Archive for Miscellaneous

FoxTab: Firefox’s Hidden Camera

The FoxTab add-on for Mozilla Firefox leaves behind some interesting artifacts from a forensic analysis standpoint.  According to FoxTab's webpage, the add-on "brings innovative 3D functionality to your Firefox."  Among the features offered by FoxTab are the "Tab Flipper" and "Recently Closed Tabs", which let a user view their currently open tabs and recently closed tabs in an animated fashion.  While these features may appeal to some users, they are interesting to a digital forensic examiner because the artifacts they leave behind provide a unique view into a user's browsing history.  Each screenshot taken by FoxTab is a JPG or PNG file (depending on the version of FoxTab) that is stored on disk and, in many cases, readily available to an examiner.  And unlike the page thumbnails stored by newer versions of Firefox, FoxTab's thumbnails are left untouched when the browsing history is cleared.

Screenshot stored by FoxTab

foxtab\thumbs Directory
The images displayed by the Tab Flipper feature (depicting the currently open tabs) are stored in a folder titled "thumbs" within the user's AppData\Local\Temp\foxtab directory (or Local Settings\Temp\foxtab on XP).  For each tab open in Firefox, a screenshot of the webpage displayed in that tab is stored for use in navigating between open tabs through the FoxTab interface.  While newer versions of FoxTab appear to delete the screenshots in foxtab\thumbs when Firefox is closed, older versions (1.4.2 and earlier) aren't as diligent about cleaning up after themselves.  When testing this feature, I observed on several occasions files remaining in the foxtab\thumbs directory after Firefox was closed.  The files are stored without an extension; giving them a .jpg or .png extension is enough to view them in the native Windows photo viewer.

Based on my testing thus far, the $STANDARD_INFORMATION creation time of the files within the foxtab\thumbs folder corresponds to the time the webpage depicted in the screenshot was first visited.  The $STANDARD_INFORMATION last modified time is a close approximation of the same event, a few seconds after the creation time.  I haven't pinned down what the variance is attributable to, but in all tests the last modified time of each file was within 40 seconds of the creation time (some were as close as four seconds apart).

foxtab\thumbsRCT Directory
The images displayed by the Recently Closed Tabs feature are stored in a folder titled "thumbsRCT" within the user's AppData\Local\Temp\foxtab folder (or Local Settings\Temp\foxtab on XP).  Like the foxtab\thumbs folder, this directory stores images of tabs that were open in Firefox at some point.  Within the FoxTab interface, a user may view a graphical depiction of the recently closed tabs.  My testing indicates that only tabs closed since Firefox was last opened are shown in the interface, even though screenshots from previous browsing sessions may very well still be stored in the foxtab\thumbsRCT folder.

Recently Closed Tab Feature of FoxTab

As with the foxtab\thumbs folder, newer versions of FoxTab appear to remove screenshots from previous browsing sessions stored in the foxtab\thumbsRCT directory more frequently.  When FoxTab is installed and a tab is closed within Firefox, the image file containing the screenshot appears to be copied from the foxtab\thumbs directory to the foxtab\thumbsRCT folder and renamed using the MD5 hash of the URL of the webpage from which the screenshot was taken.  I've been unable to find a location in which FoxTab stores the URL itself, so an examiner may have only the screenshot of the webpage and the MD5 of its URL at their disposal.

Based on my testing thus far, the $STANDARD_INFORMATION last modified time of each file in the foxtab\thumbsRCT folder corresponds to the approximate time the webpage depicted in the screenshot was opened (it is the same last modified time the file carried while stored in the foxtab\thumbs directory).  The $STANDARD_INFORMATION creation time of each file appears to correspond to the time the Firefox tab containing the depicted webpage was closed (and hence the screenshot was added to the "thumbsRCT" folder).  If the $STANDARD_INFORMATION timestamps can be trusted in a particular case, the creation and last modified times of files in the foxtab\thumbsRCT folder may bracket the period during which the webpage depicted in the screenshot was open in the user's browser.
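Since the thumbsRCT file name is the MD5 of a URL the examiner does not have, the practical check is to hash URLs obtained elsewhere (other browsers' history, a known-site list, proxy logs) and compare them against the file names.  The script below is an added example and is not part of the original post or of FoxTab itself; it assumes the file name is the lowercase hex MD5 of the URL with no extension, and because the exact string FoxTab hashed (scheme, trailing slash, fragment) is not established, it tries several spellings of each candidate URL.  The directory walk also reports the open/close window implied by the timestamps described above; the demo folder and URLs are constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Assumption (not established on the page): the thumbsRCT file name is the
# lowercase hex MD5 of the URL, stored without an extension.


def md5_hex(text: str) -> str:
    """Hex MD5 of a UTF-8 string, matching the assumed thumbsRCT naming scheme."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def url_variants(url: str) -> list:
    """Plausible spellings of a URL, since the exact form FoxTab hashed
    (fragment, trailing slash, http vs. https) is not known."""
    variants = []

    def add(u):
        if u not in variants:
            variants.append(u)

    add(url)
    add(url.split("#", 1)[0])                      # without fragment
    for u in list(variants):
        add(u.rstrip("/"))                         # without trailing slash
        if not u.endswith("/") and "?" not in u:
            add(u + "/")                           # with trailing slash
    for u in list(variants):
        if u.startswith("http://"):
            add("https://" + u[len("http://"):])
        elif u.startswith("https://"):
            add("http://" + u[len("https://"):])
    return variants


def build_candidate_table(urls) -> dict:
    """Map MD5 hex -> list of URL spellings that produce it."""
    table = {}
    for url in urls:
        for v in url_variants(url):
            table.setdefault(md5_hex(v), []).append(v)
    return table


def match_hashes(filenames, candidate_urls) -> dict:
    """For each thumbsRCT file name, list the candidate URLs whose MD5 matches it."""
    table = build_candidate_table(candidate_urls)
    matches = {}
    for name in filenames:
        stem = os.path.splitext(os.path.basename(name))[0].lower()
        matches[name] = table.get(stem, [])
    return matches


def scan_thumbs_rct(directory, candidate_urls) -> list:
    """Walk a thumbsRCT directory and report each file with its URL matches and
    the open/close window implied by the timestamps discussed in the post."""
    names = [n for n in sorted(os.listdir(directory))
             if os.path.isfile(os.path.join(directory, n))]
    matches = match_hashes(names, candidate_urls)
    report = []
    for name in names:
        st = os.stat(os.path.join(directory, name))
        report.append({
            "file": name,
            "candidate_urls": matches[name],
            # last modified ~= time the page was opened
            "opened_approx": datetime.fromtimestamp(st.st_mtime, timezone.utc),
            # st_ctime is the creation time on Windows only (inode change time
            # on POSIX); the post ties creation time to when the tab was closed
            "closed_approx": datetime.fromtimestamp(st.st_ctime, timezone.utc),
        })
    return report


if __name__ == "__main__":
    # Constructed demo: fake a thumbsRCT folder with one hash-named file and one unknown.
    known = ["http://example.com", "http://example.org/page?id=1"]
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, md5_hex("http://example.com/")), "wb") as f:
            f.write(b"\x89PNG")
        with open(os.path.join(tmp, "0123456789abcdef0123456789abcdef"), "wb") as f:
            f.write(b"\xff\xd8")
        for entry in scan_thumbs_rct(tmp, known):
            print(entry["file"], entry["candidate_urls"],
                  entry["opened_approx"], entry["closed_approx"])
```

A file that matches no candidate is still reported, since the screenshot itself remains evidence; a match only adds the URL.  Run the scan from a forensic image mount or a copy, not the live profile, so the $STANDARD_INFORMATION times are not disturbed.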

Forensic Implications of FoxTab
Although the artifacts left behind by FoxTab do not appear to store the URL of the webpage depicted in each screenshot, they give an examiner a visual depiction of the webpage as the user would have viewed it.  This can be very telling in cases involving access to illicit websites where the relevant browsing history on the computer is no longer available.

Clearing the Firefox browsing history does not appear to affect the files saved by FoxTab, since they are stored independently of the browsing history and cache files.  Uninstalling the FoxTab add-on also does not seem to remove either the foxtab\thumbs or foxtab\thumbsRCT directory.  Further, using Firefox's Private Browsing mode does not seem to change how FoxTab behaves.  It appears that unless the foxtab directories themselves are deleted, many screenshots from previous browsing sessions, both normal and private, may remain on disk.

Overall, if FoxTab is functioning correctly, it will save screenshots of currently open tabs and of tabs closed since Firefox was last opened.  Older versions of FoxTab (1.4.2 and earlier) remove screenshots less frequently (if at all) than newer versions; however, even the most current version (1.4.5) does not seem to remove all of them.  This means that a visual depiction of many webpages visited by the user may still be available in the foxtab directories described above, regardless of whether the user deleted their browsing history or used Firefox's Private Browsing mode.  While the absence of the page URL is certainly a drawback, the artifacts left behind by FoxTab may provide insight into a user's browsing history where it would otherwise be unavailable.

DFIR Online Meetup

Last week, I had the opportunity to attend the first DFIR online meetup.  The meetup was hosted by Mike Wilkinson of Champlain College and featured a presentation from Mike on an interesting assault case, as well as a presentation from Harlan Carvey on accessing VSCs.  I really liked the layout of the technology that was used.  There were two chat areas: one directed towards the speaker/presenter and a general chat area for everything else.  As Mike mentioned in his blog, the conversation died down after the recording started, but I think that also may have been because the presentations had begun and people were paying attention to the speakers instead.

Mike's case study was an interesting assault case that dealt with a machine that had four OS's on two hard drives.  The main issue in this case involved computer use during a specific timeframe.  I won't go into details, but the presentation really hit on the fact that you should know your tools and understand how they present data to you as an examiner.  Time conversions from UTC to local or vice versa can make significant impacts on a case if you're not aware that they're happening in the background.

Harlan's presentation went through the steps necessary to mount and access data stored in volume shadow copies.  He's outlined the steps in his blog before, but it's nice to hear it straight from the source to help reinforce the process.  What made this even better is that if you had a specific question about mounting and accessing VSCs, or an issue you'd had in the past when working with them, you could ask it during or after the presentation and receive an answer from Harlan or one of the other attendees who may have dealt with a similar situation.

There were around 30 total people present at the meetup, which was nice in the sense that it had more of a small group feeling than that of a huge seminar that many of us are used to when attending online meetups.  However, on the other hand, it would be nice to have more attendees in the future to increase the pool of knowledge for questions and answers.  Overall, it was a great experience and I’ll be ready for another one on January 19th.

Using Log Parser in Timeline Analysis

Timeline analysis has become a key component of most forensic examinations nowadays.  Whether you're using the four step process detailed by Chris Pogue at The Digital Standard (or one of the many other great sources online), using fls for file system timestamps, or a mix somewhere in between, the output will typically be the same: a csv file, either as direct output from log2timeline or from running mactime against a bodyfile encompassing your timeline data.

Corey Harrell from Journey Into IR posted a great article on using Excel filtering and advanced filters to drill down into the timeline for relevant or key information, and there are a few other posts out there discussing a similar approach.  There are surely many ways that an examiner can filter or otherwise eliminate irrelevant data from the timeline, but I would like to discuss one in particular here.

For those who haven't used it, Log Parser is a free tool published by Microsoft (written by Gabriele Giuseppini) that treats log and data files as tables of records that can be queried with SQL-style statements.  Although Log Parser can interpret many types of logs and other data files, what specifically interests me in the realm of timeline analysis is the ability to query csv files.  Given the ability to treat a timeline as a SQL table, a forensic examiner who has an idea of what they're targeting can easily, and more importantly quickly, drill down to the timeline entries that are relevant to the case.

For those of you who may not be well versed in SQL, rest assured that I by no means consider myself an expert at constructing SQL queries.  That's the beauty here: you don't have to be.  You do need a basic understanding of building SQL queries and the fundamentals of using Log Parser, but in the end we're just performing simple queries.  If you need to gain a better understanding of SQL, there are tons of resources on the web (not to mention several books on the topic).  There are also plenty of resources on Log Parser (and at least one book that I know of).

One nuance you have to deal with when using Log Parser on a csv created by mactime is column header naming.  Mactime creates a column header titled "File Name".  The space between "File" and "Name" is a nuisance in SQL, so I simply open the csv file in Notepad++ and change "File Name" to "File_Name".  This makes the queries easier and a bit cleaner.  On a side note, Log Parser adds two virtual columns that can be used if needed: "FileName" and "RowNumber".  "FileName" is the csv file taken as input and processed by Log Parser, while "RowNumber" is the row within the csv file at which a match is found, which is handy for tracing a hit back to the full timeline.

Let's move into an example.  We'll assume that our timeline is already in csv format and that we used mactime against a bodyfile for the conversion (as opposed to the csv output module of log2timeline).  Note that the timeline used in this example is only a file system dump.  Suppose you were interested in files referencing CCleaner from any time in 2011.  By running the following query, you can view the matching rows in a table (which Log Parser calls a datagrid).  Note that I selected only four columns in order to make the screenshot easier to read.

logparser -i:CSV -o:DATAGRID "SELECT file_name, date, size, type FROM timeline.csv WHERE file_name LIKE '%ccleaner%' AND date LIKE '%2011%'"

Alternatively, you could export the result directly into another csv file by using the command below.

logparser -i:CSV -o:CSV "SELECT * INTO C:\timelineData\CCleaner2011.csv FROM timeline.csv WHERE file_name LIKE '%ccleaner%' AND date LIKE '%2011%'"

I will often start by viewing the results in the datagrid provided by Log Parser, and then export the rows to a separate csv file after I have verified that the query does indeed return the data that I’m interested in.  The ability to run a SQL query against my timeline often greatly reduces the time and effort that I need to find relevant information.
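For readers without a Windows box (Log Parser is Windows-only), the same workflow can be reproduced with Python's built-in sqlite3 module.  The script below is an added example, not part of the original post and not Log Parser itself: it loads constructed sample rows in mactime's CSV layout into an in-memory table, renames "File Name" to File_Name on the way in (the edit made by hand in Notepad++ above), converts mactime's date string into sortable ISO form so that a real date range can replace the LIKE '%2011%' trick, records the source row number like Log Parser's RowNumber column, and adds the usual next step after a keyword hit: pulling everything within a few minutes of it.

```python
import csv
import io
import sqlite3
from datetime import datetime

# Constructed sample rows in mactime's CSV layout
# (Date,Size,Type,Mode,UID,GID,Meta,File Name); not data from a real case.
SAMPLE_CSV = """Date,Size,Type,Mode,UID,GID,Meta,File Name
Tue Mar 01 2011 14:23:11,4096,m...,d/drwxrwxrwx,0,0,1234-144-1,C:/Program Files/CCleaner
Tue Mar 01 2011 14:23:15,2048,...b,r/rrwxrwxrwx,0,0,1235-128-3,C:/Program Files/CCleaner/ccleaner.exe
Wed Mar 02 2011 09:01:00,512,m...,r/rrwxrwxrwx,0,0,1300-128-1,C:/Users/bob/Documents/notes.txt
Fri Dec 10 2010 18:45:30,1024,.a..,r/rrwxrwxrwx,0,0,1100-128-1,C:/Users/bob/Downloads/ccsetup.exe
"""

MACTIME_DATE_FORMAT = "%a %b %d %Y %H:%M:%S"   # e.g. "Tue Mar 01 2011 14:23:11"


def load_timeline(csv_text: str) -> sqlite3.Connection:
    """Load a mactime CSV into an in-memory SQLite table.

    'File Name' becomes File_Name, the mactime date string is converted to a
    sortable ISO string, and RowNumber records the source line of each entry.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE timeline (RowNumber INTEGER, Date TEXT, Size INTEGER, "
        "Type TEXT, Mode TEXT, UID TEXT, GID TEXT, Meta TEXT, File_Name TEXT)"
    )
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_number, row in enumerate(reader, start=2):   # line 1 is the header
        when = datetime.strptime(row["Date"], MACTIME_DATE_FORMAT)
        conn.execute(
            "INSERT INTO timeline VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
            (row_number, when.isoformat(sep=" "), int(row["Size"]), row["Type"],
             row["Mode"], row["UID"], row["GID"], row["Meta"], row["File Name"]),
        )
    conn.commit()
    return conn


def files_matching(conn, keyword: str, start: str, end: str) -> list:
    """Rows whose File_Name contains keyword (LIKE is case-insensitive for
    ASCII in SQLite) with start <= Date < end, both ISO date strings."""
    sql = ("SELECT RowNumber, Date, Size, Type, File_Name FROM timeline "
           "WHERE File_Name LIKE ? AND Date >= ? AND Date < ? "
           "ORDER BY Date, RowNumber")
    return conn.execute(sql, (f"%{keyword}%", start, end)).fetchall()


def around(conn, row_number: int, minutes: int = 5) -> list:
    """Every entry within +/- minutes of the entry at row_number."""
    sql = ("SELECT RowNumber, Date, Type, File_Name FROM timeline "
           "WHERE Date BETWEEN datetime((SELECT Date FROM timeline WHERE RowNumber = ?), ?) "
           "AND datetime((SELECT Date FROM timeline WHERE RowNumber = ?), ?) "
           "ORDER BY Date, RowNumber")
    return conn.execute(sql, (row_number, f"-{minutes} minutes",
                              row_number, f"+{minutes} minutes")).fetchall()


def export_csv(rows, header) -> str:
    """Query results as CSV text, the equivalent of Log Parser's SELECT ... INTO file."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    conn = load_timeline(SAMPLE_CSV)
    hits = files_matching(conn, "ccleaner", "2011-01-01", "2012-01-01")
    print(export_csv(hits, ["RowNumber", "Date", "Size", "Type", "File_Name"]))
    for row in around(conn, hits[0][0], minutes=5):
        print(row)
```

The date conversion is the part worth keeping even if you stay with Log Parser: a substring match on the year will miss a range that straddles a year boundary and cannot express "between 14:00 and 15:00 on March 1st", whereas an ISO string compares correctly.  As with the Log Parser queries, review the hits in the grid first and export only once the query returns what you expect.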

While neither timeline analysis nor Log Parser is anything new, the two together make for an efficient means of analyzing timeline data.  This of course assumes that the examiner has an idea of what they're targeting.  So the next time you're working with a timeline, consider running a few queries on it using Log Parser.