이 블로그 게시물은 Daniel Ogden 및 Alexis Brignoni와 공동으로 수행한 연구를 기반으로 합니다.
Geraldine Blay가 작성한 게시물
격리와 격리의 이 시기에 우리는 가상으로만 공유할 수 있습니다.iOS/MacOS 플랫폼에서 추억을 공유할 수 있는 방법 중 하나는 공유 앨범(이전에는 iCloud 사진 공유)을 사용하는 것입니다.공유 앨범을 통해 사용자는 선택한 사람들과 사진 및 비디오를 공유할 수 있으며 구독자는 자신의 사진 및 비디오를 추가하고 댓글을 달 수 있습니다.
1. 테스트 전화의 공유 앨범 - Apple ID와 연결된 이메일을 사용하여 두 명의 사용자와 공유합니다.
2. 다른 iOS 장치의 공유 앨범 - 테스트 전화에 공유됨.
3. 장치가 비행기 모드(및 네트워크 연결이 끊긴 상태)에 있는 동안 생성된 공유 앨범.따라서 수신자는 전화 추출이 완료되기 전에 요청을 수신/수락할 수 없습니다.
참고: 테스트의 이 특정 부분에서 흥미로운 일이 발생했습니다.전화기는 대략 8-10시간 후에 비행기 모드에서 해제되었고 앨범은 어디에도 없었습니다.앨범을 공유한 사용자가 알림을 받았지만 휴대전화에서 사라졌습니다.
4. 테스트 전화에서 생성된 공유 앨범 – 두 명의 사용자와 공유되었으며 그 중 한 명은 위의 항목 1에 언급된 첫 번째 앨범에 대한 초대를 이미 수락했습니다.
5. macOS에서 생성된 공유 앨범.초대장이 테스트 전화로 전송되었고 수락되었습니다. 전화에 표시된 앨범 제목을 볼 수 있었지만 사진이 전송되기 전에 전화가 비행기 모드로 전환되었습니다.** 휴대전화가 비행기 모드에서 해제되고 사진이 전송되어 차이점을 확인하기 위해 다른 추출도 수행되었습니다.**
6. 테스트 전화에서 공유 앨범이 생성되었고 다른 iOS 사용자에게 초대가 공유되었으며 전화가 비행기 모드로 설정되었습니다.우리는 테스트의 파트 3을 반복하는 것에 대해 궁금했습니다. 이번에는 전화기가 8-10시간이 아닌 짧은 시간 동안만 비행기 모드로 유지되었습니다.전에 남아있었습니다.
7. 사용자의 Apple ID와 연결된 전화 번호를 사용하여 사용자와 공유된 테스트 전화에서 공유 앨범이 생성되었습니다.
전체 파일 시스템 checkm8 추출(UFED 4 PC 사용)은 앨범이 생성되기 전에 기준선으로 획득되었습니다.또한 위에서 언급한 각 앨범이 생성된 후에 전체 파일 시스템 checkm8 추출을 얻었습니다.Physical Analyzer 7.35 및 iLEAPP v 1.6을 사용하여 추출을 처리했습니다.
결과
아래 스크린샷 은 기준 이미지를 촬영할 때PhotoCloudSharingData 디렉터리의 기본 구조를 보여줍니다. 이 시점에서 공유 앨범을 받거나 추가하지 않았습니다.여기에는 Caches 및 INFLIGHT_JOBS 하위 디렉터리와 서버 구성 파일이 포함되어 있습니다.
diskcacherepository.plist 파일 을 제외하고 Caches 하위 디렉토리는 비어 있습니다.
테스트 장치에서 공유 앨범이 생성되면 private/var/mobile/Media/PhotoData/PhotoCloudSharingData/디렉터리에 다음과 같은 몇 가지 항목이 포함됩니다.
DsID*(private/var/mobile/Media/PhotoData/PhotoCloudSharingData/<DsID>)로 명명된 하위 디렉토리 내에서 공유 앨범을 찾습니다.
*참고: iPhone Wiki에 따르면 DsID는 Directory Services Identifier를 나타내며 "AppleID 계정을 식별하는 방법"입니다(Apple 고객이 일련 번호를 가지고 있는 것처럼 생각하십시오 :-p).
