500.4 - Email, Key Additional Artifacts, and Event Logs Flashcards

1
Q

E-mail Forensics Overview

A
  • Who, When, Where, Relevant
  • Host-based, servers, Cloud, Mobile
  • What can we Analyze?
    • Mail Header, Message Body, Attachment
2
Q

E-mail Headers

A
  • Message-ID - Unique fingerprint of the message
  • Received - Who handled the email; read starting at the bottom, since entries are in reverse order
  • X-Originating-IP - Client IP address (Public = Off)
  • X-Mailer - What client program generated the email
3
Q

Email Authenticity

A
  • Valid SPF & DKIM increase trust
  • Sender Policy Framework (SPF) - Validates the sending IP address against the originating domain
  • DomainKeys Identified Mail (DKIM) - Verifies that message content has not changed, via a digital signature
4
Q

Message-ID Threading (References and In-Reply-To)

A
  • Message-IDs can be used to identify related emails (a thread) via the References & In-Reply-To headers
5
Q

Extended MAPI Headers

A
  • Tracks additional timestamps, unique IDs, last action
  • Messaging architecture - Core component of Exchange & Outlook
6
Q

Host-Based E-mail

A
  • On the local machine: identify email locations & deleted email archives
7
Q

Microsoft Outlook - File Ext: (.PST)

A
  • Email archive stored by default
  • Encrypted/obfuscated by default
  • Up to 5GB saved

Location

  • “User”\AppData\Local\Microsoft\Outlook (2010 & earlier)
  • “User”\Documents\Outlook (2013/2016)
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
8
Q

Offline Folder Files (.OST)

A
  • Cached Exchange Mode (offline mail access)
  • Syncs with the server
  • Locally stored, 50 GB

Location

  • C:\Documents and Settings\“User”\Local Settings\Application Data\Microsoft\Outlook
9
Q

Outlook Attachment Recovery

A
  • Uses a “Secure Temp Folder” to open attachments
    • Located under the Internet Explorer cache folders - Temporary Internet Files (before Win10) and INetCache (IE11+)
  • Previewed and opened attachments can be recovered
  • Prior to Outlook 2007, attachments persisted until Disk Cleanup
  • After 2007, attachments remain only if the message/Outlook is closed before the attachment

Location

  • AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook
  • AppData\Local\Microsoft\Windows\INetCache\Content.Outlook (IE11+)
  • HKCU\Software\Microsoft\Office\“Version”\Outlook\Security\OutlookSecureTempFolder
10
Q

E-mail Encryption

A
  • Individual message encryption is most common
    • Uses a public-key protocol like Secure MIME (S/MIME) or PGP/MIME (.pgp, .p7m file extensions)
  • Not decrypted en route
  • Encrypted messages will show:
    • -----BEGIN PGP MESSAGE-----
    • -----END PGP MESSAGE-----
11
Q

Microsoft Exchange (.edb, ESE, .stm)

A
  • Database for user mailboxes
  • Exchange 2007+: single .EDB file
    • Extensible Storage Engine (ESE) format; previously the database was composed of .EDB & .STM files
  • .EDB stores mail, attachments, contacts, journal, notes, tasks, calendar, & address book entries
  • .log files contain messages not yet written to the .EDB
  • Can be exported in .PST file format

Location

  • C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\Mailbox Database.edb
12
Q

“Recoverable Items” in Exchange

A
  • Deletions - Items removed from the user's Deleted Items folder; deleted mail from POP or IMAP accounts
  • Purges - Temp location for hard-deleted items from the Deletions folder & items that exceed the retention period
  • Discovery Hold - Deleted items from mailboxes placed on hold
  • Versions - Copy-on-write changes to items in active mailboxes placed on hold
  • Audits - Audit log entries for mailboxes with auditing enabled
  • Calendar Logging - Calendar changes when calendar logging is enabled
  • Message Tracing - Log showing message details of sent & received mail
  • Email retained for 14 days, & mailboxes for 30 days
  • 2010 includes indexing & retention for ALL deleted objects
    • Maintains versions of emails
    • Can freeze logs to prevent deletion
    • Unread emails still in “transit”
13
Q

Online Acquisition Windows Server Backup

A
  • Used with Win 2008+ / Exchange 2007+
  • Uses Volume Shadow Copies
    • Ensures database consistency
    • Cannot back up and restore individual mailboxes
    • Exchange databases must be stored together
  • Backups stored as VHD files
14
Q

