#ForensicMania S01E02 – MISC

Well, hello and welcome to the second episode for Season 1 of #ForensicMania.

Today we are looking at answering the ‘Misc’ section of questions from the 2018 MUS CTF, putting our four tools head-to-head with some analysis work.

Why are we doing this? To give you, the reader, a view on how different commercial tools compare with digital forensic analysis.

To recap, in Episode 1 – Processing we processed our evidence file with the four tools, after which the scoring looked as follows: Axiom took a narrow lead with 10 coins, while Blacklight was chomping at its heels with 9. In third place was EnCase with 7 coins and bringing up the rear of the pack was FTK with 5.

Sidenote_ Check out Craft Beer Forensicator @kevinpagano3 (https://www.stark4n6.com/2019/02/ctf-review-magnet-user-summit-2018-part.html) who did a writeup of the CTF with free tools.

Scoring

“How will the scoring work this round” I hear the masses scream from the districts. For the ‘Misc’ section, we have 2 coins up for grabs for each question, that is, if the tool gets to the correct answer with an acceptable amount of effort, 2 coins are awarded. However, if the tool hides the answer under a rock, but you can still get to it, or if the answer is only halfway there, only 1 coin will be awarded. Finally, 0 coins for wrong answers.

This means we have a total of 22 coins up for grabs in this round.

So… will Axiom keep it’s narrow lead or trip over its connections? Does Blacklight know how to spell Shimcache? Can EnCase parse web histories? And FTK, will it fly, or just try to sell me Quin-C instead?

So many questions, so little time. Let’s dig in!


Question 1

Timezone: What is the system’s timezone set to?

Correct Answer: Mountain Standard Time


AXIOM

Axiom parses this key as an Operating System artifact:

Coins: 2


Blacklight

Under Blacklight’s “System” section, open the registry sections and it shows you the “TimeZoneInformation” registry key:

Coins: 2


EnCase

Following processing, EnCase has a ‘Case Analyzer’ option which provides various reports about artifacts identified. One of these shows the Time Zone:

Coins: 2


FTK

Navigate to the System hive in the folder structure, right-click to open with Registry Viewer, hit the ‘Common Areas’ toggle, and Bob’s your uncle:

However, this is an obvious artifact that could be shown more easily to the investigator in the ‘System Information’ tab, than having to open it with Registry Viewer first.

Coins: 1


Question 2

File Sequence Number: What is the MFT file sequence number for the Python27\python.exe file? [This is not the MFT entry number]

Correct Answer: 1


AXIOM

Axiom does not parse MFT file sequence numbers.

Coins: 0


BlackLight

Blacklight shows the correct value in the “Data Structure” view for the file:

Coins: 2


EnCase

EnCase doesn’t parse the $MFT. However, if you’ve attended EnCase training at some stage, you would’ve probably have received an EnScript (“NTFS Single MFT Record & Attributes”) that will do this for you. Unfortunately, as this isn’t included as stock with EnCase, it doesn’t exist for most users (and it’s also not available in the Guidance App store).

Coins: 0


FTK

FTK doesn’t parse MFT file sequence numbers.

Coins: 0


Question 3

FileName Lookup: What is the name of the file that has MFT entry of 86280?

Correct Answer: $USNJrnl.


AXIOM

in the ‘File System’ view, you can filter on ‘MFT record number’ to get to the desired file:

Coins: 2


Blacklight

Blacklight allows you to filter all files based on “File System ID”, which is the MFT Record Number:

Coins: 2


EnCase

EnCase shows the ‘MFT record number’ in the columns under the label ‘File Identifier’. So just show all files, and sort according to the ‘File Identifier’ to get to the answer:

Coins: 2


FTK

You can get to this quite easily by listing all entries and sorting according to MFT Record Number in the columns.

