What is W4

[admin]

W4 (Who, What, Where, When) is a tool for fast review and investigation of computer forensic images and evidence. The goal of W4 is to allow investigators to rapidly review a set of evidence and locate items of interest. The main interface of W4 allows for timeline filtering and linking items such as: 

• Operating  System files
• Programs used
• Devices connected
• Files and Folders 
• Browser Histories
• Notable Items
• Communications (Email, SMS, Chat)
• Documents
• Media 
• Transport links 
• Tags
• Work product

While W4 is still in the development stage we are looking for a number of beta testers to assist with how the program works in different environments. 

W4 Usage:
W4 differs from Intella type products as the goal is to look at system setting, browser history and device usage to detect any items of interest. While there is some overlap with Intella's Insight tab this differs from Intella where the user is focused more on user created data and email content. 

Common usage of W4 is detecting what devices, such as USB devices, were connected to a system and what data was copied to them.  Another usage is filtering by time and date to only certain file or record types. An example would be all Internet Explore history from Jan to Feb. 

A great deal of development time has gone into simplifying time-consuming tasks such as decoding dates and categorizing registry entries. 

W4 has a category to highlight  Notable items. This category automatically populates on processing and lists any references to Cryptocurrencies,  Darknet and BitTorrent.  

Visual review

As with all Vound products, we focus on the visual presentation of results. To facilitate this W4 uses a number of visual elements to better understand the evidence.  

The visual timeline:

This allows the user to select a date range but also understand how much data is in that range. 

Events overtime log:

This view allows the user to visually see in chronological order every event in order. This view can be filtered to only certain events and is very useful to tracking user activity over time. 

Item linking map:

This view uses item metadata to link items together. This is extremely useful to see ownership of data and what accounts or devices had access to the data at some stage in its lifespan on that system. 

A simple quick start set of images is located at: 
https://www.vound-software.com/W4/

A sample image below.

How can you help:

We are looking for beta users to run W4 on a range of images and environment. Let us know what you like and what could be better. We are looking for ideas on what other features would be needed to make it your go-to tool for this type of work. If you would like to be a beta tester please contact us directly. 

 

 

[AdamS]

Just quietly I'm excited.

Downloaded and started testing on a 120GB disk image, within 1 minute of processing starting I'm able to start triaging and seeing valuable data.

I'll withhold any more comments until the indexing process finishes and I can spend a few hours coming up with some constructive testing, but what I've seen in the last 30 minutes or so has me massively impressed.

Edit: sorry just one comment, I love the Events view. A good timeline tool has long been something missing and the way this presents the data is exceptional. I'll be watching closely to see how the reporting side of this tool develops, as traditionally this is where it can get tricky. Porting those timelines out into something useful for clients or third parties to use.

[AdamS]

Okay some initial feedback.

Firstly, I just want to acknowledge that I know this is a first release Beta so some of my thoughts below are likely already on the map, and some are likely far down that map. But my initial excitement about this software wasn't misplaced. I'm extremely impressed and can't wait to see how this develops. I can already see a place for this tool in my day to day work life.

Testing Notes

I threw in an image of a PC and an iMac just for giggles, I'm guessing at this early stage the concentration has been on support of Windows OS as much less types of artefacts for the Mac was identified, but I was kind of expecting that for such a new bit of gear. 

Test Machine Specs

Core i7 with 64GB ram running Windows 7 x64

Installation

Install went smoothly, however did take around 45 mins. I'm assuming that as a first beta release this is pretty low on the priority list and I would expect that to improve and change as the package develops.

Case Setup

Case setup extremely simple, just a couple of fields to fill in then point to the disc image to ingest.

Processing

• 120 GB - Started at 1800 hrs 25/10/18
• 1 min – Identified user accounts and other artefacts started appearing after 1 min processing
• 48 min total processing time
• 1TB iMac image - Started at 1900 hrs
• Again within 1 minute I was seeing data and could triage results
• 1hr 13m total processing time

Notes

No video or audio ‘open in external application option’ possibly intentional at this stage. Other viewers seem to work for pic and docs

Thoughts and Ruminations

USB Logs

• Would be nice to see some other info here if it's possible to show any file movement or access at the same time as the devices are connected
• The links view shows the user account that was logged in, would be nice to see this in the events view as well, maybe far right side in the boxes for each item?

Event log viewer

• Would be nice to see more information around the event types, maybe another tab next to the ‘properties’ tab when selecting a log.
• Filter ability to isolate specific types of event logs, possibly addition of auto filter for event logs that might be of common interest ( shutdown/startup, virus scan, windows update, windows restore, restore point creation)

Notable Program Usage

• Expand notable program usage (likely already high on the list) maybe ability to filter here from a predefined list (check box), possibly the ability to add custom programs based on the .exe name. In my head I'm seeing something similar to what IEF use when determine which app artefacts to go looking for.

Deleted file activity

• Would be great to add tab next to ‘properties’ tab to show more information such as which user was logged in at the time, can currently see in the links view only.

User Profiles

• The ability to filter all events based on a user profile, ie build a full timeline of activity for a single user by session linkage.

Geolocation

• Would be nice to have a map with GEO location items (for offline use) AND direct link from the Geolocation field to google maps for online use.

Cosmetic Stuff

• Collapse/Expand all option in search window for facets
• Create thumbnail pics for video files 

Data Support

• Support for mobile phone artefacts like iPhone backups, also to identify those backups which can’t be parsed due to encryption (possibly out of scope but given Intella support already of UFDR files this would seem to be a natural progression)
• Can UFDR files be imported yet, on the roadmap?
• Virus scanner logs showing quarantine events, etc
• Firewall Logs

I also noted the picture review is nice and fast, the thumbnail caching works fantastic. Great for onsite triage of pics for LEO.

