Index

Note: Page numbers followed by “f” and “b” refer to figures and boxes, respectively.

A

Access control list (ACL), 127
Acme Consulting, 286, 288
ACMru key, 5, 151
Acquired images, 233–235
ASCII timelines, 212–213
Event Log file extraction, 87
historical Registry data, 152
installed AV applications, 186
malware detection, 182
multiple antivirus scans, 189–192
timeline analysis, 220, 247
timeline creation, 227
timeline creation on XP, 233–235
VSCs, 66b, 68b
batch files, 70
diskpart command, 64b
FTK Imager, 59f
image file formats, 73b
LiveView, 60b
overview, 59–73
ProDiscover, 71–73, 71f, 72f
ProDiscover BE, 66
VHD method, 61–65, 62f
VMDKs and SIFT, 68
VMWare method, 65–68, 67f
Acquisition process
F-Response, 44–45
incident response, 43
Active Directory, 57–58
F-Response VSC, 57
incident response questions, 32
ActivePerl
time formats, 232b
time stomping example, 82
timeline creation, 232
ActiveState
analysis system set-up, 24
diff, 162b
time formats, 232b
timeline creation, 232
Admin logs, characteristics, 91
Administrator-level privileges
Internet activity analysis, 204
AT jobs, 206
malware artifacts, 181–182
malware detection, 204
scheduled tasks, 101–102
Adobe, 272–273
Adobe Reader, 266
Advanced persistent threat (APT), law firm targets, 2
Allan, Alasdair, 114
Alternate data stream (ADS), 80, 197
Carbon Black log example, 39
“knowing what to look for,” 198
malware detection, 196–199
Poison Ivy RAT, 197
stealth ADSs, 198–199
Alternatestreamview.exe, 196–197
Altheide, Cory, 24, 116, 217
Alvarez, Victor Manuel, 194
Analysis
case notes, 279–284
documenting, 281–284
goals, 276–279
reporting, 284–294
body, 287–291
executive summary, 285–287
format, 284–285
Analysis concepts
analysis principles, 6–18
cloud environment implementation, 21b
convergence, 19–20
documentation, 18–19
overview, 4–22
virtualization, 20–22
Windows versions, 4–6
Analysis principles
absence of artifacts, 16b
direct/indirect artifacts, 13–16
goals, 7–9
Internet history information, 14b–15b
least frequency of occurrence, 16–18
Locard’s exchange principle, 11
overview, 6–18
speculation, 11–13
tool validation myth-odology, 9–11
tools vs. processes, 9
ZeroAccess, 15b
Analysis system
open-source tools, 24
set-up, 22–25
SIFT usage example, 22
Analytic logs, characteristics, 91
Android (Google)
location information, 116
Skype, 113
USB device analysis, 135
Anti-forensic tools, 272–273
Anti-forensics
definition, 76–77
time stomping, 82
Anti-malware applications, detection analysis, 187
Anti-spyware applications
mixing protection mechanisms, 188
Antivirus (AV) software
application configuration, 187
Application Event Logs, 184
Event Log files, 87
event parsing into timeline, 246
hibernation files, 110–111
in-depth malware detection, 192–193
log file analysis, 184–189, 186
log time formats, 216
logs, 87, 112–113
malware artifacts, 182
malware write-ups, 190–192
multiple scanning techniques, 189–192
packed files, 193–195
prefetch files, 99–100
Registry analysis, 203–204
seeded sites, 207–208
testing for malware execution, 208
timeline analysis, 220–221
timeline creation, 226
Apache, Log2timeline framework, 213
AppCompatCache value, 203–204
Appevent.evt, XP/2003 systems, 90
Apple products
See also specific products
application files, 114–116, 115f
iPod Touch backup, 115
malware persistence mechanism, 177
Skype, 113
timeline analysis via visualization, 246
AppleSoftwareUpdate task, 101
Application analysis
basic considerations, 253–254
data exfiltration, determining, 267–271
defrag, running, 266–267
demonstrating user access to files, 257–260
detecting system time change, 264–265
finding something new, 271–273
HowTos, 254–273
IE browser analysis, 260–264
overview, 253–254
Software hive, 142–145
Windows shortcuts and USB devices, 255–257
Application Event Log, 233–238
analysis, 184
AV logs, 88
characteristics, 91
example, 87
expert tips, 36
incident response data collection, 44
installed AV applications, 186
prefetch files, 99–100
timeline creation on Windows, 7–8, 234
timeline creation on XP, 233–235
Application files
Android devices, 116
antivirus logs, 112–113
Apple products, 114–116, 115f
file analysis, 111–118
image files, 116–118
Skype logs, 113, 114f
SQLite databases, 111
Application prefetching
See also Prefetch files
enabling, 97b
expert tips, 181
purpose, 97b
timeline analysis data sources, 215
Application programming interface (API), 10
analysis system set-up, 23
Apple product application files, 114–116
Event Log file parsing, 88
Internet history information, 14b–15b
Log Parser tool, 93, 236
scheduled tasks, 101–102
time stamp alteration, 82–83
time stomping example, 82–83
timeline analysis, 214–215, 217–218
timeline creation on Windows, 7–8, 236
VSCs in acquired images, 59–60
WiFi geolocation mapping, 146–147
WinInet, 14
Artifact basics
absence as artifact, 16b
concealing via virtualization, 20–22
direct artifacts, 13–16
incident response data collection, 41–42
indirect artifacts, 13–16
order of volatility, 11
searching tips, 90b
sources, 6
speculation, 11–13
timeline analysis, 221
ASCII timelines, 212–213, 244
Assumptions, analysis principles, 12
At.exe
.job files, 206
scheduled tasks, 101
vs. schtasks.exe, 103
Atkinson, Jared, 100
Aubuchon, Kurt, 156
Audio visual (AV) applications, 37
Auditing functionality
Carbon Black, 39
incident preparation, 37–38
Windows 7 settings, 38f
AutomaticDestinations folder, jump lists, 105, 108
Automation, VSC access, 68–71
AutoRuns tool
initial infection vector, 177–178
malware persistence mechanism, 177–178
Autostart mechanism, malware persistence, 175–176
AV
See Antivirus (AV) software; Audio visual (AV) applications
AVERT Stinger, 190, 191f
AVG scanner, multiple AV scans, 189

