· Forensic Toolkit

· FTK Registry Viewer

· MS Excel (or equivalent spreadsheet application)

Deliverables

· Incident Investigation Summary Report

· System Usage Timeline

Grading for Lab Deliverables

1. Incident Investigation Summary Report 60%

a. Overview 15%

b. Findings & Answers to Case Questions 15%

c. Summary Tables 15%

d. Description of Analysis & Processing 15%

2. System Usage Timeline 25%

3. Professionalism 15% (formatting, grammar, spelling, punctuation, etc.)

Copyright © 2015 by University of Maryland University College. All Rights Reserved.
