File access via mailer
•Thunderbird
–Saves attachments together with mail in MIME-Format in profile-folder
•Profile-folder in
–XP: <Nutzername>\Application Data\Thunderbird\Profiles\<Profile name>
–Win 7: \Users\<Nutzername>\AppData\Roaming\Thunderbird\Profiles\<Profile name>\
•Die Thunderbird-Extension Attachment Extractor
•Extract all attachments from a Mailbox
v1.3.5.1 https://addons.mozilla.org/en-US/thunderbird/addon/attachmentextract or/ http://www.eviljeff.com/?page=moz-extensions
FTP-Client
•Transfer password in clear
•JumpList-Hashes (Win 7) pubished, also for FTP-Applications e.g.: http://forensicartifacts.com/tag/ftp/ http://www.forensicswiki.org/wiki/List_of_Ju mp_List_IDs
FTP-Client
• WS-FTP creates for each download a file WS_FTP.LOG
•Create-Date = Download-Time
•Content Servername and path of the same timestamp
FTP-Client
•WS-FTP-Client
–ws_ftp.ini cached passwords
•Decrypt , sniffing
–FTP ThumbsExtractor simple Carver Suite analyse Thumbs from WS-FTP http://www.simplecarver.com/tool.php? toolname=FTPThumbs%20Extractor
•FileZilla
–Passwort-Decyrpter http ://passwordforensics.com/filezilla-password-decryptor.php
–Unable caching fzdefaults.xml, Kiosk Mode 1
–
FileShare P2P:eMule
•KnownMetAnalyzer
–Analyse known.met-files from eMule-Client.
–extract information about (if available)
•Filename
•File hash
•Uncomplete downloaded files
•Amount of updated files
•Number of download request
FileShare P2P: BitTorrent
•Torrents contains Metadata of a file
–*.torrent | *.tor
•Bencoded
–http://en.wikipedia.org/wiki/Bencode
•Spezifikation
–https://wiki.theory.org/ BitTorrentSpecification#Metainfo_File_Structure
FileShare P2P: BitTorrent
•Read Torrent files
•Bencode Editor
•http://sites.google.com/site/ ultimasites/bencode-editor
•Tracker(s):
in announce/announce-list keys (binary/list)
•Webseed(s):
in url-list key (binary/list)
•DHT bootstrap node(s): in nodes key (list)
FileShare P2P: μTorrent
•Safes Torrent-Infos in .dat-files, especially in resume.dat, secured against changes through .fileguard-Hash
BitTorrent Forensic
•Acorn (2008): Forensics of BitTorrent
•http://www.ma.rhul.ac.uk/static/techrep/2008/RHUL-MA-2008-04.pdf
•Important ressources for μtorrent
–settings.dat (bencoded)
–Resume.dat
•Registry
–FileExts\.torrent\OpenWithList: Client is standard editor for
Torrent-Files
–RecentDocs\.torrent ComDLG\openSaveMRU\torrent: saved Torrents
–ShellNORoam\MUICache: Application started
Virusscanner
•Log-Files of virusscanner
•Windows XP SP3:
•%WinDir%/INF/netfw.inf contains Registry-Keys for exeption
•HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile\AuthorizedApplications\List
•Or StandardProfile
•See http://www.microsoft.com/germany/technet/datenbank/articles/600399.mspx