cybersecurity lab

  • All answers must be in complete sentences for full credit.
  • Reminder: Use these tools in VMware only. Use on other machines may be in violation of law or policy and use on your own machine may have unpredictable results.

Objective:

  • The purpose of this exercise is to give you more experience with Windows forensics by having you examine the Internet History, analyze the Windows Registry, and work with the Recycle Bin and Event Logs.

 

In your Windows VMware:

Software to Install:

  • Install a browser history viewer
    • NirSoft: http://www.nirsoft.net/
    • Download and install the BrowsingHistoryView tool to pull your browsing history from Internet Explorer, Edge, Firefox and Chrome. (It reads history only; saved passwords are recovered with the separate WebBrowserPassView tool below.)
    • Read the information provided on the website prior to downloading and installing the programs
  • Install a browser password viewer (NirSoft WebBrowserPassView, from the same site)
  • Install a registry viewer (the Registry Viewer application used in Step 2 of the registry section), OR
  • Install Windows Registry Recovery (used in Step 3 of the registry section)
    • Windows Registry Recovery: http://www.mitec.cz/wrr.html
    • Download Windows Registry Recovery
    • The download button is at the bottom; use the “free for education” version

 

Preparation:

 

  • In your VMware, make sure you are logged in with an administrator account
  • Launch Internet Explorer and Firefox or Chrome
  • Type in some URLs such as: gmu.edu www.cnn.com
  • Create a bookmark for a website
  • Go to Google and search for: extortion
  • Open Notepad and create a file called “exigent.txt” that contains this text: “I’ve done it before and I’ll do it again.” Use File → Save As… to save it to the Desktop and then Exit. Move this file to the Recycle Bin and empty the Recycle Bin.
  • Open Notepad and create a file called “scienter.txt” that contains this text: “I knew it was wrong but I did it anyway!” Save it to the Desktop the same way. Move this file to the Recycle Bin, but do not empty the Recycle Bin.
  • Change your settings so that hidden files and folders, and protected operating system files such as $Recycle.Bin and NTUSER.DAT, are shown in Windows 10:
    • In the search box next to the Windows Start menu, type “File Explorer Options”
    • Select “Change search options for files and folders” from the options that appear
    • When the Folder Options window opens, go to the “View” tab and select “Show hidden files, folders, and drives”
    • Uncheck the “Hide protected operating system files (Recommended)” box and confirm the warning
  • ANSWER QUESTION 1

 

 

Internet History

 

  • First, we will examine the Internet history.
  • Each browser keeps its history, cache and cookies under the profile of the user who generated them, so the same artifacts exist once per user account.
    • For example, Internet Explorer and Edge on Windows 10 keep them in the ESE database C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat (WebCacheV24.dat on some versions). C:\Users\Default is only the template profile copied for new accounts, so it will not contain your activity.
    • Location and file names depend on the OS version and the browser: Chrome keeps a SQLite database named History under AppData\Local\Google\Chrome\User Data\Default, and Firefox keeps places.sqlite under AppData\Roaming\Mozilla\Firefox\Profiles.
  • File Explorer will not display this complete path unless hidden items are shown (AppData is a hidden folder), but you can always reach it from a command prompt: Start → Run → cmd, then cd %LOCALAPPDATA%\Microsoft\Windows\WebCache and dir.

 

Step 1:

  • Generate some internet traffic using IE and Firefox or Chrome (searches, visit websites, log into an account, etc.)
  • Use the NirSoft BrowsingHistoryView tool to view your internet history
  • ANSWER QUESTION 2

 

Step 2:

  • Log into some accounts such as GMU or Google and let the browser save the password. Use a throwaway or test account for this: the saved credentials end up in artifacts you will be exporting and examining in this VM.
  • Use the NirSoft WebBrowserPassView tool to see if you can recover any of the saved passwords (Chrome and Edge protect stored passwords with DPAPI under the logged-in user's key, so the tool recovers them only when run as that user on that machine)

 

Step 3:

  • We can get more information by using FTK Imager to extract the file and then using FTK or Autopsy to examine WebCacheV24.dat/WebCacheV01.dat, or your cache file from Firefox or Chrome.
  • This will not work while the file is locked. The WebCache database is held open by the user's session (not just by the browser), so “Contents of a Folder” may fail to read it; if so, either restart your VM (do not open your browser) before continuing, or add the logical drive (C:) as the evidence item instead of a folder, which lets Imager read the file from the raw volume regardless of the lock.
  • Launch AccessData FTK Imager (right-click and Run as administrator)
  • File → Add Evidence Item → Contents of a Folder → Browse and find the folder holding your WebCacheV24.dat/WebCacheV01.dat file, or your cache file from Firefox or Chrome.
  • Once Imager has the folder, open the subfolders until you find WebCacheV24.dat/WebCacheV01.dat (index.dat on versions of IE before 10) and select it (likely path: \Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat)
    • Choose File → Export Files and export WebCacheV24.dat/WebCacheV01.dat, or your cache file from Firefox or Chrome, to the desktop
  • Now open FTK or Autopsy and start a new case
    • Enter “dummy data” and accept the program defaults
    • Choose Add Evidence → Individual File → browse and open WebCacheV24.dat/WebCacheV01.dat or your cache file from Firefox or Chrome → Next → Finish
  • Click on Total File Items
    • Double-click the exported file (index.dat or WebCacheV01.dat) under Filename in the lower window
    • You should be able to review the history in the upper right-hand window
  • ANSWER QUESTION 3 (Note: if you get an “error” here it may be because the file is in use by the account you are using. Skip and answer the question.)
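The BrowsingHistoryView and FTK steps above read the browsers' own history stores; the added example below (written for this page, not part of the lab or of NirSoft's or AccessData's tools) shows what that amounts to for Chrome, whose History file is a SQLite database. It builds an in-memory copy of the two relevant tables with constructed rows, converts Chrome's WebKit timestamps (microseconds since 1601-01-01 UTC, the same origin as a Windows FILETIME) and separates typed URLs from followed links using the transition column, which is Chrome's counterpart of the TypedURLs registry key examined later in this lab. The table and column names are the real ones; the URLs, titles and times are made up.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores every timestamp as microseconds since 1601-01-01 UTC
# (the "WebKit" epoch, the same origin as a Windows FILETIME).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_US = 11644473600 * 10**6       # 1970-01-01 expressed in WebKit microseconds

# visits.transition: the low 8 bits are the core PageTransition type,
# the high bits are qualifiers (redirect chain start/end, etc.).
CORE_TRANSITION_MASK = 0xFF
TRANSITION_NAMES = {0: "link", 1: "typed", 2: "auto_bookmark",
                    5: "generated", 7: "form_submit", 8: "reload"}


def webkit_to_datetime(us):
    """WebKit microseconds -> timezone-aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def build_sample_history():
    """Constructed stand-in for a Chrome History file (in memory, not a real profile).

    Only the tables and columns the query below needs are created; a real
    History file has more of both (downloads, keyword_search_terms, ...).
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
            typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER DEFAULT 0);
        CREATE TABLE visits (
            id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
            from_visit INTEGER, transition INTEGER);
    """)
    t0 = UNIX_EPOCH_US + 1655510400 * 10**6    # 2022-06-18 00:00:00 UTC (made-up time)
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?, ?, 0)", [
        (1, "https://www.gmu.edu/", "George Mason University", 2, 1, t0 + 600 * 10**6),
        (2, "https://www.google.com/search?q=extortion", "extortion - Google Search",
         1, 0, t0 + 300 * 10**6),
    ])
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?, ?, ?)", [
        (1, 1, t0, 0, 0x10000001),                # typed into the address bar (+CHAIN_START)
        (2, 2, t0 + 300 * 10**6, 1, 0x30000005),  # generated: search suggestion from the omnibox
        (3, 1, t0 + 600 * 10**6, 0, 0x10000000),  # followed a link back to the first site
    ])
    return conn


def extract_history(conn):
    """One record per visit, newest first, with the URL row it belongs to."""
    rows = conn.execute("""
        SELECT u.url, u.title, u.typed_count, v.visit_time, v.transition
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time DESC
    """).fetchall()
    records = []
    for url, title, typed_count, visit_time, transition in rows:
        core = transition & CORE_TRANSITION_MASK
        records.append({
            "url": url,
            "title": title,
            "visited_utc": webkit_to_datetime(visit_time).isoformat(),
            "transition": TRANSITION_NAMES.get(core, f"type_{core}"),
            "typed_count": typed_count,
        })
    return records


def typed_urls(conn):
    """URLs the user typed: the SQLite counterpart of IE's TypedURLs registry key."""
    return [r["url"] for r in extract_history(conn) if r["transition"] == "typed"]


if __name__ == "__main__":
    db = build_sample_history()
    for rec in extract_history(db):
        print(f'{rec["visited_utc"]}  {rec["transition"]:<10} {rec["url"]}')
    print("typed:", typed_urls(db))
```

To run it against a real profile, copy %LOCALAPPDATA%\Google\Chrome\User Data\Default\History while Chrome is closed (the live file is locked while Chrome runs, the same problem the FTK Imager step works around) and pass sqlite3.connect() on the copy to extract_history. Firefox's places.sqlite is also SQLite, but moz_places.last_visit_date counts microseconds since the Unix epoch, so the conversion differs.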

 

 

Windows Registry Analysis

 

  • The Windows Registry contains information about software installation and the last use of software that is often of forensic value.
  • Normally a user changes the Registry indirectly, through the Control Panel and Properties dialogs. The Registry is made up of “keys”, which act like folders and hold “values” (name/data pairs). HKEY is short for “handle to key”. The five root keys are:
    • HKEY_CLASSES_ROOT stores information about registered applications and file associations.
    • HKEY_CURRENT_USER stores settings for the user currently logged in; it is a view of that user's subkey under HKEY_USERS, backed by the user's NTUSER.DAT file.
    • HKEY_LOCAL_MACHINE stores machine-wide settings that apply to all users on the computer.
    • HKEY_USERS contains one subkey per loaded user profile (named by SID); the one for the logged-in user is what HKEY_CURRENT_USER points to.
    • HKEY_CURRENT_CONFIG contains hardware-profile configuration information regenerated when the system boots.

 

Step 1: Regedit

Note: Use caution; editing the Registry directly can result in an unstable system. In this step you only read it.

  • Go to Start → Run and enter: cmd
  • At the prompt, type: regedit.exe to run the Registry Editor
  • Look under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs to view URLs the user actually typed into the IE address bar. The values are named url1, url2, … with url1 the most recent. On Windows 8 and later the sibling key TypedURLsTime holds a FILETIME (8 bytes, 100-nanosecond intervals since 1601-01-01 UTC) for each urlN, giving when it was typed.
    • Imagine this scenario: the subject of an investigation claims that spyware caused child pornography to be downloaded to his machine. If it can be shown that he actually typed in the URL, his defense is weakened.
    • The converse does not hold: TypedURLs only records what was entered in the address bar (not links clicked), it keeps a limited number of entries, and “Delete browsing history” clears it, so an empty key is not evidence that nothing was typed.
  • You can exit Regedit.

 

Step 2: NTUSER.DAT

  • Help finding the NTUSER.DAT file:
    https://www.techwalla.com/articles/what-is-the-ntuserdat-file
  • Often, when examining an acquired disk image, you will want to examine the part of the registry that applies to a particular user (what that user sees as HKEY_CURRENT_USER).
  • This information is stored in a hive file called NTUSER.DAT in the root of the user's profile folder, C:\Users\<username>\NTUSER.DAT. It is a hidden system file, which is why the Preparation section had you show protected operating system files.
  • There is one NTUSER.DAT file for each user profile.
  • We can't open the file for the account you are logged in with, because Windows holds that hive open and locked, so we will have you go to the Control Panel and create a new standard (non-administrator) account.
  • Log off and log in to your new account
  • Launch Internet Explorer and type in a few URLs
  • Then log off and log back in to your original account. Logging the new account off is what releases its hive and flushes the changes into NTUSER.DAT; a hive copied from a user who is still logged in may be missing its latest changes, which are still in the ntuser.dat.LOG1/LOG2 transaction logs.
  • Open the Registry Viewer application (click OK when it complains about the lack of a dongle)
    • File → Open the new account's NTUSER.DAT file (not the .LOG1/.LOG2 files)
  • Open the file and drill down to Software\Microsoft\Internet Explorer\TypedURLs
    • ANSWER QUESTIONS 4 – 7

 

Step 3: Use WRR to Examine the NTUSER.DAT File

  • Launch Windows Registry Recovery (WRR)
  • Choose File → Open
  • Browse until you locate your new account's profile folder under C:\Users
  • Find and open the file NTUSER.DAT (not the .LOG files, which hold the transaction log)
  • Choose RawData
  • Drill down to Software\Microsoft\Internet Explorer\TypedURLs and compare with what Registry Viewer showed in Step 2
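The Regedit, Registry Viewer and WRR steps above all end at the TypedURLs key. The following added example (written for this page; not a NirSoft, AccessData or MiTeC tool) shows how a script pairs the url1, url2, … values with the FILETIME stamps in the sibling TypedURLsTime key, working from a text export produced by reg export. The sample export is constructed; the key and value names and the hex: encoding with backslash continuations are what reg.exe writes. To export from the new account's hive rather than the live one, load it first with the standard reg.exe commands: reg load HKU\Suspect C:\Users\<newaccount>\NTUSER.DAT, then reg export "HKU\Suspect\Software\Microsoft\Internet Explorer" ie.reg, then reg unload HKU\Suspect (the hive name Suspect is arbitrary; the account must be logged off).

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample in the format 'reg export' writes (real exports are UTF-16LE
# with a BOM; open them with encoding="utf-16"). The URLs and times are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://www.cnn.com/"
"url2"="http://gmu.edu/"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLsTime]
"url1"=hex:00,a8,26,bc,ae,82,d8,01
"url2"=hex:00,40,62,5a,a6,82,\
  d8,01
'''


def filetime_to_datetime(ft):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_reg_export(text):
    """Parse 'Windows Registry Editor Version 5.00' text into {key: {name: value}}.

    Handles "string" values, hex: byte lists (including the backslash line
    continuations reg.exe emits) and dword: values, which covers TypedURLs
    and TypedURLsTime. Other value kinds are kept as their raw text.
    """
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name, raw = m.group(1), m.group(2)
        while raw.endswith("\\") and i < len(lines):   # hex data continued on the next line
            raw = raw[:-1] + lines[i].strip()
            i += 1
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif raw.startswith("hex"):                    # hex: or hex(N): -> bytes
            value = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
        elif raw.startswith("dword:"):
            value = int(raw[6:], 16)
        else:
            value = raw
        keys[current][name] = value
    return keys


def typed_urls_with_times(keys):
    """[(urlN, url, typed_at_utc_iso or None)] ordered url1, url2, ... (most recent first)."""
    urls, times = {}, {}
    for key, values in keys.items():
        if key.endswith("\\TypedURLs"):
            urls = values
        elif key.endswith("\\TypedURLsTime"):
            times = values
    names = [n for n in urls if re.fullmatch(r"url\d+", n)]
    result = []
    for name in sorted(names, key=lambda n: int(n[3:])):
        blob = times.get(name)
        when = None
        if isinstance(blob, bytes) and len(blob) == 8:   # REG_BINARY little-endian FILETIME
            when = filetime_to_datetime(int.from_bytes(blob, "little")).isoformat()
        result.append((name, urls[name], when))
    return result


if __name__ == "__main__":
    for name, url, when in typed_urls_with_times(parse_reg_export(SAMPLE_REG)):
        print(f"{name}: {url}  typed at {when}")
```

The same FILETIME conversion applies to the Recycle Bin $I files and the timestamps inside .lnk files later in this lab; any 8-byte value whose hex ends in 01 d8 or thereabouts is a 2022 date.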

 

Recycle Bin

 

  • When files are sent to the Recycle Bin, they are moved into a folder called Recycled (FAT systems), RECYCLER (Windows XP and 2000 on NTFS), or $Recycle.Bin (Vista, Windows 7, 8, 10), into a subfolder named after the SID of the user who deleted them.
    • Note that you can delete a file by holding down the Shift key while deleting to bypass the Recycle Bin; no record is created in that case.
    • Emptying the Recycle Bin deletes the records below; the file contents may still be recoverable from unallocated space until they are overwritten, which is the situation exigent.txt is in.
    • $Recycle.Bin: each deleted file becomes a pair of files that share the same random suffix and the original extension:

$I08C8KJ.jpg

  • Metadata file. Despite the extension this is a small binary record, not an image. Forensic information includes the original full path, the original file size, and the date and time of deletion (stored as a FILETIME).

$R08C8KJ.jpg

  • The actual file contents, renamed.

Step 1:

Step 2:

  • Note: the per-user folder is \$Recycle.Bin\%SID%, where %SID% is the security identifier of the account that deleted the files (a string beginning S-1-5-21-); find your own with whoami /user. The folder is hidden and protected, so it only appears in Explorer after the change made in the Preparation section.
  • Launch AccessData FTK Imager
    • Add Evidence Item → Contents of a Folder → Next → Browse to C:\$Recycle.Bin\%SID%
    • Open and export the folders/files you see.
  • Now launch AccessData FTK or Autopsy
    • Start a new case and enter dummy data
    • Accept the defaults
    • Choose Add Evidence → Individual File → Continue and browse to open the file(s) you exported → OK → Next → Finish
    • The $I files hold the information about the original file (path, size, deletion time)
    • The $R files hold the original contents
  • ANSWER QUESTIONS 8 AND 9
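The $I/$R pairing described above is simple enough to decode without FTK. The added example below (written for this page; not part of the lab and not how FTK or Autopsy does it internally) parses a $I file in both layouts Windows has used: version 1 (Vista through 8.1, fixed 260-character path) and version 2 (Windows 10 and later, length-prefixed path). The two $I files it decodes are constructed in memory from that layout; the file names, paths, sizes and deletion times are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116444736000000000      # 1970-01-01 00:00:00 UTC as a FILETIME


def filetime_to_datetime(ft):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_dollar_i(data):
    """Decode a $I file: {'version', 'size', 'deleted_utc', 'path'}.

    Offsets 0-7 version (1 or 2), 8-15 original size, 16-23 deletion FILETIME.
    Version 1 (Vista-8.1): 520 bytes of NUL-padded UTF-16LE path at offset 24.
    Version 2 (Windows 10+): 4-byte path length in characters at 24, then the path.
    """
    if len(data) < 24:
        raise ValueError("too short to be a $I file")
    version, size, deleted = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(deleted).isoformat(), "path": path}


def make_sample_dollar_i(version, path, size, deleted_ft):
    """Build a $I file in either layout. Test fixture only; not taken from a real system."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, deleted_ft)
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


def dollar_r_name(i_name):
    """$I and $R files share the random suffix: $IABC123.txt pairs with $RABC123.txt."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


DELETED_AT = UNIX_EPOCH_FILETIME + 1655510400 * 10**7   # 2022-06-18 00:00:00 UTC (made up)
SAMPLES = {   # constructed contents of two $I files, keyed by their (made-up) file names
    "$IABC123.txt": make_sample_dollar_i(2, r"C:\Users\student\Desktop\scienter.txt", 40, DELETED_AT),
    "$IXYZ789.txt": make_sample_dollar_i(1, r"C:\Users\student\Desktop\exigent.txt", 41,
                                         DELETED_AT + 60 * 10**7),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        info = parse_dollar_i(blob)
        print(f'{name} -> contents in {dollar_r_name(name)}: {info["path"]} '
              f'({info["size"]} bytes) deleted {info["deleted_utc"]} (v{info["version"]})')
```

On a live system, read the files from C:\$Recycle.Bin\<SID>\ with open(path, "rb") and pass the bytes to parse_dollar_i; the $R file next to each $I is the content. A $I whose $R is missing means the bin was emptied after the metadata was written, which is the case for exigent.txt only if it is carved back from unallocated space.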

 

Windows Event Logs

 

  • The MMC, Microsoft Management Console, hosts a number of snap-ins for monitoring and managing systems.
  • One of these is the Windows Event Viewer.
  • Under Windows Logs, the Event Viewer shows the three classic logs: Application, Security and System (Vista and later add Setup and Forwarded Events, plus many more under Applications and Services Logs).
  • All users can view the Application and System logs, but only administrators can read the Security log. Which security events get recorded is controlled by audit policy, and many audit categories are off by default, so on a fresh machine the Security log says little.
    • Application log: events generated by applications. For example, a spreadsheet program might record a “file missing or corrupted” error in this log.
    • Security log: the system administrator specifies through audit policy which events are logged. Logon attempts are commonly logged here; access to files and other objects can also be audited.
    • System log: events relating to system components, such as errors produced by drivers.
  • 5 types of events are logged:
    • Error: a serious problem, such as a service that fails to start or data that has been lost.
    • Warning: a possible problem, such as low disk space.
    • Information: a successful operation, such as loading a new driver.
    • Success Audit: a security event, such as a logon attempt, that succeeds (shown as “Audit Success” in the Security log).
    • Failure Audit: a security event, such as a logon attempt, that fails (shown as “Audit Failure”).

 

Step 1:

 

Step 2: Event Viewer

  • Start → Windows Administrative Tools → Event Viewer (or search for “Event Viewer”)
  • Expand Windows Logs and double-click the Application log to view some of the different types of entries.
  • Under Administrative Tools, open Local Security Policy, then expand Local Policies and look under Audit Policy
  • Right-click Audit account logon events
  • Choose Properties, tick the box next to Failure and click OK. (Audit account logon events records credential validation, Event ID 4776 for a local account; Audit logon events records the logon attempt itself, Event ID 4625. Which of the two you see depends on what is enabled; turning on Failure for both gives the fuller picture.)
  • Now log off, but don't shut down, and try to log in a couple of times using bogus user names and passwords
  • Then log in as your original account and go back to the Event Viewer
  • This time open the Security log
  • Can you find the Audit Failure entries for your failed login attempts? If you see a lot of events, use Filter Current Log… in the Actions pane (Keywords: Audit Failure, or Event IDs 4625,4776) to control what is displayed.
  • Double-click each event to see which account name is associated with the failed login attempt (the Account Name under “Account For Which Logon Failed” on a 4625, the Logon Account on a 4776).
  • ANSWER QUESTIONS 10 AND 11
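The steps above end with reading failed logon events one at a time in Event Viewer. The added example below (written for this page; not Microsoft code and not part of the lab) does the same over an XML export of the Security log: Event Viewer's Save Selected Events… in XML format, or (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4776}).ToXml() in PowerShell, both produce <Event> elements in the schema used here. It keeps only Audit Failure events with ID 4625 (a failed logon) or 4776 (a failed credential check, which is what “Audit account logon events” produces for a local account), maps the NTSTATUS code to a reason, and counts attempts per account. The four events are constructed: the element names, Keywords values and status codes are the documented ones, the computer name, account names and times are made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_FAILURE_BIT = 0x0010000000000000   # set in <Keywords> of every Audit Failure event
                                         # (Audit Success uses 0x0020000000000000)

# NTSTATUS values seen in Status/SubStatus of 4625 and in Status of 4776
STATUS_TEXT = {
    0xC000006A: "wrong password",
    0xC0000064: "user name does not exist",
    0xC0000234: "account locked out",
    0xC000006D: "bad user name or password",
}

# Constructed export: what Event Viewer's "Save Selected Events..." (XML) or
# Get-WinEvent's ToXml() produces, wrapped in one root element. Host, account
# names and times are made up; element names and codes are the documented ones.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4776</EventID>
  <Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime="2022-06-18T00:05:01.000000Z"/>
  <Channel>Security</Channel><Computer>WIN10-LAB</Computer></System>
 <EventData><Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
  <Data Name="TargetUserName">bogus</Data><Data Name="Workstation">WIN10-LAB</Data>
  <Data Name="Status">0xc0000064</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>
  <Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime="2022-06-18T00:04:50.000000Z"/>
  <Channel>Security</Channel><Computer>WIN10-LAB</Computer></System>
 <EventData><Data Name="TargetUserName">bogus</Data><Data Name="TargetDomainName">WIN10-LAB</Data>
  <Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc0000064</Data>
  <Data Name="LogonType">2</Data><Data Name="WorkstationName">WIN10-LAB</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>
  <Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime="2022-06-18T00:05:20.000000Z"/>
  <Channel>Security</Channel><Computer>WIN10-LAB</Computer></System>
 <EventData><Data Name="TargetUserName">student</Data><Data Name="TargetDomainName">WIN10-LAB</Data>
  <Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc000006a</Data>
  <Data Name="LogonType">2</Data><Data Name="WorkstationName">WIN10-LAB</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
  <Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime="2022-06-18T00:05:40.000000Z"/>
  <Channel>Security</Channel><Computer>WIN10-LAB</Computer></System>
 <EventData><Data Name="TargetUserName">student</Data><Data Name="LogonType">2</Data></EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Yield one dict per <Event>: id, time, computer, keywords and the EventData pairs."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        yield {
            "id": int(system.findtext("e:EventID", namespaces=NS)),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "computer": system.findtext("e:Computer", namespaces=NS),
            "keywords": int(system.findtext("e:Keywords", namespaces=NS), 16),
            "data": data,
        }


def failed_logons(xml_text):
    """Audit Failure events 4625 (logon attempt) and 4776 (credential check), oldest first."""
    out = []
    for ev in parse_events(xml_text):
        if ev["id"] not in (4625, 4776) or not ev["keywords"] & AUDIT_FAILURE_BIT:
            continue
        d = ev["data"]
        # 4625 gives the precise reason in SubStatus; 4776 only has Status
        code = int(d.get("SubStatus") or d.get("Status") or "0", 16)
        out.append({
            "time": ev["time"],
            "id": ev["id"],
            "account": d.get("TargetUserName", ""),
            "source": d.get("WorkstationName") or d.get("Workstation") or ev["computer"],
            "logon_type": d.get("LogonType"),        # "2" = interactive (console); 4776 has none
            "reason": STATUS_TEXT.get(code, hex(code)),
        })
    return sorted(out, key=lambda e: e["time"])


def attempts_per_account(xml_text):
    """Failed attempts per account name: the quickest check for guessing or spraying."""
    return Counter(e["account"] for e in failed_logons(xml_text))


if __name__ == "__main__":
    for e in failed_logons(SAMPLE_XML):
        print(f'{e["time"]} {e["id"]} {e["account"]:<8} from {e["source"]}: {e["reason"]}')
    print(dict(attempts_per_account(SAMPLE_XML)))
```

The successful 4624 in the sample is dropped by the Keywords test rather than by ID, which is the right filter in general: an event ID alone does not say whether the audit succeeded or failed.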

EXIF data:

  • Exchangeable Image File Format (Exif) is a standard for storing metadata inside digital image files (JPEG and TIFF). Many applications can read this data.
  • It includes the make and model of the camera, or the application used to create or edit the image, together with the capture date and time, exposure settings and often an embedded thumbnail of the original picture.

 

Step 1:

  • Make a folder on the desktop and name it Images
  • Then launch a browser, log in to Blackboard and download the data files for lab 3 to this folder
  • Use Exif Viewer to examine the Exif data
    • Open the files in the lab 3 folder
    • Click the Info button or View → Info Pane for detailed information
    • Spend a few minutes experimenting with this application
  • You can get some of this same information by checking the file properties (right-click the file → Properties → Details tab; older Windows versions call it Summary).
  • Note that GPS-equipped cameras and smartphones record where the photo was taken in the Exif GPS tags (latitude, longitude, altitude and a GPS timestamp). This is what “geotagging” means, and it is why photos should be checked for location data before they are published. GPX (GPS eXchange Format) is a different thing: a separate XML format for GPS track logs, not part of Exif.
  • ANSWER QUESTIONS 12-14

 

Geotagging:

 

 

 

 

thumbs.db/thumbcache.db:

 

  • thumbs.db (Windows XP; stored inside each folder) and thumbcache_*.db (Vista and later; stored per user under C:\Users\<username>\AppData\Local\Microsoft\Windows\Explorer, one file per thumbnail size such as thumbcache_96.db) are files created by the operating system to cache the thumbnails Explorer shows for images, documents and movies. A thumbnail may remain in the cache even after the original image has been moved or deleted, so the cache can show that a picture once existed on the machine.

 

Step 1:

  • Open the Pictures folder in File Explorer (This PC).
  • Under View, choose Large icons.
  • This generates the thumbnail images, which are stored in the thumbcache_*.db files under your profile's AppData\Local\Microsoft\Windows\Explorer folder.

 

Metadata:

 

  • Office 97–2003 documents (.doc, .xls, .ppt) are OLE2 compound files. They begin with the 8-byte signature D0 CF 11 E0 A1 B1 1A E1 (which reads as “DOCFILE” in hex), followed by a 16-byte CLSID that is normally all zeros, so the start of the file looks like this in a hex view:

\xD0 \xCF \x11 \xE0 \xA1 \xB1 \x1A \xE1 \x00 \x00

  • The author, company, application name and edit times are stored inside the container in its SummaryInformation stream; that is the metadata FTK Imager shows in the step below.

Step 1:

  • Create a folder on the desktop called Office Documents
  • Create two files, a Word file and an Excel file, in Office (save them as 97-2003 file versions) and save them in this folder (Note: if you don't have Office installed in your VM, create the documents elsewhere and email them to yourself to open in the VM)
  • Open FTK Imager
    • Add Evidence Item → Contents of a Folder and browse to add the Office Documents folder
    • Select each file and then click the Text icon on the toolbar to view it as text; the first bytes in the Hex view should match the signature above
    • You should be able to find the author and application associated with the file
    • By clicking on the explorer tool (eyeglasses) you can see the metadata.

 

Link files/ Recent

 

  • Files with a .lnk extension (shortcuts) are created by Windows when a user opens a file; Explorer keeps them in the Recent Items folder, C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent.
  • Link files store the path to the target file, the target's size and timestamps, the serial number of the volume it was on and, in many cases, the NetBIOS name of the computer. Link files may also be created by software at install time or deliberately by the user, so check where a link lives before reading it as evidence of use.
  • The creation date of the .lnk file is when the target was first opened.
  • If a file is opened again after a .lnk file already exists, the link is updated, so the creation date of the .lnk file and the last modified date of the .lnk file can be taken as the first and last time the file was opened. These are the link file's own file-system timestamps; the timestamps stored inside the link belong to the target.
  • Open your Documents folder in Imager, then the Recent Items folder above.
    • Can you see any .lnk files?
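The bullets above use the .lnk file's own file-system timestamps. A link file also carries, inside its header, the target's creation, access and write times and, in its LinkInfo block, the target's local path, which is how a shortcut can still name a file that has since been deleted. The added example below (written for this page; not part of the lab and not Microsoft code) reads those fields following the MS-SHLLINK layout. Since the page ships no shortcut, it constructs a minimal .lnk in memory (header, one LinkInfo block with a volume ID and local base path, terminal block); the path, timestamps, file size and volume serial number are made up. Decoding the path as cp1252 is an assumption: LocalBasePath is in the system's ANSI code page.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored (first three fields little-endian)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01        # LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit (MS-SHLLINK 2.3)


def filetime_to_datetime(ft):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_lnk(data):
    """Return the target path and the target timestamps recorded inside a .lnk file."""
    header_size, clsid, flags, attrs, ctime, atime, wtime, size = struct.unpack_from(
        "<I16sIIQQQI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the IDList when present
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    target = None
    if flags & HAS_LINK_INFO:
        info_size, _hdr_size, info_flags, _vol_off, base_off = struct.unpack_from("<5I", data, pos)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            start = pos + base_off                  # LocalBasePath: NUL-terminated ANSI string
            end = data.index(b"\x00", start)
            target = data[start:end].decode("cp1252", errors="replace")  # assumed code page
    return {
        "target": target,
        "target_created_utc": filetime_to_datetime(ctime).isoformat(),
        "target_accessed_utc": filetime_to_datetime(atime).isoformat(),
        "target_modified_utc": filetime_to_datetime(wtime).isoformat(),
        "target_size": size,
        "target_attributes": attrs,
    }


def make_sample_lnk(target, ctime, atime, wtime, size):
    """Construct a minimal .lnk (header + LinkInfo + terminal block). Fixture, not a real shortcut."""
    path = target.encode("cp1252") + b"\x00"
    # VolumeID: size, DriveType 3 (DRIVE_FIXED), made-up serial, label offset, empty label
    volume_id = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"
    info_header = 28                                # LinkInfoHeaderSize without unicode offsets
    base_off = info_header + len(volume_id)
    suffix_off = base_off + len(path)
    info_size = suffix_off + 1                      # + empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", info_size, info_header, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            info_header, base_off, 0, suffix_off) + volume_id + path + b"\x00"
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, HAS_LINK_INFO,
                         0x20, ctime, atime, wtime, size,   # FILE_ATTRIBUTE_ARCHIVE
                         0, 1, 0, 0, 0, 0)                  # IconIndex, SW_SHOWNORMAL, HotKey, reserved
    return header + link_info + b"\x00\x00\x00\x00"         # TerminalBlock


T0 = 116444736000000000 + 1655510400 * 10**7   # FILETIME for 2022-06-18 00:00:00 UTC (made up)
SAMPLE_LNK = make_sample_lnk(r"C:\Users\student\Desktop\scienter.txt",
                             ctime=T0, atime=T0 + 7200 * 10**7, wtime=T0 + 3600 * 10**7, size=40)

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:>20}: {value}")
```

On a real system, read each file in the Recent folder with open(path, "rb") and pass the bytes to parse_lnk; compare the target's write time inside the link with the link file's own modified time from the file system to see whether the target changed after it was last opened through this shortcut.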

 
