Knowing where to look for the right data, finding the data including its data types and formats is the foremost important step to start computer forensic investigations

Introduction

Knowing where to look for the right data, and then finding it together with its data types and formats, is the most important first step in a computer forensic investigation. All of this can be done with tools you are already familiar with, such as Redline, EnCase, FTK Imager, NetworkMiner and Autopsy. Chapter 10, Enterprise Services, can also guide your search; to name a few of the sources covered there: the Registry hives, Event Viewer, LANDesk and database logs.

Pictures and other media leave traces in a machine's thumbnail cache (on Windows, the thumbcache_*.db files under %LocalAppData%\Microsoft\Windows\Explorer), which often survive after the originals have been deleted. Tools like NetworkMiner (Lab 4) can also help you find images and other media carved from network traffic in a more organized manner.

Data Types

Many data types can be identified by their extensions, such as .dat, .bak (backup), .bat (batch files) or .vbn (Symantec quarantined files); you get the idea, but what is the path?

In an enterprise environment you can also find information about network-related devices at various levels, for example the drives mapped on a workstation (persistent mappings are recorded under HKEY_CURRENT_USER\Network in the Registry).

For instance, if a network service's log file keeps growing, you can read it directly from disk:

  1. DHCP server audit logs are written to C:\Windows\System32\dhcp (one DhcpSrvLog-<Day>.log file per weekday); read them there before the log is unloaded or overwritten.
  2. Similarly, the DHCP database and configuration backups are kept in C:\Windows\System32\dhcp\backup; check there before going into the DHCP Management Console.
  3. SSMS has its own log management (Management > SQL Server Logs), or you can write a Stored Procedure (sproc) that performs many activities on your behalf, including alerts that pop up, send you an SMS or place an automated call when your tables have been altered.
  4. What about quarantined files? Look in your anti-virus product's quarantine folder, which is allocated for exactly that purpose. The point is that getting the RIGHT data when you need it is essential.

If you remember the CFO case study from Chapter xx, you will have to go to the DBMS to see and extract what happened. It may require some querying (not part of this lab), but you will find it with the support of the DBA.

Exceptions

Keep in mind that there are some exceptions you may want to consider. In particular, the term "data extension" also has an unrelated meaning in Salesforce Marketing Cloud, where it is a table of subscriber or reference data rather than a file extension:

  • Sendable data extensions have a send relationship and map to a subscriber; contacts are added to All Contacts when you send to those recipients.
  • Non-sendable data extensions hold reference data such as order details, airport codes and weather.

Deliverables -A:

Identify the data types you would look for, why you would need them and where to find them, with their path if possible, for each of the following scenarios. Try Chapters 10 and 11 first before doing further research.

Items #1 to #5 are samples that we went through last week. Take note of what they are, how they can help us and where to find them, for your Report Writing practice.

  1. A user opening and closing several applications in a relatively short period of time.

This scenario involves the application category of evidence, which is stored on the desktop or laptop itself. How fast applications open depends on the storage (hard drive, SSD) and the amount of RAM, but that is not where the evidence is. Task Manager shows which applications are open right now and how much of the machine they use, but it keeps no history. For what ran and when, look in Event Viewer under Windows Logs > Application (application events, also useful for troubleshooting) and at the execution artifacts Windows keeps for every launched program: the Prefetch files in C:\Windows\Prefetch (each *.pf file records the executable name, its run count and its last run times) and the UserAssist keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist in the Registry. Lining those timestamps up on one timeline shows the burst of launches and closes within a short window.
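Once the launch timestamps have been pulled from Prefetch or UserAssist, spotting "several applications in a short period" is a sliding-window count over the timeline. The following is an added example written for this page, not code from the lab; the launch records are constructed, and the two-minute window and threshold of four launches are assumptions you would tune to the case. The same function works for any timestamped events, so it also applies to scenario #8 (a burst of network ingress) if you feed it connection timestamps instead.

```python
"""Flag bursts of application launches within a short window.

Added example for the lab handout (not the handout's own code). Input rows are
(timestamp, executable) pairs as you would extract from Prefetch last-run times or
UserAssist; SAMPLE_LAUNCHES below is constructed for the demonstration.
"""
from datetime import datetime, timedelta

# Constructed sample timeline: quiet morning, then five launches in ninety seconds.
SAMPLE_LAUNCHES = [
    ("2018-09-11 09:01:10", "OUTLOOK.EXE"),
    ("2018-09-11 09:45:02", "WINWORD.EXE"),
    ("2018-09-11 10:52:00", "CMD.EXE"),
    ("2018-09-11 10:52:15", "POWERSHELL.EXE"),
    ("2018-09-11 10:52:40", "REGEDIT.EXE"),
    ("2018-09-11 10:53:05", "NOTEPAD.EXE"),
    ("2018-09-11 10:53:30", "7ZG.EXE"),
    ("2018-09-11 14:10:00", "EXCEL.EXE"),
]


def parse_launches(rows):
    """Turn (timestamp string, program) rows into (datetime, program) tuples sorted by time."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), prog) for ts, prog in rows]
    return sorted(parsed)


def find_bursts(launches, window=timedelta(minutes=2), threshold=4):
    """Return windows that contain at least `threshold` launches within `window`.

    Sliding window over the sorted timeline: from each candidate start, extend the
    end while the next event is still within `window` of the start. The earliest
    start that reaches the threshold is reported once, with every event in its
    window, and scanning resumes after that window so overlapping hits are not
    reported twice.
    """
    bursts = []
    i, n = 0, len(launches)
    while i < n:
        j = i
        while j + 1 < n and launches[j + 1][0] - launches[i][0] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append({
                "start": launches[i][0],
                "end": launches[j][0],
                "programs": [prog for _, prog in launches[i:j + 1]],
            })
            i = j + 1
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for burst in find_bursts(parse_launches(SAMPLE_LAUNCHES)):
        print(f"{burst['start']} - {burst['end']}: {', '.join(burst['programs'])}")
```

On the constructed data this reports a single burst from 10:52:00 to 10:53:30 containing CMD.EXE, POWERSHELL.EXE, REGEDIT.EXE, NOTEPAD.EXE and 7ZG.EXE, while the isolated Outlook, Word and Excel launches are left alone. Keep in mind that Prefetch only stores the last eight run times per executable, so repeated launches of the same program may be collapsed in the source data.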

 

  2. You noticed a DNS issue.

Logs related to DNS will help identify the issue. From the command prompt, ipconfig /all shows the DNS servers and DHCP settings each adapter is using, and ipconfig /displaydns shows what the client's resolver cache currently holds. In Event Viewer, the client-side log is Applications and Services Logs\Microsoft\Windows\DNS Client Events\Operational (channel Microsoft-Windows-DNS-Client/Operational), and on a DNS server the server-side logs are under Applications and Services Logs\Microsoft\Windows\DNS-Server together with the DNS Server log itself. Look at the time of each event, how many there are and which names or servers they mention; the DNS-related logs are usually enough to resolve the issue.

 

  3. Your IIS web server.

IIS log files are stored by default under %SystemDrive%\inetpub\logs\LogFiles on a standard Windows Server, in one W3SVC<siteID> subfolder per site (W3SVC1 for the Default Web Site). The logs are in W3C Extended format: a #Fields: header names the columns, and each line records, among other things, the date and time, the client IP (c-ip), the username (cs-username), the method and requested URI (cs-method, cs-uri-stem), the status code (sc-status), the bytes sent and received (sc-bytes, cs-bytes) and the time taken. From those you can see the state of each site and who requested what, when, and with what result.

 

  4. Your Apache server configuration seems to be out of whack.

Apache keeps access logs, error logs and its configuration files, and between them they show why the configuration is off. The paths depend on the distribution: on Debian and Ubuntu the logs are /var/log/apache2/access.log and /var/log/apache2/error.log and the main configuration is /etc/apache2/apache2.conf; on RHEL, CentOS and Fedora they are /var/log/httpd/access_log, /var/log/httpd/error_log and /etc/httpd/conf/httpd.conf; on FreeBSD the configuration lives under /usr/local/etc/apache24/httpd.conf. Run apachectl configtest (or httpd -t) to have Apache report syntax errors in the configuration itself, and use grep or tail -f on the error log to watch errors as they happen.
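Because an IIS log's column set is configurable, the only safe way to read it is to take the column names from its #Fields: header rather than hard-coding positions; Apache's default "combined" LogFormat, by contrast, has a fixed shape that a single regular expression covers. The following added example (written for this page, not part of the lab or of either server's tooling) parses both formats described in items #3 and #4 into one record shape and then summarizes requests per client IP by outcome. The log excerpts are constructed, and the assumption is that the Apache site uses the combined LogFormat.

```python
"""Parse IIS (W3C Extended) and Apache (combined) access logs into one record shape
and summarize requests per client IP and outcome.

Added example for the lab handout, not the handout's own code. The log lines are
constructed; field names follow the W3C Extended format IIS writes and Apache's
"combined" LogFormat (assumed for the Apache site).
"""
import re
from collections import Counter, defaultdict

# Constructed IIS excerpt. The #Fields header tells us which column is which.
IIS_SAMPLE = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2018-09-11 10:52:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2018-09-11 10:52:01 10.0.0.5 GET /index.html - 80 - 203.0.113.9 Mozilla/5.0 200 0 0 12
2018-09-11 10:52:02 10.0.0.5 GET /admin/ - 80 - 203.0.113.9 Mozilla/5.0 401 2 5 3
2018-09-11 10:52:03 10.0.0.5 GET /admin/ - 80 alice 203.0.113.9 Mozilla/5.0 200 0 0 40
2018-09-11 10:52:10 10.0.0.5 POST /upload.aspx - 80 - 198.51.100.7 curl/7.61 500 0 0 120
"""

# Constructed Apache combined-format excerpt.
APACHE_SAMPLE = """203.0.113.9 - - [11/Sep/2018:10:52:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - bob [11/Sep/2018:10:52:05 +0000] "GET /private/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Sep/2018:10:52:11 +0000] "POST /cgi-bin/test HTTP/1.1" 500 0 "-" "curl/7.61"
"""

# host ident user [time] "method uri protocol" status bytes ... (referer/agent not needed here)
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_iis(text):
    """Yield one dict per IIS data line, naming columns from the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the header can change mid-file when logging is reconfigured
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed lines instead of mis-assigning columns
        row = dict(zip(fields, values))
        yield {
            "source": "iis",
            "ip": row["c-ip"],
            "user": None if row["cs-username"] == "-" else row["cs-username"],
            "method": row["cs-method"],
            "uri": row["cs-uri-stem"],
            "status": int(row["sc-status"]),
        }


def parse_apache(text):
    """Yield one dict per Apache combined-format line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        yield {
            "source": "apache",
            "ip": m["ip"],
            "user": None if m["user"] == "-" else m["user"],
            "method": m["method"],
            "uri": m["uri"],
            "status": int(m["status"]),
        }


def summarize(records):
    """Count requests per client IP as ok (<400), client_error (4xx) or server_error (5xx)."""
    per_ip = defaultdict(Counter)
    for r in records:
        if r["status"] < 400:
            bucket = "ok"
        elif r["status"] < 500:
            bucket = "client_error"
        else:
            bucket = "server_error"
        per_ip[r["ip"]][bucket] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}


if __name__ == "__main__":
    records = list(parse_iis(IIS_SAMPLE)) + list(parse_apache(APACHE_SAMPLE))
    for ip, counts in summarize(records).items():
        print(ip, counts)
```

On the constructed excerpts the summary shows 203.0.113.9 with three successful requests and two rejected ones (the 401 on /admin/ followed by a successful authenticated request as alice, then a 403 on Apache), and 198.51.100.7 producing nothing but 5xx errors, which is the kind of pattern Deliverables B asks you to look for across log sources. Note that IIS logs are written in UTC by default and the Apache timestamp carries its own offset, so normalize the time zone before merging the two timelines.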

 

  5. Your SQL Server keeps on crashing.

In SQL Server Management Studio (SSMS), open Object Explorer, connect to the instance, expand it, expand Management, right-click SQL Server Logs, choose View and then SQL Server Log. The log shows which errors are occurring and why the server keeps crashing. The entries to look for are the "SQL Server is starting" lines, each of which marks a restart, and the high-severity error messages immediately before them; a restart that is not preceded by a "SQL Server is terminating" message was not a clean stop.

The same log is a plain-text file, by default at C:\Program Files\Microsoft SQL Server\MSSQL<version>.<InstanceName>\MSSQL\Log\ERRORLOG. Each restart rolls the log over, so the current file only covers the current run and the previous six runs are kept as ERRORLOG.1 through ERRORLOG.6. The log can also be read with EXEC sp_readerrorlog from a query window, and the MSSQLSERVER source in the Windows Application event log records the same startup and failure events.
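Since every restart starts a fresh ERRORLOG, reconstructing a crash history means reading the archived logs oldest first (ERRORLOG.6, ..., ERRORLOG.1, ERRORLOG), merging them into one timeline and, for each "SQL Server is starting" entry, looking back for the last high-severity error and for whether a "SQL Server is terminating" message preceded it. The following added example (written for this page, not part of the lab or of SQL Server's own tooling) does exactly that; the four log excerpts are constructed to show one clean stop and two crashes, and the minimum severity of 16 is an assumption.

```python
"""Build a restart and crash timeline from a set of SQL Server ERRORLOG files.

Added example for the lab handout, not the handout's own code. ERRORLOG lines start
with a timestamp and a source column (Server, spidNN, Logon, ...) followed by the
message; an "Error: N, Severity: S, State: T." line is followed by the message text
on the next line from the same spid. The excerpts below are constructed.
"""
import re
from datetime import datetime

# Constructed archives, oldest first: ERRORLOG.3, ERRORLOG.2, ERRORLOG.1, ERRORLOG.
SAMPLE_LOGS = [
    r"""2018-09-11 07:00:00.00 Server      SQL Server is starting at normal priority base (=7). This is an informational message only. No user action is required.
2018-09-11 07:59:30.00 spid9s      SQL Server is terminating in response to a 'stop' request from Service Control Manager. This is an informational message only. No user action is required.
""",
    r"""2018-09-11 08:00:01.12 Server      SQL Server is starting at normal priority base (=7). This is an informational message only. No user action is required.
2018-09-11 08:00:05.40 spid7s      Recovery is complete. This is an informational message only. No user action is required.
2018-09-11 09:30:12.00 spid52      Error: 823, Severity: 24, State: 2.
2018-09-11 09:30:12.00 spid52      The operating system returned error 21(The device is not ready.) to SQL Server during a read at offset 0x0000000001e000 in file 'E:\Data\Sales.mdf'.
""",
    r"""2018-09-11 09:31:00.02 Server      SQL Server is starting at normal priority base (=7). This is an informational message only. No user action is required.
2018-09-11 10:51:55.00 spid60      Error: 17053, Severity: 16, State: 1.
2018-09-11 10:51:55.00 spid60      E:\Data\Sales.mdf: Operating system error 21(The device is not ready.) encountered.
""",
    r"""2018-09-11 10:52:30.02 Server      SQL Server is starting at normal priority base (=7). This is an informational message only. No user action is required.
""",
]

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (?P<src>\S+)\s+(?P<msg>.*)$")
ERROR_RE = re.compile(r"^Error: (?P<num>\d+), Severity: (?P<sev>\d+), State: (?P<state>\d+)\.")
START_MARK = "SQL Server is starting at"
STOP_MARK = "SQL Server is terminating"  # service stop or OS shutdown: not a crash


def parse_errorlog(text):
    """Return (timestamp, source, message) tuples; untimestamped continuation lines are appended to the previous message."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append([datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["src"], m["msg"]])
        elif entries and line.strip():
            entries[-1][2] += " " + line.strip()
    return [tuple(e) for e in entries]


def restart_timeline(logs, min_severity=16):
    """logs: ERRORLOG texts oldest first. One dict per startup, with the time since the
    previous start, whether a clean-stop message preceded it, and the last error of at
    least min_severity seen before it (number, severity, time and text)."""
    events = []
    for text in logs:
        events.extend(parse_errorlog(text))
    events.sort(key=lambda e: e[0])  # stable, so an error line stays ahead of its text line
    timeline, last_error, prev_start, clean_stop, pending_src = [], None, None, False, None
    for ts, src, msg in events:
        if START_MARK in msg:
            timeline.append({
                "started": ts,
                "since_previous_start": None if prev_start is None else ts - prev_start,
                "clean_shutdown": clean_stop,
                "last_error": last_error,
            })
            prev_start, last_error, clean_stop, pending_src = ts, None, False, None
            continue
        if msg.startswith(STOP_MARK):
            clean_stop = True
            continue
        m = ERROR_RE.match(msg)
        if m and int(m["sev"]) >= min_severity:
            last_error = {"time": ts, "number": int(m["num"]), "severity": int(m["sev"]), "text": ""}
            pending_src = src  # the descriptive text follows from the same spid
        elif pending_src == src and last_error is not None:
            last_error["text"] = msg
            pending_src = None
    return timeline


if __name__ == "__main__":
    for entry in restart_timeline(SAMPLE_LOGS):
        print(entry["started"], "clean stop before:", entry["clean_shutdown"], "last error:", entry["last_error"])
```

On the constructed logs the timeline shows four starts: the 08:00 start follows a clean service stop, while the 09:31 and 10:52 starts follow no stop message at all and each sits right after an I/O error (823 at severity 24, then 17053) on the same data file, which is where the investigation should go next. When reading the real files, open them with encoding="utf-16", which is how SQL Server writes ERRORLOG on disk.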

 

Using the above examples that we went through in class, please write your findings.

  6. A user copying sensitive data from SharePoint and sending it via email.

 

  7. A database system unexpectedly expanding.
  8. You noticed a sudden burst of network ingress.
  9. You noticed that there was a known malware alert but it is no longer there.

 

Deliverables -B:

  1. In your findings of any combination above, do you see any pattern?
  2. Import the pattern and try to get any type of chart or reliability monitor.
    • Open Control Panel → System and Security → Security and Maintenance
    • Expand Maintenance and click "View reliability history" under Report problems. Take a screenshot of the chart and, in your own words, describe what you see.
    • How many of the following did you find?
      • Application Failures
      • Windows Failures
      • Miscellaneous Failures
      • How many “Critical Events” did you find? List them.
    • Do you believe this will help you find application logs, system logs, server logs and other logs?
    • How can you save this Reliability History?
    • Go to “Problem Reports” and list the number of the following issues. (No need to list the Application Name, only numbers)
      • Stopped Working ________
      • Stopped Responding _______
      • XYZ_Exception64/32 _______
      • Shut down unexpectedly ____
      • Unhandled exception ________

 

Extra Points (10)

  1. If you have enough date related metadata, create a Time Series and Predictive Analysis and insert the screenshots below.
