What are tell-tales?
tell·tale /ˈtelˌtāl/ Adjective Revealing, indicating, or betraying something: "the telltale bulge of a weapon". Noun A person, esp. a child, who reports others' wrongdoings or reveals their secrets. Synonyms adjective. traitorous - treasonable - treacherous noun. informer - talebearer - tattler - sneak - tattletale
In computer forensics, tell tales may come from different sources but are typically found from software, not hardware, although hardware details ARE important to capture also.
Why are tell tales important to digital forensic science?
In a word, evidence.
Because they give away the important details i.e. evidence of and can reveal the nature of the crime or offense. The data extracted and extrapolated from such findings can reveal details regarding the basic fact (who,what,why,where & how) to prove criminal or malicious intent.
Where do I look?
- Memory-based - commonly known as RAM. kernel and user space memory allocation
- Disk-based (non-volatile) media such as
- Hard drive partitions and boot record
- Vendor storage (hidden) partition
- Filesystems - files and folders (files can be sockets, devices and other things)
- Swap or pagefile - acts as overflow for RAM
This will depend on the system under examination. See #appendix-a for a breakout by operating system & applications. Always consider the architecture and operating system type early on in the process of an investigation. In particular, the type of filesystems present may determine the proper path for imaging the storage and which type of analysis tools best suit the type.
You should always being an investigation with a set of labels or concepts related to the case at hand. For instance, if credit card fraud was suspected, a specific regex pattern can be derived to find patterns of numbers matching commonly used credit-card patterns.
What will I find?
- Web Browser history
- Logs such as chat (e.g. Pidgin)
- File-based configuration settings
- History files
Interesting files and folders, broken down by operating system, and if applicable, application.
Because Linux/UNIX systems have always used .dotfiles as a way to hide files and folders from casual view, these comprise a potential treasure trove of important data. Here, then are a few examples of files/folders in a users's $HOME folder.
- .adobe/Acrobat/9.0 <-- shows Acrobat version 9.0 installed
- .ssh/ -- can find ssh keys (id_rsa, id_rsa.pub) and authorized_keys file
- .my.cnf -- may contain user/password details
Here is a simple way to search for interesting files in any Linux/Unix filesystem under examination.
- Install the 'tree' application e.g. sudo aptitude install tree
- Run `tree /path | less` it will drop you into a pager
- Search for terms using /<searchterm><enter>
- Take screen shots of interesting finds. You can annotate and md5 them later.
- For better md5 repeatability, only screenshoot the shell app (xterm or whatever) since
it will not change under a second round
Under modern linux a window manager is used, such as Gnome or KDE. There are also quite a few variations of Xorg window managers in use, due to the surplus of choices which are available.
Folders related to window managers by type:
- Gnome (edited for brevity)
$ tree .gnome2 .gnome2 ├── epiphany │ ├── bookmarks.rdf │ ├── cookies.sqlite* │ ├── downloads* │ ├── ephy-bookmarks.xml │ ├── ephy-favicon-cache.xml │ ├── ephy-history.xml* │ ├── epiphany-toolbars-3.xml │ ├── favicon_cache* │ │ ├── 27d2f0cdb0894546cc268412f5cbb913 │ │ ├── a300678849734e7aa190a6d65d7cb504 │ │ ├── ab1e08e712b5220eb9f6459c49843084 │ │ └── bd27eb1d7950b17d5b4226c061563ae0 │ └── states.xml ├── evince │ ├── ev-metadata.xml │ ├── last_settings │ └── migrated-to-gvfs ├── file-roller ├── gedit │ ├── gedit-2 │ ├── gedit-2.9DCP8U │ ├── gedit-page-setup │ ├── gedit-print-settings │ └── sessions │ └── gedit-sUWJ3M ├── gedit-2 ├── gedit-metadata.xml ├── gnomemeeting ├── gnome-power-manager │ ├── profile-20034-charging.csv │ ├── profile-20034-discharging.csv │ ├── profile-DELL_GK4798-57720-20034-charging.csv │ ├── profile-DELL_GK4798-57720-20034-discharging.csv │ ├── profile-DELL_GK4798-charging.csv │ ├── profile-DELL_GK4798-discharging.csv │ └── webcam.png ├── gthumb │ ├── bookmarks │ ├── categories │ ├── collections │ ├── comments │ └── remote_cache ├── hal-device-manager ├── keyrings │ ├── default │ ├── default.keyring │ ├── login.keyring │ ├── login.keyring.temp-200020390 │ ├── user.keystore │ ├── user.keystore.9MOZ8U │ └── user.keystore.DEVP8U ├── main ├── nautilus-scripts ├── nautilus-sendto │ └── spool │ └── tmp ├── network-admin-locations │ ├── Work │ └── Home ├── seahorse ├── share ├── Totem │ └── state.ini
Similar to logs but contain the commands / queries issued to the system (but not outputs).
Look for a ~/.mysql_history file which contains the command history
Look for a ~/.dbshell file which contains the command history
Look for a ~/.bash_history file which contains the command history
SQLite / SQLite3
Look for a ~/.sqlite_history file which contains the command history
Back to Forensics