B

Backdoors
malware persistence mechanism, 175
scheduled tasks, 102
Windows services, 139
BackFlip phone, 116, 135
Background Intelligent Transfer Service (BITS), 139
BackupRestore key, 51
BagMRU key, 154
shellbags, 153, 155
Barrett, Diane, 21
Batch files
at.exe vs. schtasks.exe, 103
commands references, 70
timeline creation on Windows, 7–8, 237
BinText, 24–25, 89–90, 122
BitBucket key, 94
“Blackhole” name lookups, 188
Bluetooth, 141, 269, 271
Bodyfile, timeline analysis, 228, 231–232, 247
Bonfa, Giuseppe, 15, 180
BootCamp, analysis system set-up, 22
Brown, Christopher, 23, 56, 71, 204
Browser analysis, 143b, 187–188
Bthport.pl RegRipper plugin, 271
Bunting, Steve, 265
Bursztein, Elie, 146–147
Business models, 46–47

C

C6d3bf33.Windows.XP.Mode key, 161f
CacheSizeInMB, USB device analysis, 132
Caffrey, Aaron, 19, 172
Cain & Abel, UserAssist subkeys, 160
Canon EOS Digital Rebel XTi, image file analysis, 117
Carberp Trojan, 177–178
Carbon Black (Kyrus), 38, 39f, 40–41
Carrier, Brian, 19, 77
Carroll, Ovie, 165–166
Case, Andrew, 165
Case notes, 279–284
maintaining, 280
benefits of, 280
CCleaner, 272–273
Child processes, Carbon Black, 39
Chrome web browser (Google), 39, 145, 204
ClamAV, 194–195
ClamWin, 190, 190f
Classes subkeys, Software hive, 144f
“Classic emergency response service (ERS)” model, 46
Clausing, Jim, 194
“ClearBrowserHistoryOnExit,” 262–263
Cloud computing, 21
COM structured storage, Registry as log file, 124
ComDlg32 Registry key, 269
ComDlg32 subkeys, via WRR, 151f
Command and control (C2) server, 15
Command line interface (CLI), 154–155
Comma-separated value (CSV) format
Event Log parsing, 88
event parsing into timeline, 245
Log Parser tool, 93
MFT analysis, 88
Sigcheck.exe tool, 195
timeline creation, 231, 236
WFP Checker, 196
Compile times, 199–200, 199f
Compliance
AV log analysis, 112
cloud implementation, 21b
Google-based malware research, 192
incident response, 31b
malware detection, 170
malware removal example, 34
and preparation, 34–35
Concise description, of incident, 279
Conficker, 174, 182, 203
Consequential artifacts, 14
Consolidated.db, Apple product application files, 114
Contextual information
analysis goals, 8
Event Log analysis, 88–89
file analysis, 76
historical Registry data, 152
jump list parser, 109
malware detection, 183
prefetch files, 99–100
Registry structure, 122
timeline analysis, 217, 224
approaches, 213–214
benefits, 219–221
case study, 250
concepts, 218
data source, 222–223
Lastwrite times, 224
modular approach, 226
TLN creation, 226
user field, 223–224
Contraband images
malware characteristics, 170–183
timeline analysis, 220
timeline approaches, 213–214
ControlSet
U3-enabled device analysis, 126b
USB subkey, 128
USB thumb drive, 131
Convergence, law enforcement and forensic analysis, 19–20
Coreflood bot, 208
CRC-32 algorithm, scheduled tasks, 150
Creation, 244b
Crimson Editor, analysis system set-up, 24
CSI, 11
CSIRP, incident preparation training, 45
.csv file, 240
CustomDestinations folder, jump lists, 108
Customer, 278
Customer needs, 278
Cyberbullying, as common problem, 2
Cybercrime
as common problem, 2
sophistication, 2
Cybercrime and Espionage (Gragido & Pirc), 172
Cyberstalking, as common problem, 2