Coins: 2


Question 4

FileTimestamp: What is the Standard Information Attribute’s Access timestamp of the Windows\Prefetch\CMD.EXE-89305D47.pf file? [UTC in YYYY-MM-DD hh:mm:ss format]

Correct Answer: 2018-04-26 15:48:40


The Access timestamp from the Standard Information Attribute is what is displayed by our tools. Check out more info about Standard Information Attributes here:

https://cyberforensicator.com/2018/03/25/windows-10-time-rules/
https://www.andreafortuna.org/cybersecurity/macb-times-in-windows-forensic-analysis/


AXIOM

Coins: 2


Blacklight

Coins: 2


EnCase

Coins: 2


FTK

Coins: 2


Question 5

VSN-C: What is the C: volumes’ serial number?

Correct Answer: 6C19-1B65


AXIOM

Shown nicely in the File System Information artifact

Coins: 2


Blacklight

So… Blacklight shows the Volume Serial Number for a specific volume in the “Details” section under “Disk View”. However, it shows the value in Big Endian (which you can then convert to Little Endian with another tool):

So, only halfway there.

Coins: 1


EnCase

When the volume is selected in the Tree view, it shows the volume serial for you:

Coins: 2


FTK

Head over to the file structure and navigate to the OS volume, and click on Properties:

Coins: 2


Question 6

YouTube Search: What term was searched in YouTube on 3/28/2018?

Correct Answer: “simpsons max power”.


AXIOM

Looking at ‘Web Related’ artifacts and applying a date filter for March 28th 2018, get’s you the answer:

Coins: 2


Blacklight

Hop on over to the “Internet” tab, and you’ll get the answer:

Coins: 2


EnCase

EnCase seems to be the tool that you hope the opposing party used when reviewing your client’s web histories… Cause there’s no way a sane person will enjoy using this for analysing internet artifacts.

I did a separate write-up about EnCase’s inability to parse Firefox histories correctly: https://www.dfir.co.za/2019/03/09/encase-you-were-hoping-to-parse-firefox/
After lodging a support ticket with OpenText, it’s been confirmed that EnCase currently can’t parse Firefox internet histories. Apparently, the upcoming release of v8.09 will have proper support.

Coins: A shocking 0


FTK

Head over to the “Internet/Chat” tab, sort by time and you get the Youtube search on the date:

Coins: 2


Question 7

Sleuthkit + PowerShell: Max Powers was playing with ways he could extract files using Sleuthkit and PowerShell. What was the exact command he used in attempting to extract the SRUM database?

Correct Answer: $inode = ifind -n /Windows/System32/sru/SRUDB.dat \\.\C: ; icat \\.\C: $inode > SRUDB.dat


For me, there’s two ways of approaching this one:

  1. Find the “ConsoleHost_history.txt” file which contains the PowerShell command history, and search in the file for “SRUDB.dat”.
  2. Search the entire case for “SRUDB.dat”, which will lead you to the “ConsoleHost_history.txt” file.

For this question we’ll go with door number 2, as I didn’t (and don’t) necessarily know this path or filename off by heart.


AXIOM

Searching for “SRUDB.dat” shows the “ConsoleHistory_history.txt” log listed as a Document artifact:

Coins: 2


Blacklight

Blacklight does not have an index search function, but only live searches. I ran a live search for ‘srudb.dat’ which took a few minutes to get to the Powershell log with the ifind command in it

Coins: 2


EnCase

Searching for “srudb.dat” in the indexed search provided a hit for the Console_history.txt file, showing the ifind command.

Coins: 2


FTK

Search for “SRUDB.dat” in FTK index search, which will get you bunch of hits, one of which is the “ConsoleHost_history.txt” file showing the command used.

Coins: 2


Question 8

Administrator Logon Count: How many times did Administrator logon to the system?

Correct Answer: 2018-04-11.


AXIOM

The ‘User Accounts’ artifact shows this for the Administrator account:

Coins: 2


Blacklight

Blacklight’s ‘Actionable Intel’ section gives you the Logon Count for each local user account:

Coins: 2


EnCase

EnCase’s ‘System Info Parser’ artifact does provide info about the local user accounts, however, there’s nothing about logon count:

You can view the SAM hive’s structure from within EnCase, but again, they want you to work for it. In order to get this value in EnCase, you need to go to offset 66-67 of the F value of the user’s subkey:

This then translates to the integer value of 14.

Again, a simple artifact that should be shown to the user in a much simpler way. I’m giving EnCase a 0 for this one, as having to highlight offsets of the F value, is just not ideal.