Unified Audit Logs in O365

A
  • Search & export logs
    • Exchange Online, SharePoint Online, OneDrive for Business, Azure AD
  • Not enabled by default
    • Has to be turned on for EACH user - 90 day retention
  • No default logging for mailbox owners; viewed messages logged only for admin users; no logoff events; IP & client included
15
Q

Webmail Forensics

A
  • Emails normally stored on ISP servers
    • Possible exception for POP or IMAP
  • User IP address & subscriber info may be available from the ISP
  • Look for webmail addresses
  • Cached copies can be recovered
  • Can perform keyword searching & carving of webmail fragments
  • Check protected storage & auto-complete functions
16
Q

Compressed Webmail Remnants

A
  • Webmail is often compressed
  • Cache may not be in HTML format
  • File signature analysis might be required to identify compressed (zip) files
17
Q

Mobile E-mail

A
  • Mobile devices receive email from a webmail or corporate server
    • Mail often stored in both locations
  • Consider Mobile Device Management (MDM)
    • Phone, SMS/MMS, BBM, & PIN metadata logs
    • MDM, like BlackBerry UEM & Global Relay, may archive content (Android/BlackBerry only)
  • Look for local backup copies
    • .PST, BlackBerry .BBB/.IPD, and Android .ab files
    • iOS “Apple Computer” folder, or search for manifest.plist
18
Q

Windows Search Database (.edb)

A
  • Collects - Files, emails, content-related items

Location

  • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb (Win7+)
  • C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb (XP)
19
Q

ESE NT Utilities - Windows.edb

A
  • The esentutl tool is used for defragmentation, recovery, integrity checking, data dumping, and repair of ESE databases
20
Q

Thumbnail Forensics - thumbs.db (2)

A
  • Hidden file in a directory where images exist on the machine; stores smaller thumbnail graphics of them
  • thumbs.db catalogs pictures in a folder & stores a copy of the thumbnail even if the pictures were deleted
    • WinXP - Automatically created anywhere
    • Win7/8/10 - Automatically created anywhere accessed via a UNC path (local to remote)
      • GoPro - Displays on camera screen
  • Includes thumbnail of pic/doc, last mod (XP), original filename (XP)

Location

  • C:\Users\“user”\Documents (Win7)
21
Q

Win7/Win8/Win10 Thumbcache

A
  • Thumbnails only (S - 32, M - 96, L - 256, XL - 1024)
  • Location MIGHT be stored; date/time not stored

Location

  • C:\Users\“user”\AppData\Local\Microsoft\Windows\Explorer
22
Q

Mapping Filenames to Thumbcache

A
  • Windows.edb & Thumbcache
  • Windows.edb CANNOT be dirty; it must be recovered first
23
Q

Recycle Bin Forensics

A
  • Hidden system folder
    • Subfolder is created per user SID
    • Contains recovery files
  • “Recycler” - 2000/NT/XP/2003 (before Vista)
    • Hidden file in the directory called “INFO2”
    • INFO2 contains deleted time & original filename
    • INFO2 maps the recycle bin filename to the time & date the file was deleted, as well as the true filename (full path name, time, & date)
  • Filename stored in both ASCII & Unicode
  • “$Recycle.bin” - Vista+
    • Deleted time & original filename contained in separate files for each deleted recovery file
24
Q

Win7/Win8/Win10 Recycle Bin

A
  • Under $Recycle.bin & SID
    • Files prefixed $I###### contain the original path & name, and the recycled/deleted date & time
    • Files prefixed $R###### contain the actual file recovery data, i.e. the original file that was moved into the recycle bin
25
Q

Parsing Recycle Bin (recbin.exe)

A
  • Parses the contents of INFO2 or $I files
26
Q

Windows 10 Timeline (4)

A
  • Visible
    • Edge (browsing history)
    • Office 2016 suite (files accessed)
    • Windows Photo Viewer (photos viewed)
    • Other Windows apps & more promised
  • Not visible
    • App exe
    • Focus count per application

Location

  • C:\Users\“user”\AppData\Local\ConnectedDevicesPlatform\L.\ActivitiesCache.db
  • Parser: WxTCmd.exe
27
Q

Windows Prefetch Superfetch (5)

