FOR500.3: Core Windows Forensics Part II: USB Devices and Shell Items | FOR500.4: Core Windows Forensics Part III: Email, Key Additional Artifacts, and Event Logs [FOR500_C01_01 ed.]

FOR500.3: Core Windows Forensics Part II: USB Devices and Shell Items Overview Being able to show the first and last tim

1,249 64 59MB

English Pages 318 Year 2017

Report DMCA / Copyright

DOWNLOAD PDF FILE

Recommend Papers

FOR500.3: Core Windows Forensics Part II: USB Devices and Shell Items | FOR500.4: Core Windows Forensics Part III: Email, Key Additional Artifacts, and Event Logs [FOR500_C01_01 ed.]

  • 0 0 0
  • Like this paper and download? You can publish your own PDF file online for free in a few minutes! Sign Up
File loading please wait...
Citation preview

4081500.3 Core Windows Forensics II: USB Devices and Shell Items 4081500.4 I

I

Core Windows Forensics III: •

I

I

&Mafl, Key Additional Amfacts, and Event Logs iLiIiihIiiii

-

;

;WWWWWW

?4III1Z•I•NIIW 7’:z :

y :

ib

.aIh

;%



v

HOSfRUtD 6bRC

O4IfG z

-



:

j

T4 Stt3R

TR1INER Etc ;;

c

40 AiW /_

4

::

SE

CH _/c

ans4j _,

;:Z

Copyright © 2017, The SANS Institute. All rights reserved. The entire contents of this publication are the property of the SANS Institute. PLEASE READ THE TERMS AND CONDITIONS OF THIS COURSEWARE LICENSE AGREEMENT (CLA”) CAREFULLY BEFORE USING ANY OF THE COURSEWARE ASSOCIATED WITH THE SANS COURSE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU (THE “USER”) AND THE SANS INSTITUTE FOR THE COURSEWARE. YOU AGREE THAT THIS AGREEMENT IS ENFORCEABLE LIKE ANY WRITTEN NEGOTIATED AGREEMENT SIGNED BY YOU. With the CLA, the SANS Institute hereby grants User a personal, non-exclusive license to use the Courseware subject to the terms of this agreement. Courseware includes all printed materials, including course books and lab workbooks, as well as any digital or other media, virtual machines, andlor data sets distributed by the SANS Institute to the User for use in the SANS class associated with the Courseware. User agrees that the CLA is the complete and exclusive statement of agreement between The SANS Institute and you and that this CLA supersedes any oral or written proposal, agreement or other communication relating to the subject matter of this CLA, BY ACCEPTING THIS COURSEWARE YOU AGREE TO BE BOUND BY THE TERMS OF THIS CLA. BY ACCEPTING THIS SOFTWARE, YOU AGREE THAT ANY BREACH OF THE TERMS OF THIS CLA MAY CAUSE IRREPARABLE HARM AND SIGNIFICANT INIURY TO THE SANS INSTITUTE, AND THAT THE SANS INSTITUTE MAY ENFORCE THESE PROVISIONS BY INJUNCTION (WITHOUT THE NECESSITY OF POSTING BOND), SPECIFIC PERFORMANCE, OR OTHER EQUITABLE RELIEF. If you do not agree, you may return the Courseware to the SANS Institute for a full refund, if applicable. User may not copy, reproduce, re-publish, distribute, display, modify or create derivative works based upon all or any portion of the Courseware, in any medium whether printed, electronic or otherwise, for any purpose, without the express prior written consent of the SANS Institute. Additionally, User may not sell, rent, lease, trade, or otherwise transfer the Courseware in any way, shape, or form without the express written consent of the SANS Institute. If any provision of this CLA is declared unenforceable in any jurisdiction, then such provision shall be deemed to be severable from this CLA and shall not affect the remainder thereof. An amendment or addendum to this CLA may accompany this courseware. SANS acknowledges that any and all software and/or tools, graphics, images, tables, charts or graphs presented in this courseware are the sole property of their respective trademark/registered/copyright owners, including: AirDrop, AirPort, AirPort Time Capsule, Apple, Apple Remote Desktop, Apple TV, App Nap, Back to My Mac, Boot Camp, Cocoa, Facelime, FileVault, Finder, fireWire, FireWire logo, iCal, iChat, iLife, iMac, iMessage, iPad, iPad Air, iPad Mini, iPhone, iPhoto, iPod, iPod classic, iPod shuffle, iPod nano, iPod touch, iTunes, iTunes logo, iWork, Keychain, Keynote, Mac, Mac Logo, MacBook, MacBook Air, MacBook Pro, Macintosh, Mac OS, Mac Pro, Numbers, OS X, Pages, Passbook, Retina, Safari, Sin, Spaces, Spotlight, There’s an app for that, Time Capsule, Time Machine, Touch ID, Xcode, Xseiwe, App Store, and iCloud are registered trademarks of Apple Inc. Governing Law: This Agreement shall be governed by the laws of the State of Maryland, USA. FOR5OO4O8_34CO1_O1

FO

WINDOWS FORENSIC ANALYSIS

Core VVindows Forens ics II & III: DFIR USB, Shell Items, E-mail, Key Additional

DIGITAl FDRtNSIS B INGIDENT RESPDNE

Artifacts, and Event Logs

@2017 Rob Lee I All Rights Reserved jVersion # FOR500_C0 I0I

Welcome to Core Windows Forensics. Rob Lee [email protected] -

Chad Tilbuiy [email protected] -

USB Contribtitions by Nicole Ibrahim http://twitter.com/robtlee http://twitter.com/chadtilbury http://twitter.com/sansforensics

©2017 Rob Lee

_____

1. Practice with a well-known commercial tool used for Digital forensics and Incident Response

2.

Determine for yourself whether the tool is useful in accomplishing

your goals during digital forensics and media exploitation

3. Work with a solution and assess a product without vendor pressure







I

dfir. to/FOR500-DFIR--$olutions

Pass

=

DflRwhatworks j

z -‘rzrz ZZz ZZEZ2 ZE7 FORSOO

DFIR

J

Windows Fnrensic Analysis

The SANS What Works program highlights commercial tools recommended by students as solving specific problems particularly well. This program is accomplished without any vendor sponsorship or payment for the opportunity. The program is simply meant to further the education of students and SANS attendees and expose them to real-world products to test on their own time and without influence. students SANS DfIR has developed partnerships for many years to offer trial versions of commercial utilities so find to students surveyed first s. We can continue to learn and test popular solutions in their own environment subsequently We challenges. out which solutions they feel “work” the best to solve specific cyber security approached several vendors and challenged them to come up with training scenarios we could offer to SANS students to anonymously test the capabilities of their commercial solutions. For digital forensics and incident not response, multiple tools were recommended to help with commercial DFIR products. We offer this exercise ultimately and solution the try to as endorsed tool(s) by SANS or its instructors, but as a way for each student near its capabilities, good or bad, on their own. We anticipate adding additional vendor challenges in the assess

future. No student information is passed to any vendor unless you specifically elect for them to know who you are. This is your chance to try a popular commercial solution without the vendor trying to sell you anything. While the lab was written by the vendor, we attempted to emphasize the same qualities that you experienced in other SANS labs. Specifically, we required that the lab should not be a “sales” presentation and should demonstrate how the tool can be used to solve real-world problems. We hope you enjoy this opportunity,

As this is not a SANS written lab, any questions regarding this lab should be directed to the provider. 1-lowever, we can pass along any feedback back to them anonymously as well. Feel free to write and relate your experiences to rleesans.org.

2

©2017 Rob Lee

2

DFIR

F0R408

Windows Forensics GCFE

DIGITAL FDRENSICS

FOR5O

Advanced Incident Response GCFA

INCIDENT RESPDNSE

F0R572

Advanced Network Forensics and Analysis GNFA

) Mac Forensi s Cybe Threat ntelhgenc

FQR6IO

REM: Malware Analysis

FM

F0R526

Memory Forensics In-Depth

GREM SEC5O4

Hacker Tools, Techniques, Exploits, and Incident Handling

(

GCH

FOR5SS

MGTS3S

Advanced Sniartphone Forensics GASf

I

Incident Response Team Management

in sassforensics

sans1srnsics

dfirto/DHRlinkedlntommunity

dfir.to/gps ‘miorensics

dfirto/MAIL4JST

Welcome to Core Windows Forensics. Rob Lee rleesansorg Chad Tilbury ctilburysans.org USB Contributions by Nicole Ibrahim -

-

http://twitter.com/robtlee http://twitter.com/chadtilbury http://twitter.com/sansforensics

©2017 Rob Lee

3

FORO8

Windows Forensics

FOR58

Mac Forensics

FOR%26

Memory Forensics

lnDepth

FORS8S

Advanced Smartphone Forensics

@sansforensics

I

ii

SSDFIR

dflrto/DFIRbnkedlnCommunity

ccii

F

11*

Y’

.4*,

dfirto/gpussans(orensics

INCIDENT RESPONSE & ADVERSARY H UN TIN 6

OIWTA[ FORENSICS S INCIDENT RESPONSE

OPERATING SYSTEM & DEVICE IN-DEPTH

sansforensics

OR5O8

Advanced Incident Response

FORE 72

Advanced Network Forensics and Analysis

FORS%8

CyberThreat Intelligence

0

REM: Malware Analysis

• Hacker Tools, Techniques, Exploits, and Incident Handling

Incident Response

MGTS3S

Team Management

dfirto/MAII-LIST

C -J

0

-o

C

0

C”

FOR3O

WINDOWS FORENSIC ANALYSIS

Core Windows DFIR Forensics II:

DIOITAL FDRENSlS B lNlOENT RESPONSE

USB Devices and Shell Items

@2017 Rob Lee AB Rights Reserved jVersion # F0R500

Welcome to Core Windows Forensics. Rob Lee rleesans.org Chad Tilbury ctilburysans.org USB Contributions by Nicole Ibrahim -

-

http://twitter.com/robtlee http://twitter.com/chadtilbuiy hftp ://twitter.com/sansforensics

©2017 Rob Lee

5

CD CD

0

C

0)

0

CD

C

CD

CD

ffQ

-1

I.

C

I

iI

DFIR

FOR500

WI dows Forensic Analys

$

This page intentionally left blank.

©2017 Rob Lee

7

‘3 PJfl4.,4A? Fcen.s’iump.. ] f4T4rP3 4,,!,! Cot Wool!,

SANStnfor Ant SPool Ntwo; ISo SeN

13 For4)8 1,Cornpcor,,EDocW ZN!

1/3 No.5-APP

Sc

13 J

p p

JPP1’E IN.

04 A1>t

41! .tP TArP”! ZN. -

SANS Computer ho ruco Trans.

,,r,tt, :&

a Hw We SPI 1rSrt

Nw rrccrgrrto wirrdoc

-‘s Pmthtsprs-rirarrtoteskbrr

Google Chrome

Clomaik’,m*.ro

1

Unn thrr neo-5rartr from 1otlbr Cictewrrrdow

oW p perot reIN jerk

Mtksrig the,.

FctPS SCcmpototL4w

rJ Mtcroroft PoererPosr*21D40 ri -At Nor

to no

WhoP Sbt

btPe

1100 Itdteg ETft, h’uoP No

All

NLofopo 1011.

/3NWdo4OrPjI 4S

C

cr5.

Right-clicktask • Users can “jump” to recently opened files .

FOR500 [Windows ForensicAnalysis

OFIR

a

The Win7—Win 10 taskbar (Jumplist) is engineered to easily allow users to “jump” or access items they frequently or have recently used quickly and easily. This functionality cannot only be recent media files, but recent tasks as well. Tasks can be creating a new archive, burning an item to a DVD, or chatting with a friend via Skype. Developers use the W1n7—Win 10 Jumplists as a “mini-start” menu allowing them additional functionality at the hands of the user. Usually, by right-clicking the application in the Windows taskbar, the additional functionality appears. Usually, unless a developer creates additional tasks, the default settings allow only for launching the application, pinning it to the taskbar, or closing all windows that are currently open.’ For forensic Investigations, the addition of the Jumplists provides yet another location to veri& the opening and/or creation of non-executable files on a Windows7+ operating system. We have already covered registry residue in RecentDocs, RecentDocs *.ext, Office Recent Docs, and LNK files in the Recent folder. This new artifact also records file access for a specific application that could extend the history of an application’s files back much further than the other artifacts that also record the history of files opening. Another advantage of Jumplists, like other artifacts, is that we can discern that a wiped/deleted file at one point existed inside the Windows OS and file system, We could probably also figttre out the exact location of the file because these artifacts usually include the full path of where they existed. In other words, items might remain in the lists long after they were deleted from the volume. Although only a few items are shown in the output in Explorer, hundreds more will exist in the Jumplists. We will show you how to find and extract these items. The Jumplists are enabled by default; however, they can be disabled from the Control Panel (on the second tab).

->

Taskbar and Start Menu

Special thanks for this section goes to Troy Larson from Microsoft who aided in the research and understanding for Digital forensicators the background behind Win7 Win 10 Jumplists. References: [I] http://blogs.msdn.com/b/yochay/archive/2009/0l /06/windows-7-taskbar-part- I -the-basics.aspx

8

©2017 Rob Lee

Frequent

Ta;ks

Documents

• Online

Downloads Day2

Do Not Disturb

Desbop

Invisible

Public

• Offline

finance 4osJPR:JPDATEJo1i

Set up Call Forwarding..

istockphoto 4O8,APR.,UPDATEJOI1 Qwt Skpe

Day 34 Windows Explorer

$

Unpin this program from taskbar Close window

i

Pin this program to taskbar

G

Close window

I Recent ;Z) Mndowsi Forensics-Jump.

I J) For4O8JiCoreWindR,. YiJ For4O8iCompFoLEDiscFu.. Micrcscft Outic20: 2iri

i0j ForSOS.2jiveRespnsjOlL. Oil New-SlideVoiatiiitv4A PCI

Mcz0e hrefr>

jJ

1j:’•r

P

Micrcart Pa erPnnt 2010

r€e

P

Ia,%I% •4J P

Ritcrcrt

I

For5O82jieflespnsJOiI

!J NewShde%ODay% i1 ForSO834Anailsis til For5O82LiveRespnsJOid.

2010

Oij

For5OS5ComputerLaw

oil !di

r

Microsoft DcwerPoint 2010 Pin this program to taskbar Close all wndows

02017 Rob Lee

9

%ELE1 I

Destinations (“nouns”)

Pinned category

I

Known categories

I L_____

User Tasks

Tasks (“verbs”)

Taskbar Tasks

F R

UFIR

j ‘‘I,’

I

I

I



ci

n

sis

Windows Jumplists make up both Destinations and Tasks. These are usually determined by the developer of the application. The default settings, though, show the most recent or frequent used media for the application in addition to allowing for the default tasks (pin application, start application, and close all windows of application). From the definitions from the Windows 7 SDK: Destinations are items that appear in the Recent, Frequent or custom categories (the “Important” category in

the diagram above), based on the user’s items usage. Destination can be files, folders, websites or other contentbased items, but are not necessarily file-backed, Destinations can be pinned to or removed from the Jumplist by the user.1

Tasks are common actions performed in applications that apply to all users of the application regardless of the

individual usage patterns. Task can’t be pinned or removed. Tasks are actually LNKs (with parameters to commands



optional)



There are two types of Jumplists: Automatic (automatically created for each application by Windows) and Custom (created with specific development information from the application developer). Each of these is found in the Recent folder we previously examined for LNK files. Note: An application must be a registered handler for a file type for an item of that type to appear in its Jumplist. It does not, however, need to be the default handler for that file type.[’l References: [1] http://msdn.microsoft.com/en-us/libra;y/dd378402%28v=vs.85%29.aspx

10

©2017 Rob Lee

C

ritPiChrd c45O7O3f?3P9P

noads

PPPMi

1f&e3533vOO5

PM PM

MMPMIPMPPM

2:P11PppPpPPM

112PM 2212 PM

12122112121 PM

j:PMPMIPOPPT

nt Pces c3caf1b6afdk :7rIa,O 1b86dtb54I

s,tcDsnMwn-’,i m

1121221121.PIPPIP

b74ThPc2bd3cc25

14.122104231 PM

cce$n87d17’M

1242122121%PPPIM

PPp% 2212

2212

PJP%M111%%1PT

012102121120122

g9McP9cM24e2b utomtDtabcn ?4d7t4i551fc1eaticDst ncn m fb324&PMce acpcDetw,m rbM;1L4o

P9c3I24398 qclcdlOffp%dlbd B9bOd9%r117f75c

E

1121L1P4.22 211 mtcbnaPorns

21221144011212 PM 121421121044

121231

1

120211112: IPPOM

PM

4123110120111114

P21112441.IIPM

4101%012312:M

4221141221

7t4d1435e2

DFIR

FORSOO

Wir dows

rensi

Analy

The location of the automatic destinations file is generally where we should focus our efforts in analysis because we know exactly how this list is populated because it is controlled directly by the operating system instead of the application. C:\Users\Profi1eI\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

The Automatic Destinations folder contains a list of applications sorted by AppID. File names are in a format XXXXXXXXXXXXXXXX.automaticDestinations-ms, where name is approximately 16 digits and the extension is automaticDestination-ms’. The creation and modification times in this folder are also important. Creation Time

=

First time item added to the AppID file. First time of execution of application, with the file open.

Modification Time open.

=

Last time item added to the AppID file. Last time of execution of application, with the file

The data stored in the AutomaticDestinations folder will each have a unique file prepended with the AppID of the association application. The data in these files are stored using the Structured Storage format,[1 The data in these files can be parsed using MiTeC’s Structured Storage Viewer, located on your desktop and downloadable from its websitei21 These files most closely resemble the data that also simultaneously creates entries in RecentDocs, RecentDocs *,ext, RecentDocs Office, and LNK files, However, the data in these files could historically be used to map the history of the application from its first use. In some cases, this could be hundreds of files. References:

[1] http://msdn.microsofi.com/en-us/library/aa3$0369%28v=VS.85%29.aspx [21 http://www.mitec.cz!ssv.html ©2017 Rob Lee

11

r

:r :i—n’sr::,5q

Share w

‘5frv

tF

Burn

nnry:;: :nknr Nen folder

ae3f2acdS95b62Ze.automaticDest,naticns-rns

e

ntlv Changed 5c45O7Q9f7ae4396atgomatlcDestjnationsms

incFde ii libran,

Ic alB%93013d3%2b23,auton,atjcDestjnations-nis

tes

±op

Ii

:11Hz

1f6ce453a33cObO5.automatjcDestjnatjcnsms cd8cafbOfbóafdab.autcmaticDestinatjons-rns

H

nloads

L3bOSb%%dcd3OaOe.autcrnaticQestjnations-rns

)Ii4 H

2

%3%46%79aaccfaeOautornatecDestinationsrns

f%89e%BbbQatBajO.automatjcDestjnatjonsnyis

.

as

H H

1.:

28c8b86deab549aLautornaticDestjnatjons-ms

12

iments

1’

&&

-&

::

Ic

b7473%c2bd8cc8a&autornaticDestjnations-rns e4cc848937d177faautomaticDestinationsnis

H;

:.-:.

“V

ires

H H

9b9cdc69cIc24e2bautornaticDestinations-n,s 74d7f43c15%1fc1e.automatjcDestjnatrnnsms SeafbclO4ec863lce.automatjcDestjnatjons-rns

H

V I 2 1 1 42 11

.2

‘-‘

&

IN

2

-‘

V.

&

lbc3B2bSdO4aOOe.autornaticDest:nationr-rns

&

2. 2-11

2

9839aec31243a928.automatkDest matlens-ms

12

IH

9c7ccilOff56dlbd,automaticDestinatjons-ms

H

I

IH: 722:

&&

:1 H.

&

‘.

uter



89bOd939ftl7ff5cautomaticDestjnations-nis I ‘

C)

7e4dca80246%63eiautomaticDestjnations-rns lb4dd67f2BcblBó2,autornaticDestinatIcns-ms

1

a7bd7l6BPcd3SdIcautomaticQestinations-ms

group

as

S

nt Places

&

&

DVERY ID:) rk

2 2

I

&

&

t

12

nC



&

&

-

H ‘

H

‘•



H

1. 2 1

,.

1

7

I

&&



2 1 H.-

&

1 .-

‘‘‘

&‘

‘i’”’:

&

&

H H 1’1



ZH.’ I

&

H

I&



&

-

&

2’ 1

.

&

‘1

&

‘7 1

-.

:

I

--

.22

-:

&&

NV

-

&

&

-

H”

&



F

4

0) 0) -J -0 0

0 C—i

©

@1

J

es nUy Changed

ib4JaC7fcit6.ct:mDtirLns-m

‘fe4d’1L’—.ci’.

C’etitn: n’

top nioads

fl

nt Places

3i.

74d7f3:1

-t

rn

if c1e.uc m[Je- tInattr--rn.

