The case
Let's say we just received a system where it is alleged that peer-to-peer (P2P) software was used to download contraband and share intellectual property. You decide to look at what P2P software was in use to determine what forensic artifacts can be recovered. The forensic tool used does not know how to parse some of these potentially evidentiary artifacts you found. Others, like the 'AC_SearchStrings.dat' artifact, have content consistent with how they are named. Do we really know the contents of the file are searches done by the user? How can we verify? What about the items the tool does not understand and whose contents are not in clear text?
The substitution process
One way of looking at data is by using the tool that created it as the viewer of it. If you can determine what software and version was in use, or recover the installation file from the target system, you can install the software on your analysis workstation. It then becomes trivial to substitute the files created by the just-installed program with artifacts recovered from the target system. The idea is that when the program restarts it will read the substituted artifacts and show you the state of the program as it was on the target system at acquisition time. Neat, right?
Be aware that installing software from a case on your work system can cause problems. Here is where a sandbox comes in.
Sandbox vs VMs
If you have a VM available you can install the software, do the substitution, and see what you get. After you are done you can revert to a previous snapshot and be ready for the next case. Nice. But ask yourself, how do you know you got everything? Do you know what changes the software made to the system in its entirety? Do you know if you actually substituted everything there is to substitute for the software? There are software tools you can use to keep track of changes made to the system by the targeted software, but they come with increased complexity. A sandbox might be a better alternative for this particular scenario.
The case in toto
One of the P2P software packages in use for this case was eMule. You were able to extract the eMule executable from the downloads folder as well as the corresponding configuration files in use at the time of extraction. Instead of using a VM we will use a sandbox. One of the oldest and most well-known sandbox implementations is the Sandboxie software for Windows.
After installation the program will have created the following directory structure:
C:\Sandbox\{User Account Name}\DefaultBox
Now we are ready to start.
1. Install the software by right-clicking on the executable and selecting the 'Run Sandboxed' option.
[Screenshots: 'Run Sandboxed' is the 4th option from the top; the sandbox directory holding the registry files; the AppData folder, where substitution happens.]
4. We are going to focus on the 'AC_SearchStrings.dat' artifact that we believe contains user-generated search terms. After the installation there are no search terms available. This makes sense since it is a clean install of the software in the sandbox.
[Screenshot: the eMule window, which shows it is running sandboxed.]
Now let's view the contents of the 'AC_SearchStrings.dat' artifact before substitution.
[Screenshots: AC_SearchStrings.dat before substitution (obvious search terms are obvious, but still need to be confirmed); the sandbox config folder before substitution with a few files and after substitution with a bunch of files; right-click, Run Sandboxed; the program is your viewer.]
8. Go through the application and see what else you can find. In this particular instance one can find historical statistics on how much data was transferred and how many files completed transfer, among many other potentially important data points.
9. After preserving the contents of the sandbox as part of your work, you can delete it by simply right-clicking the Sandboxie icon in the system tray and selecting 'Delete Contents'.
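The two questions the post raises along the way, "how do you know you got everything?" and "did the substitution actually land?", can both be answered by inventorying the sandbox container with hashes. The following script is an added example and is not code from the original post, from Sandboxie or from eMule. It snapshots every file under the sandbox root before and after a step, diffs the two inventories so you can see exactly which files the sandboxed program created or changed (and therefore which ones need substituting), copies recovered artifacts into place while recording the hash of the evidence file and of the sandbox file it replaced, and writes a JSON inventory to preserve before 'Delete Contents'. The eMule config path under user\current\AppData, the file names inside it and the search terms are constructed for the demo; only C:\Sandbox\{User Account Name}\DefaultBox comes from the post.

```python
"""Sandbox-as-viewer helper: inventory, diff, substitute, preserve.

Added example, not part of the original post. Assumptions (not from the page):
- sandbox_root is the Sandboxie container, e.g. C:\\Sandbox\\{User}\\DefaultBox.
- Recovered target artifacts live outside the sandbox, and a mapping says which
  sandbox-relative path each one replaces. All sample files below are constructed.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Inventory every file under root: sandbox-relative path -> size and sha256."""
    inv = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            inv[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return inv


def diff_snapshots(before: dict, after: dict) -> dict:
    """Everything the sandboxed program (or you) added, removed or modified."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in common if before[k]["sha256"] != after[k]["sha256"]),
    }


def substitute(sandbox_root: Path, artifacts: dict) -> list:
    """Copy recovered artifacts over the sandbox's own files, keeping a manifest.

    artifacts maps a sandbox-relative path to the recovered file that replaces it.
    Each manifest entry records the evidence hash, the hash of the clean-install
    file it replaced (None if it did not exist) and whether the copy verified.
    """
    manifest = []
    for rel, src in artifacts.items():
        dst = sandbox_root / rel
        entry = {
            "sandbox_path": rel,
            "source": str(src),
            "source_sha256": sha256_of(src),
            "replaced_sha256": sha256_of(dst) if dst.exists() else None,
        }
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        # The file the program will read must be byte-identical to the evidence.
        entry["verified"] = sha256_of(dst) == entry["source_sha256"]
        manifest.append(entry)
    return manifest


def preserve(sandbox_root: Path, out_json: Path, extra: dict = None) -> dict:
    """Write the final inventory (plus any manifests) before deleting the sandbox."""
    record = {"root": str(sandbox_root), "files": snapshot(sandbox_root)}
    if extra:
        record.update(extra)
    out_json.write_text(json.dumps(record, indent=2, sort_keys=True))
    return record


def demo() -> dict:
    """Constructed walkthrough on a throwaway directory; no Sandboxie needed."""
    workdir = Path(tempfile.mkdtemp())
    try:
        sandbox = workdir / "DefaultBox"
        # Assumed (constructed) location of eMule's config inside the container.
        rel_dir = "user/current/AppData/Local/eMule/config"
        cfg = sandbox / rel_dir
        cfg.mkdir(parents=True)
        (cfg / "AC_SearchStrings.dat").write_bytes(b"")      # clean install: no searches
        (cfg / "preferences.ini").write_text("[eMule]\n")     # constructed second file
        before = snapshot(sandbox)

        evidence = workdir / "evidence"
        evidence.mkdir()
        recovered = evidence / "AC_SearchStrings.dat"          # constructed target artifact
        recovered.write_text("example search one\r\nexample search two\r\n")

        manifest = substitute(sandbox, {f"{rel_dir}/AC_SearchStrings.dat": recovered})
        after = snapshot(sandbox)
        record = preserve(sandbox, workdir / "sandbox_inventory.json",
                          {"substitutions": manifest})
        return {"diff": diff_snapshots(before, after), "manifest": manifest,
                "file_count": len(record["files"])}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real case you would take one snapshot right after the clean sandboxed install, another after running the program once, and a third after substitution: the first diff tells you every path the application writes (the answer to "did I substitute everything?"), and the manifest ties each substituted file back to the evidence hash in your notes.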
Benefits of sandboxing
This analysis confers the following benefits:
1. All writes done by the program to storage are kept within the sandbox.
2. No need for third party software tracking of program interactions with storage.
3. If the program has additional bloatware it will not affect the host system you use for analysis.
4. It makes it easy to identify the locations where configuration and file substitution will be needed for this type of application-as-a-viewer analysis.
5. It reduces the need to virtualize a whole target system if only a few limited apps are of interest.
Conclusion
The application as a viewer is one of the most effective ways of understanding and presenting digital forensic artifacts. The use of a sandbox is one simple and quick method that may help you achieve those desired results.
As always I can be reached on twitter @alexisbrignoni and email 4n6[at]abrignoni[dot]com.