Journey Into Incident Response

According to Websense, there is a new trend where cyber criminals are spreading malware by taken advantage of Google Image search rankings. The attack involves poisoned pictures being displayed in Google’s image search results which when clicked redirects a user to a malicious site. As I was in the middle of putting together this write-up the Unmask Parasites blog had a great post, Thousands of Hacked Sites Seriously Poison Google Image Search Results, on how the websites involved in this attack were compromised and how the Google image search is poisoned while Brian Krebs wrote his own article on the subject Scammers Swap Google Images for Malware.

Those write-ups provided good information about the Google image search poisoning technique but I was approaching the topic from a different angle. My approach is from the perspective of the digital forensic practitioner who investigates this attack on a computer (client side). The Google image search is being leverage to spread malware but one important question I haven’t seen addressed is what are the potential artifacts that indicate the malware came from a Google image search. Along the same line of thinking, how are the artifacts of this delivery mechanism different than a Google web search, SPAM email, or a network share? The answer to these questions will be discussed in detail, hopefully before the Google image search attack comes to a system near you.

Simulation Setup

I tried to simulate how a user would perform Google searches for a selected topic. The topic I selected for my searches was the news of the day on 05/02/11 since the media coverage was everywhere. The topic seemed like a candidate for cyber criminals to try to leverage for spreading malware. I performed Google web and image searches using different word combinations until I had my first sign of an infection which was a warning message saying my unpatched Windows XP SP3 system was infected. I pretended to be a “normal” user to get rid of the warning by clicking cancel but in a short period of time the computer was held hostage by a fake antivirus program.

The Search Hit Culprit

I usually write my posts the way I conducted the examination. The malware is located then I work backwards in time examining the system activity to identify the initial infection vector. I’m taking a slightly different approach for this write-up by first explaining what the user saw followed by what the digital forensic practitioner would see during an examination. The potential artifacts of the Google image search being used to deliver a payload is shown through the DF perspective.

***** Heads Up: some of the URLs and domains mentioned in this write-up were malicious at one point in time so caution should be used if anyone tries to access them for their own research. All URLs were sanitized (or purposely only shown in images) to prevent anyone from accidently accessing the URLs. *****

User Perspective 1

Starting at 09:41:38 PM on 05/02/11 Google web and image searches were performed looking for sites and images about the news of the day. After about 20 minutes I performed the Google image search shown in the picture below. The highlighted image in the first row of search results is the image I access which lead to my system being infected.

DF Perspective 1

The above picture shows what a user sees when performing a Google image search. Different tools/techniques can be used to see what the search looks like on a system post mortem. The picture below shows the part of the timeline where the Google image search occurred and the images in the timeline were downloaded because of the search.

User Perspective 2

Clicking on the image highlighted in red resulted in the Internet Explorer window disappearing and being replaced by the warning message below.

It wasn’t too long until an Internet Explorer window appeared which was pointing to the malicious mlrglrqj.co.cc domain as illustrated below.

DF Perspective 2

At this point a Google image search resulted in the Internet Explorer browser being redirected to the mlrglrqj.co.cc domain where a fake online scanner was located. To see how this occurred forensically, the activity of the Google image being accessed needs to be examined. The portion of the timeline below shows the Google image URL that was accessed and this resulted in the image (line 151879) and a webpage (line 151880) being downloaded to the system. The timeline also shows a webpage, mlrglrqj.co[2].htm, being downloaded six seconds after the image was accessed (line 151881).