3.;bi:’h’3 ‘cj:a:e.’ u:c;rnDt:Mmncrn-rn Cs

ments ‘C

res

;t;’4;

;9.-

i[tn

-

-

DFIR

FOR500 j Windows Forensic Analysis



The location of the CustomDestinations folder is under the Recent folder where the LNK files are generally stored. This list is created by each application and therefore “custom.” Extensive testing would need to be perfonTled on each application to ensure validity testing has occurred because the operating system does not have as much control over the population of the data in the Custom Destinations folders. Although there could potentially be important information in this folder, additional research, per application, needs to be

accomplished to ensure proper analysis interpretation can be performed. C:\Users\JProfileJ\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

A custom Jumplist is intended to present content that the application has deemed significant based on either previous usage of the application or through an action that has indicated that an item is of importance to the user, such as the user adding an item to a Favorites list or pinning an application to the start bar.1 Custom destinations are also made if a programmer might need to store custom data in them such as history from a browser. Most browser applications have a custom jumplist as a result. One way a custom destination file (*.customDestinations_iTls) is created is when a user pins an item in ajumplist. Custom Destinations is a folder with a list of Applications sorted by AppiD with the extension customDesinations-ms. The creation and modification times in this folder are also important. Creation Time = First time an item is added to the AppID file. Typically, this corresponds to the first time of execution of the application. Modification Time

=

Last time the item was added to the AppID file,

Unlike LNK files, in the Recent folder where we can see a modification time and a creation time for each LNK file, we might tell only the first time and last time an item was added to each file. We can still use other data sources, though, to cross reference because this is not going to be the only location where this information is likely to be found. ©2017 Rob Lee

13

Although data in the custom folder is stored as LNK files, it is not stored in an easily examinable format. Examining the custom definition files is easiest using a hex editor, but to automate the examination, you need a file carver such as Foremost (discussed in F0R508) or to use an advanced data carving examination using Live Searching in FTK inside the specific file. When performing forensics against this directory, you should also notice that many of the files also have temporary files. References: http:!/msdn.microsofi.coin/en-us/library/dd378402%28v=vs.85%29.aspx

(

4Aa Aàa;ii Enet r4’’v

include n hbrar

Bun

C,

r

A

Cate mcthfted

Name ntiy Changed IC

oP nicads nt Places



1b%dcf57f29cb196LcustomDestinationsms %afe4delb92fc382,custornDestinaticns-ms 6f647f94%Bd7asustomDestinaticnsms ie4dcaSO%4%863e3,custornDestinatiens-rns 2BcBbS%deab%4gaLcustomDestinationpms 74a7f43ci%61fc1e.custcmDestinaticnsrns 83bO3b4%dcd3OaOecustomDestinationsms 52ia29e%d22c13b4custcmDestinationsms

:ments

b7%73%c2b&cc8a5customDesinaticnsms b91O5Od8b4377a4eBcustcmDestinations-ms

res

f7feQg47d%g1b339,custcmDestinationsms

14

©2017 Rob Lee

!ee

S’:e

hEIR

FOR%OO Windows ForensicAnalysis

In each Jumplist in either Custom or Automatic, you see application IDs. Each application has unique identifiers but they are not unique to the system. The unique identifiers will be universal across all the Windows systems. For example, the AppID for Word 2007 is adecth853d77462a, This identifier is on each system where a Word 2007 Jumplist has been created and maintained by the operating system. The reason why this was created was to allow for independent taskbar control for each application. However, it had to make each application unique. The Unique AppiD is one way to ensure that the application’s preferences are not going to conflict with similar applications even of the same family (for example Word 2007 or Word 20l0).[u1 Although it is possible to have a unique ID for each process instead of a universal one, the majority of applications do not follow this model and, instead, have a traceable AppiD across the Win7—Win 1 0 family. This makes it easier on the investigator because you would simply need to identify the application you are seeking and locate the corresponding App ID file in the Custom or Automatic folders for your Jumplist. This chart shows many common AppiDs for major applications on a Win7Winl0 OS. If you seek something specific, you could research it online or reverse-engineer the application on a separate system to identify the correct AppID for your application to track the media it was used to manipulate. One of the more interesting elements many individuals miss is that this also is definitive proof of a specific application existing and executing on the machine. The creation date and last modification date of the Jumplist files will and should map to the first and last execution of the application that used the file. For a full list of the currently known AppIDs for Win7—Winl 0 Jumplists applications, reference this website: http://www.forensicswiki.org/wiki/ListofJumpListl Ds References:

[1] http://b1ogs.microsofi.co.il/blogs/sashaIarchive/2009/02/1 5/windows-7-taskbar-application-id.aspx

©2017 Rob Lee

15

16

AppID

Application

27le6092$8el2lOa

Access 2010

23646679aaccfae0

Adobe Reader 9•***

9839aec31243a928

Excel 2010

b$c29862d9f95$32

InfoPath 2010

5da8f997fd5f9428

Internet Explorer

28c$b86deab549al

Internet Explorer $

b91050d$b077a4e8

Media Center

91$eOecb43dl7e23

Notepad

9b9cdc69clc24e2b

Notepad

3094cdb43bf5e9c2

OneNote 2010

be7lOO9ff8bbO2a2

Outlook

c7a4093$72176c74

Paint Shop Pro

fSac539Ob9ll5fdb

PowerPoint 2007

9c7ccllOff56dlbd

PowerPoint 2010

1bc392b$elO4aOOe

Remote Desktop

1b4dd67f29cb1962

Windows Explorer

d752$034b5bd6f2$

Windows Live Mail

b91050d$b077a4e8

Windows Media Center

74d7f43c1561fc1e

Windows Media Player

290532160612e071

WinRar

a$c43ef36da523b1

Word 2003

adecfb$53d77462a

Word 2007

a7bd71699cd38d1c

Word 2010

e36bfc$972e5ab1d

XPS Viewer

2b53c4ddf69195fc

Zune

©2017 Rob Lee

(

Ib4dd67f29cb1962autcrnatkDtnatinn, n,



1bc3g2bSe1O4aO.autnaDtnatn

5aft2del tSf647f94t8d7actomDestinationrn ie4dcaO246&63o3., —

at

fbdO4ec863lce u amat cD

t n t an

74d7f4c1561fc1etuttornDetinatantnn 83bO3b4dcd3OaOecutomDoaanattant-m, 521a23o5cf22c13b4.jaomDettnatantm

9a7caflOff%6d1bdaoornatDeatnatian rn 23c8b86dab549a1autornaacDest:rtnrnr..

tomDetanationsm5

28c8b86dtab54Stai.cuttornDettoiatono-m;

a

——

74d7f43ci551fc1aautotcDaaanat,onarns

b91O58bO77a4o8cutomDoaOnationt-m,

23bO3b46dcdOaOcatornatDtttnatiornrn

f?f947UStt1b3%9.cuaornDetttnattont mt

89bOd939f117fThcuttkD€ntinatontmt

g839c31243a928autamatkDtnatian,ms 236466Q

citaD tutan

t

Da t nat on

m

a7bd716dt8d1autamatkDttinationa-rn± a1t2S3Oi 3d352b25atcniaacDtinaDcntn af2acd395h622eatornatkDenaton,rn b74?35c2bd8cSa5.automaOcDetnabon mt’ dcafb6afdabautomabcDo;tnaDonsrnt e4ccS489a7d177faautomatkDeatnatons-m cq

2bbQ o8alO

omat Do t nat on

rn

IiiW:

DFIR

0R500

Wr ows o enskAnalyss

One thing you can note is that many of the Automatic Destinations match a Custom Destination AppID. This is where many of the developers have created additional modifications to their programs to create user preferences or additional features using tasks and destinations in their products—a clever capability on WinT-Win1O, for sure. It is recommended to examine both Automatic and Custom definition files to determine and examine LNK files found in both. Remember it is easier to examine the AutomaticDestiation files because it can be easily parsed using M1TeC’s Stored Structure Viewer. CustomDestinations files must first be carved for LNK files or manually extracted using a hex editor (more difficult).

©2017 Rob Lee

17

Every Stream is actually a “Shell-Item”

-

•-

I

4

• Stream is a separate LNK file • Export Stream to save LNK ifie (right-click)

4;

4%,

I

4%

4

A 344

Optionally Can dump out all LNK files using JLECmd, exe and the -dumpTO options

I

r

FORS

DHR

‘ir

o

si

ni sis

Using the Structured Storage Viewer (located on your desktop), open up one of the AutomaticDestinations Jumplist files. In the left column, you see one of the many streams embedded into this file. Each one of these files is a separate LNK file. They are also stored numerically in order from the earliest one (usually 1) to the most recent (largest integer value). To recover a LNK file from the JumpList file, right-click the stream, and you have several options to save the data.

18

©2017 Rob Lee

2

o

JLEcmd exe JumpList Explorer Command By SANS Instructor Eric Zimmerman —

VFIR

line edition

COR500

f Wu eows F tens’ ‘ialyss



JLECmU, or Jump List Explorer Command line edition, is a tool to decode information contained in custom and automatic destinations jumplist files found on Windows operating systems, starting with Windows 7 and continuing through Windows 10. [1] JLEcmd.exe -d “” --csv “” -q -d “” = Dir to recursively process. —f “” yile to process -q Quiet Output use w/ ---csv -dt yyyy:mm:dd hh:mm:ss = Requested Date/Time format --dumpTo = Dump LNK files to this ——csv “” = Dir to save CSV (tab separated) --html “” Dir to save html --ld More detailed Information

Exporting Ink files

As we have already discussed,jumplists are full of embedded Ink files. JLECmd has an option, --dumpTo, that allows for exporting all of these Ink files to a directory. Once exported, any other tool can be used to further analyze the Ink files, Flere we are using the -d switch to recursively process a directory for all automatic and custom destinations jumplists. We are dumping Ink files to c:\temp and are also using the -q switch to minimize output so things process faster. When processing is complete, any failed files are listed at the bottom of the output along with the reason the file couldn’t be processed. In the example below, the custom destinations jumplists were empty and contained no Ink files. After the export is finished, the Temp folder will contain several new folders based on the name of the processed jumplist. These directories will contain the embedded Ink files. [1] https://binaryforay.blogspot.com!20 I 6/03/introducing-jlecmd.html

©2017 Rob Lee

19

Source file: dOO6S5d2aai2ff6d. automati cDesti nations-ms AppID; d00655d2aa12ff6d Description: Unknown Appld Expected DestList entries: Actual DestList entries: 3 DestList version: 1

3

I

Entry #: 3 Path: \\VALHALLA\users\Publ ic\Documents\Lean startup\Successful ly—Apply-Lean-St s-PM399 ppt Pinned: False Created on: 2013-10-20 13:27:24 ÷00:00 Last modified: 2013-10-21 19:53:38 ÷00:00 Hostname: valhalla Mac Address: 00:Oa:f7:04:83:53

I

.

I

Lnk information

Path: \\V.LHALLA\UseI \Publi\ ocuments\1tan s .artup\Lan Startups & EP.pptx Pinned:

False

FR5D”

U fl

.

hr.

1w Foensi’ Ama sis

At the top, we see information about the AppID and its description. JLECmd has many built in AppiD descriptions and when a match is found, the program the jitmplist relates to is shown. In this case, we are looking at Windows Explorer. Since this is an automatic destination jumplist, information about the DestList is displayed which includes how many expected entries there should be as well as the actual number of entries that were found. This lets you see any discrepancies between the two. Below that, each DestList entry is displayed including the entry number, the path, the created and modified dates, host name, and MAC address. Below that is the target created, modified, and last access time stamps along with the absolute path the related Ink file points to. The information about Ink files is kept to a minimum, but to get a bit more detail, use the id switch for more Ink detail. The additional information in this case is highlighted in the red box, If you need to see ALL Ink detail, the best option is to export all embedded Ink files and then use LECmd to analyze them. We will discuss extracting Ink files below. Custom destinations jumplists work more or less the same way, but custom jumplists do not have DestList information.

We will have the AppiD but after that, it is only embedded Ink files.

20

©2017 Rob Lee

20

I

C \> 3IEatd exe -d

“SE

\ [root) \Users\Dona1d\çData\Poanang\Microsoft\Windows\Recent”

--csv “G \cases” -q

(DIRECTORY PARSING) -

, —

Note Selective fields of CSV Output for JLEcrnd ee

UFIR

FORSOO

Wrndows Forensic Ana’ysis

This is an example of running the same tool against Automatic Destinations and dropping it into a CSV file for analysis. AutomaticDestinations files are filled with more specific information than the CustomDestination files. Part of the reason is that the AutomaticDestinations files are generally created when a user opens a file inside an application. The second reason is the time the file was opened up is recorded in the jumplist entry. Each entry has a unique timestamp that shows when that entry was updated this is the last modification time which is when the entry was added to the jumplist. It is oniy added once thus why it is the last modified time. With the automatic destinations, we can see when the user actually clicked these values via the MRU/MfU date/timestamps (stored in the DestList stream) for each specific ApplD in the CSV file, which is quite useful to specifically tell when a specific type of activity occurred. The last piece of information is the location of the target. The exact location shows the full path of the directory or file that was access via a specific application.

©2017 Rob Lee

21



• jmp .exe By TZWorks LLC

• Jumplist Parsing Utility— Parse both Automatic and Custom Destination Lists

FORSOO

OFIR

I

Windows ForensfcAnalysls

There is a command-line tool from TZWorks.net that can parse both Custom and Automatic Destination files. The tool works from the command line and similar to the input of the lp.exe tool can easily output into CSV format as well. The benefit of running a tool such as jmp.exe against a range of files in the Automatic or CustomDestinations directory is that it makes easy work of parsing the vast amount of data contained in these areas, The tool also makes easy work of both Automatic and Custom destination Jumplists. Similar in use to the LNK file tool, lp.exe, jmp can parse the hundreds of embedded LNK data found in the Automatic destinations file and extract the custom application data stored in the Custom destinations file. Typically, the easiest way to examine the information from the jmp.exe tool is to use Excel and process all the items in both lists.

22

©2017 Rob Lee

22

appid

MRU/tã’n I M5U/M

1b40d671191b1962 1e4dd67t29cb1952 lbOddG?f29cb1762

3

4dd6if2acb136 1o4dd&7’2cb195%

4

4dd6712 c61962

6

1646d&7f29cb1962

7

lb4ddSSf2tcbiIO2

S

RU/MFar

et name

9

4/4/2012

15:42:5u051

{ClflMyCornouterM:\Usern\nromanoff0ocuments\Undercover

0

4/4/2012

15:42:19351

{CLSID Mycom

7

4/4/2612

15:37:1L56%

3L 3/2012

15

541 233

2% 04° 597

4°476

ter\C:\Usern\nronsanofPDocumencn\CC 6331 Sackstopped Accounts

f”SiD My omputet}\C \U rs nroma off ictures\Nes S to tCLJDUseruF%es

C And Landirg ° d\Ca r

r anth p Pad

2 3

3

/201 4/3/2012

2

4/3/2012

22:tl:47A7%

(CiSiDUnerUbranesi

1b3dd66f29cb1962

9/2012

22:00:47A76

(01530 Useftibrartes(

9333ec31243a921

/2012 2!2012

15:43:17129 1 4257566

{CtSioMvconsnuter(\C:\Users\nromanoff\Documenrs\Undercoser Agen0List-C3astified\Atenzs-Ust-CLA5SiF1ED-T0P i 3D MyCt. 1 3 ter(\C \ r \nroma .stftDowme S \LMdsrc s Aent Is (las ed\Aen Us 00.5513130OP

15.. 19379

(C53DS4jcoirputer(\C Mi ers\nromanoW/yccumnrts\CC R&D cIa katopped nsns n s\ C Baskstopped Acco s S.. Its

9

Sans I 437921

9 3Saec 14

928



3

[ (j 11ff°1I1i’

012

22:01:47676

C

I0inombrarien}

C3MDUseaibrades}

Note: Selecti\’e Fields of CSV Output of jmp.exe

V FIR

FOR500 I WihdowF F rensIcA9aIyss

This is an example of running the same tool against Automatic Destinations and dropping it into a CSV file for analysis. AutomaticDestinations files are filled with more specific information than the CustomDestination files. Part of the reason is that the AutomaticDestinations files are generally created when a user opens a file inside an application. The second reason is the time the file was opened up is recorded in the MRU/MFU entry. It also shows the exact sequence that the files were opened up. The MRU/MFU index is a chronological list of entries, where #1 is the latest. Each MRU/MFU entry has a unique timestamp that shows when that entry was updated. With the automatic destinations, we can see when the user actually clicked these values via the MRU/MFU date/timestamps for each specific AppiD in the CSV file, which is quite useful to specifically tell when a specific type of activity occurred. The last piece of information is the location of the target. The exact location shows the full path of the directory or file that was access via a specific application.

©2017 Rob Lee

23

23

appid lb4dd%7f29cb1962 164dd67f29cb19t32 1b4dd67f29cn196% 1b4dd67f2%cblSE% 1b4dd57f29cb1962 1b4dd67f29cb1962 1o4ad67f29cb196% ItAdd67f29cbl%6% 1b4dd67f29ch1962 9839aec%1243a928 9839aec31%43a928 9839aec3124%a9%8

4’

H.

15:42:19,551 15:37:11,568 15:36:41,238 22:40:40.597 22:08:47,476 22:08:47,476 22:08:47.476 22:08:47.476 15:43:17,129 15:42:57,566 15’42:19.379

(CLSiDUsersiIes {C1SDJserLibrades} {cLSDuserubranes CSDUserUhraries} cL5DuserLibrarses) CSIDJv1yCornputer]\C:\Users\nrornanoff\Docurnents\UndercoverAgentHist’Ciass;fied\4gent>Ust’CASSJFIED’TOP ’TOP’ {a5Dj4yComputer\C:\Users\nromanoff\Documents\Undercover Agentt st’CIassafied\4gents’LstCLAS5W1ED x {C1&DMyCornputer)\C:\Users\r’romanoff\Decumerits\CC R&D Backstopped Accounts\CC-Backstcpped-Accountsids

RU,MF%*/flictnrget name% 15:42:58.051 {Ct&Q,Mycornbuter}\C:\Users\nrornanoft\Docurnents\Undercover Agentust’CLassfied\4ents’Ust’CLASSW1ED-TOP’ {CL&DMycornputer)\C:\Users\nromanoff\Docurnents\CC R&D Backstcpped Accounts CHSDMyComputer\C:\Users\nrcmanoff\Pctures\New’Stte’HQ’And’Landmg’Pad\HQ iandng PaO

L; .J

stream P MRU/MjI I 4/4/%01 9 4/4/2012 8 7 4/4)2012 4/4/2012 4/3/201% 4/3/2012 4/3/201% 4/3/2012 4/3/2012 4/4/2012 3 4/4/2012 4/4/2012 J

0 0 -J .0 0

N

0 (N

©

(N

‘tTh,:Artt’t

A

-

-

-

-

nd1ne argo: http: //www.goog1e.com/search?q—wikiped;a..2Oegress’ 2Ofi1tring&eutf- 8& 8&t&r1sorg mozi11a:nSc ±ficaa1&:Iiontfirfox a&ourc-chp&hannoi -np

DFIR

FOR500

I

Fr.t,.

b-.’

Windows ForensicAnalysis

25

One benefit of collecting Custom Destination data from browsers is we can see recent websites visited. Shown here is a custom destinations field in Mozilla Firefox called “Frequent.” We can easily see the Google search that the user executed in that populated this value under the Frequent list. in this single output of one stream from a custom destination file associated with Firefox, we can see a Google search that took place. The downside of the entry is that it doesn’t have an MfU/MRU sequence or date/timestamp associated with it. We can tell by the CustornDestination-ms file’s creation and modified times the general timefrarne for the activity, but we cannot determine the exact time that the Google search was accomplished. We can tell only that it was accomplished somewhere between 4/3/12 22:24:1 5 UTC and 4/3/12 22:41:31 UTC. Given this drawback, it is still obvious that the parsing of the CctstomDestinations file can yield useful results that include history, actions, and specific activity that occurred within an application. The best way to truly understand what the values could relate to (Tasks, Frequent, and so on) is to load the application on another system and perform specific tests and compare the results. This is especially true for the CustomDestinations files because they are tied to the developer’s desires and not a universal specification that is applied in each application, such as the AutomaticDestinations files.

©2017 Rob Lee

25

-

04103/12 22:41:31 34/03/12 22:41:31

[TIC]

04;03/12 22:24:15 [TIC] HashinkTaraetlll.ist, Haslinklnfo, HasName, HasArguments, 07/08/11 07:16:20.030 [UTC]

0x0000082b [2091 bytes ] [924632 cytes

C:’.Prcgram Files\Mozilla Firefox\firefox.exe Gocgle Seamch wikipedia egress filtering

acC3- 6525

[1] 0she1132.dl1,21781 fixed

[SWSHOWNOPMAI {ClSlnMyComputer}\C: \Prcgrac Ci les\Mczilla Firefox\firefox. cxc

Frequent

About The Artifacts

fr IEF s% Use?s Manual

a)

G)

Open newtab

N

0 C”

0

+

Open ne.s uundo;s

-o

-J

+

©

Unpin thIs program from taskbar

• Mozilla Firefox (2)

J/

Enter private brovsing

Thiks

1 Thank Vou Magnet Fcrenscs Haslco:j H http:/*’n.aow.magnetfcrensics.cc... H Digital Forensics Computer Fore..

F: \Users\vibranium Applata\Roaming\Microscft\Windows\Recent\Cust source path/filename: omoestinations\ae5cd8ebf4af 1227. customflestinations-um file modified: file accessed:

08/15/11 14:16:10.612 [UTC]

[UT2]

UTC]

file created: Target flags: Target mcdafaea: 08/15/11 14:16:13.612

12495

Target accessed: Target created: 07/05/11 18:00:11.172

fie offset:

Target ObJID time: OxOOCelbdE

UTCj

Parsed size: Target file sice: ID list:

Show cad: ID list info: Volume Type: Volume serial nina: local base path: Description: cmdiine args:

http: /.Jl1TI S : official&client=firefox-a&source=hp&cbannel=np Ct\Prcgrcn Fi1es’Mczi11a Firefox\firefox.exe

Coogle Search]

%Progranwiles%\Mccalla Firefcx\firefox.exe

-

Icon filename:

[wikipedia egress filtering

Icon environ name:

663224 a8-227e—4f96—84af-34a0€3f788cb

wks-win732bita a05b4%ac-a730--1le0b49e—005056a5 1269

name:

Object ID:

00:50: 5E:aS:12:69

1€TBIOS

MAC address:

[f%9f85e3—4ff%-1068—ab9l-08012b2Th3d9}

Volume ID:

format IC [value]

Co

C-.’

ah

rograrn F s\MocUa ros\hreto cxc ‘rogram fUes\Mozifla Ftrefox\firefoxese ‘rogram Fitex\MozIUa FirefoxVirefox.exe

2c7o] S’Cf 63245. 63’45.a e2f

2 ;efod ‘ 75th 2 7Sf b ./fsd

‘rogMEirefox\iirefoxexe

‘rogram F ss\MozRIa Ftrefox\Rrefoxexe ‘rogram FiNs\Moz1ta Firefox\Rrefoxexe

fbd

‘rogram FiNs\MoziPa Firefox\firefoxexe

cmgm moos tDescripoonl: SANS Computer Forensics Training Incide onse; [CrndAretl: htm:ilcoooute [DescriptionJ About The Artifacts; CrndArgsj: fie/J/C:/Program frmnt IDescription: SF vS Users Manual; ICmdArgsi; te;///5./Program%20 hrefoxWebRrowser—PluginC.. Descrcstmnj; Thankyou Macnet Forensics; CmdArgs]: http;/wssw, LnescnptionC http;/fv:wwmagnetforens .com/trial/; [CmdArgsJ lot : SANS Computer Forensics Trmnr. [Description); Digital Forensics Computer Forensics Recover files Ma AbcutThe.srt cs -

IEF vS Users Manual

Thank You ) Magnet Forensics

H H

Note: Selective Fields of CSV Output

DFIR

FOR500

I

http5.Nsww.macnefforensicsco. Oge& Forenscss, Computer Fore..