Coins: 0


FTK

FTK does have a ‘SAM Users’ section in their ‘System Information’ tab, but this only shows you SIDs and User Names. So, find the SAM in the tree structure. This will then show the content in readable way in the ‘Natural’ view pane, without having to open it with Registry Viewer:

Coins: 2


Question 9

Install Q: What day was the Go programming language installed on? [Answer format: YYYY-MM-DD

Correct Answer: 2018-04-11


AXIOM

This is recorded in the ‘Installed Programs’ artifact

Coins: 2


Blacklight

Blacklight did not list the Go Programming Language under it’s Application artifact:

But, you could however find it under the “Uninstall” registry key with the built in registry viewer:

Coins: 1


EnCase

EnCase lists installed software under: Artifacts > System Info Parser > Software.

However, Go was not listed by EnCase:

By manually traversing the SOFTWARE hive in EnCase, I got to the Uninstall key for Atom (based on what the other tools showed), but for the life of me I couldn’t figure out how to get actual data to be shown in EnCase for this key:

Coins: 0


FTK

The System Information tab shows this quite easily:

Coins: 2


Question 10

Who Installed Atom?: Which user installed Atom? [Answer is the complete SID not the username]

Correct Answer: “S-1-5-21-2801897208-1878083585-4182000528-1002”


For this question, I’m looking for proof that the Atom installer, AtomSetup_x64.exe, was downloaded (Chrome Web History) and that the file was executed by the user (Windows OS Artefact).


AXIOM

After searching for “Atom” in Axiom, you can get to the install file “AtomSetup-x64.exe”. In the connections view, it shows the installer being downloaded by the ‘maxpowers’ account in Chrome and then executed by the same account via the Shimcache:

In addition to the above, there is also a SRUM Application Resource Usage entry linking the installer to the profile.

To get the SID for the profile, head over to the ‘User Accounts’ tab which shows the SID for ‘maxpowers’:

Coins: 2


Blacklight

Blacklight recorded the installer being downloaded by the profile ‘maxpowers’ in Chrome:

You can then link the SID to the profile via the registry viewer:

However, there was no artifact recording AtomSetup-x64.exe being executed

Coins: 1


EnCase

I could not get to the downloading of the AtomSetup-x64.exe in it’s Chrome histories, nor any artefacts showing the execution of AtomSetup-x64.exe by ‘maxpowers’.

Coins: 0


FTK

The ‘Internet/Chat’ tab in FTK shows the ‘maxpowers’ profile downloading the setup file:

However, FTK did not have any artefacts showing the file was executed by the user profile.

The ‘Sam Users’ section then shows you SIDs mapped to usernames.

Coins: 1


Question 11

Deletion in LogFile: The $LogFile shows at LogFile Sequence Number [LSN] 4433927454 a file is deleted. What is the name of the file that was deleted?

Correct Answer: 7z.dll


AXIOM

Axiom parses the $LogFile entries, so you can search for 4433927454, which will take you to the 7z.dll entry in the ‘$LogFile Analysis’ artifact

Coins: 2


Blacklight

Blacklight did ‘parse’ the $LogFile, but not properly:

Coins: 0


EnCase

EnCase also ‘parsed’ the $LogFile, but doesn’t show LSN numbers:

Coins: 0


FTK

FTK doesn’t parse the $LogFile.

Coins: 0



And that’s it!

Scoreboard:

After a gruelling round, let’s have a look at the scoreboard for Episode 2:

Well, there you have it: Congratulations to Axiom for taking pole position once again. Taking second is BlackLight, with FTK following close behind in third.


Episode 3 coming soon!

EnCase you were hoping to parse Firefox

[Update 2019-03-10] I’ve added the version numbers of Axiom, Encase and FTK used. Also added details about EnCase Firefox support update coming in next release.

So, last night, after watching the Forensic Dinner (yeah yeah it’s the Forensic Lunch, but hello time zones) I was busy with some testing for #ForensicMania.

Dealing with a simple question ‘What was searched for in Youtube on xx date’, I came to bit of a speed bump in EnCase. In short, I couldn’t get to the answer in EnCase for Youtube web histories viewed in Firefox. It was late, so I wasn’t sure if I were to blame, or EnCase. With this, I stopped with the #ForensicMania stuff and thought, let’s do some targeted testing.

