Forensicating windows Artifacts investigation without event logs

Published on June 13, 2019

Author: RenzonCruz

Source: slideshare.net

Content

1. Forensicating Windows Artifacts: Investigation w/o Event Logs!
Renzon L. Cruz, Senior Security Analyst (@renzoncruz)
BSides London 2019 Security Conference

2. #whoami
• 7 years of working experience in Cyber Security.
• Sr. Security Analyst – National Cyber Security Operations Centre, Doha, Qatar.
• Core member of VARIA Cybersecurity in Manila, Philippines.
• Former College Instructor – New Era University.
• GCIH | CFR | eCDFP | eJPT | MCP | MCS | ITIL
BSides London 2019 | Forensicating Windows Artifacts: Investigation w/o event Logs! | Renzon Cruz

3. Agenda: Windows Artifacts
• LNK (.lnk) Files
• Prefetch
• ThumbCache
• Jumplists
• Shellbags
• Registry Keys

4. NOW WHAT TO DO?!?!?

5. Windows Artifacts!!

6. LNK Files (shortcuts)
• Relatively simple but valuable artifact for the forensic investigator.
• They are commonly called Shortcuts. They are small files with a .lnk file extension.
• Windows-created LNK files are generated when a user opens a local or remote file or document, giving investigators valuable information on a suspect's activity.
Location:
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent
%USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent

7. LNK file locations
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent
%USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent

8. LNK File: LECmd.exe
C:\Users\Renzon\Desktop\DFIR\Forensic Toolkit\LECmd>LECmd.exe -d C:\Users\Renzon\AppData\Roaming\Microsoft\Windows\Recent --csv Result

9. Prefetch
• Caches code pages loaded at program startup
  - Speeds up startup time
  - Even if the exe is on a USB drive.
• Files named <EXE NAME>-HASH.pf
  - The hash depends on where the file was run from
  - Example: CHROME.EXE-5349D2DF.pf
Location: C:\Windows\Prefetch

10. Prefetch: WinPrefetchView
C:\WINDOWS\Prefetch
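As an added example that is not part of the slides, a Python check for the Prefetch naming rule above: it reads the executable name and hash that Windows stores inside the .pf header and compares them with the EXE-HASH.pf file name, so a renamed or tampered file is not mistaken for evidence that the named program ran. The sample header is constructed inline; the parser assumes the uncompressed layout written up to Windows 8.1 and refuses Windows 10's compressed (MAM) files rather than parsing them.

```python
import re
import struct

# Constructed sample: a minimal uncompressed Prefetch header (format version 23,
# as written by Windows 7) for CHROME.EXE, the file name used on the slide.
# Only the 84-byte header is built; a real .pf file carries more sections after it.
def build_sample_pf(exe_name="CHROME.EXE", pf_hash=0x5349D2DF, version=23):
    name_field = exe_name.encode("utf-16-le").ljust(60, b"\x00")   # 60-byte UTF-16 name field
    return (struct.pack("<I4sII", version, b"SCCA", 0x11, 84)
            + name_field + struct.pack("<II", pf_hash, 0))

def parse_pf_header(data):
    """Return (version, exe_name, hash) from an uncompressed .pf header.
    Windows 10 .pf files start with b"MAM\\x04" and must be decompressed
    (LZXPRESS Huffman) before this header layout applies."""
    if data[:3] == b"MAM":
        raise ValueError("compressed Windows 10 prefetch file; decompress it first")
    if len(data) < 84:
        raise ValueError("prefetch header truncated")
    version, sig, _unknown, _size = struct.unpack_from("<I4sII", data, 0)
    if sig != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 76)
    return version, exe_name, pf_hash

PF_NAME_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

def check_pf_file(file_name, data):
    """Compare the on-disk name (EXE-HASH.pf) with the name and hash inside the header.
    A mismatch means the file was renamed or tampered with, so its timestamps
    should not be taken as evidence that the named program ran."""
    m = PF_NAME_RE.match(file_name)
    if not m:
        return {"ok": False, "reason": "file name does not follow EXE-HASH.pf"}
    try:
        version, exe_name, pf_hash = parse_pf_header(data)
    except ValueError as err:
        return {"ok": False, "reason": str(err)}
    name_ok = m.group("exe").upper() == exe_name.upper()
    hash_ok = int(m.group("hash"), 16) == pf_hash
    return {"ok": name_ok and hash_ok, "version": version, "exe": exe_name,
            "hash": f"{pf_hash:08X}", "name_ok": name_ok, "hash_ok": hash_ok}

if __name__ == "__main__":
    sample = build_sample_pf()
    print(check_pf_file("CHROME.EXE-5349D2DF.pf", sample))   # ok: True
    print(check_pf_file("NOTEPAD.EXE-5349D2DF.pf", sample))  # name_ok: False
```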

11. Thumbcache (thumbs.db)
- Hidden file in the directory where images exist on the machine; the images are stored as smaller thumbnail graphics.
- Thumbs.db catalogs pictures in a folder and stores a copy of the thumbnail even if the pictures were deleted.
- WinXP/Win8/8.1: automatically created anywhere
- Win 7/10: automatically created anywhere accessed via a UNC path (local or remote)
• Starting from Windows Vista/7, all the thumbnail files are stored in a single directory located at %USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer, with the file named thumbcache.db


13. ShellBag
• Set of Windows registry keys located in the NTUSER.DAT and USRCLASS.DAT registry hives that maintain the view, icon, position and size of folders when using Windows Explorer.
Location:
Under NTUSER.DAT
- HKCU\Software\Microsoft\Windows\Shell\Bags
- HKCU\Software\Microsoft\Windows\Shell\BagMRU
- HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags
- HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU
Under USRCLASS.DAT
- HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
- HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

14. Shellbag: Example (usrclass.dat)

15. Jumplist
- A new feature released with Microsoft Windows 7
- Provides the user with a GUI associated with each installed application which lists files that have been previously accessed by that application.
Location: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent

16. Jump List Files

17. Jump List: App IDs
The files are named with 16 hexadecimal digits, known as the App ID, followed by the extension '.automaticDestinations-ms'.
http://www.forensicswiki.org/wiki/List_of_Jump_List_IDs

18. Jump List Files

19. Jumplist: Example

20. Windows Registry
• Database for storing configuration info
  - Can store arbitrary data
• Used by almost every aspect of the OS.
• System registry: %SystemRoot%\System32\Config
• User registry: %UserProfile%\NTUSER.dat
Root key names and abbreviations:
- HKEY_CLASSES_ROOT: HKCR
- HKEY_CURRENT_USER: HKCU
- HKEY_LOCAL_MACHINE: HKLM
- HKEY_USERS: HKU
- HKEY_CURRENT_CONFIG: HKCC

21. Windows Registry: Forensic Value
• Users and the time they last used the system
• Most recently used software
• Any devices mounted to the system, including unique identifiers of flash drives, hard drives, phones, tablets, etc.
• When the system connected to a specific wireless access point
• What files were accessed, and when
• A list of any searches done on the system
• And much, much more

22. Windows Registry: Forensics
Recently Opened Programs/Files/URLs
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
Files opened directly from Windows Explorer
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Start > Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Typed URLs
- HKCU\Software\Microsoft\Internet Explorer\TypedURLs
Installed Programs
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
Mounted Drives
- HKLM\SYSTEM\MountedDevices

23. Recent Mapped Network Drives
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
USB Storage
- HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
Autorun
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RunServices and RunServicesOnce
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
Services
- HKLM\SYSTEM\CurrentControlSet\Services
Last User Logged In
- SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser
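As an added example that is not part of the slides, Python helpers that put two of the keys listed above, RecentDocs and RunMRU, into most-recent-first order from their MRUListEx and MRUList values. The value data is constructed inline; the helpers assume the values have already been read out of the user's NTUSER.DAT by an offline hive parser, which is how they are obtained when no event logs are available.

```python
import struct

def parse_mrulistex(blob):
    """Decode a REG_BINARY MRUListEx value: little-endian DWORD indexes,
    most recent first, terminated by 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", blob[: len(blob) - len(blob) % 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def recentdocs_in_order(values):
    """values maps RecentDocs value names to raw data, as an offline hive parser
    returns them. Each numbered value starts with the UTF-16 file name, NUL-terminated,
    followed by shell-item data that is ignored here. Returns names, most recent first."""
    names = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        raw = values.get(str(idx))
        if raw is None:
            continue  # MRUListEx refers to a value that is missing from the hive
        names.append(raw.decode("utf-16-le", errors="ignore").split("\x00", 1)[0])
    return names

def runmru_in_order(values):
    """RunMRU keeps one REG_SZ per command, named a, b, c ... and suffixed with "\\1";
    the MRUList string lists those letters most recent first."""
    cmds = []
    for letter in values["MRUList"]:
        raw = values.get(letter)
        if raw is None:
            continue
        cmds.append(raw[:-2] if raw.endswith("\\1") else raw)
    return cmds

# Constructed sample data shaped like the two keys' contents (not from a real hive).
SAMPLE_RECENTDOCS = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    "0": "budget.xlsx".encode("utf-16-le") + b"\x00\x00" + b"\x10\x00budget.lnk",
    "1": "notes.txt".encode("utf-16-le") + b"\x00\x00" + b"\x10\x00notes.lnk",
    "2": "report.docx".encode("utf-16-le") + b"\x00\x00" + b"\x10\x00report.lnk",
}
SAMPLE_RUNMRU = {"MRUList": "cab", "a": "mstsc\\1", "b": "cmd\\1", "c": "regedit\\1"}

if __name__ == "__main__":
    print(recentdocs_in_order(SAMPLE_RECENTDOCS))  # most recently opened file first
    print(runmru_in_order(SAMPLE_RUNMRU))          # most recent Start > Run command first
```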

24. Windows Registry: Tools
• RegRipper (RR) – Automated registry extraction
  - https://github.com/keydet89/RegRipper2.8
• Registry Explorer
  - https://ericzimmerman.github.io/#!index.md