Windows ForensicAnalysis

27

In this example, we ran the jmp.exe tool against a CustornDestinations file for Firefox and exported it into a CSV file. We have selected specific fields in the CSV file to show only the AppID, local path, and extra information. We can clearly see the application name in the local path. We can also see the Tasks and Frequent websites visited in the Jumplist for Firefox. However, without seeing graphically which one is associated with a Task and which one is associated with Frequent, it would be hard to tell which one is the result of user action or automatically populated for the application. Rigorous testing is suggested for the application of interest as a result, especially for the CustomDestination-rns files.

©2017 Rob Lee

27

a

C C

a

..

90J

qod

L[.O©

it

.‘



L.

es

7.- 7)

C)

U..

C

.

e

‘a

11 t

E

o a

a

an

C C a ff1 f-I

-:

200 F

r

+

a)

0

CL U.

a)

44

a E

o

r

‘a

e...n

C)

‘a :3 0

>.. S

‘a



C’

an

c

C)

0

Vt

C:

tjf

-%

H

If

‘V

0

.4

F

F

.-

.-

a) a 0

Cf

a 4”

be

0

P S

(-

(U

2

au C)C;

0 a

t-

‘j

0

.7 -

14

3

(

(U

C.

7

;



ft

it.

La

9

Ct)

U)

(U N N ‘t -;

(3

N

t :-

‘a

fl

‘C .4 (.

U

U 0 N

C

1-

t ci) t

C

a’

7.

t.

C).

CL’

(7.77

C

..

.-

1-.

i

0

r.

ar

-I;

0

C’

n

n

7.

k..

a .

-

r



2



7,

c”

CI

t

.r

-: -

7!’

I. If

t*7 C

.4

C

r

r c.

?t

c4 0

C.

er

C)

a’ •-t

-

f-f

I

7..

J

#7,

•1-

-

C”

f4

(3

-

7

This page intentionally left blank.

©2017 Rob Lee

29

2



I

-

-

---

Contains user-specific Windows OS folder and viewing preferences to Windows Explorer

1

• Explorer Access:

• USRCLA.SS DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags • USRCLAS$ DAT\Local Settings\Software\Microsoft\Windows\She11\Bagb’.U .

.

• Desktop Access: • NTUSER. DAT\$oftware\Microsoft\Windows\$hell\BagMRU - NTUSER. DAT\Software\Microsoft\Windows\Shell\Bags

Why Cey is Uleful? • Which folders were accessed on the local machine, network, and/or removable devices • Evidence of previously existing folders after deletion/overwrite • When certain folders were accessed

FOR500 j Windows ForensicAnalysis

OFIR

Windows uses the Shelibag keys to store user preferences for the GUI folder display within Windows Explorer. Everything from visible columns to display mode (icons, details, list, and so forth) to sort order are tracked. If you have ever made changes to a folder and returned to that folder to find your new preferences intact, then you have seen Shellbags in action. In the paper, “Using Shelibag Information to Reconstruct User Activities,” the authors write that “Sheilbag information is available only for folders that have been opened and closed in Windows Explorer at least once.”1 In other words, the simple existence of a Shellbag subkey for a given directory indicates the specific user account once visited that folder, Because of the wonders of Windows Registry last write timestamps, we can also identif’ when that folder was first visited or last updated (and correlate with the embedded folder MAC times also stored by the key). In some cases, historical file listings are available. Given much of this information can be found only within Shelibag keys, it is little wonder why it has become a fan favorite. The Shellbag information is extremely useful because it can help us track a user through seeing which folders they have recently utilized. In some cases, Shellbag info collects information regarding the files in the folders that are listed. This information can be particularly useful in cases in which an individual claims to have no recollection of knowing about a folder, You can tie it back to the user by examining his Shelibags. At this point you are probably thinking the following:

30

°

We can tell what you executed through UserAssist examination.



We can tell what you touched through file/registry and timeline analysis.



We can tell which folders you opened throttgh Shelibag analysis.

©2017 Rob Lee

°

Registry Hives Windows XP: Network Folders NTU$ER.DAT\Software\Microsoft\Windows\Shell -

Local Folders NTUSER.DAT\Sofiware\Microsofi\Windows\ShellNoRoam -

Device Folders NTUSER.DAT\Software\Microsofi\Windows\StreamMRU Windows 7—10: Desktop Access NTUSER.DAT\Software\Microsoft\Windows\Shell -

Explorer Access

-

UsrClass.dat\Local Settings\Sofiware\Microsofi\Windows\Shell

The architecture of Sheilbag keys within Windows is well understood and has been broadly covered especially because of some of the latest research by Dan Pullega and Eric Zimmerman.[li We have recently had good luck using Shellbags within computer intrusion cases to show evidence of file system enumeration by attackers using compromised accounts. To get all Shelibags information, we now need to parse both NTUSER.dat (DESKTOP) and USRCLAS$,dat (EXPLORER) for each user account. These Registry hives are located in the %userprotile% and %userprofile%\AppData\Local\Microsoft\Windows folders, respectively. The specific Shellbag keys follow: NTUSER, DAT\$oftware\Microsoft\Windows\$hell\BagMRU NTU$ER. DAT\Software\Microsoft\Windows\Shell\Bags NTUSER. DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU NTUSER. DAT\Software\Microsoft\Windows\ShellNoRoam\Bags USRCLASS DAT\Local Settings\Software\Microsoft\Windows\Shell\BagNRU .

USRCLASS .DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags USRCLASS DAT\Local Settings\Software\Microsoft\Windows\ShellNoRoam\BagMRU .

U$RCLAS$ DAT\Local Settings\Software\Microsoft\Windows\ShellNoRoam\Bags .

Purpose •

You can track user window viewing preferences to Windows Explorer.



You can tell if an activity occurred in a folder.

You can track if a user opened/closed/created/deleted/copied a folder. •

In some cases, you can see the files from a specific folder as well.

Location NTUSER,DAT\Sofiware\MicrosoffiWindows\Shell\Bags NTUSER.DAT\Soffware\Microsofi\Windows\Shell\BagMRU NTUSER.DAT\Software\Microsofi\Windows\ShellNoRoarn\Bags NTUSER.DAT\Sofiware\Microsofl\Windows\ShellNoRoam\BagMRU

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\StrearnMRU NTUSER.DAT\Sofiware\Microsofi\Windows\CurrentVersion\Explorer\RecentDocs

©2017 Rob Lee

31

Why Key Is Useful?

You can store information about which folders were most recently browsed by the user. Microsoft documents additional Shelibag keys may be present on Win7Win1 0 systems, but after a review of several Win7—Win 10, Vista, and 2008R2 systems, I have not found any evidence of them used.[’l For reference purposes, the additional keys follow. ( Wow6432Node keys are located on x64 systems.) U$RCLAS$.DAT\Wow6432Node\Local Settings\$oftware\Microsoft\Windows\Shetl\Bags USRCLASS,DAT\Wow6432Node\Local Settings\Software Reference:

[1] http://www.4n6k.com/2O 13/1 2/shellbags-forensicsaddressing.html

32

©2017 Rob Lee

F! _

Wrn7—Wrnlo Explorer



Windows XP Explorer

Lc Fk ‘C

Prcjrrn Fk Prcqram Fd ‘5

“I

Pubhc C DPV Ce Danc “

tieLc,

OFIR

FORSOO j Windows ForenskAnalysis

Shellbag information in the registry location is based on the structure of what you see when you view files via Windows Explorer on either Windows XP or Windows VistaJWin7Win1O. However, Shellbag information is written only when a folder is opened for the first time or when the folder settings have been adjusted. Windows Explorer not only creates the Shellbags information for the folders but also ZIP files. Setting the window size, changing file view options, looking at thumbnails, sorting options, and more, would cause the Shelibags key to update. This creates an opportunity to prove that a user opened and last manipulated a folder on a specific day. However, in some cases, it would take at least two registry keys to be accurate as to what the user changed to cause the key to be updated. Multiple updates to the same folder can be identified through analysis of previous versions of the registry hives (via Restore Points/Shadow Copies). Reference: You can find a full listing of this technique in the following paper title: “Using Shellbag Information to Reconstruct User Activities,” written by Yuandong Zhu, Pavet Gladyshev, and Joshua James, http://www.dfrws.org/2009/proceedings/p69-zhu.pdf.

©2017 Rob Lee

33

5355345555353333 4535Sf 3533534443345.. i35333353333ê35t,e3a5334SI535373325 555355535553535535555313

5 ‘5 5

‘5 f

*

‘*53 (3 3*

35

55

5

4

4 1

33

4

4 3 3 631 1532555 33 4 ‘5 55 535, 3’ 5,4 s 3 53 33 5 ‘*3 1 4 4 4

g:°,

3

3.r2;

1 2’

‘*35

3

4

‘*5,,ft*

5,3.

“‘‘

$

-

S’S

the Value This shows you the data you would look at in the Sheilbags key. The values in the parent key list in key several for layout data the folders that are below it. It initially seems confusing, but after you examine the values, the structure becomes readily apparent.

34

@2017 Rob Lee

34

-

4

.7

DFIR

FORSOO

I

Windows F rensic Analysis

Parsing the Sheilbag structure can be tedious because each corresponding directory is given a number. The value that is listed for that number will be embedded in a value inside the parent of the key. The internal structure links Shellbag data and the original explorer folder is found in the MRU value. Finding which folder is being referenced examine the specific key and select the MRU value. The MRU will like the associated child folder which will map directly to each subkey beneath the current key you are in. As a result, you can map the folder structure from the file explorer and find a near equivalent mirror in the registry hive file being examined. Why is this important? Based on the keys that are here, you can tell which directories were open/closed during a time period. When you compare between previous Shelibags information, it may prove useful, during analysis, to be able to specifically identify when a folder was opened. Even though no file changes occurred within that folder, it shows that the user had knowledge of a specific folder. With Windows XP it is a slightly different layout especially at the start, but the concept is exactly the same as before. In this case, we have a ShellNoRoam, which represents our local folder, The BagMRU key begins with the Desktop. The second key is My Documents, and then you finally get to My Computer. The rest chains out like you saw with Win7—WinlO and Vista.

©2017 Rob Lee

35

You should explore your own Shelibag information to get comfortable examining the data manually to understand the structure. When you get it, it isnt difficult, but it sure looks overwhelming when you initially examine it, The following picture shows the Sheilbags layout as it pertains to Windows XP.

j :. tos +

*

•J Ce’t J sr J Sre. %or -

lVQ: -

s__a

+Jo

j

4

J

S +

__j

tJ

36

©2017 Rob Lee

Last time directory accessed (MRUListEx Indicator) :

• MRUListEx indicator = directory was accessed at that time (Last Key WriteTime) • All other timestamps within tree are reset to that timestamp

Differentiate devices (FAT/NTfS) • file record number (mode number) and sequence number allow you to separate drives • fAT32 = Sequence numbers null • NTF$ = Sequence number exists • Matching a retui ned device to dirCctOfles accessed to mak( sure you are looking at the right device

DFIR

FQR500

Wirdows Forensic Anal sis



There is also a value named MRUListEx, which is the Most Recently Used list and reflects the order the Shelibags were opened with the most recently opened bag listed first. As Shellbags are opened, the MRUListEx values are shifted to the right, and the most recently opened value is added to the leftmost position. The MRUListEx field is important because it is the only indicator that a directory was accessed on that day; all other timestamps within the tree are reset to that timestamp creating false positives. The file record number (mode number) and sequence number that some tools (sbag) produce enables you to separate drives where data is stored (fat32 makes sequence numbers null) and matching a returned device to directories accessed to make sure you look at the right device. The best evidence you can take away from the Shelibags is the existence of a directory on a device and its timestamps at that time, putting non-mru Shellbag data into a timeline with just the regdate is prone to failure and false positives. Reference:

For a good collection of Sheilbag GUIDs see https //github com!randomaccess3/4n6 stuff/blob/master/GUIDs

©2017 Rob Lee

37

1!Q r It 0

VaLe SUIO %OO4496a U4edsotD 4,Oa9ML.

,Iwem

Icon

rrda

Sh& Type

ettery

t%scebnews

Last Interacted

Fret Interacted

yRU Ponten

PAT

%20s1%cSS

0 201201 2120r1%%S

Detads Value: F: Shel Type: Onve letter Sac Path: L%aNRU\L Slot : 13, NSa) Poodw: 5, Node Slot: 206 Absolute Path: DesktopMv ClomputerF:

I

,nd FuUe, Ue

FOR500

UFIR

I

Windows Forensic Analysis

Sheilbags Explorer by Eric Zimmerman Why Another Sheilbags Program?

Tools like RegRipper and sbags from TZWorks have processed Shelibags for quite some time now, but Sheilbags Explorer (SBE) is different in that it presents a visual representation of what a user’s directory structure looked like. Also, SHE exposes various timestamps such as First Explored and Last Explored for a given folder, the file system where a directory existed, and so on. SHE also contains a commandline version, which can produce output (while still including the additional relevant timestamps and file system info, etc.) similar to sbags and RegRipper. Capabilities Overview SBE is meant to be an all-inclusive tool for Sheilbag artifacts. It negates the need for laborious manual steps, decoding of data, and determining contextual relationships between directories, etc.: • Included support for all known Extension blocks and auto-detection of unknown blocks, unknown Sheilbag types, etc. Data interpreter to Hex view. As hex values are selected, the values update from the cursor’s position. • Support for NTUser.dat and USRClass.dat. Consistent display of data for bags. • Ability to view all bags recursively to easily sort, filter, etc. • Ability to ingest multiple registry hives and remove duplicate Sheilbags. This allows for a comprehensive view of directory access spanning the range of data in all registry hives. Ability to show what directories were accessed on CD and DVD media (and therefore showing what °

°

drive letters were optical readers).

38

©2017 Rob Lee

Usage: SBECmU -U

--dedupe

Required. Directory file to look for registry hives (Default: False) When trues SBECmU processes all hives and removes duplicate shelibag items Deduplication is based on BagPath, Slot MRUPosit.ion, Values CreatedOn ModifiedOn, AccessedOn MhEntry MFTSequenceNumber FirstExplored, and LastExplored

--timezone

(Default; GMT Standard Time) The timezone to use when displaying dates and times (Default = GMT Standard Time). Enclose in quotes. Use --timezone&’” to see a list of all available timezones

--help

Display this help screenS

Using -U, SBECmU will process each file in and create one TSV report per file found in \Out. Using -d and --dedupe, SBECmd will process each file in and create one report containing the information from ALL hives with duplicated shellbags removed.

DFIR

FORSOO

I Wrdows ForenicAnalysis

c:\cases>S B ECmd.exe —d c:\cases\Shel Ibags Parse time: I £6 seconds Total Shell Bags found: 303 Totals by bag type Variable: Users property view: 62 GUID: Control panel: 16 Control Panel Category: 8 Root folder: GUID: 19 Directory: 141 Drive letter: 6 Users Files Folder: 6 History folder: 4 Variable: MTP type 1: 5 Variable: MTP type 2: 1 Root folder: MPT device: I Variable: 10 Network location: 8 Variable: HTTP UR1: 14 Users property view: 2

©2017 Rob Lee

39

Sheilbags Explorer Command line edition • SBEcmd. exe By SANS Instructor Eric Zimmerman • Start by copying all usrclassdat and ntuserdat registry hives to an analyst created Sheilbag-Hives Folder

I

c:\cases>SBECmd.exe —d c:\cases\Shellbags Parse time: 1.86 seconds Total Shell Bags found: 303 Totals by bag type Variable: Users property view: 62 GUID: Control panel: 16 Control Panel Category: 8 Root folder: GUID: 19 Directory: 141 Drive letter: 6

Users Files Folder: 6 History folder: 4 Variable: MTP type 1: 5 Variable: MTP type 2: 1 Root folder: MPT device: I

Variable: 10 Network location: 8 Variable: HTTP URI: 14 Users property view: 2

40

©2017 Rob Lee

Parse time: 1 .86 seconds Total Shell Bags found: 303 Totals by bag type Variable: Users property view: 62 GUID: Control panel: 16 Control Panel Category: 8 Root folder: GUID: 19 Directory: 141 Drive letter: 6 Users Files Folder: 6 History folder: 4 Variable: MTP type 1:5 Variable: MTP type 2: 1 Root folder: MPT device: I Variable: 10 Network location: 8 Variable: HTTP URI: 14 Users property view: 2 Finished processing c:\cases\Shel lbags\usrclass.dat’ Exported to: ‘c:\cases\Shellbags\Out\usrclass.dattsv’

Processing complete! Processed I files in 1.86 seconds! Total Shell Bags found: 303 When completed, it can be easily imported into a new Excel sheet. Select import text -> select the output .tsv file select Delimited -> select Tab -> select Next -> select Finish.

->

©2017 Rob Lee

41

Usage: SBECmd -d

(Default: GMT Standard Time) The timezone to use when displaying dates and times (Default = GMT Standard TimeL Enclose in quotes Use --timezone”” to see a list of all available timezones

--dedupe

--timezone

Display this help screens

Required Directory file to look for registry hives (Default: False) When true, SBECmd processes all hives and removes duplicate shellbag itemsa Deduplication is based on BagPath, Slot MRUPosition, Value, CreatedOn, ModifiedOn, AccessedOn, MhEntry, MFTSequenceNumber, FirstExplored, and LastExplored

--help

Using -d, SBECmd will process each file in and create one TSV report per file found in \Out% and create Using -d and --dedupe, SBECmd will process each file in one report containing the information from ALL hives with duplicated shellbags removed

CN

I

L h.IST’c Dc

01cc

C

S ‘cc-

cc

SD

Ccc -cc

S

‘‘C

S

-

-ccc’

c.\r

-

icci \tc \\‘,\D ‘‘jt ci

‘Cc’

0

ccc

cc Ii] cS

0

-

\c,vf c-I

cc

i-C-cc’

ccl

c.,

1’ccc

k

0

I

c”’sDccc

is r’cO cc

cc.

ccc

‘cc’cc

scm cc C -ccccc cc’ \cCtccscC c’ C’:’, Occpl pO.1”c’ccc cc\Scvc -cc ‘cc-’—’ c-c c sO

cc

‘c

cc ccl

I,

‘Sf

\ci cc’\c’,c-,f cii Dc-c’S”

f—S -

r

cc

-

C!, ci

--‘‘

1

\

-cc

(c-c

1 0cc

t(”

-Sf

cc scccy

cc.

cccc

t’

,j

Sf

cf

cc ci ‘c-St

c-cc

‘cc

5”

5

Wcccc

cc

Cc 1,1,P,

Ic

-Ic’

I

f

c-

p’ I

-

4

Ccccc

ft cc\ -eD -5 -c’1S,vc

‘cci

tIe

•‘.c-\’

-

1 -‘cc’-’



t

7A1

1 cc)

c-ri c

1

c/ -c-c

cc

ccci

T

cc’

D FIR •

02

Cc

c

*

FOO0

,c) ‘,

c’ 0

I Windows Forensic Analysis

Absolute path: The absolute path from the Desktop to the location of the shell bag Type: The human readable description of what kind of data the shell bag represents (file, folder, and so on)

MFT entry MFT Seq. number • •

First Explored: When available, the timestamp a folder was first explored Last Explored: When available, the timestamp a folder was last explored

If entry number> 0 and sequence number> 0, then the file system is NTFS. If entry number> 0 and sequence number == Null, then the file system is FAT. (further checks against the accuracy of Last Access are then done to determine FAT versus exFAT.)