D

Damn Small Linux, 21
Dang, Bruce, 150
DarkReading.com, 2–3
“Dashboard,” incident response report, 31
$DATA attributes, 79–80
Data breaches
analysis goals, 8–9
as common problem, 2
direct artifacts, 13
file analysis example, 76
incident response questions, 30–33
malware characteristics, 170–183
timeline analysis, 220
Data collection
incident preparation, 41–46
trusted advisor, 42
Data exfiltration
determining, 267–271
prefetch files, 181
Data files, malware persistence mechanism, 177
Data sources
data volume issues, 243
timeline analysis, 214–215, 222–223, 242–243
timeline analysis case study, 247–248
Data Time Control Panel applet, UserAssist keys, 159
Date Interpretation, 261
Date range information, Event Log files, 87–88
DateTime module, timeline analysis, 232b
Davis, Andrew, 203–204
Debug logs, characteristics, 91
Default User, Internet history information, 15
“Default User” profile, Internet activity analysis, 204
Defrag, running, 266–267
“Defragment Disk” button, 267
Dell laptops
acquired images, 71
analysis system set-up, 23
mmls.exe sample output, 229f
timeline creation, 228
Description field, timeline analysis, 224–225
DestList, 110
DestList stream, 107–108, 109
Device driver, system files in System Restore Points, 51
Device ID key, 126, 127, 132, 135–136
Device logs, 279
incident response, 36b
UserAssist subkeys, 160
Devices key, 132, 137–138
DevicesClasses disk device subkey, smart phones, 137
DHCP server, NetworkCards key, 148
Digital forensics and incident response (DFIR) community, 186–187
Digital Forensics with Open Source Tools (Altheide), 24
Digital signatures
malware detection, 195–196
malware persistence mechanism, 177
verification, 177
Dir command
ADS manipulation, 196–197
MFT record, 77
Direct artifacts
analysis principles, 13–16
definition, 13–16
vs. indirect, 15
Directory (folder) record, MFT, 77
Disk Defragmenter dialog box, 267
Disk signature, USB external drive analysis, 134–135, 134f
Diskpart command, expert tips, 64b
Documentation
analysis concepts, 18–19
malware detection, 183
Documenting analysis, 281–284
Dolan-Gavitt, Brendan, 163–164
DOS 8.3, $FNA MFT record, 79
DOS partition, analysis goals example, 8
Dr. Watson logs, 188, 203
Driver events, USB device analysis, 127b
DumpIt (MoonSol), 42, 42f
DWORD, Event Log records, 89–90
Dynamic link library (DLL), 208
application prefetching, 97b
Carbon Black log example, 39–40
direct artifacts, 13
Event Log file extraction, 87
and IAT, 208
Log Parser tool, 93
malware artifacts, 182
malware persistence mechanism, 177
malware write-ups, 190–192
prefetch files, 97–98
Process Registry key, 5–6
W32/Crimea, 177

E

Echo command, file system tunneling example, 84
Email
malware initial infection vector, 173
malware propagation mechanism, 174
phishing training, 173b
server logs, 277
EMDMgmt key, 132f
USB device analysis, 132, 138
via WRR, 132f
EMDMgmt software hive, 255–256
Emergency Response Services (ERS) team, 281–282
EnCase
analysis system set-up, 23
image file formats, 73
timeline analysis case study, 247
VSCs in acquired images, 60
EnCase version, 281–282
ESENT key, malware write-ups, 190–192
Eset, multiple AV scans, 189
Event addition, 248f
Event ID
interesting artifact searches, 90b
timeline analysis, 224–225
timeline approaches, 213–214
Windows Event Log, 90–93
absence of artifacts, 16b
analysis system set-up, 23
analysis tip, 89b
Carbon Black example, 40–41
conversion, 93
file analysis, 86–94
Forwarded Event Log, 91
incident response, 36–37
incident response data collection, 44
indirect artifacts, 15–16
pagefile and unallocated space, 89–90
Perl script parser, 88
ProDiscover Basic Edition, 24
sources, 233–234
time formats, 215
timeline analysis, 222–223, 224–225
timeline analysis case study, 247–248
timeline analysis data sources, 215
timeline creation, 233–235
basic considerations, 233–238
sources, 234
Windows, 7–8, 235–238
Windows XP, 233–235
Ultimate Windows Security Event Log site, 88–89
Windows 7 example, 91f
XP format, 86f
XP/2003 formats, 5
Event sources, Event Log files, 87
EventID web site, Event Log parsing, 88
Eventmap.txt file, 238
Evidence Eliminator, 272–273
Evidence eliminator tools, expert tips, 163b
.evtx files, 237–238
Examination, goals of, 276–279
Excel, See Microsoft Excel
Exchange server, incident response questions, 32
Exchangeable image file (EXIF), 116–117
Executable files, malware persistence mechanism, 177
Executive summary, 285–287
EXIFTool, 116–117
Expert tips
application logging, 37
application prefetching, 97b, 181
backslash in vhdtool.exe, 65
browser analysis, 143b
cloud environment implementation, 21b
coding skills, 203
current ControlSet, 126
data source volume, 243b
deleted Registry keys, 138b
device logs, 36b
DeviceClasses, 130b–131b
diff, 162b
diskpart, 64b
driver events, 127b
Event Log analysis, 89b
Event Log sources, 234
events file creation, 244b
evidence eliminators, 162b
find command, 235
F-Response VSC demo set-up, 57b
historical Registry data, 152b
image file formats, 73b
interesting artifacts, 90–93
Internet history information, 14b–15b
iPod Touch backup, 115b
.job files, 206
LiveView, 60b
Local Service Account Activity, 262
MRT Registry key, 185
NTFS file times, 228
NTOSBOOT-BOODFAAD.pf, 100
phishing training, 173b
prefetch and data exfiltration, 181
Recycle Bin bypass, 94b
Registry analysis, 222b
Registry structure, 122b
shellbags artifacts, 257
SQLite database access, 111
SSD drives, 98b
testing for malware execution, 208
timestomping manipulation, 215
tracking user activity, 154b
triage questions, 31b–32b
trusted advisor, 42
U3-enabled device analysis, 125
USB device analysis checklist, 125
UserAssist data, 158b
VHDs and VMs, 91b–92b
WiFi geolocation mapping, 146b–147b
Windows Defender logs, 186
Wow6432Node, 150b
Expert witness format (EWF) images, 24, 73, 247
Exploit-Monday.com, 198–199
Extensible markup language (XML) format
Apple product application files, 114–116
prefetch file parsing, 99–100
scheduled tasks, 102, 149
Task Scheduler files, 5
timeline analysis data sources, 215
Windows Event Logs, 90–93
External drives
drive/disk signature, 134f
imaging, 4
incident response, 42–43, 43
Registry analysis, 124–138
timeline analysis, 219
timeline creation, 231
USBStor and USB subkeys, 134f

