# Practical Windows Forensics
###### tags: `dfir` `blue team` `volatility` `memory forensics` `defense against the dark arts`
## Introduction
This article is meant to serve as a 'how to' guide for Incident Response and Digital Forensics practitioners.
It assumes prior security knowledge and only highlights a methodology that I have personally found useful when conducting investigations.
## Agenda
The go-to methodology to get up and running with forensics is as follows:
1. Extract Evidence
2. Mount with Arsenal Image Mounter
3. Parse with KAPE into a cases folder
4. Examine Registry with RegRipper and output findings to text file for further searching
## Forensics Process
The forensics process can broadly be classified into the following steps:
- Data identification
- Data Acquisition
- Verify integrity (hash the evidence at acquisition and re-hash it at the end of the engagement to show it has not changed)
### Order of Volatility (RFC 3227)
While acquiring evidence, collect the most volatile sources first. RFC 3227 lists them in this order:
- Registers, cache
- Routing table, ARP cache, process table, kernel statistics, memory
- Temporary file systems
- Disk
- Remote logging and monitoring data that is relevant to the system in question
- Physical configuration, network topology
- Archival media
## Acquisition
```
# Hash an evidence file on Windows (cmd.exe) and save the digest next to it (example path)
certutil -hashfile C:\Cases\E\image.E01 SHA256 > C:\Cases\E\image.E01.sha256.txt
# Print it out
type C:\Cases\E\image.E01.sha256.txt
# Re-run certutil -hashfile on the same file at the end of the case and compare the two digests
```
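The same create-then-verify workflow across a whole evidence folder, as an added Python example that is not part of the original article. The evidence directory is a temporary folder with constructed files so it runs offline; the file names (`image.E01`, `memory.vmem`, `notes.txt`) are assumptions standing in for real acquisitions.

```python
"""Evidence integrity: hash every file at acquisition, re-verify later.

Added example (not from the original article). The evidence folder and the
file names are assumptions; a temporary directory with constructed files
stands in for a real acquisition so the script runs offline.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB chunks so disk images need not fit in RAM


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, algorithm="sha256"):
    """Map relative path -> digest for every file under evidence_dir (the 'start' hash)."""
    manifest = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, evidence_dir)] = hash_file(full, algorithm)
    return manifest


def verify_manifest(evidence_dir, manifest, algorithm="sha256"):
    """Re-hash each item and report {relpath: 'ok' | 'MODIFIED' | 'MISSING'} (the 'end' check)."""
    result = {}
    for rel, expected in manifest.items():
        full = os.path.join(evidence_dir, rel)
        if not os.path.exists(full):
            result[rel] = "MISSING"
        elif hash_file(full, algorithm) != expected:
            result[rel] = "MODIFIED"
        else:
            result[rel] = "ok"
    return result


def demo():
    """Constructed scenario: three 'evidence' files; one is altered and one deleted after hashing."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        with open(os.path.join(evidence_dir, "image.E01"), "wb") as fh:
            fh.write(b"\x00" * (3 * CHUNK + 17))  # spans several chunks (constructed content)
        with open(os.path.join(evidence_dir, "memory.vmem"), "wb") as fh:
            fh.write(b"MEMORY")
        with open(os.path.join(evidence_dir, "notes.txt"), "wb") as fh:
            fh.write(b"analyst notes")
        manifest = build_manifest(evidence_dir)
        # Simulate accidental modification of one file and loss of another
        with open(os.path.join(evidence_dir, "memory.vmem"), "ab") as fh:
            fh.write(b"!")
        os.remove(os.path.join(evidence_dir, "notes.txt"))
        return verify_manifest(evidence_dir, manifest)


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:8s} {rel}")
```

Store the manifest outside the evidence folder (ideally on write-once media or in the case notes) so the later verification does not trust a file that sits alongside the evidence it is meant to check.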
## Windows OS: Sources of Evidence
Fundamental sources of forensics evidence:
- Memory
- Disk
- NTFS
- Windows Registry
- Windows Event logs
- Other windows artifacts
## Disk Analysis Process
- System and user information
- Registry
- File analysis
- NTFS
- Evidence of execution
- Background Activity Moderator
- Shimcache
- Amcache
- Prefetch
- Persistence Mechanisms
- Run Keys
- Startup Folder
- Scheduled tasks
- Services
- Event Log Analysis
## Windows Registry
The registry is a hierarchical database of keys and values, stored on disk as a set of hive files.
* HKEY_CURRENT_USER is a symbolic link to the logged-on user's subkey under HKEY_USERS (HKEY_USERS\<SID>).
* HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes (file associations and COM class registrations); the per-user half is backed by UsrClass.dat.
* HKEY_LOCAL_MACHINE holds the system-wide hives: SAM, SECURITY, SOFTWARE and SYSTEM.
Once you've extracted evidence using KAPE, you can find the system hives under ```C:\Windows\System32\config``` (SAM, SECURITY, SOFTWARE, SYSTEM).
A user only gets a profile, and therefore per-user hives, after logging on interactively (console or RDP); a pure network logon does not create one.
NTUSER.DAT holds the user's HKCU settings and lives in the profile root, e.g. ```C:\Users\IEUser\NTUSER.DAT```.
UsrClass.dat holds the user's HKCU\Software\Classes data (what that user sees under HKEY_CLASSES_ROOT, including Shellbags) and lives at ```C:\Users\IEUser\AppData\Local\Microsoft\Windows\UsrClass.dat```.
Transaction log files (.LOG1 and .LOG2 next to each hive) hold changes to keys and values that have not yet been committed to the hive file; a hive copied while "dirty" can be missing recent activity until the logs are replayed, which Registry Explorer can do for you.
## RegRipper
rip.exe is RegRipper's command-line tool: `-r` points it at a hive file and `-p` selects a plugin. Plugins include:
|Plugin name| Function| Example |
|:--------|----|------ |
| winver | Windows version and build | rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p winver |
| timezone | time zone | rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p timezone |
| nic2 | network interface configuration | rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p nic2 |
| networklist | networks (wired and wireless APs) the host has connected to, with first/last connect dates | rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p networklist |
| shutdown | last shutdown time | rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p shutdown |
| defender | Windows Defender configuration (exclusions, disabled features) | rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p defender |
To run RegRipper over every hive at once, first unhide the user hives (UsrClass.dat and NTUSER.DAT carry the hidden attribute) in the folder they were copied to:
```
attrib *
attrib -h UsrClass.dat
attrib -h NTUSER.dat
```
Then loop over the hives, letting rip.exe pick the plugins that apply to each hive type (`-a`) and writing each hive's output to a text file next to it:
```
for /r %i in (*) do (C:\Tools\RegRipper\RegRipper3.0-master\rip.exe -r %i -a > %i.txt)
```
Use `%%i` instead of `%i` if you put the loop in a batch file, and run it once against a folder that holds only hives: on a second run the loop also feeds the generated .txt files to rip.exe.
## Starting Point
### System Information
- Computer name:
Registry: HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
- Windows version:
Registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
- Time zone:
Registry: HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
- Network information:
Registry: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{interface-GUID}
- Shutdown time:
Registry: HKLM\SYSTEM\ControlSet001\Control\Windows\ShutdownTime
- Defender settings:
Registry: HKLM\SOFTWARE\Microsoft\Windows Defender
An offline SYSTEM hive has no CurrentControlSet link: read HKLM\SYSTEM\Select\Current to learn which ControlSet00N was active and use that key in place of CurrentControlSet.
### Users, Groups and User Profiles
Questions to answer (the SAM hive via RegRipper's samparse plugin, plus HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList for profiles):
* Active accounts during the attack timeframe?
* Which account(s) were created?
* Which accounts are Administrator group members?
* Which users have profiles?
### User Behavior
|Item | Description | Hive |
|:------|--------------|------|
| UserAssist | GUI applications launched (ROT13-encoded names, run count, last run time) | NTUSER.DAT |
| RecentDocs | Files and folders opened | NTUSER.DAT |
| Shellbags | Folders browsed in Explorer, including removable and network locations | UsrClass.dat (and NTUSER.DAT on older versions) |
| Open/Save MRU | Files opened or saved through the common dialog (ComDlg32\OpenSavePidlMRU) | NTUSER.DAT |
| Last-Visited MRU | Applications that used the common dialog and the folder each last used (ComDlg32\LastVisitedPidlMRU) | NTUSER.DAT |
UserAssist is kept per user, so when examining multiple users you have to load each of their NTUSER.DAT hives (and UsrClass.dat for Shellbags).
## NTFS - File System Analysis
```
# parse the whole $MFT to CSV (open with Timeline Explorer later)
MFTECmd.exe -f C:\Cases\E\$MFT --csv C:\Cases\Analysis\NTFS --csvf JAnalysis.csv
# dump the details of a single record given its entry number
MFTECmd.exe -f C:\Cases\E\$MFT --de 84937
```
MACB notation used by timeline tools, mapped onto the $STANDARD_INFORMATION timestamps:
- Modified `m...` - content last written
- Accessed `.a..` - last accessed
- Changed `..c.` - $MFT record (metadata) last changed
- Birth `...b` - created
"Changed" is the modification time of the $MFT record itself, not of the file content.
$MFT is the Master File Table: every file and directory on the volume has a record in it, and records of deleted files remain (marked unallocated) until they are reused, which is how deleted files are recovered from it.
Each record carries two sets of timestamps: $STANDARD_INFORMATION (SI, attribute 0x10) and $FILE_NAME (FN, attribute 0x30). FN timestamps are written by the kernel when the file is created, moved or renamed.
Only the SI timestamps can be changed from user mode (SetFileTime and the other Windows API calls touch SI only), so timestomping tools rewrite SI and leave FN alone.
When an SI timestamp is earlier than the corresponding FN timestamp (most tellingly the creation time), the file has possibly been timestomped, i.e. its timestamps have been altered. SI timestamps with all-zero sub-second digits are a second hint, since many stomping tools only write whole seconds.
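The SI-versus-FN comparison and the zero sub-second check, run over MFTECmd-style CSV rows, as an added example that is not part of the article or of MFTECmd (recent MFTECmd versions flag both conditions in their own columns; the point here is the logic). The CSV is constructed, and the column names (Created0x10 for $STANDARD_INFORMATION, Created0x30 for $FILE_NAME, and so on) are an assumption about the parser's headers, so adjust them to yours.

```python
"""Timestomping indicators over MFTECmd-style CSV rows.

Added example, not part of the article or of MFTECmd. The CSV below is
constructed; the column names (Created0x10 = $STANDARD_INFORMATION,
Created0x30 = $FILE_NAME, LastModified0x10/0x30 likewise) are assumptions.
"""
import csv
import io
from datetime import datetime, timezone

SAMPLE_CSV = """\
ParentPath,FileName,Created0x10,Created0x30,LastModified0x10,LastModified0x30
.\\Users\\IEUser\\Documents,report.docx,2023-03-01 10:00:00.1234567,2023-03-01 10:00:00.1234567,2023-03-02 09:15:42.6543210,2023-03-01 10:00:00.1234567
.\\Windows\\Temp,svchst.exe,2015-06-01 08:00:00.0000000,2023-03-05 14:22:10.9876543,2015-06-01 08:00:00.0000000,2023-03-05 14:22:10.9876543
.\\Users\\IEUser\\Downloads\\tool,readme.txt,2023-03-06 11:00:00.5000000,2023-03-06 11:00:00.5000000,2021-01-15 12:30:00.0000000,2023-03-06 11:00:00.5000000
"""


def parse_ts(value):
    """Parse 'YYYY-MM-DD HH:MM:SS[.fffffff]' (up to seven fractional digits, i.e. 100 ns
    resolution) into a (datetime to the second, 100 ns ticks) tuple that compares correctly."""
    base, _, frac = value.partition(".")
    dt = datetime.strptime(base, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    ticks = int((frac + "0000000")[:7]) if frac else 0
    return dt, ticks


def timestomp_indicators(row):
    """Return the indicators for one $MFT row (empty list = nothing suspicious)."""
    reasons = []
    si_created, fn_created = parse_ts(row["Created0x10"]), parse_ts(row["Created0x30"])
    # FN timestamps are set by the kernel and cannot be reached from the user-mode API,
    # so a file cannot legitimately be "created" before its $FILE_NAME says it was.
    if si_created < fn_created:
        reasons.append("SI created earlier than FN created")
    # SetFileTime-based stomping tools usually write whole seconds, leaving the
    # sub-second digits zero. Weak signal: files copied from FAT media or extracted
    # from archives carry second-granularity times too (see readme.txt below).
    for column in ("Created0x10", "LastModified0x10"):
        if parse_ts(row[column])[1] == 0:
            reasons.append(f"{column} has zero sub-second digits")
    return reasons


def scan_mft_csv(text):
    """Map full path -> indicators for every flagged row in an MFTECmd-style CSV."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(text)):
        reasons = timestomp_indicators(row)
        if reasons:
            flagged[f'{row["ParentPath"]}\\{row["FileName"]}'] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in scan_mft_csv(SAMPLE_CSV).items():
        print(path, "->", "; ".join(reasons))
```

The SI modified time is deliberately not compared with FN modified: a rename or an archive extraction legitimately leaves SI modified older than FN modified, so only the creation pair is a strong signal.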
### USN journal analysis
The USN (update sequence number) journal logs the operations applied to files on the volume (create, delete, rename, data overwrite and so on), each tagged with a reason code and a timestamp.
Location: $Extend\$UsnJrnl
$UsnJrnl consists of two alternate data streams:
- $Max (journal metadata such as its maximum size)
- $J (the change records themselves)
When you triage with KAPE, you'll find these as $Extend\$J and $Extend\$Max
```
# Look through the USN journal for deleted files and file changes that may no longer be reflected in the $MFT;
# -m supplies the $MFT so entry numbers can be resolved to full paths
MFTECmd.exe -f C:\Cases\E\$Extend\$J -m C:\Cases\E\$MFT --csv C:\Cases\Analysis\NTFS
```
## Execution Artifacts
### Background Activity Moderator (BAM)
Present since Windows 10 v1709 (released late 2017).
It records the full path and last execution time of executables per user (keyed by SID) in the SYSTEM hive: HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID} (without the State subkey on 1709 and 1803).
### Application Compatibility Cache ("AppCompatCache") / Shimcache
Another way to prove that an executable existed on the system.
Registry: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
The in-memory cache is only flushed to the registry at shutdown or reboot, so the copy in an offline SYSTEM hive lags the live system by up to one uptime period.
The timestamp stored with each entry is the file's $STANDARD_INFORMATION last-modified time, a 64-bit FILETIME: the number of 100-nanosecond intervals elapsed since 1 January 1601 UTC. It is not an execution time.
Don't sort the Shimcache list by that modified time; sort by the cache entry position, since entries are stored in insertion order (most recent first) and that order is the closest thing to an execution sequence the artifact offers. On Windows 8 and later an entry proves the file was present and inspected, not necessarily that it ran.
```
AppCompatCacheParser.exe -f C:\Cases\E\Windows\System32\config\SYSTEM --csv C:\Cases\Analysis\Exes
```
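FILETIME decoding and the "sort by cache position, not by modified time" point, as an added Python example that is neither the article's code nor part of AppCompatCacheParser. The Shimcache entries are constructed, and the column meanings (cache entry position, path, last-modified FILETIME) are assumptions about what the parser's CSV carries.

```python
"""FILETIME conversion and Shimcache ordering.

Added example; not the article's code and not part of AppCompatCacheParser.
The entries are constructed, and the tuple layout (cache entry position,
path, last-modified FILETIME) is an assumption about the parser's CSV columns.
"""
from datetime import datetime, timedelta, timezone

# 100 ns ticks from 1601-01-01 (FILETIME epoch) to 1970-01-01 (Unix epoch)
EPOCH_DIFF_TICKS = 116_444_736_000_000_000
TICKS_PER_SECOND = 10_000_000
_UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME (100 ns intervals since 1601-01-01 UTC) to an aware datetime.

    datetime only stores microseconds, so the lowest digit (a single 100 ns tick)
    is dropped; keep the raw integer when exact comparisons matter.
    """
    if not 0 <= filetime < 1 << 64:
        raise ValueError("FILETIME must be an unsigned 64-bit integer")
    return _UNIX_EPOCH + timedelta(microseconds=(filetime - EPOCH_DIFF_TICKS) // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime for aware datetimes (microsecond precision)."""
    delta = dt - _UNIX_EPOCH
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10 + EPOCH_DIFF_TICKS


# Constructed Shimcache entries as a parser would present them:
# (cache entry position, path, last-modified FILETIME of the file when it was inserted)
SAMPLE_ENTRIES = [
    (0, r"C:\Users\IEUser\Downloads\update.exe", 130_000_000_000_000_000),  # old file, newest entry
    (1, r"C:\Windows\System32\cmd.exe", 133_170_048_000_000_000),
    (2, r"C:\Windows\System32\notepad.exe", 133_000_000_000_000_000),
]


def by_cache_position(entries):
    """Paths in insertion order, most recent first: the order the investigator wants."""
    return [path for _pos, path, _ft in sorted(entries)]


def by_modified_time(entries):
    """Paths sorted by the file's own modification time: looks like a timeline but is not one."""
    return [path for _pos, path, _ft in sorted(entries, key=lambda e: e[2], reverse=True)]


def describe(entries):
    """Rows in cache order with the FILETIME decoded to ISO 8601 UTC."""
    return [
        {"position": pos, "path": path, "file_modified_utc": filetime_to_datetime(ft).isoformat()}
        for pos, path, ft in sorted(entries)
    ]


if __name__ == "__main__":
    print("by cache position:", by_cache_position(SAMPLE_ENTRIES))
    print("by modified time: ", by_modified_time(SAMPLE_ENTRIES))
    for row in describe(SAMPLE_ENTRIES):
        print(row)
```

In the constructed data the most recently inserted entry (position 0) is a downloaded executable with an old modification time, so sorting by modified time pushes it to the bottom of the list, the opposite of what the artifact is telling you.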
### AmCache
Amcache.hve is a registry-format hive written by the application compatibility framework.
Path: C:\Windows\AppCompat\Programs\Amcache.hve
Besides path, size and version information it stores a SHA-1 of each executable, which is handy for threat-intel lookups; note that the hash covers only the first 31 MB of the file, so for larger binaries it will not match a full-file hash.
```
AmcacheParser.exe -f C:\Cases\E\Windows\AppCompat\Programs\Amcache.hve --csv C:\Cases\Analysis\Exes
```
### Prefetch
Prefetch files live at C:\Windows\Prefetch\*.pf, named EXENAME.EXE-<hash>.pf.
When prefetching is enabled (the default on workstations; off by default on Windows Server), Windows writes one for each executable that runs, recording the run count, the last eight run times (Windows 8 and later) and the files and directories the program touched during its first seconds.
```
PECmd.exe -d C:\Cases\E\Windows\prefetch --csv C:\Cases\Analysis\Exes
```
## Persistence Mechanisms
Consider the persistence mechanisms listed below while investigating.
### Auto-Run Keys
Registry:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
### Windows Services
Registry: HKLM\SYSTEM\CurrentControlSet\Services
### Scheduled Tasks
Registry:
* HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
* HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
Path:
* C:\Windows\System32\Tasks
From the RegRipper output, search for ```taskcache```.
Autoruns from [Sysinternals](https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns) (Mark Russinovich) enumerates all of these autostart locations, including services and scheduled tasks, and can be pointed at a mounted image through File > Analyze Offline System.
## Windows Event Log Analysis
Path: C:\Windows\System32\winevt\Logs
The event ID for successful logons is 4624; its LogonType field tells you how the account got in.
Catch up on 4624 [here](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624)
Logon type 5 (service) is normally discarded: it is generated every time a service starts under its configured account and rarely reflects attacker activity.
We pay attention to:
- logon type 2 (interactive, at the console),
- 3 (network, e.g. SMB shares, WinRM, PsExec) and
- 10 (remote interactive, i.e. RDP)
[Here](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/) is a cheatsheet for important event IDs
| Source | EventID | Description |
| :-------| ------|--------|
| Microsoft-Windows-Windows Defender | 5000 | Real-time protection enabled |
| | 5001 | Real-time protection disabled |
| System | 7045 | A new service was installed |
| Security | 4624 | An account was successfully logged on |
| Windows PowerShell | 400 | Engine state changed from None to Available (a PowerShell engine was started) |
| Microsoft-Windows-Sysmon | 1 | Process creation |
| | 3 | Network connection |
| | 11 | File create |
| | 12, 13 | Registry events |
| | 22 | DNS query |
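The 4624 triage described above (keep logon types 2, 3 and 10, drop type 5), applied to event records in the Windows event XML schema, as an added Python example that is not part of the article. The six records are constructed in code; the host name, account names and the 10.0.0.25 address are invented, and the machine-account filter is this example's own choice.

```python
"""Filter Security 4624 events by logon type.

Added example, not the article's tooling. The records are constructed in the
Windows event XML schema (the shape an EVTX parser or Get-WinEvent's ToXml()
produces); host, users and addresses are invented.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
INTERESTING = {2, 3, 10}  # console, network (SMB/WinRM/PsExec), RDP


def _record(event_id, time, user, domain, logon_type, ip):
    """Build one constructed Security event (Windows event XML schema)."""
    return f"""<Event xmlns="{NS['e']}">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{time}"/>
    <Computer>WS01.corp.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">{domain}</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


SAMPLE_RECORDS = [  # constructed
    _record(4624, "2023-03-05T08:01:12Z", "IEUser", "WS01", 2, "-"),
    _record(4624, "2023-03-05T08:01:15Z", "SYSTEM", "NT AUTHORITY", 5, "-"),
    _record(4624, "2023-03-05T13:58:40Z", "WS01$", "CORP", 3, "10.0.0.25"),
    _record(4624, "2023-03-05T13:59:02Z", "svc_backup", "CORP", 3, "10.0.0.25"),
    _record(4624, "2023-03-05T14:00:31Z", "svc_backup", "CORP", 10, "10.0.0.25"),
    _record(4634, "2023-03-05T14:30:00Z", "svc_backup", "CORP", 10, "-"),  # logoff, not a logon
]


def parse_event(xml_text):
    """Flatten the System fields and EventData of one event into a dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "event_id": int(system.find("e:EventID", NS).text),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.find("e:Computer", NS).text,
    }
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def interesting_logons(records, include_machine_accounts=False):
    """Keep 4624 events with logon type 2, 3 or 10; drop type 5 (service) and everything else."""
    out = []
    for rec in map(parse_event, records):
        if rec["event_id"] != 4624:
            continue
        logon_type = int(rec["LogonType"])
        if logon_type not in INTERESTING:
            continue
        if rec["TargetUserName"].endswith("$") and not include_machine_accounts:
            continue  # computer accounts authenticating to each other are mostly noise
        out.append({
            "time": rec["time"],
            "user": f'{rec["TargetDomainName"]}\\{rec["TargetUserName"]}',
            "logon_type": logon_type,
            "type_name": LOGON_TYPES[logon_type],
            "source_ip": rec["IpAddress"],
            "computer": rec["computer"],
        })
    return sorted(out, key=lambda e: e["time"])


def logons_by_source(logons):
    """Count (source_ip, user) pairs: a remote address that shows a network logon
    followed by an RDP logon for the same account deserves a closer look."""
    counts = {}
    for entry in logons:
        key = (entry["source_ip"], entry["user"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for entry in interesting_logons(SAMPLE_RECORDS):
        print(entry["time"], entry["type_name"], entry["user"], "from", entry["source_ip"])
```

Feed it real records by exporting the Security log to XML (for instance one `<Event>` element per record from an EVTX parser) and passing the strings to `interesting_logons`.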
## Windows Memory Forensic Analysis
To analyze RAM on Windows, one option is Volatility 3 (`vol`), as summarised below. Quote the image path if it contains spaces.
```
# identify the OS/kernel build and confirm the image is readable
vol -f "DFIR Windows-Snapshot4.vmem" windows.info
# view processes as a tree (spot odd parents, e.g. cmd.exe under a browser)
vol -f "DFIR Windows-Snapshot4.vmem" windows.pstree
# examine a specific process id
vol -f "DFIR Windows-Snapshot4.vmem" windows.pslist --pid 5068
# dump the process image to disk for static analysis
vol -f "DFIR Windows-Snapshot4.vmem" windows.pslist --pid 5068 --dump
# list the DLLs loaded by a suspicious process
vol -f "DFIR Windows-Snapshot4.vmem" windows.dlllist --pid 6436 > dlls.txt
# dump those DLLs
vol -f "DFIR Windows-Snapshot4.vmem" windows.dlllist --pid 6436 --dump
# see who owns processes (SIDs) for multiple pids
vol -f "DFIR Windows-Snapshot4.vmem" windows.getsids --pid 6436 5068
# registry: show printkey's options
vol -f "DFIR Windows-Snapshot4.vmem" windows.registry.printkey -h
# list the hives mapped in memory, with their offsets
vol -f "DFIR Windows-Snapshot4.vmem" windows.registry.hivelist
# using an offset from hivelist, print a key from that hive
vol -f "DFIR Windows-Snapshot4.vmem" windows.registry.printkey --offset 0xce8afd3e8000 --key AtomicRedTeam
```
In the hivelist output, the per-user hive that backs the Classes subkey (HKCU\Software\Classes) is UsrClass.dat; the rest of HKCU comes from NTUSER.DAT.
## Timelines
Volatility's timeliner plugin can write a mactime body file (`--create-bodyfile`), the format The Sleuth Kit's mactime consumes; convert it with `mactime -b <bodyfile> -d` to get a CSV that Timeline Explorer can open, or merge it with the MFTECmd and event log output into a single timeline.
```
# timeline with volatility
vol -f "/mnt/c/Cases/Analysis/Memory/DFIR Windows-Snapshot4.vmem" timeliner --create-bodyfile
```
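A parser for that body file format, as an added Python example that is not code from the article, Volatility or The Sleuth Kit. The three body lines are constructed; the field layout assumed is the TSK 3.x body format `MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime` with Unix epoch seconds, and a timestamp of 0 or -1 is treated as "not set", which is this example's assumption about how absent times appear.

```python
"""Parse a mactime body file into a sorted MACB timeline.

Added example, not from the article, Volatility or The Sleuth Kit. The lines
below are constructed; the assumed layout is the TSK 3.x body format
MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime with Unix
epoch seconds, where 0 or -1 means the source had no such timestamp.
"""
from datetime import datetime, timezone

SAMPLE_BODY = """\
0|[ntfs] \\Windows\\Temp\\svchst.exe|0|0|0|0|4096|1678025000|1678024990|1678024990|1678024990
0|[pslist] svchst.exe (PID 5068)|0|0|0|0|0|0|0|0|1678025010
0|[prefetch] SVCHST.EXE-1A2B3C4D.pf|0|0|0|0|0|0|1678025020|0|0
"""

FLAG_ORDER = "macb"  # order of the flags in mactime output: modified, accessed, changed, born


def parse_bodyfile(text):
    """Explode each body line into one timeline entry per distinct timestamp,
    merging flags the way mactime does (e.g. 'm.cb' when M, C and B coincide)."""
    entries = {}
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"line {line_no}: expected 11 fields, got {len(fields)}")
        _md5, name, _inode, _mode, _uid, _gid, size, atime, mtime, ctime, crtime = fields
        stamps = {"a": atime, "m": mtime, "c": ctime, "b": crtime}
        for flag, raw in stamps.items():
            ts = int(raw) if raw.strip() else 0
            if ts <= 0:
                continue  # 0 / -1: no timestamp of this kind for the source
            entries.setdefault((ts, name), {"size": int(size or 0), "flags": set()})["flags"].add(flag)
    timeline = []
    for (ts, name), info in sorted(entries.items()):
        macb = "".join(f if f in info["flags"] else "." for f in FLAG_ORDER)
        timeline.append({
            "time": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
            "epoch": ts, "macb": macb, "size": info["size"], "name": name,
        })
    return timeline


def window(timeline, start_epoch, end_epoch):
    """Narrow a timeline to [start, end], e.g. around a known malicious process start."""
    return [e for e in timeline if start_epoch <= e["epoch"] <= end_epoch]


if __name__ == "__main__":
    for entry in parse_bodyfile(SAMPLE_BODY):
        print(entry["time"], entry["macb"], entry["size"], entry["name"])
```

Because the body format is shared, MFTECmd's bodyfile output (`--body`) and a Volatility bodyfile can be concatenated and parsed together, which is the quickest way to line up disk and memory evidence around a pivot time.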
## Reporting Considerations
- Establish expectations at the beginning
- Consider the audience you are targeting (technical vs non-technical)
- Consider alternative explanations and let the facts speak for themselves
- Provide actionable information, e.g. identified IOCs (indicators of compromise) to hunt for on other systems, feeding the incident response lifecycle
### Type of Reporting
* Forensic Report
* High level presentation
* System Timeline
## EZ Tools CheatSheet
[Here](https://sansorg.egnyte.com/dl/cOBcwZSosv) is a cheatsheet to EZ tools
## Conclusion
This serves as an introduction to Windows Forensics in a practical format that you can use to get up and running when you need to carry out a Digital Forensics Investigation.