A
  • WinXP+ = C:\Windows\Prefetch
  • Increases performance of the system by pre-loading code pages
  • Cache manager monitors all files & directories & maps them into a .pf file
  • Shows app execution (what & when)
  • XP - 7 limited to 128 files; 1024 limit for Win8+
  • Disabled on systems with an SSD; enabled by default otherwise
  • Win10 - Prefetch files are compressed
  • layout.ini contains the original path names of files located in Prefetch
28
Q

Prefetch Analysis

A
  • Date/time the .exe was first executed
    • Creation date of the .pf file, minus 10 secs
  • Date/time of the last execution
    • Exact time stored in the .pf file
    • Win8+ - last 8 run times stored
    • Last modified date of the .pf file, minus 10 secs
29
Q

What can SRUM tell us?

A
  • Processes run - AppID & path, executing user, app energy usage, bytes sent, bytes received
  • Network activity - Network interface, network name, bytes sent/received, connection time/duration
  • App push notifications - AppID, user, payload size
  • Energy usage - Charge capacity, charge level, time
30
Q

SRUM Database & Registry Locations

A
  • 30 to 60 days of historical system performance
  • Networks connected to, duration of connection, and bandwidth usage per hour
  • Apps run, user account responsible for each, and bytes sent/received per application per hour
  • App push notifications & payload size of each notification
  • Energy usage including battery charge & CPU cycles

Location

  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions
  • C:\Windows\System32\SRU
31
Q

SRUM Registry Keys

A
  • Under the SRUM registry key there are 3 subkeys
    • Parameters
    • Telemetry
    • Extensions
  • Temporary data is written to 5 subkeys in Windows 8.1 & 6 subkeys in Windows 10 that correspond to the tables in the SRUM database
32
Q

Windows Events

A
  • Records:
    • Software
    • Hardware
    • OS functions
    • Security
  • Multiple events = event log
33
Q

Event Log Analysis

A
  • What - Event ID, event category, description
  • Date/Time - Timestamp
  • Users involved - User account, description
  • Systems involved - Hostname, IP address
  • Resources accessed - Files, folders, printers, services
34
Q

Where to find Event Logs

A
  • NT/Win2000/XP/Server 2003
    • .evt file type
    • %Systemroot%\System32\Config
    • Filenames - SecEvent.evt, AppEvent.evt, SysEvent.evt
  • Win Vista, 7-10 & Server 2008, 2012, 2016
    • .evtx file type
    • Remote log server
    • Filenames - SecEvent.evtx, Application.evtx, SysEvent.evtx - %Systemroot%\System32\winevt\logs
35
Q

.evtx Log Format

A
  • Memory efficiencies - cost effective
  • XML & filtering
  • Improved messaging
    • IP address
    • Event IDs changed
  • Expanded number of event logs
    • Increased granularity of audit controls
36
Q

Types of Event Logs

A
  • Security - Records access control & security settings; events based on audit/group policy (failed logon, folder access)
  • System - Events related to Windows services, system components, drivers, resources (service stopped, system rebooted)
  • Application - Software events unrelated to the OS (SQL Server fails to access a database)
  • Custom - Custom app logs (server logs with directory service, DNS server, & file replication service)
37
Q

Applications and Services Logs

A
  • Stored with the standard events
    • %Systemroot%\System32\winevt\logs
  • Setup - Records installation & update info for Windows
  • Forwarded Events - Repository for events retrieved from other systems
  • Applications & Services - Over 60 logs (Task Scheduler, RDP, Windows Firewall, Windows Defender)
38
Q

Security Log

A
  • Most commonly reviewed log in forensics
    • User auth/logon,
    • behavior & actions,
    • File/folder/share access,
    • Security settings
  • Failure and success can be audited
    • Detailed logging can be enabled on specific user accounts
  • Only LSASS can update it
39
Q

What is Recorded? Security Event Categories

A
  • Account Logon
  • Account Management
  • Directory Service
  • Logon events
  • Object access
  • Policy change
  • Privilege Use
  • Process tracking
  • System events
40
Q

Event Types

A
  • Error
  • Warning
  • Information
  • Success Audit
  • Failure Audit
41
Q

Identifying Logon Sessions

A
  • Use the Logon ID to link a logon with its logoff and determine the session length
  • Session time = (25m)