F

Facebook, initial infection vector, 172
FAT file systems
ADS manipulation, 196–197
file system tunneling, 84–85
multiple AV scans, 189–192
USB device analysis, 132
Fdisk, 22, 68b
File analysis, 76–86
antivirus logs, 112–113
Apple product application files, 114, 115f
application file prefetching, 97
application files, 111–118
at.exe vs. schtasks.exe, 103
basic considerations, 76
Event Log conversions, 93
Event Logs, 86–94
file system tunneling, 84–85
hibernation files, 110–111
image files, 116–118
interesting artifact searches, 90
jump lists, 104–110, 110f
MFT, 76–86
prefetch files, 97–100, 98f
Recycle Bin, 94b, 96f
scheduled tasks, 101–104, 102f
Skype logs, 113, 114f
SSD drive prefetch settings, 98
VHDs and VMs, 91b–92b
Windows Event Log, 90–93, 91f, 92f
File analysis, 117
File Entry Header, MFT, 80
File modifications, Carbon Black, 39
File record, MFT, 77
File Record Header, MFT record, 77
File System Forensic Analysis (Carrier), 19, 77
File system metadata, timeline creation, 227–233
File system tunneling, 84–85
File transfer protocol (FTP), 268, 269
$FILE_NAME attribute ($FNA)
file system tunneling example, 84–85
MFT record, 79
time stomping example, 83
timeline analysis, 217–218
timeline creation, 228
timestomping manipulation, 215
FilesNotToBackup, 52
FilesNotToSnapshot, 52
FILETIME objects
DestList stream, 107–108
Recycle Bin, 96–97
Registry nomenclature, 123
time formats, 215
time stamps, 77
time stomping, 82
timestomping manipulation, 215
FILETIME time stamp, 259
Find command, expert tips, 235
Firefox browser, 204, 215
First-in-first-out (FIFO) process, VSCs on live systems, 58b–59b
Fls.exe
Registry data and TLN creation, 239–240
timeline analysis case study, 247
timeline creation, 228, 232–233
$FNA attributes, 80
Folder record, MFT, 77
Fonts directory, malware detection, 206–207
Forensic Acquisition Utilities, VSC access automation, 69
Forensic CaseNotes, for documentation, 19
ForensicKB.com, 227
ForensicsWiki, jump lists, 105
Format, 284–285
Forwarded Event Log, characteristics, 91
Foster, James C., 215
Frequency of occurrence
analysis principles, 16–18
Event Log files, 87
F-Response, 44–45, 57–59
F-Response Enterprise Edition (EE), 57
F-Response Enterprise Management Console (FEMC), 57–58, 58f
F-Secure blog, 200–201
Fsquirt.exe, 269
FTK Imager, 73, 233–234
analysis system set-up, 24
directory listing creation, 232f
file menu example, 231f
file system tunneling example, 84–85
functionality example, 44f
image partition table, 231f
incident response, 43
MBR infectors, 201–202
multiple AV scans, 189–192
Recycle Bin index file, 96f
time stomping example, 84–85
timeline analysis case study, 247
timeline creation, 227, 230–232
timeline creation on XP, 233–235
U3-enabled device analysis, 125
VSCs in acquired images, 59f
Windows 7 Recycle Bin, 96f
XP Recycle Bin, 95f