The URL in the above picture shows that when the Google image was accessed it brought the user to hxxp://pimpit.com/pr-Osama-Binladen-Dead.html (the imgrefurl variable contained the URL) and the webpage was using an image located at hxxp://theblackboxoffice.com/wp-content/uploads/2010/08/binladen_dead_alive.jpg (the imgurl variable contained the URL). Besides the image of interest, the only other file downloaded to the system before the browser redirect was an htm file named CA16L2DT.htm (this file was uploaded to jsunpack and can be viewed here). I examined CA16L2DT.htm to see if I could find in the file what caused the browser redirect. There was a reference to the t3.gstatic.com domain so I decided to look into the domain a little closer. The first Google search hit for the domain was a thread in a CNET forum titled “Phishing on Google Image Search - t3.gstatic.com/images” from July 2010. A person in the thread mentioned how Kaspersky antivirus was blocking the t3.gstatic.com domain due to it being a phishing attack. I did a search for the domain using the Malware Analysis Search which found malware samples associated with URLs that looked similar to the URL I found in the CA16L2DT.htm file (two of the malware sample reports can be found here and here). I wasn’t able to confirm what caused the browser redirect but I was able to determine the pimpit.com domain was involved with the redirect and a suspicious URL was present on pimpit.com’s webpage.

User Perspective 3

A “Windows Security Alert” appeared on the fake online scanner as shown below.

Shortly after the “Windows Security Alert” a program named XP Home Security appeared on the system. XP Home Security was the program holding the test system hostage.

DF Perspective 3

User Perspective 3 showed the payload of the attack wasn’t the fake online scanner but was the XP Home Security program which was successfully installed on the system. Continuing with the examination of the timeline, the activity on the system indicates the fake online scanner was still open as can be seen in the timeline below.

After the fake online scanner activity there was an Internet Explorer history entry for the following URL hxxp://mlrglrqj.co.cc/file/sc1/SecurityScanner.exe. Immediately after this URL was accessed there were a few registry modifications and the creation of a prefetch file indicating the SecurityScanner.exe program was executed. The picture below shows this activity in the timeline.

The timeline showed there were no indications of a software exploit (vulnerable programs executing, new files appearing on system ,etc..) on the system so it doesn’t appear an exploit was responsible for installing the malware. However, the administrator user account was responsible for the suspicious Internet activity so the account's recent activity was examined to shed light on how the malware was installed. I used Regripper to examine the user activity stored in the registry by parsing the administrator user account’s NTUSER.DAT registry hive. The MUICache registry key entry in the Regripper report shows the administrator user account executed the Security Scanner.exe and ieh.exe programs. The MUICache data for these programs are shown below:

Software\Microsoft\Windows\ShellNoRoam\MUICache
LastWrite Time Tue May 3 02:09:07 2011 (UTC)
     C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4967GLU3\SecurityScanner[1].exe (SecurityScanner[1])
     C:\Documents and Settings\Administrator\Local Settings\Application Data\ieh.exe (ieh)

The lack of exploit artifacts and the MUICache registry key data indicate the administrator user account installed the malware which was exactly what happened. Further examination of the system identified the ieh.exe file as the program holding the system hostage and a VirusTotal scan of the file had a detection rate around 30%.

Potential Google Image Search Delivery Artifacts

At this point the user and digital forensics perspectives showed malware being installed on a system because of a Google image. The purpose of this post was to identify the potential artifacts of a Google image search being used to deliver malware which is why I stopped writing about the DF perspective once the malware was installed on the system. The portions of the timeline in my write-up showed had a lot of deleted files which helped explain how this attacked happened. Most likely deleted files will be over written since the system won’t be preserved within 30 seconds of being infected. However, the potential artifacts of the Google image search being used as the delivery mechanism may still be present on a system in the Internet browsing history. If the browser history artifacts occur around the time when malware firsts executes on a system (prefetch files, registry modifications, etc) then this may indicate the Google image search was used as the delivery method. For example, the malware executed on my test system around 10:03 PM on 05/02/11 and the Internet browsing history around this time showed a Google image being accessed followed by my Internet browser visiting a malicious domain. My browser history showing the Google image search is below.

I use a range of tools to perform digital forensics and these tools fall into different categories such as free, open source, and commercial tools. Some readers of this blog may have picked up on that Encase is one of the commercial tools in my toolbox. I thought I would share some of the interesting links I came across over the past month about Encase.