이러한 각 공유 앨범( 기기 소유자의 Apple ID에서 공유되었거나 기기 소유자의 APPLE ID와공유되었는지 여부에 관계 없이 )은 별도의 GUID로
·DCIMLastDirectoryNumber (해당 앨범에 둘 이상의 DCIM 디렉토리가 있는 경우)
·DCIMLastFileNumber: DCIM 디렉토리에 있는 사진의 수를 나타냅니다.또한 이미 존재하는 공유 앨범에 사진이나 비디오를 추가하면 추가된 항목 수만큼 DCIM_CLOUD.plist의 DCIMLastFileNumber 필드가 증가함 을확인 했습니다 .
공유 앨범 내에 둘 이상의 DCIM 디렉토리가 있는 경우 어떤 일이 발생하는지 알아보려면 추가 테스트가 필요합니다.
- 앨범 제목, CloudOwnerHashedPersonID, 클라우드 소유자 이메일, 이름 및 성, 해당 앨범에 대한 공개 URL 활성화 여부, 구독 날짜(앨범이 해당 사용자와 공유된 경우) 및 클라우드 관계 상태*가 포함된Info.plist*.
CloudOwnerHashedPersonID는 아래에 설명 된 cloudSharedPersonInfos.plist 에도 나타납니다.
**참고: CloudRelationshipState 필드에 대해서는 더 많은 연구가 필요 합니다.테스트에서 "0"과 "2" 값만 찾을 수 있었습니다."Cloud Relationship State"가 "0"인 앨범도 테스트 사용자가 만든 앨범이었고 관계 상태가 "2"인 앨범은 그녀와 공유 된 앨범이었습니다.그러나 이것은 완전한 우연의 일치일 수 있으며 더 많은 테스트가 필요합니다.
- 해당 앨범의 사진/비디오가 포함된 하위 폴더.해당 디렉토리의 명명 규칙은 100CLOUD***로 나타납니다.
***참고: 공유 앨범에 이러한 디렉토리가 둘 이상 있을 수 있습니다.아직 충분한 사진/비디오가 포함된 앨범을 만들지 않았습니다. 테스트할 항목 목록에 있지만 이 블로그 게시물을 계속 지연하고 싶지는 않았습니다.위에서 언급한 DCIMLastDirectoryNumber 필드가 이와 관련이 있다고 생각합니다 .
기본 PhotoCloudSharingData 디렉토리에는diskcacherepository.plist 및 sharedAssetsPrefetchCount.plist가 포함된 Caches 라는 하위 디렉토리도 있습니다.
PhotoCloudSharingData 디렉터리에도 있는 중요한 데이터를 포함할 수 있는 다른 파일 은 다음과 같습니다.
- serverconfiguration :maxnum.ownedAlbums, maxnum.photosPerAlbum및 maxnum.commentsPerPhoto와 같은 구성 설정을 포함합니다 .
- cloudSharedEmails.plist: 이 장치와 앨범을 공유한 Apple ID와 연결된 이메일을 포함합니다(앨범이 공유되었기 때문에 테스트 장치에서 사용된 AppleID 포함).
- cloudSharedPersonInfos.plist: 테스트에서 앨범이 공유되는 즉시 이 plist는 ********-****-****-******** 형식의 GUID를 채웁니다. *******, 앨범을 공유한 사용자의 APPLE ID 이메일(초대에 사용된 경우 전화번호)이 포함됩니다.그러나 이 사용자가 공유 앨범 초대를 수락하는 경우 CloudOwnerHashedPersonID를 사용하여 다른 항목이 생성되며 여기에는 APPLE ID와 연결된 이름, 성 및 전체 이름이 포함됩니다.
In the path \Users\<username>\AppData\Local\Microsoft\Windows\Notifications you can find the database appdb.dat (before Windows anniversary) or wpndatabase.db (after Windows Anniversary).
Inside this SQLite database you can find the Notification table with all the notifications (in xml format) that may contain interesting data.
Timeline
Timeline is a Windows characteristic that provides chronological history of web pages visited, edited documents, executed applications... The database resides in the path \Users\<username>\AppData\Local\ConnectedDevicesPlatform\<id>\ActivitiesCache.db This database can be open with a SQLite tool or with the tool WxTCmdwhich generates 2 files that can be opened with the toolTimeLine Explorer.
