|
|
|
Daily Blog 170 Solving Sunday Funday 12 1 13 Part 4 USN Anaysis of non outlook attachments |
Si vous voulez bloquer ce service sur vos fils RSS
Si vous voulez nous contacter ou nous proposer un fil RSS
Menu > Articles de la revue de presse : - l'ensemble [ tous | francophone] - par mots clé [ tous] - par site [ tous] - le tagwall [ voir] - Top bi-hebdo de la revue de presse [ Voir]
Présentation : Hello Reader, We've talked quite a bit about the USN Journal by this point in its use to analyze attachment access from Outlook 2007 on Windows 7. Today I wanted to extend the discussion to what the USN Journal contains when a non outlook 2007 attachment is accessed. The USN Journal seems simple when you first review it, but the underlying meaning of its reasons codes are not as simple as they appear. I created a file in c users suspect documents called 'test.txt' and populated it with one line of information. This is what the USN Journal shows for that initial creation and save File Creation This is where it gets interesting, notice the first line says the reason coed is File_Create, this is in fact what happened at this point. However as line 2 with USN number 2363040 shows we have another File_Create reason code here with a close. This is tricky though as the file is not being created again at this point, just the handle being closed from the initial creation. Based on our testing we can see we have three more file_create reason codes listed at 23693488, 23693568, and 23693648. File Deletion What is even stranger than the file_create is the file_delete we see in USN 23693120, the file was not deleted. The file handle that was used to create and then open the file was. This is important to understand and can greatly affect your conclusions when you are looking at USN data, so always check your assumptions carefully as to when a file is actually being created and deleted against other sources such as the logfile, mft and timestamps from shell items. File Modification You can see when I placed data into the notepad document in USNs 23693568 and 23693658 shows the Data_Extend reason code. Data_Extend will be seen whenever additional data is written to a file. File Close Within this USN log you would think I have closed this file three times within the same minute. The first close is seen on USN 23693040 and refers to when the file was first created. The second close is seen on USN 23683120 is when the file handle was closed from the creation. The third close on USN 23694560 is from when I saved the file after changing its contents. At this point I have created a text file, opened it in notepad and added a line of text to it. I left it open at this point for 4 hours and then went back and added one more line of data as can be seen below As you would expect and saw in the prior section I have a data_extend again, but this time we also have a data_overwrite. If the prior contents of a file are being changed you will see a data_overwrite. I then saved my changes resulting in the close that you see in USN 23975120 and closed the application. Lastly I waited 13 minutes and then deleted the file from the file system using a shift delete within explorer to skip the recycle bin as seen below In this case I actually did delete the file, but there is nothing special about this reason code that separates it from the same code was saw when I first created the file. Here again you as an examiner need to look into what the USN reason code is actually referring to. Conclusions The USN Journal shows without additional analysis that a file called test.txt was accessed by me during this time frame. We can also state that files are modified and changed when Data_extend and Data_overwrite as these only seem to be logged on file content changes. These facts are something you can rely on and testify to. What the USN Journal needs additional analysis to verify is The total time of usage of the file as a file close open does not correspond to the total time a file is open for When a file is created for the first time as the USN records all file handles as creates. When a file is deleted from the file system as file handle closes also create these reason codes. We can reach these additional analysis points with analysis comparing these files to their timestamps and actions from other artifacts on the system. Tomorrow let's do just that and show how to determine the actual creation and deletion times.
Les mots clés de la revue de presse pour cet article : outlook
Les videos sur SecuObs pour les mots clés : solving
Les derniers articles du site "Hacking Exposed Computer Forensics Blog" :
- Automating DFIR - How to series on programming libtsk with python Part 10
- Automating DFIR - How to series on programming libtsk with python Part 9
- Forensic Lunch 2 27 15 - Ben LeMere, Lee Whitfield and Robin Keir
- Automating DFIR - How to series on programming libtsk with python Part 8
- Automating DFIR - How to series on programming libtsk with python Part 7
- Automating DFIR - How to series on programming libtsk with python Part 6
- Automating DFIR - How to series on programming libtsk with python Part 5
- Automating DFIR - How to series on programming libtsk with python Part 4
- Automating DFIR - How to series on programming libtsk with python Part 3
- Automating DFIR - How to series on programming libtsk with python Part 2
Menu > Articles de la revue de presse : - l'ensemble [ tous | francophone] - par mots clé [ tous] - par site [ tous] - le tagwall [ voir] - Top bi-hebdo de la revue de presse [ Voir]
Si vous voulez bloquer ce service sur vos fils RSS :
- avec iptables "iptables -A INPUT -s 88.190.17.190 --dport 80 -j DROP"
- avec ipfw et wipfw "ipfw add deny from 88.190.17.190 to any 80"
- Nous contacter par mail
| Mini-Tagwall des articles publiés sur SecuObs : | | | | sécurité, exploit, windows, attaque, outil, microsoft, réseau, audit, metasploit, vulnérabilité, système, virus, internet, usbsploit, données, source, linux, protocol, présentation, scanne, réseaux, scanner, bluetooth, conférence, reverse, shell, meterpreter, vista, rootkit, détection, mobile, security, malicieux, engineering, téléphone, paquet, trames, https, noyau, utilisant, intel, wishmaster, google, sysun, libre |
| Mini-Tagwall de l'annuaire video : | | | | curit, security, biomet, metasploit, biometric, cking, password, windows, botnet, defcon, tutorial, crypt, xploit, exploit, lockpicking, linux, attack, wireshark, vmware, rootkit, conference, network, shmoocon, backtrack, virus, conficker, elcom, etter, elcomsoft, server, meterpreter, openvpn, ettercap, openbs, iphone, shell, openbsd, iptables, securitytube, deepsec, source, office, systm, openssh, radio |
| Mini-Tagwall des articles de la revue de presse : | | | | security, microsoft, windows, hacker, attack, network, vulnerability, google, exploit, malware, internet, remote, iphone, server, inject, patch, apple, twitter, mobile, virus, ebook, facebook, vulnérabilité, crypt, source, linux, password, intel, research, virtual, phish, access, tutorial, trojan, social, privacy, firefox, adobe, overflow, office, cisco, conficker, botnet, pirate, sécurité |
| Mini-Tagwall des Tweets de la revue Twitter : | | | | security, linux, botnet, attack, metasploit, cisco, defcon, phish, exploit, google, inject, server, firewall, network, twitter, vmware, windows, microsoft, compliance, vulnerability, python, engineering, source, kernel, crypt, social, overflow, nessus, crack, hacker, virus, iphone, patch, virtual, javascript, malware, conficker, pentest, research, email, password, adobe, apache, proxy, backtrack |
|
|
|
|
|