G

Garner, George M., Jr., 69
Geek Squad thumb drive, 125, 129
Global positioning systems (GPSs), 1–2, 116, 118
Globally unique identifier (GUID), 129f, 263–264
MRT Registry key, 185
scheduled tasks, 149
smart phones, 136–137
Software hive application analysis, 142
USB device analysis, 128, 130b–131b
USB external drive analysis, 134–135
via WRR, 129f
Gmtime() function, timeline time formats, 222
“Go kit,” incident response, 33–34
Goals
accomplishment, 277–278
defining, 277
Google Code site, 115, 194
Google Maps, WiFi geolocation mapping, 146, 147f
Google searches, malware information, 192
Google’s Chrome browser
IE browser analysis, 260
Gragido, Will, 172
Granularity, timeline analysis, 226
Graphical user interface (GUI), 240
Grep command, timeline data volume, 243b
Group Policy Object (GPO), 127
Gudjonsson, Kristinn, 213, 239–240
“{GUID}.dat,” 264

H

Hacking Case image, timeline creation, 227, 228
Hale, Jason, 159
Harbour, Nick, 177
Hard drive image
See also Acquired images
analysis goals, 7–9
Event Log file extraction, 87
incident response example, 35
learning to image, 4
Harrell, Corey, 70, 80, 203–204
Harvey, Phil, 116–117
HBGary, 2–3, 177–178
Hensing, Robert, 204
Heyne, Frank, 196–197
Hibernation files
file analysis, 110–111
Registry analysis, 163–164
Registry keys, 52
Hierarchical File System (HFS) [Macintosh], 196–197
Higbee, Aaron, 173
Higgins, Kelly Jackson, 2–3
Historical UserAssist Data, 160
HowTos, 254–273
Human resources (HR), 276
HxD hex editor, analysis system set-up, 24
Hypertext Markup Language (HTML) format
prefetch file parsing, 99–100
seeded sites, 208
Hypothesis testing, time stamps, 81b

I

$I files, ProDiscover Basic Edition, 23
$I30 Index Attributes, overview, 85
Icat (TSK tool), SIFT VM usage example, 22
Identifiers (IDs)
driver events, 127b
Event Log files, 87
interesting artifact searches, 90
Identity theft, as common problem, 2
IE browser analysis, 260–264
Illicit images, malware characteristics, 171–172
Image File Execution Options key, indirect artifacts, 14
Image file formats, examples, 73b
Image files, file analysis, 116–118
ImDisk, 233–234
multiple AV scans, 189–192
timeline creation on XP, 233–235
VSCs in acquired images, 60
Windows services, 140–141
Imm32.dll, W32/Crimea, 177
Import address table (IAT), 208
Incident preparation
auditing functionality, 37–38, 38f
basic considerations, 29–41
data collection, 41–46
employee training, 45–46
importance, 33–36
logs, 36–41
questions, 30–33
Incident response
acquisition process, 43
application logging, 37
Carbon Black, 38, 39f
compliance, 31b, 34
consultants vs. IT staff, 32
data breach questions, 30–33
device logs, 36
example case, 33
F-Response, 44–45
incident scoping, 32–33
malware characteristics, 170–183
malware propagation mechanism, 174
malware removal process, 34
mock incidents, 45b–46b
MoonSol DumpIt example, 42, 42f
outside consultant questions, 31b–32b
overview, 27
speculation issues, 11–13
speed, 34
temporal proximity, 30
“triage” questions, 31b–32b
trusted advisor, 42
Incident triage, 278–279
Index attributes, NTFS $I30, 85
Index card, 276
Index file, Recycle Bin, 95, 96f
Index.dat file, 260
indirect artifacts, 14
Internet activity analysis, 204, 205–206
Internet history information, 14
Registry keys, 52
Indirect artifacts
analysis principles, 13–16
definition, 14
vs. direct, 14
INFO2, 24, 95
See also Recycle Bin
Infrastructure-as-a-service (IaaS), 21
Initial infection vector, 272b
malware characteristics, 172–174
vs. propagation mechanism, 174
Inkanalyzer, jump lists, 108
Install key, Software hive application analysis, 142
Instant Messaging (IM), 113
Interfaces key, NetworkCard key, 148
Internet, 279
Internet, early worms, 16–17
Internet Evidence Finder (IEF) tool, 260
Internet Explorer (IE), 100, 260
browser analysis, 143b, 260
Internet activity analysis, 204
Internet history information, 14b–15b
jump lists, 104
Internet Explorer 8, 264
Internet Explorer 9, 264
Internet history information
expert tips, 14b–15b
Log2timeline framework, 213
malware detection, 204
Internet History Viewers
ProDiscover Basic Edition, 24
ProDiscover example, 205f
Internet Information Server (IIS), 215
Intrusion detection system (IDS), 46
Intrusions
antivirus log analysis, 112
as common problem, 2
frequency of occurrence, 16–18
incident response questions, 30–33
interesting artifact searches, 90
scheduled tasks, 103
timeline analysis, 220–221
iOS 4, application files, 114
IP address
Carbon Black, 40–41
NetworkCards key, 148
time analysis, 223
timeline approaches, 213–214
iPad (Apple), 113, 114
for case notes, 281
iPhone (Apple), 113, 114
iPhoneBackupBrowser, Apple product application files, 115
iPod (Apple), application files, 114
iPod Touch (Apple), 136
application files, 114
backup tip, 115b
image files, 116–118
Skype, 113
unique instance ID, 136
USB device analysis, 136
iTunes, 266
iTunes application
application files, 114
malware persistence mechanism, 177
scheduled tasks, 101
VSCs in acquired images, 63–64