ADS/Alternate Data Streams
Files downloaded may contain the ADS Zone.Identifier indicating how was downloaded (from the intranet, Internet...) and some software (like browser) usually put even moreinformation like the URL from where the file was downloaded.
File Backups
Recycle Bin
In Vista/Win7/Win8/Win10 the Reciclye Bin can be found in the folder $Recycle.bin in the root of the drive (C:\$Reciycle.bin). When a file is deleted in this folder are created 2 files:
Having these files you can sue the tool Rifiuti to get the original address of the deleted files and the date it was deleted (use rifiuti-vista.exe for Vista – Win10).
Shadow Copy is a technology included in Microsoft Windows that can create backup copies or snapshots of computer files or volumes, even when they are in use. These backups are usually located in the \System Volume Information from the roof of the file system and the name is composed by UIDs as in the following image:
Mounting the forensics image with the ArsenalImageMounter, the tool ShadowCopyView can be used to inspect a shadow copy and even extract the files from the shadow copy backups.
The registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore contains the files and keys to not backup:
The registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS also contains configuration information about the Volume Shadow Copies.
Office AutoSaved Files
You can find the office autosaved files in : C:\Usuarios\\AppData\Roaming\Microsoft{Excel|Word|Powerpoint}\
Shell Items
A shell item is an item that contains information about how to access another file.
Recent Documents (LNK)
Windows automaticallycreates these shortcuts when the user open, uses or creates a file in:
When a folder is created, a link to the folder, to the parent folder and to the grandparent folder is also created.
These automatically created link files contain information about the origin like if it's a fileor a folder, MACtimes of that file, volume information of where is the file stored and folder of the target file. This information can be useful to recover those files in case they were removed.
Also, the date created of the link file is the first time the original file was firstused and the datemodified of the link file is the lasttime the origin file was used.
In this tools you will find 2 set of timestamps: FileModifiedDate, FileAccessDate and FileCreationDate, and LinkModifiedDate, LinkAccessDate and LinkCreationDate. The first set of timestamp references the timestamps of the link file itself. The second set references the timestamps of the linked file.
You can get the same information running the Windows cli tool: LECmd.exe
In this case the information is going to be saved inside a CSV file.
Jumplists
These are the recent files that are indicated per application. It's the list of recent files used by an application that you can access on each application.
They can be created automatically or be custom.
The jumplists created automatically are stored in C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\. The jumplists are named following the format {id}.autmaticDestinations-ms where the initial ID is the ID of the application.
The custom jumplists are stored in C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\CustomDestination\ and they are created by the application usually because something important has happened with the file (maybe marked as favorite)
The created time of any jumplist indicates the first time the file was accessed and the modified time the last time.
It's possible to identify that a USB device was used thanks to the creation of:
Note that some LNK file instead of pointing to the original path, points to the WPDNSE folder:
The files in the folder WPDNSE are a copy of the original ones, then won't survive a restart of the PC and the GUID is taken from a shellbag.
Registry Information
Check this page to learn which registry keys contains interesting information about USB connected devices.
setupapi
Check the file C:\Windows\inf\setupapi.dev.log to get the timestamps about when the USB connection was produced (search for Section start).
USB Detective
USBDetective can be used to obtain information about the USB devices that have been connected to an image.
Plug and Play Cleanup
The 'Plug and Play Cleanup' scheduled task is responsible for clearing legacy versions of drivers. It would appear (based upon reports online) that it also picks up drivers which have not been used in 30 days, despite its description stating that "the most current version of each driver package will be kept". As such, removable devices which have not been connected for 30 days may have their drivers removed. The scheduled task itself is located at ‘C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Plug and Play Cleanup’, and its content is displayed below:
The task references 'pnpclean.dll' which is responsible for performing the cleanup activity additionally we see that the ‘UseUnifiedSchedulingEngine’ field is set to ‘TRUE’ which specifies that the generic task scheduling engine is used to manage the task. The ‘Period’ and ‘Deadline’ values of 'P1M' and 'P2M' within ‘MaintenanceSettings’ instruct Task Scheduler to execute the task once every month during regular Automatic maintenance and if it fails for 2 consecutive months, to start attempting the task during. This section was copied fromhere.