“E:\Documents nd Ic: \>5ba9Ibgsdbiake• txt

ISe’\shel

Settings\DonaId B1ake\NTUSERDAT” > c:\case5\blake_ca

©2017 Rob Lee

43

Win7—Winlo Explorer Access C: \> sbag.exe \usrclass .dat >> results. txt —

I

FOR500

OfIR

Windows ForensicMalysis

sbag is a $hellbag parser written by TZWORKS LLC used to parse the evidence of folder opening data that is stored inside USRCLASS.DAT and NTUSER.DAT hive files effectively. To determine the “last folder opened” in a key, examine the output of the C$V from sbag.exe and examine at the MRU column looking for entries marked with the Perform search for Volume GUID in the Drive Letter Or NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs -> Perform Search for Volume Name Or Perform Shortcut File (LNK) tile analysis

Perform Search for Volume Name

->

Drive Letter = 6. Determine Volume Name Device Mapped to SOFTWARE\Microsoft\Windows Portable Devices\Devices-> Perform Search for USB Serial Number and

Match with Volume Name Volume Name= Drive Letter (VISTA ONLY)= 7. Determine Volume Serial Number SOFTWARE\Microsoft\WindowsNT\CurrentVersion\EMDMgmt

->

Perform Search for Volume Name

and/or USB Serial Number. Convert the decimal Vol. Serial Number to a Hex Value for LNK file analysis. Volume Serial Number (HEX) = 8. Find User That Used The Specific USB Device NTUSERDAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2-> Search for Device GUID User = 9. Discover first Time Device Connected C:\Windows\inf\setupapi.dev.log -> Perform search for USB Unique Serial Number Time/Timezone SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven Prod Version\USB iSerial #\Properties\ {83da632697a6-408$-9453-a1923f573b29}\0064 -> Value = Windows 64 Bit Hex Value timestamp Use DCodeDate 10. Determine Last Time Device Connected SYSTEM\CurrentControlSet\Enum\USB\ VID_XXXX&Pl D_YYYY

->

Perform search for Serial Number

(Last Written Time of USB Serial Number Key) or NTUSERI/Software/Microsoft/Windows/CurrentVersion/Explorer/MountPoints2/{G UID}

>

Perform

search for Device {GUID} Tirne/Timezone SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USB iSerial #\Properties\ {83da632697a6-40889453-a1923f573b29}\OO66 -> Value = Windows 64 Bit Hex Value timestamp Use DCodeDate —

ii. Determine Time Device Removed SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USB iSerial #\Properties\ {83da6326-

97a6-40$8-9453-a1923f573b29}\0067

->

Value

=

Windows 64 Bit Hex Value timestamp

©2017 Rob Lee



Use DCodeDate

69

For Windows XP XP USB KEYlfhumhdrive

I. Write Down Vendor, Product, Version SYSTFM\C rrc ttontrolS t\F um\USBSTOR Vendor Product ersion -

2. W ite Down Sera N m e s SYSTEM\CurrentControlSet\Enum\USBSTOR

Serial Number 3. Determine Parent Prefix ID e tC nt ISe \E SYSTEM\C

ii

\USBSTO

Parent Prefix 1D

4. Determine Vendor-ID (VW) and Product-(HD) SYSTEM\CurrentControlSet\Enum\tJSB -> PerForm search For S/N ID XXXX= PID YYYY=

1. Write Down Vendor, Product, Version 2. Write Down Serial Number 3. Determine Parent Prefix ID 4. Determine Vendor-ID (VID) and Product-(PID) ‘v”

“1To

i

2

7.

70

©2017 Rob Lee

5. Determine Drive Letter Device Mapped to SYSTEM\MountedDevices-> Perform search for ParentldPrefix in the Drive Letter Drive

6. Write Down Volume GUlPs SYSTEM\MountedDevices> Perform Search for ParentldPrefix in the GUIDs {GUID} =

7. Find User That Used the Specific USB Device NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2-> Search for Device GUID User

=

8. Discover First Time Device Connected C :\Windows\setupapi.dev.log -> Perform search for Serial Number Time/Timezone 9. Determine First Time Device Connected After Last Reboot SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-1 I dO-94f2-OOaOc9l elb8b}-> Perform search for S/N or SYSTEM\CurrentControlSet\Enum\USB\ VID XXXX&PID YYYY (Last Written Time of Serial Number Key) Time/Timezone

->

Perform search for Serial Number

=

10. Determine Last Time Device Connected NTUSER//Software/Microsoft/Windows/CurrentVersion/Explorer/MountPoints2/{GUID} search for Device {GUID} Time/Timezone

->

Perform

=

©2017 Rob Lee

71

r • Track MSC USB devices plugged in to a machine

• $YSTEM\ CurrentControlSet\Enum\USBSTOR

C • Identily vendor, product, and version of an MSC U$B device plugged in to a

machine

• Identify a unique USB device plugged in to the machine • Determine the time a device was plugged in to the machine

U FIR

FOR5C

1n w

oru.sic Anal 3j

USB Key Analysis is one of the most talked about areas in computer forensics. The forensic analysis is useful because you can track USB devices that have been plugged in to a machine. With US3 key analysis you can



Identif,’ Vendor, Product, and Version of a USB device plugged into a machine. Identify a tinique USB device plugged into the machine.



Determine the time a device was plugged into the machine.



The USB Key information is stored at the SYSTEM\CurrentControlSet\Enum\USBSTOR key. From the US B FAQ: I ntennediate (www. microsoft.corn/whdc/connect/usb/usbfaq intermed. mspx): “If the device has a Serial Number, Microsoft requires that the Serial Number uniquely identify each instance of the same device. For example, if two device descriptors have identical values for the id Vendor, idProduct, and bedDevice fields, the iSerialNunther field will distinguish one from the other.”

72

©2017 Rob Lee

7

C

Err

.J,.

JT.

Device Class ID



D.r

I J

j Dk.5Ver_MSyo&Prd.DrLMrmyry&Reo.33O j D o& r (‘LYMPUS.P c d o,1O 1OP Re I o Kr J dwr Pro, J Sr cr Sont rISO

Unique Serial #

...

Note: Devices without a unique Serial Number will have an “&“ in the 2nd cha;acter of Serial Number

D flJ

0R500

Wií ows Fc rensic AnaIyss

To qualify for the Windows Logo Program, “Designed for Windows,” the USB device must contain a unique Serial Number. Essentially, although the vendor ID, product ID, and the revision number might be the same for similar devices, each unique device contains a unique Serial Number to differentiate it from the other devices. The Serial Number does not include the &O or &l at the end of it. Reference:

http://www.microsofi.com/whdc/archive/usbfaq.mspx#EPCAC However, not all devices conform to this standard and thus do not include a unique Serial Number. Devices that do not have a unique Serial Number will have an “&“ in the second character of the Serial Number. For example, if a Serial Number were listed with 4&762219b0&O that would mean that this device does not have a unique Serial Number and possibly all similar devices would have the same unique ID. This device does not conform to the Microsoft standards.

©2017 Rob Lee

73

+

L

+

L

0 0

4:

÷:

+

+

+

+

-4:

+:

LLLLLLLLLLLL L

40

RI

in

rr

r I

C

L1

RI F0

0

I:J

LLg

I

m

[I

+

IU)

C CO 0

F

0

RI

L

I0

C CD

CD CD fl3 C) (ID

CD

C) 0 E0 I_I

I

F

-

IN

C) CD

C

co Fo

I 74



I

C (D C) CD CD

Di

Di

©2017 Rob Lee

r5p0

j LPTENUM i PU Zi EUlER J Root J STORAGE

jSW

J USE iJ ROOT HUE r Porn ttrrem .j Vrd_P5ec&Pd_1iO1

I

j 00002100RLCCESRE _I d0Th4&Pd 109 C] Vidj3Sec&PidO012 J Vid 1307&Prd 0163 J USESTOR Hardwrt ProIrlm j

Inst Written Time

REG5Z to., RErTSZ REQDWORD lumber REQDWORD HardwttejD REG MULTI ST CnmpotrbIIEtt REGMULTI5Z OoGUtD ERG 52 Oem ERG ST REQSZ REQSZ REQSZ rOe REQDWORD

DoW USE Mass Storage Desice i2o9 660000014 (20)

000000000 (0) USB\VdGSac&Pid1361&RevOlrSD USBWidO5ac&P.. US Class 0S&SubUass 06&Prot 50 US00IrssOE&. (R0FC9E60-C46541CFR05644455354T000( USE {SOFC9E-C46541CFO056444553TI0r160)6011 Compatrble USE storage dostrm USESTOR 0o00000000 (0)

(1/16/2009 262400 UTC

DHR

FOR500

I

Windows ForencicAnalysis

Find the VID and PID for later use to determine the last time the device was connected to the machine. Under the USB Key, it details the VID and PID of the device but not the named manufacturer and vendor. This key details all three key types inserted into the system. The keys found here can be used to reference any of the three types of storage classes. Unfortunately, only MSC is required by Microsoft to have a unique Serial Number ID, so you are likely to see many more generic USB Serial Numbers for PTP and MTP devices especially. You can look up unknown VID and PID using the website http://www.linux-usb.org/usb.ids

©2017 Rob Lee

75

75

Located in Windows Server 20t)8 W1)K t :IIhitI r/ck8lI J FORSO

DFIR

Viriow. Fotsi Ana ysis

In many cases, you might find a USB Device where you need to pull the Serial Number off before finding the system that it was connected to. In this situation, you can download a UVCView tool that details the unique information associated with the currently plugged-in USB device.

76

©2017 Rob Lee

16

Discover the Volume Name of the USB Device when it was plugged in the machine

•MSC



Removable Media

•MTP •PTP

;1)CatIoii • SOFTWARE\Microsoft\Windows Portable Devices\Devices

—!AVA tV

i i rn

• ldenti’ the USB device that was last mapped to a sI)ecthe Volume Name using USB unique S/N Number of the USB Device (WIN7 only) •(Note: Drive Letter can only be mapped from this keywhen a volume name does not exist) •find Serial Number via USBSTOR SYST4\ curren tcontrc1Set\num\USBSTCR\

•Volume Name can be mapped to Drive Letter via examination of LNK files (Discussed in next section)

DFIR

FOR500 i W dows F rensi-’ Analysis

We can map information back to the drive letter by examining a new key created on Win7—Winl 0 that logs the last drive letter and Volume Name for each device plugged in to the computer. You can easily find the drive letter for the device by performing a search for the device’s unique Serial Number. SOFTWARE\Microsoft\Windows Portable Devices\Devices

You can also identify the Volume Name of the device that was mapped to a specific USB device and Serial Number. Windows Ti 0 seems to change this a bit as not every device will have the previous drive letter recorded. With Win7, you need to check here as well as use the MountedDevices key with the device GUID to determine the last mount point of the device. In comparison on WinTWin10, we cannot map the drive letter back to the USB Device because the drive letter no longer is listed in the Windows Portable Devices key in Win7. Only the Volume Name of the device will be listed. This will still be useful to an investigator because many LNK files will exist in the Recent folder on the Windows machine which will include that same Volume Name and include the drive letter. Using temporal analysis you can identify using timestamps and LNK file analysis, the correlation, and the potential drive letter of the drive, You can ttse the WinXP method to map the drive letter using the MountedDevices key.

©2017 Rob Lee

77

0 Type





USPD O54C&fTD1197&MI pyyp TJ?

USE

MRCOTUME2&S71T%E1STO

GFeVGUJM

O%&OID5T&PDSDT16TPF’:S ?Sr’eJIE ST DID 5’44&F SDOSG&RE tS

&TT42_BE&T&OP

O9OlD5D2: WPDEUSUMSOOTCU2SsT7(1&S&STORAGEPVOLUMEP USBSTCROISK&EN &PROD &RSV e SK&VEM &PROD Glc’AWAREEyl(14IOyp57&EUP9&O WPDBUSENMROOTiMB2&37CiS6E&1&STOGE’VGLUME3 SSE31ORDI TC: STGR03ISP03EN &PRDQPATPI0.TJ2EMOR(AREIyMAPypTEIYilgS 1051003 E=2ULUMyp 1E 20370: OPDEUSE UI. 0OTUl E0.??USE0T0PeOiSS&0EN&PP0E5jYS Lllslç.2 505 PMAPSOISUO4000IyS&03 S5PDEU$EtJUMR00T#UMEe2f37C1S5E30&ST0RAGEV0LUM 3DDS5SC& IOOeSAS5Z 003506EV RASH APDEUSENUMRCOT0JM5e2037CIS3E&I&ST0RAGE oLuMp::USEsTCorn5k03EH 01000 056 03I?j5ES1C10 1550550 APPLt&PRCDJ30D&R6V276eTSHA27CUl5C4E057 WPDEU3EHUMR0003UMB03&57C1366&1&STOR2GE030CUM WFDEUSENUMSO0TSHElEOS7CI1GBC0&S1003GE03

FORSOO

OFIR

I

Windows ForensicAnalysTs

you can identify This is an example of looking at the Windows Portable Devices key on Windows 7—10 where between change critical but minor was a This letter. the Volume Name but cannot determine the drive Windows VISTA and Win7—WinlO. Serial Later, when you examine link files (.LNK), mapping the Volume Name back to the unique device letter. Number enables you to still determine the drive

78

©2017 Rob Lee

©

(0

-1

0

0

r

0 0

N) C

I

a

I

c 4’

: : :

HhH9 1\cjt1t?:jcj51%ç;g’:

.

0MtJ :

:

II

4

JSESk*)LP1s)O!!iVt 1*I?tsLf&:&s7’cg;,;uq::jsssL4pMe1!;1 &P’C U! Fb’N CRM&[4 1 41SEYC &4EDD1tPD1P1%!1&E1 1::1erY:::li9!E v:v

:

T;Y:TC1SR;S2AEt, C’S\fl’ :*

h

Jst:e&144%%fIl&*t,

:f4’ i4 t4S’? E1”& LSU’:%>1

i

1:”g: :s)T2AGE:4

%‘C;T;

rrJ!%C

r

!aJ &;:)

1 %fi : :ir i>ev

::i:

I t.

-

-‘ ..

0

V:.;!c F.’2r.’.V

tth.,s

(

Next, we want to deterniine the last drive letter. Alternatively, on Win7, you can use the Device SIN to find the the last drive letter of the device. This step is similar to the WINXP version, except with WINXP you use ParentlDPrefix to find the last drive letter. For Windows XP:

Discovering the drive letter of a USB device when it was plugged into a machine is a two-step process. first, you need to have written down the ParentldPrefix from the USBSTOR earlier. Then you open up the SYSTEM hive and examine the MountedDevices key. The last device that was mounted at a drive letter has its ParentlDPrefix listed in a value, Search for the drive with that parent prefix ID, and then you will know the drive letter of that device. If another device were plugged in and assumed that drive letter, then you will not know the drive letter for a specific device. This works only for the last device that was mapped to a specific drive letter. This is not historical like you find on Win7Win1 0 with the Windows Portable Devices key. finding the ParentIdPrefix is important for correlating some additional data later on for forensic purposes. When you click the Serial Number, you see the parentlD Prefix listed. This ID will be useful for tracking potential data found on this key in both .lnk files as well as correlating the information to the mounted device’s key, which we talk about shortly. SYSTEM\MountedDevices key works only for MSC devices

80

©2017 Rob Lee

OD

Edit

Report Vsew

Setup

_J :PA

Window

2

[7

\Do;Devices C: At.??;voIumeta6880l24boac-fldf4b7.. i0? 0olume(a6880l25b0ac41df”8b7... 1fj(\?? olurne(a6880l2%b0ac41df8bL.. ! W\?iVclume4a68S0l20-b0ac%ldf’8b7.,.

Name

GEt n

SF 4F 56 ‘2

03 DC DC DO 00 00 00

44 32 35 62 30 33 62

:: 32

00 00 00 00 00 30 03 DC 03 CD 00 CO 00 00 00 CO 03 00

r,

00 03 00 00 DC 32 02

66 36 2% 61 38

30 00 00 00 30

as oo

SF 52 63 6F 26 34 30

SF 23 68 64 32 23 30 31 55 62 39 50 62

00-35 20—44 00—SF 00—SF 02—65 02—41 33—33 02—26 00—36 03-66 02—34 03—63 OD—t

PEQBINARY

30 00 CO 00 00

35 2% 66 39

DC DC 00 DC

53 31 32 31

Data

i: :i





5300’? ‘‘55’5’3’ 65 00 1 CR 4 3 2% CO £V C ft SD OC P’:’O 4’ v I’D’

cr nn r net r An rr net CC etA

Ar. n

net ci n ci

ret

,t

SCUD 3F00 SF00 SC 00460044004300 230047 00 SC 00 3F 00 3F 00 SC 00460044004300 230047 00 SCUD 3F 00 3F 0050 004900 44 00 4S 00 23 00 43 00 241800420000500600000000 DB C3 AC 3D 0000100000000000 DB (3 AC 3D 00 00 10 00 00 00 00 00 SC 00 3F 00 3F 00 SC 00490014004500 230043 00 SCUD 3F00 3F00 SC 00490044 004500230043 00 SF00 3F 00 3F 00 SF00 5500 53004200 53 0:0S400 4...



51 1800 42 0000100000000000 241800420000100000000000 2A 1800420000500600000000 51180042 0000100000000000 SCUD 3E003E005C00A9..00.44f’04iGifl00A100

03 00 3100 CC 2203 d0’ 94±2’ DC 65 00 O0-a 0 a 9 1e I h’8 b 4

00 53 00 42 00 00 69 32 “5 00 00 48 DC 50 00 00 76 00 31 00 03 76 30 SF 23 0341203922 00 30 20 30 00

Jt Di. Velume{34c573bc-3490-11e3-a96... 03 SF 112 54 2026 50 50 40 30 52 30 62 31 roc 37 30 55 93 2% aD 64 b5 30 sO 66

.

RE BINARY REQBINARY RE BINARY REQBINARY PEG BINARY

Type

RE BINARY 3J(\DosDe:icesA: REG3INARY W%% Volurne(a9iOe59bb1e241dfa1L. REQBINARY a{SSafc2df4ea241dfb7df-0OOc29d2... REQBINARY “\#olume(4Q744t1c on ii€o 9951 REQBINARY O*tf49744fld 01 71 lieD 9951 flOOc290Z REG3INARY f\Do;Deáces\D: REG,,B1NARY f4?+Jclumetflbf5dUd127i41e0-8548.. REGJ3INARY

,1DWclume{a688012a-b0ac-1ldf-8b7.

Help

4 l420h1 3:24:36 UTC

McuntcdDeices RNG

J Select

J J

B Key Properties Last W?tter Tme

+

+

J CcntrclSet30l fl ControlSetOO2

L 5STEti1ccpy0

FHe

AccessD*t

ri’.______ rCLFo ‘ECU’&’4T. cMN HEjCJ ‘‘

lie] )57 7l3el’ -4cI,rne(l%i6l% i.b14ieIi5l6 7i8u7c, :is’i

5):lc’foi5S)s 042

YOc24204

;rne;Ycl ilb’4ll )i ‘i

SFTWA$

22f702li4li,i’00 01 12



5oo:04015i4o4ooco1i’0142e’.

[j6coo1ooooooocoeo cm cm cm cm oo io 5c 00 3f 00 3f 00 %c 00490044004!

FORSOO j Windows ForensicAnaly1sis

flfIR

The information that is needed is the MBR Disk Signature that is located in the MBR; it is a 4-byte value. I have not had the chance to test this with a GPT partition table, but according to the fifth edition of Windows Internals, it is supposed to use the OVID instead of the disk. How does this work? First, written in the MBR at decimal offset 440 will be the MBR Disk Signature. These signatures are kept in HKEY LOCAL MACHINE\SYSTEM\MountedDevices for connecting disk partitions and drive letters. This 4-byte value is written to the disk. If the disk does not have an MBR Disk Signature, Windows creates one for it. On the slide, the disk signature is 92 FA 76 00. If you want to profile this physical drive, you would write that value down and then open your SYSTEM hive from your Windows registry’.

i,:’

F

JR

4

4

t’< H

82

©2017 Rob Lee

rrti n tELrc

SY$TEM\MountedDevices for USB Hard Drive Enclosures Purpose:

The key for physical drives is only 12 bytes (4-byte signature and 8-byte partition location). Identify physical drives attached to the Windows machine: •

4-byte value located at the beginning of a physical drive entry in the key Identify partitions/volumes on a specific physical drive: 8-byte value stored in # of bytes following drive signature Discover drive letter assigned to a volume.

Why is the key useful? Track drive letters and physical drives attached to a windows Os. Track external enclosures attached to the machine. Determine the drive Volume GUID. The MountedDevices key is important to tracking physical devices plugged in to the Windows operating system because it incorporates the drive signature and the partition location into the key. Each physical device differentiates itself from a Thumbdrive by having only a 12-byte value instead of a much longer key value. The first 4 bytes of the key value corresponds to the drive signature. The next 8 bytes are the total number of bytes or byte offset until you reach the beginning of that partition or volume. This can be calculated by taking the 64-bit or 8-byte value in little endian order and calculating the integer stored at that location. After you have the byte offset, you can determine the sector location by dividing the integer by the sector size (512 or 4096). The key is important because you can identify which physical drive and determine the drive letter assigned to that partition. The investigator can track the external. It also helps you identify the Volume GUID used in additional examinations surrounding drive enclosures and the mounting of media on the windows operating system. —

c Compu54r f00EY CL’ ccc pcyr —fr-El U ENS UFr 4 501015400001Sf H000S2ARE SECURIW OFT FE

Or-STEM 1c tr Or-SOS Sr t F- 00r-’

Ncr-ne r-r-r-r- r-Dr-fcultS 525 Vclume17268E3-3Ib741e3195SG001053F369e7c525 52 r-3cIumr-51700O03523Ibi3Ir-I95di3i30S154cfO5 30 urne{I?203636 31b741e1 3376 67)33353c7r-f00 03 0cncrne0736S%36-31E5254e31557%7%33369c7d05 36 OS52cnrneSi?256706-?ib7 11e1-0046ni7535039i7d3) 355 cIunr-r-553b63b17-24c041e1000151 45?fer-dOthOS

S55 DocDer-er-c*D: 550SOocO cr-F-Er:nr..