J

Java, 271–272
.Job files, 206
“Journey into IR” blog, 70
JPEG files, Software hive application analysis, 144
Jump List Extractor, 108
Jump List LNK stream, 256
Jump List Viewer, 109, 110f
Jump Lists, 272–273
AutomaticDestinations folder, 105, 108
CustomDestinations folder, 108
DestList stream, 107–108
file contents, 106–107
file structure, 108
incident response data collection, 44, 100
information value, 107b–108b
LNK file, 107, 107f
MiTeC Structured Storage Viewer, 105–106, 106f, 107
naming, 105
overview, 104–110
parsing tools, 108, 109, 110f
Registry as log file, 124
VMPlayer example, 104f
JumpLister, 108

K

Kernel32.dll
PE file compile times, 199–200
time stamp alteration, 82–83
time stomping example, 82–83
timeline analysis data sources, 214–215
KeysNotToRestore, 52
Keystroke loggers, 13, 41
Keyword searches, file analysis, 76
“Kitchen sink” timeline approach, overview, 213–214
KnowledgeBase (KB) article 191656
globally unique identifier (GUID), 263–264
Kornblum, Jesse, 175, 202
Kovar, David, 80

L

Lads.exe, 196–197
Larson, Troy, 5–6, 108
Last Access Time, overview, 78b–79b
LastTestedTime value, USB device analysis, 132
LastVisited MRU key, user hives, 150–151
LastVisitedPidMRULegacy key, user hives, 151
LastWrite time, 127, 140–141, 271–272
device ID, 126
historical Registry data, 152
iPod Touch, 136
Legacy_*\0000 keys, 180
LEGACY_IMDISK, 140–141
MRT Registry key, 185
Registry data and TLN creation, 239
Registry nomenclature, 123
smart phone, 135–136, 137
Software hive application analysis, 142–143
time formats, 215
timeline analysis, 217–218, 223, 224
TypedPaths key, 161
USB device analysis, 128, 130b–131b, 132
USB external drive analysis, 134, 135
USBStor subkey, 132
WordWheelQuery, 152
Law enforcement officers (LEOs)
forensic analysis convergence, 19–20
malware characteristics, 171–172
Least frequency of occurrence
timeline analysis via visualization, 246
Lee, Rob, 22, 56, 65, 68, 93, 105–106, 125, 138, 212–213
Legacy_* keys, 180, 180f
Legacy_* service key, ZeroAccess rootkit, 180
LEGACY_IMDISK, Windows services, 140–141
LinkInfo block, 282–283
Linux
analysis system set-up, 22
for case notes, 281
Event Log parsing, 88
open source tools, 24
Skype, 113
time formats, 222
Little-endian hexadecimal format, Recycle Bin, 96–97
Live systems
Software hive application analysis, 144
VSC access, 55f
basic considerations, 58b–59b
F-Response, 57–59, 58f
overview, 53–59
ProDiscover, 56
WMI class Win32_ShadowCopy, 54
LiveView
overview, 60b
VSCs in acquired images, 59–60, 65–66
LNK files, 107f, 256, 282–283
jump lists, 108
timeline analysis, 242
USB device analysis, 129
via WFA, 107f
XPMode, 159b
Loaded modules, Carbon Black, 39
Local Service Account Activity, 262
LocalService
Internet history information, 15, 205, 205f
timeline analysis, 223–224
Locard’s exchange principle, basic concept, 11
Location information
Android devices, 116
Apple products, 114–116
Log analysis, 184–185
AV application configuration, 187–188
Dr. Watson logs, 188
installed AV applications, 186
malware detection, 184–189
Windows Defender, 186
Log files
See also Event Logs (.evt)
application logging, 37
auditing functionality, 37
AV products, 88
Carbon Black, 38, 39f
incident response, 36–41
mock incidents, 45–46
Registry as, 124
timeline analysis, 217, 242
Log Parser tool, 236
$LogFile, 85–86
Logparser command, 237
Logparser tool, 92–93
Log2timeline framework, characteristics, 213
Lui, Vincent, 215

