Volatile Data UNIT 5

Volatile data is temporarily stored in RAM and lost on restart, unlike non-volatile data. The document discusses uses of volatile data like computer forensics, cybersecurity, and memory management. It provides examples of volatile data and explains non-volatile data and why it is important for businesses.

Uploaded by

hritikop1999

Unit-5

Volatile data
Volatile data is information that is temporarily stored in a computer's RAM while the system is running. It is critical in computer forensics and cybersecurity for real-time analysis and investigation. Unlike non-volatile data, volatile data is lost when the computer is powered off.

Volatile Data use cases:

• Computer Forensics. In digital forensics, investigators capture and analyze volatile data. They gather evidence, identify active processes, and uncover recent user activity.
• Cybersecurity. Analysts can examine volatile memory to identify running processes, malicious code, and unauthorized activities.
• Computer Memory Management. Operating systems use volatile memory to store data that is currently being used by running applications. Memory management techniques help optimize system performance.
• Process Scheduling: The operating system allocates time slices to each process to ensure fair sharing of the CPU. This allows processes to execute without interfering with each other.
• Cache Management: The CPU cache is a small but ultra-fast memory used to store frequently accessed data and instructions. Cache management helps optimize data access and minimize cache misses, improving system performance.
• Virtual Memory: It extends the available address space beyond physical RAM. It allows processes to use more memory than is physically available by swapping data between RAM and disk storage.
• Volatile Data Persistence: Volatile data is temporary and lost when the system is turned off. However, certain data can be saved for a short period if a system crashes or unexpectedly shuts down. Some operating systems use mechanisms like "crash dumps" to capture specific volatile data before shutting down.
• Hibernation and Sleep Modes: The system saves the content of volatile memory to non-volatile storage before powering off or entering low-power states. When the system resumes, it restores the saved data back into RAM so users can continue from where they left off.

Examples of Volatile Data:

• Running processes: Information about active programs and system tasks.
• Open network connections: Details about current network connections.
• System environment variables: Temporary variables used by the operating system.
• Clipboard content: Text or data temporarily stored on the clipboard.
• RAM cache: Cached data stored in volatile memory for faster access.

What is Non-volatile Data?


Non-volatile data refers to data that is stored in a persistent manner, meaning it
remains intact and accessible even in the event of system restarts or power failures.
It is designed to provide durability and reliability to business data, ensuring it is not
lost or corrupted during unexpected events.

How Non-volatile Data Works


Non-volatile data is typically stored in persistent storage media such as solid-state
drives (SSDs), hard disk drives (HDDs), or non-volatile memory (NVM) technologies.
These storage devices retain data even when they are not powered, allowing the
data to be accessed again once the system or device is powered on.

Why Non-volatile Data is Important


Non-volatile data is crucial for businesses as it ensures the durability and reliability of
their critical data. By storing data in a non-volatile manner, businesses can protect
against data loss or corruption during unexpected events such as power failures or
system crashes. It enables businesses to maintain data integrity and continue
operations without significant disruptions.

The Most Important Non-volatile Data Use Cases
Non-volatile data finds application in various use cases across different industries. Some of the most important use cases include:

• Data Backup and Recovery: Non-volatile data storage allows businesses to create regular backups of their data and recover it in case of data loss or system failures.
• Data Archiving: Non-volatile storage is often used for long-term data archiving, allowing businesses to retain and access historical data for compliance, audit, or analysis purposes.
• Distributed File Systems: Non-volatile data plays a critical role in distributed file systems that enable efficient storage and retrieval of large-scale data across multiple nodes or clusters.
• Highly Available Systems: Non-volatile storage is essential for building highly available systems that can withstand hardware or software failures without losing critical data.

Analyzing the Windows Registry for Evidence

What Is the Registry?


The registry is a database of stored configuration information about the users, hardware, and software on a Windows system. Although the registry was designed to configure the system, in doing so it tracks a plethora of information about the user's activities, the devices connected to the system, what software was used and when, etc. All of this can be useful to the forensic investigator in tracking the who, what, where, and when of a forensic investigation. The key is just knowing where to look.

Hives
Inside the registry, there are root folders. These root folders are referred to as hives. There are five (5) registry hives.

• HKEY_USERS: contains all the loaded user profiles
• HKEY_CURRENT_USER: profile of the currently logged-on user
• HKEY_CLASSES_ROOT: configuration information on the application used to open files
• HKEY_CURRENT_CONFIG: hardware profile of the system at startup
• HKEY_LOCAL_MACHINE: configuration information including hardware and software settings

Registry Structure
The registry is structured very similarly to the Windows
directory/subdirectory structure. You have the five root keys or hives and
then subkeys. In some cases, you have sub-subkeys. These subkeys then
have descriptions and values that are displayed in the contents pane. Very
often, the values are simply 0 or 1, meaning on or off, but also can contain
more complex information usually displayed in hexadecimal.
Accessing the Registry
On our own system—not in a forensic mode—we can access the registry by
using the regedit utility built into Windows. Simply type regedit in the search
window and then click on it to open the registry editor like that below.

Information in the Registry with Forensic Value
As a forensic investigator, the registry can prove to be a treasure trove of information on who, what, where, and when something took place on a system, and that information can directly link the perpetrator to the actions being called into question.
Information that can be found in the registry includes:
• Users and the time they last used the system
• Most recently used software
• Any devices mounted to the system, including unique identifiers of flash drives, hard drives, phones, tablets, etc.
• When the system connected to a specific wireless access point
• What files were accessed and when
• A list of any searches done on the system
• And much, much more
Wireless Evidence in the Registry
Many hackers crack a local wireless access point and use it for their
intrusions. In this way, if the IP address is traced, it will lead back to the
neighbor's or other wireless AP and not them.
For example, back in January 2012, an Anonymous member, John Borrell III,
hacked into the computer systems of the Salt Lake City police department
and the Utah Chiefs of Police. The FBI was called in to investigate and they
traced the hacker back to the IP address of Blessed Sacrament Church's Wi-Fi
AP in Toledo, Ohio. The hacker had apparently cracked the password of the
church's wireless AP and was using it to hack "anonymously" on the Internet.
Eventually, the FBI was able to find the suspect through various investigation
techniques, mostly low-tech, exhaustive, detective work. It helped that John
Borrell had bragged on Twitter of his success as a hacker. Eventually, Mr.
Borrell was convicted and sentenced to two years in Federal prison.
When the FBI tracked down Mr. Borrell and seized his computer, they were able to prove he had been connected to the church AP by examining his registry. The forensic investigator simply had to look in the registry at this location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
There, you will find a list of GUIDs of wireless access points the machine has been connected to. When you click on one, it reveals information including the SSID name and the date last connected in hexadecimal. So, although Mr. Borrell initially denied his involvement with this hack, this evidence was conclusive and he eventually pleaded guilty.
The screenshot below shows that the perpetrator had connected to the "HolidayInnColumbia" SSID in November 2014.
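The date that regedit shows "in hexadecimal" under each profile GUID is a Windows SYSTEMTIME structure: eight little-endian 16-bit words (year, month, day of week, day, hour, minute, second, millisecond). The Python below is an added example, not code from the original document or from any tool it names. It reads a .reg export of the NetworkList\Profiles key, which is how the key is normally carried off an evidence image, decodes DateCreated and DateLastConnected, and labels the profile type from NameType (0x06 wired, 0x17 VPN, 0x47 wireless). The GUID, SSID and timestamps in SAMPLE_REG_EXPORT are constructed for the example; the layout of a real export is the same.

```python
import struct
from datetime import datetime

PROFILES_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                r"\CurrentVersion\NetworkList\Profiles")
# NameType as Windows records it: 0x06 wired, 0x17 VPN, 0x47 wireless.
NAME_TYPES = {0x06: "wired", 0x17: "vpn", 0x47: "wireless"}

# Constructed .reg export of one profile under the key above. The GUID, SSID
# and dates are invented for this example; a real export looks the same.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{1a2b3c4d-0000-4000-8000-000000000001}]
"ProfileName"="HolidayInnColumbia"
"Description"="HolidayInnColumbia"
"Managed"=dword:00000000
"Category"=dword:00000000
"DateCreated"=hex:de,07,0b,00,03,00,0c,00,0f,00,1e,00,2d,00,00,00
"NameType"=dword:00000047
"DateLastConnected"=hex:de,07,0b,00,05,00,0e,00,12,00,20,00,07,00,00,00
"""


def decode_systemtime(blob: bytes) -> datetime:
    """Decode the 16-byte SYSTEMTIME that DateCreated/DateLastConnected hold:
    eight little-endian WORDs (year, month, weekday, day, h, m, s, ms)."""
    if len(blob) != 16:
        raise ValueError(f"SYSTEMTIME is 16 bytes, got {len(blob)}")
    year, month, _weekday, day, hour, minute, second, ms = struct.unpack("<8H", blob)
    return datetime(year, month, day, hour, minute, second, ms * 1000)


def _reg_value(raw: str):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")      # .reg doubles backslashes
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex:"):
        return bytes(int(b, 16) for b in raw[4:].split(",") if b.strip())
    return raw                                      # other REG types kept as text


def _logical_lines(reg_text: str):
    """Yield .reg lines with backslash-continued hex values re-joined."""
    buf = ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def parse_network_profiles(reg_text: str) -> list:
    """Return one dict per profile GUID found under NetworkList\\Profiles."""
    profiles, current = [], None
    for line in _logical_lines(reg_text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if key.lower().startswith(PROFILES_KEY.lower() + "\\"):
                current = {"guid": key.rsplit("\\", 1)[1]}
                profiles.append(current)
        elif current is not None and line.startswith('"') and "=" in line:
            name, raw = line.split("=", 1)
            current[name.strip('"')] = _reg_value(raw)
    for p in profiles:
        p["type"] = NAME_TYPES.get(p.get("NameType"), "unknown")
        for field in ("DateCreated", "DateLastConnected"):
            if isinstance(p.get(field), bytes):
                p[field] = decode_systemtime(p[field])
    return profiles


if __name__ == "__main__":
    for p in parse_network_profiles(SAMPLE_REG_EXPORT):
        print(p["guid"], p["type"], p["ProfileName"],
              "created", p["DateCreated"], "last connected", p["DateLastConnected"])
```

The decoded times are in the local time of the machine that wrote them, not UTC, so they must be interpreted against that machine's time zone setting (also stored in the SYSTEM hive) before being placed on a timeline with UTC sources.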
The RecentDocs Key
The Windows registry tracks so much information about the user's activities.
In most cases, these registry keys are designed to make Windows run more
efficiently and smoothly. As a forensic investigator, these keys are like a road
map of the activities of the user or attacker.
One of those keys is the "RecentDocs" key. It tracks the most recent documents used or opened on the system by file extension. It can be found at:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
So, for instance, the most recently used Word documents would be found under the .doc or the .docx extension, depending upon the version of Word they were created in (each key can hold up to the last 10 documents). If we go to the .docx extension, we see the last 10 Word documents listed under this key.
When we click on one of those keys, it reveals information about the document as seen below. We can view the document data in both hex, to the left, and ASCII, to the right. In this case, it shows that this document was a Metasploit course outline.

In some cases, an attacker will upload a .tar file, so that is a good place to
look for breach evidence. In general, you won't see a .tar file extension on a
Windows machine, so the presence of an entry here would be something that
needs further investigation. Check the files in the .tar key and see what they
might reveal about the attack or attacker.
In civil or policy violation investigations, evidence might be found in the
various graphic file extensions such as .jpg, .gif, or .png.

TypedURLs Key
When the user types a URL in Internet Explorer, this value is stored in the registry at:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

When we open that key in the registry, it lists the last URLs that the user visited with IE. This could reveal the source of the malware that was used in the breach, or, in civil or policy violation types of investigations, may reveal what the user was looking for/at.

The values will run from url1 (the most recent) to url25 (the oldest).
IP Addresses
The registry also tracks the IP addresses of the network interfaces. Note that there may be numerous interfaces, and this registry key tracks each interface's IP address and related information.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
As we can see below, we can find the IP address assigned to the interface,
the subnet mask, and the time when the DHCP server leased the IP. In this
way, we can tell whether the suspect was using that particular IP at the time
of the intrusion or crime.

Start Up Locations in the Registry

As a forensic investigator, we often need to find what applications or services were set to start when the system starts. Malware is often set to start each time the system restarts to keep the attacker connected. This information can be located in the registry in literally tens of locations. We will look at just a few of the most commonly set keys.
Probably the most used location is:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Any software/locations designated in these subkeys will start every time the system starts. Rootkits and other malicious software can often be found here, and they will start each time the system starts.

RunOnce Startup
If the hacker just wanted the software to run once at start up, the subkey may be set here.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Start Up Services
The key below lists all the services that are set to start at system startup. If the key is set to 2, the service starts automatically; if it is set to 3, the service must be started manually; and if the key is set to 4, the service is disabled.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
Start Legacy Applications
When legacy 16-bit applications are run, the program listed is run at:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WOW
Start When a Particular User Logs On
In the following key, the values are run when the specific user logs in.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
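The Run, RunOnce and per-user Run keys above are read by eye in the text. The Python below is an added example, not part of the original document, showing the triage an investigator applies to each exported value: work out which program the command actually launches, expand environment variables from a fixed table rather than the analyst's own machine (the key came from a suspect image), and flag images in user-writable directories, system binary names outside \Windows, unquoted paths containing spaces, and launchers such as rundll32.exe whose arguments carry the real payload. The value names and commands in RUN_ENTRIES are constructed, and the name lists and directory markers are assumptions chosen for the example rather than any authoritative list.

```python
import ntpath
import re

# Environment variables are expanded from a fixed table, not from the analyst's
# own environment, because the Run key comes from a suspect's image. These are
# the Windows defaults; <user> stands for the profile the NTUSER.DAT belongs to.
ENV = {
    "%systemroot%": r"C:\Windows", "%windir%": r"C:\Windows",
    "%programfiles%": r"C:\Program Files", "%programdata%": r"C:\ProgramData",
    "%appdata%": r"C:\Users\<user>\AppData\Roaming",
    "%localappdata%": r"C:\Users\<user>\AppData\Local",
    "%temp%": r"C:\Users\<user>\AppData\Local\Temp",
}
EXEC_EXT = (".exe", ".dll", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr", ".com")
# Binaries that legitimately live only under \Windows; the same name elsewhere
# is a common masquerade (assumed list for this example).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe",
                "winlogon.exe", "services.exe", "smss.exe", "conhost.exe"}
# Launchers whose arguments, not the launcher itself, carry the real payload.
LAUNCHERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
             "cscript.exe", "powershell.exe", "cmd.exe"}
# Directory markers an ordinary user can write to (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")
DRIVE_PATH = re.compile(r'[A-Za-z]:\\[^,"\s]+')

# Constructed contents of a Run key; every value name and command is invented.
RUN_ENTRIES = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "VendorAgent": r"C:\Program Files\Vendor Tool\agent.exe -start",
    "WindowsUpdate": r"C:\Users\alice\AppData\Roaming\svchost.exe",
    "Loader": r"rundll32.exe C:\ProgramData\cache\x.dll,Start",
}


def expand(command: str) -> str:
    """Case-insensitive expansion of the variables in ENV."""
    for var, val in ENV.items():
        command = re.compile(re.escape(var), re.IGNORECASE).sub(lambda _m: val, command)
    return command


def image_path(command: str):
    """Return (program the value launches, True if it was an unquoted path with spaces)."""
    command = expand(command.strip())
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end if end > 0 else None], False
    tokens = command.split()
    for i, tok in enumerate(tokens):          # join tokens until one looks executable
        if tok.lower().endswith(EXEC_EXT):
            path = " ".join(tokens[:i + 1])
            return path, " " in path
    return (tokens[0] if tokens else command), False


def triage_run_entries(entries: dict) -> list:
    """One finding per Run value: the resolved image and the reasons it needs a look."""
    findings = []
    for name, command in entries.items():
        path, unquoted = image_path(command)
        reasons = []
        base = ntpath.basename(path).lower()
        if base in LAUNCHERS:
            reasons.append(f"launched through {base}; the arguments carry the real payload")
            expanded = expand(command)
            args = expanded[expanded.lower().find(path.lower()) + len(path):]
            m = DRIVE_PATH.search(args)       # first drive-rooted path in the arguments
            if m:
                path, base = m.group(0), ntpath.basename(m.group(0)).lower()
        low = path.lower()
        if unquoted:
            reasons.append("unquoted image path containing spaces")
        if any(mark in low for mark in USER_WRITABLE):
            reasons.append("image lives in a user-writable directory")
        if base in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
            reasons.append(f"{base} outside the Windows directory (possible masquerade)")
        findings.append({"value": name, "image": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(RUN_ENTRIES):
        print(f["value"], "->", f["image"], "|", "; ".join(f["reasons"]) or "nothing unusual")
```

A flagged entry is a prompt to pull the image file and check its hash, signature and timestamps against the system's timeline, not a verdict: plenty of legitimate updaters live under AppData, which is exactly why the image itself has to be examined.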
Storage Artifacts in the Registry
Often, the suspect will use a Flash drive or hard drive for their malicious
activities and then remove them so as not to leave any evidence. The skilled
forensic investigator, though, can still find traces of evidence of those
storage devices within the registry, if they know where to look.
The registry on a Windows system varies a bit from version to version. A
skilled, professional digital forensic investigator needs to be able to work
with nearly all versions of Windows and other operating systems. Since
Windows 7 is still the most widely used operating system, by far, I will be
demonstrating on it. Keep in mind, though, that this will vary slightly
between versions.
USB Storage Devices
Imagine a case where we suspect that someone installed a keylogger or removed confidential information with a USB drive. How would we find evidence that a USB storage device was inserted and used? To find evidence of USB storage devices, we want to look at the following key.
HKEY_LOCAL_MACHINE\System\ControlSet00x\Enum\USBSTOR
In this key, we will find evidence of any USB storage device that has ever been connected to this system. Expand USBSTOR to see a listing of every USB storage device ever connected to this system.

In the screenshot above, I have circled one suspicious looking USB device.
When we expand it, it reveals a unique identifier for that device. By clicking
on this identifier, we can find much more information about the device.
As you can see in the screenshot above, when we click on the USB storage
identifier, it reveals in the right-hand window the Global Unique Identifier
(GUID), the friendly name, and the hardware ID, among other things. This
may be exactly the evidence we need to tie the suspect to their activity on
this system!

Mounted Devices
If the suspect used any hardware device that must be mounted to either read
or write data (CD-ROM, DVD, hard drive, flash drive, etc.), the registry will
record the mounted device. This information is stored at:
HKEY_LOCAL_MACHINE\System\MountedDevices
As you can see below, when we click on this key, it provides us a long list of
every device ever mounted on that machine.
If we need further information on any of those mounted devices, we can
simply click on it, and it will open a small app that will enable us to read the
data in ASCII. As you can see, this device was an IDE CD-ROM manufactured
by Teac.

If there is not a TEAC CD-ROM on the system, the forensic investigator now knows that they need to find this piece of hardware to find further evidence of the crime.
The registry is a depository of volumes of information on what happened on
a Windows system, and by learning our way around it, we can reconstruct the
elements of a crime that it was used for.
Windows Registry Analysis
Registry File Acquisition
The Windows registry is a central hierarchical database intended to store information that is necessary to configure the system for one or more users, applications or hardware devices [2]. There are four main registry files: System, Software, Security and SAM. Each registry file contains different information under keywords. The structure of the Windows registry is similar to file system directories. Registry files are located under the "C:\Windows\System32\config\" path. Each registry file contains lots of forensically valuable information.
Investigating the Windows registry is quite a difficult task, because in order to investigate it properly, the registry needs to be extracted from the computer. Extraction of the registry file is not just a normal copy and paste operation. Since registry files store all the configuration information of the computer, they are automatically updated every second. In order to extract Windows registry files from the computer, investigators have to use third-party software such as FTK Imager [3], EnCase Forensic [4] or similar tools. FTK Imager is one of the most widely used tools for this task. Apart from using third-party software, some research has been carried out to demonstrate how to extract registry information from Windows CE memory images [9] and volatile memory (RAM) [10].

AccessData FTK Imager

AccessData FTK (Forensic Tool Kit) Imager is the most widely used standalone disk imaging program to extract the Windows registry from a computer. AccessData FTK Imager 3.2.0.0 basically scans the hard drive in order to identify various pieces of information. This tool can be used for a variety of processes when extracting the Windows registry. These include:
• Physical Drive – Extract from a hard drive
• Logical Drive – Extract from a partition
• Image File – Extract from an image file
• Contents of a Folder – Logical file-level analysis only: excludes deleted files and unallocated space
The steps to extract registry files with AccessData FTK Imager 3.2.0.0 are as follows.

Step 1 – Open "Access Data FTK Imager 3.2.0.0".

Figure 1 : Main Window – Access Data FTK Imager 3.2.0.0

Step 2 – Click on the "Add Evidence Item" button.

Figure 2 : Select Source Window – Access Data FTK Imager 3.2.0.0

Step 3 – Select the "Logical Drive" radio button.

Figure 3 : Select Source Window – Access Data FTK Imager 3.2.0.0

Step 4 – Select the source drive.

Figure 4 : Select Drive Window – Access Data FTK Imager 3.2.0.0

Step 5 – Scan the "MFT" by expanding the "Evidence Tree".

Figure 5 : FS Progress Window – Access Data FTK Imager 3.2.0.0

Step 6 – Go to windows/system32/config/.

Figure 6 : Extracted Information Window – Access Data FTK Imager 3.2.0.0

Step 7 – Export the registry file by clicking the "Export Files" button.

Figure 7 : Export File Pop Up Window – Access Data FTK Imager 3.2.0.0

Step 8 – Select the destination folder.

Figure 8 : Browse For Folder Window – Access Data FTK Imager 3.2.0.0

Registry Structure
The structure of the Windows registry is similar to file system directories.
Both the Windows registry and the file system are organized in a tree
structure [5]. The Windows registry stores all configuration settings as keys
[6]. The registry updates its stored configurations according to the changes
which are made while hardware and software are being used. In Windows
XP, 2000 and 2003 (Windows NT based operating systems) the registry
files are stored in the configuration folder located at Windows\System32\
Config folder.
As mentioned above, the structure of the Windows registry is similar to
Windows folders and files. Each main folder is known as a “Hive”. Hives
are made of a combination of sub folders, called “Keys”. These Keys
contain Sub Keys with configuration information.

Figure 9 : Registry Structure (c) Help.comodo.com, 2019

The figure above shows a Registry Editor window of a computer. It shows the internal structure of the registry. A Hive is a logical group of keys, sub keys and values in the registry that has a set of supporting files containing backups of its data [7]. There are five main Hives:
• HKEY_CLASSES_ROOT (HKCR)
• HKEY_USERS (HKU)
• HKEY_CURRENT_USER (HKCU)
• HKEY_LOCAL_MACHINE (HKLM)
• HKEY_CURRENT_CONFIG (HKCC)
Each registry Hive has its own supporting files. According to Microsoft, the hives and their supporting files are [7]:
• HKEY_CURRENT_CONFIG – System, System.alt, System.log, System.sav
• HKEY_CURRENT_USER – Ntuser.dat, Ntuser.dat.log
• HKEY_LOCAL_MACHINE\SAM – Sam, Sam.log, Sam.sav
• HKEY_LOCAL_MACHINE\Security – Security, Security.log, Security.sav
• HKEY_LOCAL_MACHINE\Software – Software, Software.log, Software.sav
• HKEY_LOCAL_MACHINE\System – System, System.alt, System.log, System.sav
• HKEY_USERS\.DEFAULT – Default, Default.log, Default.sav
In the HKEY_LOCAL_MACHINE Hive, there are five main Keys. Each Key contains Sub Keys with configuration information. These are:
• HARDWARE
• SAM (Security Accounts Manager)
• SECURITY
• SOFTWARE
• SYSTEM

Figure 10 : The files in the Windows\System32\Config folder and their associations with the hives (c)
Help.comodo.com, 2019

Figure 10 shows the information contained in the Software, System, SAM, Security, Default and Userdiff files and their respective associated file names.
Registry hive files are allocated in 4096-byte blocks starting with a header,
or base block, and continuing with a series of hive bin blocks. Each hive bin
(HBIN) is typically 4096 bytes [5].
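The Python below is an added example, not code from the original text, that parses the on-disk layout just described: the 4096-byte base block (the "regf" header with its two sequence numbers, last-written FILETIME, embedded file name and checksum) followed by "hbin" blocks, counting the allocated and free cells inside each bin. It builds its own two-bin hive (its embedded file name is literally CONSTRUCTED) so it runs offline; the field offsets follow the documented regf and hbin header formats, and the two checks it reports, matching sequence numbers and a valid base-block checksum, are the standard consistency tests an analyst runs on a hive extracted as described above before trusting its contents.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 4096                      # hive files are laid out in 4096-byte blocks
BASE_BLOCK_FMT = "<4sIIQIIIIIII"  # "regf", seq1, seq2, FILETIME, major, minor,
                                  # file type, format, root cell, bins size, cluster
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def base_block_checksum(block: bytes) -> int:
    """XOR of the 127 DWORDs preceding the checksum field at offset 508."""
    x = 0
    for (dw,) in struct.iter_unpack("<I", block[:508]):
        x ^= dw
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1


def parse_hive(data: bytes) -> dict:
    """Read the base block and walk the hive bins, counting cells in each."""
    if data[:4] != b"regf":
        raise ValueError("missing 'regf' signature: not a registry hive")
    (_, seq1, seq2, ts, major, minor, _ftype, _fmt, root, bins_size,
     _cluster) = struct.unpack_from(BASE_BLOCK_FMT, data, 0)
    name = data[48:112].decode("utf-16-le").split("\0", 1)[0]
    (stored,) = struct.unpack_from("<I", data, 508)
    info = {
        "filename": name,
        "version": f"{major}.{minor}",
        "primary_seq": seq1,
        "secondary_seq": seq2,
        # Equal sequence numbers mean every logged write completed; a mismatch
        # means the hive is "dirty" and its transaction log may hold newer data.
        "consistent": seq1 == seq2,
        "checksum_ok": stored == base_block_checksum(data[:BLOCK]),
        "last_written": filetime_to_datetime(ts),
        "root_cell_offset": root,
        "hbins": [],
    }
    off = BLOCK                       # hive bins data starts after the base block
    end = BLOCK + bins_size
    while off + 32 <= end and data[off:off + 4] == b"hbin":
        rel, size = struct.unpack_from("<II", data, off + 4)
        allocated = free = 0
        pos = 32                      # cells follow the 32-byte hbin header
        while pos + 4 <= size:
            (cell,) = struct.unpack_from("<i", data, off + pos)
            if cell == 0 or abs(cell) > size - pos:
                break                 # corrupt cell size: stop walking this bin
            if cell < 0:
                allocated += 1        # negative size = allocated cell
            else:
                free += 1             # positive size = free cell
            pos += abs(cell)
        info["hbins"].append({"offset": rel, "size": size,
                              "allocated_cells": allocated, "free_cells": free})
        off += size
    return info


def build_sample_hive(primary: int = 7, secondary: int = 7) -> bytes:
    """Constructed two-bin hive used only to exercise parse_hive()."""
    ts = (datetime(2024, 3, 5, 9, 14, 2, tzinfo=timezone.utc) - FILETIME_EPOCH) \
        // timedelta(microseconds=1) * 10
    base = bytearray(BLOCK)
    struct.pack_into(BASE_BLOCK_FMT, base, 0, b"regf", primary, secondary, ts,
                     1, 5, 0, 1, 0x20, 2 * BLOCK, 1)
    base[48:48 + 22] = "CONSTRUCTED".encode("utf-16-le")
    struct.pack_into("<I", base, 508, base_block_checksum(base))

    def hbin(rel, cells):
        b = bytearray(BLOCK)
        struct.pack_into("<4sII8sQI", b, 0, b"hbin", rel, BLOCK, b"\0" * 8, ts, 0)
        pos = 32
        for size, allocated in cells:
            struct.pack_into("<i", b, pos, -size if allocated else size)
            pos += size
        return bytes(b)

    # bin 0: one 32-byte allocated cell then free space; bin 1: entirely free
    return bytes(base) + hbin(0, [(32, True), (BLOCK - 64, False)]) \
        + hbin(BLOCK, [(BLOCK - 32, False)])


if __name__ == "__main__":
    print(parse_hive(build_sample_hive()))
```

Free cells are where deleted keys and values linger until the space is reused, which is why a parser that walks every cell, not just the live key tree, matters for recovery.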

Issues in Registry Analysis

There are a few main issues that investigators have to face when analyzing registry files.
• Data Completeness – The amount of information required for the investigation will depend on the type of the investigation. Some investigations require more information than others. Because of this, investigators should ensure that all the data is present and complete. If this is not the case, the investigation may take extra time to complete and therefore be more costly.
• Missing Data – Missing data reduces the accuracy of the investigation. Missing data can be sorted into three categories of randomness [8]:
  • Missing completely at random (MCAR)
  • Missing at random (MAR)
  • Missing not at random (MNAR)
• Extracting Data – At present there is no technique to view registry files in real time. With the currently available technology, investigators can only take an image of a registry file. The disadvantage of this is that investigators cannot collect further information after they have captured the registry file.
• Lack of Knowledge About Keys – Registry files store data under unique keys. Some investigators do not know all the keys which are stored in the registry files. This can lead to missing a lot of information. There are also some instances in which it is not possible to find out about certain keys and stored information.
• Registry File Format – Registry files are stored under the "C:\Windows\System32\config\" path, and they must be ripped and converted into a readable format before being used in an investigation.

What is a browser cache, and why is it important?
In common parlance, caching means placing something in storage (usually in secret) on the chance that it may come in useful later (e.g. a weapons cache). A browser or Web cache does exactly that, except with program and website assets. When you visit a website, your browser takes pieces of the page and stores them on your computer's hard drive. Some of the assets your browser will store are:

• Images - logos, pictures, backgrounds, etc.
• HTML
• CSS
• JavaScript

In short, browsers typically cache what are known as "static assets" - parts of a website that do not change from visit to visit.

What to cache and for how long is determined by the website. Some assets are removed from your machine in a few days while others may remain in your cache for up to a year.

When many people hear that websites are storing assets on their machines without their knowledge or permission, they get a bit nervous. After all, we're placing a great deal of trust in Web developers, hoping that they won't put anything destructive or malicious on our devices.

The benefits of browser caching far outweigh the risks. Good firewalls, virus scanners and common sense are all you need to keep your machine safe.

Tools for decoding web-browser caches for forensic analysis
1. Cache View is a Windows tool for decoding web-browser caches. Cyber-crime investigators from around the world are using this tool for fast analysis of suspect web-browsing activity. Visit the Cache View homepage: http://www.webcacheview.com/
2. The free tool Pasco from Foundstone is good as well.
3. Delve on THE FARMER'S BOOT CD has the capability to parse Internet Explorer, Opera, and Mozilla web cache (cookies and histories) as well: a simple point-and-click GUI on a Linux boot CD designed and optimized for forensics. www.forensicbootcd.com
4. NetAnalysis, http://www.digital-detective.co.uk, while quite a bit more costly, will extract and correctly parse all of the MSIE index records. It also features a tool named HistEx, which can retrieve index records from u/c.
1) What are cookies?
Cookies are small data files that are sent from the server when a
user views a website, and which are stored on the user's computer or
terminal. Cookies and access analysis tools and similar technologies
enable us to identify a user's computer or terminal when the user is
visiting the site, and to collect data such as the history of the user's
visits. This data does not include any information that would allow the
individual user to be identified.

What are analytics cookies?

Analytics cookies or performance cookies are used to track website visitors and their user behaviour. This data is then used to improve the way the website works and, in turn, to improve the user experience. Google Analytics (GA) cookies are one of the most common analytics cookies set by websites. GA cookies collect anonymous information, including the number of visitors to the site, unique visitors, where visitors have come to the site from and the pages they visited.
Analytics cookies require active user consent as per the ePrivacy Directive and GDPR rules in the EU and UK. However, the French DPA, CNIL, allows consent exemptions for analytics cookies, provided certain conditions are met.

Cookies
Cookies are small text files that are stored on your device when you
download a website or perform an action on the website. The cookies’
contents will then be shared between your browser, the website and
various services. They are used to ensure that the website and various
services work optimally. They are not used to identify you as an individual.

Browser forensics: Google Chrome
Browsers have become an inherent part of our virtual life, and we all make use of browsers for surfing the internet in some way or another. Browsers are used not only for surfing; we can also use them for navigating through the file system of the OS.
You might have observed that by default browsers store data like search queries, usernames, passwords, form data, emails, credit card data and other sensitive information. Browsers also contain downloaded media like images, videos, executables, documents etc. Bookmarks and browser history give an idea of the user's surfing habits and interests.
You might have realised the browser stores a lot of sensitive information about the user and their surfing habits. Thus browsers play a very important role in forensics due to the nature and amount of data they store.

Why browser forensics

With the help of browser forensics and with the assistance of forensics tools, one can extract sensitive data and chosen keywords from most web browsers. One can retrieve deleted data and keywords, check whether history was cleared, and retrieve artifacts like cookies, download data, history, saved passwords, websites visited etc. Browser forensics also helps a lot in understanding how an attack on a system was conducted, helping to find the source of malware/adware/spyware, malicious emails, phishing websites etc.
There are many web browsers available, like Chrome, Firefox, Safari, IE, Opera etc., depending upon the platform being used. In this post, we will be learning how to conduct forensics for the Google Chrome browser.

Chrome
Google Chrome is one of the most popular of all the browsers available. It runs on all platforms and has been developed by Google.
A few salient features offered by Chrome:

1) Can be integrated with all Google services

2) Password synchronization between various devices

3) Plugin and extension availability

4) Incognito mode support
Google chrome artifacts

An artifact is a remnant or trace left behind on the computer which helps to identify the source of malicious traffic and the attack conducted on the system. A few examples include cache data, history, downloads etc.
Chrome stores these artifacts inside specific folders in the operating system. The file location for every browser is different but the file format remains the same. Following are the common artifacts stored by Chrome –

1) Navigation History – This reveals navigation history of the user. It can be used to
track whether a user has visited any malicious URL or not.

2) Autocomplete Data – This reveals data that has been used on various forms and
search terms etc. It is used with Navigation History for more insight.

3) Bookmarks - Self Explanatory

4) Add-ons, Extensions and Plugins - Self Explanatory

5) Cache – Contains cache data from various websites like Images, Javascript Files etc

6) Logins - Self Explanatory

7) Form Data - Self Explanatory

8) Favicons - Self Explanatory

9) Session Data - Self Explanatory

10) Thumbnails - Self Explanatory

11) Favorites - Self Explanatory

12) Sensitive data - Self Explanatory

Various artifacts and their locations

Following are the locations of the various artifacts one can have a look at while doing a forensic investigation on Chrome –

1) Profile Path – This contains the majority of the artifacts and profile data of the user.

Location –

C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default

C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\ChromeDefaultData

2) Downloads + Navigation History + Search History – This is stored in SQLite database form.

Location –

C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\History

C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\History

3) Cookies – This is also stored in SQLite database form.

Location –

C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Cookies

C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Cookies

4) Cache

Location –

C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Cache

C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Cache

5) Bookmarks – Stored in JSON format.

Location –

C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Bookmarks

C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Bookmarks
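The History file listed above is an SQLite database, so the queries are the whole technique. The Python below is an added example, not code from the original post or from Chrome, that builds a small in-memory database using the same table and column names Chrome uses for urls, visits, keyword_search_terms and downloads (a subset of the real columns), fills it with constructed rows, and runs the three queries an investigator needs: a visit timeline with the transition type decoded, the search terms typed into the omnibox, and the download records. The timestamp conversion is the part most often done wrong: Chrome stores microseconds since 1601-01-01 UTC (WebKit time), not Unix seconds.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Core page-transition types (low byte of visits.transition) as Chrome defines them.
TRANSITIONS = {0: "link", 1: "typed", 2: "auto_bookmark", 3: "auto_subframe",
               4: "manual_subframe", 5: "generated", 6: "auto_toplevel",
               7: "form_submit", 8: "reload", 9: "keyword", 10: "keyword_generated"}

# Subset of Chrome's History schema: same table and column names, fewer columns.
SCHEMA = """
CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                   typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER DEFAULT 0);
CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                     from_visit INTEGER, transition INTEGER);
CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER,
                                   term TEXT, normalized_term TEXT);
CREATE TABLE downloads (id INTEGER PRIMARY KEY, current_path TEXT, target_path TEXT,
                        start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER,
                        tab_url TEXT, referrer TEXT);
"""


def chrome_time_to_datetime(us: int) -> datetime:
    """Chrome stores microseconds since 1601-01-01 UTC, not Unix seconds."""
    return CHROME_EPOCH + timedelta(microseconds=us)


def datetime_to_chrome_time(dt: datetime) -> int:
    return (dt - CHROME_EPOCH) // timedelta(microseconds=1)


def build_sample_history() -> sqlite3.Connection:
    """Constructed History database: a typed visit, a search, a click-through
    from the search, and one download. Every row is invented for this example."""
    def t(*ymdhms):
        return datetime_to_chrome_time(datetime(*ymdhms, tzinfo=timezone.utc))
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://www.example.com/", "Example Domain", 1, 1, t(2024, 3, 5, 9, 14, 2), 0),
        (2, "https://www.google.com/search?q=volatility+memory+forensics",
         "volatility memory forensics - Google Search", 1, 0, t(2024, 3, 5, 9, 20, 45), 0),
        (3, "https://downloads.example.net/tools/", "Tools", 1, 0, t(2024, 3, 5, 9, 21, 30), 0),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t(2024, 3, 5, 9, 14, 2), 0, 0x10000001),   # typed; high bits are chain flags
        (2, 2, t(2024, 3, 5, 9, 20, 45), 0, 5),           # generated by the search box
        (3, 3, t(2024, 3, 5, 9, 21, 30), 2, 0),           # link clicked from visit 2
    ])
    conn.execute("INSERT INTO keyword_search_terms VALUES (?,?,?,?)",
                 (2, 2, "volatility memory forensics", "volatility memory forensics"))
    conn.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?)",
                 (1, r"C:\Users\alice\Downloads\tool.zip", r"C:\Users\alice\Downloads\tool.zip",
                  t(2024, 3, 5, 9, 21, 58), 1048576, 1048576,
                  "https://downloads.example.net/tools/", "https://downloads.example.net/tools/"))
    conn.commit()
    return conn


def visit_timeline(conn) -> list:
    """Every visit in time order, with the page and decoded transition type."""
    rows = conn.execute("""
        SELECT v.id, v.visit_time, u.url, u.title, v.transition, v.from_visit
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time""").fetchall()
    return [{"visit_id": vid, "time": chrome_time_to_datetime(ts), "url": url,
             "title": title, "kind": TRANSITIONS.get(tr & 0xFF, f"unknown({tr & 0xFF})"),
             "from_visit": frm} for vid, ts, url, title, tr, frm in rows]


def search_terms(conn) -> list:
    """(term, search URL) pairs typed into the omnibox."""
    return conn.execute("""
        SELECT k.term, u.url FROM keyword_search_terms k
        JOIN urls u ON u.id = k.url_id""").fetchall()


def download_records(conn) -> list:
    rows = conn.execute("""SELECT target_path, start_time, received_bytes, total_bytes,
                           tab_url, referrer FROM downloads ORDER BY start_time""").fetchall()
    return [{"path": p, "started": chrome_time_to_datetime(st), "complete": rb == tb,
             "tab_url": tu, "referrer": rf} for p, st, rb, tb, tu, rf in rows]


if __name__ == "__main__":
    db = build_sample_history()
    for v in visit_timeline(db):
        print(v["time"], v["kind"], v["url"])
    print(search_terms(db))
    print(download_records(db))
```

Against a real artifact, copy the History file out of the profile first (Chrome keeps it locked while running) and open the copy read-only, for example `sqlite3.connect("file:History?mode=ro&immutable=1", uri=True)`, so the analysis never writes to the evidence.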

Tools
Now that we know the different artifacts and their locations, let's see which tools can be used for performing browser forensics –

• DB Browser – For opening .sqlite files.
• Nirsoft – Web Browser Tools
• BrowsingHistoryView
• ESEDatabaseView
• Sysinternals Strings
• OS Forensics
• Magnet IEF (Internet Evidence Finder)
• Browser History Viewer
• Browser History Examiner (Free Trial)
• Hindsight
• libesedb (Library to access the Extensible Storage Engine (ESE) Database File (EDB) format)
• Web Browser Add-ons View (Use to view installed extensions and add-ons)
• The LaZagne Project

Exploring the intricacies of recycle bin forensics
Recycle bin forensics is a specialized branch of digital forensics that focuses on the
retrieval and analysis of deleted files from the recycle bin or trash folder. This
intriguing technique holds the potential to unlock a treasure trove of evidence,
shedding light on cybercrimes and aiding in the investigation process.

To comprehend the intricacies of recycle bin forensics, it's essential to grasp how the
recycle bin functions.

When you delete a file on your computer, it often finds its way to the recycle bin or
trash folder. It's a convenient feature that allows you to recover accidentally deleted
files with a simple click. But did you know that even after you empty the recycle bin,
traces of those files may still linger on your system?

Welcome to the fascinating realm of recycle bin forensics, where digital detectives
can uncover valuable information and shed light on a user's activities.

Location of deleted files

C:\RECYCLED (Win 95/98/Me)

C:\RECYCLER (Win NT/2000/XP)

C:\$Recycle.bin (Win Vista and later)

Metadata file

INFO2 (Win 95/98/Me)

C:\RECYCLER\SID*\INFO2 (Win NT/2000/XP) (SID denotes security identifier)

Windows Vista and later

C:\$Recycle.bin\SID*\$I****** (contains metadata)

C:\$Recycle.bin\SID*\$R****** (contents of the deleted file)

Both files are named with the same random 6-character value in place of the asterisks.
These directories are hidden by default; however, you can access them using a command
prompt with elevated privileges (Run as administrator) on your Windows system using
the command dir /a.

Recycle bin forensics assumes a critical role in digital investigations, enabling law
enforcement agencies, cybersecurity experts, and forensic analysts to piece together
the puzzle. By analyzing deleted files, forensic professionals can reconstruct a
timeline of events, unearth vital evidence, and recover seemingly lost data, aiding in
the pursuit of justice.

Unveiling the secrets hidden within the recycle bin requires specialized tools and
techniques. Forensic software empowers investigators to extract deleted files, even
after the recycle bin has been emptied. Through careful analysis of file metadata,
paths, and content, digital detectives can gain insights into file origins, modifications,
and deletions, painting a clearer picture of the user's activities.

One such utility we will be using is $IPARSE, which can be downloaded here.

Steps to find metadata related to a deleted file ($I****** file)

 Run command prompt as administrator

 cd .. (twice)

 After that, use the command dir /a and check whether you are able to see the
$RECYCLE.BIN directory

 cd $RECYCLE.BIN to go inside the directory and use the command dir /a

Now you will see multiple entries starting with S in the list of directories (these are
the SIDs). To check the users associated with the SID directories, you can use the
command wmic useraccount get name,sid

It will list all the users with their SIDs. After that, copy any SID by selecting it and
pressing Ctrl+C (you can also use the Tab key to autocomplete the SID after typing the
first few characters).

Now, to move into the SID directory:

cd SID (paste the copied value)

For example, if the SID directory name was S-1-5-32:

 cd S-1-5-32

After that, use the command dir /a to list the contents of that directory; you shall see
$I and $R files. In certain cases, only the $I****** file will be available.

For illustration purposes, we are using files acquired from other systems.

 Now, create a folder and give a path to copy the file to. The syntax is file name "path"
(for example $IABTIOW.doc "D:\Desktop\Test files\i files\TEST\Output"); you can
alternatively use the copy command.

 Copy the file/folder name (while inside the said directory) and copy it to the path where
you wish to place the said file or folder. The path can be copied by going into the folder
and clicking the address bar. Your file will be copied, and the associated software will
try to open it but won't be able to (like the Photos app for png/jpeg files).

 Extract and run the $Iparse utility you downloaded. Browse to the directory/folder you
copied the $I files into. Now, browse to the directory where you want to put the result
file and provide a file name. Click Save. After that, you should be able to see the
$Iparse interface.

Then click Parse. It will display the file for you if it has successfully parsed it; the
output file will be in .tsv format. You can open the .tsv file with Notepad or Notepad++.
Now, you will be able to see details pertaining to the said $I file.
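The $I****** metadata file that $Iparse reads is small enough to parse by hand, which is useful when the tool is unavailable or when you want to check its output. The Python below is an added example, not part of the original notes or of $Iparse; its layout comments reflect the publicly described $I format (header version, original size, FILETIME deletion time, then the original path, stored fixed-width in version 1 and length-prefixed in version 2). The sample path, size and time are constructed for the demonstration, and build_sample_i_file() exists only to produce test input.

```python
import os
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520  # 260 UTF-16 code units (MAX_PATH), null padded


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_i_file(data: bytes) -> Dict[str, object]:
    """Parse the bytes of a $I****** file.

    Assumed layout (from public descriptions of the format):
      0x00  8 bytes  header version: 1 (Vista to 8.1) or 2 (Windows 10 and later)
      0x08  8 bytes  original file size
      0x10  8 bytes  deletion time (FILETIME)
      0x18  version 1: original path, 520 bytes UTF-16LE, null padded
            version 2: 4-byte count of UTF-16 code units (terminator included),
                       then the path in UTF-16LE
    """
    if len(data) < 24:
        raise ValueError("too short to be a $I file")
    version, size, deleted = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_BYTES]
    elif version == 2:
        (units,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * units]
    else:
        raise ValueError(f"unknown $I header version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(deleted), "original_path": path}


def parse_recycle_dir(sid_dir: str) -> List[Dict[str, object]]:
    """Parse every $I file in one SID folder and note whether its $R twin survives."""
    records = []
    for name in sorted(os.listdir(sid_dir)):
        if not name.startswith("$I"):
            continue
        with open(os.path.join(sid_dir, name), "rb") as f:
            rec = parse_i_file(f.read())
        rec["i_file"] = name
        rec["r_file_present"] = os.path.exists(os.path.join(sid_dir, "$R" + name[2:]))
        records.append(rec)
    return records


def build_sample_i_file(path: str, size: int, deleted: datetime, version: int = 2) -> bytes:
    """Constructed sample: produce the bytes of a $I file for testing."""
    body = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return body + encoded.ljust(V1_PATH_BYTES, b"\x00")
    return body + struct.pack("<I", len(encoded) // 2) + encoded


# Constructed samples (made-up path, size and time), one per header version.
SAMPLE_PATH = r"C:\Users\analyst\Documents\report.docx"
SAMPLE_TIME = datetime(2024, 6, 1, 8, 15, tzinfo=timezone.utc)
SAMPLE_V2 = build_sample_i_file(SAMPLE_PATH, 1234, SAMPLE_TIME, version=2)
SAMPLE_V1 = build_sample_i_file(SAMPLE_PATH, 1234, SAMPLE_TIME, version=1)

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        rec = parse_i_file(sample)
        print(f"v{rec['version']}: {rec['original_path']} ({rec['original_size']} bytes) "
              f"deleted {rec['deleted_at'].isoformat()}")
```

Point parse_recycle_dir() at the copied SID folder to get one record per $I file; a record with r_file_present set to False is the "only $I****** available" case mentioned in the steps above, where the metadata (original path, size, deletion time) survives but the content has already been purged.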

While recycle bin forensics is a powerful tool, it is not without its challenges and
limitations. As time progresses and new files are created and deleted, older
remnants in the recycle bin may be overwritten, making the recovery of certain
deleted files more challenging or even impossible. Additionally, the effectiveness of
recycle bin forensics can vary based on the operating system and file system in use,
presenting unique obstacles.

To protect sensitive information and thwart potential recovery through recycle bin
forensics, implementing secure data deletion practices is vital. Merely emptying the
recycle bin offers no guarantee of permanent erasure. Instead, employing
specialized file shredding or disk wiping tools can ensure that deleted data is
securely overwritten, rendering it irretrievable.

In conclusion, recycle bin forensics is a remarkable field that uncovers the hidden
remnants of deleted files, holding the potential to transform investigations. As we
navigate the digital landscape, understanding the power of recycle bin forensics
reminds us of the importance of safeguarding our digital footprint. Through
knowledge, diligence, and secure practices, we can protect our sensitive information
and fortify the realm of cybersecurity for the benefit of all.

Which forensic tool can be used to do file signature mismatch analysis?
OSForensics™ can identify files whose contents do not match their file extension.
Uncover a user's attempt at concealing photos, documents or other evidence (also
known as "dark data") by using the Mismatch File Search!

File Analysis (Windows Forensic Analysis)
File Signature Analysis
During an investigation, you might come across files with unusual extensions or
files with familiar extensions that are in unusual locations. In such cases, you can
use file signature analysis to determine the nature of these files as well as gain some
insight into an attacker’s technical abilities. One way to determine the true nature of
files, regardless of their extension, is through file signature analysis.
File signature analysis pertains to collecting information from the first 20 bytes of a
file and looking for a specific signature or "magic number" that will tell you the type
and function of the file. Different file types have different signatures, and these
signatures are independent of the file extension. In fact, often the bad guy will
change the extension of a file so that when it’s viewed in Windows Explorer, the file
will appear with an icon that effectively masks the contents and intent of the file.
Once, long ago, on a system far, far away, I was analyzing an IRCbot that I dubbed
the russiantopz bot (www.securityfocus.com/infocus/1618). This IRCbot
deposited a number of files on the infected system and gave those files .drv and .dll
extensions, so when an administrator viewed those files, they would appear to be
ominous files that most administrators simply do not open. After all, in most cases
when an administrator opens a file with one of those extensions in a hex editor, all
he sees is a bunch of binary "stuff." During my analysis, I actually opened those files
and was able to see that they contained text information, specifically configuration
information and actions that the bot would perform when sent a command.
Forensic analysis tools such as ProDiscover allow the investigator to readily
perform file signature analysis and easily view the results. When such tools perform
the analysis, they get the file’s extension and compare the signature associated with
that extension to the information contained in the first 20 bytes of the file. For
example, Windows portable executable (PE) files will begin with the letters MZ (a
reference to Mark Zbikowski [http://en.wikipedia.org/wiki/Mark_Zbikowski], a
Microsoft architect), which are located at the first two bytes of the PE file.
Executable files can have .exe, .dll, .sys, .ocx, or .drv (to name a few) file extensions,
as seen in the headersig.txt file used by ProDiscover as its "database" of file
extensions and signatures. In short, if a file has an executable extension, you should
expect to see a valid executable signature. Files that do not have valid signatures
that match their extensions are flagged for further investigation.
Image files such as JPEG and GIF files also have their own signatures. The
signature for a JPEG file is JFIF, and the signature for a GIF file is GIF87a or
GIF89a. Figure 5.10 illustrates the signature for a PDF document, or %PDF-,
followed by the version of the Portable Document Format for the file.
Figure 5.10 PDF File Signature

The sigs.pl Perl script located on the accompanying DVD will allow you to perform
file signature analysis on live systems. The script will examine a file, a directory of
files, or all the files in a directory structure to determine whether the file signatures
match the file extensions. The script uses that headersig.txt file from Technology
Pathways as its default "database" of file signatures; however, other listings of the
same format can be used. As the script parses through the files, it will determine
whether the file signature matches the extension, but it will also alert the investigator
if the file extension is not found in its "database." If this is the case, the script will
provide the extension and the signature so that the investigator can update her
database, if she deems it necessary to do so. By default, the script sends its output
to the console in comma-separated value (.csv) format so that it can be redirected to
a file and opened in Excel for easy analysis.

File Signature Analysis

A signature analysis is a process where file headers and extensions are compared
with a known database of file headers and extensions in an attempt to verify all files
on the storage media and discover those that may be hidden. As we know, each file
under Windows® has a unique signature, usually stored in the first 20 bytes of the file.
We can check the original file signature of any file by examining it with Notepad®.
In Chapter 2, we showed you how to manually investigate for hidden files by
examining their signatures. In the following, we will automate this process by using a
free tool called HexBrowser.
HexBrowser is a tool that identifies file types. It does not care about file extensions,
but opens each file to look for signatures inside it, which are used to
determine the exact type of each file. It now recognizes more than 1000 different file
formats. HexBrowser shows detailed information about each file, or a hex or text
dump of the beginning of each file. You can download this program
from http://www.hexbrowser.com (see Fig. 6.61).
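Both the sigs.pl description earlier and the HexBrowser passage above describe the same procedure: read the first 20 bytes of every file, look the extension up in a signature database, and flag files whose header does not match their extension or whose extension the database does not know. The Python below is an added example that implements that procedure; it is not sigs.pl, ProDiscover or HexBrowser, and its SIGNATURES table is a small stand-in for headersig.txt built from widely documented magic numbers. Output is CSV, as sigs.pl produces, so it can be redirected to a file and opened in a spreadsheet. The build_sample_tree() function creates constructed test files in a temporary directory.

```python
import csv
import io
import os
import tempfile
from typing import Dict, List, Tuple

HEADER_LEN = 20  # the passages above inspect the first 20 bytes

# Small signature "database": extension -> (offset, magic) alternatives.
# Stand-in for headersig.txt; not the real file, and deliberately short.
SIGNATURES: Dict[str, List[Tuple[int, bytes]]] = {
    ".exe": [(0, b"MZ")], ".dll": [(0, b"MZ")], ".sys": [(0, b"MZ")],
    ".ocx": [(0, b"MZ")], ".drv": [(0, b"MZ")], ".scr": [(0, b"MZ")],
    ".pdf": [(0, b"%PDF-")],
    ".gif": [(0, b"GIF87a"), (0, b"GIF89a")],
    ".jpg": [(0, b"\xff\xd8\xff")], ".jpeg": [(0, b"\xff\xd8\xff")],
    ".png": [(0, b"\x89PNG\r\n\x1a\n")],
    ".zip": [(0, b"PK\x03\x04")], ".docx": [(0, b"PK\x03\x04")],
    ".rtf": [(0, b"{\\rtf")],
}
FIELDS = ["path", "name", "ext", "status", "looks_like", "header_hex"]


def identify(header: bytes) -> List[str]:
    """All extensions whose signature is present at its offset in the header."""
    return sorted({ext for ext, sigs in SIGNATURES.items()
                   for off, magic in sigs if header[off:off + len(magic)] == magic})


def classify(header: bytes, ext: str) -> Tuple[str, str]:
    """Return (status, looks_like); status is match, mismatch or unknown-extension."""
    ext = ext.lower()
    hits = identify(header)
    looks_like = "/".join(hits)
    if ext not in SIGNATURES:
        return "unknown-extension", looks_like  # analyst may extend the database
    return ("match" if ext in hits else "mismatch"), looks_like


def scan(root: str) -> List[dict]:
    """Walk a directory tree and classify every file by its first 20 bytes."""
    rows = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1]
            try:
                with open(full, "rb") as f:
                    header = f.read(HEADER_LEN)
            except OSError as exc:
                rows.append({"path": full, "name": name, "ext": ext, "status": "error",
                             "looks_like": str(exc), "header_hex": ""})
                continue
            status, looks_like = classify(header, ext)
            rows.append({"path": full, "name": name, "ext": ext, "status": status,
                         "looks_like": looks_like, "header_hex": header[:8].hex()})
    return rows


def to_csv(rows: List[dict]) -> str:
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS)
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def build_sample_tree() -> str:
    """Constructed test data: a text file disguised as a driver, a file with a
    genuine JPEG header, and a PDF under an extension the database lacks."""
    root = tempfile.mkdtemp(prefix="sigscan_")
    files = {
        "config.drv": b"[settings]\r\nserver=irc.example\r\nchannel=#ops\r\n",
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 8,
        "notes.xyz": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    print(to_csv(scan(target)), end="")
```

Run it with a directory argument to scan real data, or with none to scan the constructed samples. Note that the JPEG check looks for the FF D8 FF start bytes rather than the "JFIF" text, which sits at offset 6 and is absent from Exif-only JPEGs; the "mismatch" row for config.drv is exactly the russiantopz case described earlier, a text file wearing a driver's extension.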
Executable File Analysis
(Windows Forensic Analysis)
Introduction
At times during an investigation you may come across a suspicious executable
file on which you would like to perform some analysis to get an idea of what it does
or what function it performs. Many times, an intruder may leave scripts or
configuration files behind, and these files are generally text files that can be opened
and viewed. In the case of scripts, some knowledge of programming may be
necessary to fully understand the function of the file.
In the previous topic, we discussed file signature analysis, a method for determining
whether a file has the correct file extension based on the file's type. Changing the
extension is one of the simplest means of obfuscation an attacker uses to hide or mask
the presence of files on a compromised system; by changing the filename and extension,
the attacker can (many times, correctly) assume that if the administrator discovers the
file, she won't be very eager to access it and determine its true nature if the file has
an extension such as .dll.
In this topic, we will discuss ways in which you, as the investigator, can attempt to
determine the nature of an executable file. I will present tools and techniques you
can use to gather information about an executable file, and get clues about its
purpose. This discussion will not be simply about malware analysis; rather, I will
present techniques for analyzing executable files in general, of which malware may
be just one class of executable file. In this topic, we will discuss several analysis
techniques, but we will stop short of any discussion of disassembling the code, or
using tools such as IDA Pro (www.hex-rays.com/idapro/).
