• The project has been funded by the European Commission. The Education, Audiovisual and
• Windows Artefacts
• Content
• Introduction
• Windows Artefacts
• Methodology
• Traces on the hard disk
• Approach to analyzing local traces
• Limits: Portable Software
• Limits: Malware
• Special software
• Approaches
• Sandboxie
• What is a Sandbox
• What is Sandboxie
• Advantages of Sandboxie
• Alternatives to Sandboxie
• Virtualization with EvaLaze
• Sandboxie
• How does Sandboxie work?
• Automation via command line
• Recovery in Sandboxie
• Analysis of Sandboxie results
• Redirecting Registry
• Log files of hives
• Analyzing Sandboxie registry hives
• Runtime behavior
• Overview
• Using Jabber with Jabbin
• Usage in practice
• Windows OS-Artifacts
• Typical application traces
• File access via mailer
• FTP client
• FileShare P2P: eMule
• FileShare P2P: BitTorrent
• FileShare P2P: μTorrent
• BitTorrent forensics
• Virus scanner
• Firewall Win 7
• Windows Event Logs
• OpenVPN
• Windows OS-Artifacts
• Operating System
• Windows Operating System
• Windows Folder Structure
• Artifacts of Forensic Interest
• USER PROFILES
• Which Version?
• Application Data
• Application Data (subfolders)
• AppData Local
• AppData LocalLow
• AppData Roaming
• SUMMARY
• Registry Description
– What kind of information is actually stored there?
• Registry Information
• Registry's Structure
• HKEY_LOCAL_MACHINE (HKLM)
• And what about user data?
• NTUSER.DAT location in Windows XP
• NTUSER.DAT location in Windows 7
• Registry Files Examination
• From a forensics point of view
• Examples
• RESTORE POINTS vs. VOLUME SHADOW COPY
• RESTORE POINTS (Windows XP)
• RESTORE POINTS (Windows 7)
• VOLUME SHADOW COPY
Introduction
Typical traces left by applications (overview)
• E.g.
– File sharing
– Virus scanner
– Remote access
– Cleaner
Introduction
• Traces of selected classes of applications
• Kinds of artefacts
• Purely local traces
• Communication / social networks
• File transfer between computers / online storage
• Cloud applications
• Encryption software
• Virtual money transfer
Introduction
• Traces of selected classes of applications, e.g.
• Purely local: WinRAR, 7-Zip
• Local traces from communication programs
– Chat (Windows Live Messenger/MSN, Skype)
– Social networks (Facebook, Windows Live, ...)
• Local traces of file transfers to online storage
– WinSCP, PuTTY, sftp, ...
• Local traces of cloud services / Software as a Service
– File dropping (Dropbox, SkyDrive)
– Local access to external services or data, e.g. to-do lists
• Encryption
– TrueCrypt, ...
• Payments and virtual money
– Bitcoin
Introduction
Methodology and Tools
• Requirements
– Isolated and protected environment for experiments
– Minimal test environment without pre-existing traces
– Changes traceable and reversible
– Reviewing results
• Virtual environment
– Snapshots: VMware, VirtualBox, QEMU, Virtual PC
• In a sandbox
– Sandboxie; automated sandboxes such as Cuckoo
• Combination of virtualisation and sandbox
Windows Artefacts
Evaluation methods for application traces
Methodology
• When?
– During installation
– During use (per action)
– After use
– Traces remaining after uninstallation/deletion
• What?
– Behaviour: what is the program doing? (processes, ...)
– What is the program producing? (configuration, databases, log files, user files, ...)
Methodology
• Where?
– Hard drive
– Mobile storage
– Local server
– Network (e.g. routers, firewalls)
– External (a friend's computer, server, cloud, ...)
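As an added illustration of the when/what methodology above (example code written for this page, not part of the original course material): a small Python script that takes a file-system snapshot of the test environment before installation, after installation, after one user action and after uninstallation, then diffs consecutive snapshots to list what each phase produced and what survives removal. The directory layout and the "DemoApp" program are constructed stand-ins for a real test system; the Prefetch file name uses a placeholder hash.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file below root (POSIX-style relative path) to (size, mtime_ns, sha256)."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_file():
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns, digest)
    return state


def diff_snapshots(before, after):
    """Files added, removed, or with changed content (hash) between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p][2] != after[p][2]),
    }


def write(root, rel, data):
    # Create a file (and its parent folders) below the constructed test root.
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo():
    """Constructed scenario: a hypothetical 'DemoApp' is installed, used once, then uninstalled."""
    with tempfile.TemporaryDirectory() as tmp:
        write(tmp, "Users/alice/Documents/notes.txt", b"hello")
        clean = snapshot(tmp)                                     # baseline of the clean system
        write(tmp, "Program Files/DemoApp/demo.exe", b"MZ-demo")   # installation phase
        write(tmp, "Users/alice/AppData/Roaming/DemoApp/config.ini", b"[demo]\n")
        installed = snapshot(tmp)
        write(tmp, "Windows/Prefetch/DEMO.EXE-00000000.pf", b"SCCA")  # use phase (placeholder hash)
        write(tmp, "Users/alice/Documents/notes.txt", b"hello world")
        used = snapshot(tmp)
        (Path(tmp) / "Program Files/DemoApp/demo.exe").unlink()   # uninstaller removes only the binary
        uninstalled = snapshot(tmp)
        return {
            "install": diff_snapshots(clean, installed),
            "use": diff_snapshots(installed, used),
            "uninstall": diff_snapshots(used, uninstalled),
            "residue": sorted(set(uninstalled) - set(clean)),     # traces that survive uninstallation
        }
```

On a real test system the same diff is taken against a mounted image or VM snapshot rather than a temporary directory; registry changes need a separate hive comparison, which the later slides cover.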
Traces on the hard disk
• File system
– Previous file systems, changes to partitions
– File names and timestamps from NTFS: $MFT, $LogFile, $I30; exFAT
– Previous states / decrypted remnants in backups or Volume Shadow Copies and images (VHD)
• Operating system
– Program or user data deleted to the Recycle Bin or left in slack space / unallocated areas
– Programs executed in a virtual environment
– Programs executed automatically
– Programs started with user data (Prefetch/SuperFetch)
– Shortcuts created
– Programs or user data written to Libraries
Traces on the hard disk
• Operating system
– Program writes data into system and/or user profiles
  • Installation location, AppData, temp files, caches, installation log, execution logs, error messages, ...
  • Favorites, recently used items, Jump Lists
  • Program execution is recorded in the event logs
  • The program has written changes to the Windows Registry
  • The program opens a network connection
  • Traces in pagefile.sys or hiberfil.sys
Traces on the hard disk
• Application: program interacts with other programs
– Downloaded (Downloads folder, share folder of a P2P client)
– Checked by a virus scanner
– The scanner's log file may show that the file was checked, usually only for infected files
– Dropped remotely
– Partially or completely removed by a cleaner program
20