Or-tr

00053 CEO FINOF I CEO ESISSEc CEO BINSRV CEO 51540Cc CEO EU 100 REt) 5154003

ncr-f cr-U 5100 Sf00 Sf fr-i Sf00550053304) 00530331 031 r-fCr-JFf00if00Sfr-10 r-r-0051004103530334334 Sc 00 Sf00 Sf0051 035500570042 00 53 00 5r- 03 Sf0) Sf 5031 505f0055005100425r-3520) 04004 Sf00 Sf003100 Sf00 550033004300530351 000 0 Bc Ff3600 Se 000000000000

r

ft

Sr-i

3. 1cm

Typr-

H H Sf05153303 PEG 515100) Ff0 £154003 EEGESNAR% -





r-f

Ii

315476000000504FF-) 5000 Cr-) I Sc 00 Sf00 Sf00040040004403450023001300 51 00 0000Sf Cr-) 5100 330033004100335054504,. 31Cr-S Sf00 Of, Sf 033300? 004100330351Cr-)

S t r-rt H54Y Ur-r-36 HKEYCURRENTCONFSG

Comr-uier-:,HKEi LOSAL MAcSHINES ISTEMMntedDeccr-ec

©2017 Rob Lee

83

You can see the value is 92 fa 76 00, which matches the drive signature found in the MBR. You might wonder aboutthe $ bytes of information that immediately follow it. Those bytes (00 00 10 00 00 00 00 00) are the byte offset of the location of the beginning of the partition. If you convert to little endian and convert to decimal the value stored in those $ bytes 1 048576 bytes. If you divide by the sector size (5 12 bytes), the value would be sector address 2048. If you look in the MBR, you can see that the first partition begins at sector sector 2048). The last 8 bytes of the signature stored in the registry key point to the address (00 08 00 00 byte offset of the start of the partition after you convert the bytes into the sector address. In the second example, you can see that the bytes that make up the partition location for the second partition are (00 00 10 4b 00 00 00 00). When we do the calculations in little-endian order, the total number of bytes until the second partition would be 1259339776. The sector location would be 1259339776/5 12 = 2459648. This also matches what we have listed in the MBR examination. The other thing you can use this information for is drive mapping. Notice that the \\DosDevice\C: maps to the second partition location. You now know exactly which partition was mapped to the C drive or any drive letter that is listed here using the drive signature and the partition location. i° Ge

ict C

Why is this? Simple if you have a drive enclosure or a disk drive with two or more partitions, the MBR Disk Signature is the same. Therefore, the last 8 bytes are needed to tell one partition apart from the other at the operating system. In some cases, you have two partitions that have the exact same MBR Disk Signature but are two different partitions from the same drive.

84

©2017 Rob Lee

]

NJ

©

0

r a a

C C

0

100

[

(Defeult 1% JCNolume41726862931b741e1-9576-d73339%9a7d0) IA \fc!urneI17263633-31b741ej-9575cl7333939e7d0) IA 2:voluni€1716s69b31b7-ild9s76-dm33;soa7do} 00 \?‘ teoIurne(1726S69d3jb741e1957EUd7833939a7d0) IA T5/olume[17263706*31b741e1.-957%d7633989e7d0) IA 7CVolumeb63b17.2da9ct1e19O%5-c417feed3eb9) IA TAo!urneIe30f1e44-2da3-fle1-ba52-E06e6f6th963I ?Volume(e%0fle4S2da341e1-ba5i80te%f6eb963) 00 ??\Volume{e30f1e4a2da3-11e14,a52-806thf6ed963) DcsDev:cesC: 00 OosDev:ceC D: IA \DosDeAceAE IA OosDences F:

t

Name

ComputerHKEY.jCCALt1ACHINE SVSTEltMountedDevces

4

Computer HkE’vCLASSESROOT HKEYCURRENTJJSER HKE LOCAL MACHINE BC00000CN)00 HARDVfARE SAM SECURIT ( SOFTVARE e SSTEM ControiSetOOl ControlSeto02 C urrentControlSet McuntedDeices PNG Select Setup Scft.are IJPA HEEV_USERS HKE_CURRENT_CONFIO

jçc

:L

k

RE6_SZ REQBINARY REGBINARY REG_BINARY REG_BINARV REG_BINARY REG BINARY REG_BINARY REG_BINARY REG BINARY REG_BINARV REG_BINARY REG_BINARY REG_BINARI

Type

Data

I

(AcNe not set) Sf00 3f 00 31 0051 005500 53004200530054 00 4 5100 3f 00 3f 00 Sf 005500 53004200 530054 00 4.. Sc 003100 3100 Sc 00 5500530042005300 5400 51 003f 00 3f 0051005500 53004200530054004. 5f0031003f005f00550053004200530054004. fe8c9f 3600 7e00000000 0000 92 Ia 76000000 100000 000000 92 Ia 7600000010 4b 00000000 5c003I003f005c0049004400450023004300. 7009990000990 Sc 00 3f 00 31 00 Sc 00 49004100450023004300 Sf0031003100 Sf00550053004200S3 0051 00t 5f003f003f005f00S500S3004200S30054004

041

J

02ooot

44 54034340045 -4 1434? 4&03o,0:352C o443-lI4i40340053s%bS450 4’S 410200010000021541 )oo-1133soo335%X0S3

J

:

-; •_J 0C00

J 4

C

S-Sow SoSSoow bbs

419004453 05450

0001-I [3%5d 45503I55027 0401 1533 owl 30bb040 5%So54,{5-S5050o’ oSo)-l iSo) sw5 035041003353’ 93413153026353155 54130355 ‘005 50 0005 -oS-32 1’5354’5431bb r((fl43k&9o&o411543S0500Co55E10

0572 0410 0033 0’ 04 044001 533544 P041744100 So 00 Co? 00417 15 357233335573455400021’ 4 032405 0741 15’o 0350000035)03 05% 37304 0003531535J73400345553325545o 5550535 5’ 30 soos 0052410341 00osl 413532% otssbbo 52Eo)35053 ‘F 55010000300% 00 4200’ 55051 FE, 353510 So. 002040330 50’ (03551004054 o ESoo’ ,owS$1400 54’ 002055’) CF 105050104103(0312001355034 5523 355543151 505°) ‘54195(442(457-? 3050300370 01-, 734330 5557-5052353700521500590042-70035? 00317 00553554450

30’-’

00--

•05E’S loSt 0031 lOSt S-OttO —25 lOSS 5544’ lOSS 10 54 05 40 00 SO 00 7 03 44 00 19 74 33 00 60 40 T0E0P1o03 ow ‘App 20 3 05 56 43 63 54 Is (0 50 4’ 41 3 7 0 70 230 2 toO 100 So St 34 (0 93 60 03 50-3% 23 30 40 00 65 05 6’ 00 45 (9 05 Co 50 60 sO 14 (3-26 55 ‘2 13 45 45 76 52 or-s 4’ ‘ DC 03 50 52 52 32 4’? 2? 04 2? 33—’0 05 27 23 55 79 02 41 5? 32 52 39 559-10 55 70 79 50 15 35 53 03-27-02’!- 5 333095004535-’253439?26003559550’E-(,-59043 0 10 23 00 50 44 35 15 33 03—46 CO 30 02 340033 U 37--bbs-Sot--SO 5354’05026006o3o-3600653S6400 6 0? 5-3-030—4-1sO 71 05 35 05 64 00 35 53-Os! 00 39 13 54 -S-os-3b0S20C240SS05-,3553-6iC05036SOO?OO02---l-O 50(2337355 1ttbS04 OS 31454305(4054155—555

2

4

It’s important to locate the volume GUID for the physical device you are analyzing. You accomplish this by searching for the devices Serial Number inside the data value of the various GUIDs in SYSTEM\MountedDevices. After you determine the GUID for your S/N of interest, write down this GUID. It is used in the next step to map to one or more users on the system via their individual NTUSER. DAT. Keep in mind that on a multi-user system, more than one user could have had the device connected. This GUID is used next to identify the user that plugged in the device. The last write time of this key also corresponds to the last time the device was plugged into the machine by that user. The number will be referenced in the users personal mountpoint’s key in the NTUSER.DAT Hive. We use the GUID of the device to map it back to a specific user that used the USB device. This GUID is used next to identify the tiser that plugged in the device. The number will be referenced in the user’s personal mountpoint’s key in the NTUSER.DAT Hive.

86

©2017 Rob Lee

86

iourej, .

h4

RE E;PP

i

I

+

Ii

A

J O-54thc —

U2

_J

114-.:

I

I

II

ft’ Hc.-,:;4+7’, fl. H 11 1+4

41

++);

‘+Jd

DFIR

FORSOO

I

Windows ForensicAnalysis

After we know the GUID, we can now use that information by searching through the MountPoints2 key found here: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Mountpoints2

Note: The mountpoints2 key contains only MSC-related data. Having mtiltiple users could slow the process down, but the GUID will be mapped to the user that inserted the key and appropriately recorded.

©2017 Rob Lee

87

•Key is traditionally used for ReadyBoost hut is disabled if the system drive is an SSI) •Key stores the Volume Serial Number of the ?ilesystem Partition en the USE •NOTh: This is not the USB Unique Serial Number; this is created when a fflesystem is initiall formatted —

L

L • SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDM9mt

Use Volume Name and USB Unique Serial Number to find Last integer number in line Convert Decimal Serial Number into Hex Serial Number • Knowing both the Volume Serial Number and the Volume Name you can correlate the data across SHORTCUT File (LNK) analysis and the RECENTI)OCs key -The Shortcut File (LNK) contains the Volume Serial Number and Name .RecentDocs Registry Kevu most cases &mtain the Vohane Name when the USB Device is opened via Explorer

A key identifier to help us correlate USB device information in Win7 Winl0 is the Volume Serial Number. The Volume Serial Number is created when the file system is initially formatted, It is assigned by the operating system. A new Volume Serial Number will be created each time that the windows file system (FAT, exFAT, and NTFS) is formatted, When a USB device is inserted, data about the USB device will be written to the

key is used for SOFTWARE\Mierosoft\W±ndows NT\CurrentVersion\EMDMgmt key. The EMDMgmt

the ReadyBoost technology that was first introduced with Windows VISTA and is still intact in Win 7- 10. The key is used to remember the specific key and whether it passed the ReadyBoost inspection test and if it is currently in use for additional performance for your host system. As a result of a system with disabled SSD ReadyBoost, this key will not be populated with USB device data.111 For each key in the EMDMgmt key, you can notice that the device manufacturer, ID, and unique USB Serial Number exists. In addition, you should see the Volume Name before a final integer value. That final integer value is the volume Serial Number, You can convert the integer to a hex value by dropping it into your calculator and switching it from decimal to hex view.

On the next page, you see where I formatted a USB Key called Rob Lee USB Key. I use a command called vol,exe to list the details about the volume, In it, you can see the Volume Label/Name as well as the Volume Serial Number. Using Regedit, I open the EMDMgmt key in the SOFTWARE hive and locate the USB Device by looking for either the USB Unique Serial Number or the Volume Name, The last integer is the decimal representation of the same USB key Volume Serial Number. Using a calculator, I input the decimal integer value and convert it to a hex value by moving the view from Decimal to Hex. The value for the EMDMgmt key’s integer decimal value matches what we saw in the output from vol.exe.

88

©2017 Rob Lee

Initially, this might not seem that useful to us. However, you can use the Volume Serial Number as a marker to track that specific key and it’s utilization through analyzing the RECENTDOCs key or via SHORTCUT File (LNK) analysis.

rmat Fea

Caty:

Fa matm

[1] Understand ReadyBoost and whether it will Speed Up your System http://technet.microsofi.com/en-us/magazine/ff356$69.aspx

Allocmbon umt me 496 bytas

Re&diaobs

‘oRxpe ab& Rob Lee U5E Kbyt Format options I Quick Format

Volume in drive L is Rob Lee USB Key

Volume Serial Number is BGB8-441%

I

7

SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt

Cskulator

icima

Edit

Hdp

3065529362

12 neon

none

ocee

Odd

a

F

B Rd

t4

ttP

B.—

I

one:

Id

COd

Id

II

dR 1)

adn4

5

4

04

C Cord Ri

eons eeion

nO

f

0

COd

0

Rh

F

Not

ton

f

2

1 4

+

Cindow\systern321cmdexe

1: \>vol

I Volume in drive L is P Serial Number

©2017 Rob Lee

y -

89

;i w

r

J

--

.J J J

?

SESTORD k&V App &PdjPcd&RvJ. €2 J5ESTORP &V’

?€€15A5A&252fS€3€7b€f

11JO 24f2’&9Ief

R(E LEE S!21€9325A CRKOUTP€jAO225733i

90

In this example, we look at the same key we examined earlier on the Windows XP machine, the WORKOUT

IPO with the USB Unique Serial Number as A270010C4E86E. We first open up the SOFTWARE hive and browse to the following key location. SOFTWARE\Microsofi\ Windows NT\CurrentVersion\EMDMgmt When we are there, we would search for the USB Unique Serial Number A27001 0C4E86E and also look for the Volume Name. If the user reformatted the key, the Volume Name might be different but the USB Unique Serial Number would be the same. The last integer of this key is the Volume Serial Number. Note the Volume Serial Number is NOT the same as the USB Unique Serial Number. The Volume Serial Number is assigned and created EACH time the key is formatted. The USB Unique Serial Number is part of the makeup of the USB device and should not change. Write the decimal value to your notepad because you want to convert this to a hex value using your calculator.

90

©2017 Rob Lee

I

n-I n-I

L Ii 00

n’j

m

rj 0

no a a

s—I

0

20 00 C

us a a a

H C

0

0 >

0 U

A % C

0 C

a *

0

5.

I

C

C 0

a 5. a

C C



C

a V 0

I

V .0

‘1! It,

©2017 Rob Lee

I

I

‘3

91

L’0RK0UT1P0U531

B%384803

—3O%3587331

1 4

8

9 Li

d

lx

O

F)

I

2

4

9

F

FORSOO

OFIR

9

9

Windows ForensicAnaysis

Convert the decimal value 3023587331 in the Calculator in Programmer View to a hex value by inputting the value and then switching it from Decimal to Hex. You can see the value change to 343 84803, which corresponds to the Volume Serial Number 3438-4803.

92

©2017 Rob Lee

92

(fl

tt ‘I

11



toto

en en

to to

44

to to 10

to

4

4,4

en

at

to° to to

to

to

54

to

to

to

to

to Li

to)

C

to

4,

j

to

w\

cc0

0

to C

It

to

-

to

r4

N

4

to

N

ti

to to 0

to

to to %to .10 “ to to

t

a

00 to-2 i 3!! to

-

“4 to4,.I.t

en enen en

a

0

S

e

11

54

en

N tO

it to

to to

to

to

Vt

tJ

N

t

t

a’

0•

en

(fl

N

to tO to

6

Ii.. 0)

ci

Li

C,

t!;I to

“4

0”4

j

4

N

cc

a a

0 to C to

Ct

c2to

ak

!! “4

to

Hr

-4

to

I;

cc

0

Ci

a

-4

a

tot

C LIE

S

©2017 Rob Lee

6

a

S

93

4

) Shortcut Analysis 0eiy P

%Dxe4 andSDdIcer

Vc& 0PtL NCW41E

055153’ 58/0 P;h 84)80880804. EAi 4)8053

t%-e4p%, ‘SECRET F\SVSECRETp

Cied

83)8) H-88 84)80)888 58485 082 80 83 -

5] \‘4 Tp

t440ed

5/18280111018

1/000M11 l4 18/2080188034

VIP1200PPOOPO 1/18428051330)

14). 1/1244-311 1/l/))5884(8381

1212801 ip.4/41 1/1/13805008080!

1/13008358053 11/ 205083(43/00

1116/200S11 25fl

P Ro*Pt 17488 F; 180311 842033 0 R;±33

Vol Type

Vol Se;ial

Removable Removable Removable Removable

8438 9438 8438 8438

FOR500

UFIR

I

4803 4803 4803 4803

V0e

V4Nc

5438 4803 53438 4103

8008080580 004)13843

534%) 44)0 8480 4803

84)5188/ 80080081/83

Vol Name

WORKOUT WORKOUT WORKOUT WORKOUT

lPO IPO IPO IPO

Windows Forensic Analysis

The real benefit to identifying the Volume Name and the Volume Serial Number associated with a specific USB key is through identifying specific files that reside on the U$B device. Via Shortcut (LNK) file analysis, you see that each LNK file contains the Volume Type (Removable, Fixed, and Network), Volume Label, and Volume Serial Number. Using the Windows File Analyzer on your desktop of your SIFT Workstation, you can open a directory of LNK files and parse them with similar output to above. In the next section, there will be an exercise to perform LNK file analysis. Remember how the values above correspond to USB Key analysis. Remember the Volume Serial Number is NOT the USB Unique Serial Number. In fact, each time the USB key is formatted, a new Volume Serial Number and Volume Label/Name will be assigned. By correlating the Windows Portable Devices key and the Volume Serial Number via the EMDMgmt Key you can have the best chance of factually proving a specific device had specific files on it that were opened via Explorer in the Windows system.

94

©2017 Rob Lee



en

CD

CD CD

r

0

0

C

© N)

-

Fdenane SEU3ET(211nL OECEETIt 11./a Re.eauhCONFIDENTVL EACgUP2h-& V12RL0U1lPOFtV.

Volume labeL NONAME Lathed path EWES/SET FVLEOcIEPolE:RETop F /1/St Re:ear:h CONRDENTML BACKUPSdoe F\

L.irecmri £ \Coc4fDocumer1 mid S&tnq\Dona!d SLke\Recerg Volume eual. 0235 ‘4030

Shortcut Analysis

LA Rooer

8438 480%

Removable

*

8438 480% 8438 4803

Removable Removable

0 1745€ 250812 •.‘O

Vol Senal 843848O3 84354003 8433- 4302 9433-4303

Vol Name WORKOUTIPO \VORKOUTIFC WORKOUT 150 W0RKOUTIFV

R

WORKOUT lPO

WORKOUT IPO WORKOUT IPO

Vol Name WORKOUT IPO

Removable Removable Removable Removable

Su’e(B) Vol Type

Vol Serial 8438 480%

LatAccessed 1’10020085’0000 W57200%50000 /l6!l0O3 50000. //l/1330500130AM

Vol Type Removable

Cieated Wuilen 1/16/2008112513 1/16/200811251$. v16/20031&5034 116/2003112513 1/16/1003112555.. 1/16/20031042 44.. i/1/133050500;&M 1/l/133050&%AM

Volume Serial Number Analysis (1)

What if USB device reformatted? Key USB Unique Serial Number remains: • Each Instance has a new VoL Name/Serial # 94f2 OOaOc91efb3bWn7 SiFT26977&g944

J

2148727888 MORYZE1I13%56113 c91efb8b)ME 2OO424OO11144421%5%E&O{53f5&3O7-b6bf-11dO4f2-OOO 2OO424OO11144421656E&O{53f563O7-b%bf-iIdO-94f2-OOaOc1efb8b}Win7 SIFT 2697709944

FOR500

OFIR

Windows ForensicAnalysis

Although this is complex, what would it look like if a key has been reformatted and a new Volume Name/volume Serial Number is assigned? In this example, each of the unique keys is a different instance of the same USB key that had been formatted multiple times. I have used this key in courses that I teach and it is used quite frequently. You can notice the unique Serial Number and the Volume Name for each, In one instance, there was an empty Volume Name. Although I haven’t done the research yet, each key’s last write time apparently looks like it corresponds to the first time the key was inserted after the format. We would have to do additional research to prove this is exactly the case, but at first glance, it looks like the theory might hold. Although at this point, it is only a theory. Research project anyone?

96

©2017 Rob Lee

96

(0 —1

0 0

o

o





.

-

S!FT)697709944

2004240011144421656 E&0{53f5630? b6bf-11 dO -94f2 -OOaO SI efb8 b}_2148727888 2004240OI1144421656E&o{53f5%3o7-b%bf-fldo-g4f2-ooocgIefbgb)MEMORvzEffl3%55113 200424001114442165% E&0{53f5%307 b%bf4l dO 44f200a0 SI efb8 b}WinJ SIFT_26977099U

_J

__I

URR

FORSOO

)

Windows ForensicAnalysis

There are three US3 times we can track when examining U$B Keys. One of the most difficult things to examine personally over the past 6 months is that each operating system changes its practice of where these dates might be stored. Remember, it is not Microsoft’s intention that these keys would be used in this manner. A simple service pack could change the entire precision of using this data effectively in a forensic case, However, given that, the following information is known as the most-up-to-date information regarding temporal data regarding USB keys on a Windows operating system. There are three times we can track: •

first Time Device Connected



Last Time Device Connected Removal Time

The benefits of these times could be quite useful to an investigator for a variety of situations. Some of these times could be obtained when viewing previously discussed keys, but to present it to you in a conceptual fashion, we go through them in order one by one.

98

©2017 Rob Lee

+

Li CdFom&IenHL DT SThfPiod DVDR,M.GPsNtL Rv1 1O .J Dsk& ‘enja%h&Prod Dn e MjJS J DsIr&WnjRE5PONS&Prod TACTtCAt cubjer &Pe+ 1Y J Dfr& n MBIL S ‘ePtoci 105Cr Beer Ois &Pe

Li Li Disk&Ven.SM{&ProcLUSB..DISK&Rev_1 iCi _J .‘C+ 1 )111 & J Device Parameterr J Properbe 40b1 l8Oe th6d°1 Li (%h47eO-45bca&a2-5eOb294cbda2} L (&t5497UYC-8c73%3b9-aad9ce3B7e19c56e} Li (&3da63267e64O9453e1923f573b29

Nerne

def

Deta E

pppiII””

LiCf674-_ 99

With Windows 8, new times exist within the registry structure that has been added to each USB device key in the USBStor key. The key is the properties key. Underneath the properties key is a GUID {$3da6326-97a64088-9453-al 923f573b29} that contains three new pieces of information that are useful in tracking U$3 devices on these systems. first documented by Yogesh Khatri on his blog in late 2013, these keys are now referenced in many toots including US3DeviceForensics by Mark Woan.’l 1. Win7 & Win8:

2. Win8+ Only: 3, Win$+ Only:

First Install Date of the device. According to the MSDN article, “Windows sets the value of DEVPKEY Device FirstinstailDate with the timestamp that specifies when the device instance was first installed in the systern.”21 Last Connected Date of the device Last Removal Date Is updated regardless if safely ejected/pulled out.

