
Practical Windows Forensics

tags: dfir blue team volatility memory forensics defense against the dark arts

Introduction

This article is meant to serve as a 'how to' guide for Incident Response and Digital Forensics practitioners.

It assumes prior security knowledge and only highlights a methodology that I have personally found useful when conducting investigations.

Agenda

The go-to methodology to get up and running with forensics is as follows:

  1. Extract Evidence
  2. Mount with Arsenal Image Mounter
  3. Parse with KAPE into a cases folder
  4. Examine Registry with RegRipper and output findings to text file for further searching

Forensics Process

The forensics process can broadly be classified into the following steps:

  • Data identification
  • Data Acquisition
  • Verify integrity (create a hash at the start so it can be verified at the end)

Order of Volatility (RFC3227)

While acquiring evidence, it is important to note the order of volatility as follows:

  • Registers, cache
  • Routing table, ARP cache, process table, kernel statistics, memory
  • Temporary file systems
  • Disk
  • Remote logging and monitoring data that is relevant to the system in question
  • Physical configuration, network topology
  • Archival media

Acquisition

# To hash a file on Windows (SHA256 shown; certutil defaults to SHA1 if no algorithm is given)
certutil -hashfile <evidence-file> SHA256 > hashedfile
# To print it out
type hashedfile
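The integrity step (hash at acquisition, verify at the end) as an added Python example; this is not code from the original note but mirrors the certutil workflow above with hashlib. File names and contents are constructed, and the manifest layout (digest, two spaces, file name) is simply the sha256sum convention:

```python
"""Added example (not from the original note): hash evidence at acquisition time,
record the digests in a manifest, and re-verify the files later."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream large images 1 MiB at a time instead of reading them whole


def sha256_file(path):
    """Return the SHA-256 hex digest of a file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def write_manifest(paths, manifest_path):
    """Write one 'digest  filename' line per file (the layout sha256sum uses)."""
    with open(manifest_path, "w", encoding="utf-8") as out:
        for path in paths:
            out.write(f"{sha256_file(path)}  {os.path.basename(path)}\n")


def verify_manifest(manifest_path, directory):
    """Re-hash every file listed in the manifest; return {filename: digest still matches}."""
    results = {}
    with open(manifest_path, encoding="utf-8") as fh:
        for line in fh:
            recorded, name = line.rstrip("\n").split("  ", 1)
            current = sha256_file(os.path.join(directory, name))
            results[name] = current == recorded
    return results


def demo():
    """Constructed evidence set: hash two files, then alter one and re-verify."""
    with tempfile.TemporaryDirectory() as case_dir:
        disk = os.path.join(case_dir, "disk.E01")
        memory = os.path.join(case_dir, "memory.vmem")
        with open(disk, "wb") as fh:
            fh.write(b"constructed disk image bytes")
        with open(memory, "wb") as fh:
            fh.write(b"constructed memory snapshot bytes")
        manifest = os.path.join(case_dir, "hashes.txt")

        write_manifest([disk, memory], manifest)
        before = verify_manifest(manifest, case_dir)

        with open(memory, "ab") as fh:  # simulate the image being altered after acquisition
            fh.write(b"!")
        after = verify_manifest(manifest, case_dir)
        return before, after


if __name__ == "__main__":
    print(demo())
```

Keep the manifest outside the evidence folder (or on write-once media) so that a change to an image cannot be masked by editing the recorded digest alongside it.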

Windows OS: Sources of Evidence

Fundamental sources of forensics evidence:

  • Memory
  • Disk
    • NTFS
    • Windows Registry
    • Windows Event logs
    • Other windows artifacts

Disk Analysis Process

  • System and user information

    • Registry
  • File analysis

    • NTFS
  • Evidence of execution

    • Background Activity Moderator
    • Shimcache
    • Amcache
    • Prefetch
  • Persistence Mechanisms

    • Run Keys
    • Startup Folder
    • Scheduled tasks
    • Services
  • Event Log Analysis

Windows Registry

The registry is a database of key/value pairs.

  • HKEY_CURRENT_USER is a symbolic link into HKEY_USERS
  • HKEY_CLASSES_ROOT stores preferences for the user
  • HKEY_LOCAL_MACHINE stores details about the system, including the SECURITY, SOFTWARE, SYSTEM and SAM hive files.

Once you've extracted evidence using KAPE, you can find the registry files under Windows -> System32 -> config.
Users only have settings stored on the system if they logged in interactively, i.e. with mouse and keyboard.

The NTUser.dat file gives you specific info about the user and can be found at Users > IEUser > NTUSER.DAT

The UsrClass.dat file gives you specific info that was in the HKEY_CLASSES_ROOT hive and can be found at Users > IEUser > AppData > Local > Microsoft > Windows > UsrClass.dat

Transaction log files store changes to key and value entries in the registry hives.

RegRipper

rip.exe is the CLI tool.
Plugins (-p) include:

Plugin       Function                     Example
winver       Windows version              rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p winver
timezone     Time zone                    rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p timezone
nic2         Network interface info       rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p nic2
networklist  List of access points (APs)  rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p networklist
shutdown     Shutdown time                rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p shutdown
defender     Windows Defender details     rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p defender

To automate RegRipper, first unhide the user-specific registry files, i.e. UsrClass.dat and NTUSER.dat (the for loop below skips hidden files), with:

# list current attributes; UsrClass.dat carries both the system (S) and hidden (H) attributes,
# and attrib refuses to clear H on a system file unless S is cleared in the same command
attrib *
attrib -s -h UsrClass.dat
attrib -s -h NTUSER.dat

Then use a for loop that runs RegRipper with automatic plugin selection (-a) against each hive and stores the output in a corresponding text file (quoting %i so paths with spaces work):

for /r %i in (*) do (C:\Tools\RegRipper\RegRipper3.0-master\rip.exe -r "%i" -a > "%i.txt")

Starting Point

System Information

  • Computername:
    Registry: HKLM\System\CurrentControlSet\Control\Computername\
  • Windows Version:
    Registry: HKLM\Software\Microsoft\Windows NT\Currentversion\
  • Timezone:
    Registry: HKLM\System\CurrentControlSet\Control\TimeZoneInformation\
  • Network Information:
    Registry: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{interface-GUID}
  • Shutdown time:
    Registry: HKLM\System\ControlSet001\Control\Windows\ShutdownTime
  • Defender settings:
    Registry: HKLM\Software\Microsoft\Windows Defender\

Users, Groups and User Profiles

Some questions to ask relate to:

  • Active accounts during the attack timeframe?
  • Which account(s) were created?
  • Which accounts are Administrator group members?
  • Which users have profiles?

User Behavior

Item              Description                      Hive
UserAssist        Applications opened              NTUSER.dat
RecentDocs        Files and folders opened         NTUSER.dat
Shellbags         Locations browsed by the user    UsrClass.dat
Open/Save MRU     Files that were opened
Last-Visited MRU  Applications used to open files

UserAssist keeps track of every application a user has opened, and it lives in the user's own hive.
Therefore, when examining multiple users, you'll have to load each of their NTUSER.dat hives.

NTFS - File System Analysis

# search through MFT and save in csv format (to be opened with Timeline Explorer later)
MFTECmd.exe -f C:\Cases\E\$MFT --csv C:\Cases\Analysis\NTFS --csvf JAnalysis.csv

# Search for file details given the specific entry number
MFTECmd.exe -f C:\Cases\E\$MFT --de 84937

MACB timestamp notation vs the Standard Information field names:
m...  Modified          - Modified on
.a..  Accessed          - Last accessed on
..c.  Changed           - Record modified on
...b  Birth (creation)  - Created on

"Changed" refers to the modification of the record in the $MFT.
$MFT is the Master File Table. The $MFT stores info on files; this is what we carve to recover deleted files.

File Name timestamps are the timestamps created when a file starts to exist.
You can only modify the timestamps in the Standard Information attribute, since those are the only ones exposed through the Windows API.

When SI (Standard Information) < FN (File Name), i.e. the SI creation time is earlier than the FN creation time, there is a possibility that the file has been timestomped, i.e. its timestamps have been altered.
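The SI < FN check above, as an added Python example (not code from the original note) run over MFTECmd-style CSV output. The rows are constructed sample data; the column names (Created0x10 for the SI creation time, Created0x30 for the FN creation time, EntryNumber, ParentPath, FileName) are assumed to match MFTECmd's CSV layout:

```python
"""Added example (not from the original note): flag $MFT entries whose
$STANDARD_INFORMATION creation time (SI) is earlier than their $FILE_NAME
creation time (FN)."""
import csv
import io
from datetime import datetime

# Constructed sample rows in (assumed) MFTECmd column layout; not real case output.
SAMPLE_CSV = """EntryNumber,ParentPath,FileName,Created0x10,Created0x30
84937,.\\Windows\\System32,updater.exe,2019-01-05 10:00:00.0000000,2023-04-12 09:41:13.1234567
1201,.\\Users\\IEUser\\Downloads,report.docx,2023-04-11 15:02:10.0000000,2023-04-11 15:02:10.0000000
2200,.\\Windows\\Temp,tmp1.dat,2023-04-12 09:50:00.0000000,2023-04-12 09:49:59.9000000
"""


def parse_ts(value):
    """MFTECmd writes seven fractional digits; datetime's %f accepts at most six."""
    base, _, frac = value.partition(".")
    return datetime.strptime(f"{base}.{frac[:6]}", "%Y-%m-%d %H:%M:%S.%f")


def timestomp_candidates(csv_text, tolerance_seconds=0):
    """Return [(entry number, path)] for rows where FN creation is later than SI creation.

    A freshly created file gets identical SI and FN creation stamps. Tools that rewrite
    SI through the Windows API leave FN untouched, so SI earlier than FN deserves a look.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        si_created = parse_ts(row["Created0x10"])
        fn_created = parse_ts(row["Created0x30"])
        if (fn_created - si_created).total_seconds() > tolerance_seconds:
            hits.append((int(row["EntryNumber"]), f"{row['ParentPath']}\\{row['FileName']}"))
    return hits


if __name__ == "__main__":
    for entry, path in timestomp_candidates(SAMPLE_CSV):
        print(f"possible timestomp: MFT entry {entry} {path}")
```

Treat hits as leads rather than proof: legitimate operations that recreate the $FILE_NAME attribute (such as a move) can also leave FN newer than SI, so confirm against the $UsnJrnl entries for the same MFT entry number.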

USN journal analysis

The USN journal (update sequence number journal) contains a log of the operations applied to files on the volume.
Location: $Extend -> $UsnJrnl
$UsnJrnl consists of two alternate data streams:

  • $Max
  • $J (the data stream)

When you triage with KAPE, you'll find these under $Extend -> $J and $Extend -> $Max.

# Look through USNjournal for deleted files and file changes that might not reflect in the MFT
MFTECmd.exe -f C:\Cases\E\$Extend\$J -m  C:\Cases\E\$MFT --csv C:\Cases\Analysis\NTFS

Execution Artifacts

Background Activity Moderator (BAM)

BAM only exists from Windows 10 v1709 onwards (circa 2018).
It records information about executables that have been run on a system and stores this in the SYSTEM registry hive.

Application Compatibility Cache ("AppCompatCache") / Shimcache

Another way to prove existence of malicious executables.
Registry: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
The shimcache only gets written upon system shutdown.

A file timestamp (FILETIME) is a 64-bit value representing the number of 100-nanosecond intervals that have elapsed since 1 January 1601.

Don't sort the Shimcache list by the Modified Time file timestamp, instead sort by the Cache Entry Position.
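The two points above (what a 64-bit FILETIME means, and why Shimcache should be ordered by cache entry position rather than by the file's modified time), as one added Python example. This is not code from the original note or from the EZ tools. The Shimcache rows are constructed, and the column names (CacheEntryPosition, Path, LastModifiedTimeUTC) are assumed to follow AppCompatCacheParser's CSV output:

```python
"""Added example (not from the original note): FILETIME conversion and
Shimcache ordering by CacheEntryPosition."""
import csv
import io
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10  # one FILETIME tick is 100 ns


def filetime_to_datetime(filetime):
    """UTC datetime for a FILETIME (ticks since 1601-01-01); sub-microsecond ticks are dropped."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // TICKS_PER_MICROSECOND)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime for timezone-aware datetimes."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta // timedelta(microseconds=1)) * TICKS_PER_MICROSECOND


# Constructed sample rows in (assumed) AppCompatCacheParser column layout.
# The modified times are deliberately out of step with the cache positions.
SAMPLE_SHIMCACHE = """ControlSet,CacheEntryPosition,Path,LastModifiedTimeUTC
1,0,C:\\Users\\IEUser\\Downloads\\setup.exe,2023-04-12 09:41:13
1,1,C:\\Windows\\System32\\cmd.exe,2019-03-19 04:45:24
1,2,C:\\Windows\\System32\\notepad.exe,2021-10-06 11:10:02
1,3,C:\\Program Files\\Tool\\tool.exe,2023-04-01 08:00:00
"""


def shimcache_by_position(csv_text):
    """[(position, path)] ordered by CacheEntryPosition; 0 is the most recently inserted entry."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    rows.sort(key=lambda r: int(r["CacheEntryPosition"]))
    return [(int(r["CacheEntryPosition"]), r["Path"]) for r in rows]


def shimcache_by_modified(csv_text):
    """The misleading view: ordered by the executable's own last-modified time, newest first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    rows.sort(key=lambda r: r["LastModifiedTimeUTC"], reverse=True)
    return [(int(r["CacheEntryPosition"]), r["Path"]) for r in rows]


if __name__ == "__main__":
    print(filetime_to_datetime(116444736000000000))  # the Unix epoch expressed as a FILETIME
    print(shimcache_by_position(SAMPLE_SHIMCACHE))
    print(shimcache_by_modified(SAMPLE_SHIMCACHE))
```

The modified time in a Shimcache entry is the executable's $STANDARD_INFORMATION modification time, not the time it ran, which is why sorting by it scrambles the insertion order that the cache position preserves.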

AppCompatCacheParser.exe -f C:\Cases\E\Windows\System32\config\SYSTEM --csv C:\Cases\Analysis\Exes

AmCache

AmCache is a registry hive.
It can be found at C:\Windows\AppCompat\Programs\Amcache.hve

AmcacheParser.exe -f C:\Cases\E\Windows\AppCompat\Programs\Amcache.hve --csv C:\Cases\Analysis\Exes

Prefetch

Prefetch files can be found at the path C:\Windows\Prefetch\*.pf
Windows stores a prefetch file for every application that is executed.

PECmd.exe -d C:\Cases\E\Windows\prefetch --csv C:\Cases\Analysis\Exes

Persistence Mechanisms

Consider the persistence mechanisms listed below while investigating.

Auto-Run Keys

Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Windows Services

Registry: HKLM\SYSTEM\CurrentControlSet\Services

Scheduled Tasks

Registry:

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree

Path:

  • C:\Windows\System32\Tasks

From the RegRipper output, search for "taskcache".

You can view the services configured to run using Autoruns from Sysinternals (by Mark Russinovich).

Windows Event Log Analysis

Path: C:\Windows\System32\winevt\Logs
The event ID for logons is 4624.
We discard logon type 5 because it is associated with service accounts.
We pay attention to:

  • logon type 2 (interactive),
  • 3 (network) and
  • 10 (remote interactive, e.g. through RDP)

Here is a cheatsheet of important event IDs:
Source                              Event ID  Description
Microsoft-Windows-Windows Defender  5000      Defender enabled
                                    5001      Defender disabled
System                              7045      A new service was installed
Security                            4624      An account was successfully logged on
Windows PowerShell                  400       Engine state changed from None to Available (a PowerShell engine was started)
Microsoft-Windows-Sysmon            1         Process creation
                                    3         Network connection
                                    11        File create
                                    12, 13    Registry events
                                    22        DNS query
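The logon filtering and the cheatsheet above as an added Python example (not code from the original note): it keeps 4624 events of logon type 2, 3 and 10, drops type 5, and tags other records with the cheatsheet descriptions. The event records are constructed to resemble an EVTX-to-JSON export; the field names (Time, Source, EventID, LogonType, TargetUserName, IpAddress) are assumptions, not a specific tool's schema:

```python
"""Added example (not from the original note): triage exported event records
against the event ID cheatsheet and the logon types of interest."""

# (Source, Event ID) -> description, taken from the cheatsheet above.
CHEATSHEET = {
    ("Microsoft-Windows-Windows Defender", 5000): "Defender enabled",
    ("Microsoft-Windows-Windows Defender", 5001): "Defender disabled",
    ("System", 7045): "A new service was installed",
    ("Security", 4624): "An account was successfully logged on",
    ("Windows PowerShell", 400): "PowerShell engine started",
    ("Microsoft-Windows-Sysmon", 1): "Process creation",
    ("Microsoft-Windows-Sysmon", 3): "Network connection",
    ("Microsoft-Windows-Sysmon", 11): "File create",
    ("Microsoft-Windows-Sysmon", 12): "Registry event",
    ("Microsoft-Windows-Sysmon", 13): "Registry event",
    ("Microsoft-Windows-Sysmon", 22): "DNS query",
}

# Logon types we keep; type 5 (service) is deliberately absent.
LOGON_TYPES_OF_INTEREST = {2: "interactive", 3: "network", 10: "remote interactive"}

# Constructed sample records (not real logs); field names are assumptions.
EVENTS = [
    {"Time": "2023-04-12T09:40:01Z", "Source": "Security", "EventID": 4624,
     "LogonType": 5, "TargetUserName": "SYSTEM", "IpAddress": "-"},
    {"Time": "2023-04-12T09:41:13Z", "Source": "Security", "EventID": 4624,
     "LogonType": 10, "TargetUserName": "IEUser", "IpAddress": "192.0.2.45"},
    {"Time": "2023-04-12T09:41:15Z", "Source": "Microsoft-Windows-Sysmon", "EventID": 1,
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"Time": "2023-04-12T09:41:20Z", "Source": "Microsoft-Windows-Windows Defender", "EventID": 5001},
    {"Time": "2023-04-12T09:42:02Z", "Source": "System", "EventID": 7045, "ServiceName": "UpdaterSvc"},
    {"Time": "2023-04-12T09:42:05Z", "Source": "Security", "EventID": 4624,
     "LogonType": 3, "TargetUserName": "IEUser", "IpAddress": "192.0.2.45"},
]


def triage_logons(events):
    """Return (time, user, logon type label, source IP) for 4624 events of type 2, 3 or 10."""
    hits = []
    for ev in events:
        if ev.get("Source") != "Security" or ev.get("EventID") != 4624:
            continue
        label = LOGON_TYPES_OF_INTEREST.get(ev.get("LogonType"))
        if label is None:  # type 5 (service) and any other type we do not track
            continue
        hits.append((ev["Time"], ev["TargetUserName"], label, ev.get("IpAddress", "-")))
    return hits


def tag_events(events):
    """Attach cheatsheet descriptions to matching events and return them in time order."""
    tagged = [(ev["Time"], ev["EventID"], CHEATSHEET[(ev["Source"], ev["EventID"])])
              for ev in events if (ev.get("Source"), ev.get("EventID")) in CHEATSHEET]
    return sorted(tagged)


if __name__ == "__main__":
    for row in tag_events(EVENTS):
        print(*row)
    print(triage_logons(EVENTS))
```

The time-ordered tagged list is what you would line up against the execution artifacts from the previous section; here the Defender-disabled and new-service events fall within a minute of a remote interactive logon, which is the kind of cluster worth pulling into the system timeline.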

Windows Memory Forensic Analysis

To analyze RAM in Windows, one can use Volatility as summarized below.

# image information (OS version, kernel, layer details)
vol -f DFIR\ Windows-Snapshot4.vmem windows.info

# view processes as a tree
vol -f DFIR\ Windows-Snapshot4.vmem windows.pstree

# examine a specific process id
vol -f DFIR\ Windows-Snapshot4.vmem windows.pslist --pid 5068

# dump the process
vol -f DFIR\ Windows-Snapshot4.vmem windows.pslist --pid 5068 --dump

# check the DLLs loaded by a suspicious process
vol -f DFIR\ Windows-Snapshot4.vmem windows.dlllist --pid 6436 > dlls.txt

# dump the DLLs
vol -f DFIR\ Windows-Snapshot4.vmem windows.dlllist --pid 6436 --dump

# see who owns processes (via SIDs) for multiple PIDs
vol -f DFIR\ Windows-Snapshot4.vmem windows.getsids --pid 6436 5068

# extract info from the registry (plugin help)
vol -f DFIR\ Windows-Snapshot4.vmem windows.registry.printkey -h

# list registry hives (note the hive offsets)
vol -f DFIR\ Windows-Snapshot4.vmem windows.registry.hivelist

# using the hive offset obtained above, print a key from that hive
vol -f DFIR\ Windows-Snapshot4.vmem windows.registry.printkey --offset 0xce8afd3e8000 --key AtomicRedTeam
 

The user hive is the one that contains the classes subkey

Timelines

Volatility's timeliner output is a mactime bodyfile, which can be loaded into Timeline Explorer.

# timeline with volatility
vol -f /mnt/c/Cases/Analysis/Memory/DFIR\ Windows-Snapshot4.vmem timeliner --create-bodyfile


Reporting Considerations

  • Establish expectations in the beginning
  • Consider the audience you are targeting (technical vs non technical)
  • Alternative explanations (let the facts speak for themselves)
  • Actionable information, e.g. identified IOCs (indicators of compromise) to look for on other systems, to aid the incident response lifecycle

Type of Reporting

  • Forensic Report
  • High level presentation
  • System Timeline

EZ Tools CheatSheet

Here is a cheatsheet to EZ tools

Conclusion

This serves as an introduction to Windows Forensics in a practical format that you can use to get up and running when you need to carry out a Digital Forensics Investigation.