Forensic Analysis Techniques Using Encase

Lance Muller put together a couple of posts about computer forensics analysis techniques using Encase. First up is the post Basic Computer Forensic Analysis Techniques in Encase which outlines the techniques commonly used in cases and techniques specific to certain types of cases. His second post is General Forensics (using EnCase Enterprise) Flow chart and this provides some ideas on the different ways to use Encase Enterprise in support of investigations, incident response, and e-discovery.

Lance mentioned that both posts are not meant to be all inclusive lists but are to be used as starting points. He also said in one of the posts that the type of investigation will impact the techniques to use. I couldn’t agree more with his comment. To help determine what techniques to use a person should take a step back before an image is loaded into Encase or a servlet is pushed across the network. Taking a step back provides time to think about the goals of their forensic examination, the questions that need to be answered, and what data is needed to answer those questions. This quick reflection (or better yet an analysis design plan) will not only help determine what techniques/activities are needed to extract the data of interest but can also help keep the examination focused on what the customer wants or needs.

A New Option for Creating Timelines

Kristinn Gudjonsson released version 0.52 of log2timeline in April. I was checking out the change log to see what was new and one of the changes is the ENCASE_DIRLISTING input module. According to the change log, this new module imports a text file exported by Encase which contains the file listing of an image. It’s good to see more options for creating timelines. Now we have the Sleuthkit, Sleuthkit with Harlan’s timeline tools, Sleuthkit with log2timeline, FTK file listing, FTK file listing with log2timeline, Encase enscript, Encase file listing, and now the Encase file listing with log2timeline. Having options lets me test the different ways to create timelines and choose the method that best meets my needs. An additional thought that came to me as I was typing the various options was to do a write up on the different ways to create timelines. One more idea added to my blog hopper.

Encase version 7

Just in case for anyone who missed the announcements from the Guidance Software’s advertising machine, Encase version 7 is on the horizon. If you’re interested in some of the new features or changes check out Lee Whitfield’s podcast Episode 36 Encase Forensic 7 and Geoff Black’s Forensic Gremlins post Encase 7 Sneak Peek (NYC).

Besides the  layout of the user interface, two new improvements I’m also interested in are the index and email functionality. At times and in certain types of cases, I need the flexibility to search an index on the fly so I’m curious how well the new index will work. I always found the email analysis in Encase to be lacking so I'll welcome any improvements in this area. Unfortunately, the new email still lacks support for Lotus Notes version 8.X but I have other options to address this need.

Encase Version 7 Preview

Speaking of wanting to see the new features in Encase 7, Guidance released the Encase 7 preview software last weekend. Paul Bobby of SecureArtisan has been testing the software and sharing his thoughts on his blog. Encase v7 Preview, Encase v7 Conditions, and Tagging in Encase v7 are his posts so far. Hopefully I’ll find some time over the next week to play with my preview software. I was a little disappointed to see that the software is restricted to the evidence files provided by Guidance. I was looking forward to throwing my images and email files at the new version to see how it performs … at least in the meantime I can see the new layout.

********** 02/06/12 Update **********

I changed the script since I made this post. For more info refer to the post Ripping VSCs – Practitioner Method

**********                         **********

This post is about a batch script I wrote to help automate accessing Volume Shadow Copies (VSCs). I'm not going to discuss the forensic value of VSCs or different ways to access them since I couldn't add to what is already out there. For this type of information check out Harlan's Assessing Volume Shadow Copies post including the links he provides (one link is to Troy Larson's presentation slides), Lee Whitfield's Into the Shadows write-up, or the QCCIS whitepaper on recovering data from Volume Shadow Copies (this paper is the source of the for loops in my batch file). The information I can add is discussing a problem I was facing and how I addressed it. Recently, I've been working with VSCs on different volumes in different systems. When accessing the VSCs I found myself doing the same thing over and over again which was:

* Using the vssadmin list shadows command to list the VSCs for a specific volume. At times I'd redirect the command's output to a text file for documentation purposes.