These three additional times in the registry help validate the information provided by the other sources of information. Namely the setupapi.dev.log file and the rnountpoints2 registry key for the NTUSER.DAT hive. The setupapi.dev.tog file and the mountpoints2 registry key (NTUSER.DAT) provide another official location to pull these important times from. This is also the first time that we have any type of logging that shows device removal. This is extraordinary and a wonderful find. References: [I] Windows $ New Registry Artifacts Part 1 New Device Timestamps http://www.swiftforensics.com/2013/l l/windows-8-new-registry-artifacts-part-1 .htrnl [2] DEVPKEY Device FirsttnstailDate http://rnsdn.microsofi.com/en us/library/windows/hardware/ff542500%28v=vs.$5%29.aspx -

©2017 Rob Lee

99

J

USBSTOR U CdRam&VnHLDT.ST&Prc&DVOP.AMGPNU&&Re j Di&Wn FIh&Prod Drre SM USE &Ri ii&O D k&VnM8LSM&Piod

A

I

I

Data

Type

dfauIt)

uxFFFF.)1C

lDDBDSDECEi

MorDk&Re8C7r

/

I

I

_JAA04012700011123&0 Add +

J

DecodeFormat;

(5476947eb4045bc2%aQb694cbcIa2} e19 e} {E I00 c7’—$ bO

U

0003

VaiuetoDecode; 6CDEO2S0CEC€01 a Oc3 18: D&Tte

J0000

I

_

c1

UC005 Jc066 j 0067

• U {a

doa:64btHexV&uat%eEndAn

6dd-2e3d409d06eS06a70c7Sd%}

J6 OTt

0aae4

www%gdetediweco.nk z++

FOR500

UFIR.

J

j

Cbae

I

Windows ForensicAnalysis

Browse to key -> SYSTEM\CurrentControlSet\EHum\USBSTOR\ Disk&Ven_$MI&Prod_USB_DI$K&Rev_1 I 00\AAO4OI 27000111 23\Properties\ {83da6326-97a6-40$89453-al 923f573b29}\0064 Value

=

Windows 64 Bit Hex Value timestamp.

Use DCodeDate to decode CBCDDBD28DCECEOI to 10/21/2013 18:46:16 UTC

100

©2017 Rob Lee

ica

fR t’ 1-P €n ,,J [ k’,€n

‘-

j

HL-Di

,,Jc..k,-(nfi2ff -

r-

fmh&F’rcd Oti P(R”P,cJ_T’

.

[PM

‘k

t[t

fl’.

c, ut.

xt.F: 1,

If

.

I

..

._J f,.-. ,J F’rc.t.rtt f-.. -4f-4

lro%69cEcEo1

DCod v402a (Build: 93

R.r2t .J

2

.

-r

“a-c. --i-cl’.L1:’

furc

4 b-

on t’p

t)

6-I bit frfocc Vakeit6o Bndan

ViuetoIiitOP%BEc9%CECEOl -----—

flrt. flOcto1’crO13 in 11:48 UI(

t+zi

citat c-c tnc’

a

DFIR

FOR500

Windows Forensic Analysis

Browse to key -> SYSTEM\CurrentControlSet\Enum\USBSTOR\ Disk&VenSM1&Prod_USB_DISK&Rev_1 1 00\AAO4OI 27000111 23\Properties\ {$3da6326-97a6-4088-9453.. al 923f573b29}\0066 Value

=

Windows 64 Bit Hex Value timestamp

Use DCodeDate to decode 8O96BEC599CECEOI to 10/21/2013 20:1 1:48 UTC ALTERNATIVE TO LAST TIME DEVICE CONNECTED

Purpose: Discover the last time the device was connected to the compttter Locations: SYSTEM/CurrentControlSet/Enum/USB/VI D_XXXX&Pl D_YYYY Perform search for Serial Number (Last Written Time of Serial Number Key) NTUSERI/Software/Microsoft/Windows/CurrentVersion/Explorer/MountPoints2/{GUID} Perform search for Device {GUID} (Last Written Time of Volume GUID) Why Key Is Useful The key is useful because we can determine the last time a device is connected to the machine. SYSTEM/CurrentControlSet/Enum/USB/ VIDXXXX&PIDYYYY Perform search for Serial Number (Last Written Time of Serial Number Key) NTUSERJ/Software/Microsoft/Windows/CurrentVersion/Explorer/MountPoints2/{GUID}

Perform search for Device {GUID} ©2017 Rob Lee

101

°1

A

J USESTOR

J CdRo&VenHIDTST&ProdDVDRA6PUNU40&Re Dek&VenF h&ProdDrieSMUSB20&Revj I j Diek&V FRESP0NS&ProdjACTIC?L Sub et&Rev0J 57 Li Dsk&VenMRIL SSM&PrDdMc ser ReerD k&Re.0 Li D&VenMulepu&PcdCerdResdrr&Pc.j.C2 U Drsk&’IenSPrcdUSB,NSKℜj 100 J AisC4i2700s011123&0 Li DevrcePrremeters

Neme

Data

Type

os z’ o os CE DCode v%O2a (Build: 6) —7

9!E

j Prepeities

U15 0700

J {0054f7a4-44-45b1925eDS00cb0dN2) J {54 47e0bi045bc e20bS0cbda2} J {854971500c?3-4Sb9aad9(t3810056}

ecode srset:

ndcoss: 64 Nt Hex v&seL6e Sodsess ss

Exernpe: ,k

J {53d6-9fa60S3-ai92Sf53b55

Li

e%mNrcEcEo1 Dete STore: t4o, 21 October2013 2016:45 UK

www45etta1odetective,co.uk j (cOb

5dde3d4D93adO7-eS93a7Dc75d6}

FOR500

UFIR

J

Windows ForensicAnalysis

Browse to key -> SYSTEM\CurrentControl$et\Enum\U$BSTOR\ Disk&Ven_SM I&ProdUSB_DISK&Rev_1 I 00\AA0401270001 II 23\Properties\ {$3da6326-97a6-40$$9453-a1923f573b29)\0067

Value

Windows 64 Bit Hex Value timestamp.

Use DCodeDate to decode 9A6b2779ACECEOIto 10/21/2013 20:16:45 UTC

102

©2017 Rob Lee

02

• Plug and Play Log files •xP C: \Windows\setupapi log

• W1n7—Winlo

/

C: \Windows\inf\setupapi dev. log .

• Log

file tiuws are set to local tlme

zone

• Mandiant Hihlihter Helps • Search for Device Serial Number and look for first entry

DFIR

FOR500

I

Wh dows ForermcAnclysis

To determine the first time a device was connected is similar on both Win7, Win8, and slightly different locations.

XP, but the files are in

The setupapi.dev.log file is modified during the install of a USB device. The setupapi log keeps track of hotfix installs, device driver installs, and service pack installs for troubleshooting purposes. Microsoft has a decent website that details the information in the log file. http://www.microsoft.com/whdc/driver/install/setupapilog.mspx This shows us the device that we previously discussed and the first time it was installed into the system. Correlating this information along with user activity with RegRipper might give the investigator more delineation of how USB devices are utilized on a system. On Win7—WinlO, it looks as though the setupapi.dev.log file has been slightly renamed to SETUPAPI.DEV.log and moved, but the concept is exactly the same. This is good to know. It also looks as though the logfile also has been rewritten. It actually is a bit easier to read now. You can clearly see when the device was first plugged in to the machine and the time it occurred. Using the setupapi.dev.log file in C:\Windows\inf directory via Mandiants Highlighter, we can easily view the values that it contains. We, again, perform a search for the unique Serial Number and identif,r the first time the device was plugged into the Windows Win7 operating system.

©2017 Rob Lee

103

03

File

Help

43534:>>>

r

Keywo;dOQCL%270011E33E2CW



0 Cumulative



Case lnsentive

463533 disployed(C hidden).

v

L±!!iLJ

463533 lines, longest is number 114706.

USBSTOR\Disk&Ven ApplesProd iPod&Rev %.70\555iflOOi1!39E%Cf [Device Install (Hardware initiated) Section start 09/03Th4l3:34:lO.%8j xe 13:34:10.430 ump: Creatiita11 Process: Drvins ndv: Re%ng device info.. ndv: Setting device parameters, ndv: Building driver list.. 13:34:10.547 dvi: (Build Driver List Searching for hardware ID(s) : dvi: 2.70 usbstor\diskapplezpod dvi: ipod____________ dvi: usbstor\diskapple usbstor\thskapple dvi: 2 usbstor\appleipod dvi: appleipod2 dvi: usbstor\gendisk dvi: gendisk dvi: dvi: Searching for compatible ID(s): ushstor\disk dvi: dvi: ushstor\raw Enumerating INFs from path list 4C:\Windows\INF dvi: ([stri: C:\Windows\System32\DriverStore\FileRepository\disk. inf 90722180\disk, inf Opened PNF: inf: Created Driver Node: dvi: GenDisk HardvarelD dvi:

Highlighted Stems, 3 Total

V



5

0

0 ,_

A

I

I

1*

*

S

I I

*

*

*

5*

*

1*

*

S

*

1

***I*I,,

B FIR

FOR500

I

Windows ForensicAnalysis

USB M$C Device Forensics on Win7—WinlO 1. Write Down Vendor, Product, Version SYSTEM\CurrentControlSet\Enum\USBSTOR Vendor Product = Version

=

2. Write Down USB Unique Serial Numbers ID SYSTEM\CurrentControlSet\Enum\USBSTOR USB Unique Serial Number ID 3. Determine Vendor-ID (VID) and Product-(PID) SYSTEM\CurrentControlSet\Enum\USB -> Perform search for USB S/N VIDXXXX PID_YYYY

=

=

4. Write Down Volume GUIDs SYSTEM\MountedDevices-> Perform search for Serial Number in the Drive Letters Volume GUID

©2017 Rob Lee

105

‘as

5. Determine Drive Letter Device Mapped To SYSTEM\MountedDevices-> Perform search for Volume GUID in the Drive Letter Or NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs -> Perform Search for Volume Name Or Perform Shortcut File (LNK) file analysis Drive Letter =

->

Perform Search for Volume Name

6. Determine Volume Name Device Mapped To SOFTWARE\Microsoft\Windows Portable Devices\Devices-> Perform Search for US3 Serial Number and Match with Volume Name Volume Narne= Drive Letter (VISTA ONLY)= 7. Determine Volume Serial Number SOFTWARE\Microsoft\WindowsNT\CurrentVersion\EMDMgmt -> Perform Search for Volume Name and/or USB Serial Number. Convert the decimal Vol. Serial Number to a Hex Value for LNK File analysis. Volume Serial Number (HEX) = 8. Find User That Used the Specific USB Device NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\ExpIorer\MountPoints2> Search for Device QUID User = 9. Discover First Time Device Connected C:\Windows\infsetupapi.dev.log -> Perform search for USB Unique Serial Number

Time/Timezone

SVSTEM\CurrentControlSet\Enum\USBSTOR\VenProd_Version\USB iSerial #\Properties\ {83da632697a6-4088-9453-a1923f573b29}\0064 -> Value = Windows 64 Bit Hex Value timestamp Use DCodeDate 10. Determine Last Time Device Connected SYSTEM\CurrentControlSet\Enum\USB\ VID XXXX&PID YYYY

->

Perform search for Serial Number

(Last Written Time of USB Serial Number Key) Or NTUSERJ/Software/Microsoft/Windows/CurrentVersion/Explorer/MountPoints2/{C UID}

->

Perform

search for Device {GUID} Time/Timezone SYSTEM\CurrentControISet\Enum\USBSTOR\VenProd_Version\USB iSerial #\Properties\ {83da632697a6-40$$-9453-a1923f573b29}\0066 -> Value = Windows 64 Bit Hex Value timestamp Use DCodeDate ii. Determine Time Device Removed SYSTEM\CurrentControlSet\Enum\USBSTOR\VenProd_Version\USB iSerial #\Properties\ {83da6326-

97a6-40889453-ai923f573b29}\0067 > Value

106

=

Windows 64 Bit Hex Value timestamp

©2017 Rob Lee



Use DCodeDate

USBDeviceForcnsics

http ://www.woanware Co .uk/usbdeviCeforensiCs/ H

import

IS

1’, S.,

DHR

S

S

S’SSI’

FOR5G

S.



55’

S



I Windows Forensi inalysis

USBDeviceForensics is an application to extract numerous bits of information regarding USB devices. Per the website: “It should be noted that whilst the information in the blog posting is accurate, there is a caveat to be aware of. During my testing, I have found that an unknown process can update the Date/Time values across all keys, in particular, the USBSTOR keys. Therefore, you could see the same Last Written Date/Time value on each device key. If you see this occurring, then you obviously cannot rely on the values retrieved. All of the dates should be UTC. It is possible to set a time zone offset by using the Time Zone window e.g. Tools >Time Zone menu item. The Install date time zone is currently unknown; it is either UTC or the local time zone of the system where the files were extracted from.”

©2017 Rob Lee

107

!7

SDFIR DIGiTAL FDRENSICS

INCIDENT RESPUNSE

Exercise 3.3 USB MSC Device Profiling and Analysis

FORSOO

UFIR This page intentionally left blank.

108

©2017 Rob Lee

Windows ForensicAnalysis

‘°

SDFIR DlBITA FUREN$ICS

NCDtNT RESPONSE

Exercise 3.4 BitLocker Key Recovery

OFIR

FOR500

Windows ForensicAnalysis

This page intentionally left blank.

©2017 Rob Lee

109

PT?

PAT?

K





x





Sc

P

K

X

K







K

K

X

K

K

M

K

K

M

K

?M K K

1dO94f2OKK91ebAb\

RM -

d2O1f-OOcO4fb9S1ed\

K

K K crtntContro\€.m\$TORGE\

K

(rremContrst\Pnm\USc\

K

K

K *

K

K

RM





K





K







K

K

K

Mowfled\DoDenLet

K

Micnsoft\WBEM\WDAUSBSTOM

K

ccft\Mfdo

:

.

K

L. L —



OS Z

ftwreSro

*

WdG

OS

I 10

If Windows 7 appears to use two different factors in determining if a device should be installed with WPD support. a device is installed with WPD support, the registry entries used to install and enumerate a device reflects this classification. The factors that Windows appears to tise to determine WPD support follow: A. The protocol used: PTP and MTP are automatically installed and enumerated as WPD supported. MSC devices are installed as mass storage class devices, some having WPD support, which is determined by the next factor. bit B. The state of the Removable Media Bit for MSC devices: For devices with the removable media support. WPD with devices these installs Windows MSC), using devices other turned on (Flash drives and External drives appear as “fixed” drives and have the removable media bit turned off. They are not installed and enumerated with WPD support. In Table 2.2. 1, registry entries that incurred changes at first insert with the removable media bit turned on is marked as “RM” under the column MSC.

2, 3.

4.

when As with Windows XP, Windows 7 does not provide artifacts in the NTUSER hive for PTP and MTP devices Stage. Device supports device the a device is first inserted into a system unless With the advent of Windows 7, a new feature was introduced called Device Stage.1 Depending on manufacturer of implementations, some USB devices are equipped to support Device Stage. Within Windows 7, the installation hive, NTUSER the those devices offers additional artifacts that can be of forensic importance. For example, within hive an examiner can identify which user inserted a particular device. The entry that is generated in the NTUSER ContaineriD name for Device Stage devices contains a value in the name DDO that can be linked back to the value in the SYSTEM hive registry key ENUM\USB specific to the device. In the table, registry entries for devices identified as supporting Device Stage are labeled DS under the MTP column. One final item of importance that should be noted is that for devices enumerated with WPD, Windows identifies what functions a device supports. Depending on the supported functions of a device, Windows uses different registry keys to install and enumerate the device. Due to the limited number of MTP and PTP devices tested, accounting for all possibilities was not possible. The functions a device supports can be extrapolated indirectly from what keys are utilized to enumerate the device, or directly by viewing the registry’ keys, subkeys, and values in the SOFTWARE hive under Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceHandlers\ for the device in question.

110

©2017 Rob Lee



t 0 “

— ‘,

.

Key

MSC

CurrentContrdSet\Contro1Ctass1%6FC9E6OC4654 1CF4OS64%4SS%%4OOOO)Nfffl CurrentCnntrd5ez\Controt\CbssM4O%6E9%%E%2S% ICE43FC 1O8OO2fl 1O%t8)\*t%##\

x

K

K —---——-—-- —

CurrentControtSeflControPC$assM71A%7CDD4i2A4 1DO-BEC%OBOO% Bt%09%F)\*i##U\

K

ld%*%OibOtO4fhSSlcd)\

tIM

K

RM

*ttfltt

CurrentConrrolSet\ControftocMccCtasses\f33fdcO4-dlac4eSe9a3G-i9bbd4blOSae)\ Cunentcontrolset\Controftusbflags\vwvpppprrrr\

K

.

].“

“.

.

.



K

.

Rb)



K

rTTL

-

CurrentControlsefltnum\VipdBusEnumRootWMB\ RM n-rn K n__—_________ —

c...

-——-

K

K

RM

CurrentContro!Set\contro!\ctassMEECSAD98*8O8O425f.922ADABF 30E31%%APfl###\ CurrentControISet\ControPDev,ceCIasses(5%fS%%O7b6bf4 1d044f24Y0a’0c9 1efb8b)

RM

.

CurrentConuolseñControftDeøceClassesMs3f5%%044,%bf4idO%4f%%$OaOc9lefbBb]\ CunentContro1SetControI\DevceCbsses\(6Sa9a6cf64cd48Ob443e-%2c86eiba 19f)\

tL_

CurrentControIScz\ControI\DeviceCIasses\{6bdd1’fc68iOf-1 ldO-bec7-O800%be2OS%Q\

L__—_

CurrentContrdSee’kEnum\SYORAGE Currentcontrolset\Enum\US6\

K

CurrentContrdSeflCantrot\DevtceCtasses%j1049%blbwbasl*4%eSJ% 18*ze%5c8%7b%66 fl\ CunentControISet\Contro1\DewceCbsses\{6ac278%8a%fa4 I SS%a8S498f491d4f33)\

CurrcntContro15etEnumUSBSTOR\

K

RM

MountedDevkes\P\Volume(VoIumeGUID) MountedDevIcesDosDevsces\OrisAeLetter:

;

Mtcrosoh\WBEM\WOM\u$BSTOR\ Microsoft\WindowsNflCunenWersion’EMDMgm!

MicrosoftWindowsCurrentVersion\ExpIorer\AutoØayHandIen\DeviceHandiers\ Microsoft\Windows Portable Da’tcesDeveces

K

PTP

x

K

x

MW

X

K

X

K

K

err



K

K

K

X

K

K





K

K

K na



K

*



0$



Software\Microsoft\Wmdows\CurrenzVersion\tExpIorerMountPomts2jVoksrneGUiDfl Sot tware\MIcrosoft\ W,ndows\CurrentVersion\Exp1orer\AutoptayHandLersKnownDevices\



OS

Key: RM DS

Removable Media. i.e., USS devices with the removable media bit turned on. \Afindows Device Stage supported device.

UUtUU-JWLJMiIUWAJWJiUJ1ILMLULJ

Software\MicrosofflWindows NT\CurrentVersion\Deviceoisplayobjects\

I

a)

a)

SD 0

r-.

0

©

DONALD BLAKE CASE TIMELINE

18:24 Begins accessing many folders, local and remote, over a “21iour period

19:21 Opening Dropbox folder tvia Shellbag analysis)

(via Shellbag analysis)



Following USB Exercise

18:45

20:16

“USB2.0” Last Inserted 18:46 “SMI” first installed

Accesses folder on F:’jTemplate (via Shellbag)

(uia USB

SMI USB

analysis)

removed

20:16:45

I I

I 18:04

18:51

16:38

Skype chat from Jordan tells Donald to check email (via IEF carving)

Runs BitLocker Unlocker (via UserAssist analysis)

Donald account last logon (via SAM analysis)

UFIR

FQR500

J Windows ForensicAnalysis

I

112

I.

This page intentionally lefi blank.

I (

I

112

©2017 Rob Lee

t.*)

i;

/tOfl(fl)>

Optn

L

\

Recent I’ih-s

‘.

,

_../Z_

t 1 ‘ndu

St

1 ast\i it d MP V ,,?

,

/

I

Recent FiIe I .txt) -

I’ S nn ii

-

i

N’ /

_/



PuILll’I t- Rtiii

s.

)

Tirnezone

7/

“‘

-

--he

(

Oltiec Rvecnt’ . ,> ShrIthirs 1’ile _/L___

_._

a’ ti

-

‘L__’

_h

liii

/

I

t\e

i

.Y

d

.TkI

Wireless S$ID

ç Wit;7-WinzO Network

1_ast i.ast raileti Logi1_)> 1A)__)

Histon

Li-ct [ivtl (iiant

DFIR

f

LTt)U1) Mem1’ex.hip

FOR500

User Comms

I

N. ,,‘

Wir1dows Forensic Analysis

Physical Location

Web Based E-mail

Timezone

E-mail

Wireless SSID

Calendar

Winf-WinlO Network History

File Download

USB Key Usage

Open / Save MRU

Key Identification

E-mail

First/Last Times Connected

Program Execution

User

UserAssist

Volume Name

LastVisited MRU

Drive Letter

RunMRU Start->Run

Account Usage (SAM)

MU! Cache

Last Login

File Opening! Creation

Last Failed Login

Recent Files

Last Password Change

Recent Files (*.ext)

Group Membership

Office Recent Files File Knowledge XP Search - ACMRU

Win7 Search

WordWheelQuery

LastVisited MRU

©2017 Rob Lee

113

DONALD BLAKE CASE TIMELINE



Following String Search Exercise

18:24

Begms accessing many folders, local, and remote, over a 2 hour period (via Shellbag)

18:45

20:16

“USB2,O” Last Inserted 18:46

Accesses folder on F:\Template

“SMl” first installed tvia Use)

20:16:45

(via Sheilbag) SMI 1158 removed

Runs BitLocker Unlocker (via UserAssist) Decrypted BitLocker US8 image 003 f:\) (AA04012700011123 has business plan docs in root and \Templates (via String Search)

FORSOO

BFIR This page intentionally left blank.