M

Mac, for case notes, 281
Mac OS X
alternate data streams, 196–197
analysis system set-up, 22
Event Log parsing, 88
open source tools, 24
MAC time stamps, jump list files, 106
MACB times
definition, 78
time stomping example, 78
timeline analysis, 224–225
timeline creation, 227–228
Mac-daddy script, 212–213
MACE times, 78, 227–228
Macintosh Hierarchical File System (HFS), 80
Mac OS X, Skype, 113
Magic numbers, Event Logs, 86, 89–90
Main.db, Skype, 113–114, 114f
Malicious activity
direct vs. indirect artifacts, 15
incident response data collection, 41–42
sophistication, 2
Malicious Software Removal Tool (MRT)
antivirus log analysis, 112–113
log analysis, 184–185
Malware
basic problem, 170
direct artifact, 13–16
Event Log files, 87
frequency of occurrence, 16–18
incident response process, 34
incident response questions, 30–33
interesting artifact searches, 90
Internet history information, 15
MUICache key, 157
prefetch files, 99–100
scheduled tasks, 102, 150
system files in System Restore Points, 51
testing via virtualization, 22
Trojan defense, 172
Malware artifacts
AV write-ups, 190–192
indirect, 13
overview, 179–182
persistence mechanisms, 179
prefetch files, 180
seeded sites, 207–208
Windows version, 181
The Malware Analyst’s Cookbook and DVD (Ligh et al.), 111, 163–164, 194–195, 198–199, 208
Malware characteristics
artifacts, 179–182
evolution, 180
initial infection vector, 172–174
memory scraper, 176
multiple persistence mechanisms, 178
overview, 170
persistence mechanism, 175–179
propagation mechanism, 174–175
Malware detection, 196, 197, 197f, 234
alternate data streams, 196–199
AV vendor write-ups, 190–192
coding skills, 203
digital signatures, 195–196
Dr. Watson logs, 188
event parsing into timeline, 245–246
file system locations, 206–207
Googled malware information, 192
in-depth techniques, 192–207, 208
Internet activity, 204–206
“knowing what to look for,” 198
log analysis, 184–189
MBR infectors, 200
mixing protection mechanisms, 188
multiple antivirus scans, 189–192
overview, 183–209
packed files, 193–195
PE file compile times, 199–200, 199f
phishing training, 173
Poison Ivy RAT, 197
Registry analysis, 203–204
scheduled tasks, 206
seeded sites, 207–208
System Event Log, 206
testing for execution, 208
timeline analysis, 217, 219, 220–221
timeline creation on XP, 234
WFP, 196, 197f
Managed subkey, values, 146
Manifest.mbdb (Apple), 114–115
Manifest.mdbx (Apple), 114–115
Master file table (MFT)
antivirus log analysis, 112
file analysis, 76–86
file system tunneling, 84–85
$FNA, 79
incident response data collection, 41–42, 43
Last Access Time, 78b–79b
NTFS $I30 Index Attributes, 85
record characteristics, 77, 79–80
$SIA and $FNA extraction, 79
$SIA time stamps, 80
SIFT VM usage example, 22b
speculation issues, 12–13
time stamps, 78
alteration, 82–83
parsing script, 80
time stomping, 82
example, 82–83
timeline analysis, 217–218, 224–225
data sources, 214–215
timeline creation, 227–228, 242
timestomping manipulation, 215
Mbdbdump.exe, Apple product application files, 115
MBR infectors, 200, 201–202
McAfee antivirus (AV) products, 191f
additional functionality, 187–188
log analysis, 184
McAfee/Foundstone site, analysis system set-up, 24–25
multiple AV scans, 189
Stinger UI, 191f
timeline analysis, 222–223
McKinnon, Mark, 105
MD5 hash, 196
Carbon Black, 39
malware persistence mechanism, 177
MBR infectors, 202
WFP, 196
Mebroot, 200
Media access control (MAC) address
NetworkList, 146
time analysis, 223
WiFi geolocation mapping, 146, 146b–147b
Memory
malware persistence mechanism, 175
Registry analysis, 163–164
Memory scraper
direct artifacts, 13
example, 176
MenuOrder, 156–157, 263
Metadata, 79
ASCII timeline creation, 212–213
EXIF, USB device analysis, 135
EXIFTool, 116–117
files without, 116–117
Log2timeline framework, 213
MFT $FNA, 79
MFT overview, 76–77
PE file compile times, 199
prefetch files, 98, 100
timeline analysis, 217–218
case study, 247–248
timeline approaches, 213–214
timeline creation, 227–233
UserAssist subkeys, 159
MetroPipe Portable Virtual Privacy Machine, 21
Metz, Joachim, 261
Microscanner
MRT as, 184–185
multiple AV scans, 190
Microsoft, in documentation, 282–283
Microsoft Developer Network (MSDN), 203–204
Microsoft Excel
Event Log parsing, 88
event parsing into timeline, 245
Log Parser tool, 93
rip.pl output, 164
timeline analysis, 218
timeline creation on Windows, 7–8, 236
Microsoft KnowledgeBase (KB) articles, 184–185, 196
136517, Recycle Bin, 95
172190, file system tunneling, 84
172218, host file redirection, 188
188768, FILETIME objects, 123
222193, WFP, 196
299648
NTFS file times, 228
$SIA time stamps, 81
299656, NoLMHash value, 122
313565, scheduled tasks, 101–102
320031, Recycle Bin bypass, 94
813711, shellbags, 152–153
814596, schtasks.exe, 103
890830, MRT, 184–185
891716, MRT Registry key, 185
923886, Windows Defender logs, 186
927521, driver events, 127b
2305420, scheduled tasks, 150
Event Log parsing, 88
Microsoft Malware Protection Center (MMPC) blog, 195–196
Microsoft Office, jump lists, 105–106
Microsoft Office 2003, Registry as log file, 124
Microsoft Office 2007, 233–234
metadata file EXIFTool, 116–117
timeline creation on XP, 233–235
Windows Event Logs, 90–93
Microsoft Office Professional, Carbon Black uses, 41
Microsoft Word
for documentation, 18–19
jump lists, 104–110
timeline analysis, 218
“triage” questions worksheet, 31b–32b
UserAssist subkeys, 159
Microsoft/SysInternals site, analysis system set-up, 24–25
Mission: Impossible, 33
MiTeC, 282
MiTeC Structured Storage Viewer, 105–106, 106f
MiTeC Windows File Analyzer (WFA), 107, 107f
MiTeC Windows Registry Recovery (WRR) tool
ComDlg32 subkeys, 151f
current ControlSet, 125–126
EMDMgmt subkey values, 132f
RegIdleBackup key values, 149f
Registry analysis, 121–122
Software hive root, 142f
Tree subkeys, 149f
USBStor device subkey properties, 126f
USB subkey properties, 129f
USB subkeys, 129f
USBStor subkeys, 126f
Virtual PC key path, 161f
volume GUID, 129f
Windows services analysis, 139, 139f
WordWheelQuery, 152
Wow6432Node key, 143
Mlink command, VSCs on live systems, 55, 56
Mmls.exe
sample output, 228f, 229f
timeline analysis case study, 247
timeline creation, 228
Mock incidents, response testing, 42, 45–46
Modular approach, TLN creation, 226
MojoPac, 21
MokaFive, 21
Most frequently used (MFU) list, 107–108
Most recently used (MRU) list, 258
DestList stream, 107–108
historical Registry data, 152
jump list parsing, 109
timeline analysis, 223
timeline analysis data sources, 242–243
VSCs in acquired images, 63–64
WordWheelQuery, 151
MountedDevices key, 255
PGPDisk and TrueCrypt volumes, 130, 130f
smart phones, 136, 138
USB device analysis, 128
USB external drive analysis, 134
Mounting
images for AV scans, 189–192
VHD files, 91b–92b
MountPoints2 key
LastWrite time, 130b–131b
smart phones, 137
USB external drive analysis, 135
USB thumb drive, 131
Mozilla Firefox
IE browser analysis, 260
MRT Registry key, 185
MRT Registry key, expert tips, 185
Mrt.log, antivirus log analysis, 112–113, 184–185
MRUListEx value, 153
historical Registry data, 152
MS Office, 272–273
for case notes, 281
MS SysInternals utilities, Software hive application analysis, 142
MS Word, for case notes, 281
Mueller, Lance, 227, 247
MUICache key, 157
example contents, 157f
malware detection, 203
malware write-ups, 190–192
user hives, 157
Multiple cases, 280
M-unition blog, 177
MySpace, initial infection vector, 172

