In association with heise online

Forging ahead

The next morning, I first write down the hash values of both the hard disk and the image in the case log, as the procedure requires. All further investigations are carried out using the images; the hard disks themselves are locked in a vault. X-Ways Forensics displays the contents in an Explorer-type window. A plug-in allows me to view the contents of commonly used file types on a preview screen. A gallery view helps with the examination of image collections.

Figure: The most recently opened documents reveal much about how a PC has been used

I now need to clarify whether Mr Steinbach's workstation was compromised and used as a springboard by the attacker, or whether Mr Steinbach himself was the one who snooped around on the executive's computer. First, I want to get a feel for how Mr Steinbach uses his machine: which programs he uses, which web sites he visits to obtain information, which file servers he stores his documents on, and so forth.

This task is simplified by Windows' efforts to make its users' work as comfortable as possible. For example, Explorer memorises which files and programs a user has accessed via "Most Recently Used" lists. It saves the ten most recently used files for every type of file extension; I therefore have ten DOCs, ten PDFs, ten JPGs and, if there are any JPEGs, ten of those as well. This information is stored in places such as Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs in the registry.

Figure: Every successful double click on an object ends up in the registry's UserAssist branch

Further information can often be found in the registry's UserAssist branch. For instance, if a user clicks on a .txt file, Windows will remember that it subsequently started the Notepad program. These entries remain available even if a program has been uninstalled, and the drive letter information tells me whether the program was launched from the local drive or from an external storage device. Those who use an extensive software collection can quickly accumulate a few hundred entries in this key.

I can't help but smile at the memory of winning a bet I made with a smart alec colleague of mine who refused to believe that Windows really does use ROT13 encryption. This primitive encryption method replaces every letter with the one 13 places further along the alphabet, starting again at A once Z has been passed; applying it twice yields the original text. Some Windows developers probably had a little fun there; of course, forensics tools immediately display the plain text.

Figure: The registry's UserAssist entries really are ROT13 encrypted.
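As an added illustration of the UserAssist decoding described above (example code, not from the article or from X-Ways), the following Python decodes ROT13-encoded value names and pulls out the drive letter the program was launched from. The value names are constructed for this example and do not come from a real machine.

```python
import codecs
import re

# Constructed sample value names, ROT13-encoded as Windows stores them under
# Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count.
# These are made up for this example, not copied from a real system.
SAMPLE_USERASSIST_NAMES = [
    "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\abgrcnq.rkr",
    "HRZR_EHACNGU:R:\\Gbbyf\\chggl.rkr",
    "HRZR_EHACNGU:Q:\\Frghc\\vafgnyy.rkr",
]

# After decoding, RUNPATH entries look like "UEME_RUNPATH:<drive>:\<path>".
DRIVE_RE = re.compile(r"^UEME_RUNPATH:([A-Za-z]):\\")


def rot13(text: str) -> str:
    """ROT13 only shifts ASCII letters; digits, backslashes and punctuation pass through."""
    return codecs.decode(text, "rot_13")


def decode_userassist(name: str) -> dict:
    """Decode one value name and extract the drive letter, if the entry carries a path."""
    plain = rot13(name)
    m = DRIVE_RE.match(plain)
    return {
        "encoded": name,
        "decoded": plain,
        "drive": m.group(1).upper() if m else None,
    }


def decode_all(names) -> list:
    return [decode_userassist(n) for n in names]


def launched_from_other_drives(names, system_drive: str = "C") -> list:
    """Entries whose program ran from a drive other than the system drive; the analyst
    still has to map those letters to actual devices (e.g. via the mounted-device keys)."""
    return [e for e in decode_all(names) if e["drive"] and e["drive"] != system_drive.upper()]


if __name__ == "__main__":
    for entry in decode_all(SAMPLE_USERASSIST_NAMES):
        print(f"{entry['drive'] or '-'}  {entry['decoded']}")
```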

Another part of the registry contains "bags" in which Windows stores specific directory viewing options such as the sort key or whether the directory was displayed in icon or list view. This list of directories provides useful information on whether external hard disks or USB flash drives have been used.

We could continue this list of potential evidence almost indefinitely. The situation is aggravated by the registry being distributed across several files on the hard disk. Thankfully, X-Ways does the job of collecting all the individual pieces for me and generates a registry content report of the machine's only user account and of the system-wide SYSTEM and SOFTWARE hives.

Mr Steinbach's tracks in the registry jungle are quite telling, because some of the files don't fit with the job of a system admin: for example, there is a salary list, two staff references for people who have left, and various staff rating sheets. All of these files are stored in a user profile subfolder. This folder contains a whole smorgasbord of information. In addition to the mentioned staff data I find an org chart, a telephone list, various photographs that were apparently taken at an office party, and several letters.

However, these files impressively demonstrate the limits of my capabilities. While I can track down files, I'm lacking the context to correctly interpret the meaning of my discoveries. I therefore talk to Mr Waldmann, who confirms that Mr Steinbach is exclusively responsible for maintaining certain servers, and that he does not hold a managerial position. The staff data definitely doesn't belong on his computer; Waldmann becomes particularly concerned when I mention the org chart, which turns out to be a confidential document belonging to senior management. However, it could still be that Mr Steinbach, perhaps, helped a colleague save some data from an unruly USB pen drive. That's a question we will need to clarify in a personal interview later.

Time stamps

First, however, I want to get an idea of the chronological sequence of Mr Steinbach's activities. For every file in an NTFS file system, the Master File Table (MFT) contains an entry that, apart from meta information such as the access privileges, also contains several time stamps. Even on a computer that is rarely used, this MFT will contain well over 10,000 entries. Those who keep their music collection there can easily create several hundred thousand entries.

Windows maintains four time stamps for every file, but only three of them are shown in Windows Explorer and via the DIR command: the time at which the file was created, the time at which it was last modified, and the date of the latest access. Because they relate to file modification, access and creation, these time stamps are often called "MAC times". Access times have, probably for performance reasons, not been recorded by default since Windows Vista; the same behaviour can also be enabled in older versions of Windows via the fsutil command line program. The fourth time stamp NTFS records is the time at which the MFT entry was last modified. This can happen, for example, when the file is extended by a further cluster.

Figure: The free TrID tool identifies unknown files using a comprehensive signature database

Fortunately, X-Ways offers various functions for managing such huge amounts of data. I can use filters to restrict my output to a certain time frame, file type or file size. In cases where some wily customer has modified the file extension – for instance camouflaging a zip archive as an executable file – the tool can check the file signature against the extension. A zip archive always begins with the letters "PK", while an executable program begins with "MZ". X-Ways ships with over 160 signatures for commonly used file types. If a case involves more exotic file types, I use Marco Pontello's free TrID program.
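The extension-versus-signature check described above, as an added example in Python (not the article's own code, nor how X-Ways or TrID implement it). The signature table is deliberately tiny; the headers are well-known magic values, and the file names and contents in the demo are constructed.

```python
import os
import tempfile

# (magic bytes, kind, extensions that legitimately carry this signature)
# Office Open XML documents and JAR files are zip containers, so "PK" is fine for them.
SIGNATURES = [
    (b"PK", "zip", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (b"MZ", "exe", {".exe", ".dll", ".sys", ".scr"}),
    (b"%PDF-", "pdf", {".pdf"}),
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
]
EXPECTED_EXTS = {kind: exts for _, kind, exts in SIGNATURES}


def identify(header: bytes):
    """Return the kind whose magic bytes the header starts with, or None if unknown."""
    for magic, kind, _ in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def classify(name: str, header: bytes) -> dict:
    """Compare the signature found in the first bytes with what the extension claims."""
    kind = identify(header)
    ext = os.path.splitext(name)[1].lower()
    if kind is None:
        status = "unknown"          # no signature in our table; a tool like TrID would go further
    elif ext in EXPECTED_EXTS[kind]:
        status = "ok"
    else:
        status = "mismatch"         # e.g. a zip archive renamed to .exe
    return {"name": name, "ext": ext, "signature": kind, "status": status}


def scan_directory(root: str) -> list:
    """Classify every regular file below root; only the first 16 bytes are read."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            with open(os.path.join(dirpath, fn), "rb") as f:
                results.append(classify(fn, f.read(16)))
    return results


def mismatches(results) -> list:
    return [r["name"] for r in results if r["status"] == "mismatch"]


if __name__ == "__main__":
    # Constructed demo: a zip archive hidden behind an .exe extension next to a genuine PE file.
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "backup.exe"), "wb").write(b"PK\x03\x04" + b"\x00" * 28)
        open(os.path.join(tmp, "notepad.exe"), "wb").write(b"MZ\x90\x00" + b"\x00" * 28)
        print("suspicious:", mismatches(scan_directory(tmp)))
```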

The second day of investigations is coming to a close, and I arrange with Mr Waldmann to let the file-type matching run unattended. We lock our meeting room lab and agree to reconvene the following day.

Next: Cleaning up