* Changing the for loop with the mklink command to reflect the VSCs I wanted hard links created for.

* Running the for loop with the mklink command to create the hard links.

* Examining the data of interest in the VSCs.

* Changing the for loop with the rd command to reflect the hard links I wanted to delete.

* Running the for loop with the rd command to delete the hard links.

Going through the above process worked fine. However, I wanted a faster way to access the VSCs without always having to make changes to a saved command or batch file. I'd rather just run one script that allowed me to specify what action to take and what VSCs to create links for. So I read a few articles on batch files and this is the solution I came up with to meet my need. I thought a few screenshots would help show the functionality of the script before I posted the code.


Menu appears when batch file is executed



List VSCs selection shows the option to save output to a text file



List VSCs selection prompts for volume to list the VSCs for



List VSCs selection showing that the C volume doesn't have any VSCs



Create links selection prompts for the range of VSCs to create hard links for



Remove links selection prompts for the range of hard links to delete

 As the screenshots show, the batch file made things a lot easier and I no longer have to keep changing saved commands or simple batch files. Now I just run a script and specify a few parameters so I can focus on the data I'm after in the VSCs. The text below is the batch file I'm talking about. To create a batch file for yourself, copy the text into a text file and save the file with a .bat extension. It can be run from anywhere on the forensic workstation that's being used to examine the VSCs. Enjoy ...

@echo off
REM Author: Corey Harrell (Journey into IR)
REM The batch file can be executed from anywhere on a computer by double-clicking on it or calling it from the command line
REM The only change required is the name and location of the hard links being created. The script uses C:\vsc so this can be changed for your environment
REM Script starts here ...
REM The goto statement below makes the script process the menu function.
goto :menu
:menu
     REM The menu function allows you to select one of the following: list all of the VSCs for a drive, create hard links to VSCs, or remove hard links pointing to VSCs
     echo Press 1 to list the Volume Shadow Copies on a drive
     echo Press 2 to create hard links to Volume Shadow Copies on a drive
     echo Press 3 to remove hard links to Volume Shadow Copies
     echo Press 4 to exit
     set /p selection= Enter your selection:
     cls
     REM The if statements below makes the script process a specific function based on the selection made.
     if %selection% == 1 goto :listvsc
     if %selection% == 2 goto :makelink
     if %selection% == 3 goto :removelink
     REM Selection 4 is to exit the script and this will result in the goto below being called
     goto :EOF
:listvsc
     REM The listsvc function list the Volume Shadow Copies for the selected drive
     setlocal
     REM The line below lets you save a text file listing the VSCs injunction with the VSCs being displayed on the screen. This is helpful if the listing of VSCs has to be documented.
     set /p output=Do you want the output to be saved as a text file [y/n]
     cls
     echo Enter the letter of the drive to list the Volume Shadow Copies for (do not include the colon)
     set /p drive=Enter the drive letter:
     cls
     REM The if statement below will create a text file listing the VSCs if this option was slected. The output file is created in the same folder where the batch file is executed from.
      if %output%== y (vssadmin list shadows /for=%drive%: > list-vscs.txt)
     vssadmin list shadows /for=%drive%:
     echo The Volume Shadow Copies for the %drive% drive have been listed
     pause
     endlocal
     cls
     REM The goto statement below makes the script loop back to the menu
     goto :menu
:makelink
     REM makelink function creates hard links to the VSCs lists for the selected drive
     echo Configuring what Volume Shadow Copies to create hard links for
     REM The next part of the script sets the variables for the start and end parameters in the for loop.
     setlocal
     REM The vssadmin list shadows command provides the VSC numbers. The start parameter is the first VSC to create a link to while the end parameter is the last VSC to create a link to.
     set /p start=Enter the VSC number to start with:
     set /p end=Enter the VSC number to stop at:
     cls
     REM The script uses c:\vsc for the location and name of the hard links. The location (c:) and name (vsc) of the hard links can be changed to whatever you choose
     for /l %%f in (%start%,1,%end%) do mklink /j c:\vsc%%f \\?\GLOBALROOT\Device\HardDiskVolumeShadowCopy%%f\
     echo Hard links created for VSC %start% to %end%
     pause
     cls
     endlocal
     REM The goto statement below makes the script loop back to the menu
     goto :menu
:removelink
     REM removelink function removes the hard links to VSCs that were created on the computer
     echo Configuring the hard links to remove.
     REM The next part of the script sets the variables for the start and end parameters in the for loop.
     setlocal
     REM The start and stop parameters are for the numbers in the names of the hard links
     set /p start=Enter the number in the name of the hard link to start at:
     set /p end=Enter the number in the name of the hard link to stop at:
     cls
     REM The location and name of the hard links below must be changed to match what was used in the makelink function
     for /l %%f in (%start%,1,%end%) do rd c:\vsc%%f
     echo Hard links removed for link %start% to %end%
     pause
     cls
     endlocal
     REM The goto statement below makes the script loop back to the menu
     goto :menu

