Methodology and Automated Metadata Extraction from Multiple Volume Shadow Copies Henri Michael Van Goethem James Madison University

JMU Scholarly Commons, Masters Theses, The Graduate School, Fall 2012

Follow this and additional works at: https://commons.lib.jmu.edu/master201019
Part of the Computer Sciences Commons

Recommended Citation

van Goethem, Henri Michael, "Methodology and automated metadata extraction from multiple volume shadow copies" (2012). Masters Theses. 354. https://commons.lib.jmu.edu/master201019/354

This Thesis is brought to you for free and open access by The Graduate School at JMU Scholarly Commons. It has been accepted for inclusion in Masters Theses by an authorized administrator of JMU Scholarly Commons. For more information, please contact [email protected].

Henri M. van Goethem
A thesis submitted to the Graduate Faculty of James Madison University in partial fulfillment of the requirements for the degree of Master of Science, Department of Computer Science, December 2012

Dedication

This work is dedicated to my family for their unwavering commitment and patience throughout my studies for the JMU InfoSec program and this Thesis research effort.

Acknowledgements

I would like to acknowledge the following:

Tim Leschke, for his amazing vision, support, and insight throughout this Thesis research effort, as well as for the DC3 Research Mentoring Program sponsorship that initially led to this research concept.

Rob Lee, Mark McKinnon, Mike Hom, Troy Larson, Harlan Carvey, and the many other extremely talented "digital investigator" trailblazers, who continuously innovate methods of analyzing and unveiling new sources of digital forensics data that reside in the systems we use each and every day. Many thanks for the expert guidance and support these individuals provided throughout this Thesis research. They are the true "shadow warriors."

Steve Mead and Eric Eifert, who provided immeasurable guidance and support throughout the process of completing multiple iterations of peer review and subsequent edits. Here's to "FINAL".doc!

The JMU InfoSec faculty and staff, who provided outstanding thought leadership, direction, and support throughout my memorable learning experience at JMU. Many thanks for ensuring the InfoSec program focused on proving the theoretical using concrete examples.

Preface

This Thesis research effort discusses the advancement of digital investigative and analysis techniques, resulting in the ability to generate more comprehensive timelines using historical system activity. It is assumed that, in conjunction with proper digital investigative techniques, no evidentiary copy of a disk image, volume, etc., would be accessed directly in an investigation, including for the extraction of metadata/data. A suitable working copy should first be made from the evidentiary copy (using appropriate hardware write-blocking technology or approved techniques to safeguard the evidentiary copy). The working copy should then be used for the actual analysis and metadata/data extraction.

Table of Contents

Dedication
Acknowledgements
Preface
Table of Contents
List of Tables
List of Figures
Abstract
I. Introduction
II. Background
    Timelines and Time Attributes in Digital Investigations
    Visualization of Change-Over-Time
    Windows Volume Shadow Copy Service
    Windows Volume Shadow Copies
    Rendering VSC Contents
III. Digital Investigations Using VSCs
    Accessing VSC metadata and data
        Using Windows Previous Versions
        Using vssadmin with mklink or net share
        Restoring and accessing
        Parsing VSCs
    VSC metadata/data extraction
        Using fls and mactime to extract timestamp metadata
        Using specialized utilities/methods
IV. Achieving Automation for VSC Metadata/Data Extraction
    Scripting manual tools
    Using robocopy
    Using LogParser
    Using shadowcopy.py
    Commercial & Open Source GUI Utilities
        Using ShadowExplorer
        Using ProDiscover
V. Merits and Limitations Analysis Confirms Requirements and Drives Enhancements
    Merits and Limitations Analysis
VI. Custom Modifications Extend Automation
    Exploration of Advancements
        Utilities Used
        Automating Disk Image Mounting
        Enhancing Automated Metadata Extraction
        Storage Format/Method
            Metadata Storage in Database Format (SQLite)
    Enhancement Results Summary
VII. Conclusion
    Overview
    Research Activities