2. 0011 0010 1010 1101 0001 0100 1011
Current, Relevant Topics
• HP’s private investigators fraudulently used the identities of
the victims to get login credentials to access online telephone
records without authorization.
• Title 18 Section 1030(a)(4) – felony!
• The investigation resulted in unauthorized use of AT&T's
computer systems by third-party investigators to gain access to
the phone records of seven board members, nine reporters, and
two HP employees. While such techniques fall under the broad
category of deception to gain information, or "pretexting,"
computer crime statutes clearly define the activity as
unauthorized access, or "hacking." The investigators also
tailed several directors and reporters and sent forged
documents to one reporter that would phone home the Internet
address of anyone to whom the reporter forwarded the
document.
Robert Lemos, SecurityFocus 2006-09-22
3. 0011 0010 1010 1101 0001 0100 1011
This Week’s Presentations
• Moses Schwartz: Email Analysis -
Client and Web
• Johnathan Ammons: Web Analysis
• James Guess: IRC Analysis
4. 0011 0010 1010 1101 0001 0100 1011
Next Week’s Presentations
• Kelcey Tietjen: Wireless Network Traffic
• David Burton: Collection and Analysis of
Network Traffic
• David Burton: Network Devices: Routers,
Switches, … (EC)
5. 0011 0010 1010 1101 0001 0100 1011
Lecture Overview
• Application Analysis Overview
• E-mail
• Web Browsers
• Microsoft Word
• Portable Document Format
• Tools et cetera
Legal/Policy
Preparation Collection Analysis
Findings/
Evidence
Reporting/
Action
7. 0011 0010 1010 1101 0001 0100 1011
Types of Hidden Application Data
• Metadata
– information about a file or its contents that
software stores in the file
• Hidden Data
– content the author or editors add to files that may
be hidden in some circumstances
• Really Hidden Files
– files you can not find with Explorer at all and can
only find with DOS if you know where to look
8. 0011 0010 1010 1101 0001 0100 1011
Module 2
E-mail
What data may be found?
9. 0011 0010 1010 1101 0001 0100 1011
What can be found?
• Sender
• Date / Time
• Subject
• Communication Path
• Contents
10. 0011 0010 1010 1101 0001 0100 1011
Client-based E-mail
• MS Outlook PST
– ReadPST ↑ will convert the PST into RFC-
compliant UNIX mail
• MS Outlook Express
– readDBX ↑ will extract the contest of a DBX
files into RFC-compliant UNIX mail
• UNIX E-mail
– grep expression on the simple text file
↑from SourceForge
11. 0011 0010 1010 1101 0001 0100 1011• Netscape Navigator
– grep expression on the simple text file
• AOL
– proprietary format: PFC
– E-mail Examiner, EnCase, FTK
– FTK decodes email archive, retrieves e-mail
and other information such as favorites
Client-based E-mail
12. 0011 0010 1010 1101 0001 0100 1011• Yahoo
– recover e-mail from Internet cache
– files that contain rendered html that was on screen
• ShowFolder – lists subject lines, sender alias, message
dates, and sizes
• ShowLetter – opened e-mail
• Compose – e-mail to which the user is replying before
an modification is done
– search
• input type=hidden name=Body value=
Web-based E-mail
13. 0011 0010 1010 1101 0001 0100 1011• Hotmail
– use the same tools to find information in files
• Hotmail
• doaddress
• getmsg – the e-mail message
• compose
• calendar
– search
• /cgi-bin/dasp/E?N?/?hotmail_+#+.css
Web-based E-mail
14. 0011 0010 1010 1101 0001 0100 1011
Module 3
Web Browsers
What metadata and hidden data may be found?