Have you ever run a *insert search engine* search to locate information about an artifact only to find a listing of mostly irrelevant hits? A lot of time is wasted going through the irrelevant hits to locate the few websites with information that helps you better see how the artifacts fit into your forensic examination. Wouldn't it be better if the majority of the search hits were in the context of digital forensics or incident response, thereby making the hits more relevant to your forensic examination? Here is the formal introduction of the Digital Forensic Search engine.

The combination of the Yahoo Win4n6 group's discussion about David Kovar's post The Fragmentation of the digital forensics community, hooked-on-mnemonics blog post Malware Analysis Search, and writing my last post on searching RSS feeds inspired me to want to search for information a different way. A more effective way is to use a custom search engine that's configured to only search blogs, groups, forums, or any other sites related to digital forensics and incident response. Digital Forensic Search is a custom Google search and in a way I think it harnesses the collective knowledge and research of the people/organizations who share information back to the forensics community.

Digital Forensic Search results in more search hits which are in the realm of digital forensics and incident response. Depending on the artifact being researched, the search hits may result in information on the artifact, tools to extract data from the artifact, and how the artifact affected other practitioners' examinations. For example, perform a search for the keyword "link file" (include the quotes) in your favorite search engine. The first 10 hits in my search only included one digital forensics hit while the other hits were for information not beneficial to any type of forensic investigation. Run the same search in the Digital Forensic Search and it results in the majority of the hits being directly related to link files in the context of a digital forensic examination. Three of the hits on the first page were an article about the Evidentiary Value of Link Files on Forensic Focus, Richard Drinkwater's blog post Link Files in System Restore Points, and the article The Meaning of Link Files in Forensic Examinations on the Computer Forensics Miscellany website.

If anyone still isn't convinced in the value of a custom search then I recommend performing a couple of searches between *insert search engine* and Digital Forensic Search. A few potential topics to search on are: comdlg32, tool validation, evidence collection, timeline analysis, or volume shadow copies. The searches should show that Digital Forensic Search has more relevant hits related to digital forensic and incident response which results in it being one effective method to locate information.

This post is where I'm going to be maintaining the list of sites included in the Digital Forensic Search so any updates to the index will be reflected below. The repository tries to focus on sites containing information on digital forensics and incident response as opposed to tool specific sites. With this in mind, if you see any sites missing or URLs with too much noise (such as job postings) then post a comment or send me an email.