114

©2017 Rob Lee

Wtndows ForensicAnaysis

FORs*o%

WINDOWS FORENSIC ANAlYSIS

Core Windows

SANS DFIR Forensics III:

OIOITAL fORENSlS B lNlOENT RESPONSE

E-Mail, Key Additional Artifacts, and Event Logs

© 2017 Rob Lee All Rights Reserved IVersion # FORSOO_C0Ij)1

Welcome to Core Windows Forensics. Rob Lee [email protected] Chad Tilbury ctilburysans.org —



http://twitter.com/robtlee http://twitter.com/chadtilbury http://twitter.com/sansforensics

©2017 Rob Lee

115

j1

Part 4 USE Device Analysis

S

L

CtIt)11.

J

=

13

FIR

FOR500

This page intentionally left blank.

116

SccionLJ

©2017 Rob Lee

I

‘Nindows ForcnsicAna!1sis

OFIR

FORSOO

Windows Forensic Analysis

This page intentionally left blank.

©2017 Rob Lee

117

1)7

Host-based e-mail

Where are the files? • How do we acquire those forensically? What can we find?

E-mail servers Cloud-based e-mail

Mobile e-mail FORSOG

UFIR

Windows ForensicAnalysis

through the Depending on the type of investigation and authorization, a wealth of evidence can be unearthed investigation and analysis of e-mail files. Recovered e-mail can bring excellent corroborating information to an and particularly its informality often provides very incriminating evidence. When conducting forensic reviews, evidence can in the eDiscovery world, an investigator must be savvy about the various locations where e-mail company e-mail exist. It is common for a user to have e-mail that exists locally on his or her workstation, on the server, and in multiple webmail accounts. to find e In this section, we will discuss what types of information can be relevant to an investigation, where analysis process mail files, and how to use forensic tools to facilitate the analysis process. We will find that the finding and is similar across different types of e-mail stores, but the real work takes place in the preparation— extracting the e-mail files from a variety of different sources.

118

©2017 Rob Lee

118

seth

>

E-mail address

>

IP

Contextual clues

idail set ver timestamps

f



7

-.

C

/7

-

__&



--

—-

Mt s.•age tSSiy

\ttachments

)Addn

-/

DFIR

FOR500

S

hf 5)1

CaknFu

/

ics

Wm lows Forensic Analysi

For such a simple protocol, e-mail can provide the examiner a wealth of information to aid an investigation. When conducting e-mail examinations, we focus on answering four questions: Who sent the e-mail? Computers don’t generate e-mail autonomously and when reviewing e-mails, we will spend a considerable amount of time attempting to identify the originator of a message. This isn’t always as easy as it sounds, particularly taking into account the ease with which e-mail communications can be faked. However, we do often have some good leads to follow, including the originating e-mail address, the IP address of the originating computer, and whatever contextual clues we can pick up from the message itself (such as signature block, texttial anomalies, references, etc.). •

When was it sent? We can usually determine when a message was sent with a high degree of accuracy. The message itself will have a timestamp associated with it, but more importantly, we will focus on the mail server timestamps that have been added to the message. These are more difficult to fake, and we often have logs and some control over at least one of those servers in an enterprise environment.



Where was it sent from? Determining where a message was sent from can be difficult, but we do have some good places to look. If it exists, the originating IP address can be very helpful, particularly when paired with geo-location databases that can pinpoint the physical location of that IP address. Tracking the domains and lP addresses of the various ISPs and mail servers referenced in the message header can also allow us to narrow down on a location and at a minimum give tis a starting location to issue subpoenas for ISP records.

©2017 Rob Lee

119

I 19



Is there relevant content? This is usually where an investigator will start. After all, if the message isn’t useful to the investigation what does it matter where it was sent from7 We see in this section that e mail

evidence can provide an amazing amount of information, even beyond the messages and attachments we will find in e-mail stores. The contact information, calendar appointments, and task lists we find during e mail examinations can be extremely helpful in tying the case together.

120

©2017 Rob Lee

0 r

flon, 7”:



O1

,.

0 P

F

1

11

I

0,4

‘plo ‘o

:

rh 17

0

——

.1

714’

P o” ‘F’:., boond,1, Pt’i

40?

1’ px/o1

P

“7

J’1. 1’

0

‘1

+0 ‘,,fl

1

h 1.1

-ho11.

,

F 11712

F’’+

‘41,,...,

1,1,.

..

0’

“..%7.,.,’,0.,”4’ I,.

nTrr

di’

F

111’

.1

=

7

0

liv

r log p

liP.

,

—1._I

‘j.

‘ll’,,

ii

‘1

1._.,’’f

0..

,,

p

1.’

_ii,

I’

,d’)

OFIR

FOR500

I

Windows ForensicAnalysis

E-mail has a relatively simple file structure, giving us three basic components to analyze. This slide shows the way an e-mail message is displayed using Access Data’s Forensic Toolkit (FTK). The standard e-mail client configuration hides the majority of the mail header information from the user. Although most clients have the option to display header information, a dedicated e-mail analysis tool simplifies the process. Analysis of the e-mail message body is relatively straightforward. Unlike e-mail headers where the mail client and server add information, the message body is a result of actions taken by the sender. Signature blocks and other information can be added to the message body by the e-mail client. A great example is the plethora of messages floating around stamped with “Sent from my iPad.” The easiest way to analyze e-mail messages is via manual review. This entails using an appropriate e-mail client (or forensic tool) to manually read each message. When working with foreign languages, care should be taken to use a client that can parse Unicode characters. If you are working with a large number of messages, string searches and de-duplication can be used as data reduction methods. A keyword list is created and a forensic tool is used to search each message (and sometimes the entire image file) for instances of those keywords. Any duplicate e-rnails are removed from the review pool. After data reduction is complete, a manual review is conducted on any keyword matches. A key point to remember is that although e-mail messages are always text based, e-mail clients/servers can store them as binary’ data. Thus it is critical to use a forensic tool that is capable of native searching within the e-mail database—a simple text-based search of the entire drive will fail to find matches within binary e-mail files. Unsurprisingly, e-mail attachments are a key source of information during forensic analysis. The e-mail industry estimates that 80% of e-mail data is stored via attachments. Thus, you should expect to spend 80% of your analysis time reviewing them.

©2017 Rob Lee

121

121

Attachments can be cumbersome to catalog and review, particularly individually. In some cases, specialized viewers or applications will be necessary’ to open files. Some forensic tools allow you to export all attachments for later review but it can be difficult to match an attachment of interest with its original e mail message When reviewing raw e-mail messages (that is, looking at a message as it was transmitted over a network), it is important to remember that the e-mail standard allows only ASCII text to be transmitted. Thus, attachments must be encoded (typically in MIME/base64 format). In this format, attachments will look like a long line of garbled characters. They can often be unencoded manually (using a base64 conversion tool) or an e-mail client can be used. Attachments are a leading cause of virus infections, so it is important to treat them with care. Scanning attachments for viruses is critical. If the attachments have been exported, then a simple scan of the directory is sufficient. Otherwise, you can install virus software on your analysis machine with the correct e-mail client plug-in.

122

©2017 Rob Lee

0

NJ

NJ 0

aaaaaaanwa.a waaa

‘ear

1888224779. 1418085540988——

LJE5DBBQAAAAAAHuehEAAAAAAAAAAAAAAAAAJAAAAU3RhckE 1cnkvUEsDBBQAAQAIAHaebEC2c. C IkAAI 1 ZAAAkAAAAU3RhckZ1cnkvRUFydGhfUOEtMI ZfVGhlhmRlcmJvhHQuanBnOoAULm+iS 18W XBSomlTGd6OMaDh63 ijGS8qXNRaVxVNytV1QPU4LXH7nPAE 1 63XiOFxTS Z7hEHtnOV4Gi5uDVSr I q5pwUQimm7EPD7J IuRD:QyLyHj XV 149/cD isQuyIkTZ8?bsdj9ft5 6bAGQI/8 zh+eNddUtMdUnWHR%

naw ‘area a wraaaar.v ‘a wear ‘aweararas ‘ireawira waaaaaaMflaaaaaaaa1taIaaWaflK PartO8%714%889. i%180855%0738 Content—Type: app licat ion/x— zip—compressed; nameStarFury. zip Content—Transfer—Encoding: base64 Content—Disposition: attachment

Best, Maria

Attached are the Star Fury designed you asked for. Please let me know We certainly hope to have a working prototype soon if possible.

Nick,

1888224779, 1418085540988 Content—Type: text/p lain; flatflUTF—$ Content—Transfer—Encoding: 7bit

Content—Type: 2nultipart/alternative; houndary=”—-——= Part 1888224779. 1418085540988”

0 827142889. 1418085540738

a aaa naaa *rnvaw

K—Nailer: YahooMailWeh5ervice/0,8, 116.338427

.

Reply—To: Maria Hill

Message-ID: e.ua

cSr,r

7% ar5Jnvon

ave-onn

pntJ,



in a Son

I I

Qd

What inlotmat*on Can Yahoo! ProvIde? Subscriber iaformabcn >t7%d In ! td;ne5%W dty ISa ala j Vt q’Vat n -kerr 57% d4eiirrrne alIn nealrcvaa’ssed lPacflre%sAaacarannan%w5hSe 711. nrwr-avcin!e n drr’rrel > j71*t7%J t7%I5% * 51711’ Petflrra-t I yuiwkcr5

>40

Yahoo! Mall (including email associated with specific properties such as Personats Small

a

Busnwss, Domains, and Fhckr) Aswnrv avMin%O rite >w-> r o>rtj’1t

1



onJntrnd Vain’1 s tpVcear S 5jx 1>74 !htVr)’nn4’wnrnvr 75iI

rq I fl!’oes

cne5rre%a’4Na

art, aYnxrotn>i%a’unt

I

Yahoo! Chat Messenger irrrcslrb;tVcsen;r

‘t*tI’SSar71

©2017 Rob Lee

>-554kin

171

Webmail is often transferred in a compressed format • Internet cache will contain gzip compressed files Must be “unzipped” to view HTML data

• File signature analysis might be required to identify compressed files D HR

FORY\,

Vir ow or

Si

na’ sis

172

A recent trend with webmail is the sending of data in compressed files. Starting with HTTP version 1.1, browsers support the receiving (and inflation) of compressed content. Although this reduces content transfer times, it also creates a layer of obfuscation when conducting computer forensic analysis. Simply put, it is very easy to overlook webmail evidence within the Internet cache files because it might not be stored in HTML format, Forensic tools, and specifically file signature analysis, make identifying compressed content much easier. In browsers such as Mozilla Firefox, cache files are not stored with extensions and thus identifying relevant items can be a laborious process. After a file signature analysis is complete, it is necessary to inflate (or decompress) the found files, which can then be reviewed using a standard web browser. it is important to point out that string searches will not find content that is in a compressed format. Tools like EnCase require the investigator to first mount each compressed file, allowing string searches to be conducted within the uncompressed files.

172

©2017 Rob Lee

CnttTve

I —

t

trn

ci asp htm I, &sdd1ast aspx his Rf=W 44 flIS7 S=i7;i) n=1546932ci5it=Q17ais2e7P.. Rppis4.is4pi=5sp7pps=p6sp4.. -RF’Wis44364SDis57O7SPS97i5O

GTh3 r conO tp Iod doub http ;Isci27w ntic7 mad ka onplm/paga hip ffsn;Pia nt127 mae has ccmm(cea/

taxt’ciui ciarsetutf textftcam &aset-ut i ae/a exvcncs; &set=utf3 hrapeipf ccaspspf asage/pf

htip;iaelThsaet127,mad ccc raeticcmta,. http;jfadstmsad cat fl)U GaeXOOljXl.. http://hmancc.pff=Wt=44is4!ZP=5..

Cth Cd rrxa=S, pccat oc so-cacce cc

extra large

Windows 8/10 has additional sizes including 16, 48, 1600, and also a new database type called “iconcache” that follows the similar format.

196

©2017 Rob Lee

The Thurnbcache stores the thumbnail copy of the picture based on the thumbnail size in the content of the equivalent database file. One of the more interesting things about the Thumbcache is that it stores thumbnails of office documents. In these thumbnails, you can often see the first page of the PowerPoint, the Word document, or Excel spreadsheet and some of the data it contained. In addition, folders, where you can peer into some of the file contents, are also visible. This is nice to have because we might be able to extract a keyword or two to find the original.

4

1

I

©2017 Rob Lee

.4 _.6 4.

.4.44

4.4.4.% 444. 444.%.4..444

L: 44

4.%4.4.44. 4444444

197

9%idf9247%c0bOpg Edit

View

TooK

4

F enema

41 2

fe32a45d9d14473b.jpq

Data Cffset

13 KB 103KB 115KB

1128 3579568 46’266B

R3KB 6d316725ft1 103KB 3%77671a17 115KB bddbfa’44t

125 KB 27 KB 27KB 27KB 27KB 27KB 27KB 27KB

2267948 114 B 266028 552928 677725 111656 B 139534 B 1674428

125 KB 27KB 27KB 27KB 27KB 27 KB 27KB 27KB

c87522c8b651%adSjpg

45 46 17

72afaaac433h71jp e78f4675d6590666hmp fd4adaed52ab5b4bb dd792672126c9435b %d22Ed5d733ed670b 8lbdfad367%d226b,b,, %Seud76SSStb2bfbmp SSTO9dcSSabc20ff.bmp

2234678 248 272128 552058 53672 8 111576 B 1394678 1573528

5 H 1% 1 Ii 11 Ic

ec

Data Check

Cache Entrc S

42

t9bcfbEb5b%a23751p9

Data Size

Cache Entr, Offeet 248 3577668 4555668

49

i

H&p

6c541e3a74 B2acS2SlffS eldc9clfef! 945cF93f1e d5dd679b9 6942446673 256b93b3b 25e229aac3 a

%

7

eaew24attw wccvpsw raaeacew’ 7%wa%wrt%tew’a%cwan

FOR500 (Windows Forensic AnaI’sis

OFIR

Thumbcache_*.db and iconcache_*.db Thumbcache Viewer allows you to extract thumbnail images from the 8.1, and Windows 10, The program Windows 8, Windows database files found on Windows Vista, Windows 7, interface.[’l e command-lin comes in two flavors: a graphical user interface and (comma from the Google Code page [1.2): The main menu allows you to save entries, export entries to a CSV CRCverify entries, byte 0 hide modified), not is database separated values) file, remove entries from the list (the hashes. 64 header and data checksums, and map files to entry them will Some of the column headers for the list can be clicked (while pressing Ctrl), and the entries below displaying in from will change entries the example, for change. If you press Ctrl and click the Data Size colttmn, The three kilobytes. to bytes from change will column kilobytes to simply bytes. Likewise, the Cache Entry Offset to lowercase from will change Hash) Entry Cache hash columns (Data Checksum, Header Checksum, and uppercase. image around When an item is selected, an image window will pop up to preview the thumbnail. You can move the By that direction, in pixel I image the will move key the window with the mouse or arrow keys. Each arrow key, arrow an pressing and Shift holding By pixels. 5 move holding Ctrl and pressing an arrow key, the image will the image will move 25 pixels. To center the image in the image window, yoit can either press the Home key or middle mouse button, wheel, you To scale the image you can press the + or keys to zoom in or out respectively. If yott have a mouse the right hold can you wheel, mouse a have don’t can scroll forward to zoom in or scroll hack to zoom out. If you the click and down button mouse left the hold or mouse button down and click the left mouse button to zoom in, right mouse button to zoom out. Are you confused? -

References for tool use [1] https://thumbsviewer.github.io/

198

©2017 Rob Lee

198

o

Co Co

CD CD

r

0

-.3

N) C

IM4

1rbin -f “F: \[tootj\I1D’itThR\S-1-5-21-1OO4336348-492894223-854245398-1OO3\INEc2” 41 Fri Jan 16 23:27:24 2009

C:\J)ocinats aixi Settirçs\prnaJ.d B1ake\Iy t

ci

ts\B.isimss P1ans\XII

W1n7/8 $1 Parsing C: \>rethin -f “E: \[oot]\$1c1e.Bin\S-1-5-21-718I262O7-il71771683-1750804747-1001\$IG1QC.x1s’ C: \Users\1 2013 Z

aid Sicyt ive\ftc1tB1ts\1D C1c eails1t -.x1s c1ethi a. Mn ft!t 21 18:32:52

©2017 Rob Lee

205





D

x

Go

z

I

D

0 —m



— *

D

m 0

206

©2017 Rob Lee

Windows Search Index

Thumbnail Analysis

AppCompatCache (Shimcache & Amcache.hve) DFIR

FQRSOO

Wir dow. Forensic Ana ysis

This page intentionally left blank.

©2017 Rob Lee

207

07

__________

A

s C of system by pi •Increases 1 them into a .pf file. maps and directories files and all monitors • Cache manager • Utilized to show application execution (What and When) Disabled on systems with SSD drn e otherwise enabled by def’mlt on X? and • Limited to i • Limited to 1024 files for WinS/Winio ‘

fexename)- (hash) .pf

• Starting with Wi;uo—Prefetch files are compressed • Hash calculated based on path of executable & the command line options of certain programs (e.g. svchost.exe) • Lookiip table for file-hash found on course USB: prefetch hashes lookup. txt in the Prefetch i names of the I contaifls original l • layout. mi • Disk l)eh agilK-iltel USC la\ out.iill tO I elovat all diieetm ics and file. to a conti’uou .

area of

FOR500

D FIR

I

the disl:

Windows ForensicAnalysis

When the operating system uses Prefetch it will pre-load pieces of data, files, and code into memory before the information is needed. The Prefetch directory is populated once an application is executed, thus why it might be of a a good idea to grab the contents of the Prefetch directory manually before performing any incident response monitors manager machine because the contents of this directory could be considered fairly volatile. The cache all files and directories referenced for each application or process and maps them into a .pf file. The Prefetch directory will be limited to 128 files,[11 On Windows 8 and Windows 10, there can be up to 1024 files in the Prefetch folder. Starting with Windows 10, the Prefetch files are compressed. line The file’s name is the name of the executable file followed by a dash and hash of the file’s path and command [2] svchost.exe options invoked by specific “hosting applications” such as svchost,exe, mmc.exe, dllhost.exe, and (exename)

-

(hash) pf .

Each version of the Windows OS uses a different prefetching filenaming algorithmt3] Windows XP 32-bit sum of hash xp (on devicename and c:

=

volumel)+ hash xp(quoted path+command line)

Windows Vista 32-bit sum of hash vista (on devicename and c: Windows 7 32-bit sum of hash w7 (on devicename and c: Windows 7 64-bit sum of hash w7 (on devicename and c: with extra blank character

208

=

volumel)+ hash vista(quoted path+co;nrnand line)

=

voltime2 )+ hash w7(quoted path+command line)

=

volume2 )+ hashw7(unquoted path+command line prefixed

©2017 Rob Lee

208

Windows 8 32-bit sum of hash_w7 (on devicename and c: with extra blank character Windows Server 2003 32-bit sum of hash xp (on devicename and Windows Server 2008 32-bit sum of hash w7 (on devicename and with extra blank character)

C:

C:

volume2 )+ hash w7(unquoted path+command line prefixed

=

=

volume I )+ hash xp(unquoted path±command line)

=

volume I )+ hash w7(unquoted path+comrnand line prefixed

Lookup table for file-hash found on USB: prefetch hashes lookup. txt [3] Windows XP/2003/VistalWin7 are set up by default for boot prefetching to decrease the time to boot the system. NOTE: On Windows 7 machines that are built on a Solid State Drive (SSD), the prefetch directory will not exist because it is not enabled by default. A prefetch file will be named with the executable followed by a hash of the path the file resides in. Located within the file are the number of times the application has been executed, the original path of execution, and the last time of execution. Windows regularly examines the contents of the .pf files and writes the files and directories used by the process to the layout.ini file, which contains original path names of the files located in the Prefetch. The disk deftagrnenter will use data in layout.ini to move commonly used files to the same location on the logical drive. To disable Prefetch:[41 Update the EnablePrefetcher registry key in your run-time image: Key: HKEY LOCAL MACH IN E\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters Name: EnablePrefetcher Type: REGDWORD Value: 0 The EnablePrefetcher key has the following values: 0

Disabled =

Application launch prefetching enabled

2

=

Boot prefetching enabled

3

=

Application launch and boot enabled

To disable Prefetch, set the value to 0.

References [1] http://blogs.msdn.com/b/iyanrny/archive/2005/05/25/42 I 882.aspx [2] http://msdn.microsoft.com/en-us/magazine/cc302206.aspx [3] http://www.hexacom.com/blog/201 2/06/i 3/prefetch-hash-catculator-a-hash-lookup-table-xpvistaw7w2k3w2k8/ [4] http://msdn.rnicrosoft.corn/en-us/libraiy/ms940847(vwinembedded.5).aspx

©2017 Rob Lee

209

SuperFetch

SuperFetch has been on the forensic radar since the preview versions of Windows Vista. It was lauded as an upgrade to the venerable Prefetch with the promise to proactively optimize application memory with regards to time and usage scenarios. The applications you use first thing in the morning are often different than those after lunch and perhaps different still from those run after work hours. It is important to note that it does not replace the Prefetch service. SuperFetch must have had the desired effect on performance as Microsoft chose to continue its use in Windows 8.1 and Windows l0.V1 SuperFetch consists of a series of “Ag*,db database files located in the %SystemRoot%\Prefetch folder, It is wildly complicated with a variety of different header formats for different databases, versions and, architectures (x86 and x64) of Microsoft operating systems. On systems with SSD drives, it may be turned off by default (similar to Prefetch). There are still many gaps in our knowledge of SuperFetch, but it feels like the community is inching closer. Joachirn Metz started a specification document for the format In April of 2014 as part of the libyaldocumentation project. However, the number of “Unknown” values in the document make it clear that [3j we have a way to go in developing a true understanding.[21’ Loca Disk (C:)

Windows

>

Prefetch DLLHOSLEXE-E38D2pf DLLHOSTEXE-324949B9pf

Readyaoot .