 

I will spend some quality time over the coming weeks to really dig into this, but this is my initial thoughts after a few hours of playing.

 

[jon.pearse]

The Events view is useful for showing the events that have occured with USB devices on the system. In this screenshot the Events view shows the following:

• Plugging in a USB device. Entries 3 and 4.
• Creating a folder on that device. Entries 5 and 6.
• Creating a file, or moving a file onto that device. Entries 7 and 8.
• Modifying the file on the device. Entries 10-12 and 14.
• Disconnecting the USB device. The last entry.

We also show where information has potentially been overwritten. The first two entries show the file was created on the USB device. However, these time stamp entries were originally created when the file was created on the C drive. Windows has updated the location information from C to the USB device when the link file was used on the USB device. Because these entries exist before the USB device was connected to the computer, this provides a clue that the file was created on some other device before the USB device was connected. Further investigation and carving may discover additional artifacts. Such artefacts could include the original information of the lnk file when the file was created on the C drive. 

 

[jon.pearse]

In this screenshot we see that the Links view (for a .LNK file) shows a clear picture of which other elements/artefacts are involved. Here we can see the following items linked to the .LNK file.

• The user account.
• The USB device.
• The location of the .LNK file.
• The document which the .LNK file points to.
• The parent directory for the document.

This provides the investigator with additional information, and other pathways for investigation. 

 

[dale]

I had a first look at and I very much like what I am seeing here. Quite a number of the things that W4 addresses remind me feature requests that I raised for Intella in the past. The question is going to be if and if so how Intella and W4 will interact?

Here first impressions after some (very) high-level testing:

Ingestion times seem very reasonable.

• Support for compound file types (e.g. my favorite NSFs...) has room for growth (hence the question - how will this link up with Intella?)
• The Links Graph has a lot of promise. In particular when you start holding down the CTRL key when double-clicking
  Suggestions:
  • Add a backwards and forward button so the investigator can 'navigate'.
  • Consider adding a graphical view of the navigation history showing how the investigator jumped from one item to the next
• MacOS support is kind of limited still. I didn't test APFS. However, there are a lot of MacOS artifacts that are worth considering including
  • FSevents (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498158287.pdf),
  • Unified Logs (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498146226.pdf)
  • Parsing of plists for event data, e.g., iMessages etc.
• On NTFS carve for MFT records in unallocated space and use record ID and record date field to build history of file modifications by combining older versions of MFT records based on record ID.
• Create a calendar view showing a month, a week, a day, (an hour, minute) with event data like we know it from our favorite calendaring tool
• Integrate external data sources. Example: The Code42 Security Center provides information about data ingress and egress via USB and Cloud storage including filenames, MD5(!), dates, media details etc.

What I didn't test yet is the integration of calendar events, mobile device data and a lot more. I need to find more time for this... But what I'd want to look at are things such as locally synchronized cloud storage repositories etc.

This looks promising ?

Dominique

[AdamS]

Just loaded up the new version (1.0.2) and wanted to confirm if this is expected behaviour. 

I tried to add two different E01 images to index, however indexing completed after a few seconds with no data found and no errors.

I removed the sources and just added a single image and all is working as expected.

[igor_r]

Hi Adam,

Thanks for the feedback!

Did you add both images under a single source? That could explain the issue. The "Files" section in the source panel is for adding parts of the same image.

If you need to index two different images, you need to create a separate source for each image.

I hope that answers your question.

[AdamS]

Ahh I possibly did Igor, I'll revisit that when I get a chance to confirm but I suspect that's what I did

[AdamS]

Any known issues with report creation? I started a report for all known artifacts (around 300k) and left it running overnight, check on a short time ago and still says it's running but no actual files appearing in the target location.

Is this designed to be more targeted using a smaller number of items perhaps?

[igor_r]

Hi Adam,

Yes, it depends on what you included in the report.

If you report items as a table (one item per row) then it may be ok. I've just tried to create a report that contained 177K items as a table and it worked fine. It took 5 mins to produce. The result PDF file was 28MB and 12,500 pages.

But if you report items as a list (1-3 items per page), it might produce an enormous PDF with 200-300K+ pages. I don't think you could even open such file then in Acrobat Reader.

So, at the moment reporting is indeed designed to have smaller number of items or pages.

What you could do is to change the presentation of certain items to "Table". That might dramatically reduce the number of pages in the report.

If you really need to report everything in the case, then exporting to a CSV file might be a better option for now.

We'll think how to handle such huge reports better in a future version.

Thanks for your feedback!

[llanowar]

I am poking around W4 1.0.3 for the first time - using the NIST CFReDS "Data Leakage Case" data set. I am really liking what I am seeing so far.

One irregularity I just ran into:

In the "USB Devices" Search section, the "Items" view correctly lists the connection timestamps (even after applying an EDT timezone offset in the "Sources" tab). The irregularity occurs when switching over to the "Events" view. The connection timestamps are all off by exactly 1 hr (likely a Standard/Daylight Savings issue). In the "Events" view, the right-side "Properties" preview section lists the timestamps correctly, however, the timestamps listed in the primary window area sorted chronologically are off by exactly 1 hr.

I re-indexed the entire case and selected "rebuild links" with the Timezone offset already selected to Eastern Time to no avail. (My initial indexing was set for UTC time (-0)).

Keep up the great work, this tool shows great promise.

[igor_r]

Hi llanowar,

Thanks for testing W4!

At the moment, all timestamps on the "Events" view are always shown in your current timezone. The source timezone setting only applies to timestamps in the table and the properties tab. The reason we did that is because the Events view can display data from multiple sources which might come from different timezones.

In the next version we'll add an option to select the timezone for Events view.