Digital Forensic Search can be found at the top of jIIr or directly at this link:

http://www.google.com/cse/home?cx=011905220571137173365:7eskxxzhjj8


DFRWS (Digital Forensics Research Conference)  http://www.dfrws.org/
Digital Forensics Magazine supporting the professional computer security industry  http://www.digitalforensicsmagazine.com/
Digital Forensics Solutions' Research http://www.digitalforensicssolutions.com/research.shtml
ENSIA CERT  http://www.enisa.europa.eu/act/cert/
E-Evidence Information Center - Home  http://www.e-evidence.info/
FIRST - Improving security together  http://www.first.org/
Forensic Focus  www.forensicfocus.com/
Forensic Magazine Issues  http://www.forensicmag.com/
Forensics Wiki  http://www.forensicswiki.org/
HolisticInfoSec toolsmith http://holisticinfosec.org/toolsmith
Inside the registry  http://www.insidetheregistry.com/regdatabase/
I-Sight's Investigations http://i-sight.com/investigation/
International Journal of Digital Evidence on Utica College  http://www.utica.edu/academic/institutes/ecii/ijde/
Into The Boxes  http://intotheboxes.wordpress.com/
IronGeek's InfoSec Articles http://www.irongeek.com/i.php?page=security/
Journal of Digital Forensics, Security and Law  http://www.jdfsl.org/
Lenny Zeltser  http://zeltser.com/
log2timeline  http://log2timeline.net/
mnin.org  http://www.mnin.org/
Mobile Forensics Central  http://www.mobileforensicscentral.com/
National Institute of Justice Publications  http://nij.gov/nij/pubs-sum/
National White Collar Crime Center  http://www.nw3c.org/
Network Forensics Puzzle Contest  http://forensicscontest.com/
NIST Computer Security Division Special Publications  http://csrc.nist.gov/publications/nistpubs/
Open Source Digital Forensics  http://www2.opensourceforensics.org/
SANs Computer Forensics  http://computer-forensics.sans.org/
SANS InfoSec Reading Room - Forensics  http://www.sans.org/reading_room/whitepapers/forensics/
SANS InfoSec Reading Room - Incident Handling  http://www.sans.org/reading_room/whitepapers/incident/
SANS InfoSec Reading Room - Malicious Code  http://www.sans.org/reading_room/whitepapers/malicious/
SANS InfoSec Reading Room - Steganography  http://www.sans.org/reading_room/whitepapers/stenganography/
SANs Summit Archives  http://digital-forensics.sans.org/summit-archives
Small Scale Digital Device Forensics Journal  http://www.ssddfj.org/
SWGDE  http://www.swgde.org/
The Honeynet Project Challenges  https://www.honeynet.org/challenges/
Welcome AppleExaminer  http://www.appleexaminer.com/
Williballenthin.com  http://williballenthin.com

DFIR Webpages

AuSCERT Forming an Incident Response Team  http://www.auscert.org.au/render.html?it=2252&cid=1938
Cybercrime.gov searching and seizing manual  http://www.cybercrime.gov/ssmanual/index.html
Daubert v. Merrell Dow Pharmaceuticals  http://www.law.cornell.edu/supct/html/92-102.ZS.html
Default Processes in Windows 2000  http://support.microsoft.com/kb/263201
Digital Evidence: Standards and Principles  http://www.fbi.gov/about-us/lab/forensic-science-communications/fsc/april2000/swgde.htm
Digitalcorpora Disk Images  http://digitalcorpora.org/corpora/disk-images/
FileSignatures Table  http://www.garykessler.net/library/file_sigs.html
Forensically interesting spots in the Windows 7, Vista and XP file system and registry (and anti-forensics)  http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots
Microsoft Windows XP - Default settings for services  http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sys_srv_default_settings.mspx?mfr=true
QQIS Whitepapers  http://qccis.com/resources/publications/
RFC 3227 - Guidelines for Evidence Collection and Archiving  http://www.rfc-archive.org/getrfc.php?rfc=3227
SEI Handbook for Incident Response Teams  http://www.sei.cmu.edu/library/abstracts/reports/03hb002.cfm
Windows 7 Default Services and Suggested Startup Mode  http://www.windowsnetworking.com/articles_tutorials/Windows-7-Default-Services-Suggested-Startup-Mode.html

