CNS 320 COMPUTER FORENSICS & INCIDENT RESPONSE, Week 4 Lecture. Copyright © 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Apr 03, 2018

Page 1: CNS 320 Week4 Lecture


CNS 320 COMPUTER FORENSICS & INCIDENT RESPONSE

Week 4 Lecture

Copyright © 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Page 2: CNS 320 Week4 Lecture


Quiz 1

Any questions from last week before the quiz?

Page 3: CNS 320 Week4 Lecture

Technical Material for this week

Missing slide from week 2

Malware Identification Using Memory Analysis

Windows Event Logs

Application Metadata

Thumbnails

Page 4: CNS 320 Week4 Lecture


Missing week 2 slide:

DATA Attributes

Normally hold file content data

NTFS Files may have more than one

Those after the 1st are referred to as Alternate Data Streams

They have a short header before the file data, containing the stream’s identifier/name

Feature added primarily for Mac support, and poorly supported until Win7

Used maliciously for data hiding

Page 5: CNS 320 Week4 Lecture


Windows Malware Identification & Analysis Procedures & Tools

Page 6: CNS 320 Week4 Lecture

Overview

Suspicious host identified via anomalous network traffic, AV logs, or other security alerts

Memory & disk images extracted from host

• Memory images can be extracted directly using various tools

EnCase Enterprise or LiveResponse (commercial, via network)

Moonsols Dumpit

ManTech Mdd

Mandiant Memoryze

AccessData FTK Imager

• Memory images can also be extracted from hibernation files or via firewire using tools such as Inception

Memory image examined using Memoryze/Auditviewer. Offending process typically identified by searching for strings related to original alert

Auditviewer also has heuristics to highlight certain suspicious behaviors or characteristics

Files relating to offending process extracted from disk image

Static & dynamic analysis of malicious binaries done in VM using various tools, if necessary

Page 7: CNS 320 Week4 Lecture

Run Auditviewer/Memoryze (select ‘Configure Memoryze’ as initial option)

Page 8: CNS 320 Week4 Lecture

Specify Output Folder 

Page 9: CNS 320 Week4 Lecture

Specify UnErased Image File

Page 10: CNS 320 Week4 Lecture

Select all Analysis Options

Page 11: CNS 320 Week4 Lecture

No Process or Driver Acquisition

Page 12: CNS 320 Week4 Lecture

Select all Process Enumeration Options

Page 13: CNS 320 Week4 Lecture

Select all Driver Enumeration options

Page 14: CNS 320 Week4 Lecture

Select all Hook Enumeration Options

Page 15: CNS 320 Week4 Lecture

When Processing Completes, the Memory Image Browser will Open

Page 16: CNS 320 Week4 Lecture


Suspicious Behavior Heuristics

Processes with possible injected DLLs displayed in red (several false positive mechanisms & doesn’t catch all methods)

Malware Rating Index (MRI) rules cause numeric ranking to be displayed

Page 17: CNS 320 Week4 Lecture

MRI Rules

Page 18: CNS 320 Week4 Lecture

Process Username Verification

Page 19: CNS 320 Week4 Lecture

Argument Verification

Page 20: CNS 320 Week4 Lecture

Process Path Verification

Page 21: CNS 320 Week4 Lecture

Suspicious Handles

Page 22: CNS 320 Week4 Lecture


Suspicious Imports

Page 23: CNS 320 Week4 Lecture

Heuristic Report on EnCase Enterprise Servlet

Page 24: CNS 320 Week4 Lecture

Searching

Page 25: CNS 320 Week4 Lecture

Search Results

Page 26: CNS 320 Week4 Lecture

Other Information Per Process

Handles

Files, Folders, Processes, Reg keys, Semaphores, Mutexes, Events, Memory Sections

Memory Sections

DLLs

Strings

Network ports

Page 27: CNS 320 Week4 Lecture

Driver Information

Drivers Enumerated by Scanning

Root Drivers

All Drivers

Drivers Enumerated by Walking List

Driver information includes all associated strings

Page 28: CNS 320 Week4 Lecture

Hooks

System Service Descriptor (SSD) Table Hooks

Interrupt Descriptor Table Hooks

Driver IRP Hooks

Keystroke Logger Detection

Page 29: CNS 320 Week4 Lecture

Other AuditViewer Functionality

Similar functionality to Red Curtain also rolled into Auditviewer, but requires the application to be run on target host rather than on a memory image.

Page 30: CNS 320 Week4 Lecture

Other Methods of Malware Detection

Known Good Hash Elimination (NSRL, FileAdvisor)

Red Curtain Rule-Based Analysis

Upload to VirusTotal.com

Manually examine persistence mechanisms for suspicious patterns

Search for suspicious file/folder names among binaries associated with running processes or scheduled jobs

Manual examination of binaries associated with running processes or scheduled jobs

Page 31: CNS 320 Week4 Lecture

Windows Event Logs

NT/2K/XP/2K3: .evt files

%systemroot%\System32\config

SecEvent.evt, Appevent.evt, Sysevent.evt, sometimes others

Vista/7/2K8: .evtx files

%systemroot%\System32\winevt\logs

SecEvent.evtx, Appevent.evtx, Sysevent.evtx, many others

Logs can be sent to a remote log collector

File locations can be changed in the registry

Page 32: CNS 320 Week4 Lecture


Event Log (.evt) File Header Structure

(first 48 bytes of a valid Event Log file)

Offset  Size     Description
0       4 bytes  Size of the record; for an .evt file header, the size is 0x30 (48) bytes. Event record sizes are 56 bytes
4       4 bytes  Magic number (LfLe)
16      4 bytes  Offset within the .evt file of the oldest event record
20      4 bytes  Offset within the .evt file to the next event record to be written
24      4 bytes  ID of the next event record
28      4 bytes  ID of the oldest event record
32      4 bytes  Maximum size of the .evt file (from the Registry)
40      4 bytes  Retention time of event records (from the Registry)
44      4 bytes  Size of the record (repeat of DWORD at offset 0)

Page 33: CNS 320 Week4 Lecture


Event Log (.evt) Record Header Structure

(First 56 bytes of Event Record)

Offset  Size     Description
0       4 bytes  Length of the event record, or size of the record in bytes
4       4 bytes  Reserved; magic number LfLe
8       4 bytes  Record number
12      4 bytes  Time generated; measured in UNIX time, or the number of seconds elapsed since 00:00:00 1 Jan 1970, in Universal Coordinated Time (UTC)
16      4 bytes  Time written; measured in UNIX time, or the number of seconds elapsed since 00:00:00 1 Jan 1970, in UTC
20      4 bytes  Event ID, which is specific to the event source and uniquely identifies the event; the event ID is used along with the source name to locate the appropriate description string within the message file for the event source
24      2 bytes  Event type (0x01 = Error; 0x10 = Failure; 0x08 = Success; 0x04 = Information; 0x02 = Warning)
26      2 bytes  Number of strings
28      2 bytes  Event category
30      2 bytes  Reserved flags
32      4 bytes  Closing record number
36      4 bytes  String offset; offset to the description strings within this event record
40      4 bytes  Length of the user Security Identifier (SID); size of the user SID in bytes (if 0, no user SID is provided)
44      4 bytes  Offset to the user SID within this event record
48      4 bytes  Data length; length of the binary data associated with this event record
52      4 bytes  Offset to the data

Page 34: CNS 320 Week4 Lecture


Data Stored for a Given Event is Dependent on the Event Type

Typically stored as a list of null-terminated strings
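As an added example (not from the lecture), a Python parser for the two .evt structures tabulated above: it validates the 48-byte file header, walks the records from the oldest-record offset to the next-to-write offset, decodes the 56-byte record header and the null-terminated description strings, and builds a small constructed .evt image in the same layout to run against. Field offsets come from the slides; the UTF-16LE encoding of the strings and the string order in the sample records are assumptions.

```python
import struct
from datetime import datetime, timezone

# Sizes and magic from the slides: 48-byte file header, 56-byte fixed record header.
EVT_HEADER_SIZE = 48
EVT_RECORD_FIXED_SIZE = 56
EVT_MAGIC = b"LfLe"
# Event type values as listed on the record-header slide.
EVENT_TYPES = {0x01: "Error", 0x02: "Warning", 0x04: "Information",
               0x08: "Success", 0x10: "Failure"}


def parse_evt_header(buf):
    """Parse the .evt file header, reading only the offsets the slide describes."""
    if len(buf) < EVT_HEADER_SIZE:
        raise ValueError("buffer shorter than an .evt header")
    size, magic = struct.unpack_from("<I4s", buf, 0)
    if size != EVT_HEADER_SIZE or magic != EVT_MAGIC:
        raise ValueError("not an .evt header (size/magic mismatch)")
    # Offsets 8, 12 and 36 are not described on the slide and are skipped here.
    oldest_off, next_off, next_id, oldest_id = struct.unpack_from("<IIII", buf, 16)
    max_size = struct.unpack_from("<I", buf, 32)[0]
    retention, size_repeat = struct.unpack_from("<II", buf, 40)
    if size_repeat != size:
        raise ValueError("size at offset 44 does not repeat the DWORD at offset 0")
    return {"oldest_record_offset": oldest_off, "next_record_offset": next_off,
            "next_record_id": next_id, "oldest_record_id": oldest_id,
            "max_file_size": max_size, "retention_seconds": retention}


def _read_utf16z(rec, pos):
    """Read one null-terminated UTF-16LE string at pos; return (text, position after it)."""
    end = pos
    while rec[end:end + 2] != b"\x00\x00":
        end += 2
    return rec[pos:end].decode("utf-16-le"), end + 2


def parse_evt_record(buf, off):
    """Parse the record at byte offset off; return (record dict, offset of next record)."""
    length, magic = struct.unpack_from("<I4s", buf, off)
    if magic != EVT_MAGIC or length < EVT_RECORD_FIXED_SIZE or off + length > len(buf):
        raise ValueError("bad record at offset %d" % off)
    (rec_num, t_gen, t_written, event_id, ev_type, n_strings, category, _flags,
     _closing, str_off, sid_len, sid_off, data_len, data_off) = struct.unpack_from(
        "<IIIIHHHHIIIIII", buf, off + 8)
    rec = buf[off:off + length]
    # n_strings null-terminated description strings start at str_off; treating them
    # as UTF-16LE (as in real .evt files) is an assumption beyond the slide's wording.
    strings, pos = [], str_off
    for _ in range(n_strings):
        text, pos = _read_utf16z(rec, pos)
        strings.append(text)
    return ({"record_number": rec_num,
             "time_generated": datetime.fromtimestamp(t_gen, tz=timezone.utc),
             "time_written": datetime.fromtimestamp(t_written, tz=timezone.utc),
             "event_id": event_id,
             "event_type": EVENT_TYPES.get(ev_type, "Unknown(0x%x)" % ev_type),
             "category": category, "strings": strings,
             "sid": rec[sid_off:sid_off + sid_len] if sid_len else None,
             "data": rec[data_off:data_off + data_len]}, off + length)


def parse_evt_file(buf):
    """Walk the records from the oldest-record offset up to the next-to-write offset."""
    hdr = parse_evt_header(buf)
    records, off = [], hdr["oldest_record_offset"]
    while off < hdr["next_record_offset"]:
        rec, off = parse_evt_record(buf, off)
        records.append(rec)
    return hdr, records


# --- constructed test data (not a real log) laid out exactly as the slides describe ---
def build_evt_record(rec_num, when, event_id, ev_type, strings, sid=b""):
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    str_off = EVT_RECORD_FIXED_SIZE
    sid_off = str_off + len(body)
    data_off = sid_off + len(sid)
    length = data_off + 4          # a trailing copy of the length closes the record
    hdr = struct.pack("<I4sIIIIHHHHIIIIII", length, EVT_MAGIC, rec_num, when, when,
                      event_id, ev_type, len(strings), 0, 0, rec_num, str_off,
                      len(sid), sid_off, 0, data_off)
    return hdr + body + sid + struct.pack("<I", length)


def build_evt_file(records):
    body = b"".join(records)
    hdr = bytearray(EVT_HEADER_SIZE)
    struct.pack_into("<I4s", hdr, 0, EVT_HEADER_SIZE, EVT_MAGIC)
    struct.pack_into("<IIII", hdr, 16, EVT_HEADER_SIZE, EVT_HEADER_SIZE + len(body),
                     len(records) + 1, 1)
    struct.pack_into("<I", hdr, 32, 512 * 1024)      # max file size (constructed value)
    struct.pack_into("<II", hdr, 40, 7 * 86400, EVT_HEADER_SIZE)
    return bytes(hdr) + body


# 1333411200 is 2012-04-03 00:00:00 UTC; the string order is illustrative only.
SAMPLE_EVT = build_evt_file([
    build_evt_record(1, 1333411200, 528, 0x08, ["jdoe", "CORP", "(0x0,0x3E7)", "2"]),
    build_evt_record(2, 1333411260, 517, 0x08, ["jdoe", "CORP"]),
])

if __name__ == "__main__":
    header, recs = parse_evt_file(SAMPLE_EVT)
    print(header)
    for r in recs:
        print(r["record_number"], r["time_generated"], r["event_id"], r["event_type"], r["strings"])
```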

Page 35: CNS 320 Week4 Lecture


EVTX Record Structure

(Less useful because of binary encoding)

Offset  Type      Meaning
0x00    char[4]   Magic, const 0x2a, 0x2a, 0x00, 0x00 (two asterisks followed by two null bytes)
0x04    uint32    Length1 (whole record's size, from the magic string to the trailing length indicator)
0x08    int64     NumLogRecord (record number, relative to the log channel. The log channel may consist of several log files which are consecutively written to)
0x10    FILETIME  TimeCreated
var.    char[]    BinXmlStream (complex binary structure)
var.    uint32    Length2

NumLogRecord & TimeCreated values also included in BinXmlStream

This is less useful because the various event strings are binary encoded and so won’t be found in normal searching
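An added Python example, not from the lecture, for the fixed EVTX record fields above: it locates records by their ** magic, converts the FILETIME, checks that the trailing Length2 repeats Length1 (a torn or partly overwritten record fails that check, which matters when carving from slack or unallocated space), and shows that a string stored as UTF-16LE inside a record is missed by a plain ASCII search. The BinXml payload in the constructed sample is a placeholder, not a valid BinXml stream; that BinXml string values are UTF-16LE is an assumption.

```python
import struct
from datetime import datetime, timedelta, timezone

EVTX_RECORD_MAGIC = b"\x2a\x2a\x00\x00"   # "**\0\0", as on the slide
EVTX_FIXED_HEADER = 24                    # magic(4) + Length1(4) + NumLogRecord(8) + TimeCreated(8)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_evtx_record(buf, off):
    """Parse the fixed fields of the record at off. Returns None when the header is not
    plausible; 'intact' is False when the trailing Length2 does not repeat Length1."""
    if buf[off:off + 4] != EVTX_RECORD_MAGIC or off + EVTX_FIXED_HEADER > len(buf):
        return None
    length1, rec_num, ft = struct.unpack_from("<IqQ", buf, off + 4)
    if length1 < EVTX_FIXED_HEADER + 4 or off + length1 > len(buf):
        return None
    length2 = struct.unpack_from("<I", buf, off + length1 - 4)[0]
    return {"offset": off, "length": length1, "record_number": rec_num,
            "time_created": filetime_to_datetime(ft),
            "binxml": buf[off + EVTX_FIXED_HEADER:off + length1 - 4],
            "intact": length1 == length2}


def carve_evtx_records(buf):
    """Find records by magic anywhere in buf. After an intact record the scan skips its
    body; after a torn one it resumes byte by byte so a following record is not lost."""
    found, pos = [], 0
    while True:
        pos = buf.find(EVTX_RECORD_MAGIC, pos)
        if pos < 0:
            return found
        rec = parse_evtx_record(buf, pos)
        if rec is None:
            pos += 1
            continue
        found.append(rec)
        pos += rec["length"] if rec["intact"] else 1


def string_visible(buf, text):
    """(ascii_hit, utf16_hit): the slide's point that the record's strings escape a plain search."""
    return text.encode("ascii") in buf, text.encode("utf-16-le") in buf


# --- constructed test data; the "BinXml" payloads are placeholders, not valid BinXml ---
def build_evtx_record(rec_num, when, binxml, truncate=0):
    ft = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    length = EVTX_FIXED_HEADER + len(binxml) + 4
    rec = (EVTX_RECORD_MAGIC + struct.pack("<IqQ", length, rec_num, ft)
           + binxml + struct.pack("<I", length))
    return rec[:len(rec) - truncate] if truncate else rec


T0 = datetime(2012, 4, 3, 9, 15, tzinfo=timezone.utc)
SAMPLE_CHUNK = (
    b"\x00" * 16                                                     # slack before the first record
    + build_evtx_record(101, T0, "jdoe".encode("utf-16-le"))
    + build_evtx_record(102, T0 + timedelta(seconds=30), b"\x01" * 12, truncate=6)  # torn record
    + build_evtx_record(103, T0 + timedelta(seconds=45), "CORP".encode("utf-16-le"))
    + b"\xff" * 8
)

if __name__ == "__main__":
    for r in carve_evtx_records(SAMPLE_CHUNK):
        print(r["offset"], r["record_number"], r["time_created"], "intact" if r["intact"] else "TORN")
    print("ascii/utf16 hit for 'jdoe':", string_visible(SAMPLE_CHUNK, "jdoe"))
```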

Page 37: CNS 320 Week4 Lecture


Useful Windows Event Log Tools

Event Log Explorer (commercial, but free for private use. 3.4 supports evtx)

FixEvt

Lsevt (Carvey) – Available in the ‘extras’ of Windows Forensic Analysis

PsLogList (Sysinternals)

Evtx_parser (Schuster)

Grokevt (Linux only, but can parse events out of unallocated space)

Page 38: CNS 320 Week4 Lecture


Windows Event Log Types

Security (most useful for forensics, but don’t ignore the others): Access control & security settings; Audit & group policy

System: Services, system components, drivers, resources, etc.

Application: Software events unrelated to the OS

Custom: Custom application logs

Page 39: CNS 320 Week4 Lecture


Event Types

Error

Warning

Information

Success Audit

Failure Audit

Page 40: CNS 320 Week4 Lecture


Security Event Categories

Account Logon – Stored on system that authorized login

Account Mgmt – Changes to accounts

Directory Service – Attempted access of AD objects

Logon Events – Instances of logon/logoff for local system

Object Access – Access to objects specified in ACLs

Policy Change – Change to user rights, or audit or trust policies

Privilege Use – Instances of accounts exercising user rights

Process Tracking – Process start/end, handles, access to objects

System Events – System start/shutdown, security log manipulation

Page 41: CNS 320 Week4 Lecture


Changes from NT/2K/XP/2K3 to Vista/7/2K8

Event IDs were changed

Where there’s a direct one-to-one mapping, new ID usually (but not always!) = Old ID + 4096

Some groups of old event IDs were collapsed to a single new event ID

528,540 (Successful Logon) -> 4624

529-537,539 (Login Failure) -> 4625

Some old IDs were broken out into multiple new IDs

672 (auth ticket granted) -> 4768 (requested), 4772 (failed)

673 (service ticket granted) -> 4769 (requested), 4773 (failed)

A significant number of new events and log files were added. Logging capabilities & defaults are generally somewhat better on Vista/7/2K8 than previously.

Page 42: CNS 320 Week4 Lecture


Configurable Security Logging

See ‘Administrative Tools’ \ ‘Local Security Policy’, and examine ‘Audit Policy’

These settings are stored in the registry’s Security hive, and can be extracted using regripper.

Non-Domain Workstations have most settings disabled by default

Non-Domain Servers aren’t much better

Recommended baseline is to log Success/Failure for most categories, Failure for Privilege Use, and none for Process Tracking

Windows 2K8 adds more categories of log

Some events (672, 673) can be found on the authenticating domain controller for domain workstations

Page 43: CNS 320 Week4 Lecture


Account Logon Security Events

(logged on authenticating system)

672/4768,4772 - Authentication Ticket Granted
673/4769,4773 - Service Ticket Granted
674/4770 - Ticket Granted Renewed
675/4771 - Pre-authentication failed
676/4768 - Authentication Ticket Request Failed
677 - Service Ticket Request Failed
678/4774 - Account Mapped for Logon by
679/4775 - The name: %2 could not be mapped for logon by: %1
680/4776 - Account Used for Logon by
681/4776 - The logon to account: %2 by: %1 from workstation: %3 failed.
4777 - The domain controller failed to validate the credentials for an account

Page 44: CNS 320 Week4 Lecture


Event ID 672: Authentication Ticket Granted

(initial user authentication to domain)

Data Fields:
User Name: %1
Supplied Realm Name: %2
User ID: %3
Service Name: %4
Service ID: %5
Ticket Options: %6
Result Code: (For an explanation of result/failure codes see the chart on event ID 675)
Ticket Encryption Type: %8
Pre-Authentication Type: %9
Client Address: %10 (source from which user authenticated)
Certificate Issuer Name: %11
Certificate Serial Number: %12
Certificate Thumbprint: %13

Also logged when a computer authenticates to domain, such as on boot. These events have hostname$ for User Name.

Page 45: CNS 320 Week4 Lecture


Event ID 673: Service Ticket Granted

(domain access to another host)

Data Fields:
User Name: %1
User Domain: %2
Service Name: %3 (computer name of the server the user accessed)
Service ID: %4
Ticket Options: %5
Ticket Encryption Type: %6
Client Address: %7 (IP from which user authenticated)
Failure Code: %8
Logon GUID: %9
Transited Services: %10

Page 46: CNS 320 Week4 Lecture


Logon/Logoff Security Events

(logged on local system)

528/4624 - Successful Logon
529/4625 - Logon Failure - Unknown user name or bad password
530/4625 - Logon Failure - Account logon time restriction violation
531/4625 - Logon Failure - Account currently disabled
532/4625 - Logon Failure - The specified user account has expired
533/4625 - Logon Failure - User not allowed to logon at this computer
534/4625 - Logon Failure - The user has not been granted the requested logon type at this machine
535/4625 - Logon Failure - The specified account's password has expired
536/4625 - Logon Failure - The NetLogon component is not active
537/4625 - Logon failure - The logon attempt failed for other reasons.
538/4634 - User Logoff
539/4625 - Logon Failure - Account locked out
540/4624 - Successful Network Logon
551/4647 - User initiated logoff
552/4648 - Logon attempt using explicit credentials
576/4672 - Special privileges assigned to new logon
682/4778 - Session reconnected to winstation
683/4779 - Session disconnected from winstation
4646 - IKE DoS-prevention mode started.
4649 - A replay attack was detected
4650 - An IPsec Main Mode security association was established
4651 - An IPsec Main Mode security association was established
4652 - An IPsec Main Mode negotiation failed
4653 - An IPsec Main Mode negotiation failed
4654 - An IPsec Quick Mode negotiation failed
4655 - An IPsec Main Mode security association ended

Page 47: CNS 320 Week4 Lecture


More Logon/Logoff Security Events

(logged on local system)

4675 - SIDs were filtered
4800 - The workstation was locked
4801 - The workstation was unlocked
4802 - The screen saver was invoked
4803 - The screen saver was dismissed
4964 - Special groups have been assigned to a new logon
4976 - During Main Mode negotiation, IPsec received an invalid negotiation packet.
4977 - During Quick Mode negotiation, IPsec received an invalid negotiation packet.
4978 - During Extended Mode negotiation, IPsec received an invalid negotiation packet.
4979 - IPsec Main Mode and Extended Mode security associations were established.
4980 - IPsec Main Mode and Extended Mode security associations were established
4981 - IPsec Main Mode and Extended Mode security associations were established
4982 - IPsec Main Mode and Extended Mode security associations were established
4983 - An IPsec Extended Mode negotiation failed
4984 - An IPsec Extended Mode negotiation failed
5451 - An IPsec Quick Mode security association was established
5452 - An IPsec Quick Mode security association ended
5453 - An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started
5632 - A request was made to authenticate to a wireless network
5633 - A request was made to authenticate to a wired network
6272 - Network Policy Server granted access to a user
6273 - Network Policy Server denied access to a user
6274 - Network Policy Server discarded the request for a user
6275 - Network Policy Server discarded the accounting request for a user
6276 - Network Policy Server quarantined a user
6277 - Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy
6278 - Network Policy Server granted full access to a user because the host met the defined health policy
6279 - Network Policy Server locked the user account due to repeated failed authentication attempts
6280 - Network Policy Server unlocked the user account

Page 48: CNS 320 Week4 Lecture


Logon Types

2 - Interactive (logon at keyboard and screen of system). Windows 2000 records Terminal Services logon as this type rather than Type 10.

3 - Network (i.e. connection to shared folder on this computer from elsewhere on network or IIS logon - Never logged by 528 on W2k and forward. See event 540)

4 - Batch (i.e. scheduled task)

5 - Service (Service startup)

7 - Unlock (i.e. unattended workstation with password protected screen saver)

8 - NetworkCleartext (Logon with credentials sent in clear text. Most often indicates a logon to IIS with "basic authentication")

9 - NewCredentials

10 - RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)

11 - CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network)

Page 49: CNS 320 Week4 Lecture


Kerberos Failure Codes

Dec  Hex   Meaning
1    0x1   Client's entry in database has expired
2    0x2   Server's entry in database has expired
3    0x3   Requested protocol version # not supported
4    0x4   Client's key encrypted in old master key
5    0x5   Server's key encrypted in old master key
6    0x6   Client not found in Kerberos database (bad user name, or new computer/user account has not replicated to DC yet; common)
7    0x7   Server not found in Kerberos database (new computer account has not replicated yet or computer is pre-w2k; common)
8    0x8   Multiple principal entries in database
9    0x9   The client or server has a null key (administrator should reset the password on the account)
10   0xA   Ticket not eligible for postdating
11   0xB   Requested start time is later than end time
12   0xC   KDC policy rejects request (workstation/logon time restriction; common)
13   0xD   KDC cannot accommodate requested option
14   0xE   KDC has no support for encryption type
15   0xF   KDC has no support for checksum type
16   0x10  KDC has no support for padata type
17   0x11  KDC has no support for transited type
18   0x12  Client's credentials have been revoked (account disabled, expired, or locked out; common)
19   0x13  Credentials for server have been revoked
20   0x14  TGT has been revoked
21   0x15  Client not yet valid - try again later
22   0x16  Server not yet valid - try again later
23   0x17  Password has expired (the user's password has expired; common)
24   0x18  Pre-authentication information was invalid (usually means bad password; common)
25   0x19  Additional pre-authentication required*

Page 50: CNS 320 Week4 Lecture


More Kerberos Failure Codes

Dec  Hex   Meaning
31   0x1F  Integrity check on decrypted field failed
32   0x20  Ticket expired (frequently logged by computer accounts)
33   0x21  Ticket not yet valid
34   0x22  Request is a replay
35   0x23  The ticket isn't for us
36   0x24  Ticket and authenticator don't match
37   0x25  Clock skew too great (workstation's clock too far out of sync with the DC's; common)
38   0x26  Incorrect net address (IP address change?)
39   0x27  Protocol version mismatch
40   0x28  Invalid msg type
41   0x29  Message stream modified
42   0x2A  Message out of order
44   0x2C  Specified version of key is not available
45   0x2D  Service key not available
46   0x2E  Mutual authentication failed (may be a memory allocation failure)
47   0x2F  Incorrect message direction
48   0x30  Alternative authentication method required*
49   0x31  Incorrect sequence number in message
50   0x32  Inappropriate type of checksum in message
60   0x3C  Generic error (description in e-text)
61   0x3D  Field is too long for this implementation

Page 51: CNS 320 Week4 Lecture


NTLM Error Codes

Decimal     Hex       Reason
3221225572  C0000064  user name does not exist
3221225578  C000006A  user name is correct but the password is wrong
3221226036  C0000234  user is currently locked out
3221225586  C0000072  account is currently disabled
3221225583  C000006F  user tried to logon outside his day of week or time of day restrictions
3221225584  C0000070  workstation restriction
3221225875  C0000193  account expiration
3221225585  C0000071  expired password
3221226020  C0000224  user is required to change password at next logon
3221226021  C0000225  evidently a bug in Windows and not a risk

Page 52: CNS 320 Week4 Lecture


Useful Well Known Account SIDs

LOCAL_SYSTEM S-1-5-18

IUSR S-1-5-17

LOCAL_SERVICE S-1-5-19

NETWORK_SERVICE S-1-5-20

Local Administrator S-1-5-*-500

Local Guest S-1-5-*-501

Page 53: CNS 320 Week4 Lecture


Event Log Security Events

516/4612 - Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
517/1102 - The audit log was cleared (specifies clearing user)
1100 - The event logging service has shut down
1101 - Audit events have been dropped by the transport.
1104 - The security Log is now full
1105 - Event log automatic backup
1108 - The event logging service encountered an error

Page 54: CNS 320 Week4 Lecture


Other Security Events of Particular Interest

512/4608 - Windows NT is starting up
513/4609 - Windows is shutting down
520/4616 - The system time was changed
592/4688 - A new process has been created
593/4689 - A process has exited
560/4656 - Object Open (accessed)
564/4660 - Object Deleted
567/4657,4653 - Object Access Attempt (permissions exercised: read, write, delete, …)
601/4697 - Attempt to install service
602/4698,4699,4700,4701,4702 - Scheduled Task created
4618 - A monitored security event pattern has occurred
Various account management events

Page 55: CNS 320 Week4 Lecture


Example Scenario: Domain user logs in to workstation and maps network file share

Domain user (Kerberos authentication, Win2K3 server environment) logs in to workstation and maps a network file share to a file server

Events Logged:

Workstation
528 – successful logon

Domain Controller
672 – authentication ticket granted
673 – service ticket granted (workstation)
673 – service ticket granted (domain controller)
540 – Successful Network Logon
538 – User Logoff
673 – service ticket granted (file server)

File Server
540 – Successful Network Logon
538 – User Logoff

Page 56: CNS 320 Week4 Lecture


Events of Particular Interest in Sysevt.evt

7034 – Service Crashed Unexpectedly

7035 – Service sent a Stop/Start control

7036 – Service Started or Stopped

7040 – Start Type Changed (boot/manual/disabled)

20001 – Plug and Play driver install attempted (Vista/Win7 only, contains unique device ID)

Page 57: CNS 320 Week4 Lecture


Events of Interest in Appevt.evt

1033 – Installation Complete (success/fail)

1034 – Application Deinstall complete (success/fail)

11707 – Install Successful

11708 – Install Failed

11724 – Deinstall Successful

No log entry is created for failure to install due to lack of admin rights.

In Win7, application install information is logged to Setup.evtx.

Page 58: CNS 320 Week4 Lecture


Wireless Network Logging in Win7

WLAN-Autoconfig.evtx Event IDs

11000 – Wireless Network Association Started

8001 – Successful connection to wireless network

8002 – Failed connection to wireless network

These events record the BSSID (Wireless MAC) of the associated AP, potentially enabling geolocation of the event.

Page 59: CNS 320 Week4 Lecture


Windows Text Logs

%windir%\Setuplog.txt - records information during Windows setup
%windir%\Setupact.log - actions that occurred during graphical portion of Windows setup process
%windir%\Setupapi.log - device, service pack, and hotfix installations (including plug and play devices)
%windir%\debug\Netsetup.log – workgroup & domain membership changes
%windir%\schedlgu.txt – Task Scheduler Log (Unicode)
%windir%\pfirewall.log – Windows firewall log (doesn’t exist by default)
%windir%\debug\Mrt.log - Malicious Software Removal Tool install, update & scan results
%windir%\logs\cbs\Cbs.log – Vista/2K8 package manager
%WinDir%\System32\LogFiles\* - IIS (note that these entries have text timestamps in GMT)
C:\Documents and Settings\All Users\Application Data\Microsoft\DrWatson\drwatson32.log – program crashes (can sometimes flag exploitation)

Page 60: CNS 320 Week4 Lecture


Text Log Examination

Mandiant Highlighter is an excellent tool for review of text logs. Free from Mandiant

Histogram view shows line length distribution within file. This can immediately pinpoint anomalies, as in IIS logs

Allows graphical highlighting & hit counts of search results

Allows lines matching specified patterns to be eliminated from view

Can parse timestamps and plot events on a timeline

Page 61: CNS 320 Week4 Lecture


Application Metadata

Many different file types contain assorted metadata values

JPG images (example: iPhone Geolocation)

MS Office Documents (doc, docx, xls, xlsx, etc.)

PDF Documents

Portable Executables (exe, sys, dll)

Some document formats support embedded files - these may in turn contain metadata

Best generic & well-maintained tool for extraction is Phil Harvey’s exiftool

Page 62: CNS 320 Week4 Lecture


Office Default Metadata Values

Title, Subject, Author, Keywords, Comments, Template, Last author, Revision number, Application name, Last print date, Creation date, Last save time, Total editing time, Number of pages, Number of words, Number of characters, Security, Category, Format, Manager, Company, Number of bytes, Number of lines, Number of paragraphs, Number of slides, Number of notes, Number of hidden slides, Number of multimedia clips, Hyperlink base, Number of characters (with spaces)

Page 63: CNS 320 Week4 Lecture


Old Office Metadata

Old Office versions (I believe 2K3and previous) stored the last tenaccount names to update the

document. These can be extractedthe document’s OLE metadatastream using Pinpoint Metaviewer.

Also in early Word 97 and previous,

the MAC address of the system usedto create a document was stored. Std part of system’s GUID 


Manual Examination of New (XML) Office Files (docx, xlsx, pptx)

Unzip the file

Result will be a folder

Examine the file docProps\app.xml under that extracted folder

Metadata values will be encoded in XML
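
The unzip-and-inspect procedure above as an added Python example (not from the lecture): it reads docProps/app.xml straight out of the package with zipfile, and goes one step beyond the slide by also reading docProps/core.xml, the part that holds the author and timestamp properties. The package it parses is constructed inline from two sample XML parts.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample docProps parts (not from a real document). The tag names
# follow the OOXML extended-properties and core-properties schemas.
APP_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
<Template>Normal.dotm</Template><TotalTime>42</TotalTime><Pages>3</Pages>
<Words>1250</Words><Application>Microsoft Office Word</Application>
<Company>Example Corp</Company><AppVersion>14.0000</AppVersion></Properties>"""
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Quarterly Report</dc:title><dc:creator>jdoe</dc:creator>
<cp:lastModifiedBy>asmith</cp:lastModifiedBy><cp:revision>7</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2012-01-15T09:30:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2012-02-20T16:45:00Z</dcterms:modified>
</cp:coreProperties>"""


def build_sample_docx():
    """Zip the two docProps parts the way an OOXML package stores them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/app.xml", APP_XML)
        zf.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()


def extract_office_metadata(docx_bytes):
    """Read docProps/app.xml and docProps/core.xml directly from the zip
    (the same data the unzip-and-open step exposes) without touching disk.
    Returns {part name: {tag name without namespace: text}}."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in ("docProps/app.xml", "docProps/core.xml"):
            if part not in zf.namelist():
                continue  # both parts are optional in the package
            root = ET.fromstring(zf.read(part))
            # ElementTree renders tags as "{namespace}local"; keep the local name
            result[part] = {child.tag.split("}", 1)[-1]: (child.text or "")
                            for child in root}
    return result


if __name__ == "__main__":
    print(extract_office_metadata(build_sample_docx()))
```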


PDF Metadata

Typical XMP PDF metadata tags:

Author
Copyright
CreationDate
Creator (application name)
Keywords
Marked (boolean value)
ModDate
PDFVersion
Producer (application name)
Subject
Title
Trapped

The official XMP specification defines only Keywords, PDFVersion, Producer and Trapped. The other tags are included because they have been observed in PDF files.


Metadata in JPG Images

Newer digital cameras & phones often geotag images with GPS coordinates

Can also potentially identify the specific camera that took a picture

Lots of data about specific camera settings at the time the picture was taken

Can sometimes identify photo editing software used to alter the image

Some images carry an internal thumbnail which can be extracted


Typical Metadata in a Portable Executable File (exe/sys/dll)

Machine Type
Time Stamp (compiled)
PE Type
Linker Version
Code Size
Initialized Data Size
Uninitialized Data Size
Entry Point
OS Version
Image Version
Subsystem Version
Subsystem (GUI/DOS/Native)
File Version Number
Product Version Number
File Flags Mask
File Flags
File OS
Object File Type (app/dll)
File Subtype
Language Code
Character Set
Company Name
File Description
File Version
Internal Name
Legal Copyright
Original Filename
Product Name
Product Version
Product Date
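
An added Python example (not from the lecture) that reads the first twelve fields in the list above, the ones that live in the COFF and optional headers, with struct. The PE image it parses is a constructed header-only stub built by build_sample_pe, so the version-resource strings (Company Name onward) are out of scope here.

```python
import datetime
import struct

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def build_sample_pe(timestamp, machine=0x14C, subsystem=2, linker=(9, 0)):
    """Constructed header-only PE32 image for testing (no sections, not
    loadable): DOS header with e_lfanew=0x40, COFF header, optional header."""
    opt = struct.pack("<HBBIIIII", 0x10B, linker[0], linker[1],
                      0x200, 0x400, 0, 0x1000, 0x1000)       # Magic .. BaseOfCode
    opt += struct.pack("<II", 0x2000, 0x400000)              # BaseOfData, ImageBase
    opt += struct.pack("<IIHHHHHHIIIIHH", 0x1000, 0x200, 5, 1, 0, 0, 5, 1,
                       0, 0x3000, 0x400, 0, subsystem, 0x8140)
    coff = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, len(opt), 0x0102)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + coff + opt


def pe_metadata(data):
    """Parse the COFF and optional-header fields; raises on a non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, maj_l, min_l, code, init, uninit, entry = struct.unpack_from("<HBBIIII", data, opt)
    # From SectionAlignment (offset 32) on, PE32 and PE32+ share field offsets
    versions = struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    # The compile stamp is trivially forged; cross-check it against file-system times.
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "compiled": datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc).isoformat(),
        "linker_version": f"{maj_l}.{min_l}",
        "code_size": code, "initialized_data_size": init,
        "uninitialized_data_size": uninit, "entry_point": entry,
        "os_version": f"{versions[0]}.{versions[1]}",
        "image_version": f"{versions[2]}.{versions[3]}",
        "subsystem_version": f"{versions[4]}.{versions[5]}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "is_dll": bool(chars & 0x2000),  # IMAGE_FILE_DLL characteristic
    }
```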


Metadata Extraction Tools

Exiftool (Phil Harvey)

Free

Immensely capable multiformat extraction


Thumbnails

Mechanism for creating and storing thumbnail images of pictures & first pages of documents for use in folder previews

Pre-Vista: Thumbs.db

Vista+: Thumbcache


Pre-Vista: Thumbs.db

Populated in any folder which has at one time been set to show thumbnails of included images & documents

Hidden file, not viewed by most users and not cleaned out when files are removed from the folder

Uses OLE compound document format (similar to Office 2K3 and previous) to store:

thumbnail picture of original image or first page of document

last modification time

original filename


Thumbs.db Analysis

Binary format is a mess. Sector based, devised in the days of floppy disks.

Free tool: Mitec Windows File Analyzer

Another one: Vinetto (open source python script – also does Vista thumbcache)

Format is also parsed directly by EnCase and FTK


Vista+: Thumbcache

Single, centrally stored file set for each user:

Thumbcache_32.db (small)
Thumbcache_96.db (medium)
Thumbcache_256.db (large)
Thumbcache_1024.db (extra large)
Thumbcache_idx.db
Thumbcache_sr.db

Located in <profile>\AppData\Local\Microsoft\Windows\Explorer

All created when a folder is switched to thumbnail mode or the user views pictures in a slideshow

Even stores thumbnails for pictures/docs/media on removable media, network shares, or encrypted containers

Numbered files store the actual images; linking them to files is done by the idx file.

Purpose of sr file not yet determined


Reading Assignment for Next Week

The remaining sections in Chapter 4 of the Carvey book

Chapters 3 (Volume Shadow Copies) & 7 (Timeline Analysis) in the Carvey book

I didn't assign chapter 6 for this week, but I probably should have. You might want to scan through that briefly


Questions?