Sunday, May 19, 2019

NIST data sets on Magnet AXIOM - Examine

Continued from the Magnet AXIOM Process post:
https://www.datadigitally.com/2019/05/processing-image.html

This post looks at the processed image from the NIST data sets for the data leakage case of the Computer Forensics Reference Data Sets project (CFReDS).
Found at:
https://www.cfreds.nist.gov/data_leakage_case/data-leakage-case.html

Opening Magnet AXIOM Examine and selecting the recently processed case

Magnet AXIOM Examine - Home page

Drop-down for the different tabs in the home menu

Artifacts tab, tree pane view, within AXIOM Examine

File system tree pane view: 2 partitions, System Reserved and C:

Questions

  • What are the hash values (MD5 & SHA-1) of all images?

Hash value shown for each image segment (40 hex digits, i.e. the SHA-1):
cfreds_2015_data_leakage_pc.E01  72432916933F5A309A8C456B40C9601D1F8D2A4F
cfreds_2015_data_leakage_pc.E02  0CAF4261ED8432A8B3BAA019B1B28FDF96F79130
cfreds_2015_data_leakage_pc.E03  BE836C891736C4C0C2253C6803399BF0F2A599BA
cfreds_2015_data_leakage_pc.E04  9159BFFD56097495F73FBBF967B75EB288B1E3DE

  • Identify the partition information of the PC image.

  • Explain the installed OS information in detail (OS name, install date, registered owner…).

In the Artifacts tab, drilling down to Operating System Information

OS information: Windows 7 Ultimate, install date 3/22/2015, registered owner "informant"

  • What is the timezone setting?

Eastern Standard Time, gathered from the registry

  • Who was the last person to logon to the PC?

Because this is Windows 7, it is located in the registry at:
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI (value: LastLoggedOnUser)

Registry key for the last logged-on user

  • What application was last installed?

Eraser has the most recent created date in the Installed Programs artifact

  • Identify web related history

Web related items include artifacts from the Chrome History file and the Edge\IE WebCache file

Search terms in the Google web related item

  • When was the last recorded shutdown date/time?

HKLM\SYSTEM\ControlSet###\Control\Windows (value: ShutdownTime)

Pathing to the registry key value and highlighting the hex

Decode section showing the decoded time

  • What are some artifacts of recent execution?

Jump Lists sorted by Last Access time, most recent first

Link files showing activity on a D: drive, a share drive, and cloud drive services

In NTUSER.DAT, at "Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder"

Decoded to Unicode
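
The two decode steps AXIOM performs above (the ShutdownTime hex and the RecentDocs names) done by hand, as an added Python example that is not part of the original post or of AXIOM: it decodes a registry FILETIME to UTC and orders RecentDocs entries using the key's MRUListEx value. The registry bytes and file names are constructed samples, not values taken from the case image.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_filetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian REG_BINARY FILETIME (e.g. ShutdownTime) to UTC."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes, got %d" % len(raw))
    (ticks,) = struct.unpack("<Q", raw)
    # Result is UTC; apply the image's time zone setting (EST here) to get local time.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_recentdocs_name(raw: bytes) -> str:
    """Return the UTF-16LE, NUL-terminated file name that starts a RecentDocs value.
    The binary shortcut data that follows the terminator is ignored."""
    for i in range(0, len(raw) - 1, 2):  # look for the terminator on 2-byte boundaries only
        if raw[i:i + 2] == b"\x00\x00":
            return raw[:i].decode("utf-16-le")
    raise ValueError("no UTF-16LE terminator found")


def decode_mrulistex(raw: bytes) -> list:
    """Decode MRUListEx: little-endian DWORD indices, most recent first, ending in 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", raw):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def most_recent_docs(values: dict) -> list:
    """Order the RecentDocs names by MRUListEx; values maps registry value names to raw bytes."""
    return [decode_recentdocs_name(values[str(i)]) for i in decode_mrulistex(values["MRUListEx"])]


# Constructed sample data (not taken from the case image).
SHUTDOWN_TIME = b"\x00\xd8\x84\x5d\x0c\x67\xd0\x01"  # FILETIME for 2015-03-25 15:00:00 UTC
RECENTDOCS = {
    "0": "report_q1.docx".encode("utf-16-le") + b"\x00\x00" + b"\x4c\x00\x32\x00",
    "1": "budget.xlsx".encode("utf-16-le") + b"\x00\x00" + b"\x4c\x00\x32\x00",
    "MRUListEx": struct.pack("<III", 1, 0, 0xFFFFFFFF),
}

if __name__ == "__main__":
    print("ShutdownTime (UTC):", decode_filetime(SHUTDOWN_TIME).isoformat())
    print("RecentDocs, most recent first:", most_recent_docs(RECENTDOCS))
```

The same functions work on the real bytes copied out of the hex pane; the trailing placeholder bytes in the samples stand in for the shortcut data that follows each RecentDocs name.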

Shellbags indicating access to C:, D:, and a share drive

  • What was written on the recent sticky note?

In Windows 7 it is located at:
"\Users\informant\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt"

Tomorrow ... Everything will be OK

NIST has kindly posted the solutions for the case. They can be found at
https://www.cfreds.nist.gov/data_leakage_case/leakage-answers.pdf

It shows in better detail the data leakage involving the USB images, which I did not include, as well as email artifacts and a burnt CD.

I do commend and thank NIST for making this and found it to be a fun resource.

--Bryan