DFIR Groups

Yahoo Win4n6 Group  http://tech.groups.yahoo.com/group/win4n6/
Yahoo Linux Forensics Group  http://tech.groups.yahoo.com/group/linux_forensics/ 
The Vol-users Archives  http://lists.volatilesystems.com/pipermail/vol-users/

A feed reader is a valuable resource since the software manages the content from websites such as news sites, blogs, or other online publishers. A reader not only enables you to stay informed of the latest content from the sites but it also enables content to be leverage to help keep your knowledge current and to assist with research for your investigations. This post is about how I’ve been using RSS feeds to help keep my knowledge current and conduct research.

Before I discovered the value of RSS feeds I wasted a lot of time and energy on trying to stay current with the latest content from information security and digital forensics websites. Periodically I checked the sites to see if anything was new, I wasted time trying to find an article I read but couldn’t remember where, and I struggled to remember all of the articles/posts I wanted to read on new sites I came across. Needless to say this was the wrong approach so I turned to RSS feeds to help me manage this content.

Getting Started with Feeds

RSS (Rich Site Summary) is a “format for delivering regularly changing web content”. A feed reader is software that downloads feeds from various sites and stores them for a person to read and use. The first and only program I tested was FeedReader and this has become my reader of choice. The software has no fees and a range of capabilities to read, collect, and organize web content using RSS or Atom feeds. I’m not going to go into detail about FeedReader’s features or its configuration since I wanted to focus on the benefit of feeds.

Right away I knew the one feature I wanted in any reader was portability. I use numerous computers between work and home so I didn’t want to be tied to one system or have to worry about syncing content between systems. FeedReader can either be installed on a computer using the installer or the zip package can be used for the program to run from a thumb drive. I opted for the latter option and this has allowed me to have access to the web content no matter where I am. Plus an additional benefit is being able to access the content stored in the database without needing Internet access.

Adding Feeds

There are different ways to find digital forensics and incident response related websites. Most blogs have an area where the authors share links or blogs they follow. Authors’ may also include links to content on other sites in their posts/articles. Following all of these links can lead to interesting sites that can be used to create a collection of feeds. In addition to blogs and news sites, I’ve been working on adding social media sites, such as Twitter, to my feed collection. After the sites are located then the next step is to determine if a site supports RSS or Atom feeds. One quick way to determine this is to look for the icon in the web browser. The picture below shows the icon highlighted in Firefox and Internet Explorer.

Adding feeds to a reader will vary depending on the program being used. FeedReader supports adding the following types: feeds, smartfeeds, and search feeds. My current FeedReader database consists of 159 feeds, 20,031 news (downloaded web content), 141 unread news, and the database is only 76 MB. I organized the content into folders to make it easier to manage. The picture below shows FeedReader’s interface and the web content downloaded from jIIr. Unread items are highlighted in bold and the numbers to the left of the folders show the amount of unread content in that folder.

Leverage the Feeds

FeedReader automatically downloads feeds from sites and this saves me a lot of time since I no longer have to periodically check sites for new content. The reader allows me to stay informed about the latest content and helps me organize the content. This isn’t the only benefit of a reader because another benefit is the ability to search the content for research or investigations. To see how it's possible I’ll perform three different searches against my FeedReader’s database.

The first search will be on random topic and Internet Explorer 8 InPrivate browsing feature is the first thing I thought about. The feature enables users to surf the web without leaving any traces of their activity on the computer being used. To obtain information about this feature I performed a search against my feeds using the keyword inprivate. The following is the summary of three of the keyword hits:

* Derek Newton’s blog post Internet Explorer InPrivate URL Artifacts. The post discusses a few areas that could contain InPrivate URL artifacts and how those areas can be searched.

