Monday, December 2, 2013

Daily Blog #162: Sunday Funday 12/1/13 Winner!

Hello Reader,
Another challenge behind us, and this week saw fewer responses than normal; in fact, just one was submitted in time. I'm not sure if you were all in a turkey coma or if the challenge itself stumped you. This week's answer is good, as it covers the standard analysis one would expect, but it is missing data from the USN journal and the behavioral patterns of Outlook 2007. That sounds like a good series of posts to work on this week. Congratulations to Simon Mccabe for winning this week's contest!

The Challenge:
You are involved in a case that involves emails containing confidential information being sent to outside parties. You've been given an image of one of the outside parties' computers and the subject and date of the email that was sent. The image was created two weeks after the email was sent. You've located the message on the image, but the suspect has denied accessing any attachments.

Please detail how on a Windows 7 system running Outlook 2007 you can determine:
1. What attachments were accessed in the last two weeks
2. When attachments were accessed
3. How many times attachments were accessed

The Winning Answer:

Simon Mccabe
Once the image has been acquired and processed in EnCase, I would navigate to C:\Users\ and export his/her NTUser.dat file. This NTUser.dat file would be the most recent NTUser.dat file for the suspect, without going into restore points. In order to find out what attachments were accessed in the last two weeks, I would open the user's NTUser.dat file in AccessData's Registry Viewer and navigate to:

"HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security"

Outlook 2007 (sometimes) creates a temp folder for attachments that were opened directly from an email. The registry location listed above would tell you the temp folder, which would be in the user's "AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\\" directory. Any files held within the temp folder would have timestamps showing the creation time, so if the creation time was in the last two weeks, this would be evidence.

For further evidence, I would then use Harlan Carvey's RegRipper to rip the user's NTUser.dat file to a txt file. I would open the NTuserRIP.txt file and search for 'recentdocs'. This could show the last write time and information about which files were last opened, with the most recent appearing at the top.

I would then green-plate the entire folder structure in EnCase and sort by file extension. I would be looking for lnk files. More specifically, I would then look for lnk files which point to any of the attachments. Lnk files show the MAC (Modified, Accessed, Created) times of the files, so this may provide important evidence about when files were accessed.

To find out how many times attachments were accessed, I would look for the 'userassist' records in the NTuserRIP.txt file I had made. I should be able to see the count in brackets, for example: (3). This would suggest that the suspect had opened the attachment three times, along with when it was last opened.
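As an added example (not part of the original post or of Simon's answer), the Python below decodes a Windows 7 UserAssist value the way RegRipper reports it: the ROT13-encoded name, the run count that appears in brackets, and the last-run FILETIME, and then checks that time against the two-week window before the image was taken. The 72-byte value layout is the documented Windows 7 format; the sample value, the `{GUID-PLACEHOLDER}` prefix, the file name and the acquisition time are all constructed for the example.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Layout of a Windows 7 UserAssist value (72 bytes):
#   0: session id, 4: run count, 8: focus count, 12: focus time (ms),
#   16: ten float32 values (unused here), 56: unknown,
#   60: last-run FILETIME, 68: unknown
UA_WIN7 = struct.Struct("<IIII10fIQI")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def decode_userassist(value_name, value_data):
    """Decode one UserAssist value: ROT13 name, run/focus counts and last-run time."""
    if len(value_data) != UA_WIN7.size:
        raise ValueError("expected %d bytes, got %d" % (UA_WIN7.size, len(value_data)))
    fields = UA_WIN7.unpack(value_data)
    return {
        "name": codecs.decode(value_name, "rot_13"),
        "run_count": fields[1],
        "focus_count": fields[2],
        "last_run": filetime_to_datetime(fields[15]),
    }


def accessed_within(entry, image_time, days=14):
    """True if the entry's last run falls within `days` before the image was acquired."""
    return image_time - timedelta(days=days) <= entry["last_run"] <= image_time


def build_sample_value(run_count, last_run):
    """Construct a synthetic Win7 UserAssist blob (for this example only)."""
    ticks = int((last_run - FILETIME_EPOCH).total_seconds()) * 10_000_000
    return UA_WIN7.pack(0, run_count, run_count, 0, *([0.0] * 10), 0, ticks, 0)


# Constructed sample: the name is stored ROT13-encoded as in the registry; the path is made up.
SAMPLE_NAME = codecs.encode(r"{GUID-PLACEHOLDER}\Confidential_Report.docx", "rot_13")
SAMPLE_LAST_RUN = datetime(2013, 11, 20, 10, 15, tzinfo=timezone.utc)
SAMPLE_DATA = build_sample_value(3, SAMPLE_LAST_RUN)
IMAGE_TIME = datetime(2013, 11, 29, tzinfo=timezone.utc)  # constructed acquisition time

if __name__ == "__main__":
    entry = decode_userassist(SAMPLE_NAME, SAMPLE_DATA)
    print(entry["name"], "(%d)" % entry["run_count"], entry["last_run"].isoformat())
    print("within 14 days of image:", accessed_within(entry, IMAGE_TIME))
```

On a real hive the value name and data come from the UserAssist\{GUID}\Count subkeys; a 16-byte value indicates the older XP/Vista layout, which this decoder rejects rather than misreads.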