Agenda
The go-to methodology to get up and running with forensics is as follows:
- Extract Evidence
- Mount with Arsenal Image Mounter
- Parse with KAPE into a cases folder
- Examine Registry with RegRipper and output findings to text file for further searching
Forensics Process
The forensics process can broadly be classified into the following steps:
- Data identification
- Data Acquisition
- Verify Integrity ( create hash at the start for verification at the end)
Acquisition
Windows OS: Sources of Evidence
Fundamental sources of forensics evidence:
- Memory
- Disk
- NTFS
- Windows Registry
- Windows Event logs
- Other windows artifacts
Disk Analysis Process
System and user information
- Registry
File analysis
- NTFS
Evidence of execution
- Background Activity Moderator
- Shimcache
- Amcache
- Prefetch
Persistence Mechanisms
- Run Keys
- Startup Folder
- Scheduled tasks
- Services
Event Log Analysis
Windows Registry
Registry is a db of key value pairs
- The
HKEY_CURRENT_USERis a symbolic link to HKEY_USERS - The
HKEY_CLASSES_ROOTstores preferences for the user - The
HKEY_LOCAL_MACHINEstores details about the system including the security, software, system and SAM file configurations.
Once you’ve extracted evidence using KAPE, you can find the registry files in windows -> system32 -> config
Users only have settings stored in the system if they logged in interactively - i.e mouse and keyboard
The NTUser.dat file gives you specific info about the user and can be found at Users > IEUser > NTUSER.DAT
The UsrClass.dat file gives you specific info that was in the HKEY_CLASSES_ROOT hive and can be found at Users > IEUser > AppData > Local > Microsoft > Windows > UsrClass.dat
Transcation log files store changes to key and value entries in the registry hives
RegRipper
| Plugin Name | Function | Example |
|---|---|---|
| winver | Windows version | rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p winver |
| timezone | Timezone | rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p timezone |
| nic2 | Network info | rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p nic2 |
| networklist | List of APs | rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p networklist |
| shutdown | Shutdown time | rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p shutdown |
| defender | Windows Defender details | rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p defender |
For automating regripper, first unhide the user specific registry files i.e the UsrClass.dat and NTUSER.dat through
1
2
3
4
attrib *
attrib -h UsrClass.dat
attrib -h NTUSER.dat
To automate regripper use a for loop specifying regripper should apply the suitable plugins to each hive and store the output in a corresponding text file as follows:
1
2
for /r %i in (*) do (C:\Tools\RegRipper\RegRipper3.0-master\rip.exe -r %i -a > %i.txt)
Starting Point
System Information
- Computername:
HKLM\System\CurrentControlSet\Control\Computername\ - Windows Version:
HKLM\Software\Microsoft\Windows NT\Currentversion\ - Timezone:
HKLM\System\CurrentControlSet\Control\TimeZoneInformation\ - Network Information:
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces{interface-name} - Shutdown time:
HKLM\System\ControlSet001\Control\Windows\ShutdownTime - Defender settings:
HKLM\Software\Microsoft\Windows Defender\
Windows Services
1
HKLM\SYSTEM\CurrentControlSet\Services
Scheduled Tasks
Registry:
1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
Path:
- C:\Windows\System32\Tasks
from the regripper output search for taskcache
You can view the services that ran using Autoruns for Sysinternals by Mark Russinovich
Windows Event Log Analysis
Path: C:\Windows\System32\winevt\logs
Event id for logons is 4624
Catch up on 4624 here
We discard a logon type 5 because it is associated with service accounts.
We pay attention to:
- logon type 2 (interactive),
- 3 (network) and
- 10 (remote interactive e.g through RDP)
Here is a cheatsheet for important event ids
| Source | EventID | Description |
|---|---|---|
| Microsoft-Windows-Windows Defender | 5000 | Defender enabled |
| Microsoft-Windows-Windows Defender | 5001 | Defender disabled |
| System | 7045 | A new service was installed |
| Security | 4624 | An account was successfully logged on |
| Windows Powershell | 400 | Engine state changed from none to available |
| Microsoft-Windows-Sysmon | 1 | Process creation |
| Microsoft-Windows-Sysmon | 3 | Network Connection |
| Microsoft-Windows-Sysmon | 11 | File Create |
| Microsoft-Windows-Sysmon | 12,13 | Registry Events |
| Microsoft-Windows-Sysmon | 22 | DNSQuery |
Windows Memory Forensic Analysis
To analyze RAM in Windows, one can opt to use Volatility as summarily described below.
vol -f DFIR\ Windows-Snapshot4.vmem windows.info
view processes as tree
vol -f DFIR\ Windows-Snapshot4.vmem windows.pstree
examine specific process id
vol -f DFIR\ Windows-Snapshot4.vmem windows.pslist --pid 5068
dump process
vol -f DFIR\ Windows-Snapshot4.vmem windows.pslist --pid 5068 --dump
check dlls for suspicious process
vol -f DFIR\ Windows-Snapshot4.vmem windows.dlllist --pid 6436 > dlls.txt
dump dlls
vol -f DFIR\ Windows-Snapshot4.vmem windows.dlllist --pid 6436 --dump
see who owns processes through sids for multiple pids
vol -f DFIR\ Windows-Snapshot4.vmem windows.getsids --pid 6436 5068
extract info from registry
vol -f DFIR\ Windows-Snapshot4.vmem windows.registry.printkey -h
list registry hives
vol -f DFIR\ Windows-Snapshot4.vmem windows.registry.hivelist
from the offset obtained above, find info on the file
vol -f DFIR\ Windows-Snapshot4.vmem windows.registry.printkey --offset 0xce8afd3e8000 --key AtomicRedTeam
The user hive is the one that contains the classes subkey
Timelines
Volatility timeline output is recorded as Mactime Bodyfile in Timeline Explorer
1
2
# timeline with volatility
vol -f /mnt/c/Cases/Analysis/Memory/DFIR\ Windows-Snapshot4.vmem timeliner --create-bodyfile
EZ Tools CheatSheet
Here is a cheatsheet to EZ tools
Conclusion
This serves as an introduction to Windows Forensics in a practical format that you can use to get up and running when you need to carry out a Digital Forensics Investigation.
Reminiscent | Hack The Box | Forensics