Digital Forensics I (lab)
19 Nov 2012
Monday
First we got two files: "jotunheim", an image of a machine suspected of being behind a DDoS attack, and "hammmr", an image of the targeted system, a web server to be precise.
FTK Imager (freeware) was presented as a means to extract data. Next up was a walk-through of the tools included in the SleuthKit. We used a virtual machine image, "SIFT Workstation 2.14", inside a VMware VM to practice these command-line tools. Other imaging methods include "dd" and "dcfldd". We then use "md5sum" or equivalent to verify the images.
We then used "parted" on the image files to list the partitions they contained, created loopback devices on them and mounted them read-only.
parted <image>
unit b // set the display unit to bytes
p // print the partition table
sudo losetup -o <byte offset> /dev/loop<X> <image> // create a loop device so the partition can be accessed as if it were a physically connected disk
mount -r /dev/loop<X> <path> // mount read-only
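The same procedure as a script, added here as an example rather than code from the lab: it parses the machine-readable output of parted (the `-m` flag, which prints one colon-separated line per partition), turns each partition's byte offset into the losetup, mount and fls command lines, and hashes the image so it can be compared before and after the examination. The parted output and the image path are constructed for illustration.

```python
"""Mounting a partition from a disk image read-only: parse `parted -m` output,
compute loop-device offsets and build the losetup/mount/fls commands.
Added example; the sample parted output is constructed, not captured from
the lab images, and the image path is a placeholder."""
import hashlib
import shlex
from dataclasses import dataclass

# Constructed: what `parted -s -m <image> unit B print` prints for a
# two-partition MBR image. Line 1 is "BYT;", line 2 the device, then one
# line per partition: number:start:end:size:fstype:name:flags;
PARTED_OUTPUT = """BYT;
/cases/jotunheim.dd:21474836480B:file:512:512:msdos:Disk image:;
1:32256B:10737418239B:10737385984B:ntfs::boot;
2:10737418240B:21474835967B:10737417728B:ext3::;
"""
SECTOR = 512  # fls counts in sectors, losetup wants bytes


@dataclass
class Partition:
    number: int
    start: int  # byte offset of the partition inside the image
    size: int
    fstype: str


def parse_parted_machine(output):
    """Parse parted's machine-readable listing produced in byte units."""
    lines = [ln.rstrip(";") for ln in output.strip().splitlines()]
    if len(lines) < 2 or lines[0] != "BYT":
        raise ValueError("expected `parted -m ... unit B print` output")
    parts = []
    for ln in lines[2:]:
        f = ln.split(":")
        parts.append(Partition(int(f[0]), int(f[1].rstrip("B")),
                               int(f[3].rstrip("B")), f[4]))
    return parts


def mount_commands(image, part, loopdev, mountpoint):
    """Commands that expose one partition read-only. -r makes the loop device
    itself read-only and -o ro guards the file-system layer; noexec/nodev stop
    anything on the evidence from being executed or used as a device node.
    fls takes its offset in sectors, so the byte offset is converted back."""
    if part.start % SECTOR:
        raise ValueError("partition does not start on a sector boundary")
    return [
        ["sudo", "losetup", "-r", "-o", str(part.start), loopdev, image],
        ["sudo", "mount", "-o", "ro,noexec,nodev", loopdev, mountpoint],
        ["fls", "-o", str(part.start // SECTOR), "-r", "-m", "/", image],
    ]


def md5_hex(data):
    """Digest used to show the image is unchanged between acquisition and
    analysis; hash the image file again after the examination and compare."""
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    image = "/cases/jotunheim.dd"
    for p in parse_parted_machine(PARTED_OUTPUT):
        print(f"# partition {p.number}: {p.fstype}, {p.size} bytes at offset {p.start}")
        for cmd in mount_commands(image, p, f"/dev/loop{p.number}", f"/mnt/p{p.number}"):
            print(" ".join(shlex.quote(a) for a in cmd))
```

The first partition starts at byte 32256, which is sector 63, the classic MBR layout; that is the number that goes to `fls -o`, while losetup gets the byte value.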
We then started on a file system timeline by using the "fls" and "mactime" commands.
fls -o <sector offset> -l -r -m "/" <image> > <file> // long format file details, recursive, mactime body format with "/" as the mount point
mactime -b <file> -d // read the body file, output in comma-delimited format
These can now be opened in Excel as comma-separated files. Other interesting commands mentioned are "strings" and "grep" combined with regular expressions to search.
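To show what the body file from `fls -m` actually contains and how mactime turns it into a timeline, here is an added example (not TSK's code) that reads the eleven pipe-separated body fields, emits one row per distinct timestamp of each file and builds mactime's "macb" type column. The two body lines are constructed for illustration, not taken from the lab image.

```python
"""Build a mactime-style timeline (Date,Size,Type,Mode,UID,GID,Meta,File Name)
from a TSK body file produced by `fls -m`. Added example, not TSK's own code;
the body lines are constructed."""
import csv
import io
from datetime import datetime, timezone

# Constructed body lines: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODY = """\
0|/var/www/html/index.html|1234|r/rrw-r--r--|0|0|512|1353312000|1353312000|1353312000|0
0|/var/www/html/.cache/x.php|5678|r/rrwxr-xr-x|33|33|2048|1353402000|1353398400|1353398400|1353398400
"""


def parse_body(text):
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError(f"bad body line: {line!r}")
        rows.append({"name": f[1], "inode": f[2], "mode": f[3], "uid": f[4],
                     "gid": f[5], "size": f[6],
                     "times": tuple(int(x) for x in f[7:11])})  # a, m, c, b
    return rows


def macb(times, ts):
    """mactime's Type column: m/a/c/b for each timestamp equal to ts, '.' otherwise."""
    a, m, c, b = times
    return "".join(ch if t == ts else "."
                   for ch, t in (("m", m), ("a", a), ("c", c), ("b", b)))


def timeline(text):
    """One row per (file, distinct timestamp); a zero timestamp means 'not set'."""
    out = []
    for r in parse_body(text):
        for ts in sorted({t for t in r["times"] if t > 0}):
            date = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
            out.append((ts, date, r["size"], macb(r["times"], ts), r["mode"],
                        r["uid"], r["gid"], r["inode"], r["name"]))
    out.sort(key=lambda row: (row[0], row[-1]))
    return [row[1:] for row in out]


def to_csv(rows):
    """Comma-delimited output, the equivalent of `mactime -d`."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["Date", "Size", "Type", "Mode", "UID", "GID", "Meta", "File Name"])
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(timeline(BODY)))
```

The x.php entry shows why the type column matters: modified, changed and born all share one timestamp (`m.cb`) with a later access (`.a..`), the kind of pattern you look at when deciding whether a file was created in place or copied in.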
Thursday
The main focus today was Windows artifacts. We continued with the "jotunheim" attacker image looking at these locations:
- NTFS file system: We looked at the master file table ($MFT), finding metadata like short and long filename, sequence count, physical and logical size, dates created, accessed, modified and metadata-updated, parent directory number, etc., and we looked at the values in a hex editor. Each entry in the $MFT is 1024 bytes long and the first entry refers to itself. Data can be resident or non-resident. We were shown that you can have residual "slack" even in the $MFT. Be aware of little-endian encoding of bytes. The file $Bitmap keeps track of allocated and unallocated allocation units on the disk (clusters). Remember there is a difference between a "partition" and a "volume": the backup boot record is placed inside the partition but outside the volume of the operating system. NTFS can have multiple streams. One particular use of additional streams (apart from hiding stuff) is IE marking files as "downloaded from a non-trusted zone".
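An added example (not from the lab) of reading one 1024-byte $MFT entry the way the hex editor session did, but in code: the fixed little-endian header (sequence number, in-use/directory flags, bytes used and allocated, record number), the update-sequence fixups that must be undone before any sector-spanning field is trusted, the four FILETIME stamps in the resident $STANDARD_INFORMATION attribute, and the slack between the used size and the 1024-byte boundary. `SAMPLE` is a record constructed by the example itself with a made-up leftover filename in its slack; it is not data from the jotunheim image.

```python
"""Parse one 1024-byte $MFT FILE record: header fields, update-sequence
fixups, the resident $STANDARD_INFORMATION timestamps and the record slack.
Added example, not from the lab; SAMPLE is a constructed record."""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 1024
SECTOR = 512
# magic, usa_ofs, usa_cnt, lsn, seq, links, attr_ofs, flags, used, alloc,
# base_ref, next_attr_id, pad, record_no  (48 bytes, all little-endian)
HDR = struct.Struct("<4sHHQHHHHIIQHHI")
RES_ATTR = struct.Struct("<IIBBHHHIHBB")  # resident attribute header, 24 bytes
ATTR_STD_INFO, ATTR_END = 0x10, 0xFFFFFFFF
FLAG_IN_USE, FLAG_DIRECTORY = 0x01, 0x02
EPOCH_DIFF_US = 11644473600 * 10**6  # 1601-01-01 -> 1970-01-01 in microseconds
UTC = timezone.utc


def filetime_to_dt(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return datetime(1970, 1, 1, tzinfo=UTC) + timedelta(microseconds=ft // 10 - EPOCH_DIFF_US)


def dt_to_filetime(dt):
    return (int(dt.timestamp()) * 10**6 + EPOCH_DIFF_US) * 10


def apply_fixups(rec, usa_ofs, usa_cnt):
    """The last two bytes of every sector hold the update sequence number; the
    real bytes are saved in the array and must be put back before parsing."""
    buf = bytearray(rec)
    usn = rec[usa_ofs:usa_ofs + 2]
    for i in range(1, usa_cnt):
        end = SECTOR * i
        if buf[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn write or corrupt record")
        buf[end - 2:end] = rec[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return bytes(buf)


def parse_record(rec):
    if len(rec) != RECORD_SIZE:
        raise ValueError("expected a 1024-byte record")
    (magic, usa_ofs, usa_cnt, _lsn, seq, links, attr_ofs, flags, used, alloc,
     base_ref, _next_id, _pad, rec_no) = HDR.unpack_from(rec)
    if magic != b"FILE":
        raise ValueError(f"bad signature {magic!r} (BAAD = corrupt, zeros = unused)")
    rec = apply_fixups(rec, usa_ofs, usa_cnt)
    info = {"record": rec_no, "sequence": seq, "links": links,
            "in_use": bool(flags & FLAG_IN_USE), "directory": bool(flags & FLAG_DIRECTORY),
            "used": used, "allocated": alloc, "base_record": base_ref & 0xFFFFFFFFFFFF,
            "slack": rec[used:alloc], "times": None}
    off = attr_ofs
    while off + 8 <= len(rec):  # walk the attribute list up to the end marker
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        non_resident = rec[off + 8]
        if atype == ATTR_STD_INFO and not non_resident:
            _vlen, voff = struct.unpack_from("<IH", rec, off + 16)
            names = ("created", "modified", "mft_modified", "accessed")
            vals = struct.unpack_from("<QQQQ", rec, off + voff)
            info["times"] = {n: filetime_to_dt(v) for n, v in zip(names, vals)}
        off += alen
    return info


def build_record(seq, flags, record_no, created, modified, mft_modified, accessed):
    """Constructed record: header, 8-byte update sequence area, one resident
    $STANDARD_INFORMATION attribute (4 FILETIMEs + DOS flags), end marker."""
    value = struct.pack("<QQQQI", *(dt_to_filetime(t) for t in
                                   (created, modified, mft_modified, accessed)), 0x20)
    attr = RES_ATTR.pack(ATTR_STD_INFO, RES_ATTR.size + len(value), 0, 0, 24, 0, 0,
                         len(value), RES_ATTR.size, 0, 0) + value
    body = attr + struct.pack("<I", ATTR_END)
    attr_ofs = HDR.size + 8
    used = attr_ofs + len(body)
    hdr = HDR.pack(b"FILE", HDR.size, 3, 0, seq, 1, attr_ofs, flags, used,
                   RECORD_SIZE, 0, 3, 0, record_no)
    rec = hdr + bytes(8) + body
    return rec + bytes(RECORD_SIZE - len(rec))


T = datetime(2012, 11, 19, 8, 0, 0, tzinfo=UTC)
SAMPLE = bytearray(build_record(5, FLAG_IN_USE, 42, T, T, T, T))
SAMPLE[600:612] = b"old-file.txt"  # constructed residue left in the slack
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    info = parse_record(SAMPLE)
    print("bytes in use at 0x18 (little-endian):", SAMPLE[0x18:0x1C].hex(), "=", info["used"])
    print({k: v for k, v in info.items() if k != "slack"})
```

The value 120 at offset 0x18 is stored as `78 00 00 00`, the little-endian byte order the notes warn about; everything from byte 120 up to 1024 is slack and may still hold attributes of whatever file previously occupied the entry.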
- Registry: The registry is loaded from a few files inside "C:/Windows/System32/config" like SAM, SECURITY, system and software. NTUSER is located in the home directory of each user ("C:\Documents and Settings\<user>" in XP) and can override globally set values. The hardware structure is built when Windows loads and is not stored in a file since it might change. The registry is a hive of keys, each with values, ordered in a hierarchy. We used RegRipper to parse the files for interesting artifacts like traces of processes run, recent files, IP addresses etc.
- Event log: Can be opened (in XP) by typing "eventvwr" in Run. It has sections for application, security and system.
- Prefetch is used to keep track of resources (primarily dynamic libraries) a program uses often, so they can be loaded into RAM when the program is launched. There should be one file in "C:/Windows/prefetch/" for each program launched on the system. Execution count and last execution time are stored.
- Task scheduler is used to have tasks performed at regular intervals. It could be used for malicious purposes.
- Driver installation log is updated with device information (device ID and timestamp) when devices are connected. File: "setupapi.log" or "setupapi.app.log".
- Shortcuts
- System volume info: Restore points might contain deleted files (in older Windows versions)
- Memory
TZWorks - tools for parsing Windows artifacts
Friday
Today we started looking at the "hammmer" image, a Linux server claimed to have been attacked by "jotunheim". We have looked at:
- /etc/passwd
- /etc/shadow
- /etc/fstab
- .bash_history
- /var/log/wtmp utmp secure auth.log messages/syslog
- /var/log/audit/
- Restore deleted file from memory
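For the first few items on that list, here is an added example (not from the course) of what a first pass over a mounted Linux image can check automatically: extra UID-0 or shared-UID accounts and odd shells or home directories in /etc/passwd, empty password fields in /etc/shadow, sshd Accepted/Failed lines from the auth log with accepted logins that followed failures from the same user and address, and the commands recorded by sudo. Every sample line below is constructed for illustration; none is taken from the lab image.

```python
"""Triage of the account files and auth log from a mounted Linux evidence
image. Added example; all sample lines are constructed for illustration and
are not taken from the lab image."""
import re
from collections import Counter

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
sshd:x:74:74:sshd:/var/empty/sshd:/sbin/nologin
backup:x:0:0::/tmp/.x:/bin/bash
"""
SHADOW = """\
root:$6$saltsalt$hashhashhash:15600:0:99999:7:::
www-data:*:15600:0:99999:7:::
sshd:!!:15600:0:99999:7:::
backup::15662:0:99999:7:::
"""
AUTH_LOG = """\
Nov 18 02:11:01 hammmer sshd[2210]: Failed password for root from 203.0.113.5 port 51022 ssh2
Nov 18 02:11:04 hammmer sshd[2210]: Failed password for root from 203.0.113.5 port 51022 ssh2
Nov 18 02:11:09 hammmer sshd[2214]: Accepted password for root from 203.0.113.5 port 51030 ssh2
Nov 18 02:13:40 hammmer sudo:   www-data : TTY=pts/1 ; PWD=/var/www ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
Nov 19 09:00:12 hammmer sshd[3001]: Accepted publickey for admin from 192.0.2.10 port 40011 ssh2
"""
NOLOGIN = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")
SERVICE_ACCOUNTS = ("www-data", "sshd", "nobody", "daemon")
SSH_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) "
                    r"(?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sudo:\s+(?P<user>\S+) : "
                     r".*USER=(?P<as>\S+) ; COMMAND=(?P<cmd>.*)$")


def passwd_findings(text):
    """Extra UID-0 accounts, shared UIDs, interactive shells on service
    accounts and home directories in odd places."""
    findings, uids = [], Counter()
    for line in text.splitlines():
        name, _pw, uid, _gid, _gecos, home, shell = line.split(":")
        uids[uid] += 1
        if uid == "0" and name != "root":
            findings.append(f"{name}: UID 0 account other than root")
        if name in SERVICE_ACCOUNTS and shell not in NOLOGIN:
            findings.append(f"{name}: service account with interactive shell {shell}")
        if home.startswith("/tmp") or "/." in home:
            findings.append(f"{name}: unusual home directory {home}")
    findings += [f"UID {u} shared by {n} accounts" for u, n in uids.items() if n > 1]
    return findings


def shadow_findings(text):
    """An empty second field means login with no password at all."""
    findings = []
    for line in text.splitlines():
        name, hashed = line.split(":")[:2]
        if hashed == "":
            findings.append(f"{name}: empty password field")
        elif not hashed.startswith(("$", "*", "!")):
            findings.append(f"{name}: unexpected hash format {hashed[:8]}")
    return findings


def ssh_logins(text):
    """All sshd login results, plus accepted logins for a (user, ip) pair that
    also has failed attempts in the same log, i.e. guessing that worked."""
    events = [m.groupdict() for m in map(SSH_RE.match, text.splitlines()) if m]
    failed = Counter((e["user"], e["ip"]) for e in events if e["result"] == "Failed")
    suspicious = [e for e in events
                  if e["result"] == "Accepted" and failed[(e["user"], e["ip"])] > 0]
    return events, suspicious


def sudo_commands(text):
    """(invoking user, target user, command) for every sudo record."""
    return [(m["user"], m["as"], m["cmd"]) for m in map(SUDO_RE.match, text.splitlines()) if m]


if __name__ == "__main__":
    for f in passwd_findings(PASSWD) + shadow_findings(SHADOW):
        print("passwd/shadow:", f)
    events, suspicious = ssh_logins(AUTH_LOG)
    for e in suspicious:
        print("ssh accepted after failures:", e["ts"], e["user"], e["ip"])
    for who, as_user, cmd in sudo_commands(AUTH_LOG):
        print("sudo:", who, "->", as_user, cmd)
```

Read the hits together with the timeline from fls/mactime: the root login from 203.0.113.5 on Nov 18 02:11, the sudo edit of /etc/passwd two minutes later and the "backup" account with UID 0, no password and a home under /tmp form one sequence, which is the story the individual artifacts only tell when lined up by time.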