Forensics/Tell-tales

From ConShell
Jump to: navigation, search

What are tell-tales?

tell·tale  
/ˈtelˌtāl/
Adjective
  Revealing, indicating, or betraying something: "the telltale bulge of a weapon".
Noun
  A person, esp. a child, who reports others' wrongdoings or reveals their secrets.
Synonyms
 adjective.  	traitorous - treasonable - treacherous
 noun.  	informer - talebearer - tattler - sneak - tattletale

In computer forensics, tell tales may come from different sources but are typically found from software, not hardware, although hardware details ARE important to capture also.

Why are tell tales important to digital forensic science?

In a word, evidence.

Because they give away the important details i.e. evidence of and can reveal the nature of the crime or offense. The data extracted and extrapolated from such findings can reveal details regarding the basic fact (who,what,why,where & how) to prove criminal or malicious intent.

Where do I look?

  • Memory-based - commonly known as RAM. kernel and user space memory allocation
  • Disk-based (non-volatile) media such as
  • Hard drive partitions and boot record
  • Vendor storage (hidden) partition
  • Filesystems - files and folders (files can be sockets, devices and other things)
  • Swap or pagefile - acts as overflow for RAM

This will depend on the system under examination. See #appendix-a for a breakout by operating system & applications. Always consider the architecture and operating system type early on in the process of an investigation. In particular, the type of filesystems present may determine the proper path for imaging the storage and which type of analysis tools best suit the type.

You should always being an investigation with a set of labels or concepts related to the case at hand. For instance, if credit card fraud was suspected, a specific regex pattern can be derived to find patterns of numbers matching commonly used credit-card patterns.

What will I find?

  • Web Browser history
  • Logs such as chat (e.g. Pidgin)
  • File-based configuration settings
  • History files

Appendix-a

Interesting files and folders, broken down by operating system, and if applicable, application.

Linux

Obvious places

  • $HOME/Downloads
  • $HOME/Documents
  • /tmp

Because Linux/UNIX systems have always used .dotfiles as a way to hide files and folders from casual view, these comprise a potential treasure trove of important data. Here, then are a few examples of files/folders in a users's $HOME folder.

  • $HOME/.TrueCrypt
  • .recently-used.xbel
  • .adobe/Acrobat/9.0 <-- shows Acrobat version 9.0 installed
  • .bash_history
  • .bashrc
  • .cache/
  • .gnome2/keyrings/login.keyring
  • .ssh/ -- can find ssh keys (id_rsa, id_rsa.pub) and authorized_keys file
  • .my.cnf -- may contain user/password details

Here is a simple way to search for interesting files in any Linux/Unix filesystem under examination.

  • Install the 'tree' application e.g. sudo aptitude install tree
  • Run `tree /path | less` it will drop you into a pager
  • Search for terms using /<searchterm><enter>
  • Take screen shots of interesting finds. You can annotate and md5 them later.
    • For better md5 repeatability, only screenshoot the shell app (xterm or whatever) since

it will not change under a second round

Under modern linux a window manager is used, such as Gnome or KDE. There are also quite a few variations of Xorg window managers in use, due to the surplus of choices which are available.

Folders related to window managers by type:

  • Gnome (edited for brevity)
$ tree .gnome2
.gnome2
├── epiphany
│   ├── bookmarks.rdf
│   ├── cookies.sqlite*
│   ├── downloads*
│   ├── ephy-bookmarks.xml
│   ├── ephy-favicon-cache.xml
│   ├── ephy-history.xml*
│   ├── epiphany-toolbars-3.xml
│   ├── favicon_cache*
│   │   ├── 27d2f0cdb0894546cc268412f5cbb913
│   │   ├── a300678849734e7aa190a6d65d7cb504
│   │   ├── ab1e08e712b5220eb9f6459c49843084
│   │   └── bd27eb1d7950b17d5b4226c061563ae0
│   └── states.xml
├── evince
│   ├── ev-metadata.xml
│   ├── last_settings
│   └── migrated-to-gvfs
├── file-roller
├── gedit
│   ├── gedit-2
│   ├── gedit-2.9DCP8U
│   ├── gedit-page-setup
│   ├── gedit-print-settings
│   └── sessions
│       └── gedit-sUWJ3M
├── gedit-2
├── gedit-metadata.xml
├── gnomemeeting
├── gnome-power-manager
│   ├── profile-20034-charging.csv
│   ├── profile-20034-discharging.csv
│   ├── profile-DELL_GK4798-57720-20034-charging.csv
│   ├── profile-DELL_GK4798-57720-20034-discharging.csv
│   ├── profile-DELL_GK4798-charging.csv
│   ├── profile-DELL_GK4798-discharging.csv
│   └── webcam.png
├── gthumb
│   ├── bookmarks
│   ├── categories
│   ├── collections
│   ├── comments
│   └── remote_cache
├── hal-device-manager
├── keyrings
│   ├── default
│   ├── default.keyring
│   ├── login.keyring
│   ├── login.keyring.temp-200020390
│   ├── user.keystore
│   ├── user.keystore.9MOZ8U
│   └── user.keystore.DEVP8U
├── main
├── nautilus-scripts
├── nautilus-sendto
│   └── spool
│       └── tmp             
├── network-admin-locations
│   ├── Work
│   └── Home
├── seahorse
├── share
├── Totem
│   └── state.ini

History files

Similar to logs but contain the commands / queries issued to the system (but not outputs).

MySQL

Look for a ~/.mysql_history file which contains the command history

MongoDB

Look for a ~/.dbshell file which contains the command history

Bash

Look for a ~/.bash_history file which contains the command history

SQLite / SQLite3

Look for a ~/.sqlite_history file which contains the command history

Back to Forensics