N

Nano-timelines, creation, 226
National Institute of Standards and Technology (NIST), timeline creation, 227
Network diagrams, 279
Network interface card (NIC), 148
NetworkCards key, 148, 148f
Networked environments, malware persistence mechanism, 178
NetworkList key, 145–148, 147f
NetworkService, timeline analysis, 223–224
NodeSlot value, 154, 257
NoLMHash value, Registry analysis, 122
Notepad++, 266
NTFS file system
ADS manipulation, 196–197
alternate data streams, 196–197
file system tunneling, 84
file times, 228
$FILE_NAME attribute, 79
$I30 Index Attributes, 85
Last Access Time, 78
MBR infectors, 201
MFT, 76–86
multiple AV scans, 189–192
time stamps, 81
NTFS Master File Table (MFT), 9
Ntfswalk, 80–81
NTOSBOOT-BOODFAAD.pf, expert tips, 100
Ntpwedit tool, 60
NTUSER.DAT hive, 153, 160, 258–259
shellbags, 155
smart phones, 137
Software hive application analysis, 143
timeline analysis, 221, 224
case study, 248
data sources, 242–243
U3-enabled device analysis, 125
USB device analysis, 125
USB external drive analysis, 135
USB thumb drive, 131
UserAssist subkeys, 158
Virtual PC, 160
VSC access automation, 70
VSCs in acquired images, 63, 162–163
NTUSER.DAT hives, 203–204, 257, 262
NTUSER.DAT Registry hive, 280–281
NTUSER.DAT Registry hive file, 156, 262–263
NukeOnDelete value, Recycle Bin bypass, 94

O

ODiag.evt, timeline creation on XP, 233–234
Office documents, 277
Offline Files Cache, Registry keys, 52