* Digital Detective’s blog post NetAnalysis v1.50 - New Release and the post advertizes that Netanalysis can recover data from InPrivate browsing.

* Computer Forensics and IR – What’s New blog post Internet Evidence Finder - new release and more and the post mentions how IEF is able to recovery IE8 URLs.

The previous search showed how to locate information on a random topic. The search located research on InPrivate browsing artifacts and three possible ways to try to recover data from InPrivate browsing. The next search will illustrate how the feeds can help in obtaining more information about an artifact found during an investigation. If the investigation involves the activity of a user account then one of the artifacts of interest could be the UserAssist key in the Ntuser.dat registry hive. A search was conducted using the keyword userassist and the following is a summary of some of the hits.

* ForensicArtifacts blog post UserAssist which is a write-up about what the key is and contains useful references about the key.

* Richard Drinkwater’s Forensics from the Sausage Factory blog post Prefetch and User Assist. This write-up was about determining how often a program was ran and one of the areas that provided this information was the UserAssist key.

* Harlan Carvey’s Windows IP blog post Accessing Volume Shadow Copies where he discusses how the registry key could be analyzed in Volume Shadow Copies.

* Chris Pogue’s Digital Standard blog post The “Not So” Perfect Keylogger. In this write-up the UserAssist key showed the initial execution of a keylogger.

* Into the Boxes Digital Forensics and Incident Response Magazine Issue 0x0. Didier Stevens wrote an article for this issue about the Windows 7 Userassist Registry key.

* Dave Hull’s post Digital Forensics: Detecting time stamp manipulation on the SANs forensics blog. This write-up was about identifying time stamp manipulation and the UserAssist key was one of the artifacts including in a timeline.

The previous search showed the potential wealth of information that could be obtained about an artifact of interest. The last search will illustrate how the feeds can help in conducting research about an item such as an email. The picture below shows an email that was in one of my throw away email accounts and this email will be used for this demonstration.

The email appears to be a notification from the United Parcel Service and the attachment is supposed to contain the tracking number and more information about a shipment. This is the type of email I would do additional research on so I can learn more about the Spamming campaign and the artifacts left on a system by opening the attachment. The first keyword I searched for was the name of the attachment which was upsnotify. This only resulted in one hit in my feeds and this was for the post Spamvertised United Parcel Service notifications serve malware on Dancho Danchev's blog - Mind Streams of Information Security Knowledge. His post was about the current spam campaign impersonating UPS for malware serving purposes. The information covered was the detection rates for the attachment contents, additional executables downloaded, and domains contacted. I wanted more information so I ran another search using the keyword United Parcel Service. The following is the summary of some of the keyword hits:

* MXLab blog post “United Parcel Service notification” from UPS contains trojan. The post discusses how MXlab started receiving a new trojan distribution campaign by email with the subject “United Parcel Service notification" and it provides some information about the email.

* MXLab blog post “United Parcel Service notification 48161” from UPS contains trojan. This write-up is about the SPAM campaign and provides details about the spoofed email address, URLs the Trojan downloads data from, payload artifacts created on the system, and processes started on system.

* Microsoft Malware Protection Center post Trojan downloader Chepvil on the UPSwing. The post discusses the email campaign and the attachment that was detected as TrojanDownloader:Win32/Chepvil.I.

* There were a couple of tweets mentioning the SPAM email as well.

The searches against my feeds provided a wealth of information. I was able to determine an email sitting in my Inbox was a part of a Spamming campaign and identified some of the potential artifacts on a system where the attachment was opened. The two other searches located information on how to recover the InPrivate browsing data and a wealth of information about the UserAssist key.

The best part about the moving to a feed reader is that I have access to the information at any time since it is stored in the RSS feed database stored on the thumb drive. Sometimes it feels like I have a portable Google in my pocket.