The next morning (today), I decided to do a quick and simple test:

  • Conduct a few searches in Chrome and Firefox
  • Parse the web histories with Axiom, EnCase and FTK
  • Compare the results

I fired up Chrome and Firefox, and made sure they were up to date:


With last night’s Forensic Lunch still fresh in my mind, I Googled the following between 11:00 and 12:00 on 2019-03-09.

The same searches were done with Chrome first, and then with Firefox.

Google search:Is lee whitfield brittish?
Result opened: “https://www.sans.org/instructors/lee-whitfield”

Google search:How do you spell british?
Result opened: “https://en.oxforddictionaries.com/spelling/british-and-spelling”

Google search:Where did Matt get the cool blue sunglasses?
Result opened: https://www.menshealth.com/style/a26133544/matthew-mcconaughey-blue-colored-sunglasses/

Google search:Why is no one having lunch on the Forensic Lunch?
Result opened: https://www.youtube.com/user/LearnForensics/videos

Youtube search: “drummer at the wrong gig”
Video played: https://www.youtube.com/watch?v=ItZyaOlrb7E

And then played this one from the Up Next bar:
https://www.youtube.com/watch?v=RvatDKpc0SU

Google search:Can you nominate yourself in the Forensic 4Cast awards?
Result opened: https://www.magnetforensics.com/blog/nominate-magnet-forensics-years-forensic-4cast-awards/


Following this, I created a logical image of the Chrome and Firefox histories on my laptop with EnCase. The total size for the histories were 3GB. (Yes, lots of historic stuff included there as well).

So the testing is pretty straight forward: Can I get to the above listed searches and web histories in Axiom, FTK and EnCase. Let’s see:


Axiom (v2.10)

Parsing the logical image in Axiom gave us the following for ‘Web related’ artifacts:

Chrome

Firefox

Result: Great Success


FTK (v7.0)

Same thing, processed the image and got the following from the ‘Internet’ tab:

Chrome

Firefox

Again: Great Success


Now, let’s fire up the ‘2019 SC Magazine Winner‘ for ‘Best Computer Forensic Solution‘…

EnCase (v8.08):

After processing the image with EnCase, we hobble on over to the ‘Artifact’ tab and open the ‘Internet Records’ section.

First up, Chrome histories:

Great, it works as expected.

Next up, Firefox (The browser with 840,689,200 active users in the past 365 days)

And this is where we ran into trouble: EnCase was able to parse Firefox Cookies and some cache files, but for the life of me I couldn’t get to any actual browsing histories.

I suspect that, as it’s shown on the processing window, EnCase only supports Firefox up until v51.0.0. The current Firefox version is v65.

Firefox version 51.0.0 was released to channel users on January 24th 2017. That is the same month when Ed Sheeran released his single “Shape of You”. (And now you can’t unsee the singing dentist guy covering the song)

What I’m trying to say is that Firefox v51 is old.

I’ve logged a query with OpenText about this and will update this post if and when I get feedback. (Really hoping this is something I’m doing wrong, but we’ll see.)

[Update 2019-03-10: EnCase v8.09, set for release in April, is said to have updated Firefox support]


What’s the point of this post?

  1. Test stuff. If something doesn’t look right, test it.
  2. You don’t need test images to test your tools. If you have a laptop or a mobile phone, then you have test data.
  3. Don’t assume stuff. If my results above are correct, there’s a good chance you could have missed crucial Firefox data if you were only relying on EnCase.
  4. If I’m wrong, then at least I’ll hopefully know pretty soon how to get EnCase to parse Firefox histories correctly… and someone else might learn something too.

#ForensicMania S01E01 – Processing

Welcome to Forensic Mania 2019 – Episode 1. If you’re new to #ForensicMania, catch the full lowdown here.


To recap, we are testing the latest versions of four of the big commercial forensic tools against the MUS2018 CTF image.

Side note_ Following my intro post, promises were made by certain Magnet folk (you can run but you can’t Hyde). So I reprocessed with the newly released version of Axiom, v2.10. If said promises aren’t kept, we might need to roll back to version 1.0.9 just for fun.