15. 0011 0010 1010 1101 0001 0100 1011
• Internet Explorer
– Cookiesindex.dat – audit trail for installed cookies
– Local SettingsHistoryHistory.IE5index.dat –
history for the last day IE was used
– Local
SettingsHistoryHistory.IE5MSHistXXXXXXX
XXXXindex.dat – history rollup for older usage
– Local SettingsTemporary Internet Files
Content.IE5index.dat – audit trail for include files
– UserDataindex.dat – audit trail for automatic
Windows accesses to the internet
Web Browsers
Pasco – converts the data into a tab-delimited format (Foundstone)
NOTE: Files in C:Documents and Settings<username>
16. 0011 0010 1010 1101 0001 0100 1011
• Internet Explorer - Cookies
– Cookiesindex.dat – audit trail for installed cookies
– Fields of metadata
• SITE – URL that the cookie came from
• VARIABLE – name stored in cookie
• VALUE – value stored
• CREATION TIME – time of cookie creation
• EXPIRE TIME – time of cookie expiration
• FLAGS – flags set for the cookie
Web Browsers
galleta – converts the data into a tab-delimited format (Foundstone)
17. 0011 0010 1010 1101 0001 0100 1011• Mozilla / Firefox
– MORK – Mozilla history format (Mork.pl utility)
– Windows
• Application DataMozillaProfiles<profile
name>history.dat
– Linux
• ~/.Mozilla/Profiles/<profile name>/history.dat
– gives access time, # accesses, URL
– tools can provide more information, e.g.,
NetAnalysis
Web Browsers
18. 0011 0010 1010 1101 0001 0100 1011• Mozilla / Firefox - Cookies
– cookies.txt in the profiles directory
– human readable
• web site of origin
• variable name
• value
• etc.
Web Browsers
19. 0011 0010 1010 1101 0001 0100 1011• Mozilla / Firefox – Cache browsing
– make the cache read-only
– fire up Mozilla
– enter URL about:cache
Web Browsers
22. 0011 0010 1010 1101 0001 0100 1011• NoTrax
– Secure Anonymous Stand Alone Tabbed Web
Browser.
– Blowfish encryption of cache & erases the cache
during and after each browser session using secure
deletion methods.
– Erases Cookies during and after each browser
session using secure deletion methods.
– Erases the Windows Swap file on shutdown.
– No log files created.
Web-based E-mail
23. 0011 0010 1010 1101 0001 0100 1011
Module 4
Microsoft Word
What metadata and hidden data may be found?
24. 0011 0010 1010 1101 0001 0100 1011
MS Word
• metadata
– Older versions
• every file name saved under
• run “strings –u” to get names
– If document won’t open,
then metadata may have
been modified
– who edited document
– file path
– version of Word used
– when created
– GUID (MAC based) of
machine used to create
• hidden data
– quick save data
• look in binary editor
• open and use undo
– Word 97 – MAC address
• PID_GUID
– Excel spreadsheet
• when you drag data you get
the entire spreadsheet
• change .doc to .xls and open
– full images
• when a frame is shrunken
• when matches background
color
Beware of track changes
26. 0011 0010 1010 1101 0001 0100 1011
PDF
• metadata
– under document properties
– document title
– author
– subject
– creation date
– creation program
• hidden data
– text with background set to
the same color as text
– very large or small fonts
28. 0011 0010 1010 1101 0001 0100 1011
Tools & Claims
• SecretExplorer
– locate web form autocomplete data for IE,
passwords for websites, Outlook account and
identity passwords, dial-up passwords
• Document Inspector
– search for hidden content: comments, revisions,
versions, annotations, document properties,
personal information, XML data, headers,
footers, watermarks, hidden text
29. 0011 0010 1010 1101 0001 0100 1011
Tools & Claims, cont.
• Document Detective
– search for and remove hidden data: color on
color text, thumbnails, bookmarks, very large
or small images, very large or small fonts in
MS Word, Excel, and PowerPoint
• snipurl.com/3osw
– delete hidden text and comments
• rdhtool
– Office 2003 tool to strip all metadata
30. 0011 0010 1010 1101 0001 0100 1011
File Formats
• How do we find file format information for
(proprietary) files?
– Wotsit
• http://www.wotsit.org/search.asp