Emails
The emails contains 2 interesting parts: The headers and the content of the email. In the headers you can find information like:
Also, inside the References and In-Reply-To headers you can find the ID of the messages:
Windows Mail App
This application saves the emails in HTML or text. You can find the emails inside subfolders inside \Users\<username>\AppData\Local\Comms\Unistore\data\3\. The emails are saved with .dat extension.
The metadata of the emails and the contacts can be found inside the EDB database: \Users\<username>\AppData\Local\Comms\UnistoreDB\store.vol
Change the extension of the file from .vol to .edb and you can use the tool ESEDatabaseView to open it. Inside the Message table you can see the emails.
Microsoft Outlook
When Exchange servers or Outlook clients are used there are going to be some MAPI headers:
In the Microsoft Outlook client all the sent and received messages, contacts and calendar data is stored in a PST file in:
The registry path HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows Messagin Subsystem\Profiles\Outlook indicates the file that is being used.
When Microsoft Outlook is configured usingIMAP or using an Exchange server, it generates a OST file that stores almost the same info as the PST file. It keeps the file synchronized with the server for the last 12 months, with a max file-size of 50GB and in the same folder as the PST file is saved.
Thunderbird stores the information in MBOXfiles in the folder \Users\%USERNAME%\AppData\Roaming\Thunderbird\Profiles
Thumbnails
When a user access a folder and organised it using thumbnails, then a thumbs.db file is created. This db stores the thumbnails of the images of the folder even if they are deleted. in winXP and WIn8-8.1 this file is created automatically. In Win7/Win10, it's created automatically if it's accessed via an UNC path (\IP\folder...).
It is possible to read this file with the tool Thumbsviewer.
Thumbcache
Beginning with Windows Vista, thumbnail previews are stored in a centralized location on the system. This provides the system with access to images independent of their location, and addresses issues with the locality of Thumbs.db files. The cache is stored at %userprofile%\AppData\Local\Microsoft\Windows\Explorer as a number of files with the label thumbcache_xxx.db (numbered by size); as well as an index used to find thumbnails in each sized database.
The Windows Registry Contains a lot of information about the system and the actions of the users.
The files containing the registry are located in:
From Windows Vista and Windows 2008 Server upwards there are some backups of the HKEY_LOCAL_MACHINE registry files in %Windir%\System32\Config\RegBack\. Also from these versions, the registry file %UserProfile%\{User}\AppData\Local\Microsoft\Windows\USERCLASS.DAT is created saving information about program executions.
Tools
Some tools are useful to analyzed the registry files:
Recovering Deleted Element
When a key is deleted it's marked as such but until the space it's occupying is needed it won't be removed. Therefore, using tools like Registry Explorer it's possible to recover these deleted keys.
Last Write Time
Each Key-Value contains a timestamp indicating the last time it was modified.
SAM
The file/hive SAM contains the users, groups and users passwords hashes of the system. In SAM\Domains\Account\Users you can obtain the username, the RID, last logon, last failed logon, login counter, password policy and when the account was created. In order to get the hashes you also need the file/hive SYSTEM.
Inside the registry NTUSER.DAT in the path Software\Microsoft\Current Version\Search\RecentApps you can subkeys with information about the application executed, last time it was executed, and number of times it was launched.
BAM
You can open the SYSTEM file with a registry editor and inside the path SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID} you can find the information about the applications executed by each user (note the {SID} in the path) and at what time they were executed (the time is inside the Data value of the registry).
Windows Prefetch
Prefetching is a technique that allows a computer to silently fetch the necessary resources needed to display content that a user might access in the near future so resources can be accessed in less time.
Windows prefetch consist on creating caches of the executed programs in order to be able to load them faster. These caches as created as .pf files inside the path: C:\Windows\Prefetch. there is a limit of 128 files in XP/VISTA/WIN7 and 1024 files in Win8/Win10.
The file name is created as {program_name}-{hash}.pf (the hash is based on the path and arguments of the executable). In W10 these files are compressed. Note that the sole presence of the file indicates that the program was executed at some point.
The file C:\Windows\Prefetch\Layout.ini contains the names of the folders of the files that are prefetched. This file contains information about the number of the executions, dates of the execution and filesopen by the program.
