Practical Windows Forensics

Agenda

The go-to methodology to get up and running with forensics is as follows:

• Extract Evidence
• Mount with Arsenal Image Mounter
• Parse with KAPE into a cases folder
• Examine Registry with RegRipper and output findings to text file for further searching

Forensics Process

The forensics process can broadly be classified into the following steps:

• Data identification
• Data Acquisition
• Verify Integrity ( create hash at the start for verification at the end)

Acquisition

Windows OS: Sources of Evidence

Fundamental sources of forensics evidence:

• Memory
• Disk
  • NTFS
  • Windows Registry
  • Windows Event logs
  • Other windows artifacts

Disk Analysis Process

• System and user information

  • Registry

• File analysis

  • NTFS

• Evidence of execution

  • Background Activity Moderator
  • Shimcache
  • Amcache
  • Prefetch

• Persistence Mechanisms

  • Run Keys
  • Startup Folder
  • Scheduled tasks
  • Services

• Event Log Analysis

Windows Registry

Registry is a db of key value pairs

• The HKEY_CURRENT_USER is a symbolic link to HKEY_USERS
• The HKEY_CLASSES_ROOT stores preferences for the user
• The HKEY_LOCAL_MACHINE stores details about the system including the security, software, system and SAM file configurations.

Once you’ve extracted evidence using KAPE, you can find the registry files in windows -> system32 -> config
Users only have settings stored in the system if they logged in interactively - i.e mouse and keyboard

The NTUser.dat file gives you specific info about the user and can be found at Users > IEUser > NTUSER.DAT

The UsrClass.dat file gives you specific info that was in the HKEY_CLASSES_ROOT hive and can be found at Users > IEUser > AppData > Local > Microsoft > Windows > UsrClass.dat

Transcation log files store changes to key and value entries in the registry hives

RegRipper

Plugin Name	Function	Example
winver	Windows version	rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p winver
timezone	Timezone	rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p timezone
nic2	Network info	rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p nic2
networklist	List of APs	rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p networklist
shutdown	Shutdown time	rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p shutdown
defender	Windows Defender details	rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p defender

For automating regripper, first unhide the user specific registry files i.e the UsrClass.dat and NTUSER.dat through

attrib *
attrib -h UsrClass.dat
attrib -h NTUSER.dat

To automate regripper use a for loop specifying regripper should apply the suitable plugins to each hive and store the output in a corresponding text file as follows:

for /r %i in (*) do (C:\Tools\RegRipper\RegRipper3.0-master\rip.exe -r %i -a > %i.txt)

Starting Point

System Information

• Computername:
  HKLM\System\CurrentControlSet\Control\Computername\
• Windows Version:
  HKLM\Software\Microsoft\Windows NT\Currentversion\
• Timezone:
  HKLM\System\CurrentControlSet\Control\TimeZoneInformation\
• Network Information:
  HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces{interface-name}
• Shutdown time:
  HKLM\System\ControlSet001\Control\Windows\ShutdownTime
• Defender settings:
  HKLM\Software\Microsoft\Windows Defender\

Windows Services

HKLM\SYSTEM\CurrentControlSet\Services

Scheduled Tasks

Registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree

Path:

• C:\Windows\System32\Tasks

from the regripper output search for taskcache

You can view the services that ran using Autoruns for Sysinternals by Mark Russinovich

Windows Event Log Analysis

Path: C:\Windows\System32\winevt\logs
Event id for logons is 4624
Catch up on 4624 here

We discard a logon type 5 because it is associated with service accounts.
We pay attention to:

• logon type 2 (interactive),
• 3 (network) and
• 10 (remote interactive e.g through RDP)
  Here is a cheatsheet for important event ids

Source	EventID	Description
Microsoft-Windows-Windows Defender	5000	Defender enabled
Microsoft-Windows-Windows Defender	5001	Defender disabled
System	7045	A new service was installed
Security	4624	An account was successfully logged on
Windows Powershell	400	Engine state changed from none to available
Microsoft-Windows-Sysmon	1	Process creation
Microsoft-Windows-Sysmon	3	Network Connection
Microsoft-Windows-Sysmon	11	File Create
Microsoft-Windows-Sysmon	12,13	Registry Events
Microsoft-Windows-Sysmon	22	DNSQuery

Windows Memory Forensic Analysis

To analyze RAM in Windows, one can opt to use Volatility as summarily described below.

vol -f DFIR\ Windows-Snapshot4.vmem windows.info

view processes as tree

vol -f DFIR\ Windows-Snapshot4.vmem windows.pstree

examine specific process id

vol -f DFIR\ Windows-Snapshot4.vmem windows.pslist --pid 5068

dump process

vol -f DFIR\ Windows-Snapshot4.vmem windows.pslist --pid 5068 --dump

check dlls for suspicious process

vol -f DFIR\ Windows-Snapshot4.vmem windows.dlllist --pid 6436 > dlls.txt

dump dlls

vol -f DFIR\ Windows-Snapshot4.vmem windows.dlllist --pid 6436 --dump

see who owns processes through sids for multiple pids

vol -f DFIR\ Windows-Snapshot4.vmem windows.getsids --pid 6436 5068

extract info from registry

vol -f DFIR\ Windows-Snapshot4.vmem windows.registry.printkey -h

list registry hives

vol -f DFIR\ Windows-Snapshot4.vmem windows.registry.hivelist

from the offset obtained above, find info on the file

vol -f DFIR\ Windows-Snapshot4.vmem windows.registry.printkey --offset 0xce8afd3e8000 --key AtomicRedTeam

The user hive is the one that contains the classes subkey

Timelines

Volatility timeline output is recorded as Mactime Bodyfile in Timeline Explorer

# timeline with volatility
vol -f /mnt/c/Cases/Analysis/Memory/DFIR\ Windows-Snapshot4.vmem timeliner --create-bodyfile

EZ Tools CheatSheet

Here is a cheatsheet to EZ tools

Conclusion

This serves as an introduction to Windows Forensics in a practical format that you can use to get up and running when you need to carry out a Digital Forensics Investigation.