<div class="MsoNormal">
<b>VDI-in-a-Box Analysis Results</b> (dig4n6, Ethan Fleisher, July 25, 2013)</div>
<div class="MsoNormal">
<i>dig4n6: This blog is dedicated to computer forensic research and topics that I come across that I feel are both beneficial to the forensic community and interesting/useful information to read. This is my own personal opinion and work and does not reflect any entity except for myself unless expressed otherwise.</i></div>
<div class="MsoNormal">
Despite the fact that my capstone thesis was completed over
three months ago, it has been a struggle to write this post. Hopefully it doesn't read too much like a paper, although that was hard to avoid. The full paper is not publicly
available as of right now, but hopefully will be some time in the near future. Please reach out with any questions relating
to the research, the subject, my process, or anything else.<br />
<br /></div>
<div class="MsoNormal">
Although it was highlighted in my prior blog
posts, I feel it is necessary to outline the importance of this research
again with a little more detail.<br />
<br />
<b>Note: Clicking the pictures will enlarge them. I formatted most of them to be easy enough to read, but some need enlarging.</b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<i>Why is this important
to us?</i></div>
<div class="MsoNormal">
<i><br /></i></div>
<div class="MsoNormal" style="margin-left: .5in;">
Technology is an ever-evolving
creature. In the world of digital
forensics, keeping up to speed with the constant changes is an
absolute must. Doing so makes not
only for a better investigator, but for a greater impact on the work that needs to
be done. With the recent boom in
“cloud computing” and “virtualization,” digital forensic examiners find
themselves needing to immerse themselves in a new era of investigation. According to the State of SMB IT Report,
written by Spiceworks, the trends in the adoption of virtualization and cloud
computing have been on a constant rise.
In the first half of 2010, 44% of small to midsized
businesses (SMBs) were using virtualized products. Going forward, it is estimated that nearly
79% of SMBs will be using virtualized platforms (Sweeney).</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiju9B-kKKtAcn5uhgsj3O_Cmn26LnxJ1uY3QrltwZQSmoghJOAGYbBWDOIJFzu_Qo1585HBNqKP61Fl_PHCtPRx_dJ3iufdspkn5tUvTQBjmHechKtYB_E18hvTVFxbRI0Fsod2ICLIcJE/s1600/pic1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="321" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiju9B-kKKtAcn5uhgsj3O_Cmn26LnxJ1uY3QrltwZQSmoghJOAGYbBWDOIJFzu_Qo1585HBNqKP61Fl_PHCtPRx_dJ3iufdspkn5tUvTQBjmHechKtYB_E18hvTVFxbRI0Fsod2ICLIcJE/s640/pic1.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 1: State of SMB IT Report, November 2012,
Spiceworks (Source: Sweeney)</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
With such a dramatic increase in
the implementation of virtualized software, it is extremely pertinent that
digital forensic investigators begin to understand the logic of these systems and
what evidence can be found on them.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
Two of the most common vendors
that investigators will see in practice are VMware, with its patented VMware
Workstation, and Citrix, with its XenDesktop and VDI-in-a-Box
platforms. The low long-term cost of
these products allows small and large companies alike to implement and
maintain these technologies. According
to Phil Hochmuth of Forbes, “Providers of VDI technology say their systems can
save between 30% and 50% of the current cost for IT administrators to manage,
patch, upgrade and support employees' PCs in a client/server environment. By
some estimates, this could cut the annual per-desktop support cost from around
$530 to $376--a savings which can add up for the larger the organization,” (<a href="http://www.forbes.com/2010/01/12/desktop-virtualization-software-business-intelligence-hochmuth.html">Hochmuth</a>). With an increased return on investment,
companies that deploy VDIs will quickly advertise and transition partner
companies to similar technologies.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
Unfortunately, with all good comes
some bad, and the implementation of cloud computing is no different. As virtualization becomes more prevalent in
business practice, malicious code and malware will quickly turn towards
attacking cloud computing. “Attackers
will go where users go, so it should come as no surprise that mobile platforms
and cloud services will be high-risk targets for attacks and breaches in 2013.
The rapid rise in malware on Android in 2012 confirms this,” (Powledge). As attackers move towards cloud services and
online platforms, it becomes more necessary not only to secure them better, but
to be able to analyze and examine what happened after an attack and where the
vulnerabilities lie. According to
Symantec, “the median cost of downtime for an SMB is $12,500 per day,” (Powledge). If a small business can lose this much
money while being down for such a short period of time, imagine the
ramifications if a large company like Amazon were hit for even two hours. It cannot be overstated:
digital forensic examiners must be prepared for this to happen, as it is
inevitable.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal">
<i>So, what are virtual
desktop environments?</i></div>
<div class="MsoNormal">
<i><br /></i></div>
<div class="MsoNormal" style="margin-left: .5in;">
A Virtual Desktop Infrastructure is
simply cloud computing. Virtualization changes the information
technology workplace. Desktops and
workstations can be set up, configured, and distributed in merely minutes instead
of hours or days. Costs are reduced
after the initial investment while security and machine integrity are
increased. The user experience becomes
easier than before, allowing employees to connect remotely and work from
anywhere. Centralized storage provides
administrators and incident responders with a plethora of information at their
fingertips in the event of an emergency or breach.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
An extremely popular company in the
VDI business is Citrix. Through its
XenDesktop, XenApp, and VDI-in-a-Box products, Citrix has emerged as a
forerunner, and major companies everywhere use its products. According to Eric Savitz of Forbes in his
article entitled Citrix Shares Rally As Q4 Results Crush Street Estimates, “the
enterprise software company posted revenue of $740 million, up 19% from a year
ago, and ahead of the Street consensus at $705.7 million,” (<a href="http://www.forbes.com/sites/ericsavitz/2013/01/30/citrix-shares-rally-as-q4-results-crush-street-estimates/">Savitz</a>). It is rather clear from these numbers that
investment in cloud computing is booming and that companies of all sizes are
transitioning. Citrix is among the top
VDI providers, and as such, is the focal point of this research.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal">
<i>Now we understand why
this is important and what they are, so what am I doing?</i></div>
<div class="MsoNormal">
<i><br /></i></div>
<div class="MsoNormal" style="margin-left: .5in;">
VDI-in-a-Box is a unique toolset
that provides a network administrator with all of the tools necessary to deploy
a VDI to a business. Using
only a few physical machines, VDI-in-a-Box can be set up and
running in a very short time. Considering that
small to midsized businesses are the target audience for this product and that
so many are already making the transition, VDI-in-a-Box version 5.2.0 is the
software being analyzed.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp-DLVSNNCXiQQwQ6uq6ny44i1eg2wfUrHTAWdB9RjMiFgcNQmEAgMtcRcpm3xLcdlLfk_Oo5Xteq4ivL27dRCKHFksZzN5mSVLId0icKwbN6CA0cbYBv05ISQA5hLPmV7Z2PVM4bXiFYr/s1600/pic2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp-DLVSNNCXiQQwQ6uq6ny44i1eg2wfUrHTAWdB9RjMiFgcNQmEAgMtcRcpm3xLcdlLfk_Oo5Xteq4ivL27dRCKHFksZzN5mSVLId0icKwbN6CA0cbYBv05ISQA5hLPmV7Z2PVM4bXiFYr/s640/pic2.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 2: Citrix VDI-in-a-Box Version 5.2</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal">
<i>How did I go about
doing this then?</i></div>
<div class="MsoNormal">
<i><br /></i></div>
<div class="MsoNormal" style="margin-left: .5in;">
Acquisition of a Citrix Virtual
Desktop Infrastructure required a great deal of trial and error. Because some of the
enterprise-level tools could not be used due to licensing limitations, and others did not
support remote imaging of a server, Windows Secure Copy (WinSCP) over port
22 was used to capture a live image.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
The XenServer itself, being the
physical hypervisor, was the primary acquisition target, in the hope of finding all
the virtual machines stored on it.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSnsDWoL3VAzsozgp4vtjsRuh_ny0nKgeTKQI8PyLi8hDRAD76LoumcubPqSYeJgeFPRvu9P-L9gGjlMfTQFwP7ZjV17XVaGe1dZfH4eGtHICW0u0VZWVq-knB0YTYbsv8UZt7K9lk3zyF/s1600/pic3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSnsDWoL3VAzsozgp4vtjsRuh_ny0nKgeTKQI8PyLi8hDRAD76LoumcubPqSYeJgeFPRvu9P-L9gGjlMfTQFwP7ZjV17XVaGe1dZfH4eGtHICW0u0VZWVq-knB0YTYbsv8UZt7K9lk3zyF/s320/pic3.png" width="198" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 3: XenCenter VM Pool</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
WinSCP is a program that gives the
user a graphical interface to the secure copy protocol and allows a
choice of what information to copy. By
entering a server address and administrative credentials, WinSCP creates a
secure connection to the remote machine, allowing information to be viewed or
duplicated.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_otIArV8sbpvuB-tHuhCuP7RCMqXDWy1folGwDsmZILqB_1wIq9V8OxUgCX8q0c08NhXKGkbPF4Reg93eDsu6H9PnQ-uJ-cNTvEj_ZHih_7sfZV2FdUovz5rdQqppp5MtBA8ceF_sloY4/s1600/pic4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="355" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_otIArV8sbpvuB-tHuhCuP7RCMqXDWy1folGwDsmZILqB_1wIq9V8OxUgCX8q0c08NhXKGkbPF4Reg93eDsu6H9PnQ-uJ-cNTvEj_ZHih_7sfZV2FdUovz5rdQqppp5MtBA8ceF_sloY4/s400/pic4.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 4: WinSCP Login Prompt</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
Once logged into the server, WinSCP
presents the user with a side-by-side view of the remote machine and
the local machine. At this point, the
entire folder structure of the server was copied over in an
attempt to create the closest thing to a logical image possible.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsJ6WmelwezByXLUFyv2b1J99fqKjVDCyJ7TCxwh64RabYQOYpVp2WJShtBRz9wPOnAjhXGI9yTr3pI4PCexaaGGO7olETEL_aytcMLID9K9C8SdyjlKUpWS4GssS1K-6YhUb5afURLCP7/s1600/pic5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="299" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsJ6WmelwezByXLUFyv2b1J99fqKjVDCyJ7TCxwh64RabYQOYpVp2WJShtBRz9wPOnAjhXGI9yTr3pI4PCexaaGGO7olETEL_aytcMLID9K9C8SdyjlKUpWS4GssS1K-6YhUb5afURLCP7/s640/pic5.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 5: WinSCP File Transfer Session</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
It is important to note that
multiple errors occurred while copying files and folders from the server to the
examination machine. Each error caused
the file being copied to fail and not copy successfully. The errors typically read either “Can’t
create file…” or “…not a regular file.”</div>
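<div class="MsoNormal" style="margin-left: .5in;">
The two error classes above are exactly what a file-level copy to a Windows examination box runs into on a Linux server tree, so a pre-flight triage is worth running before (or alongside) the WinSCP session. The script below is an added example, not code from the original post or from WinSCP. It walks a tree, separates what a file-level copy can carry from what it cannot, and produces a SHA-256 manifest of the copied files for the acquisition notes. Which conditions produced the post's two messages is an assumption here: "not a regular file" is treated as sockets, FIFOs and device nodes, and "Can't create file" as names that Windows will not accept. The sample tree it builds in a temporary directory is constructed.</div>

```python
"""
Pre-flight triage for a logical copy from a XenServer file tree to a Windows
examination machine, plus a SHA-256 manifest of what was copied. Added
example, not code from the original post or from WinSCP. Which conditions
produced the post's two errors is an assumption: "not a regular file" is
treated as sockets, FIFOs and device nodes, and "Can't create file" as
names Windows will not accept. The sample tree is constructed in a temp dir.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

WINDOWS_BAD_CHARS = set('<>:"/\\|?*')
WINDOWS_RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"COM{i}" for i in range(1, 10)} \
    | {f"LPT{i}" for i in range(1, 10)}


def windows_name_problem(name: str) -> Optional[str]:
    """Why a Linux file name cannot be created as-is on NTFS/Windows, or None."""
    if name.split(".")[0].upper() in WINDOWS_RESERVED:
        return "reserved device name on Windows"
    bad = sorted({c for c in name if c in WINDOWS_BAD_CHARS})
    if bad:
        return "characters not allowed on Windows: " + "".join(bad)
    if name != name.rstrip(" ."):
        return "trailing space or dot is stripped on Windows"
    return None


def triage_tree(root: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Walk `root` without following links. Returns (copyable, skipped), where
    skipped is [(relative path, reason)] for entries a file-level copy will fail on."""
    copyable: List[str] = []
    skipped: List[Tuple[str, str]] = []
    base = Path(root)
    for dirpath, _dirs, names in os.walk(base):
        for name in names:   # os.walk lists every non-directory here, FIFOs and sockets included
            p = Path(dirpath) / name
            rel = p.relative_to(base).as_posix()
            mode = p.lstat().st_mode
            problem = windows_name_problem(name)
            if stat.S_ISLNK(mode):
                skipped.append((rel, "symbolic link; record its target instead of copying"))
            elif not stat.S_ISREG(mode):
                skipped.append((rel, "not a regular file"))
            elif problem:
                skipped.append((rel, "Can't create file: " + problem))
            else:
                copyable.append(rel)
    return sorted(copyable), sorted(skipped)


def manifest(root: str, relpaths: List[str]) -> Dict[str, str]:
    """SHA-256 per copied file, keyed by relative path, for the acquisition notes."""
    out: Dict[str, str] = {}
    for rel in relpaths:
        h = hashlib.sha256()
        with open(Path(root) / rel, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        out[rel] = h.hexdigest()
    return out


def build_sample_tree() -> str:
    """Constructed tree with one of each case so the triage can run offline."""
    root = tempfile.mkdtemp(prefix="acq-")
    etc = Path(root, "etc")
    etc.mkdir()
    (etc / "hostname").write_text("xenserver-01\n")
    (etc / "xe:config").write_text("x")            # ':' cannot appear in a Windows file name
    run = Path(root, "var", "run")
    run.mkdir(parents=True)
    os.mkfifo(run / "xapi.fifo")                   # a FIFO: "not a regular file"
    os.symlink("../../etc/hostname", run / "hostname-link")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    ok, bad = triage_tree(sample)
    for rel, why in bad:
        print(f"SKIP {rel}: {why}")
    for rel, digest in manifest(sample, ok).items():
        print(f"COPY {rel} sha256={digest}")
```

<div class="MsoNormal" style="margin-left: .5in;">
Run it against the mounted copy or, if a shell on the server is available, against the live tree before the transfer; the skipped list becomes the documented gap between the logical copy and the server, and the manifest lets the copied files be re-verified later.</div>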
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-vgdFuRLDPToMRoKA_w2hLPZTOvpMjRtbJeS0ni5ZaG1gEX0sbM_mhalTYwe306KdkzX0gpFPQZAX3WSApGa0guZG-a5ULS4gknttGfqTTKoW5jdYsBvHEahmv-UMC33Nx-j5m0-4xNTk/s1600/pic6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="165" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-vgdFuRLDPToMRoKA_w2hLPZTOvpMjRtbJeS0ni5ZaG1gEX0sbM_mhalTYwe306KdkzX0gpFPQZAX3WSApGa0guZG-a5ULS4gknttGfqTTKoW5jdYsBvHEahmv-UMC33Nx-j5m0-4xNTk/s400/pic6.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 6: "Not a regular file" error
message</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPGDWbsYQpP8JArYv3c7wz3AP5SWzc0p2sMf26OHjPtBSQui2od2GXNK7YkVHJgVgRFT10ksaoAus9M3b6sLS7dUEwdQq1rnHzHECFAXISYgsBYabk9yoBIwGDU6kptXqZqKDK3PnJcLFl/s1600/pic7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="114" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPGDWbsYQpP8JArYv3c7wz3AP5SWzc0p2sMf26OHjPtBSQui2od2GXNK7YkVHJgVgRFT10ksaoAus9M3b6sLS7dUEwdQq1rnHzHECFAXISYgsBYabk9yoBIwGDU6kptXqZqKDK3PnJcLFl/s640/pic7.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 7: "Can't create file" error
message</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
Although there were errors during the
transfer, it did complete and allowed for examination of the
drive. The most important items for
review were the virtual hard disks (VHDs) that contained information relevant
to the golden images, as well as the virtual machines that had been created.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjG0PsbIopFMjnc1hOIeSf8PM0WCSFdW86y90yws1JsuNJz0sOmw0C7D7PaMVJXEJZHxnLzmcf-chkCYi5pZUfrpOmokxp846UI3wkZSiN0vSjHxFNpEOLPDuQVVDEryjqy1nr3_s0ZwwL/s1600/pic8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjG0PsbIopFMjnc1hOIeSf8PM0WCSFdW86y90yws1JsuNJz0sOmw0C7D7PaMVJXEJZHxnLzmcf-chkCYi5pZUfrpOmokxp846UI3wkZSiN0vSjHxFNpEOLPDuQVVDEryjqy1nr3_s0ZwwL/s640/pic8.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 8: Virtual Hard Disk Storage Location</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
These virtual hard disks are stored
in a location determined during the initial setup; in this project they
were located at /var/run/sr-mount. Each
VHD is listed by a universally unique identifier (UUID). These UUIDs can be related back to specific
machines in different ways. If access to
the Citrix vdiManager is available, each virtual machine's general properties
will list its UUID. This is
extremely helpful when working with personal desktops, as their VHDs are not
deleted, so finding the UUID through vdiManager is a simple task. When working with pooled desktops, however, the
VHD files are destroyed after the machine is shut down.</div>
<div class="MsoNormal" style="margin-left: .5in;">
The destruction of pooled virtual hard disks
was an obstacle that was easily overcome by the use of
snapshots, which preserve the virtual hard disks. Much like VMware, Citrix allows
for the use of snapshots.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB3fQN3kyx7pMZl1VBHH14-QEa7GUPjNU61BV1ph6UCv-23TVV3ubZtlGDSXisq3S3XZIOOuoKy3vwoNGyFmfLk1MnZc935_T3yxxPhME7HjS3LikphyphenhyphenhNklTGKW31SSyhO3M_PLpTkKfw/s1600/pic9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="147" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB3fQN3kyx7pMZl1VBHH14-QEa7GUPjNU61BV1ph6UCv-23TVV3ubZtlGDSXisq3S3XZIOOuoKy3vwoNGyFmfLk1MnZc935_T3yxxPhME7HjS3LikphyphenhyphenhNklTGKW31SSyhO3M_PLpTkKfw/s400/pic9.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 9: XenCenter Snapshot View</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
Each of these snapshots will create
two VHDs. The user can determine which
VHDs are snapshots with a command on the XenServer command line. From the root directory of the drive, the
command xe vdi-list is-a-snapshot=true will return a list of all virtual hard
disks that are snapshots.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOFvFbFksP2ri60w0hiCBuqV1uZQrHnXh1cFp82T3BNK-hQ2XUfErbCJYa_mgUcDqA4eaOuLZu3L2NldyOs4OG9z-n_DH38NWL-TcI7TRIkrFlwE5J3vkCppHM2wKOH1zoJK9bKQdybLxh/s1600/pic10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="541" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOFvFbFksP2ri60w0hiCBuqV1uZQrHnXh1cFp82T3BNK-hQ2XUfErbCJYa_mgUcDqA4eaOuLZu3L2NldyOs4OG9z-n_DH38NWL-TcI7TRIkrFlwE5J3vkCppHM2wKOH1zoJK9bKQdybLxh/s640/pic10.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 10: XenServer Snapshot List by Command Line
Instruction</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
The list of snapshots that is
returned provides the UUID of each snapshot, the label of the golden image
it was generated from, the UUID of the storage repository holding the
snapshot, and the virtual size of the snapshot.
To verify that this command was accurately listing all snapshots,
a new snapshot was taken and the command was run again. This appended a new entry to the end of the
list and also created two new VHDs on the server.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAUDsrNfSImFZNapQTCKpIGpZgGljS_H-fRkSM3RE99N9AvYPYCFLyXubM9IgPtT9lsXTpFOX3U-A0z9V8-Sl3P9OGopPAirTLWMLUMg_z-PUnaioQia94dGQwWcgzVS0qcbF70CUzY7xQ/s1600/pic12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="369" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAUDsrNfSImFZNapQTCKpIGpZgGljS_H-fRkSM3RE99N9AvYPYCFLyXubM9IgPtT9lsXTpFOX3U-A0z9V8-Sl3P9OGopPAirTLWMLUMg_z-PUnaioQia94dGQwWcgzVS0qcbF70CUzY7xQ/s640/pic12.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 11: New Virtual Hard Disk Creation</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpZb23JfyzCAsSS-x5AsF4w4DFO29_5vDsEIGkybk4oZlxMBJr_RBf801ZYBBrr9s7KaG68rug5q3FCXUGt8oUvQFnlPMc2aanKz8fdBtueovzYli9c9Cwlju9m_W6jt_4mZDVXqQv632P/s1600/pic11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpZb23JfyzCAsSS-x5AsF4w4DFO29_5vDsEIGkybk4oZlxMBJr_RBf801ZYBBrr9s7KaG68rug5q3FCXUGt8oUvQFnlPMc2aanKz8fdBtueovzYli9c9Cwlju9m_W6jt_4mZDVXqQv632P/s1600/pic11.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 12: New Snapshot Verification</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
When using Citrix VM Protection and
Recovery, two types of snapshots can be taken with three different scheduling
options. Disk-only snapshots can be
taken that will “store the VM's disks (storage) and metadata. They are
crash-consistent and can be performed on all VM types, including Linux VMs,” (Citrix
EDocs). Disk and memory snapshots are
also available, which will “save the VM's disks (storage), metadata, and its
current memory state (RAM),” (Citrix EDocs).
Once the decision is made to perform either disk-only or disk and memory
snapshots, the administrator must choose whether to take hourly, daily, or weekly
snapshots. In any event, the snapshot
retention policy is limited to a maximum of 10 scheduled snapshots, or until
archived, with the oldest automatically deleted when this number is exceeded.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisnb7dkPeLP7qttRp3rGrX12UmBjktcLXFSX-39FHnRMsAwiBju9On4EcRN2QZccpoOTMePmpWPuB3i_j81veFphZLEoAEi5Ii7uSui4nnATcWeGlbl6E-53p_hkhVM2EwBUEHATu_VKUF/s1600/pic13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisnb7dkPeLP7qttRp3rGrX12UmBjktcLXFSX-39FHnRMsAwiBju9On4EcRN2QZccpoOTMePmpWPuB3i_j81veFphZLEoAEi5Ii7uSui4nnATcWeGlbl6E-53p_hkhVM2EwBUEHATu_VKUF/s400/pic13.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 13: Citrix VM Protection and Recovery</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
A daily or weekly archive schedule
can then be configured, independent from the scheduled snapshots, which will
archive all scheduled snapshots to a remote location for storage. Alternatively, all snapshots can be
automatically archived if the administrator wishes. When examining the archived virtual hard
disks, each archive folder is given a specific name. This naming convention will always be the VM
name followed by the first sixteen characters of the UUID. For example, if the VM name is Win7 and the
UUID is 6a88edee-5b42-453a-a60d-4605c689f338, the archive folder will be Win7_6a88edee-5b42-45. “This folder contains archived VM files, in
the YYYYMMDD-HHMM.xva form,” (Citrix RSS).<o:p></o:p></div>
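<div class="MsoNormal" style="margin-left: .5in;">
To make the naming rule concrete, the following is an added Python example, not code from the original post or from Citrix: it builds and splits archive folder names (VM name, an underscore, then the first sixteen characters of the UUID), parses YYYYMMDD-HHMM.xva names, and matches folders back to a VM inventory of the kind xe vm-list returns. The inventory and every name other than the Win7 example are constructed, and archive timestamps are treated as server-local time.</div>

```python
"""Resolve VM Protection and Recovery archive folders back to the VMs they hold.

Added example, not code from the original post or from Citrix. It encodes the
naming rule the post describes: archive folder = <VM name>_<first 16 chars of
the VM UUID>, holding archives named YYYYMMDD-HHMM.xva. SAMPLE_VMS is a
constructed inventory in the shape xe vm-list reports, not real lab output.
"""
import re
from datetime import datetime

UUID_PREFIX_LEN = 16  # the post: "first sixteen characters of the UUID"
# 16 characters of a canonical UUID: 8 hex, '-', 4 hex, '-', 2 hex
UUID_PREFIX = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{2}$")
XVA_NAME = re.compile(r"^(\d{8})-(\d{4})\.xva$")


def archive_folder_name(vm_name, vm_uuid):
    """Folder name VM Protection and Recovery derives for a VM's archives."""
    return f"{vm_name}_{vm_uuid[:UUID_PREFIX_LEN]}"


def split_archive_folder(folder):
    """Inverse of archive_folder_name: returns (vm_name, uuid_prefix).

    The UUID prefix has a fixed length, so split from the right; splitting on
    the first '_' would break VM names that themselves contain underscores.
    """
    name = folder[:-UUID_PREFIX_LEN - 1]
    sep = folder[-UUID_PREFIX_LEN - 1:-UUID_PREFIX_LEN]
    prefix = folder[-UUID_PREFIX_LEN:]
    if not name or sep != "_" or not UUID_PREFIX.match(prefix):
        raise ValueError(f"not an archive folder name: {folder!r}")
    return name, prefix


def parse_xva_name(filename):
    """YYYYMMDD-HHMM.xva -> naive datetime in server time (see /etc/timezone)."""
    m = XVA_NAME.match(filename)
    if not m:
        raise ValueError(f"not a VM Protection and Recovery archive: {filename!r}")
    return datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M")


def sort_archives(filenames):
    """Archive names oldest first; entries that are not .xva archives are skipped."""
    dated = [(parse_xva_name(n), n) for n in filenames if XVA_NAME.match(n)]
    return [n for _, n in sorted(dated)]


def match_archives(folders, vm_inventory):
    """Map each archive folder to the VM UUIDs it can belong to.

    vm_inventory is {uuid: name-label}. A 16-character prefix is normally
    unique, but returning a list makes an ambiguous match visible instead of
    silently picking one VM.
    """
    result = {}
    for folder in folders:
        name, prefix = split_archive_folder(folder)
        result[folder] = sorted(
            uuid for uuid, vm_name in vm_inventory.items()
            if vm_name == name and uuid.startswith(prefix)
        )
    return result


# Constructed sample inventory (uuid -> name-label); only Win7's UUID is from the post.
SAMPLE_VMS = {
    "6a88edee-5b42-453a-a60d-4605c689f338": "Win7",
    "11111111-2222-4333-8444-555555555555": "Win7_Finance",
    "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee": "vdiManager_Xen",
}

if __name__ == "__main__":
    folders = ["Win7_6a88edee-5b42-45", "Win7_Finance_11111111-2222-43"]
    for folder, uuids in match_archives(folders, SAMPLE_VMS).items():
        print(folder, "->", uuids)
    print(sort_archives(["20130321-0800.xva", "20130320-1709.xva"]))
```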
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
Depending on how this is done, the
investigator will need to link a user to a specific snapshot to alleviate the
need to sift through what could be hundreds of snapshots. One method would be to examine each virtual
hard disk file individually. Although
this will take quite some time, it will still provide accurate results. One benefit to this method is that no
information will be overlooked in the event that the suspect was using another
user account or username. <o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
On the domain controller with
XenCenter installed, running the command “xe vm-list -s <server> -u
<user> -pw <password>” provides a list of all virtual machines currently
being run. The virtual machine
vdiManager_Xen is the interface that the administrator interacts with to
initially configure the server, the machine that keeps the activity logs, and the
web portal that users must access in order to spawn a virtual desktop.<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNn5G6aJ5_JLcx-u1yIOeB1v5LL0K4wCLyuZeWTSVcnY2aaxt9w3Xk6kHU7OtPOCoRybivewDsNqjuAisqL-DBUG5kabyudbzUxHsjObnzm9GpO6thNkMl0tqPAsVI4-fokQsZeOQVLJPm/s1600/pic14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNn5G6aJ5_JLcx-u1yIOeB1v5LL0K4wCLyuZeWTSVcnY2aaxt9w3Xk6kHU7OtPOCoRybivewDsNqjuAisqL-DBUG5kabyudbzUxHsjObnzm9GpO6thNkMl0tqPAsVI4-fokQsZeOQVLJPm/s1600/pic14.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 14: XenCenter Command Line VM List</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
While still connected to the
XenServer over SSH, the investigator can locate and view the configuration
files for the vdiManager under the directory /var/run/nonpersistent/xenops/VM. These point to the virtual hard disk that
retains these records.<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh26Vb1m9qD-KulFn1gDQZPjeainB7LWRAuCur9zDIGRBa78scxjqEy0ohyQtTFPpgmjaOgreBQ6-mPhxpdRb1_V4PcuXVzQesBtxFcWD-lvhUXEt5xoSN9MT8-JM-KhVT8HIdGMi-qxmR_/s1600/pic15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh26Vb1m9qD-KulFn1gDQZPjeainB7LWRAuCur9zDIGRBa78scxjqEy0ohyQtTFPpgmjaOgreBQ6-mPhxpdRb1_V4PcuXVzQesBtxFcWD-lvhUXEt5xoSN9MT8-JM-KhVT8HIdGMi-qxmR_/s640/pic15.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 15: vdiManager Configuration File</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
This configuration file first
lists the same UUID found when the XenCenter command was used. In the middle of the file is the VDI UUID,
written as the storage repository UUID, followed by \/, and then the
vdiManager’s UUID. Within the
/var/run/nonpersistent/xenops/VM directory are two files, vdb.xvda and
vdb.xvdb. The first of these (.xvda)
repeats this information, linking the two UUIDs.<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfJY-EtH4ZaEeDWYsP2oreDTZvBeD1WDTgVH7l7wmxp3e3ex97sJguJsyZou421rzXjYVUHmekxOB18jJKag1L89g6vhh9GCkRa94SeVnpLPAfc_-Ivl4DfA004ek85dTKmFzmRkWEk5vQ/s1600/pic16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="102" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfJY-EtH4ZaEeDWYsP2oreDTZvBeD1WDTgVH7l7wmxp3e3ex97sJguJsyZou421rzXjYVUHmekxOB18jJKag1L89g6vhh9GCkRa94SeVnpLPAfc_-Ivl4DfA004ek85dTKmFzmRkWEk5vQ/s640/pic16.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 16: vdiManager Virtual Hard Disk Verification</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
Once this is achieved, examination
of the virtual hard disks can begin. The
investigator should now be able to extract and examine the vdiManager machine
as well as all of the snapshots that were taken. Unfortunately, when examining a VHD in EnCase,
it is not recognized as a normal operating drive and therefore does not have
any form of folder structure. Rather, it
is all listed as unallocated and must be manually parsed. <o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal">
<i>What can I find from this?<o:p></o:p></i></div>
<div class="MsoNormal">
<i><br /></i></div>
<div class="MsoNormal" style="margin-left: .5in;">
There is a great deal of
information that is recoverable from the XenServer. Some of these files are relevant to the
server itself and will depict information about the XenServer, while others
reflect the vdiManager. A plethora of
virtual machine information is also recoverable <b>as long as a snapshot is present</b>. <o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal">
<b>XenServer Files</b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
The first file of interest from the
XenServer is xensource-inventory, located in /etc. This file contains information about the
server itself and is useful in an investigation. The installation date of the server is
recoverable, and, more importantly, the primary disk and backup partition
locations are recorded in this file as well.
<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrG1qPAPtEuOLX7VM2E5LmvzEbfusn00C3NVI7aZRnuz9mccplVcKmKTmgl0w885UYq22QDXzP2fBVuiKJ_qex2doFo-oCENl2HfLh7y5h-LgbA9E3LjdgaJ2xAKNbZWYKIF_CcBvMIDqo/s1600/pic17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="219" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrG1qPAPtEuOLX7VM2E5LmvzEbfusn00C3NVI7aZRnuz9mccplVcKmKTmgl0w885UYq22QDXzP2fBVuiKJ_qex2doFo-oCENl2HfLh7y5h-LgbA9E3LjdgaJ2xAKNbZWYKIF_CcBvMIDqo/s640/pic17.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 17: XenServer Disk and Installation Details</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
The next file of interest is
located again in /etc and is the timezone file.
Considering time zones are extremely important to any forensic
investigation, examining this artifact will be very helpful as it lists in
plaintext the time zone that the server is set for.<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzF9UCJfQgW1Aup1cokS6a805LTOhQHedK3sApomka05AoBi2DqiqK8EhFgTnarEHyJ3NoAjUEXHhJL0cwH0O4Tg40D2koVTpnaN6aKqtHM6WQCPOy42hY4kIzcxKCvtaPGN_t6lhqMbM4/s1600/pic18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzF9UCJfQgW1Aup1cokS6a805LTOhQHedK3sApomka05AoBi2DqiqK8EhFgTnarEHyJ3NoAjUEXHhJL0cwH0O4Tg40D2koVTpnaN6aKqtHM6WQCPOy42hY4kIzcxKCvtaPGN_t6lhqMbM4/s640/pic18.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 18: XenServer Timezone Details</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
The last file of interest pertaining to
the server itself is the bash history. Bash is a Unix command-line interpreter, or
shell, that allows a user to enter commands into a
system; it is comparable to the Windows
command line. The bash history is
located at /root and is named .bash_history.<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR-RHNjcuYi3MxoCHaRTPA01xaxxUBLgMas7HL0QuGzO4NoMFXivKTN7rMtuJ6UELB2qAcx9FlNne_rYKBq34G5dji-ZvsIrXHsmjSWVWml9vjsKhC2sPXrhn1weKtBW5pNs2Va27rd2D9/s1600/pic19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="104" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR-RHNjcuYi3MxoCHaRTPA01xaxxUBLgMas7HL0QuGzO4NoMFXivKTN7rMtuJ6UELB2qAcx9FlNne_rYKBq34G5dji-ZvsIrXHsmjSWVWml9vjsKhC2sPXrhn1weKtBW5pNs2Va27rd2D9/s640/pic19.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 19: Bash History</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>vdiManager Files</b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
When
examining the vdiManager virtual hard disk, the investigator can recover
all users associated with the drive, the templates each user
was assigned to, the groups the user belonged to, the user’s ID in Citrix,
and more. <o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEDyxLhxv8l1E0T358iK8Otf9tvIBzdr4t4Tem35TFz_ez-_xuT7-XgQrUvWxtMN4jIcURNNTu1VJ8WP3bF2GbMbIhgLv8Q0DEp1d5x5XsFZRK3h678wJzbZioAFed6YLI9E0QGMtVP9NQ/s1600/pic20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEDyxLhxv8l1E0T358iK8Otf9tvIBzdr4t4Tem35TFz_ez-_xuT7-XgQrUvWxtMN4jIcURNNTu1VJ8WP3bF2GbMbIhgLv8Q0DEp1d5x5XsFZRK3h678wJzbZioAFed6YLI9E0QGMtVP9NQ/s400/pic20.png" width="318" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 20: vdiManager User
Entries</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
This
VHD also contained logs of the spawning of virtual machines,
including the time and date each was created. The log lists the user that connected,
the IP address that the connection originated from, the template the
user logged in with, and the MAC address assigned to the created virtual
machine. <o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEQkpkzfiQMoxD9UWmRd4lzT8ogBVxEjHfxkdSBRcX_FMV6lRt2TsWtq3U7olPGaux_8hbKHKhIvCcfAvoprNy_EEs7z5osRowj5RdEuubaGLtTpEeac8TAEvBrdXE2GpxcFd36y4YU9wA/s1600/pic21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEQkpkzfiQMoxD9UWmRd4lzT8ogBVxEjHfxkdSBRcX_FMV6lRt2TsWtq3U7olPGaux_8hbKHKhIvCcfAvoprNy_EEs7z5osRowj5RdEuubaGLtTpEeac8TAEvBrdXE2GpxcFd36y4YU9wA/s640/pic21.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 21: vdiManager User Connection</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
Further
investigation of these logs provides more information on user interaction with
virtual machines, specifying when a user logged both in and out of a desktop,
what IP address it was given, what template it was provisioned from, and what
vdiServer it accessed. <o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoX-PqgN3BkOUiAfQf0DZwaIgGYYIaUX47uR8uEVcoR9VzkKfeHXgQ8VMDvQw9sKw11KnxdiQlZLraW2julwCqhdlWQGIbgZrhMAeK4P1nwoC_yJonE0Tj8kUe2GOBL5_AKWim8_8raD2B/s1600/pic22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="340" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoX-PqgN3BkOUiAfQf0DZwaIgGYYIaUX47uR8uEVcoR9VzkKfeHXgQ8VMDvQw9sKw11KnxdiQlZLraW2julwCqhdlWQGIbgZrhMAeK4P1nwoC_yJonE0Tj8kUe2GOBL5_AKWim8_8raD2B/s640/pic22.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 22: vdiManager Connection Log</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
This
log file can also be obtained via the vdiManager web portal. Within the admin menu is a View Audit Log
function that provides an Excel spreadsheet containing user activity.<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal">
<b>Virtual Machine
Files</b><b><o:p></o:p></b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
The virtual hard disk files are the
focal point of the investigation when attempting to uncover information from
non-persistent machines. The
non-persistent VHDs are destroyed at the point the reset policy specifies, either at
logout or on a schedule. Because of this,
snapshots of these hard disks are necessary to uncover potential evidence. <o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
Each virtual hard disk contains a
header that points to its parent drive.
Although EnCase listed these pointers at the beginning of each disk, making
it relatively easy to navigate between them, server-side verification of this was
also completed. Running the command xe
vdi-list params provides a list of metadata about each virtual hard
disk. <o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLeNDqsMFOKHagTuKCX993Zvvi1elZ6ArzDYX53N-ulwPK0cY7h0YbAHhuHbSiwrbw-W_8wbcmf72Jba5aC-hlE0MKtkYXDODuE_ZPNvaQcNLENb2V3rRcRtxLC0Wm-8gRfWdrll8cNQZL/s1600/pic23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="46" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLeNDqsMFOKHagTuKCX993Zvvi1elZ6ArzDYX53N-ulwPK0cY7h0YbAHhuHbSiwrbw-W_8wbcmf72Jba5aC-hlE0MKtkYXDODuE_ZPNvaQcNLENb2V3rRcRtxLC0Wm-8gRfWdrll8cNQZL/s640/pic23.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 23: VDI-List Parameters
Command</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
This command can populate a list
that tells the user the UUID of the virtual disk, whether it is a snapshot
or not, the time of the snapshot if one was taken, the number of snapshots
taken, and the virtual hard disk’s parent.<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnh5IOnuRp1sFljSEvDiEx2b1ZUrrbLbrjWk-cbD5dnRzSLLkgWObPcJ8a7GKZTbYOrDO-f6sevezx5uDLVchdOly9JZK7Nqlcf0REC3YtAx25Kaxnk5CoY9liCM8weKTxJIA6tlek-XMo/s1600/pic24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="543" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnh5IOnuRp1sFljSEvDiEx2b1ZUrrbLbrjWk-cbD5dnRzSLLkgWObPcJ8a7GKZTbYOrDO-f6sevezx5uDLVchdOly9JZK7Nqlcf0REC3YtAx25Kaxnk5CoY9liCM8weKTxJIA6tlek-XMo/s640/pic24.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 24: Parent UUID Verification</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
By proving that the virtual disk
with the UUID of b54cb669-f4e6-44a9-8b97-2038aa7ea7a2 has the parent with the
UUID of 8edd0321-2f59-4fcb-9a1e-634fd5d68d37, the results displayed by
EnCase were verified and can be trusted.</div>
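<div class="MsoNormal" style="margin-left: .5in;">
The same verification, as an added Python example that is not from the original post or from Citrix: it takes the SR/VDI reference out of a xenopsd per-disk file (json.loads undoes the escaped \/ noted earlier), parses xe vdi-list output, and walks parent links from b54cb669-f4e6-44a9-8b97-2038aa7ea7a2 to 8edd0321-2f59-4fcb-9a1e-634fd5d68d37 and on to the base disk, flagging a missing record or a cycle rather than silently stopping. The JSON layout, the params set, the vhd-parent key under sm-config, and the SR and base-disk UUIDs are constructed or assumed, not taken from the lab output.</div>

```python
"""Walk a VDI-in-a-Box snapshot chain from a snapshot back to its base disk.

Added example, not code from the original post or from Citrix. It follows the
post's procedure: take the SR/VDI reference out of a xenopsd per-disk file,
then resolve each disk's parent from xe vdi-list output. Both inputs are
constructed samples: the JSON layout is a guess, the parent is assumed to be
reported under sm-config as vhd-parent, and the SR and base-disk UUIDs are made up.
"""
import json
import re

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
SR_VDI_REF = re.compile(rf"^({UUID})/({UUID})$")
# "key ( RO): value" / "key (MRO): value" lines as the xe CLI prints them
XE_LINE = re.compile(r"^\s*([\w-]+)\s+\(\s*\w+\)\s*:\s?(.*)$")


def find_sr_vdi_refs(obj):
    """Yield (sr_uuid, vdi_uuid) for every 'sr/vdi' string in a decoded JSON tree."""
    if isinstance(obj, str):
        m = SR_VDI_REF.match(obj)
        if m:
            yield m.group(1), m.group(2)
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from find_sr_vdi_refs(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from find_sr_vdi_refs(v)


def sr_vdi_refs_from_config(text):
    # json.loads turns the escaped '\/' the post mentions back into a plain '/'
    return list(find_sr_vdi_refs(json.loads(text)))


def parse_xe_records(text):
    """Parse blank-line separated xe list output into {uuid: {param: value}}."""
    records, current = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if "uuid" in current:
                records[current["uuid"]] = current
            current = {}
            continue
        m = XE_LINE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    return records


def parse_map(value):
    """'vhd-parent: <uuid>; vdi_type: vhd' -> dict (xe map-parameter syntax)."""
    out = {}
    for item in value.split(";"):
        if ":" in item:
            k, v = item.split(":", 1)
            out[k.strip()] = v.strip()
    return out


def parent_chain(records, vdi_uuid):
    """[vdi, parent, grandparent, ...] ending at the disk with no vhd-parent."""
    chain, current = [], vdi_uuid
    while current is not None:
        if current in chain:
            raise ValueError(f"cycle in parent chain at {current}")
        if current not in records:
            raise KeyError(f"VDI {current} not present in vdi-list output")
        chain.append(current)
        current = parse_map(records[current].get("sm-config", "")).get("vhd-parent")
    return chain


# Constructed sample of the per-disk xenops file (vdb.xvda in the post);
# '/' is written as '\/' in the file, as the post observes.
VBD_XVDA_SAMPLE = json.dumps(
    {"backend": "c1d2e3f4-a5b6-4c7d-8e9f-0a1b2c3d4e5f/b54cb669-f4e6-44a9-8b97-2038aa7ea7a2"}
).replace("/", "\\/")

# Constructed sample of `xe vdi-list params=uuid,is-a-snapshot,snapshot-time,sm-config`.
VDI_LIST_SAMPLE = """\
uuid ( RO)             : b54cb669-f4e6-44a9-8b97-2038aa7ea7a2
    is-a-snapshot ( RO): true
    snapshot-time ( RO): 20130320T17:09:00Z
        sm-config (MRO): vhd-parent: 8edd0321-2f59-4fcb-9a1e-634fd5d68d37; vdi_type: vhd

uuid ( RO)             : 8edd0321-2f59-4fcb-9a1e-634fd5d68d37
    is-a-snapshot ( RO): false
    snapshot-time ( RO): 19700101T00:00:00Z
        sm-config (MRO): vhd-parent: 0a0a0a0a-1b1b-4c2c-8d3d-e4e4e4e4e4e4; vdi_type: vhd

uuid ( RO)             : 0a0a0a0a-1b1b-4c2c-8d3d-e4e4e4e4e4e4
    is-a-snapshot ( RO): false
    snapshot-time ( RO): 19700101T00:00:00Z
        sm-config (MRO): vdi_type: vhd
"""

if __name__ == "__main__":
    (sr, vdi), = sr_vdi_refs_from_config(VBD_XVDA_SAMPLE)
    print(sr, vdi, parent_chain(parse_xe_records(VDI_LIST_SAMPLE), vdi))
```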
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcgIjBObkHVeRBDVXTRyEx4SEsBtcsQJykBxhXdT3PybmDctkDdTM89W_7Aav6_j5303ZT5CMSepo8ZYGUSmBLlgvQzoxJBU2_XcjTfhS8ZelqjMKNqaym2YdETT8vgjbezjhsKWz-FHez/s1600/pic25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="284" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcgIjBObkHVeRBDVXTRyEx4SEsBtcsQJykBxhXdT3PybmDctkDdTM89W_7Aav6_j5303ZT5CMSepo8ZYGUSmBLlgvQzoxJBU2_XcjTfhS8ZelqjMKNqaym2YdETT8vgjbezjhsKWz-FHez/s640/pic25.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 25: EnCase Parent UUID
Correlation to XenServer Verification</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
As previously mentioned, there are
two virtual hard disk files associated with each snapshot. The first of these disks is the identity
disk, which will typically range up to sixteen megabytes and simply provides
each VM with a unique identity. The
second disk, referred to as the difference disk, is “used to store any writes
made to the VM. The disk is thin
provisioned (if supported by the storage) and will increase to the maximum size
of the base VM if required,” (Feller). <o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrE4cwyD9P_g530_BvXUlwlICIlaA_KHRG38PzUn0rKmNZGRdoe-DPLT3Cm3QzhZFz3XgGs7daB66vv6pWiqJ7iWntgQd3QRgfg3vtG4A2Lrf_P2miJFA_yQJZkSegG2mrkeJFexB1GCoe/s1600/pic26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="301" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrE4cwyD9P_g530_BvXUlwlICIlaA_KHRG38PzUn0rKmNZGRdoe-DPLT3Cm3QzhZFz3XgGs7daB66vv6pWiqJ7iWntgQd3QRgfg3vtG4A2Lrf_P2miJFA_yQJZkSegG2mrkeJFexB1GCoe/s320/pic26.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 26: Disk Creation (Source: Feller)</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
Review of the identity disk yields only
a pointer UUID to the difference disk associated with it. The difference disk contains content from the
virtual machine as well as a pointer to the golden image it was created from. Although this is all shown as unallocated
space and needs manual parsing, some very helpful artifacts remain and can be
found. <o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
A virtual machine was created with
limited activity on it, but with enough different items to look for. The following table depicts the activity on
the machine.<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<table border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse; border: none; mso-border-alt: solid windowtext .5pt; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184;">
<tbody>
<tr>
<td style="border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: .7in;" valign="top" width="67"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
Time<o:p></o:p></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 5.95in;" valign="top" width="571"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
Activity<o:p></o:p></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: .7in;" valign="top" width="67"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
5:09pm<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 5.95in;" valign="top" width="571"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
Visited Msn.com using Internet Explorer (IE)<o:p></o:p></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: .7in;" valign="top" width="67"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
5:09pm<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 5.95in;" valign="top" width="571"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
Visited Amazon.com using IE<o:p></o:p></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: .7in;" valign="top" width="67"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
5:10pm<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 5.95in;" valign="top" width="571"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
Visited Google.com using IE<o:p></o:p></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: .7in;" valign="top" width="67"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
5:10pm<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 5.95in;" valign="top" width="571"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
Ran MSPaint.exe<o:p></o:p></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: .7in;" valign="top" width="67"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
5:11pm<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 5.95in;" valign="top" width="571"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
Saved a paint file – “findthis.png” to the desktop<o:p></o:p></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: .7in;" valign="top" width="67"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
5:12pm<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 5.95in;" valign="top" width="571"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
Visited www.champlain.edu<o:p></o:p></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: .7in;" valign="top" width="67"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
6:10pm<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 5.95in;" valign="top" width="571"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
Google search for “april fools jokes”<o:p></o:p></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: .7in;" valign="top" width="67"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
6:11pm<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 5.95in;" valign="top" width="571"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
Visited dig4n6.blogspot.com<o:p></o:p></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: .7in;" valign="top" width="67"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
6:11pm<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 5.95in;" valign="top" width="571"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
Saved file from website – xzibit_meme.png<o:p></o:p></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: .7in;" valign="top" width="67"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
6:11pm<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 5.95in;" valign="top" width="571"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
Changed the file type of xzibit_meme.png to xzibit_meme.bmp<o:p></o:p></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: .7in;" valign="top" width="67"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
6:13pm<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 5.95in;" valign="top" width="571"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
Created a file named Deleted Item and deleted it, removed it from the
recycling bin<o:p></o:p></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: .7in;" valign="top" width="67"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
6:18pm<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 5.95in;" valign="top" width="571"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
Changed file type of xzibit_meme.bmp to xzibit_meme.jpeg<o:p></o:p></div>
</td>
</tr>
</tbody></table>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
Due to the disk being all
unallocated space, the quickest way to determine if any information was still
recoverable on the drive was by doing simple keyword searches. Keyword
searches were executed for the following phrases: <o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
“msn.com”, “amazon.com”, “google.com”,
“paint”, “paint.exe”, “findthis.png”, “findthis”, “efleisher”, “www.champlain.edu”,
“april fools jokes”, “dig4n6.blogspot.com”, “deleted item”, “xzibit_meme”.<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
Among the most intriguing and
important artifacts recovered were multiple entries from the Master
File Table (MFT). These MFT entries
contain accurate time stamps and accurate information about the files
that were created on the virtual machine.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMImB3AOiRyJM8iSPJ6NhJ2Rr_eEEiJRsJX8nCLdaLBvXzr_M0thaxJj5Tju8A2Ic6xpCyv48UF2imQylw8O1Byo3Qur-IR_2Xh0mPAHOlewqqg8OsIg9BrOADt5h8TN_b1-clYNQBxQeA/s1600/pic27.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMImB3AOiRyJM8iSPJ6NhJ2Rr_eEEiJRsJX8nCLdaLBvXzr_M0thaxJj5Tju8A2Ic6xpCyv48UF2imQylw8O1Byo3Qur-IR_2Xh0mPAHOlewqqg8OsIg9BrOADt5h8TN_b1-clYNQBxQeA/s640/pic27.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 27: MFT Entry for "findthis.png"
with accurate creation date</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
A search was done for the phrase
“FILE0”, as this is the typical signature at the start of an MFT record. The keyword returned a total of 1457
hits, which indicates that at least 1457 MFT entries are present on this virtual disk. MFT entries were present for each file
and folder that was created on the machine, which by itself provides
information about some of the pertinent items on the machine.</div>
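<div class="MsoNormal" style="margin-left: .5in;">The carving described above (a “FILE0” keyword hit, then manual parsing of the record around it), written out as an added example that is not the author's tooling: it scans raw bytes for the signature, reads the resident $STANDARD_INFORMATION and $FILE_NAME attributes for the creation time and name, and reports whether the record is still in use, so a deleted file's record (in-use flag clear) surfaces alongside live ones. Timestamps are decoded as Windows FILETIME values; the sample image is constructed from synthetic records, not taken from the research disk.</div>

```python
"""Carve NTFS MFT records out of raw (unallocated) disk bytes by their
"FILE0" signature and report each record's name, creation time and in-use
flag.  Added example, not the post's own tooling; SAMPLE_IMAGE is built
below from constructed records, not from the research image."""
import struct
from datetime import datetime, timedelta, timezone

ATTR_STANDARD_INFORMATION = 0x10   # four MACE timestamps, creation first
ATTR_FILE_NAME = 0x30              # UTF-16LE name, length byte at +64
ATTR_END = 0xFFFFFFFF              # terminates the attribute list
MFT_RECORD_SIZE = 1024
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(raw8: bytes) -> datetime:
    """Decode an 8-byte little-endian Windows FILETIME (100 ns ticks since
    1601-01-01 UTC), the encoding behind NTFS and IE history timestamps."""
    ticks, = struct.unpack("<Q", raw8)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def iter_resident_attributes(record: bytes):
    """Yield (type, content) for every resident attribute in one record."""
    offset, = struct.unpack_from("<H", record, 20)     # first attribute
    while offset + 24 <= len(record):
        attr_type, attr_len = struct.unpack_from("<II", record, offset)
        if attr_type == ATTR_END or attr_len < 24:
            break
        if record[offset + 8] == 0:                    # resident flag clear
            content_len, content_off = struct.unpack_from("<IH", record, offset + 16)
            start = offset + content_off
            yield attr_type, record[start:start + content_len]
        offset += attr_len

def parse_mft_record(record: bytes) -> dict:
    """Extract name, creation time and allocation state from one record.
    Update-sequence fixups are not applied; the fields read below sit
    before the first fixup position (byte 510) in these small records."""
    flags, = struct.unpack_from("<H", record, 22)      # bit 0: in use
    info = {"name": None, "created": None, "in_use": bool(flags & 1)}
    for attr_type, content in iter_resident_attributes(record):
        if attr_type == ATTR_STANDARD_INFORMATION:
            info["created"] = filetime_to_datetime(content[0:8])
        elif attr_type == ATTR_FILE_NAME:
            name_len = content[64]                     # UTF-16 characters
            info["name"] = content[66:66 + 2 * name_len].decode("utf-16-le")
    return info

def carve_mft_records(image: bytes) -> list:
    """Find every 'FILE0' and parse the record that starts there.  The '0'
    is the low byte of the update-sequence offset (0x0030), which is why
    the keyword reliably matches records from Windows XP onward."""
    found, pos = [], image.find(b"FILE0")
    while pos != -1:
        try:
            parsed = parse_mft_record(image[pos:pos + MFT_RECORD_SIZE])
        except (struct.error, IndexError, UnicodeDecodeError):
            parsed = {"name": None}                    # truncated / not a record
        if parsed["name"] is not None:                 # no $FILE_NAME: false hit
            parsed["offset"] = pos
            found.append(parsed)
        pos = image.find(b"FILE0", pos + 1)
    return found

def _resident_attribute(attr_type: int, content: bytes) -> bytes:
    """Constructed 24-byte resident attribute header plus 8-aligned content."""
    length = (24 + len(content) + 7) & ~7
    header = struct.pack("<IIBBHHHIHBB", attr_type, length, 0, 0, 24, 0, 0,
                         len(content), 24, 0, 0)
    return header + content + b"\0" * (length - 24 - len(content))

def build_mft_record(name: str, created: datetime, in_use: bool) -> bytes:
    """Constructed sample record (not real evidence): header, then resident
    $STANDARD_INFORMATION and $FILE_NAME attributes, padded to 1024 bytes."""
    ticks = (created - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    ft = struct.pack("<Q", ticks)
    std_info = ft * 4 + b"\0" * 16                     # 4 times + DOS flags
    file_name = (b"\0" * 8 + ft * 4 + b"\0" * 24        # parent, times, sizes
                 + bytes([len(name), 1]) + name.encode("utf-16-le"))
    body = (_resident_attribute(ATTR_STANDARD_INFORMATION, std_info)
            + _resident_attribute(ATTR_FILE_NAME, file_name)
            + struct.pack("<II", ATTR_END, 0))
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                         1 if in_use else 0, 0x38 + len(body), MFT_RECORD_SIZE,
                         0, 3, 0, 0) + struct.pack("<HHH", 1, 0, 0) + b"\0\0"
    record = header + body
    return record + b"\0" * (MFT_RECORD_SIZE - len(record))

# Constructed "unallocated space": two records separated by junk, including a
# bare FILE0 string that the carver must reject as a false positive.
SAMPLE_IMAGE = (
    b"\xaa" * 300
    + build_mft_record("findthis.png",
                       datetime(2013, 4, 1, 17, 11, 0, tzinfo=timezone.utc), True)
    + b"junk FILE0 junk" + b"\0" * 200
    + build_mft_record("Deleted Item.txt",
                       datetime(2013, 4, 1, 18, 13, 7, tzinfo=timezone.utc), False)
)

if __name__ == "__main__":
    for rec in carve_mft_records(SAMPLE_IMAGE):
        state = "in use" if rec["in_use"] else "not in use (deleted)"
        print(f"{rec['offset']:#08x} {rec['name']:<18} {rec['created']} {state}")
```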
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkgGtDMbMTWTgEpkDPGAL5wdiN3IBe6AUVMAVY5flhMClmOPSvjDlLQNQNzx0TpHqGFaZa5llgeUZEUetuLGj9UiJpl8f0WRqq01zezvLiMhZ6L1Ha8BN0hGOuucwJfTCu07f8G17wOWVz/s1600/pic28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkgGtDMbMTWTgEpkDPGAL5wdiN3IBe6AUVMAVY5flhMClmOPSvjDlLQNQNzx0TpHqGFaZa5llgeUZEUetuLGj9UiJpl8f0WRqq01zezvLiMhZ6L1Ha8BN0hGOuucwJfTCu07f8G17wOWVz/s640/pic28.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 28: Keyword results for MFT
Entry Header "FILE0"</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
The keyword search for the phrase
“april fools jokes” successfully pulled the Google search in plaintext from the
unallocated space as well.<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPxmoLMyIEauXiOl3mQJC-eYPrhE4yADLY2tzRyPnvzjiwBBfmsIu9F9uxsMMrOsvqSwBag0Ty7iuOss3xXWRhy0mzgRtUvuwanlqtyWsafwgeeIXQuRKdq7U5ooeVNzOKhUJgcsf11GLY/s1600/pic29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="107" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPxmoLMyIEauXiOl3mQJC-eYPrhE4yADLY2tzRyPnvzjiwBBfmsIu9F9uxsMMrOsvqSwBag0Ty7iuOss3xXWRhy0mzgRtUvuwanlqtyWsafwgeeIXQuRKdq7U5ooeVNzOKhUJgcsf11GLY/s400/pic29.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 29: Retrieved Google Search</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
A keyword search was done for the
username “efleisher” to find any data that may be relevant to what the
user was doing on the computer. Nearly
two thousand hits were returned, containing information primarily relating to
browsing history. The data was in a
plaintext, readable format, with results displayed in a form similar to “efleisher@amazon.com”.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJhvZXx1eGV0PBy6i7gZzzGQuyWb3-j7hVLT05TOUHzhrvVsOhz-KT8B5u37jiNo5_h-K56VB1NzruXesY3Kd3fDCxr0V9EnFRAQIDdAN4TdrJ7A_jgE8imrlz5HNoCHeNyzz3_3A1eB5C/s1600/pic30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJhvZXx1eGV0PBy6i7gZzzGQuyWb3-j7hVLT05TOUHzhrvVsOhz-KT8B5u37jiNo5_h-K56VB1NzruXesY3Kd3fDCxr0V9EnFRAQIDdAN4TdrJ7A_jgE8imrlz5HNoCHeNyzz3_3A1eB5C/s640/pic30.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 30: User Activity via
Username Search</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
This data provides the investigator
with insight into the user's browsing history.
By manually parsing these entries, the investigator is able to ascertain
when the username was accessing certain websites. The time stamp can be found immediately prior to the
website address; it is stored as an eight-byte value in little-endian
hex format.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEga249mlRovqWsu8IwxxrZywEqCCWNqohCCx_B5SC-erp0cFyPMN7nKNW9ZCegyFdwJsgP-KR1F2YbAdx91IGra0r2gEJ20UtX8bhjEAXR-Y7l7XeuT5cnBSNSsZIbASVmVXzvSNgbuOKXp/s1600/pic31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="196" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEga249mlRovqWsu8IwxxrZywEqCCWNqohCCx_B5SC-erp0cFyPMN7nKNW9ZCegyFdwJsgP-KR1F2YbAdx91IGra0r2gEJ20UtX8bhjEAXR-Y7l7XeuT5cnBSNSsZIbASVmVXzvSNgbuOKXp/s640/pic31.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 31: Internet History
Timestamp Verification</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
Through keyword searches of
websites that were visited, an entry was found that listed each website that
was browsed to. The websites appeared in the reverse order of their visits, with
the last website browsed to being the first website listed in the entry. This is potentially indicative of a file that
contained all web browsing history, similar to an index.dat file. Unlike most internet history entries,
however, the record contained no apparent timestamp information.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKJHkslCriowdOhiRxzLfxFrvPTRl4Uh4hCGlHIsBYDOyzMCOJcguoroeHj7-mK0UcYMU0syUwMEfPo3m0HeZUkS_YbofgJRR12Qy1tIttuRxBt6M_9ZcTmvO9z5O-YVxA6-fbEmVliiDk/s1600/pic32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKJHkslCriowdOhiRxzLfxFrvPTRl4Uh4hCGlHIsBYDOyzMCOJcguoroeHj7-mK0UcYMU0syUwMEfPo3m0HeZUkS_YbofgJRR12Qy1tIttuRxBt6M_9ZcTmvO9z5O-YVxA6-fbEmVliiDk/s640/pic32.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 32: Complete Browsing History</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
With the previous findings
presenting a plethora of internet history information, the next step was to try
an automated tool. Internet history
tools attempt to perform an automated acquisition of the internet history
on a hard disk and present the findings to an investigator in an easy-to-read
format. Internet Evidence Finder v5 was
able to successfully parse and extract internet history, including cookies,
with accurate time stamps and user correlation.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2c2AreDTjNuiTbNVn4L7zWPcoPzKDEOCa6DcBgwZB7fmqn_5K1BLlZSVtsVUJj8nNeLEQyEW-v_HIRRf4W9CRMwALmLPohiTZNW_AY1N67z_IgGjw4qEdDF63Wa9IttoLqOf_hp5sXz6k/s1600/pic33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="408" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2c2AreDTjNuiTbNVn4L7zWPcoPzKDEOCa6DcBgwZB7fmqn_5K1BLlZSVtsVUJj8nNeLEQyEW-v_HIRRf4W9CRMwALmLPohiTZNW_AY1N67z_IgGjw4qEdDF63Wa9IttoLqOf_hp5sXz6k/s640/pic33.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 33: Successful Internet
Evidence Finder Parsing of VHD</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
Further research into web browsing artifacts
provided HTML code for specific websites that were visited. This code provides a plaintext view of some
of the information that was on the webpage when it was visited by the user.<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhReJ8SLB1S_tB9Ak55oVYmpwg__xSTmS6GgA2fy9nFTZyLfQ3ADPmsVxji_1vd6lcshm4zVk8YDXl2bcrNNlfgcFfGI8VAo7rNfxEmsSGMIgD6dt5N9K0li6CDK8qFdTTF6jGPunb3C0jt/s1600/pic34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="136" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhReJ8SLB1S_tB9Ak55oVYmpwg__xSTmS6GgA2fy9nFTZyLfQ3ADPmsVxji_1vd6lcshm4zVk8YDXl2bcrNNlfgcFfGI8VAo7rNfxEmsSGMIgD6dt5N9K0li6CDK8qFdTTF6jGPunb3C0jt/s640/pic34.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 34: Plaintext HTML Code of
Webpage</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
An important and common artifact
that is looked at in a forensic investigation is deleted items. A deleted item can mean many things to an
investigator, such as an attempt to hide information, an attempt at removing
evidence, or perhaps merely an attempt at removing clutter. Both data recovery and forensic
investigations frequently deal with deleted items, thus making the ability to
recover them a desirable skill. <o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
During this research, a text file
named “Deleted Item” was created. It
was created on April 1st, 2013 at 6:13:07pm and deleted immediately afterwards
at 6:13:20pm. The keyword search for
this particular artifact provided multiple hits, including accurate timestamps
for the file creation time.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNWBMg7kZrI_9uSfjrILLskIV_kPIbqLXXNAQ_UpVWHZ89a8fmg4jnnlJLSyIqzM_admkPpHtNNGnyR8cX8mqgzob1c-7qVviWTErf2dw8Y1gQHLoZCKpAX2P-rW7XPVgO55x-N5-pTCWF/s1600/pic35.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNWBMg7kZrI_9uSfjrILLskIV_kPIbqLXXNAQ_UpVWHZ89a8fmg4jnnlJLSyIqzM_admkPpHtNNGnyR8cX8mqgzob1c-7qVviWTErf2dw8Y1gQHLoZCKpAX2P-rW7XPVgO55x-N5-pTCWF/s640/pic35.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 35: Accurate Timestamp of
Deleted Item Creation Time</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
When a file is deleted on a Windows
machine, two files associated with it are created in the recycling
bin. These files are known as “$I” and
“$R” files. The $I file contains the
original name and path of the file, along with its deletion date; the $R file retains the actual data of
the file. When examining the evidence
near the location of the original file, the investigator will find references
to the $I and $R files associated with the deleted item.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZQlVckJUWq3GBskPwyY6cQKLPbN1TvsPU1AEMvSsChIihyEeaR4Ywb6f_MI1dkwAn5sJc5Z59ATxhZycAqhA9jOAthiWNvVv3JJuoMpFdy-8YlpKrX666r6SLUr77oP8bR5F-mxOtXDAh/s1600/pic36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZQlVckJUWq3GBskPwyY6cQKLPbN1TvsPU1AEMvSsChIihyEeaR4Ywb6f_MI1dkwAn5sJc5Z59ATxhZycAqhA9jOAthiWNvVv3JJuoMpFdy-8YlpKrX666r6SLUr77oP8bR5F-mxOtXDAh/s640/pic36.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 36: Discovery of Deleted Item
as well as $I and $R files</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
In order to recover the deletion
time of the file, it is necessary to obtain the creation time of the $I and $R
files. This timestamp can be recovered
by moving twenty bytes back from the $ symbol and then reading the
eight bytes immediately before that point. If done
correctly, those eight bytes decode in little-endian format to
the created time of both the $I and $R files, and therefore the deletion time of the
original file.</div>
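<div class="MsoNormal" style="margin-left: .5in;">The $I record described above (original name and path plus the deletion date) parsed directly, together with the pairing of $I files to their $R twins, as an added example that is not the post's code. The byte layouts of both $I versions are documented Windows behaviour, and the sample bytes, recycle-bin file names and path are constructed (modelled on the post's username, file name and deletion time, treated here as UTC).</div>

```python
"""Parse Windows Recycle Bin $I metadata records and pair them with their
$R data files.  Added example, not the post's own code; the $I bytes, file
names and path below are constructed, not taken from the research image."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw8: bytes) -> datetime:
    """8-byte little-endian FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    ticks, = struct.unpack("<Q", raw8)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_i_file(data: bytes) -> dict:
    """Decode one $I record.  Version 1 (Vista through 8.1) carries a fixed
    520-byte UTF-16LE path; version 2 (Windows 10 and later) prefixes the
    path with its length in characters.  Both keep the deletion FILETIME at
    offset 16, right after the 8-byte version and 8-byte original size."""
    version, size = struct.unpack_from("<QQ", data, 0)
    deleted = filetime_to_datetime(data[16:24])
    if version == 1:
        raw_path = data[24:24 + 520]
    elif version == 2:
        chars, = struct.unpack_from("<I", data, 24)    # count includes NUL
        raw_path = data[28:28 + 2 * chars]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw_path.decode("utf-16-le").split("\0", 1)[0]
    return {"version": version, "size": size, "deleted": deleted, "path": path}


def pair_recycle_bin(names: list) -> dict:
    """Map each $I file to its $R twin.  Both carry the same six random
    characters and the original extension ($IABC123.txt <-> $RABC123.txt);
    an $I with no surviving $R partner maps to None."""
    r_files = {n[2:]: n for n in names if n.startswith("$R")}
    return {n: r_files.get(n[2:]) for n in names if n.startswith("$I")}


def build_i_file(version: int, size: int, deleted: datetime, path: str) -> bytes:
    """Constructed $I record in either layout; the inverse of parse_i_file()."""
    ticks = (deleted - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    head = struct.pack("<QQQ", version, size, ticks)
    encoded = (path + "\0").encode("utf-16-le")
    if version == 1:
        return head + encoded.ljust(520, b"\0")
    return head + struct.pack("<I", len(path) + 1) + encoded


# Constructed samples modelled on the post's timeline (username, file name and
# deletion time as stated there; the full path and byte layout are assumed).
DELETED_AT = datetime(2013, 4, 1, 18, 13, 20, tzinfo=timezone.utc)
ORIGINAL_PATH = r"C:\Users\efleisher\Desktop\Deleted Item.txt"
SAMPLE_I_V1 = build_i_file(1, 0, DELETED_AT, ORIGINAL_PATH)
SAMPLE_I_V2 = build_i_file(2, 0, DELETED_AT, ORIGINAL_PATH)
# A constructed $Recycle.Bin directory listing with one orphaned $I file.
SAMPLE_BIN_LISTING = ["$IQ3F7K2.txt", "$RQ3F7K2.txt", "$IZ9H1M4.png",
                      "desktop.ini"]

if __name__ == "__main__":
    for sample in (SAMPLE_I_V1, SAMPLE_I_V2):
        rec = parse_i_file(sample)
        print(f"v{rec['version']}: {rec['path']} deleted {rec['deleted']}")
    print(pair_recycle_bin(SAMPLE_BIN_LISTING))
```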
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3Wbwmc-qCHB0pCU_S0M_2N68PV-sAUyOhSaSTRHVsDKWj8ydS73VqK_hWJb3SDPFYVR_EfSRH6e7f1VN6vapeyBFuDwck-p-0L3WEQ7Yoj1F4isZkZokG0u-X8_5kOlv87P1m7YT0-J-S/s1600/pic37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3Wbwmc-qCHB0pCU_S0M_2N68PV-sAUyOhSaSTRHVsDKWj8ydS73VqK_hWJb3SDPFYVR_EfSRH6e7f1VN6vapeyBFuDwck-p-0L3WEQ7Yoj1F4isZkZokG0u-X8_5kOlv87P1m7YT0-J-S/s640/pic37.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 37: Accurate Timestamp of
Deleted Item Deletion Time</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
Perhaps the most interesting piece of evidence left behind on the virtual hard disk was an entry that resembled a timeline of system activity. It depicted a chain of events that occurred on the hard drive, including website visits, usernames, applications opening, files being created, and a list of some of the values that would have been updated on the system during that activity.</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMmKO6JDNMeXuXPQB51dDqroZCiXCMQ81koPcPrg44iRQItdcmRs7wJU7aHrUPlep0w1B7GR468RXwuGXI6GHbzb_fHNFFThadCWIq_m0wKjtBXAHoaNTuoyQwVyyuwohhb0P6puyciwlu/s1600/pic38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="438" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMmKO6JDNMeXuXPQB51dDqroZCiXCMQ81koPcPrg44iRQItdcmRs7wJU7aHrUPlep0w1B7GR468RXwuGXI6GHbzb_fHNFFThadCWIq_m0wKjtBXAHoaNTuoyQwVyyuwohhb0P6puyciwlu/s640/pic38.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Figure 38: Entry reflecting Timeline
of Events</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<i>What would you
recommend my company to do?<o:p></o:p></i></div>
<div class="MsoNormal">
<i><br /></i></div>
<div class="MsoNormal" style="margin-left: .5in;">
Analysis of a Citrix Virtual Desktop Environment requires a fair amount of setup behind the scenes in order for it to be accomplished successfully. Without the presence of snapshots, an investigator would be hard pressed to find any information about what occurred on a pooled virtual machine. Although network monitoring tools could be put in place to monitor everything that occurs, these options are often very costly and can still miss important artifacts. For an SMB or a large business that is implementing a VDI, it is recommended that snapshots be scheduled of at least the hard disk. Depending on the storage available, if both disk and memory snapshots are possible, more information would be recoverable, although this type of snapshot requires large quantities of storage.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
With snapshots in place and with appropriate administrative access, an investigator is able to manually parse through the virtual hard disk files that Citrix VDI-in-a-Box maintains. User information such as web history, created files and folders, opened programs, Google searches, passwords, deleted items, and master file table entries is all recoverable. This information may not be everything that is needed to crack the case, but it is surely a huge stepping stone toward uncovering more information and perhaps even the “smoking gun.”</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
When looking at the vdiManager virtual hard disk, the investigator is able to obtain information about when a user logs into a virtual desktop. Using this together with information from the domain controller, further research needs to be done to successfully link a specific user to a given UUID. Doing so would spare the investigator from sifting through hundreds of hard drives for information and instead give immediate access to which snapshots are linked to which users, streamlining both acquisition and analysis. Although this is just the tip of the iceberg, there is without a doubt much more information that can be uncovered. While access to these servers and machines is no longer available, I hope to someday expand this research, or at least see another professional take what has already been done and expand upon it to allow for even more thorough analysis of Citrix VDIs in the future.</div>
<br />
<div class="MsoNormal">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<i>References<o:p></o:p></i></div>
<div class="MsoNormalCxSpMiddle">
"Citrix XenServer® 5.6 Feature Pack 1 Administrator's Guide." Citrix RSS. Citrix, 24 Mar. 2011. Web.</div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
"Create the First Windows Image." Citrix EDocs. Citrix, 12 Feb. 2013. Web.</div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
"Create a VM Protection Policy." Citrix EDocs. Citrix, 26 Nov. 2012. Web.</div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
Feller, Daniel. "Machine Creation Services Primer – Part 1." Citrix Blogs. Citrix, 28 June 2011. Web.</div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
Hochmuth, Phil. "The Benefits Of Virtual Desktops." Forbes. Forbes Magazine, 12 Jan. 2010. Web.</div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
"Internet Evidence Finder." Magnet Forensics. N.p., n.d. Web.</div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
"Master Boot Record." Master Boot Record. Microsoft TechNet, n.d. Web.</div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
"NTFS Master File Table (MFT)." NTFS Master File Table (MFT). N.p., n.d. Web.</div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
Powledge, Tom. "Top 7 SMB Information Protection Predictions for 2013." Endpoint, Cloud, Mobile & Virtual Security Solutions. Symantec, 4 Dec. 2012. Web.</div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
Savitz, Eric. "Citrix Shares Rally As Q4 Results Crush Street Estimates." Forbes. Forbes Magazine, 30 Jan. 2013. Web.</div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
Sweeney, Brandon. "State of SMB IT Report – Equip Yourself with These Stats to Help Make Vital IT Decisions." VMware SMB Blog. VMware, 20 Feb. 2013. Web.</div>
<br />
<div class="MsoNormalCxSpMiddle">
<br /></div>
Ethan Fleisher http://www.blogger.com/profile/00806309855263286461 noreply@blogger.com 5<br />
<br />
tag:blogger.com,1999:blog-7792322207109434614.post-2971868339020649589 (published 2013-03-22T10:31:00.002-07:00, updated 2013-03-22T10:31:41.798-07:00)<br />
<b>Script for FAT Root Directory Parsing</b><br />
<br />
So I recently finished a class at Champlain College entitled Scripting for Digital Forensics. This class was quite simply a boot camp for learning Python. We started with basic operators and moved quickly through the eight weeks to eventually being able to write scripts that would be useful in the forensic workplace. <br />
<br />
I decided to write my script on parsing a FAT root directory. At the time of choosing what to do, I was enrolled in another class focusing on file system forensics, and we were doing in-depth analysis of the FAT file system. It quickly became a no-brainer that this would be a useful and fun script for me to write. <br />
<br />
A quick how-to for using the script: <br />
<br />
With a FAT file system, navigate to the root directory using WinHex or a similar hex editing tool. Copy the entirety of the root directory and place it into a new file. Do a quick edit of the script and change the following sections:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLiGhAmXRz_ra09hCvAtMY1a9jUGGLiJ96_s33Eb1iwK3kVVtTMdWD8KCLBNka7ra6cGUlMjTiRVY5zBbMr1RklEOlX237TUcg3Or-ztLbImAP_XCTxNjn17ce9Ml_bZdNyTHKNl9P1DWq/s1600/updates.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLiGhAmXRz_ra09hCvAtMY1a9jUGGLiJ96_s33Eb1iwK3kVVtTMdWD8KCLBNka7ra6cGUlMjTiRVY5zBbMr1RklEOlX237TUcg3Or-ztLbImAP_XCTxNjn17ce9Ml_bZdNyTHKNl9P1DWq/s1600/updates.png" /></a></div>
<br />
These sections just need to be changed to reflect the path of the root directory file that was created and the output path that the user desires. The third path that needs to be changed allows the script to open the output file in Notepad automatically.<br />
<br />
All that being said, here is the script!<br />
<br />
https://www.dropbox.com/s/qu93cx5ep4zt6mv/rootdirParse.py<br />
<br />
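As an added example (my own code, not the rootdirParse.py linked above, which I have not seen), here is a parser for the same input: the raw bytes of a FAT root directory saved to a file from a hex editor. It decodes the 32-byte 8.3 entries, including the packed date and time fields, the first cluster and the size, flags deleted entries (first name byte 0xE5), skips long-file-name pieces, and stops at the end-of-directory marker. The sample directory is hand-encoded and constructed for the example, not copied from a real disk. Pass the path of your root directory file as the first argument; with no argument it parses the built-in sample.<br />

```python
"""Parse the raw bytes of a FAT root directory (32-byte 8.3 entries).
Added example, not the author's rootdirParse.py. The input is the kind of
file the post describes: the root directory region copied out of a hex editor."""
import struct
import sys
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

ENTRY_SIZE = 32
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F            # long-file-name piece (read-only|hidden|system|volume)
FREE_ENTRY = 0xE5          # first name byte of a deleted entry
END_OF_DIRECTORY = 0x00    # first name byte when no entries follow


@dataclass
class DirEntry:
    name: str
    attributes: int
    deleted: bool
    created: Optional[datetime]
    last_access: Optional[datetime]   # FAT stores the date only
    modified: Optional[datetime]
    first_cluster: int
    size: int

    @property
    def is_directory(self) -> bool:
        return bool(self.attributes & ATTR_DIRECTORY)


def fat_datetime(date_raw: int, time_raw: int = 0) -> Optional[datetime]:
    """Decode a packed FAT date (7-bit year from 1980, 4-bit month, 5-bit day) and
    time (5-bit hour, 6-bit minute, 5-bit two-second count). Returns None for an
    unset or malformed field so one bad entry does not stop the whole parse."""
    if date_raw == 0:
        return None
    try:
        return datetime(1980 + (date_raw >> 9), (date_raw >> 5) & 0x0F, date_raw & 0x1F,
                        time_raw >> 11, (time_raw >> 5) & 0x3F, (time_raw & 0x1F) * 2)
    except ValueError:
        return None


def parse_entry(raw: bytes) -> Optional[DirEntry]:
    """Decode one 32-byte entry; LFN pieces return None (no timestamps of their own)."""
    attributes = raw[11]
    if attributes == ATTR_LFN:
        return None
    deleted = raw[0] == FREE_ENTRY
    base = raw[0:8].decode("latin-1").rstrip(" ")
    ext = raw[8:11].decode("latin-1").rstrip(" ")
    if deleted:
        base = "_" + base[1:]        # first character was overwritten by 0xE5
    elif raw[0] == 0x05:
        base = "\xe5" + base[1:]     # 0x05 escapes a genuine leading 0xE5
    (ctime, cdate, adate, cluster_hi,
     mtime, mdate, cluster_lo, size) = struct.unpack_from("<HHHHHHHI", raw, 14)
    return DirEntry(name=f"{base}.{ext}" if ext else base, attributes=attributes,
                    deleted=deleted, created=fat_datetime(cdate, ctime),
                    last_access=fat_datetime(adate), modified=fat_datetime(mdate, mtime),
                    first_cluster=(cluster_hi << 16) | cluster_lo,   # hi word is 0 on FAT12/16
                    size=size)


def parse_root_directory(data: bytes) -> List[DirEntry]:
    """Walk the region one entry at a time; stop at the end-of-directory marker."""
    entries = []
    for offset in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = data[offset:offset + ENTRY_SIZE]
        if raw[0] == END_OF_DIRECTORY:
            break
        entry = parse_entry(raw)
        if entry is not None:
            entries.append(entry)
    return entries


def format_report(entries: List[DirEntry]) -> List[str]:
    """One text line per entry, in the spirit of the post's Notepad output."""
    return [f"{'DIR ' if e.is_directory else 'FILE'} {'deleted' if e.deleted else 'active '} "
            f"{e.name:<12} cluster={e.first_cluster:<6} size={e.size:<8} "
            f"created={e.created} modified={e.modified}" for e in entries]


# Constructed sample root directory (hand-encoded for this example, not from a disk).
SAMPLE_ROOT_DIR = (
    # README.TXT, archive, created 2013-03-22 12:34:56, modified 2013-03-21 09:05:10, cluster 3, 1234 bytes
    b"README  TXT" + bytes.fromhex("20 0000 5c64 7642 7642 0000 a548 7542 0300 d2040000")
    # one LFN piece (attribute 0x0F), which the parser skips
    + bytes([0x41]) + "secret".encode("utf-16-le")[:10] + bytes.fromhex("0f 0000") + bytes(18)
    # deleted SECRET.DOC (first byte 0xE5), cluster 8, 2048 bytes
    + b"\xe5ECRET  DOC" + bytes.fromhex("20 0000 5c64 7642 7642 0000 a548 7542 0800 00080000")
    # DOCS subdirectory, cluster 5
    + b"DOCS       " + bytes.fromhex("10 0000 5c64 7642 7642 0000 a548 7542 0500 00000000")
    + bytes(ENTRY_SIZE)                           # end-of-directory marker
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ROOT_DIR
    print("\n".join(format_report(parse_root_directory(blob))))
```

A malformed date or time field (all zeros, or a month of 0) comes back as None instead of stopping the parse, which matters when the root directory was recovered from damaged or partially overwritten sectors. Note that a deleted entry keeps its timestamps and first cluster, which is exactly why the directory is worth parsing with the 0xE5 entries included rather than filtered out.<br />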
<br />Ethan Fleisher http://www.blogger.com/profile/00806309855263286461 noreply@blogger.com 1<br />
<br />
tag:blogger.com,1999:blog-7792322207109434614.post-6654332385089219118 (published 2013-02-07T06:58:00.001-08:00, updated 2013-02-07T07:05:05.710-08:00)<br />
<b>Creating a Citrix VDI for Digital Forensic Analysis</b><br />
<div class="MsoNormalCxSpFirst">
If the past few weeks have taught me anything so far, it would be that the process of creating a Citrix environment is rather difficult. What seemed like it would be rather cut and dried, installing and setting up a few basic parameters, has easily turned into what may be the hardest part of the project.</div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
My initial issue was attempting to find a location where I could actually set up a miniature virtual environment. My first thoughts were almost at the level of Inception: a virtual machine hypervisor hosting a virtual machine domain controller delegating IPs to multiple virtual machines that are each being hosted by... surprise! a virtual machine (Citrix’s vdiManager). For any of you that follow memes, I’m pretty sure Xzibit would have something to say about my attempt here (if you don’t get the reference, see <a href="https://www.google.com/search?q=xzibit+memes&aq=f&um=1&ie=UTF-8&hl=en&tbm=isch&source=og&sa=N&tab=wi&ei=jcgPUartH6q40gG8wYCQCA&biw=1680&bih=949&sei=j8gPUdboBsbE0QHBmYGoCQ">here</a>). Needless to say, it was an idea I dropped pretty quickly and went on to finding some hardware that I could use instead.</div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgk902qkMvnZB_RQhyphenhyphenmaDqRrs1MY_mnEcWXwBWF2X2WMi_7sFZ3VAjoSkPuveWhr4b90I7hExjPVHqCEZO9RaibKhglEEYJZYvVr3l94LMZcvaZhmXUeqmajLXqPJaJeoyhUooAlXdtzgC9/s1600/xzibit+meme.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgk902qkMvnZB_RQhyphenhyphenmaDqRrs1MY_mnEcWXwBWF2X2WMi_7sFZ3VAjoSkPuveWhr4b90I7hExjPVHqCEZO9RaibKhglEEYJZYvVr3l94LMZcvaZhmXUeqmajLXqPJaJeoyhUooAlXdtzgC9/s400/xzibit+meme.PNG" width="400" /></a></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
Fortunately, the Senator Patrick Leahy Center for Digital Investigation (LCDI) has multiple servers, and one of them wasn't currently in use. This gave me the server that I needed for my hypervisor, and from here I was able to start moving forward. The first go-around with real hardware involved setting up an ESXi 5 hypervisor on the Dell server that would be used to host a virtual machine of XenServer. After some quick setup, which was rather painless, I ran into a few roadblocks. Attempting to create a Windows virtual machine using XenServer hosted on top of ESXi 5 prompted multiple errors and would not allow virtualization to proceed. It turns out I managed to overlook the fact that XenServer is itself a hypervisor, not something like Windows Server that would rest on top of a hypervisor.</div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
It tends to work out more often than not that the third time is the charm, and so far my third attempt is looking that way. This go-around, I installed XenServer as the hypervisor on the server and then hosted vdiManager on it. I am using Citrix’s VDI-in-a-Box (ViaB) to quickly set up a small environment that doesn’t require the multiple protocols and variables to be put in place that their other programs, such as Virtual Desktop, would.</div>
<div class="MsoNormalCxSpMiddle">
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNk3wEo468bFvJfFnbUMoklMkNe2DCEwkc_IkLLyZu70z5NbLrDz1YsK135kOWqqmc5mxfocBpaEMVLGIcQBSpH-J8vYC-HIBx0tzlGPCdTtgHGCHHTDa3MTIvAFdAJ82hj7q66wZ0sf1F/s1600/network+diagram.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="475" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNk3wEo468bFvJfFnbUMoklMkNe2DCEwkc_IkLLyZu70z5NbLrDz1YsK135kOWqqmc5mxfocBpaEMVLGIcQBSpH-J8vYC-HIBx0tzlGPCdTtgHGCHHTDa3MTIvAFdAJ82hj7q66wZ0sf1F/s640/network+diagram.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><br /></td></tr>
</tbody></table>
</div>
<div class="MsoNormalCxSpMiddle" style="text-indent: 0.5in;">
There have definitely been a few stopping points that have been frustrating, but it’s mostly been little things on the internal network that I needed to tweak. For example, it was necessary to create a new domain controller due to limitations and restrictions set in place on the current domain controller. After I recognized a few of the simple networking problems, moving forward started to become easier and easier.<br />
<br /></div>
<div class="MsoNormalCxSpMiddle" style="text-indent: 0.5in;">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijMnuNdAQnHECg2NWR_zMKcKSMrhaBhT3nAhieyi8_Csz5SCpYpHb20VIX4k8r_NyLFf0xRSBZcIg5Fjud9i-Q8C5fNNHkNPiGs-QClz-U87K49BZ01R2O8e_TngJzu5SgBqDf46ELIB45/s1600/login.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto; text-align: center; text-indent: 0.5in;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijMnuNdAQnHECg2NWR_zMKcKSMrhaBhT3nAhieyi8_Csz5SCpYpHb20VIX4k8r_NyLFf0xRSBZcIg5Fjud9i-Q8C5fNNHkNPiGs-QClz-U87K49BZ01R2O8e_TngJzu5SgBqDf46ELIB45/s1600/login.PNG" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Setup Overview for VDI-in-a-Box</td></tr>
</tbody></table>
<br /></div>
<div class="MsoNormalCxSpMiddle" style="text-indent: 0.5in;">
The next frustrating stop in my process came very quickly, though, and again I started face-palming every few minutes wondering why I couldn't get it working. In order to host a VM on vdiManager to create a base image, RDP needs to be configured, as does File and Printer Sharing. Although this is one of the most basic things to do on a computer, my virtual machine just wouldn’t have it. Yet again, though, after some quick network troubleshooting I noticed that the DNS setting was incorrect, changed it, and the settings were up and running. Finally, at long last, the conversion to upload the image was beginning.</div>
<div class="MsoNormalCxSpMiddle" style="text-indent: 0.5in;">
<br /></div>
<div class="MsoNormalCxSpMiddle" style="text-indent: 0.5in;">
Stepping back from the setup process of the environment, it is important to take a look at the terminology of this project and the blogs that I will be writing. My initial blog post stated that I would be looking at the difference between persistent and non-persistent VDIs. Though this is still the case and nothing has changed, ViaB uses different terminology to describe these two states of an image. A persistent image is known as a “personal desktop”, and a non-persistent image is referred to as a “pooled desktop.” Please take note that, although I will try to keep my own wording consistent, there may be images and references throughout to pooled versus personal desktops.<br />
<br /></div>
<div class="MsoNormalCxSpMiddle" style="text-indent: 0.5in;">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZWio4XJwPQ2QQ2wl1zVHO0VnWmootjkNH-GjgIYoPHra_xG6dbejLTXkldBGSiQO9dZf-t1KKul0qC1oTh-LlZg5ivv3ZDAJOSSJfgSFSg13O_cRRE1g5xhPSNLqsEMPmIMF0tcqsQJFh/s1600/pooled+vs+personal.PNG" imageanchor="1" style="display: inline !important; margin-left: auto; margin-right: auto; text-align: center; text-indent: 0.5in;"><img border="0" height="289" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZWio4XJwPQ2QQ2wl1zVHO0VnWmootjkNH-GjgIYoPHra_xG6dbejLTXkldBGSiQO9dZf-t1KKul0qC1oTh-LlZg5ivv3ZDAJOSSJfgSFSg13O_cRRE1g5xhPSNLqsEMPmIMF0tcqsQJFh/s400/pooled+vs+personal.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Template setup for Pooled vs Personal (Non-persistent vs Persistent)</td></tr>
</tbody></table>
<br /></div>
<div class="MsoNormalCxSpMiddle" style="text-indent: 0.5in;">
Check back in the near future for more updates on the progress of this project. The environment should be finished setting up soon, and not too long after the real fun should start! </div>
<div class="MsoNormalCxSpMiddle" style="text-indent: 0.5in;">
<br /></div>
<div class="MsoNormalCxSpMiddle" style="text-indent: 0.5in;">
Please feel free to leave any comments and/or suggestions for me!</div>
Ethan Fleisher http://www.blogger.com/profile/00806309855263286461 noreply@blogger.com 3<br />
<br />
tag:blogger.com,1999:blog-7792322207109434614.post-877573084254155532 (published 2013-01-25T14:04:00.001-08:00, updated 2013-01-25T14:04:51.431-08:00)<br />
<b>GPT/MBR Quick Reference</b><br />
<br />
Made a quick reference guide for GPT/MBR analysis for class, figured I would post it on here as well. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOdIWgpoo7JIcAqGbhN7VDTwjZzU6z-_cEATy0nnaNf0Pepzr9bdsOu0G6wXe5Fcj_hUqfKaT6tpjcIAuSDN1G91mXM3BmhMSIO-IAzAvjhhFhRft9bc87EgE5lD1DypudY7DGK_GnIs3k/s1600/Fleisher_GPT_MBR+Cheat+Sheet_FOR320-01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOdIWgpoo7JIcAqGbhN7VDTwjZzU6z-_cEATy0nnaNf0Pepzr9bdsOu0G6wXe5Fcj_hUqfKaT6tpjcIAuSDN1G91mXM3BmhMSIO-IAzAvjhhFhRft9bc87EgE5lD1DypudY7DGK_GnIs3k/s640/Fleisher_GPT_MBR+Cheat+Sheet_FOR320-01.jpg" width="588" /></a></div>
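As an added example to go with the reference (my own code, not part of the cheat sheet), here is a parser for the structures it covers: the four 16-byte MBR partition entries at offset 0x1BE, the 0x55AA signature at bytes 510-511, the 0xEE protective entry that marks a GPT disk, and the GPT header at LBA 1 with the fields that locate the partition entry array. The sample sectors are constructed for the example, not taken from a real disk, and the type-name table is only a small subset of the MBR type byte values.<br />

```python
"""Parse an MBR partition table and recognise a GPT protective MBR.

Added example for the GPT/MBR quick reference; the sectors below are
constructed by hand, not taken from a real disk.
"""
import struct
import uuid
from dataclasses import dataclass
from typing import Dict, List

SECTOR = 512
PARTITION_TABLE_OFFSET = 0x1BE     # four 16-byte entries end at 0x1FE
BOOT_SIGNATURE = b"\x55\xaa"       # bytes 510-511 of the MBR
GPT_SIGNATURE = b"EFI PART"        # first 8 bytes of the GPT header at LBA 1
PARTITION_TYPES = {                # small subset of the MBR type byte values
    0x05: "Extended (CHS)", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective",
}


@dataclass
class MbrPartition:
    slot: int            # 1-4
    bootable: bool       # status byte 0x80
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sector_count - 1

    @property
    def type_name(self) -> str:
        return PARTITION_TYPES.get(self.type_id, f"unknown (0x{self.type_id:02X})")


def parse_mbr(sector0: bytes) -> List[MbrPartition]:
    """Return the non-empty entries of the four primary slots.

    Raises ValueError when the sector is not 512 bytes or the 0x55AA signature
    is missing, since the table cannot then be trusted as an MBR."""
    if len(sector0) != SECTOR:
        raise ValueError(f"expected a {SECTOR}-byte sector, got {len(sector0)}")
    if sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for slot in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * slot
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", sector0, offset)
        if type_id == 0x00:
            continue                      # unused slot
        parts.append(MbrPartition(slot + 1, status == 0x80, type_id, lba_start, count))
    return parts


def is_protective_mbr(parts: List[MbrPartition]) -> bool:
    """A GPT disk carries a single 0xEE entry starting at LBA 1 whose length is
    the disk size or 0xFFFFFFFF; the real partitions are in the GPT entry array."""
    return len(parts) == 1 and parts[0].type_id == 0xEE and parts[0].lba_start == 1


def parse_gpt_header(sector1: bytes) -> Dict[str, object]:
    """Decode the GPT header fields needed to find the entry array (CRCs not checked)."""
    if sector1[:8] != GPT_SIGNATURE:
        raise ValueError("not a GPT header")
    (revision, header_size, _hdr_crc, _reserved, current_lba, backup_lba,
     first_usable, last_usable, disk_guid, entries_lba, entry_count,
     entry_size, _entries_crc) = struct.unpack_from("<IIIIQQQQ16sQIII", sector1, 8)
    return {
        "revision": f"0x{revision:08X}", "header_size": header_size,
        "current_lba": current_lba, "backup_lba": backup_lba,
        "first_usable_lba": first_usable, "last_usable_lba": last_usable,
        "disk_guid": str(uuid.UUID(bytes_le=disk_guid)),   # GUID is stored mixed-endian
        "partition_entries_lba": entries_lba, "entry_count": entry_count,
        "entry_size": entry_size,
    }


# Constructed MBR: bootable NTFS at LBA 2048 (204800 sectors), then FAT32.
SAMPLE_MBR = (
    bytes(PARTITION_TABLE_OFFSET)
    + bytes.fromhex("80 010100 07 feffff 00080000 00200300")
    + bytes.fromhex("00 000000 0c feffff 00280300 00400600")
    + bytes(32)                                   # two empty slots
    + BOOT_SIGNATURE
)
# Constructed protective MBR and GPT header for a 33554432-sector (16 GiB) disk.
SAMPLE_PROTECTIVE_MBR = (
    bytes(PARTITION_TABLE_OFFSET)
    + bytes.fromhex("00 000200 ee ffffff 01000000 ffffffff")
    + bytes(48) + BOOT_SIGNATURE
)
SAMPLE_GPT_HEADER = (GPT_SIGNATURE + struct.pack(
    "<IIIIQQQQ16sQIII", 0x00010000, 92, 0, 0, 1, 33554431, 34, 33554398,
    uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le, 2, 128, 128, 0,
)).ljust(SECTOR, b"\x00")

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(f"slot {p.slot}: {p.type_name:<16} LBA {p.lba_start}-{p.lba_end} boot={p.bootable}")
    print("protective:", is_protective_mbr(parse_mbr(SAMPLE_PROTECTIVE_MBR)))
    print(parse_gpt_header(SAMPLE_GPT_HEADER))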
<br />Ethan Fleisher http://www.blogger.com/profile/00806309855263286461 noreply@blogger.com 3<br />
<br />
tag:blogger.com,1999:blog-7792322207109434614.post-1930063814741920706 (published 2013-01-23T18:43:00.000-08:00, updated 2013-02-08T07:15:11.341-08:00)<br />
<b>Capstone Intro: Virtual Desktop Environments</b><br />
<div class="MsoNormal" style="background-color: white; background-position: initial initial; background-repeat: initial initial; margin-bottom: 4.8pt; margin-left: 0.25in;">
<span style="color: #333333; font-family: "Tahoma","sans-serif"; font-size: 10.0pt; mso-fareast-font-family: "Times New Roman";">Capstone is finally here. Almost five years of college later, and it’s all about to end. Time to get cracking on the final project. Ideas were bouncing through my head for quite some time as I debated what I wanted to do. I dabbled in the ideas of Siri, Google Chrome Sync, Samsung Kies, Evernote, and a few other things. Nothing was really grabbing my attention, though, and sucking me in. I wanted my project to be an “all-star” level project with the potential of going to a conference. Fortunately, my professors here at Champlain College know some pretty big-name people in the industry, and a very unique and fun project idea was dropped on me. Corey Harrell sparked the idea a few months ago, thinking about virtual desktop environments, and it was passed down to me through my professor Jon Rajewski. I’d like to give credit to both of them for the project idea, and I can’t wait to see what information I obtain from it in the long run!</span></div>
<div class="MsoNormal" style="background-color: white; background-position: initial initial; background-repeat: initial initial; margin-bottom: 4.8pt; margin-left: 0.25in;">
<br /></div>
<div class="MsoNormal" style="background-color: white; background-position: initial initial; background-repeat: initial initial; margin-bottom: 4.8pt; margin-left: 0.25in;">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><img border="0" height="116" src="http://www.atlantiscomputing.com/images/solutions/soltile_pg_citrix.png" style="margin-left: auto; margin-right: auto;" width="200" /></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Source: AtlantisComputing.com</td></tr>
</tbody></table>
<div class="MsoNormal">
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="color: #333333; font-family: Tahoma, sans-serif; font-size: 10pt; line-height: 115%;">Virtual desktop environments (VDIs) are quickly becoming more popular as businesses attempt to cut costs in different areas while increasing productivity. Employing a VDI automates many processes that networks currently undertake and allows administration of new machines and machine scalability to increase. There are many popular clients in use right now, including VMware, Hyper-V, and Citrix. Though the technology isn't yet widespread and implemented in many corporations, it is important to realize that it very well could be. It is always better to be proactive and already have a set idea of what measures need to be implemented and what data is retrievable ahead of time.</span></div>
</div>
<div style="text-align: left;">
<br /></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://www.virtualizationpractice.com/blog/wp-content/uploads/2011/08/VDIinabox-255x300.png" imageanchor="1" style="display: inline !important; margin-left: auto; margin-right: auto; text-align: center;"><img border="0" height="320" src="http://www.virtualizationpractice.com/blog/wp-content/uploads/2011/08/VDIinabox-255x300.png" width="272" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Source: VirtualizationPractice.com</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal">
<span style="background-position: initial initial; background-repeat: initial initial; color: #333333; font-family: Tahoma, sans-serif; font-size: 10pt; line-height: 115%;">It is also worth explaining here why this project is important. VDIs are definitely the direction that networks, whether small or large, are moving in. It's much easier for a company to purchase multiple $200 thin-client computers and have them remotely connect to a powerful virtual machine than it is to purchase multiple $1,500 machines. Having at the very least a basic understanding of what we as forensicators can obtain from VDIs will be invaluable. Although many people who have been in the industry for a while will probably say they have come across this scenario a handful of times in their career, the answer would be very different in a few years.</span></div>
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="http://www.packetsniffers.com/images/solutions/v-4-single.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="320" src="http://www.packetsniffers.com/images/solutions/v-4-single.png" width="212" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Source: PacketSniffers.com</td></tr>
</tbody></table>
<div class="MsoNormal" style="background-color: white; background-position: initial initial; background-repeat: initial initial; margin-bottom: 4.8pt; margin-left: 0.25in;">
<span style="color: #333333; font-family: "Tahoma","sans-serif"; font-size: 10.0pt; mso-fareast-font-family: "Times New Roman";">While researching VDIs, I plan on using Citrix as my main client. My setup will involve a server using Citrix’s XenServer as the hypervisor, Citrix XenCenter controlling the hypervisor, a Windows Server 2008 R2 domain controller primarily for DHCP, and multiple Windows virtual machines. Windows virtual machines are arguably the most common thin client that will be seen in the workplace. I plan on examining what can be obtained from both persistent and non-persistent VDIs by creating a base scenario/template that will have multiple users accessing different, commonly found artifacts. Ideally, if my time before the project is due permits, I would like to explore what information can be found on the XenServer itself, what may be obtainable through the Windows Server, and what potential information may be available through XenCenter.</span></div>
<div class="MsoNormal" style="background-color: white; background-position: initial initial; background-repeat: initial initial; margin-bottom: 4.8pt; margin-left: 0.25in;">
<span style="color: #333333; font-family: "Tahoma","sans-serif"; font-size: 10.0pt; mso-fareast-font-family: "Times New Roman";"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://support.citrix.com/proddocs/topic/xendesktop-bdx/cds-eval-xpress-system-bdx.png" imageanchor="1" style="display: inline !important; margin-left: auto; margin-right: auto;"><img border="0" height="281" src="http://support.citrix.com/proddocs/topic/xendesktop-bdx/cds-eval-xpress-system-bdx.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Source: support.citrix.com</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal" style="background-color: white; background-position: initial initial; background-repeat: initial initial; margin-bottom: 4.8pt; margin-left: 0.25in;">
<span style="color: #333333; font-family: "Tahoma","sans-serif"; font-size: 10.0pt; mso-fareast-font-family: "Times New Roman";"><br /></span></div>
<div class="MsoNormal" style="background-color: white; background-position: initial initial; background-repeat: initial initial; margin-bottom: 4.8pt; margin-left: 0.25in;">
<span style="color: #333333; font-family: "Tahoma","sans-serif"; font-size: 10.0pt; mso-fareast-font-family: "Times New Roman";">The project outline involves the initial setup, which may take
some time, creating the template scenario, working with both persistent and non-persistent
machines, and ultimately attempting forensics on these machines.<o:p></o:p></span><br />
<br /></div>
<div class="MsoNormal" style="background-color: white; background-position: initial initial; background-repeat: initial initial; margin-bottom: 4.8pt; margin-left: 0.25in;">
<span style="color: #333333; font-family: "Tahoma","sans-serif"; font-size: 10.0pt; mso-fareast-font-family: "Times New Roman";">There is a lot of appeal in this project for me. First and foremost, not much research has been done on the topic to date. This is something that could easily take months and could continue well beyond that, looking for various artifacts and attempting different ways to capture the information. My hope is that I can at least, if nothing else, come to the conclusion that information “A-G” is available on a persistent VDI, maybe no information or only “A-C” is available on a non-persistent one, and “A-Z” is available when the VDI as well as the hypervisor and domain controller are all obtainable. Having the initial research done will help in many future endeavors as the technology becomes much more prevalent and more investigators come across virtual desktop environments. I’m excited to start digging into it; make sure to check back over the next 10 weeks to see my progress!</span></div>
<div class="MsoNormal" style="background-color: white; background-position: initial initial; background-repeat: initial initial; margin-bottom: 4.8pt; margin-left: 0.25in;">
<span style="color: #333333; font-family: "Tahoma","sans-serif"; font-size: 10.0pt; mso-fareast-font-family: "Times New Roman";"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://img.ehowcdn.com/article-new/ehow/images/a07/ct/to/change-client-name-citrix-pnagent-800x800.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://img.ehowcdn.com/article-new/ehow/images/a07/ct/to/change-client-name-citrix-pnagent-800x800.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Source: ehowcdn.com</td></tr>
</tbody></table>
<div class="MsoNormal" style="background-color: white; background-position: initial initial; background-repeat: initial initial; margin-bottom: 4.8pt; margin-left: 0.25in;">
<span style="color: #333333; font-family: "Tahoma","sans-serif"; font-size: 10.0pt; mso-fareast-font-family: "Times New Roman";"><br /></span></div>
<div class="MsoNormal" style="background-color: white; background-position: initial initial; background-repeat: initial initial; margin-bottom: 4.8pt; margin-left: 0.25in;">
<span style="color: #333333; font-family: "Tahoma","sans-serif"; font-size: 10.0pt; mso-fareast-font-family: "Times New Roman";">Please feel free to leave any comments as well and any insight
on where you think this should go!<o:p></o:p></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>Windows 8: Reset and Refresh Artifacts</b></span><br />
Ethan Fleisher, 2012-08-21<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: small;">Note: <span style="font-weight: normal;">The following information is primarily from a paper that I wrote detailing the Windows 8 Reset and Refresh functions. A few pieces have been changed for formatting, but the structure has stayed the same. The sections are broken down in the same manner as the paper.</span></span><br />
<div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: small;"><span style="font-weight: normal;"><br /></span></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>1. Introduction</b></span><br />
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: large;">1.1 Research Problem</span></b><br />
<br />
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Windows 8 ships with a new feature
that will be extremely handy for the average consumer: the Reset and Refresh
function. It lets a user choose
whether to reinstall the OS, quickly reset their entire computer, or
thoroughly reset their entire computer.
A function that has the potential to wipe out data is of extreme
importance to the world of digital forensics, as it could easily make or break
a case. This paper will delve into what
can be found on a machine that has had the refresh, quick reset, or thorough
reset function performed on it. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>2. Refreshed and Reset Machines</b></span><br />
<br />
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Before diving into the
differences between a refreshed machine and a reset machine, the first
important thing to look at is whether or not the machine even had one of the
two functions performed on it. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>2.1 Recovery Directory</b></span><br />
<br />
<div class="MsoNormalCxSpFirst">
<span style="font-family: Arial, Helvetica, sans-serif;">Within the system
recovery volume on a Windows 8 computer, a folder named Recovery can be
found. Within the Recovery folder, a
folder labeled with a GUID will exist.
Three files are located in this folder: Winre.wim, boot.sdi, and
ReAgent.xml. Winre.wim is the Windows
image format file, boot.sdi is the Windows deployment system image, and
ReAgent.xml is the file associated with the recovery environment.
All of this is typical behavior and can be found on any installation of
a Windows 8 machine.<o:p></o:p></span></div>
<div class="MsoNormalCxSpLast" style="page-break-after: avoid;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: black; font-family: Arial, Helvetica, sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitEqlvi8r_L6XwtJWZMedOmkK4c0cssl3aPZ0lT5IJ8QnjNIuONomUJeh8qlol63VX0R2zpFaBkCCjzUDLefaSK0aN8ZdDewYysB7QAU6JkHPQCP6hmsNoTjlLKba5tF5U1pawrxG9QvCg/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitEqlvi8r_L6XwtJWZMedOmkK4c0cssl3aPZ0lT5IJ8QnjNIuONomUJeh8qlol63VX0R2zpFaBkCCjzUDLefaSK0aN8ZdDewYysB7QAU6JkHPQCP6hmsNoTjlLKba5tF5U1pawrxG9QvCg/s1600/1.png" /></a> </span></div>
<div align="center" class="MsoCaptionCxSpLast" style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;">Windows 8 - System Recovery Volume\Recovery\GUID\ReAgent.xml<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">When a Refresh or Reset
is done to a system, a new folder and file can be found in the Recovery folder on
the system volume. The folder, named
Logs, contains a file named Reload.xml.
The information contained within this file remains the same whether
the system was refreshed or reset.<o:p></o:p></span></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglDk5PpDXoBGm6jmVXfNDYxhM68pKkCyHhOs8jeUW-MdKsCgVHMNWV8NuYf0W7BER43SiCslaH3MGGvBosnCT1mk1k9rKrlQyWbWu86wju5UQtkgjcLHD1IA0OcKPQt1-CtTEFc2xC6Rxw/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglDk5PpDXoBGm6jmVXfNDYxhM68pKkCyHhOs8jeUW-MdKsCgVHMNWV8NuYf0W7BER43SiCslaH3MGGvBosnCT1mk1k9rKrlQyWbWu86wju5UQtkgjcLHD1IA0OcKPQt1-CtTEFc2xC6Rxw/s1600/2.png" /></span></a></div>
<div align="center" class="MsoNormalCxSpLast" style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;">Windows 8 – System Recovery Volume\Recovery\Logs\Reload.xml<o:p></o:p></span></div>
<div align="center" class="MsoNormalCxSpLast" style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>3. Refresh vs. Data Generation</b></span><br />
<br />
<div class="MsoNormalCxSpFirst">
<span style="font-family: Arial, Helvetica, sans-serif;">At first glance, there
are three folders that stand out when comparing a refreshed image to one that has
never been refreshed. The Windows
partition contains $SysReset, Windows.old, and Lost Files.<o:p></o:p></span></div>
<div class="MsoNormalCxSpFirst">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheF5r2-LJQWq2A3YOiIiOS9ynnx15Z-2B3GykiLFDlqjrvhdixUN2gaeSx7bajHW-a6l-sgHBzOAnopxeclG_qBES_DLDjGrdJKOJuAqjcz-RgQ-_HT8O9kNV-Tz4rUbTleGCxA2sMzlQN/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheF5r2-LJQWq2A3YOiIiOS9ynnx15Z-2B3GykiLFDlqjrvhdixUN2gaeSx7bajHW-a6l-sgHBzOAnopxeclG_qBES_DLDjGrdJKOJuAqjcz-RgQ-_HT8O9kNV-Tz4rUbTleGCxA2sMzlQN/s1600/3.png" /></span></a></div>
<div class="MsoNormalCxSpMiddle" style="text-align: center;">
<o:p><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></o:p></div>
<div class="MsoNormalCxSpMiddle" style="text-align: center;">
<br /></div>
<div align="center" class="MsoNormalCxSpLast" style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><o:p></o:p></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>4. Lost Files</b></span><br />
<br />
<div class="MsoNormalCxSpFirst">
<span style="font-family: Arial, Helvetica, sans-serif;">To start, we’ll take a
look at the Lost Files folder. This
folder will appear on more than just a system that has been refreshed, but it
is still worth mentioning what it is.
The Lost Files folder contains files that still have an MFT entry on the
system but whose parent folder has been deleted. The files and the folder that contained them were
deleted, and only the parent folder's entry was overwritten. The files within were not
overwritten, however, and their MFT entries are still present. Because the entries are still present,
forensic software is still able to know that the files exist. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;">With that being said, the
Lost Files folder could potentially hold data of forensic value but, in
regard to this Windows 8 paper, is nothing new.<o:p></o:p></span></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>5. $SysReset</b></span><br />
<br />
<div class="MsoNormalCxSpFirst">
<span style="font-family: Arial, Helvetica, sans-serif;">The $SysReset folder
contains a vast amount of information, ranging from log files to migration XML
documents, all of which provide useful information to a forensic investigator.</span></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLk3uLobF2E2fXH0_wqK4-PvK6HspfNxjfpfMC1jToVauo-ORd2R5C7BzE22rTegWXkTx7kUUIH2Jm178bsSNN6lZeCKYZ6lbvyS_oIaYv1qz7VKKV4vaq_PEkXOqQDzyDIVR1O-3T-HPY/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLk3uLobF2E2fXH0_wqK4-PvK6HspfNxjfpfMC1jToVauo-ORd2R5C7BzE22rTegWXkTx7kUUIH2Jm178bsSNN6lZeCKYZ6lbvyS_oIaYv1qz7VKKV4vaq_PEkXOqQDzyDIVR1O-3T-HPY/s1600/4.png" /></span></a></div>
<div align="center" class="MsoNormalCxSpLast" style="text-align: center;">
<o:p><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></o:p></div>
<div align="center" class="MsoNormalCxSpLast" style="text-align: center;">
<br /></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>5.1 Bin Directory</b></span><br />
<br />
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">The bin directory is a rich source of information. Within the bin directory, a
directory named rollback can be found.
It holds three text files that provide information relevant to the
refresh that happened. These files are:<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoListParagraphCxSpFirst" style="margin-left: 38.25pt; text-indent: -0.25in;">
<span style="font-family: Arial, Helvetica, sans-serif;">1.
QuarantineLog.txt<o:p></o:p></span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-left: 38.25pt; text-indent: -0.25in;">
<span style="font-family: Arial, Helvetica, sans-serif;">2.
LogRestore.txt<o:p></o:p></span></div>
<div class="MsoListParagraphCxSpLast" style="margin-left: 38.25pt; text-indent: -0.25in;">
<span style="font-family: Arial, Helvetica, sans-serif;">3.
FolderMoveLog.txt<o:p></o:p></span></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="color: black; font-family: Arial, Helvetica, sans-serif; margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhScSiQcfsqCC7UiQXcPrYa2aB7AEUTk4XSwudw6gXF7iSZxfnN3TCqiJbY8eBWY5m_pIegq2P-XRX-2bqSzndXH3Z03TQiKzXF_v8Az_9T7tL-K-azET3uTJ1WyuQokaWF0hk7fnI4-iQ3/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhScSiQcfsqCC7UiQXcPrYa2aB7AEUTk4XSwudw6gXF7iSZxfnN3TCqiJbY8eBWY5m_pIegq2P-XRX-2bqSzndXH3Z03TQiKzXF_v8Az_9T7tL-K-azET3uTJ1WyuQokaWF0hk7fnI4-iQ3/s1600/5.png" /></a></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>5.1.1 QuarantineLog.txt</b></span><br />
<br />
<div class="MsoNormalCxSpFirst">
<span style="font-family: Arial, Helvetica, sans-serif;">QuarantineLog.txt
displays which folders were saved, and where they were saved. The contents of QuarantineLog.txt are as
follows:<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLVUE8ZMfBlT5kaVeEEPVmlOHk_Iolw-7ujiPZMVSgDviCsqtj3iB1wMYc2iwHw1xxtxri72CJIjYpJM1lGG0Sskzpbr0i1HP4OihJ6JW-SxoksIfOkBLBm8Sorqv2cE2EqyjFzDxcqJ0m/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLVUE8ZMfBlT5kaVeEEPVmlOHk_Iolw-7ujiPZMVSgDviCsqtj3iB1wMYc2iwHw1xxtxri72CJIjYpJM1lGG0Sskzpbr0i1HP4OihJ6JW-SxoksIfOkBLBm8Sorqv2cE2EqyjFzDxcqJ0m/s1600/6.png" /></span></a></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>5.1.2 LogRestore.txt</b></span><br />
<br />
<div class="MsoNormalCxSpFirst">
<span style="font-family: Arial, Helvetica, sans-serif;">LogRestore.txt contains the
location of the migration log from the reset. This will be explained in further detail later.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpLast" style="text-indent: 0.5in;">
<span style="font-family: Arial, Helvetica, sans-serif;">example: D:\$SysReset\Logs\Mig </span></div>
<div class="MsoNormalCxSpLast" style="text-indent: 0.5in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormalCxSpLast" style="text-indent: 0.5in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>5.1.3 FolderMoveLog.txt</b></span><br />
<br />
<div class="MsoNormalCxSpFirst">
<span style="font-family: Arial, Helvetica, sans-serif;">FolderMoveLog.txt
contains a list of all folders that were moved, listing their new location
followed by their previous location. Each entry
is notated in the format: <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle" style="text-indent: 0.5in;">
<span style="font-family: Arial, Helvetica, sans-serif;">New
file location | Previous file location<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDKIpqEPMLA1fH0XB067-Jhyphenhyphen009sx_NLDLY3mvXLy4j8TuNYi5_tVhJ1QxK9wPYwZNStMfp83aGxiNXnoyIn8D0llm6f9qk4Rz_22UCGqRbuFaPpI6z5FRO5mihJXF0DAWG3YYtaNXlv7a/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDKIpqEPMLA1fH0XB067-Jhyphenhyphen009sx_NLDLY3mvXLy4j8TuNYi5_tVhJ1QxK9wPYwZNStMfp83aGxiNXnoyIn8D0llm6f9qk4Rz_22UCGqRbuFaPpI6z5FRO5mihJXF0DAWG3YYtaNXlv7a/s1600/7.png" /></span></a></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;">Within this text file,
entries ranging from typical user document files to Internet favorites and
Metro settings are found. <o:p></o:p></span></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>5.2 Framework Directory</b></span><br />
<br />
<div class="MsoNormalCxSpFirst">
<span style="font-family: Arial, Helvetica, sans-serif;">The framework directory
contains information that does not immediately appear to be very helpful.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;">Within
Framework\Migration\Preserve is a file named Immersive Apps
MigrationMigration.xml. This file
contains information that appears to relate to metro apps. It contains registry key information, as well
as multiple lines stating “rejuvenation”.
These rejuvenation lines relate to:</span></div>
<div class="MsoNormalCxSpLast">
</div>
<ul>
<li><span style="text-indent: -0.25in;"><span style="font-family: Arial, Helvetica, sans-serif;">AppX Payload</span></span></li>
<li><span style="text-indent: -0.25in;"><span style="font-family: Arial, Helvetica, sans-serif;">AppX Licensing</span></span></li>
<li><span style="text-indent: -0.25in;"><span style="font-family: Arial, Helvetica, sans-serif;">Modern Tiles</span></span></li>
<li><span style="text-indent: -0.25in;"><span style="font-family: Arial, Helvetica, sans-serif;">Modern App Data</span></span></li>
<li><span style="text-indent: -0.25in;"><span style="font-family: Arial, Helvetica, sans-serif;">AppX Enterprise Apps Authorization</span></span></li>
<li><span style="text-indent: -0.25in;"><span style="font-family: Arial, Helvetica, sans-serif;">AppX Lock Screen Notifications</span></span></li>
<li><span style="text-indent: -0.25in;"><span style="font-family: Arial, Helvetica, sans-serif;">AppX Application Tamper State Cache</span></span></li>
</ul>
<br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>5.3 Logs Directory</b></span><br />
<br />
<div class="MsoNormalCxSpFirst">
<span style="font-family: Arial, Helvetica, sans-serif;">$SysReset contains a
directory named Logs as well. Within
this directory are multiple log files and XML files defining the migration
process during the refresh, stating where files previously were and where
they currently reside. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;">Within the $SysReset\Logs
directory is a file named MigLog.xml, as well as two subdirectories, Mig and
Rollback. These files are the ones that
appear to be of most importance. <o:p></o:p></span></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>5.3.1 MigLog.xml</b></span><br />
<br />
<div class="MsoNormalCxSpFirst">
<span style="font-family: Arial, Helvetica, sans-serif;">MigLog.xml can be
relatively beneficial in determining basic information about the machine
itself. Information such as the system
name, user name and SID correlation, last access/log-in times, and
Windows mapping schemes can all be found here.
<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">For example, by doing a
simple ctrl-f search for the username that was used, the first hit provided me
with last access, profile path, SID, and the domain that the account was tied
to.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC6XBq6i6DM4uOI4HRt-iie0ICDDgR6pT0QEODe0AqjV1_qfZmZOmDYuAkfkQjV8b0VUUU5jS5OfqsSzet7Y2hhsM10CENPmqm8pGcmgZXOCmsI7AZc4wxhl2TXOsG6jSmzV4d4lV4uNgN/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC6XBq6i6DM4uOI4HRt-iie0ICDDgR6pT0QEODe0AqjV1_qfZmZOmDYuAkfkQjV8b0VUUU5jS5OfqsSzet7Y2hhsM10CENPmqm8pGcmgZXOCmsI7AZc4wxhl2TXOsG6jSmzV4d4lV4uNgN/s1600/8.png" /></span></a></div>
<div class="MsoNormalCxSpMiddle" style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>5.3.2 Logs\Mig Subdirectory</b></span><br />
<br />
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Within the subdirectory Mig are
three files, two logs and one XML file, that provide more information about the
system. These three files are
setupact.log, systemresetplatform.log, and miglog.xml.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>5.3.3 Setupact.log</b></span><br />
<br />
<div class="MsoNormalCxSpFirst">
<span style="font-family: Arial, Helvetica, sans-serif;">Setupact.log holds some
basic information about the system and the setup itself. All user profiles that are present on the
machine at the time of the migration can be located here. By searching for the string “Processing
Profile”, all of the accounts that are migrated over can be found. These range from the system profile to
LocalService and NetworkService, and also the created users themselves. Default locations are mapped for each user as
well.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">The machine name, SID,
and GUID can all also be found in setupact.log.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZJgnrQgdbwyPUP2UdNwKwGMIStNMWuUpil-ZCtaxF1AsLjmM-IO_Gng945DB76c1m3UOfC3MDsf1_KSAV7xU5r47PCbIr3ACyhZwK1ibHiYsEkCg9Cxc3zDfoliOOFi2aAd1LjkCzCLBl/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZJgnrQgdbwyPUP2UdNwKwGMIStNMWuUpil-ZCtaxF1AsLjmM-IO_Gng945DB76c1m3UOfC3MDsf1_KSAV7xU5r47PCbIr3ACyhZwK1ibHiYsEkCg9Cxc3zDfoliOOFi2aAd1LjkCzCLBl/s1600/9.png" /></span></a></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div align="center" class="MsoNormalCxSpMiddle" style="text-align: center;">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">Finally, all apps that
were downloaded from the Windows 8 store and migrated over can be
found. Searching for the string
“STORERECURSIVE” will display them,
giving a list of all applications downloaded from the Windows store.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: black; font-family: Arial, Helvetica, sans-serif; margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2HppSoANAae-foTzNk2vGzmDUwDvhKzLLMlCDersdszNI3k6TN_dXIPQfO8avaUkhoObnjmqZc3FnRAjY-nUnVUKw16UEZ6v6X_HcPWeRdwSl2-c2R5iW2x_ZsxAye9sg0RnMFmmE5Gmw/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2HppSoANAae-foTzNk2vGzmDUwDvhKzLLMlCDersdszNI3k6TN_dXIPQfO8avaUkhoObnjmqZc3FnRAjY-nUnVUKw16UEZ6v6X_HcPWeRdwSl2-c2R5iW2x_ZsxAye9sg0RnMFmmE5Gmw/s1600/10.png" /></a></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
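<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">As an added example that is not part of the original post, the Python triage helper below pulls together the checks described in sections 2.1, 5.1.3 and 5.3.3: it tests a partition root for the post-refresh markers ($SysReset, Windows.old, Recovery\Logs\Reload.xml), parses the "new | previous" entries of $SysReset\bin\rollback\FolderMoveLog.txt, and searches $SysReset\Logs\Mig\setupact.log for the “Processing Profile” and “STORERECURSIVE” strings. The directory tree and log lines it builds in build_sample_image() are constructed for the demo and do not reproduce the real log layouts, which should be checked against the actual files.</span></div>

```python
"""Triage helper for the Windows 8 Refresh/Reset artifacts described in this post.

Added example, not code from the original post. It checks a partition root for
the post-refresh markers ($SysReset, Windows.old, Recovery\\Logs\\Reload.xml),
parses FolderMoveLog.txt ('new | previous' entries) and greps setupact.log for
the strings the post searches for. Sample data in build_sample_image() is
constructed for the demo and does not reproduce the real log line layouts.
"""
import os
import tempfile

MARKER_DIRS = ("$SysReset", "Windows.old")   # folders the post reports after a Refresh
PROFILE_NEEDLE = "Processing Profile"        # setupact.log: migrated user profiles
STORE_NEEDLE = "STORERECURSIVE"              # setupact.log: migrated Windows Store apps


def read_text(path):
    """Read a log as text; Windows setup logs are sometimes UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")


def refresh_indicators(root):
    """Report which 'was it refreshed or reset?' indicators exist under root."""
    found = {name: os.path.isdir(os.path.join(root, name)) for name in MARKER_DIRS}
    reload_xml = os.path.join(root, "Recovery", "Logs", "Reload.xml")
    found["Recovery/Logs/Reload.xml"] = os.path.isfile(reload_xml)
    return found


def parse_folder_move_log(text):
    """FolderMoveLog.txt lines read 'New file location | Previous file location'."""
    moves = []
    for line in text.splitlines():
        if "|" not in line:
            continue  # blank or malformed line
        new_loc, _, old_loc = line.partition("|")
        moves.append((new_loc.strip(), old_loc.strip()))
    return moves


def grep_lines(text, needle):
    """Case-insensitive line search, the scripted equivalent of the post's ctrl-f."""
    needle = needle.lower()
    return [ln.strip() for ln in text.splitlines() if needle in ln.lower()]


def triage(root):
    """Collect refresh indicators and the log extracts for one partition root."""
    report = {"indicators": refresh_indicators(root),
              "moves": [], "profiles": [], "store_apps": []}
    move_log = os.path.join(root, "$SysReset", "bin", "rollback", "FolderMoveLog.txt")
    if os.path.isfile(move_log):
        report["moves"] = parse_folder_move_log(read_text(move_log))
    setupact = os.path.join(root, "$SysReset", "Logs", "Mig", "setupact.log")
    if os.path.isfile(setupact):
        text = read_text(setupact)
        report["profiles"] = grep_lines(text, PROFILE_NEEDLE)
        report["store_apps"] = grep_lines(text, STORE_NEEDLE)
    return report


def build_sample_image():
    """Create a constructed post-refresh directory tree and return its root."""
    root = tempfile.mkdtemp(prefix="win8_refresh_")
    files = {
        os.path.join("Recovery", "Logs", "Reload.xml"): "<Reload/>\n",
        os.path.join("Windows.old", "Users", "alice", "marker.txt"): "",
        os.path.join("$SysReset", "bin", "rollback", "FolderMoveLog.txt"):
            "C:\\Users\\alice\\Documents | C:\\Windows.old\\Users\\alice\\Documents\n"
            "\n"
            "C:\\Users\\alice\\Favorites | C:\\Windows.old\\Users\\alice\\Favorites\n",
        os.path.join("$SysReset", "Logs", "Mig", "setupact.log"):
            # Constructed lines: only the searched-for strings mirror the post.
            "2012-08-20 10:15:02 Processing Profile: S-1-5-18 (SYSTEM)\n"
            "2012-08-20 10:15:02 Processing Profile: S-1-5-21-1111-2222-3333-1001 (alice)\n"
            "2012-08-20 10:15:09 STORERECURSIVE: Contoso.SampleApp_1.0.0.0_neutral\n"
            "2012-08-20 10:15:09 unrelated setup noise\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for key, value in triage(build_sample_image()).items():
        print(key, "->", value)
```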
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>5.3.4 Systemresetplatform.log</b></span><br />
<br />
<div class="MsoNormalCxSpFirst">
<span style="font-family: Arial, Helvetica, sans-serif;">This relatively short
log file contains a couple of pieces of information. Conveniently, like the other logs,
this one also gives timestamps for when the events happened, which can very easily put a date and time to
the refresh. Also, much like
setupact.log, all of the immersive Metro apps that were installed on the system
and migrated over can be found here. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">Perhaps the most
interesting piece of information in this log, though, is where the old registry hives
were unloaded to. These include the
SOFTWARE hive, SYSTEM hive, and NTUSER.dat hives. This is located at the very end of the log.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQTsq41cwbwP7N9Fca5qohC3aKNu-KwcDjXIWTyFrw6-vPN29H2H4wQyvuUqXZXf51uPm8OY38urXREDdak2P-M1RIyqMqjP2kngAi8bpD-pSu88dVOr89zYq0LVk3WBAVLyDWQqDOISo3/s1600/11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQTsq41cwbwP7N9Fca5qohC3aKNu-KwcDjXIWTyFrw6-vPN29H2H4wQyvuUqXZXf51uPm8OY38urXREDdak2P-M1RIyqMqjP2kngAi8bpD-pSu88dVOr89zYq0LVk3WBAVLyDWQqDOISo3/s1600/11.png" /></span></a></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>5.3.5 MigLog.xml</b></span><br />
<br />
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">MigLog.xml contains similar
information to the previous files, including system names, SIDs, domain
names, profile names, mapping information, and more. Any of these logs can be used to gain
information about the system and the migration process, giving investigators
the locations of both the old data and the new migrated locations.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>5.4 MigEngineStore Directory</b></span><br />
<br />
<div class="MsoNormalCxSpFirst">
<span style="font-family: Arial, Helvetica, sans-serif;">The MigEngineStore
directory contains two subdirectories: MachineSpecific and XMLs. The MachineSpecific folder has two files
containing information, migstate.dat and catalog.mig. After
very briefly parsing these, however, it appears that the information
provided is nothing overly new when compared to the other files that have been
found.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;">The XMLs subdirectory
contains two XML files, both of which appear to simply ensure that the system
is set up correctly. Once again, the
information in here may be useful, but it would be extremely situational. <o:p></o:p></span></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>5.5 MigEngineWork and Temp</b></span><br />
<br />
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">The remaining directories in
$SysReset are MigEngineWork and Temp.
With the system I worked on, both of these were empty.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>6. Windows.Old</b></span><br />
<br />
<div class="MsoNormalCxSpFirst">
<span style="font-family: Arial, Helvetica, sans-serif;">The windows.old folder
is an amazing resource. Opening this
folder is almost like opening the computer before the refresh was even
done. When initially drilling through
the folder structure, it appears to resemble exactly that of the previous
computer. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinEv0hOeIRYzWT0bNJ2FS09AAk3oSzRJdpr6bvjZR3WdCW51Iqrvnua393d4nGTrF42iMskQiAi_nDw8oGHpkdzqVZ5sFkLmK0H5i2uT3yfLbpGNUBtAUPJUllqM3Lkf0_tuotffNHGOum/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinEv0hOeIRYzWT0bNJ2FS09AAk3oSzRJdpr6bvjZR3WdCW51Iqrvnua393d4nGTrF42iMskQiAi_nDw8oGHpkdzqVZ5sFkLmK0H5i2uT3yfLbpGNUBtAUPJUllqM3Lkf0_tuotffNHGOum/s1600/12.png" /></span></a></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div align="center" class="MsoNormalCxSpMiddle" style="text-align: center;">
<br /></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;">The simple breakdown of a
few key points and differences looks like this:<o:p></o:p></span></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>6.1 $Recycle.Bin</b></span><br />
<br />
<div class="MsoNormalCxSpFirst">
<span style="font-family: Arial, Helvetica, sans-serif;">Within the $Recycle.Bin
folder, deleted files that were never emptied from the recycle bin can still be
found. However, unlike the current
version of the system, the $R file is not displayed with its file name. Instead, it is simply given the $R
value. However, the metadata is still
present, and the $I file still contains the data itself.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiST-ZFuRlo3daArC0LJfdUDcJIZx8vEjhW2q7Ky7Lnra1GELvFwXnlJOE38VpxdIJxWSpX27vS4S2gqNmS3YaVM4ckTOUKuwulZVrER8a6Shd-i8j2AJenfVqGw54LNoUpOIR1o7us-eMP/s1600/13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiST-ZFuRlo3daArC0LJfdUDcJIZx8vEjhW2q7Ky7Lnra1GELvFwXnlJOE38VpxdIJxWSpX27vS4S2gqNmS3YaVM4ckTOUKuwulZVrER8a6Shd-i8j2AJenfVqGw54LNoUpOIR1o7us-eMP/s1600/13.png" /></span></a></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>6.2 System Volume Information</b></span><br />
<br />
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">This folder cannot be found in
the windows.old directory, only under the new install.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>6.3 Users</b></span><br />
<br />
<div class="MsoNormalCxSpFirst">
<span style="font-family: Arial, Helvetica, sans-serif;">A majority of the data
in each user’s directory can be recovered from a refreshed machine. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">Internet history is
preserved and can be found within here.
Primarily, with Windows 8, we will be looking in a variety of places, including
WebCachev24.dat and the IndexedDB directory within
&lt;user&gt;\appdata\local\microsoft\internet explorer. Other internet-related activity, such as
TypedURLs and TypedURLsTime results from NTUSER.dat, can be recovered as well.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">An interesting key can be
found in NTUSER.dat\software\microsoft\windows\currentversion\settingsync. At this location is a registry value labeled
LastLocalTimeChange. This value is
displayed in big endian hex format. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF-4VBaHm72F_axd2PEfVV6cRm0n-WfPd-sGzbPU3UGOA9gysk_ScBT43yZBND0GNTMD2IXqSQURHKeErj5WU1WmCnWm4f3OrQa3PjwoTSrCgUlI5KXPNK-ELfsRLhTQ0mDqULy9VpytR4/s1600/14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF-4VBaHm72F_axd2PEfVV6cRm0n-WfPd-sGzbPU3UGOA9gysk_ScBT43yZBND0GNTMD2IXqSQURHKeErj5WU1WmCnWm4f3OrQa3PjwoTSrCgUlI5KXPNK-ELfsRLhTQ0mDqULy9VpytR4/s1600/14.png" /></span></a></div>
<div align="center" class="MsoNormalCxSpMiddle" style="text-align: center;">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">When run through DCode,
the value in the above picture yielded Wed, 20 June 2012 16:41:10 UTC. This could help to place the computer in a
specific proximity on a certain date at the very least.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">Because I was logged
into the system under a Microsoft Live account, however, I would be curious to
see if this key exists when only a local account has been used and the
Microsoft Sync was not occurring.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">Each user’s desktop
contains an html file named Removed Apps.
Opening this file shows all removed applications that were installed by
a third party vendor on the machine. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_2tzTjIluUdeMae89PXvTVj3H1gBx4Ck06VU0xCugl7VO0WFsmcu9C4rfXM3vbq_dnnXTPhRGlsLf6IXScoJq84XQps_-x9ieDsogqgwWDCsueMZ_1g6eIg4v0e7C6jzF5sDOyBy72Amk/s1600/15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_2tzTjIluUdeMae89PXvTVj3H1gBx4Ck06VU0xCugl7VO0WFsmcu9C4rfXM3vbq_dnnXTPhRGlsLf6IXScoJq84XQps_-x9ieDsogqgwWDCsueMZ_1g6eIg4v0e7C6jzF5sDOyBy72Amk/s1600/15.png" /></span></a></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div align="center" class="MsoNormalCxSpMiddle" style="text-align: center;">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">All of the user’s
downloads, pictures, videos, and music are also left untouched and intact in
their native folders.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">Taking a glance at
where Windows 7 stored jump list information,
c:\users\&lt;user&gt;\appdata\roaming\microsoft\windows\recent\automaticdestinations,
I was quickly able to find the same information. Many of the pieces of information listed in
here came from recent locations that were touched, including websites,
downloaded files, and pictures.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">All UserAssist
information can be recovered from the windows.old directory as
well.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;">Other items, such as Open/Save
MRUs, LNK files, RunMRU, and LastVisitedMRU, were all found in the same locations
as in Windows 7. <o:p></o:p></span></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>6.4 Windows</b></span><br />
<br />
<div class="MsoNormalCxSpFirst">
<span style="font-family: Arial, Helvetica, sans-serif;">Before diving into
registry hives, the first thing I checked for was the existence of event
logs. To my relief, all of the
computer’s event logs can be located within system32\winevt\logs. Simply exporting them and viewing them in whatever
event log viewer you prefer is all that is necessary.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbfZvv7g0u-z7Tn3fYMfVvwXo2jRbEGIIGU4gWNwyEL8StX7q1Dry0GNajmxX5neYvB-FaaN0at8QG-VjpeEqHO7SffBMahtKpPJc0F8VAq_JVn5jRMwqwRBoRdMYquXeEwaMI3x71UkOq/s1600/16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbfZvv7g0u-z7Tn3fYMfVvwXo2jRbEGIIGU4gWNwyEL8StX7q1Dry0GNajmxX5neYvB-FaaN0at8QG-VjpeEqHO7SffBMahtKpPJc0F8VAq_JVn5jRMwqwRBoRdMYquXeEwaMI3x71UkOq/s1600/16.png" /></span></a></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div align="center" class="MsoNormalCxSpMiddle" style="text-align: center;">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">A quick
glance at the registry also reveals all USB devices that were plugged in.
A quick search for
setupapi.dev.log provided results and allowed me to determine the first
time USB drives were plugged into the system.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;">Other files, such as
prefetch files, system information (e.g. time zone info), and network history
information, can still be found in the same areas as in Windows 7.<o:p></o:p></span></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>7. Reset vs. Data Generation</b></span><br />
<br />
<div class="MsoNormalCxSpFirst">
<span style="font-family: Arial, Helvetica, sans-serif;">At first glance, a
system that has undergone either of the reset functions would appear to hold
very little information.
Unlike the Refresh function, which left behind two folders full of
information (SysReset and Windows.Old), a reset machine appears as though it
is a fresh image. While looking through
the various folders, however, I was able to come across important
artifacts. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;"> <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">The recovery volume of
the system appears to be relatively untouched by the resets done to the
computer. As shown below, the MFT,
$Bitmap, and other important system files were, for the most part, created and
last written to prior to the reset of the computer.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizBIDX4btYV87jYvTR8xexJ3zbXtuytRuDztrg93mERHwLQ8wtdWbRIyFTXh54B6MeQOJqpvDwkYq7zUyp-w-xTwwIxBPV-o-wFu-AGIWQ0mQs0yd0d2kx8DVTj_E7jVFf0EilOTkuOWAF/s1600/17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizBIDX4btYV87jYvTR8xexJ3zbXtuytRuDztrg93mERHwLQ8wtdWbRIyFTXh54B6MeQOJqpvDwkYq7zUyp-w-xTwwIxBPV-o-wFu-AGIWQ0mQs0yd0d2kx8DVTj_E7jVFf0EilOTkuOWAF/s1600/17.png" /></span></a></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">Only a few other pieces
of evidence were found that tie the computer to a date before the reset. Internet history within WebCacheV24.dat can
still be located from before the machine was reset.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmjuf8UNGGkrXIUqEtpsTop6NkEAgdzFX2st1daE3GSrPi7o72I_A0NUa3aQ6wd01c4CYlMJ6InGZp-UW4XZdtDpI0tR_V-mP9qYKtgwVqVzMpQNuewYNssu2THF4XdEvXOZt9WxWWderT/s1600/18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmjuf8UNGGkrXIUqEtpsTop6NkEAgdzFX2st1daE3GSrPi7o72I_A0NUa3aQ6wd01c4CYlMJ6InGZp-UW4XZdtDpI0tR_V-mP9qYKtgwVqVzMpQNuewYNssu2THF4XdEvXOZt9WxWWderT/s1600/18.png" /></span></a></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div align="center" class="MsoNormalCxSpMiddle" style="text-align: center;">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">As noted previously, 36
bytes prior to the Visited: Ethan@http/website (highlighted in blue) is the
timestamp of the visit in big-endian format.
The decoded value of this (DC 60 82 DF 4C 4A CD 01 – big endian) is
equal to Thu, 14 June 2012 16:43:49 UTC.
The computer itself was reset on Wednesday, June 20<sup>th</sup>, 2012.<o:p></o:p></span></div>
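<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">Both stamps discussed above (the LastLocalTimeChange registry value and the 8 bytes sitting before the Visited: string) are 64-bit FILETIME values, and the byte order you read them in decides the date you get. The Python below is an example added here, not code from the original post: it decodes the exact bytes quoted above in both byte orders and reports which reading lands on a plausible date, then pulls the stamp out of a record I construct to match the layout the post describes (reading "36 bytes prior" as "the 8-byte stamp starts 36 bytes before the marker" is my assumption from that description).</span></div>
<br />

```python
"""FILETIME decoding for the registry value and WebCache record discussed above.

Added example, not the post's own code. The 8-byte value 'DC 60 82 DF 4C 4A CD 01'
is the one quoted in the post; the record buffer below is constructed here.
"""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Per the post, the visit timestamp sits 36 bytes before the "Visited: " string.
# Reading that as "the 8-byte stamp starts 36 bytes before the marker" is my assumption.
VISITED_MARKER = b"Visited: "
STAMP_OFFSET_BEFORE_MARKER = 36


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count to a UTC datetime (OverflowError if absurdly large)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_hexdump_filetime(hexdump: str) -> dict:
    """Decode 8 bytes as copied from a hex editor, trying both byte orders.

    On disk (registry and WebCache alike) the value is little-endian, so the
    '<Q' reading is the correct one; the '>Q' reading is decoded too so the
    caller can see that it lands far outside any plausible date. That is the
    sanity check to apply before trusting a hand-decoded stamp or a tool's
    byte-order setting.
    """
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    results = {}
    for label, fmt in (("little-endian", "<Q"), ("big-endian", ">Q")):
        ticks = struct.unpack(fmt, raw)[0]
        try:
            when = filetime_to_datetime(ticks)
        except OverflowError:
            when = None  # year beyond 9999: not a real timestamp in this byte order
        plausible = when is not None and 1980 <= when.year <= 2100
        results[label] = {
            "ticks": ticks,
            "text": when.strftime("%Y-%m-%d %H:%M:%S UTC") if when else None,
            "plausible": plausible,
        }
    return results


def visited_entries(blob: bytes) -> list:
    """Walk a buffer for 'Visited: user@url' strings and decode the stamp before each.

    Returns a list of (visited_string, timestamp_text). A marker that sits too
    close to the start of the buffer for a stamp to precede it is skipped; a
    stamp that does not decode is kept as None so the hit is not lost.
    """
    entries = []
    pos = blob.find(VISITED_MARKER)
    while pos != -1:
        if pos >= STAMP_OFFSET_BEFORE_MARKER:
            ticks = struct.unpack_from("<Q", blob, pos - STAMP_OFFSET_BEFORE_MARKER)[0]
            end = blob.find(b"\x00", pos)
            text = blob[pos + len(VISITED_MARKER):end if end != -1 else len(blob)]
            try:
                stamp = filetime_to_datetime(ticks).strftime("%Y-%m-%d %H:%M:%S UTC")
            except OverflowError:
                stamp = None
            entries.append((text.decode("ascii", "replace"), stamp))
        pos = blob.find(VISITED_MARKER, pos + 1)
    return entries


def build_sample_record(stamp_hex: str, visited: bytes, leading: int = 16) -> bytes:
    """Construct a record in the layout described above: stamp, padding, marker, NUL."""
    stamp = bytes.fromhex(stamp_hex.replace(" ", ""))
    padding = b"\x00" * (STAMP_OFFSET_BEFORE_MARKER - len(stamp))
    return b"\x00" * leading + stamp + padding + visited + b"\x00"


# Constructed sample: the post's bytes in front of a placeholder visit string.
SAMPLE_RECORD = build_sample_record("DC 60 82 DF 4C 4A CD 01",
                                    b"Visited: Ethan@http://www.example.com/")

if __name__ == "__main__":
    for order, info in decode_hexdump_filetime("DC 60 82 DF 4C 4A CD 01").items():
        print(f"{order:14} {info['text']!s:24} plausible={info['plausible']}")
    for visited, stamp in visited_entries(SAMPLE_RECORD):
        print(f"{stamp}  {visited}")
```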
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">Along with this
discovery, the history.IE5 folder contains subdirectories from dates prior to
the reset, yet they all still contain empty container.dat files.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM4H_vEiETVSpjLJC2lOg-Rm4NxrXH9XcZxCPesAxa4letEWJv7nmQnn2Y7Q8HsGfuHqtoPkr1pC8UQURgjlBi1dtW9WM0M76UztY-zxVRLNmB6Nd7jv0JTKjPzCnIpbHzounV0q1CVEmH/s1600/19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM4H_vEiETVSpjLJC2lOg-Rm4NxrXH9XcZxCPesAxa4letEWJv7nmQnn2Y7Q8HsGfuHqtoPkr1pC8UQURgjlBi1dtW9WM0M76UztY-zxVRLNmB6Nd7jv0JTKjPzCnIpbHzounV0q1CVEmH/s1600/19.png" /></span></a></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">Exporting
WebCacheV24.dat and parsing it with EseDbViewer presented user browsing
information as well, dating back to the creation of the virtual machine.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEim0i9ZUhmVTG5bvjTe5nd46ZLDSTerTiDLq4jNPB7U9vp5IbsMnEcLt3Uyt_o4Hjc14jtHPqxc3KI6xW9ujiaPlrz6tEzO1d8Dg1lNm6TebDvfjyI3tzI3873ECGmeUoD5qmKYeNARTxAB/s1600/20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEim0i9ZUhmVTG5bvjTe5nd46ZLDSTerTiDLq4jNPB7U9vp5IbsMnEcLt3Uyt_o4Hjc14jtHPqxc3KI6xW9ujiaPlrz6tEzO1d8Dg1lNm6TebDvfjyI3tzI3873ECGmeUoD5qmKYeNARTxAB/s1600/20.png" /></span></a></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div align="center" class="MsoNormalCxSpMiddle" style="text-align: center;">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">Besides these pieces of
evidence, there isn’t much that can pin the machine back to before the reset
date; at least, not much that I found. Running
log2timeline, however, did provide some information about the system prior to
the reset. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">Unfortunately, most of the information
parsed by log2timeline related only to the system
recovery partition, and more or less showed that a
system existed before the reset occurred.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgN7lH43Y9Ww3WCHNG_z-gKeXASbi6LPILNSn_sq-YwYU4ldwngGmU5ZtSlEUxnQUBT2y50SMx9S0JZY4hKbezQ_cNVZgfQxtOC7Ki2lvTlbAaeHllmyZMdIaaEhqVRbvGKCwL09WzwVRr1/s1600/21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgN7lH43Y9Ww3WCHNG_z-gKeXASbi6LPILNSn_sq-YwYU4ldwngGmU5ZtSlEUxnQUBT2y50SMx9S0JZY4hKbezQ_cNVZgfQxtOC7Ki2lvTlbAaeHllmyZMdIaaEhqVRbvGKCwL09WzwVRr1/s1600/21.png" /></span></a></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div align="center" class="MsoNormalCxSpMiddle" style="text-align: center;">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">With the exception of
these few artifacts, not much else recoverable has been found on the machine. Although it is
somewhat disappointing, the fact that a chunk of internet history still exists
is amazing. The insight from log2timeline
that the system existed on a certain date is also helpful in the
grand scheme of a timeline. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;">Both the quick and
thorough resets left behind the same traces of data. One function did not outperform the other in
terms of data deletion, even when it came to WebCacheV24.dat.<o:p></o:p></span></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>8. Conclusion</b></span><br />
<br />
<div class="MsoNormalCxSpFirst">
<span style="font-family: Arial, Helvetica, sans-serif;">It appears that a system
that was simply refreshed can still provide a plethora of evidence to an
investigator. Seemingly everything about
the machine pre-refresh can be recovered, and is conveniently placed into a
nifty folder named windows.old.
Information in regards to the migration process itself, old mappings
versus new mappings, and the exact date and time of the refresh can be found by
examining the $SysReset folder and checking the specific log and xml files
within. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">All in all, let’s hope
that people will refresh their computer if they perform any of the three
features, or that other artifacts are left behind when more user activity is
done on the computer. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: Arial, Helvetica, sans-serif;">Keep in mind too that all of this testing is being done on the Release Preview. Although I doubt it would change drastically when the release itself hits in a couple of months, it is possible some artifacts may change. </span></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>Attacking WebCacheV24 with EseDbViewer</b></span><br />
Posted by Ethan Fleisher on 2012-07-23 (updated 2013-11-06)<br />
<div class="MsoNormalCxSpFirst" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Internet history on Windows 8, particularly with Microsoft
Internet Explorer v10, has taken a turn from its traditions that we are all
used to. Gone are the days of
index.dat, or so it seems. That’s somewhat of a scary
statement to say, even for someone like myself who has only been around for a
couple years now.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Fortunately, I spend much of my time doing research and
development, always trying to figure out things that can help the world of
forensics. With the help of Jimmy Weg,
I’ve been able to add on to <a href="http://computerforensics.champlain.edu/blog/windows-8-forensics-part-2">my previous research</a> (see hyperlink for details) into WebCacheV24.dat and came
across quite a few things. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Just a few directories down from the old
&lt;user&gt;\appdata\local\microsoft\windows\history directory is a directory
that may be a new good friend, WebCache.
<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYLodX1r2p1MbSqEceGZNqtNTtRENg3F3526RRfncUYaleACv5ZtDZat7GDNChkzMslHRpiE-Jf_rWf29S-jG4_d7APNuwBQqY6OgFYXz2kYeH-lIM0Fy5XOzWx2yf_c3SlRmjBzoLdlCe/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYLodX1r2p1MbSqEceGZNqtNTtRENg3F3526RRfncUYaleACv5ZtDZat7GDNChkzMslHRpiE-Jf_rWf29S-jG4_d7APNuwBQqY6OgFYXz2kYeH-lIM0Fy5XOzWx2yf_c3SlRmjBzoLdlCe/s1600/1.png" /></a></div>
<div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<br /></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Within this folder is a file named WebCacheV24.dat. Before learning of Mark Woan’s EseDbViewer, I
parsed these files manually by their hex values. It was great fun, and I figured out a lot of
information. Most of my initial research
on this can be found on the LCDI blog, if at all interested.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">However, I now wanted to take it to the next level with
EseDbViewer and verify my results against what I had previously found. The first step is obvious: open
WebCacheV24.dat in the program. On the
left side of the window is a Table Name pane:<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHtj1YJckwcFUxsijZwBwVUMS2NbuBPfkISchyphenhyphenc5ahAcwCpUliANfijCoELkch0iFyB_hWeDDJQfMpfNjfyg0L_4tg_mBF0EsKLoBG3YVhGOSFMmjSiTlOzMjMzL_JbOt1iQ3kCKc4fhJM/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHtj1YJckwcFUxsijZwBwVUMS2NbuBPfkISchyphenhyphenc5ahAcwCpUliANfijCoELkch0iFyB_hWeDDJQfMpfNjfyg0L_4tg_mBF0EsKLoBG3YVhGOSFMmjSiTlOzMjMzL_JbOt1iQ3kCKc4fhJM/s1600/2.png" /></a></div>
<div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<br /></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Important information for navigating the tables is
found in the Containers table. All
containers are listed numerically, along with the path of the directory that is
being extracted for that specific table and the name of the type of data being
extracted. For example,
in the following picture, containers 10 and 14 are both being extracted from c:\users\forensicator\appdata\local\microsoft\windows\history\history.ie5\mshist[daterange].<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-QYZn_n1g5l9hbR2kyr61i0k3gqfrKwaLrjYfOhtPFRJGWJk0YAnegnOJ6yLyv1r4DaHa8oNAZFxpuZmU4QWQJQC1dsesonu4DpAhIOOYLh8i7uXxuY61KTCZgCsaoMaacHzDmruxdcoA/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-QYZn_n1g5l9hbR2kyr61i0k3gqfrKwaLrjYfOhtPFRJGWJk0YAnegnOJ6yLyv1r4DaHa8oNAZFxpuZmU4QWQJQC1dsesonu4DpAhIOOYLh8i7uXxuY61KTCZgCsaoMaacHzDmruxdcoA/s1600/3.png" /></a></div>
<div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<br /></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">With an image that holds much more information, there could be
upwards of 50 containers. With
that in mind, it’s quite obvious why the Containers table is very important to
parse before looking into each and every container. For my purposes, I will examine containers 2,
6, 10 and 14.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Before going into the parsing, the following is my documentation
table that I created while visiting websites:<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<table border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse; border: none; mso-border-alt: solid windowtext .5pt; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184;">
<tbody>
<tr>
<td style="border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Website/URL<o:p></o:p></span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Time/Date of Visit<o:p></o:p></span></b></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Opened IE – default page Bing.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">16:28 - 7/18/2012<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">NBA.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">16:28<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Facebook.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">16:28<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Hackintosh.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">16:29<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Bing search: Asrock<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">16:30<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Asrock.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">16:30<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Z77 Extreme6 Specs<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">16:31<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Google.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">16:32<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Google search: asrock z77 extreme6 mac compatibility<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">16:32<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Google search: best mac compatible motherboards 2012<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">16:33<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Macbreaker.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">16:34<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Google search: best mac compatible motherboards 2012<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">16:42<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Macbreaker.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">16:42<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Tonymacx86.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">16:43<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Nba.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">17:00<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Twitter.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">17:01<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td colspan="2" style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 6.65in;" valign="top" width="638"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Opened IE – default page Bing.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">09:08 - 7/19/2012<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Nba.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">09:08<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Tonymacx86.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">09:15<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Newegg.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">09:21<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Tonymacx86.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">09:23<o:p></o:p></span></div>
</td>
</tr>
</tbody></table>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">As one last note, please keep in mind that the containers I am looking at here (2,6,10,14) may change from case to case. This is why parsing the Containers table first is extremely important.</span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">But, without further ado, here goes:</span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;"><br /></span></div>
<h2>
<span style="font-family: 'Times New Roman', serif;"><span style="font-size: large;">Container 2</span><span style="font-size: small;"><o:p></o:p></span></span></h2>
<div class="MsoNormalCxSpFirst">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Container 2 contains information
that looks very similar, at least in terms of syntax, to the information I parsed manually from the
WebCacheV24.dat file. Oddly, though, it is located within users\forensicator\appdata\local\microsoft\windows\history\history.ie5,
which is where the all-containing index.dat file used to live. Instead, that folder now holds a
container.dat file that (in EnCase) appears empty. Apparently not so empty after all. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">The first thing that pops out in
this container is the Bing searches that I performed. It's a pretty easy find; it just takes a little
scrolling.<o:p></o:p></span></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBuIx72idc2ch4e_TJwuwULD8AN6_C3kggpjV3nbqOlZSzkdXYCJENMtQarVQAiJ6D3HVMvBdRlxkofpxlr25Psm6dk1G6uf_jaieVgjzTONwv-o_r0ljSTadKWCa8lyCIFEgG55pankuc/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBuIx72idc2ch4e_TJwuwULD8AN6_C3kggpjV3nbqOlZSzkdXYCJENMtQarVQAiJ6D3HVMvBdRlxkofpxlr25Psm6dk1G6uf_jaieVgjzTONwv-o_r0ljSTadKWCa8lyCIFEgG55pankuc/s1600/4.png" /></a></div>
<div class="MsoNormalCxSpFirst">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">The next thing to do is to check
the time stamps for these and verify them.
Thanks to Jimmy Weg for pointing out that the numbers here are decimal
and need to be converted to hexadecimal, and then run through D-Code or a similar
tool. The time values displayed by
EseDbViewer are shown in the following image: <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyB8TzXLrNfidyMnYnecoS9aflqTFcSDgdnwU1vD3xRYOBG-oi73JHOI4-oDmINraG7UCZshanQKUN6PqCu3eyN9h57qFFso2DAZj14zHCuNeqiMi4Yx6nfRPTG2CLJqqhNoz2BwioyHxt/s1600/5.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyB8TzXLrNfidyMnYnecoS9aflqTFcSDgdnwU1vD3xRYOBG-oi73JHOI4-oDmINraG7UCZshanQKUN6PqCu3eyN9h57qFFso2DAZj14zHCuNeqiMi4Yx6nfRPTG2CLJqqhNoz2BwioyHxt/s1600/5.png" /></a></div>
<div align="center" class="MsoNormalCxSpMiddle" style="text-align: center;">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">For the following times, I am using the values in the fifth row
down, “Visited: Forensicator@http://hackintosh.com/”<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<table border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse; border: none; mso-border-alt: solid windowtext .5pt; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184;">
<tbody>
<tr>
<td style="border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Time Entry<o:p></o:p></span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Decimal<o:p></o:p></span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Hexadecimal<o:p></o:p></span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Actual Time<o:p></o:p></span></b></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Accessed Time<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">129871833391583038<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">1CD65BE8FA24F3E<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Thu, 19 July 2012 09:55:39 -0500<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Modified Time<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">129871169652117654<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">1CD652405ADD096<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Wed, 18 July 2012 15:29:25 -0500<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Sync Time<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">129871833391583038<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">1CD65BE8FA24F3E<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Thu, 19 July 2012 09:55:39 -0500<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Expiry Time<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">129893633652122884<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">1CD7992546B6504<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Mon, 13 August 2012 15:29:25 -0500<o:p></o:p></span></div>
</td>
</tr>
</tbody></table>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">When parsing through this container and the table, it is very
common to find the same value in many places for both Accessed Time and Sync
Time. There are also many instances
where the Expiry Time is listed as 0.
Strangely, though, the accessed/sync times are one hour behind what they
should actually be, in reference to the logs from earlier. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormalCxSpLast" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Another value from these tables that appeared off is Modified
Time. I created this virtual machine for
this testing at 16:00 on July 18<sup>th</sup>, 2012, and logged my first time
opening the browser at 16:28. Despite
this, the time for this entry is thirty (30) minutes before the system was
even created.<o:p></o:p></span></div>
<div class="MsoNormalCxSpLast" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;"><br /></span></div>
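<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Added example, not code from the original post or from any of the tools it mentions: a small Python script that does the conversion described above straight from the decimal values EseDbViewer displays, with no detour through hex and D-Code. The four FILETIME values are copied from the Container 2 table, and the script reproduces that table's hex column and its "Actual Time" column at the -0500 offset the table uses. As an assumption introduced here, not something the post establishes, it also renders the Modified Time at a -0400 offset so the reader can compare it against the browsing log.</span></div>

```python
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Values copied from the Container 2 table in the post (decimal, as EseDbViewer shows them).
CONTAINER2_ENTRY = {
    "Accessed Time": 129871833391583038,
    "Modified Time": 129871169652117654,
    "Sync Time": 129871833391583038,
    "Expiry Time": 129893633652122884,
}


def filetime_to_hex(value):
    """Upper-case hex without a 0x prefix, the form shown in the table's Hexadecimal column."""
    return format(value, "X")


def filetime_to_utc(value):
    """Convert a FILETIME integer to a timezone-aware UTC datetime.

    timedelta carries microsecond precision, so the 100 ns count is reduced to whole
    microseconds first (the last decimal digit is dropped). A value of 0, which the
    post notes is common in Expiry Time, means 'not set' and is returned as None rather
    than as 1601-01-01.
    """
    if value == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def filetime_to_local(value, offset_hours):
    """The same instant in a fixed UTC offset, formatted like the table's Actual Time column."""
    dt = filetime_to_utc(value)
    if dt is None:
        return "0 (not set)"
    local = dt.astimezone(timezone(timedelta(hours=offset_hours)))
    return local.strftime("%a, %d %B %Y %H:%M:%S %z")


def decode_entry(entry, offset_hours=-5):
    """Map each column name to its (hex, formatted local time) pair."""
    return {name: (filetime_to_hex(v), filetime_to_local(v, offset_hours))
            for name, v in entry.items()}


if __name__ == "__main__":
    for name, (hx, when) in decode_entry(CONTAINER2_ENTRY).items():
        print(f"{name:14} {hx:16} {when}")
    # Assumption for comparison only: the same Modified Time instant rendered at -0400.
    print("Modified Time at -0400:",
          filetime_to_local(CONTAINER2_ENTRY["Modified Time"], -4))
```

<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Run it as a script to print the four rows. Because the decimal value is the FILETIME itself, the hex step only matters when the tool you hand the value to expects hex input; converting the integer directly avoids a transcription error between the two forms.</span></div>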
<h2>
<span style="font-family: 'Times New Roman', serif;"><span style="font-size: large;">Container 6</span><span style="font-size: small;"><o:p></o:p></span></span></h2>
<div class="MsoNormal">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; line-height: 115%;">Despite being listed as a container that should hold
history, this container seems to contain mostly cookies at first glance.
Typically on a Windows Vista or
Windows 7 machine, when an index.dat file is found in
…\windows\history\low\history.ie5, it is because UAC is turned on and the
browser is running in Protected Mode. With
default settings, these "low" folders hold all cache, cookies,
and history for the Internet security zone and the Restricted sites security zone. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; line-height: 115%;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; line-height: 115%;">With that being said, this particular container
still contained information mainly relating to cookies, as shown below:<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; line-height: 115%;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyAfZVzmD2YxBFCbyHxNIaByKoUAdo-PgSfno9lWMwsQsjuL8fU7EqP6wPaScH40SIjETPjasDAqon2Logs29ik6hzljYAHFNKWyhQR8nhU3yiDeeqUhHaU01myLz60V1Them5Ad9ZvIW0/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyAfZVzmD2YxBFCbyHxNIaByKoUAdo-PgSfno9lWMwsQsjuL8fU7EqP6wPaScH40SIjETPjasDAqon2Logs29ik6hzljYAHFNKWyhQR8nhU3yiDeeqUhHaU01myLz60V1Them5Ad9ZvIW0/s1600/6.png" /></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<br /></div>
<h2>
<span style="font-family: 'Times New Roman', serif;"><span style="font-size: large;">Container 10</span><span style="font-size: small;"><o:p></o:p></span></span></h2>
<div class="MsoNormal">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; line-height: 115%;">Container 10 holds URL history of the more familiar
kind we have seen before. It is
broken down by daily and weekly periods, similar to how MSHist files
work. Container 10, in this instance,
held the web browsing history for the date range of 07-18-2012 to 07-19-2012.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; line-height: 115%;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; line-height: 115%;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiezc731C4nRWgVA-hxR7qAxrqlCSmAZEcrgOPraPXnDUKGvd5i-cc8f-PpM8ORJ50XmiXlCHNLRKfURm4u1OzkdM3EQFtTCVkANK1Vh2-Oy-5UYo1ehy4cslybzKOQj0tx9Jp-wRl1AnhP/s1600/7.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiezc731C4nRWgVA-hxR7qAxrqlCSmAZEcrgOPraPXnDUKGvd5i-cc8f-PpM8ORJ50XmiXlCHNLRKfURm4u1OzkdM3EQFtTCVkANK1Vh2-Oy-5UYo1ehy4cslybzKOQj0tx9Jp-wRl1AnhP/s1600/7.png" /></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; line-height: 115%;">The information in the
following table pertains to the time values for the top row, 2012071820120719:
Forensicator@ Host: www.bing.com:<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; line-height: 115%;"><br /></span></div>
<div align="center">
<table border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse; border: none; mso-border-alt: solid windowtext .5pt; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184;">
<tbody>
<tr>
<td style="border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Time Entry<o:p></o:p></span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Decimal<o:p></o:p></span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Hexadecimal<o:p></o:p></span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Actual Time<o:p></o:p></span></b></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Accessed Time<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">129871168894599004<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin: 0in 0in 0.0001pt 0.5in; text-indent: -0.5in;">
<br /></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">1CD6523D886FF5C<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Wed, 18 Jul 2012 15:28:09 -0500 UTC<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Modified Time<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">129870916894440000<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">1CD64E92C25BA40<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Wed, 18 Jul 2012 8:28:09 -0500 UTC<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Sync Time<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">129871168894599004<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">1CD6523D886FF5C<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Wed, 18 Jul 2012 15:28:09 -0500 UTC<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 3.85pt; mso-yfti-irow: 4; mso-yfti-lastrow: yes;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: 3.85pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Expiry Time<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 3.85pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">0<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 3.85pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">0<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 3.85pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">N/A<o:p></o:p></span></div>
</td>
</tr>
</tbody></table>
</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">Once again, the confusing thing
about this is the time that is being tracked.
It places the accessed, modified, and sync times all before
the system was ever booted, and the accessed/sync times are again one hour behind
the time they should be.<o:p></o:p></span></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;"><br /></span></div>
<h2>
<span style="font-family: 'Times New Roman', serif;"><span style="font-size: large;">Container 14</span><span style="font-size: small;"><o:p></o:p></span></span></h2>
<div class="MsoNormalCxSpFirst" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Container 14 holds the same kind of content as container 10,
except that it covers a different day.
This is the same notion as the MSHist index.dat
files a user would get, which are separated by date. Once
again, all timestamps in this table are still an hour off.<o:p></o:p></span></div>
<div class="MsoNormalCxSpLast" style="margin-bottom: 0.0001pt;">
<br /></div>
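<div class="MsoNormal">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">The FILETIME arithmetic behind the Decimal, Hexadecimal and Actual Time columns, as an added example that is not part of the original post or its tooling: the helper names, the fixed UTC-5 and UTC-4 offsets and the decimal/hex cross-check are my own choices, and the tick values are copied from the Container 10 table above and the Test Round 2 table below. A FILETIME is a count of 100-nanosecond ticks since 1601-01-01 00:00:00 UTC, so 129871168894599004 is 2012-07-18 20:28:09 UTC regardless of which converter reads it; the table's 15:28:09 is that instant rendered at UTC-5, and the same instant at UTC-4 (the daylight-time offset of a US Eastern zone in July) is 16:28:09, which lines up with the 16:28 logged above. The block also splits an MSHist-style container name such as 2012071820120719 into its start and end dates.</span></div>

```python
"""Decode IE10 WebCacheV01.dat container timestamps (added example).

The Accessed/Modified/Sync columns are Windows FILETIME values: a 64-bit count
of 100-nanosecond ticks since 1601-01-01 00:00:00 UTC. A converter only yields
a local time once it applies a UTC offset, so one tick value renders an hour
apart under a standard-time and a daylight-time offset for the same zone.
"""
from datetime import date, datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ticks):
    """Return the aware UTC datetime for a FILETIME tick count, or None for 0
    (the containers store 0 where nothing was recorded, e.g. Expiry Time)."""
    ticks = int(ticks)
    if ticks == 0:
        return None
    # Integer division drops the sub-microsecond part of each 100 ns tick.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_filetime(text, base=10):
    """Parse the Decimal (base=10) or Hexadecimal (base=16) column as written."""
    return int(text.strip(), base)


def at_offset(dt_utc, offset_hours):
    """Render a UTC datetime at a fixed offset, in the 'Actual Time' column style."""
    tz = timezone(timedelta(hours=offset_hours))
    return dt_utc.astimezone(tz).strftime("%a, %d %b %Y %H:%M:%S %z")


def parse_mshist_range(container_name):
    """Split an MSHist-style name (YYYYMMDDYYYYMMDD) into start and end dates;
    '2012071820120719' covers 2012-07-18 to 2012-07-19."""
    digits = container_name.strip()
    if len(digits) != 16 or not digits.isdigit():
        raise ValueError("expected 16 digits: start date followed by end date")
    start = date(int(digits[0:4]), int(digits[4:6]), int(digits[6:8]))
    end = date(int(digits[8:12]), int(digits[12:14]), int(digits[14:16]))
    if end < start:
        raise ValueError("end date precedes start date")
    return start, end


def decode_row(decimal_text, hex_text):
    """Cross-check the Decimal and Hexadecimal columns of one table row and
    return the UTC instant plus the same instant at UTC-5 and UTC-4 (the
    standard- and daylight-time offsets of one US zone; assumed for the demo)."""
    ticks = parse_filetime(decimal_text, 10)
    if ticks != parse_filetime(hex_text, 16):
        raise ValueError("decimal and hexadecimal columns disagree")
    utc = filetime_to_utc(ticks)
    return {"utc": utc, "minus5": at_offset(utc, -5), "minus4": at_offset(utc, -4)}


# Tick values copied from the page: Container 10 (Accessed and Modified rows)
# and the Test Round 2 table (Accessed row). The MSHist name is the row label.
CONTAINER10_ACCESSED = ("129871168894599004", "1CD6523D886FF5C")
CONTAINER10_MODIFIED = ("129870916894440000", "1CD64E92C25BA40")
ROUND2_ACCESSED = ("129875273668344960", "1CD68DF901BBC80")

if __name__ == "__main__":
    for label, row in (("C10 accessed", CONTAINER10_ACCESSED),
                       ("C10 modified", CONTAINER10_MODIFIED),
                       ("Round 2 accessed", ROUND2_ACCESSED)):
        r = decode_row(*row)
        print(label, r["utc"].isoformat(), "|", r["minus5"], "|", r["minus4"])
    print(parse_mshist_range("2012071820120719"))
```

<div class="MsoNormal">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Which offset applies, and whether daylight time was in effect, is a property of the VM's time-zone setting and of the converter, not of the stored tick value. When every timestamp in a table is uniformly one hour off, the first check is therefore to compare the raw UTC decode against the zone shown in the time-settings screenshot rather than against the converter's rendered local time.</span></div>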
<h2>
<span style="font-family: 'Times New Roman', serif;"><span style="font-size: large;">Test Round 2</span></span></h2>
<div class="MsoNormalCxSpFirst">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">So, because my time stamps were
consistently one hour off the first time I did this, I decided to test again and
again. The following table and screenshots
all come from my third round of testing, and yield the same results (timestamps
being one hour off) as the first two tests.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">Time settings for the Windows 8
virtual machine:<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjewmi4R6nFseB6wAlaBoUMHRFVFfJTdgxn9S1f0CvMbA3jTCVNiIk7jStT1jGhx7F6WTWaml5XOK4lsiWZlIlEeFMwK3LXhN6umghAcuhcZxEjDFUn4VQTFXRnMK_XIYRlZ07SZaxSN7tw/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjewmi4R6nFseB6wAlaBoUMHRFVFfJTdgxn9S1f0CvMbA3jTCVNiIk7jStT1jGhx7F6WTWaml5XOK4lsiWZlIlEeFMwK3LXhN6umghAcuhcZxEjDFUn4VQTFXRnMK_XIYRlZ07SZaxSN7tw/s1600/8.png" /></a></div>
<div align="center" class="MsoNormalCxSpMiddle" style="text-align: center;">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">The following table is my
documented browsing information for this test.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<table border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse; border: none; mso-border-alt: solid windowtext .5pt; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184;">
<tbody>
<tr>
<td style="border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Website/URL<o:p></o:p></span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Time/Date of Visit<o:p></o:p></span></b></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Opened IE – default page Bing.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">10:26 - 7/23/2012<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Newegg.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">10:29<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Facebook.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">10:37<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Opened new IE – default page Bing.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">10:50<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Woot.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">10:51<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Computerforensics.champlain.edu<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">10:56<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Nba.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">10:56<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Google.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">10:59<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Google Search: </span><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">computer and digital forensics research topics</span><span style="font-family: 'Times New Roman', serif; font-size: 12pt;"><o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">10:59<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Forensicfocus.com<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 239.4pt;" valign="top" width="319"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">11:00<o:p></o:p></span></div>
</td>
</tr>
</tbody></table>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">Due to there only being one day
of brief internet browsing on this machine, the Containers table only lists one
container directly linking to an MSHist directory.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLYxRgvmAWNWbnZYz9BFI69bQfhDWoh8Rz3PXy78h1aVEGwwzoqv_isj-i0WB4NiYbdzgTCoLpNa3RD0P5VX-xHlNl8XJniXnfwB-_70wRyiVvWhqWv9-4QdFa20Qh8L-OEkERF3Xvammy/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLYxRgvmAWNWbnZYz9BFI69bQfhDWoh8Rz3PXy78h1aVEGwwzoqv_isj-i0WB4NiYbdzgTCoLpNa3RD0P5VX-xHlNl8XJniXnfwB-_70wRyiVvWhqWv9-4QdFa20Qh8L-OEkERF3Xvammy/s1600/9.png" /></a></div>
<div align="center" class="MsoNormalCxSpMiddle" style="text-align: center;">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">The container directly linked to
MSHist, in this instance, was once again container 10. The following image shows this table, sorted
by Access Time in descending order. As
shown, it follows the same order that I documented. <o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL2oLJtyZ3Fy2Y0HD3MV0kNCTk5xx_ZZi4IBTsQPEmvkcU34KcsxnxgpghejQ-k92RSIMWq7gTJeLgFoYxTIa-EteN9WtlaS7Hhuwlc5uBxFd0gJIkQ0mLg0UAGFDDxNgB0htZMCAKjSUT/s1600/10.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL2oLJtyZ3Fy2Y0HD3MV0kNCTk5xx_ZZi4IBTsQPEmvkcU34KcsxnxgpghejQ-k92RSIMWq7gTJeLgFoYxTIa-EteN9WtlaS7Hhuwlc5uBxFd0gJIkQ0mLg0UAGFDDxNgB0htZMCAKjSUT/s1600/10.png" /></a></div>
<div align="center" class="MsoNormalCxSpMiddle" style="text-align: center;">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpMiddle">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">For this timestamp test, we will use
the third entry down, 2012072320120724: ethanf@http://www.newegg.com/.<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div align="center">
<table border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse; border: none; mso-border-alt: solid windowtext .5pt; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184;">
<tbody>
<tr>
<td style="border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Time Entry<o:p></o:p></span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Decimal<o:p></o:p></span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Hexadecimal<o:p></o:p></span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div align="center" class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt; text-align: center;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Actual Time<o:p></o:p></span></b></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Accessed Time<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">129875273668344960<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin: 0in 0in 0.0001pt 0.5in; text-indent: -0.5in;">
<br /></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">1CD68DF901BBC80<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Mon, 23 July 2012 09:29:26 -0500<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Modified Time<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">129875129668340000<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">1CD68BE090A0920<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Mon, 23 July 2012 05:29:26 -0500<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Sync Time<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">129875273668344960<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">1CD68DF901BBC80<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Mon, 23 July 2012 09:29:26 -0500<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 3.85pt; mso-yfti-irow: 4; mso-yfti-lastrow: yes;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: 3.85pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Expiry Time<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 3.85pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">129897737668350190<o:p></o:p></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<br /></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 3.85pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">1CD7D4DDED950EE<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 3.85pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 119.7pt;" valign="top" width="160"><div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Sat, 18 August 2012 09:29:26 -0500<o:p></o:p></span></div>
</td>
</tr>
</tbody></table>
</div>
<div class="MsoNormalCxSpMiddle">
<br /></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">Once again, the timestamps from
this are one hour behind what I documented.
<o:p></o:p></span></div>
<div class="MsoNormalCxSpLast">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;"><br /></span></div>
<h2>
<span style="font-family: 'Times New Roman', serif;"><span style="font-size: large;">Conclusions</span><o:p></o:p></span></h2>
<div class="MsoNormalCxSpFirst" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman', serif; font-size: 12pt;">It's great to have a lot of progress on the WebCachev24.dat files,
personally. I had been trying to parse them at the hex level for a VERY
long time. What a relief. The
frustrating part, now, is determining why it is giving me timestamps from
before the machine was even created, and why the accessed time timestamps are
all one hour off. I made sure that the
virtual machine was set to -0500 UTC, my machine was set to -0500 UTC, and
DCode was set to -0500 UTC. Even so, all
my times are still coming up one hour before the time I actually accessed the
websites.<span style="font-size: small;"><o:p></o:p></span></span></div>
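Converting the table's FILETIME values in code, as an added example that is not the author's DCode workflow: it cross-checks the decimal and hexadecimal columns, renders each value in the table's own format at a chosen fixed UTC offset, and measures the intervals between entries. The sample rows are copied from the table above.

```python
"""Convert Windows FILETIME values, as exported from WebCacheV24.dat, into
readable timestamps. Added example, not the author's DCode workflow; the
sample values are the Accessed / Modified / Expiry rows of the table above."""
from datetime import datetime, timedelta, timezone

# A FILETIME is a 64-bit count of 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# Constructed sample: the three rows of the table above (decimal, hex).
SAMPLE_ROWS = {
    "Accessed": ("129875273668344960", "1CD68DF901BBC80"),
    "Modified": ("129875129668340000", "1CD68BE090A0920"),
    "Expiry":   ("129897737668350190", "1CD7D4DDED950EE"),
}


def parse_filetime(text, base=10):
    """Parse a FILETIME given as a decimal (base 10) or hex (base 16) string.
    The base is explicit because a hex value made only of digits would
    otherwise be silently misread as decimal."""
    cleaned = text.strip().lower()
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    ticks = int(cleaned, base)
    if not 0 <= ticks < 2 ** 64:
        raise ValueError(f"FILETIME out of 64-bit range: {ticks}")
    return ticks


def filetime_to_utc(ticks):
    """Split ticks into whole seconds and a sub-second remainder so the
    conversion stays exact on the seconds; timedelta only carries
    microseconds, so the last digit of the 100 ns count is dropped."""
    seconds, rest = divmod(ticks, TICKS_PER_SECOND)
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=rest // 10)


def format_at_offset(dt_utc, offset_hours):
    """Render a UTC datetime at a fixed UTC offset in the table's format,
    e.g. 'Mon, 23 July 2012 09:29:26 -0500'."""
    local = dt_utc.astimezone(timezone(timedelta(hours=offset_hours)))
    return local.strftime("%a, %d %B %Y %H:%M:%S %z")


def columns_agree(decimal_text, hex_text):
    """Cross-check the tool's decimal and hexadecimal columns: both must
    describe the same tick count."""
    return parse_filetime(decimal_text, 10) == parse_filetime(hex_text, 16)


def ticks_between(earlier_ticks, later_ticks):
    """Exact interval between two FILETIMEs as a timedelta (microsecond
    precision; the 100 ns digit is dropped)."""
    seconds, rest = divmod(later_ticks - earlier_ticks, TICKS_PER_SECOND)
    return timedelta(seconds=seconds, microseconds=rest // 10)


def render_table(rows, offset_hours):
    """Build {name: rendered time} for every row, refusing any row whose
    decimal and hex columns disagree."""
    out = {}
    for name, (dec, hx) in rows.items():
        if not columns_agree(dec, hx):
            raise ValueError(f"{name}: decimal and hex columns differ")
        ticks = parse_filetime(dec, 10)
        out[name] = format_at_offset(filetime_to_utc(ticks), offset_hours)
    return out


if __name__ == "__main__":
    # The same instants rendered at -0500 and at -0400: a uniform one-hour
    # shift is what a standard-time versus daylight-time offset choice
    # looks like in the output.
    for offset in (-5, -4):
        print(f"UTC{offset:+03d}:00")
        for name, rendered in render_table(SAMPLE_ROWS, offset).items():
            print(f"  {name:<9} {rendered}")
    accessed = parse_filetime(SAMPLE_ROWS["Accessed"][0])
    expiry = parse_filetime(SAMPLE_ROWS["Expiry"][0])
    print("Expiry - Accessed:", ticks_between(accessed, expiry))
```

Rendering the same instant at -0500 and -0400 shows that a one-hour shift in every timestamp is the signature of a standard-time versus daylight-time offset choice, which is worth ruling out before treating the skew as a database artifact.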
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<div class="MsoNormalCxSpMiddle" style="margin-bottom: 0.0001pt;">
<span style="font-family: Times, Times New Roman, serif;">One more kink in my never-ending road of turmoil with MSIEv10
history files. The other item that I haven’t
been able to check with this system yet is the <span style="background-color: white;">NoQuota.edb</span>
file within &lt;user&gt;\appdata\local\microsoft\internet explorer\Indexed DB. MSDN refers to Indexed DB as “<span style="background-color: white;">… a </span>W3C
Working Draft that enables you to store, search, and retrieve data on
the user's device, even when Internet
connectivity is disabled. IndexedDB is a
feature of the Web platform shared by IE10 and Metro style apps in the Windows
8 Consumer Preview.” A user also has the
ability to set a quota on the amount of data that is stored on the device
itself. These quotas, however, do not
apply to Metro apps, nor did I set any quotas on this machine itself. Therefore, being able to parse this database should
give me more information relevant to internet history. As I stated in my previous blog post though,
I have been unable to run esentutl to fix the database and actually parse it. </span><span style="font-family: 'Times New Roman', serif; font-size: 12pt;"><o:p></o:p></span></div>
Ethan Fleisherhttp://www.blogger.com/profile/00806309855263286461noreply@blogger.com7tag:blogger.com,1999:blog-7792322207109434614.post-33881314868047526232012-07-18T12:50:00.001-07:002012-07-18T12:50:45.362-07:00Incoming PostsMost of my initial research into the refresh and reset functions is complete. It took a while, as I've been managing many other projects at work, but within the next couple days expect to see a few blog posts up on here and on the <a href="http://computerforensics.champlain.edu/blog">LCDI blog</a> in regards to my work. <div>
<br /></div>
<div>
On a side note, I was recently in contact with Jimmy Weg, author of <a href="http://justaskweg.com/">http://justaskweg.com</a>, in regards to some of my prior Windows 8 research. He kindly pointed out that Windows 8 is storing MSIE history within ESE databases and recommended parsing them with Mark Woan's <a href="http://www.woanware.co.uk/?page_id=89">EseDbViewer</a>. As such, I popped my WebCachev24.dat file into the program, and it shot out a great amount of results to me. </div>
<div>
<br /></div>
<div>
It's great to have a lot of progress on the WebCachev24.dat files, personally. I had been trying to parse them at the hex level for a VERY long time. What a relief. Expect a blog post on this soon too, lots of testing to be set up.</div>
<div>
<br /></div>
<div>
Now, though, I am once again stumped with something else. Located within the user directory, &lt;user&gt;\appdata\local\microsoft\internet explorer\Indexed DB, is a file named NoQuota.edb. Within this file, from a purely hex view, some internet history related items can be found, mostly (without having thoroughly tested yet) seeming related to Metro browsing. When attempting to open this with EseDbViewer, however, I get an error that it needs to be repaired. So, I open up the command line, run esentutl /r on it, and get an API parameter error. I thought it was maybe a Windows 7 vs. Windows 8 issue, and attempted to do it on both a Windows 8 VM as well as the native machine the EDB file came from, but continually got API parameter errors. At this point, I'm stumped. </div>
<div>
<br /></div>
<div>
The error reads: </div>
<div>
<br /></div>
<div>
<div>
Initiating RECOVERY mode...</div>
<div>
Logfile base name: c:\users\efleisher\desktop\noquota.edb</div>
<div>
Log files: &lt;current directory&gt;</div>
<div>
System files: &lt;current directory&gt;</div>
<div>
<br /></div>
<div>
Operation terminated with error -1003 (JET_errInvalidParameter, Invalid API parameter) after 0.0 seconds.</div>
</div>
<div>
<br /></div>
<div>
Suggestions?</div>Ethan Fleisherhttp://www.blogger.com/profile/00806309855263286461noreply@blogger.com0tag:blogger.com,1999:blog-7792322207109434614.post-76344767060887575512012-06-19T12:10:00.001-07:002012-06-20T10:57:23.021-07:00Windows 8 Reset and Refresh<span style="font-family: Georgia, 'Times New Roman', serif;">Finally getting to start working on the Windows 8 Reset and Refresh features. I started this project about 2 weeks ago and took a good 3 day chuck of time to generate data. I had high hopes of being able to smoothly go through the reset and refresh features without issue - but of course that just wouldn't be right. I went to do the refresh, and it popped an error. Reverted back to a snapshot, went to do reset - same thing again. Finally did a full reset on it, and it brought it back to consumer preview - so I was pretty annoyed. </span><br />
<span style="font-family: Georgia, 'Times New Roman', serif;"><br /></span><br />
<span style="font-family: Georgia, 'Times New Roman', serif;">After looking at multiple things, I decided to step back and take a look at what was going on. I reviewed a few things, and finally checked the hash of the files I originally downloaded - lo and behold, they were off. I did some quick research and discovered that Google Chrome sometimes has issues with downloads over 2GB, and quickly went to download the ISOs in Firefox instead. Finally, it installed flawlessly and I was off and running. 4 days and a lot of data generation, and I'm ready to start my reset and refresh project. Here's the outline:</span><br />
<br />
<br />
<ol>
<li><span style="font-family: Georgia, 'Times New Roman', serif;">Create a clean Windows 8 virtual machine</span></li>
<li><span style="background-color: white; font-family: Georgia, 'Times New Roman', serif;">Create a forensic image of this Windows 8 machine</span></li>
<li><span style="background-color: white; font-family: Georgia, 'Times New Roman', serif;">Generate user data on the virtual machine, including but not limited to: internet browsing, USB activity, application activity, downloads, metro activity, social media activity, and more.</span></li>
<li><span style="background-color: white; font-family: Georgia, 'Times New Roman', serif;">Create a forensic image of the machine with generated traffic</span></li>
<li><span style="background-color: white; font-family: Georgia, 'Times New Roman', serif;">Take a snapshot of the virtual machine to revert back to</span></li>
<li><span style="background-color: white; font-family: Georgia, 'Times New Roman', serif;">Perform the refresh function </span></li>
</ol>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdz5ic7PrQkC92ZmuKqyaHm0l8Ay59AvUgs6yNZs2rQprPsbVKLamxiMRe85CQG5rX1Xov2sPrKDvLVnEgUne2tlt2hPe4sVSwftW_yhQVKj-2lQbaOB041Fea2otfhd8plCrGqF8aE_rY/s1600/refresh.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdz5ic7PrQkC92ZmuKqyaHm0l8Ay59AvUgs6yNZs2rQprPsbVKLamxiMRe85CQG5rX1Xov2sPrKDvLVnEgUne2tlt2hPe4sVSwftW_yhQVKj-2lQbaOB041Fea2otfhd8plCrGqF8aE_rY/s640/refresh.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Georgia, 'Times New Roman', serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP2Ye_9Q0RrvAElM6nLvVEywvLrBt4pe3OQ5-to6B3LC0uzLCoQzTd68pQE9aFb0CfPrl5V8Z-i5rmsWZhm1wqHLNjKhdDDZe3V5Ok8QzafP-qhlndaPXGlVlSQxyfKkh-QF9VbWUNGatX/s1600/refresh+go.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP2Ye_9Q0RrvAElM6nLvVEywvLrBt4pe3OQ5-to6B3LC0uzLCoQzTd68pQE9aFb0CfPrl5V8Z-i5rmsWZhm1wqHLNjKhdDDZe3V5Ok8QzafP-qhlndaPXGlVlSQxyfKkh-QF9VbWUNGatX/s640/refresh+go.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="background-color: white;"><span style="font-family: Georgia, 'Times New Roman', serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white;"><span style="font-family: Georgia, 'Times New Roman', serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Georgia, 'Times New Roman', serif;"><span style="background-color: white;"> 7. </span><span style="background-color: white;">Forensic image of the machine after this is complete </span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white;"><span style="font-family: Georgia, 'Times New Roman', serif;"> 8. Revert back to snapshot, perform reset function - quick</span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white;"><span style="font-family: Georgia, 'Times New Roman', serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWfaW14CvQK4928emi2YnpA5qBkDT0Z1Dbof5axL6Mpze5JaqIo2MlhuPXX21ThLva5pqBB3z5fpzU8W_6v8odpzbLr35JBwJ3hNYO4SdsEJqvhkjpU82ynIQLCNXy1riGBVxs1IcIfsfR/s1600/just+remove+files+option.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Georgia, 'Times New Roman', serif;"><img border="0" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWfaW14CvQK4928emi2YnpA5qBkDT0Z1Dbof5axL6Mpze5JaqIo2MlhuPXX21ThLva5pqBB3z5fpzU8W_6v8odpzbLr35JBwJ3hNYO4SdsEJqvhkjpU82ynIQLCNXy1riGBVxs1IcIfsfR/s640/just+remove+files+option.png" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Georgia, 'Times New Roman', serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnHhPIBOlz6NwlA5frL5B4dp4KuzJcmeuwL8ttNhUjPLb3W2Kg7VTc3iswhPC7zBYuSH_cmxV_YrC9hZzeOeZFwJQxfiZT15peSpfgCMyNluhP9sog237dzItUetPBAcvrA6QF3Md7UnY6/s1600/reset+options.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Georgia, 'Times New Roman', serif;"><img border="0" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnHhPIBOlz6NwlA5frL5B4dp4KuzJcmeuwL8ttNhUjPLb3W2Kg7VTc3iswhPC7zBYuSH_cmxV_YrC9hZzeOeZFwJQxfiZT15peSpfgCMyNluhP9sog237dzItUetPBAcvrA6QF3Md7UnY6/s640/reset+options.png" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Georgia, 'Times New Roman', serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWfaW14CvQK4928emi2YnpA5qBkDT0Z1Dbof5axL6Mpze5JaqIo2MlhuPXX21ThLva5pqBB3z5fpzU8W_6v8odpzbLr35JBwJ3hNYO4SdsEJqvhkjpU82ynIQLCNXy1riGBVxs1IcIfsfR/s1600/just+remove+files+option.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Georgia, 'Times New Roman', serif;"><img border="0" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWfaW14CvQK4928emi2YnpA5qBkDT0Z1Dbof5axL6Mpze5JaqIo2MlhuPXX21ThLva5pqBB3z5fpzU8W_6v8odpzbLr35JBwJ3hNYO4SdsEJqvhkjpU82ynIQLCNXy1riGBVxs1IcIfsfR/s640/just+remove+files+option.png" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="background-color: white;"><span style="font-family: Georgia, 'Times New Roman', serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white;"><span style="font-family: Georgia, 'Times New Roman', serif;"> 9. Forensic image of the machine after this is complete </span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white;"><span style="font-family: Georgia, 'Times New Roman', serif;"> 10. Revert back to snapshot, perform reset function - thorough</span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white;"><span style="font-family: Georgia, 'Times New Roman', serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8o08-Q_H3jdaojJ75i6ESGXFBuY4KovgI5_KBwcR5KaclQ8lj3gGNouXG3uHDE8-CA3ci6VYw0T5h6gold8MUpSAOEgqiMH0Dbp4i1v2HFwzxrVwx-0J1668Ge-NqKPfPlRwCv-Nxu2BQ/s1600/thorough+reset.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Georgia, 'Times New Roman', serif;"><img border="0" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8o08-Q_H3jdaojJ75i6ESGXFBuY4KovgI5_KBwcR5KaclQ8lj3gGNouXG3uHDE8-CA3ci6VYw0T5h6gold8MUpSAOEgqiMH0Dbp4i1v2HFwzxrVwx-0J1668Ge-NqKPfPlRwCv-Nxu2BQ/s640/thorough+reset.png" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="background-color: white;"><span style="font-family: Georgia, 'Times New Roman', serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white;"><span style="font-family: Georgia, 'Times New Roman', serif;"> 11. Forensic image of the machine after this is complete</span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white;"><span style="font-family: Georgia, 'Times New Roman', serif;"> 12. Comparison of the five forensic images:</span></span></div>
<ul>
<li><span style="font-family: Georgia, 'Times New Roman', serif;">Clean</span></li>
<li><span style="background-color: white; font-family: Georgia, 'Times New Roman', serif;">Data</span></li>
<li><span style="background-color: white; font-family: Georgia, 'Times New Roman', serif;">Refresh</span></li>
<li><span style="background-color: white; font-family: Georgia, 'Times New Roman', serif;">Reset Quick</span></li>
<li><span style="background-color: white; font-family: Georgia, 'Times New Roman', serif;">Reset Thorough</span></li>
</ul>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif;"><br /></span><br />
<span style="font-family: Georgia, 'Times New Roman', serif;">Comparison of these images will focus on multiple areas, including:</span></div>
<div>
<ul>
<li><span style="font-family: Georgia, 'Times New Roman', serif;">What artifacts remain after each feature is done? - i.e., is USB activity still present? internet history? documents? is data carving possible? are prefetch files recoverable?</span></li>
<li><span style="font-family: Georgia, 'Times New Roman', serif;">What artifacts are present in a machine that has been reset versus a clean one? What about a refreshed machine? How can we tell if this has happened?</span></li>
</ul>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif;">Any comments or suggestions, please feel free to let me know! </span></div>
</div>Ethan Fleisherhttp://www.blogger.com/profile/00806309855263286461noreply@blogger.com0tag:blogger.com,1999:blog-7792322207109434614.post-62694461117712046732012-06-16T08:34:00.000-07:002012-06-16T08:34:51.611-07:00New toys!Everything always comes late on Fridays...<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzmI7F5Q3wwCsH8cTddCt0PbdUjyCBz9jecxMMrq6V3s6lY97V505Jk0ITL7NfXyY0xJXQmoC7hecpQbLxO5_Q8oHosAy7SifhoZer3Ol5JWEd8h8AEN5IGum6vPfBhKwV1P8yMUUZ9VW2/s1600/601147_10150947474878503_1081038442_n.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzmI7F5Q3wwCsH8cTddCt0PbdUjyCBz9jecxMMrq6V3s6lY97V505Jk0ITL7NfXyY0xJXQmoC7hecpQbLxO5_Q8oHosAy7SifhoZer3Ol5JWEd8h8AEN5IGum6vPfBhKwV1P8yMUUZ9VW2/s320/601147_10150947474878503_1081038442_n.jpg" width="320" /> </a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUKOJsinXk1ZFnyChHuj4AjpXJdsV_jNarpNfVZ7hl9ZZK8mn7GeptUf7wJ8vdsARUfKuGeDW1F7CQ7hBI-eeE1iLVns68KjbAZlYjUSsotIGVw42gRnXyMX9qzLgNAmFQvY6Ya0ZqCw0x/s1600/freddie.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUKOJsinXk1ZFnyChHuj4AjpXJdsV_jNarpNfVZ7hl9ZZK8mn7GeptUf7wJ8vdsARUfKuGeDW1F7CQ7hBI-eeE1iLVns68KjbAZlYjUSsotIGVw42gRnXyMX9qzLgNAmFQvY6Ya0ZqCw0x/s320/freddie.png" width="215" /></a></div>
<div>
<br /></div>Ethan Fleisherhttp://www.blogger.com/profile/00806309855263286461noreply@blogger.com0tag:blogger.com,1999:blog-7792322207109434614.post-64106311746336106492012-06-15T22:07:00.000-07:002012-06-15T22:09:20.675-07:00Windows 8 KB Resource Awesome post by Lance Mueller over at <a href="http://www.forensickb.com/2012/06/windows-8-is-coming.html">http://www.forensickb.com</a>. Brings all of the current Windows 8 research together - something I've definitely been trying to work on too! Have to thank someone with a much more reputable name than myself for bringing all the research together!<br />
<br />
Let's keep up the collaboration!<br />
<br />
Check back soon, I'll have the rest of my current research posted and hopefully some interesting news on the reset and refresh feature!Ethan Fleisherhttp://www.blogger.com/profile/00806309855263286461noreply@blogger.com0tag:blogger.com,1999:blog-7792322207109434614.post-48168420339788967822012-06-15T08:21:00.001-07:002012-06-15T08:26:24.380-07:00Windows 8 USB Activity<span style="font-family: Georgia, 'Times New Roman', serif;">When I started working on Windows 8 USB drive forensics, I assumed it would be pretty similar to Windows 7. I created a fresh Windows 8 VM and plugged a thumb drive into my local system. Like normal, the VM recognized it as it should. At this point I shut the VM down and opened it in EnCase to examine what happened. All of the findings were similar to Windows 7 USB forensics, and much like the recycle bin, proved nothing exciting. Here are the results:</span><br />
<div style="margin-bottom: 0in;">
<br />
<span style="font-family: Georgia, 'Times New Roman', serif;">The original post for this can be found on the </span><a href="http://computerforensics.champlain.edu/blog/windows-8-forensics"><span style="font-family: Georgia, 'Times New Roman', serif;">Patrick Leahy Center for Digital Investigation blog.</span></a><br />
<br />
</div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, 'Times New Roman', serif;">Mounted devices tab:</span><br />
<br />
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitDfRB8OBKSUtVoIL_CuOIY_hzvXAcZ4un9XWEntkkFbqLLZME0Wx_CK-x3nFg_DX1pRIpbkr4hgd6g4SGlkYJOoijJcA91nQFX6-M9rGrWiVfRddnpupsjOzV37f7QY-FHkWOBh94leSp/s1600/Win8_5.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Georgia, "Times New Roman", serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitDfRB8OBKSUtVoIL_CuOIY_hzvXAcZ4un9XWEntkkFbqLLZME0Wx_CK-x3nFg_DX1pRIpbkr4hgd6g4SGlkYJOoijJcA91nQFX6-M9rGrWiVfRddnpupsjOzV37f7QY-FHkWOBh94leSp/s1600/Win8_5.jpg" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in; page-break-before: always;">
<span style="font-family: Georgia, 'Times New Roman', serif;">System\currentcontrolset\enum\usbstor:</span><br />
<br />
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhs0yTcRCLM_SB93o0CNiddraLZQJaoebv0qbgnvbhTi8GqKGmUH-2iM8M9gpNrR5UTthk9FKk8nKwsAS-4ZpHAfNSXfQrmQ9Z8gwrINEwnoSYO6c6ULjbKJbNKAjYLuel7mDvw2ZaKaHB/s1600/Win8_6.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Georgia, "Times New Roman", serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhs0yTcRCLM_SB93o0CNiddraLZQJaoebv0qbgnvbhTi8GqKGmUH-2iM8M9gpNrR5UTthk9FKk8nKwsAS-4ZpHAfNSXfQrmQ9Z8gwrINEwnoSYO6c6ULjbKJbNKAjYLuel7mDvw2ZaKaHB/s1600/Win8_6.jpg" /></span></a></div>
<div style="margin-bottom: 0in; page-break-before: always;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in; page-break-before: always;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, 'Times New Roman', serif;">Setupapi.dev.log:</span><br />
<br />
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0Pf_pynlK__OmApnq78r4aHj1W66AbpdoSL_M2udrmHHDFVG6QS0Z9SQCTaY4bgHIDjXmD7by3ClKSYE5Nu-dEVFBxuspz1cfD19bBS4fX0q4dtzJiFxOBF4E_HxTo3go7KIgQLFuUxPt/s1600/Win8_7.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Georgia, "Times New Roman", serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0Pf_pynlK__OmApnq78r4aHj1W66AbpdoSL_M2udrmHHDFVG6QS0Z9SQCTaY4bgHIDjXmD7by3ClKSYE5Nu-dEVFBxuspz1cfD19bBS4fX0q4dtzJiFxOBF4E_HxTo3go7KIgQLFuUxPt/s1600/Win8_7.jpg" /></span></a></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in; page-break-before: always;">
<span style="font-family: Georgia, "Times New Roman", serif;">SOFTWARE\Microsoft\Windows Portable Devices\Devices (friendly name link):</span><br />
<br />
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEGDnXTukRur-JPQL0a90MUjoAIrlDTliqWztOEA9IJHaAF6t90biW8m7wlwXE79-4_C3nHQuaaelAGQVXcCoubOcQM6HTFwGTShyphenhyphen5p9Lyz5MZYvGA0gr-SX83KlEH05y-Z4B8Vn_SOJ2l/s1600/Win8_8.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Georgia, "Times New Roman", serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEGDnXTukRur-JPQL0a90MUjoAIrlDTliqWztOEA9IJHaAF6t90biW8m7wlwXE79-4_C3nHQuaaelAGQVXcCoubOcQM6HTFwGTShyphenhyphen5p9Lyz5MZYvGA0gr-SX83KlEH05y-Z4B8Vn_SOJ2l/s1600/Win8_8.jpg" /></span></a></div>
<div style="margin-bottom: 0in; page-break-before: always;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span><span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">These keys are all the same as in Windows 7, so producing USB activity results should remain smooth sailing.</span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">Posted by Ethan Fleisher</span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><b>Windows 8 Recycle Bin</b> (posted 2012-06-15)</span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<span style="font-family: Georgia, "Times New Roman", serif;">No shocking information to be found here: the Windows 8 recycle bin behaves just like the Windows 7 recycle bin.</span><br />
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span><br />
<span style="font-family: Georgia, "Times New Roman", serif;">The original blog post for this can be found at the </span><a href="http://computerforensics.champlain.edu/blog/windows-8-forensics"><span style="font-family: Georgia, "Times New Roman", serif;">Patrick Leahy Center for Digital Investigation blog</span></a><span style="font-family: Georgia, "Times New Roman", serif;">, but this is a slightly edited version.</span><br />
<br />
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">We still find the $Recycle.Bin, $R, and $I files. Here's a breakdown of my methodology.</span></div>
<ol>
<li><div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">Created “I wonder if this will appear” at 10:14; deleted “I wonder if this will appear” at 10:14.</span></div></li>
<li><div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">Created “test document.txt” at 10:22; deleted “test document.txt” at 10:23.</span></div></li>
<li><div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">Created “lets try this” at 10:40 and filled it with text (36.5 MB); deleted “lets try this” at 10:40.</span></div></li>
</ol>
<div style="margin-bottom: 0in; text-indent: 0.5in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">In EnCase, the Recycle Bin still contains the $Recycle.Bin folder and the $I files. The $R notation itself only appears when looking at the bare user ID folder under the recycle bin; because the $R file holds the file data itself, EnCase presents it under the original file name in the recycle bin.</span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOLatxr0OLOimOhi5paeElsdA106t2C2z8m9toC03XJIs2j8_zrE3boOMgeoybgYijVwHwZ69L62VGjrZk9DRXaDG_YnZtaWtox57gx3XqvM2ax5BUO7nKVeqhKJUK8eW2P1hdM6hF_ecV/s1600/Win8_1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Georgia, "Times New Roman", serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOLatxr0OLOimOhi5paeElsdA106t2C2z8m9toC03XJIs2j8_zrE3boOMgeoybgYijVwHwZ69L62VGjrZk9DRXaDG_YnZtaWtox57gx3XqvM2ax5BUO7nKVeqhKJUK8eW2P1hdM6hF_ecV/s1600/Win8_1.jpg" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">Located “test document”, “lets try this”, and “I wonder if this will appear” and verified that their times matched what I recorded when originally creating and deleting them.</span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">Verified hex values for $I files in comparison to known Windows 7 values.</span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">Bytes 0-7 are still the file header: always 01 followed by seven 00 bytes.</span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">Bytes 8-15 hold the original file size as a little-endian hex value. Reversing the byte order gives the big-endian value, which a hex calculator converts to a decimal byte count. I tested this with the “lets try this” document that was 36.5 MB. EnCase showed F0 E2 39 02, read in little-endian; reversing it gives 02 39 E2 F0, which a hex calculator shows to be 37348080 bytes, roughly 36.5 MB.</span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAYrtoWP9N4qsNlonvO7ZkmqB2bwoy7M38v1VnBeO0YzEe3a-VFDUofp14U7aJyHz7A9BT4n1TIxhaakkH1eH-hyyrwD0jAfU9YT-e6oh53Lhxk076AqfNBZULUDL0hk5RpMxuG4EZ8eAk/s1600/Win8_2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Georgia, "Times New Roman", serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAYrtoWP9N4qsNlonvO7ZkmqB2bwoy7M38v1VnBeO0YzEe3a-VFDUofp14U7aJyHz7A9BT4n1TIxhaakkH1eH-hyyrwD0jAfU9YT-e6oh53Lhxk076AqfNBZULUDL0hk5RpMxuG4EZ8eAk/s1600/Win8_2.jpg" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">Bytes 16-23 reflect the deleted date time stamp, represented per normal standards (number of seconds since Midnight, January 1, 1601).</span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4idw2ggn59qV81NPMKMMApRgO3oPtUd7IEECTHifAeo5YPBJmXRzUiAE7C76KH7QWk0ak9pfSOhIqTa_dl4gsxo1keX-M608mqqdk3GBmfU-2IbpX_r77JeYzBWTcrSb_Zfno95BSNKaJ/s1600/Win8_3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Georgia, "Times New Roman", serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4idw2ggn59qV81NPMKMMApRgO3oPtUd7IEECTHifAeo5YPBJmXRzUiAE7C76KH7QWk0ak9pfSOhIqTa_dl4gsxo1keX-M608mqqdk3GBmfU-2IbpX_r77JeYzBWTcrSb_Zfno95BSNKaJ/s1600/Win8_3.jpg" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<span style="font-family: Georgia, "Times New Roman", serif;">Bytes 24-543 reflect the original file path/name.</span><br />
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeNFnMUMcMkvuZen2ao_aqB6-GlTf6bVH-F-WSHkOEirbwHWDNjNBJZWDMmNUoswW0yLB9Y5BkRbYIokfsGmlKZgVHcwd_aZee3ARCqtZy_DOSB0ZZKVyn9Cuh88lJLbT3k2o2LKWrA8ib/s1600/Win8_4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Georgia, "Times New Roman", serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeNFnMUMcMkvuZen2ao_aqB6-GlTf6bVH-F-WSHkOEirbwHWDNjNBJZWDMmNUoswW0yLB9Y5BkRbYIokfsGmlKZgVHcwd_aZee3ARCqtZy_DOSB0ZZKVyn9Cuh88lJLbT3k2o2LKWrA8ib/s1600/Win8_4.jpg" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
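<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">As an added example (not code from the original post), the following Python script parses a $I record using exactly the layout described above: the 01 header, the little-endian size in bytes 8-15, the deletion timestamp in bytes 16-23, and the UTF-16LE path field in bytes 24-543. It decodes the timestamp as a Windows FILETIME, i.e. 100-nanosecond intervals since midnight, January 1, 1601 UTC, and reproduces the F0 E2 39 02 byte swap from the size check. The $I record it parses is constructed inside the script; the path and deletion time are made-up sample values, not taken from an image.</span></div>

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout of a Windows Vista/7/8 $I record, as described in the post:
#   bytes 0-7    header, 01 00 00 00 00 00 00 00
#   bytes 8-15   original file size, 64-bit little-endian
#   bytes 16-23  deletion time, 64-bit little-endian Windows FILETIME
#   bytes 24-543 original path, UTF-16LE, NUL-padded to 520 bytes (260 chars)
I_HEADER = b"\x01" + b"\x00" * 7
I_RECORD_LEN = 544
PATH_FIELD_LEN = 520

# FILETIME counts 100-ns intervals from this epoch.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME (100-ns intervals since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    # Avoid total_seconds(): a float loses microsecond precision at this magnitude.
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data):
    """Parse one $I record; raise ValueError if the header or length is wrong."""
    if len(data) < I_RECORD_LEN:
        raise ValueError("record too short: %d bytes" % len(data))
    if data[:8] != I_HEADER:
        raise ValueError("unexpected header: %s" % data[:8].hex())
    size, ft = struct.unpack_from("<QQ", data, 8)
    raw_path = data[24:24 + PATH_FIELD_LEN]
    # The path field is NUL-padded; keep only the text before the first NUL.
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"size": size, "deleted": filetime_to_datetime(ft), "path": path}


def size_from_hex_dump(hex_bytes):
    """Reproduce the manual byte swap from the post: 'F0 E2 39 02' -> 37348080."""
    return int.from_bytes(bytes.fromhex(hex_bytes.replace(" ", "")), "little")


def build_i_file(size, deleted, path):
    """Construct a $I record (sample data for this demo, not a real one from disk)."""
    encoded = path.encode("utf-16-le")
    if len(encoded) > PATH_FIELD_LEN - 2:
        raise ValueError("path longer than 259 characters")
    return (I_HEADER
            + struct.pack("<QQ", size, datetime_to_filetime(deleted))
            + encoded.ljust(PATH_FIELD_LEN, b"\x00"))


# Constructed sample matching the post's 'lets try this' size of 37348080 bytes;
# the deletion time and path are hypothetical values chosen for the demo.
SAMPLE_DELETED = datetime(2012, 6, 15, 10, 40, 0, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\test\Desktop\lets try this.txt"
SAMPLE_I = build_i_file(37348080, SAMPLE_DELETED, SAMPLE_PATH)

if __name__ == "__main__":
    rec = parse_i_file(SAMPLE_I)
    print("size:", rec["size"], "bytes")
    print("deleted:", rec["deleted"].isoformat())
    print("path:", rec["path"])
```

<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">Feeding the bytes of a real $I file to parse_i_file returns the size, deletion time and original path; a record whose header is not 01 followed by seven 00 bytes raises instead of returning decoded garbage, which is the check you want before trusting the other fields.</span></div>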
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">Posted by Ethan Fleisher</span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><b>Introduction to Windows 8 Forensics</b> (posted 2012-06-15)</span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<span style="font-family: Georgia, "Times New Roman", serif;">In late 2011 I began researching the Windows 8 operating system from a digital forensics standpoint. I wanted to take an in-depth look at the operating system using many of the tools commonly used in the digital forensics world today. When I first took on the project I thought: hey, how hard could this be? I didn't quite grasp, at first, that I was going to be examining an entire operating system and all the complexity that would involve. Fortunately, I had some ideas on what I wanted to look at, and I also intended to build upon the research that had already been done.</span><br />
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span><br />
<span style="font-family: Georgia, "Times New Roman", serif;">At that point in time, there was one other person researching Windows 8 publicly. Kenneth Johnson, author of the blog </span><a href="http://randomthoughtsofforensics.blogspot.com/"><span style="font-family: Georgia, "Times New Roman", serif;">random thoughts of forensics</span></a><span style="font-family: Georgia, "Times New Roman", serif;">, was also working on examining Windows 8. I reviewed his initial research, saw what he was covering, and decided to start with some other artifacts. With that, I built a preliminary list of the following:</span><br />
<ul>
<li><div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">Recycle Bin Properties</span></div></li>
<li><div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">USB Drive Activity</span></div></li>
<li><div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">Internet History</span></div></li>
<li><div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">Windows 8 Reset and Refresh Feature</span></div></li>
<li><div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">Event Logs</span></div></li>
<li><div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">Prefetch Files</span></div></li>
<li><div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">Jump Lists</span></div></li>
<li><div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">File History Feature</span></div></li>
</ul>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">With that, I started diving into the Developer Preview that had been released, examining the recycle bin, USB drive activity, internet activity, and the file history feature. Jump lists, prefetch files, event logs, and the reset and refresh feature were still on the horizon for me. As I got further into my research, however, February 29th rolled around and the Consumer Preview was released, which set my research back to a restart point. Looking at the Consumer Preview, I dug into the same four primary topics: the recycle bin, USB activity, internet history, and the file history feature. Due to time constraints, with the school year coming to a close and another job to work, I was only able to get a limited amount of research done. I did manage to discover a good amount of useful information, which I presented at the Conference for Undergraduates in Technology at Champlain College on April 21st, 2012.</span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">The following blog posts will cover each item that was presented.</span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">Posted by Ethan Fleisher</span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><b>Welcome / Purpose</b> (posted 2012-06-14)</span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<span style="font-family: Georgia, "Times New Roman", serif;">Hey all,</span><br />
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span><br />
<span style="font-family: Georgia, "Times New Roman", serif;">Just starting up this blog today. I plan on using it mainly for posting my progress on the Windows 8 Forensics research that I've been doing, as well as other research and development, ideas, problems, and discoveries that I come across in the days to come!</span><br />
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span><br />
<span style="font-family: Georgia, "Times New Roman", serif;">The first few blog posts I am going to put up are going to be in regards to Windows 8 forensic research that I have already done, and can also be found on the </span><a href="http://computerforensics.champlain.edu/blog"><span style="font-family: Georgia, "Times New Roman", serif;">Senator Patrick Leahy Center for Digital Investigation blog</span></a><span style="font-family: Georgia, "Times New Roman", serif;">! Check them out here, or there.</span><br />
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span><br />
<span style="font-family: Georgia, "Times New Roman", serif;">I'm hoping to get some input back from what I'm doing from the DFIR community, so feel free to chime in if you see anything that you think I could be doing better, differently, that is wrong, or anything! I'm always up for criticism, preferably constructive though.</span><br />
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span><br />
<span style="font-family: Georgia, "Times New Roman", serif;">Thanks for checking out the blog; come back often, as I will be updating it relatively frequently!</span>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;"><br /></span></div>
<div style="margin-bottom: 0in;">
<span style="font-family: Georgia, "Times New Roman", serif;">Posted by Ethan Fleisher</span></div>