EPISODE 1

Today we’ll be running through processing the MUS forensic image with the four tools.


Analysis Workstation Details

For these tests, we will be using a Dell workstation, with the following specs:

  • Intel Xeon Gold 6136 CPU.
  • 128GB ram.
  • Windows 10 Pro.
  • OS Drive: 2.5″ AData SSD.
  • Case directories and the MUS2018 image file was located on separate Samsung M.2 SSDs.

How does the scoring work

The scoring for this section kept the adjudication committee deadlocked in meetings for weeks, grappling with the question: “How do you score forensic tools on processing, in a fair manor“. After a few heated arguments, the committee realised that this was not the NIST Computer Forensics Tool Testing Program, but a blog. With that pressure off, they created a very simple scoring metric.

First, to get everyone on the same page, consider the following: Say MasterChef Australia is having a pressure test, where each of the Top 25 need to bake a lemon meringue tart. Best tart wins an immunity pin.

Being the first contestant to separate your egg yolks from the whites is pretty cool, might even get some applause from the gantry. But, the proof will always be in the pudding, which is when you start whisking your whites for the meringue. If you did a messy job during the separation, you ain’t going to see firm glossy peaks forming, no matter how hard you whisk.

This then is typically where Maggie Beer and George comes walking over to your bench and drops a comment like “a good meringue is hard to beat“.
You get the point.


The Scoring System

In this round, the tools will be judged in two categories, each with 5 points up for grabs. These two categories are:

1_ Processing Progress Indication. We’ll be looking at how well the tool does at providing accurate and useful feedback during processing. “Does it matter?” you may ask… Well, it is the year of our Lord 2019. I can track the Uber Eats guy on my phone until he gets to my door. Similarly, I expect a forensic tool to at least provide some progress indication, other than just “go away, I’m still busy”.

2_ Time to Completion. Yes, the big one. Pretty straight forward. How long did it take to complete the processing task.

Points will be awarded in the form of limited edition (and much coveted across the industry) #ForensicMania challenge coins:

Side note_ I initially planned on putting a bunch more categories in adjudicating the processing phase (things like how customizable are the processing options, ease of use, can it make waffles etc) but it got a bit too complex and subjective. These tools have fairly different approaches to processing data, so let’s leave the nitpicking for next week when we start analyzing data.

This means there is a total of 10 points up for grabs in Episode 1.


Setting up processing

In order to keep these posts within a reasonable readable length, I’m not going to delve into each granular step that was followed. For each tool, I’ve provided the main points of what was selected in processing, as well accompanying screenshots.


Axiom

  • Full Searches on partitions, Unpartitioned space search on the unpartitioned space of the drive.
  • Keyword Search Types: Artifacts. Note: Axiom does not have the functionality to do a full text index of the entire drive’s contents, but only indexes known artifacts.
  • Searching of archives and mobile backups.
  • Hashing (MD5 and SHA1). Limited to files smaller than 500MB.
  • Enabled processing of the default custom file types.
  • All computer artifacts were selected
6 computer artifacts
Author: Jaco Swanepoel
« of 6 »

BlackLight

  • File Signature Analysis
  • Picture Analysis
  • Video Analysis
  • Hashing (MD5 and SHA1)
  • File Carving: All available file types were selected
  • Advanced Options: All available options were selected (see screenshots)
1 add ev
Author: Jaco Swanepoel
« of 4 »

EnCase

  • File Signature Analysis
  • Thumbnail Creation
  • Hash Analysis (MD5 & SHA1)
  • Expand Compound Files
  • Find Email
  • Find Internet Artifacts
  • Index text and Metadata
  • Modules:
  • System Info Parser (All artifacts)
  • File Carver (All predefined file types, Only in Unallocated and Slack)
  • Windows Event Log Parser
  • Windows Artifact Parser (Including Search Unallocated)
9 WindowsArtifacts
Author: Jaco Swanepoel
« of 9 »

FTK

For FTK, I used their built-in ‘Forensics’ processing profile, but tweaked it a bit.

