Investigating Windows Endpoints

Tooling (Windows)

| Area | Tool | Description |
| --- | --- | --- |
| Throw-Away Sandbox | Windows Sandbox | Enable in Windows Features |
| Linux | WSL2 | |
| Tools | Sysinternals Suite | Install through app store |
| Tools | PowerToys | Install through app store |
| Image Access | FTK Imager | |
| Image Access | Arsenal Recon Image Mounter | |
| Rest | Zimmerman Toolkit | Install through Get-Zimmerman.ps1 |
| Rest | KAPE | |
| Browser History | NirSoft BrowsingHistoryView | |

Windows Event Logs

  • Windows XP: 3 event logs: application, system, security
  • since Windows Vista
    • evtx format
      • channels → log name
      • provider → writes to a channel
    • Files in windows\system32\winevt\logs
      • location can be changed in the registry
      • only lsass can write to the security log
      • default size 20 MB, short event horizon
  • access with Windows Event Viewer or PowerShell
    • Windows Terminal as administrator
    • Get-Help Get-WinEvent, Get-WinEvent -LogName Security or Get-EventLog (deprecated)
    • List all event IDs a single provider can write: (Get-WinEvent -ListProvider Microsoft-Windows-TaskScheduler).Events | Format-Table Id, Description

Common IDs

  • 4624: account logon event (Security channel)
    • logon type 3: network logon
  • 4688: process creation event (Security; not turned on by default)
  • 7045: service installation event (System)
  • ntdsutil for snapshotting the NTDS.dit
    • event ID 216

Windows Registry

  • Configuration database
  • partially in-memory only
    • when backed on the filesystem: registry hives
      • windows\system32\config
        • default
        • sam
        • security
        • software
        • system
      • two user-specific hives
        • ntuser.dat
        • usrclass.dat
  • keys and subkeys have a last-write timestamp, values do not
  • root registry keys
    • HKEY_CLASSES_ROOT: file-extension associations
    • HKEY_CURRENT_USER: ntuser.dat + part of usrclass.dat
    • HKEY_LOCAL_MACHINE: files under config
      • BCD and HARDWARE are in-memory only
    • HKEY_USERS: configuration for all active users
      • .DEFAULT maps to the Default file in config
    • HKEY_CURRENT_CONFIG: current hardware profile
  • RegBack: was a registry backup (not used anymore)
  • Many hidden files (.log1, .log2, UUIDs)
    • transaction log journals
  • hives stored outside config
    • AppData\Local\Microsoft\Windows → usrclass.dat
    • windows\appcompat\programs → amcache.hve

| Registry | Use-Case |
| --- | --- |
| RunMRU | (Run dialog) a command must have been executed successfully to be included here |
| UserAssist | evidence of execution (EoE) for GUI-based programs |
| MUICache | GUI-based programs |
| ShellBags | which folders (and zip files) were viewed by the user |
| ASEP | Run/RunOnce |
| USBStor | which USB devices were connected |
| ControlSet | information about time zones, etc. |
| appcompatcache | evidence of execution |
| shimcache | evidence of execution |

Evidence of Execution

  • what ran on a system?
  • typically uses something that was put in place to improve UX or compatibility

Prefetch

  • purpose: speed up subsequent launches of applications
  • background process that runs for 10 seconds and analyzes which files a program is interacting with
  • for both GUI and CLI programs
  • information is stored on the filesystem in %SYSTEMROOT%\Prefetch as .pf files
  • use PECmd.exe to parse it
  • it's normal for svchost to be there multiple times (the command line, e.g. -k, is part of the hash)

shimcache / appcompatcache

  • for legacy applications
  • database is stored in the registry, in the ControlSet
  • cannot be used in Windows 10 and later
  • AppCompatCacheParser.exe (Zimmerman)

amcache

  • registry hive
  • evidence of presence, not execution
  • tracks SHA1 hash and compilation time of the executable
  • Registry Explorer: InventoryApplication, InventoryApplicationFile, InventoryDriverBinary
  • AmcacheParser.exe -f amcache.hve --csv c:\temp
  • how to extract amcache.hve?
    • FTK Imager → Add Evidence Item (physical drive) → Windows → appcompat → programs → amcache + journals
    • right click: Export Files

Program Compatibility Assistant

  • PcaAppLaunchDic.txt → full path of the binary that was executed and the last time it was executed
  • in the database: path to the binary, amcache program ID

MUICache

  • Multilingual User Interface cache for GUI-based programs
  • populated the first time an executable runs, but carries no timestamp
  • usrclass.dat hive

UserAssist

  • GUI-based programs
  • uses ntuser.dat
  • use Registry Explorer
  • RECmd → Batch: Kroll_Batch

SRUM

  • %windows%\system32\sru
  • also grab the software hive
  • SrumECmd.exe -d <tmp-directory> --csv <output-directory>

Persistence, Priv-Esc and Movement

Services and Scheduled Tasks

  • Registry ASEP batch with RECmd to find autostart services
  • gkape.exe → target: Registry Hives, module: recmd_registry_aseps → destination (Desktop)

privilege escalation

using ntdsutil

  • ntdsutil.exe (only on a domain controller)
  • ntdsutil "ac i ntds" "ifm" "create full c:\ProgramData\Backup" q q
    • creates an "Active Directory" and a "registry" directory
  • Event Viewer: Application channel, ESENT 325 (6704)

Lateral Movement

  • Windows log: 4624 type 3 (network logon)
  • 5140/5145 → SMB share access
  • 5156: connectivity between systems
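Added example (not part of these notes) that ties the IDs from "Common IDs" and this section together: a network logon (4624 type 3), admin-share access (5140/5145) from the same source IP shortly after, a service installation (7045) and the matching process creation (4688). The records are constructed to look like Get-WinEvent output with the EventData fields flattened into a dict; the field names (LogonType, IpAddress, ShareName, RelativeTargetName, ServiceName, ImagePath, NewProcessName) follow the events' EventData element names, which is an assumption to check against your own export.

```python
"""Correlate the event IDs from the notes into a lateral-movement timeline.

Added example, not part of the course notes. The records are constructed
to resemble Get-WinEvent output after the EventData fields have been
flattened into a dict (e.g. by exporting to JSON); the field names are an
assumption. Nothing here reads a live log.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"Id": 4624, "LogName": "Security", "Time": "2024-03-01T10:00:01",
     "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.25"},
    {"Id": 4624, "LogName": "Security", "Time": "2024-03-01T10:00:02",
     "LogonType": 2, "TargetUserName": "alice", "IpAddress": "-"},
    {"Id": 4624, "LogName": "Security", "Time": "2024-03-01T10:00:03",
     "LogonType": 3, "TargetUserName": "bob", "IpAddress": "10.0.0.40"},
    {"Id": 5140, "LogName": "Security", "Time": "2024-03-01T10:00:04",
     "ShareName": r"\\*\Public", "IpAddress": "10.0.0.40", "SubjectUserName": "bob"},
    {"Id": 5140, "LogName": "Security", "Time": "2024-03-01T10:00:05",
     "ShareName": r"\\*\ADMIN$", "IpAddress": "10.0.0.25", "SubjectUserName": "svc_backup"},
    {"Id": 5145, "LogName": "Security", "Time": "2024-03-01T10:00:06",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "svc.exe",
     "IpAddress": "10.0.0.25", "SubjectUserName": "svc_backup"},
    {"Id": 7045, "LogName": "System", "Time": "2024-03-01T10:00:09",
     "ServiceName": "updater", "ImagePath": r"C:\Windows\svc.exe"},
    {"Id": 4688, "LogName": "Security", "Time": "2024-03-01T10:00:10",
     "NewProcessName": r"C:\Windows\svc.exe", "SubjectUserName": "SYSTEM"},
]


def _ts(rec):
    return datetime.fromisoformat(rec["Time"])


def _within(later, earlier, window):
    """True when `later` happened 0..window seconds after `earlier`."""
    return 0 <= (_ts(later) - _ts(earlier)).total_seconds() <= window


def network_logons(events):
    """4624 with LogonType 3: the logon came over the network."""
    return [e for e in events if e["Id"] == 4624 and e.get("LogonType") == 3]


def admin_share_access(events):
    """5140 (share connected) / 5145 (object on share checked) to a hidden ($) share."""
    return [e for e in events if e["Id"] in (5140, 5145) and e["ShareName"].endswith("$")]


def service_installs(events):
    """7045 in the System channel: a new service was registered."""
    return [e for e in events if e["Id"] == 7045]


def correlate(events, window=60):
    """One finding per network logon that is followed, within `window`
    seconds, by admin-share access from the same IP; services installed
    shortly after that access and their process creations are attached."""
    by_ip = defaultdict(list)
    for e in sorted(admin_share_access(events), key=_ts):
        by_ip[e["IpAddress"]].append(e)
    installs = sorted(service_installs(events), key=_ts)
    procs = [e for e in events if e["Id"] == 4688]
    findings = []
    for logon in sorted(network_logons(events), key=_ts):
        shares = [s for s in by_ip[logon["IpAddress"]] if _within(s, logon, window)]
        if not shares:
            continue
        svcs = [s for s in installs if _within(s, shares[-1], window)]
        images = {s["ImagePath"] for s in svcs}
        findings.append({
            "source_ip": logon["IpAddress"],
            "user": logon["TargetUserName"],
            "logon_time": logon["Time"],
            "shares": sorted({s["ShareName"] for s in shares}),
            "files": sorted({s["RelativeTargetName"] for s in shares if "RelativeTargetName" in s}),
            "services": [s["ServiceName"] for s in svcs],
            "processes": sorted({p["NewProcessName"] for p in procs if p["NewProcessName"] in images}),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The logon from 10.0.0.40 produces no finding because it only touched a non-hidden share; the one from 10.0.0.25 is reported with the share, the file written to ADMIN$, the service registered afterwards and the process that service started. On a real export, 4688 is only present if process creation auditing was enabled beforehand, as the notes point out.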

NTFS

  • create image
  • $ files → filesystem metadata
    • $Boot: link to the main file
    • $MFT: this is the main file (index)
    • $MFTMirr: duplicate of the first four records
    • $Bitmap: cluster usage on disk; a cluster is the lowest level of storage
    • $Secure: security-related information for files
    • $INDEX_ROOT, $BITMAP (directory index)
      • timestamps, filename, filesize
      • B-tree index
      • there can be slack space, which can show the presence of a file that does not exist anymore
    • $Extend directory → more metadata: quotas, symbolic links, object identifiers, file system journals
  • MFT:
    • database, comprised of database records
    • 1024 bytes per record (usually), can be larger
    • lots of FILE records
      • two sets of MACB timestamps
        • compare those two to detect time stomping
    • Non-resident file: typical file on the file system, clusters are tracked within the MFT
      • cluster size: typically 4k
    • Resident file: 600 bytes or less, stored in the MFT
  • Journal
    • two journals: $LogFile (low-level changes), $Extend\$UsnJrnl → inside: $J
    • deletion can only be detected through the journal
    • $LogFile
  • Alternate Data Stream (ADS)
    • notepad 13cubed.txt:secret (creates an ADS)
    • dir /R
    • This is used for Zone Identifiers (ZoneId, HostUrl)

MACB timestamps

  • default: the modification time is what is shown
  • MACB: modification, access and birth/creation are available to use
  • C: not exposed through the Windows API
  • $FILE_NAME attribute from the index record of that directory, not from the MFT
    • can be different from the MFT record
  • last access: works in Windows 11, but rather useless because it is updated often
  • trust the modification/birth timestamps
  • updates: update the modification and access timestamps
  • rename: does not update anything except C (MFT record/metadata change time)
  • file copy: new birth timestamp, access is updated, modification stays the old one
    • a birth timestamp newer than the modification timestamp indicates a file copy; the modification timestamp is inherited
  • file move
    • local file move (same volume): access time: the last time I accessed the file?
      • creation/modified have not changed
      • metadata (C) could change
    • op-code FILE-DELETE

MFTECmd (parse NTFS MFT/USN Journal)

  • export with FTK Imager or KAPE
    • target: filesystem (process the VSS option for older events)
  • MFTECmd.exe -f <file> --csv <dir> --csvf <filename>
    • --dr to write out resident files
  • do this for $J as well
    • file reference number = 6-byte MFT entry number + 2-byte sequence number
    • hex 10 → $STANDARD_INFORMATION
    • hex 30 → $FILE_NAME
    • if a timestamp is empty → same as the timestamp adjacent to its left
    • SIlessthanFN → might indicate timestomping
    • subsec_zeroes → might indicate timestomping
    • copied → indicates copying
  • USN → list of operations
    • no full file path, but can be mapped to MFT entry/sequence numbers
  • $I30
    • look at the volume with FTK Imager
      • "x" shows previously existing files; the "type" column indicates where the entry comes from
      • shown through slack
    • can be parsed with MFTECmd.exe
      • "from slack"
      • physical size is a multiple of the cluster size
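Added example (not part of these notes and not MFTECmd) covering the MACB rules above and the SIlessthanFN / subsec_zeroes / copied columns: it re-derives those flags from the $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30) timestamps of an MFT CSV, expands the "empty = same as the cell to its left" shorthand, and builds the file reference number from entry and sequence number. The CSV is constructed; its column names follow MFTECmd's naming (Created0x10, LastModified0x10, ..., Created0x30), which is an assumption to check against your own export.

```python
"""Flag timestomping and file-copy indicators in MFTECmd-style $MFT CSV output.

Added example, not part of the notes or of MFTECmd. The CSV below is
constructed; the column names follow MFTECmd's (assumption). Checks:
  SIltFN     - 0x10 created earlier than 0x30 created
  uSecZeros  - a 0x10 timestamp with an all-zero sub-second part
  Copied     - 0x10 created newer than 0x10 modified
An empty cell means "same as the cell to its left", as in MFTECmd output.
"""
import csv
import io
from datetime import datetime

SAMPLE_CSV = """EntryNumber,SequenceNumber,FileName,Created0x10,LastModified0x10,LastRecordChange0x10,LastAccess0x10,Created0x30,LastModified0x30,LastRecordChange0x30,LastAccess0x30
40,2,normal.txt,2024-03-01 09:00:00.1234567,2024-03-01 09:30:00.7654321,,,2024-03-01 09:00:00.1234567,,,
41,1,stomped.exe,2019-01-01 00:00:00.0000000,2019-01-01 00:00:00.0000000,2024-03-01 10:05:12.9876543,,2024-03-01 10:05:12.1234567,,,
42,5,report.docx,2024-03-01 11:00:00.5000000,2023-06-15 08:15:00.2500000,2024-03-01 11:00:00.5000000,,2024-03-01 11:00:00.5000000,2023-06-15 08:15:00.2500000,2024-03-01 11:00:00.5000000,
"""

TS_COLS = ["Created", "LastModified", "LastRecordChange", "LastAccess"]


def file_reference(entry, sequence):
    """64-bit file reference: 48-bit entry number, 16-bit sequence number."""
    if not 0 <= entry < (1 << 48) or not 0 <= sequence < (1 << 16):
        raise ValueError("entry or sequence number out of range")
    return (sequence << 48) | entry


def parse_ts(s):
    """MFTECmd writes 7 fractional digits; datetime only takes 6."""
    main, _, frac = s.partition(".")
    dt = datetime.strptime(main, "%Y-%m-%d %H:%M:%S")
    return dt.replace(microsecond=int(frac[:6].ljust(6, "0"))) if frac else dt


def fill_left(row, suffix):
    """Expand the 'empty = same as left neighbour' shorthand for one attribute."""
    vals, prev = {}, ""
    for col in TS_COLS:
        prev = row.get(col + suffix, "") or prev
        vals[col] = prev
    return vals


def analyze(csv_text):
    """Return {FileName: [flags]} for every row of the CSV."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        si = fill_left(row, "0x10")   # $STANDARD_INFORMATION, user-mode API can change it
        fn = fill_left(row, "0x30")   # $FILE_NAME, set by the kernel at creation
        flags = []
        if parse_ts(si["Created"]) < parse_ts(fn["Created"]):
            flags.append("SIltFN")
        if any(v.endswith(".0000000") for v in si.values()):
            flags.append("uSecZeros")
        if parse_ts(si["Created"]) > parse_ts(si["LastModified"]):
            flags.append("Copied")
        findings[row["FileName"]] = flags
    return findings


if __name__ == "__main__":
    for name, flags in analyze(SAMPLE_CSV).items():
        print(f"{name}: {flags or 'clean'}")
```

Both timestomping flags are heuristics: files restored from archives or backups can legitimately carry an older SI creation time than FN, and some tooling writes whole-second timestamps, so treat a hit as a reason to look at $J and the $LogFile for that entry rather than as proof.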

recycle bin

normal usage

  • RBCmd.exe
  • old Windows 95 → XP: Recycle Bin (INFO2 file)
  • XP → Vista: Recycler
  • Vista → $Recycle.Bin ?
    • $I - new metadata file
    • $R - the file contents itself
  • dir /a
  • recycle bin per user
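Added example (not part of these notes and not RBCmd): a parser for the $I metadata files described above, so the $I/$R pairing and what the metadata holds are visible. The layout assumed here is the documented one: an 8-byte version (1 for Vista through 8, 2 for Windows 10 and later), 8-byte original size, 8-byte deletion FILETIME, then the original path (a fixed 520-byte UTF-16LE field in version 1; a 4-byte character count followed by a null-terminated UTF-16LE string in version 2). Both sample files are constructed in memory.

```python
"""Parse Vista+ recycle-bin $I metadata files.

Added example, not from the notes or from RBCmd. Assumed layout:
  0x00  8 bytes  version (1 = Vista..8, 2 = Windows 10+)
  0x08  8 bytes  original file size
  0x10  8 bytes  deletion time as FILETIME
  0x18  v1: 520-byte UTF-16LE path, padded with nulls
        v2: 4-byte char count, then UTF-16LE path (null-terminated)
The sample files below are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return _EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - _EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_i_file(data):
    """Return version, original path, size and deletion time of one $I file."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        nchars = struct.unpack_from("<I", data, 24)[0]
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "original_path": path, "size": size,
            "deleted_at": filetime_to_datetime(ft).isoformat()}


def r_file_for(i_name):
    """$Ixxxxxx.ext pairs with $Rxxxxxx.ext, which holds the actual content."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def build_sample(version, path, size, deleted):
    """Constructed sample $I file (only used to make test data)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return header + path.encode("utf-16-le").ljust(520, b"\x00")
    encoded = (path + "\x00").encode("utf-16-le")
    return header + struct.pack("<I", len(path) + 1) + encoded


SAMPLE_V2 = build_sample(2, r"C:\Users\alice\Documents\plan.docx", 18432,
                         datetime(2024, 3, 1, 10, 7, 5, tzinfo=timezone.utc))
SAMPLE_V1 = build_sample(1, r"C:\Users\alice\old.txt", 12,
                         datetime(2013, 5, 6, 7, 8, 9, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(parse_i_file(SAMPLE_V2))
    print(parse_i_file(SAMPLE_V1))
    print(r_file_for("$IABC123.docx"))
```

Because the deletion time lives only in $I, a shift-delete (next section) leaves no such record; the filesystem journals are then the only place the deletion shows up.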

Permanent Delete

  • shift-delete
  • MFT record will be updated, $Bitmap is updated → clusters available for re-use
  • $I30 will be updated (for this directory)
  • FS journals will be updated

LNK Files & JumpLists

LNK Files

  • LECmd.exe
  • LNK files contain metadata
  • appdata\roaming\microsoft\windows\recent
    • modification time is the last time the original was changed
    • modification time is also altered when the file was opened
    • can use exiftool to analyze LNK files
      • timestamps of the LNK file itself
      • additional timestamps (of the actual target file, BAM)
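Added example (not part of these notes and not LECmd) showing where the "additional timestamps of the actual file" live: the fixed 76-byte ShellLinkHeader of a .lnk carries the target's creation, access and write FILETIMEs and its size, separate from the .lnk file's own filesystem timestamps. The layout follows the MS-SHLLINK ShellLinkHeader and the flag bits decoded are the documented LinkFlags and FileAttributes values; the sample link is constructed in memory and consists of the header only.

```python
"""Parse the fixed ShellLinkHeader of a .lnk file.

Added example, not part of the notes and not LECmd. Layout (MS-SHLLINK):
HeaderSize (0x4C), LinkCLSID, LinkFlags, FileAttributes, CreationTime,
AccessTime, WriteTime, FileSize, IconIndex, ShowCommand, HotKey, three
reserved fields. The sample below is a constructed header with no
LinkTargetIDList or StringData behind it.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_FMT = "<I16sIIQQQIIIHHII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 76 == 0x4C
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
FILE_ATTRS = {0x01: "READONLY", 0x02: "HIDDEN", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}


def filetime_to_datetime(ft):
    return _EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - _EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def _bits(table, value):
    return [name for bit, name in table.items() if value & bit]


def parse_lnk_header(data):
    """Return the target metadata embedded in the header; raise if the
    magic (HeaderSize 0x4C plus the shell link CLSID) does not match."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    size, clsid, flags, attrs, ctime, atime, wtime, fsize = fields[:8]
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a shell link header")

    def to_iso(ft):  # a zero FILETIME means "not set"
        return filetime_to_datetime(ft).isoformat() if ft else None

    return {
        "flags": _bits(LINK_FLAGS, flags),
        "attributes": _bits(FILE_ATTRS, attrs),
        "target_created": to_iso(ctime),
        "target_accessed": to_iso(atime),
        "target_modified": to_iso(wtime),
        "target_size": fsize,
    }


def build_sample_header(created, accessed, modified, size, flags=0x8B, attrs=0x20):
    """Constructed sample: header as written for a plain file link
    (IDList + LinkInfo + RelativePath + Unicode; ARCHIVE attribute)."""
    return struct.pack(HEADER_FMT, HEADER_SIZE, LNK_CLSID.bytes_le, flags, attrs,
                       datetime_to_filetime(created), datetime_to_filetime(accessed),
                       datetime_to_filetime(modified), size, 0, 1, 0, 0, 0, 0)


SAMPLE_LNK = build_sample_header(
    datetime(2023, 1, 10, 8, 0, tzinfo=timezone.utc),
    datetime(2024, 3, 1, 10, 7, tzinfo=timezone.utc),
    datetime(2024, 2, 20, 16, 45, tzinfo=timezone.utc), 4096)

if __name__ == "__main__":
    print(parse_lnk_header(SAMPLE_LNK))
```

In a triage, compare the parsed target_modified with the .lnk file's own modification time from the filesystem: the former describes the document, the latter the last time the shortcut in Recent was rewritten (i.e. the file was opened again).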

JumpLists

  • right click on a taskbar icon → recent files
  • jumplist: collection of LNK files
  • custom destination jumplist: when pinned; the other type: automatic destination
  • appdata\roaming\windows\recent
    • automaticdestinations
    • customdestinations
  • JLECmd.exe

Other Stuff

web browser forensics

  • LocalAppData and AppData
    • AppData is roamed when using Microsoft Active Directory
  • NirSoft BrowsingHistoryView

Thumbnails

  • thumb

Windows Activity Timeline

  • Windows 10/11
  • not synced anymore, but is still collected by default

References