To inspect these files you can use the tool PEcmd.exe:
Superprefetch has the same goal as prefetch, load programs faster by predicting what is going to be loaded next. However, it doesn't substitute the prefetch service. This service will generate database files in C:\Windows\Prefetch\Ag*.db.
In these databases you can find the name of the program, number of executions, filesopened, volumeaccessed, completepath, timeframes and timestamps.
You can access this information using the tool CrowdResponse.
SRUM
System Resource Usage Monitor (SRUM) monitors the resourcesconsumedby a process. It appeared in W8 and it stores the data en an ESE database located in C:\Windows\System32\sru\SRUDB.dat.
It gives the information:
This information is updated every 60mins.
You can obtain the date from this file using the tool srum_dump.
Shimcache, also known as AppCompatCache, is a component of the Application Compatibility Database, which was created by Microsoft and used by the operating system to identify application compatibility issues.
The cache stores various file metadata depending on the operating system, such as:
The Amcache.hve file is a registry file that stores the information of executed applications. It's located in C:\Windows\AppCompat\Programas\Amcache.hve
Amcache.hve records the recent processes that were run and lists the path of the files that’s executed which can then be used to find the executed program. It also record the SHA1 of the program.
You can parse this information with the tool Amcacheparser
The most interesting CVS file generated if the Amcache_Unassociated file entries.
RecentFileCache
This artifact can only be found in W7 in C:\Windows\AppCompat\Programs\RecentFileCache.bcf and it contains information about the recent execution of some binaries.
You can extract them from C:\Windows\Tasks or C:\Windows\System32\Tasks and read them as XML.
Services
You can find them in the registry under SYSTEM\ControlSet001\Services. You can see what is going to be executed and when.
Windows Store
The installed applications can be found in \ProgramData\Microsoft\Windows\AppRepository\ This repository has a log with each application installed in the system inside the database StateRepository-Machine.srd.
Inside the Application table of this database it's possible to find the columns: "Application ID", "PackageNumber", and "Display Name". This columns have information about pre-installed and installed applications and it can be found if some applications were uninstalled because the IDs of installed applications should be sequential.
It's also possible to find installed application inside the registry path: Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\ And uninstalledapplications in: Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deleted\
Windows Events
Information that appears inside Windows events:
The logs are located in C:\Windows\System32\config before Windows Vista and in C:\Windows\System32\winevt\Logs after Windows Vista.
Before Windows Vista the event logs were in binary format and after it, they are in XML format and use the .evtx extension.
The location of the event files can be found in the SYSTEM registry in HKLM\SYSTEM\CurrentControlSet\services\EventLog\{Application|System|Security}
These event register the accesses and give information about the security configuration. they can be found in C:\Windows\System32\winevt\Security.evtx.
The max size of the event file is configurable, and it will start overwriting old events when the maximum size is reached.
Events that are registered:
Events related to the user authentication:
EventID
Description
4624
Successful authentication
4625
Authentication error
4634/4647
log off
4672
Logon with admin permissions
Inside the EventID 4634/4647 there are interesting sub-types:
The Status and sub status information of the event s can indicate more details about the causes of the event. For example take a look to the following Status and Sub Status Codes of the Event ID 4625:
Recovering Windows Events
It's highly recommended to turn off the suspicious PC by unplugging it to maximize the probabilities of recovering the Windows Events. In case they were deleted, a tool that can be useful to try to recover them is Bulk_extractor indicating the evtx extension.
Identifying Common Attacks with Windows Events
Brute-Force Attack
A brute-force attack can be easily identifiable because several EventIDs 4625 will appear. If the attack was successful, after the EventIDs 4625, an EventID 4624 will appear.
Time Change
This is awful for the forensics team as all the timestamps will be modified. This event is recorded by the EventID 4616 inside the Security Event log.
USB devices
The following System EventIDs are useful:
The EventID 112 from DeviceSetupManager contains the timestamp of each USB device inserted.
Turn Off / Turn On
The ID 6005 of the "Event Log" service indicates the PC was turned On. The ID 6006 indicates it was turned Off.
Logs Deletion
The Security EventID 1102 indicates the logs were deleted.