  • Hashing (MD5 & SHA1)
  • Expand all available compound file types
  • Flag Bad Extensions
  • Search Text Index
  • Thumbnails for Graphics
  • Data Carving (Carving for all available file types)
  • Process Internet Browser History for Visualization
  • Generate System Information
3 carving opts
Author: Jaco Swanepoel
« of 3 »

To give each tool a fair chance, the MUS image was processed twice with each.


Results: Processing Progress Indication.

Here are the results for each tool’s ability to provide the user with adequate feedback regarding what is being processed:

Axiom

Axiom’s processing window is quite easy to make sense off. It shows which evidence source is currently processing (partition specific), as well as which ‘search definition’ it’s currently on. During the testing, the percentage progress indicators also seemed to be reliable.

In the category of “Processing Progress Indication”, the adjudication committee scored Axiom: 5 out of 5.


BlackLight

BlackLight also has a great granular processing feedback window. For each partition, it shows what it’s busy with processing as well as progress indicators. These were deemed reliable with the tests.

In the category of “Processing Progress Indication”, the adjudication committee scored Blacklight: 5 out of 5


EnCase


EnCase’s processing window seems a bit all over the show. More like something you’ll look at for diagnostic info, not processing progress. It was a bit difficult to gauge what it was actually busy with. It does have a progress indicator showing a ‘percentage complete’ value, however, this was quite unreliable. When processing the MUS image, it hit 99% complete quite quickly and then continued processing for another hour at 99%, before completing. This happened with both tests. I again processed the same image on a different workstation and got similar results.

In the category of “Processing Progress Indication”, the adjudication committee scored EnCase: 3 out of 5.


FTK

FTK’s processing window is quite straight forward. Perhaps too much so. It does have an overall process bar, although not entirely accurate, and shows which evidence item (e01) it’s currently processing. However, because you have no idea what it’s actually busy with processing, it remains a waiting game to see how many files it discovers, processes and indexes. And once you think it’s done, you get a surprise with a couple hours of “Database Optimization”.

In the category of “Processing Progress Indication”, the adjudication committee scored FTK: 3 out of 5.



Results: Time To Completion.

These are pretty straight forward. How long did it take to process the MUS image with the above noted processing settings?

Axiom

Axiom took 52 minutes and 31 seconds to process the MUS image. Following this, the ‘building connections’ process took another 17 minutes and 25 seconds.

This gave Axiom a total of 1 hour, 9 minutes and 56 seconds.


BlackLight

BlackLight took 1 hour flat to process the image. Following this, the option was available to carve the Pagefile for various file types. This added another 14 minutes and 30 seconds.

This gave BlackLight a total of 1 hour, 14 minutes and 30 seconds.



EnCase

EnCase took 1 hour, 23 minutes and 25 seconds.

No additional processing required, all jobs were completed in one go.


FTK

FTK took 59 minutes and 9 seconds to process and index the image. That’s faster than all the others… But, before you celebrate: Following the processing, FTK kicked off a “Database Optimization” process. This took another 2 hours and 17 minutes! Although it’s enabled by default, you can switch off this process in FTK’s database settings. However, according to the FTK Knowledge BaseDatabase maintenance is required to prevent poor performance and can provide recovery options in case of failures.” Seems like it’s something you rather want to run on your case.

This gave FTK a total of 3 hours, 12 minutes and 9 seconds.


Let’s dish out some coins:

For winning the time challenge, Axiom gets 5/5

Not too much separated BlackBag and EnCase from Axiom, both gets 4/5

And, bringing up the rear, taking almost 3 times as long as the others, FTK with 2/5


Before we look at the totals for this week, here is the result of the poll from last week:

Pretty much in line with what we saw this week…

Here’s your scoreboard after S01E01 of #ForensicMania


What’s Next?

Tune in next week to see if Axiom can keep it’s narrow lead, whether BlackLight knows what to do with a Windows image and if FTK can pick itself up by it’s dongles. We’ll start with analyzing the MUS image, so stay tuned for all the drama, first and only on The Swanepoel Method.

Side note_ It is still early days. Don’t go burning (or buying) any dongles after this post alone. The proof will be in the analysis capabilities of these tools, so check back next week.