AgAppLaunch

DLLHO5TEXE-A8DE%D%Bpf DLLHOSLEXE-DBE67EDcpf

• A9Cx_SC4 AgGlFaultHistori AgGlGlobalHtstorv

DSMUSERTASKEXE-35CC7B6.pf

AgRobuct

Parsing SuperFetch

SuperFetch tracks “performance scenarios” and is specifically designed to anticipate frequently run applications after system activity like standby mode, hibernation, and fast-user switching. It records the set of memory pages used over a long period of time, allowing it to model user behavior and make better decisions about when to pre load application data into memory. It is these databases recording what has been loaded in the past that we can take advantage for application execution artifacts. We can currently derive the following information: °

Application executable names



Execution count



Foreground count Supporting files (includes the full paths of a wide range of files that have been mapped into memory including DLLs, zip files, documents, database files, and files and folders present on removable media, the recycle bin, temp folders, and even volume shadow copies and encrypted volumes)



Volumes accessed (example: HardDiskVolumel) Full path information providing data on folders present on various volumes access by the system



Timefrarnes of application activity

°

Timestamp (from the AgAppLaunch database execution time in testing)

210

purpose unknown but appears to not be reliably tied to

©2017 Rob Lee

The timeframes of application activity fall into the following ranges: •

Weekday 6AM to 12PM Weekday 12PM to 6PM



Weekday 6PM to 12AM

o

Weekday Global



Weekend 6AM to 12PM



Weekend 12PM to 6PM

o

Weekend 6PM to 12AM



Weekend Global

Curiously, there seems to be a blind spot in the 12AM to 6AM range. It is a good thing so many hackers are working business hours these days! Although timeframe information stored by SuperFetch has yet to be vetted for its reliability, it presumably can help identifv application activity occurring at strange times. For instance, is it normal to see your company database application accessed over the weekend? Tools The first tools that I became aware of for parsing SuperFetch were released by TMurgent. Superfetchlist.exe is a CLI tool providing hill path information for files referenced in the various SuperFetch databases. SuperFetch Tree is a clever GUI application that provides a graphical tree structure and neatly identifies what databases a given file or folder were referenced within.141

et p

:

‘-

feLi-

Zc’

C

4

hi

5

ft

:‘

C 2 S.

:fe C

Fit

1-



vS

eec .ess

“O.

-

¼,

“S

-t

from databases w;th “

!‘

[“

-

bst

$

sfructxe

Xpress xpress Xpress

mappio

keys to SuperFetch Database

Pies

‘H ‘‘‘r,

i: [JF:r rri’r

5 jnr%.

C

.•

.

1

4 5 7

,

B

lf



,,

:

Ii

iJHAZ:,,2L.



j.:

,

: -1

7



©2017 Rob Lee

211

The latest version of the free CrowdResponse tool now supports Prefetch, Shimcache, and Superfetch application execution artifacts. CrowdResponse includes a SuperFetch module providing the most solid and useful data from this artifact that I have seen. It is the brainchild of research and development by Alex lonescu and Robin Keir and can be used for live data collection or run against databases files exported from a system or forensic image. CrowdResponse parses data from the AgAppLaunch.db SuperFetch database and provides output in XML, CSV, or HTML. The tool extracts an abundance of application execution information, execution counts, and timeframe informationi5l Conclusion It is exciting to have the capability to parse yet another Windows application execution artifact. However, given the state of our knowledge of SuperFetch, I recommend taking a cautionary approach to interpreting data found within these files. There is still much to be discovered, and the good news is that early indications show this artifact will likely continue to exist in Windows 10. Hopefully, with more eyes on the databases, we can get more comfortable with the available data and continue to learn more. References [1] forensics Wiki: SuperFetch: http://www.forensicswiki.org/wiki/SuperFetch [2] Prefetch Hash Calculator http://www.hexacorn.com/blog/20i2/06/1 3/prefetch-hash-calculator-a-hash lookup-table-xpvistaw7w2k3w2k$/ [31 Windows SuperFetch (DB) Format from libyal Project: idoc [4] SuperFetch Tools from TMurgent: http://www.tmurgent.com/appv/index.php/resources/tools [51 CrowdResponse with @superfetch plugin: http://www.crowdstrike.com/community-tools/

212

©2017 Rob Lee

Date/Time .exe was first executed* Creation date of .pf file (—-;o seconds)

Date/Time .exe ‘last executed • Exact time stored in .pf file as well for the exact time Windows 8 and Windows 10 store the last 8 times executed embedded in each .pf file • Last modification date of .pf file (—-io seconds)

OFIR

FORSOO

I

Windows ForensicAnalysis

The filesystem timestamps of the .pf files can show you some very important details regarding the first and last time of execution of an application. Date/Time exe was first executed Creation date of .pf file Date/Time exe last executed

(- 10 seconds)

.

Last modification date of .pf file

(.-- 10 seconds)

Last execution time also embedded in .pf file Generally, the first time of execution will be connected to the creation time of the .pf file. This would be the rule 100% of the time if the Prefetch folder itself wasn’t limited to only 12$ files, if an application has not been executed in quite some time, it might be deleted from the Prefetch folder. If the application is executed after it was removed from the folder, the new Prefetch file (.pf) will be assigned a new creation time because it is a brand new file. In other words, although interpretation here is critical of the .pf file, the first time of execution is the first time the application was executed while the file has not been deleted. This is not the first time the application was ever executed; although, it could be the case. NOTE: Just because a .pf was created, it does NOT mean that the program was successful in execution. Many ,pf files of “broken” programs will still register a file in the Prefetch. Last execution: Date modification and embedded in the .PF file itself The last time of execution is generally tied to the last modification time of the .pf file. The .pf file is generally re written every time the application is executed again. Not only that, the last time of execution is embedded into the .pf file as well. This allows the investigator to hone in on the last time a specific application was run.

©2017 Rob Lee

213

213

Other analytical considerations: In some cases, we have seen certain programs executed from a different location Generally cmd cxc is executed only from C \Wmdows\system32 directory If someone executes a command prompt from another location, it will show the crnd.exe program but with a different hash in it. In a variety of intrusion scenarios, this information is quite handy.

(

214

©2017 Rob Lee

• PEcmd. exe Prefetch Explorer • By SANS Instructor Fnc Zimmerman —

Command line edition

C\>3Eard e,-f SDEIE]!E PF

(SINGLE Pf PARSING)

DFIR

FOR500

I

Windows Forensic Analysis

Similar to the other Eric Zimmerman tools, Pecmd.exe has many similar options. We need to specify either -for -d. The rest of this post will demonstrate processing a single prefetch file since the -d option essentially does the same thing for all prefetch (*.pf) files found in the given directory. Additionally, the -d option processes directories recursively. Next, let’s take a look at how you can augment the bui It-in keywords. The -k switch allows you to supply a comma separated list of values you want to highlight in file names and/or directories. Be sure to surround the list with double quotes. The Windows API contains support to decompress Windows 10 prefetch files starting with Windows 8. Since Eric relies on the Windows API to decompress prefetch files created on Windows 10, you must run PECmd.exe on at least Windows 8 in order to process Windows 10 files.

©2017 Rob Lee

215

21S

i:’22;G13 t..25.! i’/22[10!3 ib:25.24

-

.-

c\’ 1

.“

L

Li’

‘‘

.:

.‘‘‘.

.

H.)’’

‘‘[‘‘‘

22.?U3

i’i.,/u

.

-‘

U.(Jj’.. •

.1





c:\7ROGRAM RL:s\Mtccosotr ‘F’9CE :3Vtc3T\DiFicE\ExcEL.t>,E c?t,EX ,\w’:oc’ ‘is\s’.’sT:’c

R’’

, *

:;.

W/22)2013 i,’33:t7 !r,’fl- ±‘: ;t.

-

—;

.d/.’.a3,..



U,,,.

H

I

‘?‘



,

c;?. c .L

,



-UO U3\’e,TEV.t\iMfl,,.EXE D5 ) t-T ui i.,iJQ

sc.

‘,

•‘‘iU’

‘.

1

22h”i2 .in:’3:Si ...2

cr

_

L

I

1. ‘l..:





.1

“.u:. ‘

.1

It ‘1I’-’V- I

•:

• “

.

‘ ‘

..:r.

IL.IIt

•%‘.‘.‘

‘v-’.

‘H ‘IHUA

,



S

ii.-.. “5 H

‘U

r

t:Uj:’rcS\DC)N4t fl\OOwN 1j%JS’,SjEcrT”.E f1f H ..5 1 Ji Fr rlr

cIL

2.’. ‘:I;

S\

MLI

r•.

s,”

.

S:C4

c’,,’” -JOt 1W “,S’x ,Tt).;2\Rn’3I

,

,



it.’

F( R5O

U FIR



-

i...

‘,:

Ct

)...

c-i-

I

•\

\ i,.iC

Sb’

.

C/)2I’C1.

L)lI

O1.c

22..JL..b.( -

r •

u-”‘c’v1

aa

2_i L

‘I

,r

§1

,,,‘



ul

/ ilU_ ‘UIUH”.”cC. 1,

..tA,T

‘\v ‘H.’’,

Oi’\,:lt

‘,



.;



j .Viri v or



.

*

mi

,

.1’.na

sis

21

At the top, we can see the basics like executable name, the hash, and the version of the prefetch file. Below that is the run count and last run timestamp. When more than one run date/time is found, they will be displayed. After the last run information is the volume information sections. In most prefetch files there is only one volume as we can see above. We get information about the name of the device, when it was created, and its serial number. For each volume, a listing of directories is maintained. These directories follow the volume information. I asked for the capability to generate a timeline when processing prefetch files. This feature was added to the CSV export functionality. Here we are processing a directory’ for prefetch files and generating CSV (well, tsv, but you get the idea). The implementation is very simple. For every run time stamp in the prefetch file, add an entry in the timeline with said run time and the full path to the executable. This can then be copy/pasted right into a super timeline. Opening the timeline output in Excel achieves output similar to what you see in the slide above.

216

©2017 Rob

Lee

(

• pf.exe By TZATorks.net

f-re

.-

:.‘ec 3r

r

.

ime ..tc

t--

te



OFI!?

FORSOO

Wi idows orenc1cAnaIy is

From TZWORK$ website [1]: pf is a command-line tool that parses Windows Prefetch files. pf has a number of command-line switches. There are two available options that tell pf how much data to display to the analyst. The first is the default mode, which displays one line per Prefetch entry. The second is the verbose mode (using the v switch), which displays as much information that pf can parse. -

The default behavior will output the (a) application name and path, (b) number of times the application was run, (c) last time run, and (d) Prefetch file MAC timestamps. The verbose option includes all the same information the default option outputs, plus module dependencies loaded and volumes used to run the application. When desiring detailed data on a certain Prefetch entry, the verbose option is the best choice, without using the CSV option. The output will be unstructured text where multiple lines will be used for one Prefetch entry. When analyzing Windows 8 Prefetch files, there are extra timestamps available that can be extracted using the prevtimes option. Although Win8 has predefined locations for these other timestamps, this option actually uses heuristics to find other dates that might be present in the Prefetch file and extracts them.

-

[1] https://www.tzworks.net/prototypepage.php?protoid=l -

©2017 Rob Lee

217

217

r

Execution History

Prefetch Files 313 sf 313333-133. _‘%S%,l 55 1:C’33t5-TE’1P 33%122—11pl 33 S

5.3113 (lESIPpI 332135413 ‘ilSSPpf MI-FlIP p1 521:3’ 131 11371331 pl

I

153505133,3-31513333 pl I P-3E5031%1.1435511 3sf 31531233 p1 P 115103151 143511 III 42335(5311 51 11154 341111.35515332143 p1 • 33311,15 PIP FC2’I’T sI

35551, 05555115

545155555

51550

.2.5435,112131:13,513435 33 3,1533.4%54 13112

‘11155,41 54331 33 l51.2--,53P54 1123 133,5135335 lI13%l35%331M 12’ 2313345,44135 332 2413 321 533PM I 23.2132 4525 PM

CCs,N3TM2.

33 C

1322-11315-021435 5 22-2133

5013151453313 32s2’E45 1:33233353 131:54311 1:2254111

22 3

oPtt 13-J’5333 333PM 13.21-1135-3 -23-3333153142-35.15-22 ISSIILS-IPI’,lC :1-112 1211 2343333 1521/2 35333’ PM 1’ 22.2’132-51 33 PM 113312153 5533 PM I 1’ %133’333 F’4 IC IF 2131 1, ‘411421 311334351 P1t 1%’ 213132

322 333325 PM 113231123322254 13 21s1.,.1 PM l%3%315%5’41554 53 ‘335’1’ 1’ .3511

13330333 p31

C

P235,53

5

5.21213 3s3-51 P14 1,21 233

23

533.1312 33333,333 PM 33 11.2131 15’2 335 123:21:5.3

13 22213 1s13% 121

3 PslEMAI%%lE1III P3111:5143



3

11:53 1s1354I.,1 CM 3523 213 ‘.55411 33 22.221134231 PM 13321S3%131 1:52PM 13-11 sIll 3 ‘121 PIsI 15’ ,151i5 ‘51 33113 1.13 531 343.51331, ‘233313 5 5333143553415 21 33I3’’i’’ PM IC “2111331133353.1 13’ 33 -111F3 11 33 21151 31-33411

3,ssMF,Ih ‘311 1315.PSC.SSICOLUMI5.11113331133.5CX3MI’,TCC3,1s,%5TEI E55.15113-1152%C5C 534353355 311331335%P33355131535411 1%313555013%LI 5Pp0A133134331333M:,R05CFr31F5 1153115T10%22315-I5C%55,3 5153333 H4155,’5401145435 151P50C’P4%51: 43153143%1I(5%54315133s PCjI 53055133333315313 IMINTIC%SOD/215L111P513”Fl

• 3133453131:3333555 PCCP5%131 33332.45131 351514355153131353 P’IUPC2NT3C’35153 11015413111

523 33’ .,52

511513 PCI

31523 H3c15C3151051M1( 55133,1:3531031145 ‘2.513 ‘5 H4R53535350tUM1’ IPI,33’lI 33151-25 3123332123 1131’33&I2315’ 4’4’ 113313155103 is 1:11(3 IISPPC’9s,OWM’1-55113-503111C1 51553(2. 3151 1sF ‘33 C3311E’KSPC2. 31 13531.115 101533335231 3(153212513 11:313531:

‘4 DC’ISTI’F’N_ 1 35551 353, 3533315

‘.3 131

11513051,3

DFIR

FORSOO

Wi2ndows Forensic Anaysis

The Win Prefetch View is relatively easy to run. When you execute it, you type in the case name, the Prefetch directory, and the output directory to where you want the report to be written. NirSofi Prefetch view works on all Prefetch file types XP WinI 0. This includes the new compressed .pf files found in Windows 10. —

When you first execute the tool, you will need to select the Prefetch directory you would like to examine via OPTIONS -> ADVANCED OPTIONS -> PREFETCH FOLDER > E:\[root]\Windows\Prefetch What I like about this tool is that it shows the last execution date and total number of executions, in addition to allowing the user to click a .pf link to see the file handles stored within.

218

©2017 Rob Lee

218

0 -

I

1-

‘cEiE:T..

L

-ii ‘h

[I

.

L

-

SLELc .EE

ii

*

-

L

.!..

-.

-

--

EtL,rT iEMTi -l;l-t ,Iil —IF li

iIi

-:e lath

It. hE’ H L u-is’:’. Lt ME SE TEl-iC ,:c. Wit’ r: HE J,FP .i.CD flEE i’: “Pi.!I’-’i jRflEF’ Mi.’ I- t ‘-i- .-[ -‘;t II F’: ‘1 i,—.T’I—P ‘‘i p r .c _:i,i r-’--LH-: 1’ _.i tF1IRi’.’LLL U.Et’t *.ERE -ct’ C. -I .TclH.i .TfrI Df’.lE H.i1ilSis’ OIHME UcEP [..i,t” t’ irt-: i iN I- TERiE BfliUE’S PiW.D* c U— .lcE’ H*DClSt,. QI UI tE USEP .rQUID eflE;JMEWT NQl-i TRTEQ C ‘--

Hit’1, T-;3t.-f ‘Et:i.iJ PLti.’ 1ii’1I’ I itH stIlE pIJ:Jics Pt .NJ’ (;kl.. TI.,Ttt.’( I/i.

-

-‘‘

--

...



j’’-

IEl.E HAFflDiSE.’.’LUI IE; LER’_ I- :-LQ’ fl ..tV,L’S EUL..r\T r’*irt t?ffll’4 t’Lll-3, UEP’ E’iLD’D(’ ‘:ifl’D’ ‘E”iV.E I .i’;’.’c;LI. LII’ irD,,, ,TE.’ -a’: I ‘.-_l 1 .LI ,L ‘1 1, :‘,iJEi ,I;,.cL*.I;E ,iI’1t3 .., IEF JILILL L’

I

‘(



‘.‘

ti

j’’

(4

DFIR

-

‘-TI.t

I’

_r

FORSOO

ii

I

Windows ForensicAnalysis

After you click one of the .pf links from the Win Prefetch View, you will notice in the bottom window a listing the files, folders, and devices used when the program was executing. Even if the file or folder was used in independent subsequent executions of the application, there will be evidence stored in the single .pf file. We can use any Prefetch analysis tool to easily parse in a graphical manner the files referenced inside the Prefetch file. In this example, we can see that sdelete.exe referenced multiple Microsoft office documents. In all likelihood, these are the files that were wiped by sdelete when it was executed. In many cases, anytime an executable opens a handle to another file for editing or maniptilation, that file will generally be referenced inside the Prefetch file itself. Many of these files might not have a referenced shortcut (LNK) file associated with them and because sdelete is a non-graphical program, trying to correlate its use with the target file might prove difficult. Here we have a good shot at understanding what target files were wiped by sdelete.exe.

©2017 Rob Lee

219

29

______ ___________

gD

1ff

-

Process Path —

;\Export\Prefetch>pf UINW0RDEXE’CECSA770.pf An1yzin fi1e WINJ0RD.EXE-CECBA770.pf 03/27/2015 17 02 43 i’od1f ed 03/27/201521 1809 02/27/2015 21:18:09 SETUP,EXit WIM4GRD.EXE run 518 tiee Ib,rget cue:

\DEVlCE\HARDDlSKVOLUME% DRIVERS\CONEXANT AUDIO DRIVER \DEVICE\HARDDlSK’JOLUME%DRlVtRS\lNTEL VIDEO DRIVER\StTUPEXE

FLp

DEVlCEHARDDlSKVOWME5\DRiVERS\VGA DRIVER\SETUP.EXE

‘DEVICE HARDDISKVOWME%\DRIVERSVNLAN AND BLUETOOTH DRIVER\SET! \DEVlCEHARDtflSKVOLUME%\PROGRAtv1 FILES X86’ADOBE\READER I I.O\RRJ4

\DEVICE\HARDDlSl’OLUME%\PROGRAM FILES tX86COMMON FlLES\APPL \DEVICE\HARDDISIJOLUME%\PROGRAM FILES X8%\COMMON FILES’APPL ‘ol E \DEVICE\HARDDISKVOLUME5\PROGRAM FILES (X&6ACOMMON FILES\APPL

go%RoDrsKvoLuME%uNoos\FoNrs\sEGuIs8. directories mepped \DEVICE\HARDDISKVOLUHE1 path: rd: 11/13/2013 00:28:45.067 —--—-

\DEV!CE\HARDDISKVOLUME2 peth: PFVICFHARflflcgVO1 IIMFS PRflfRAM FU FS (‘XRFiCOMMON Fli FS\Mwpt’ol LIme creeted: 07/08/2014 18:35:08,935



2020

Prefetch Device information mciudes Volume Serial Number (viewed m pf . exe output)

OFIR

eria1 nurn:

b66e49B3

vol peth: tice created: aerial flue: tot path: time created: er1al num:

\DEVICE\HARDDISKVOLUME3 07/08/2014 17:41:36,980 84defbe8 \DEVICE\HARDDISKVOLUME4 03/04/2013 09:04:34,276 4c4f-d%dd

FORSOO

I Windows ForensicAnalysis

Notice that in the “Process Path” column, we see multiple devices listed. These will list the local, network, or removable devices where the files were found. The exact path of the files is not listed, but we can clearly see that the files are probably found on more than one device, in the above example, we are looking at \Device\HarddiskvolumelO. On this device, we find that multiple processes have been logged as running including data on it. Specifically, tve see FTK lmager as being one of the executables. This is the drive we attached to the system to gather a disk image. Being able to pinpoint specific volumes that are referenced by the Prefetch execution history is incredibly important to us as investigators to track what programs might have been used on a removable device or network drive. It wasn’t that long ago that every report we read containing Windows Prefetch artifacts included only the basics: executable name, first and last time executed (now eight timestamps in Win8), and number of executions. There is much more information stored in Prefetch files, but tLntil recently there were few tools to easily parse and provide it to the examiner. Mark McKinnon wrote one of the first Prefetch parsers to include full path names for additional files accessed within the first ten seconds of application launch. TZWorks’ pf tool now also provides this information. Depending on case type, this information could be overkill, but imagine a Prefetch file tracking execution of a malicious binary while also identifying a related malicious DLL loaded, or the location of keylog output. A lot of files are accessed within the first ten seconds of execution, so you might find evidence of specific documents opened in the Prefetch file for the Microsoft WinWord application or in the case of Figure 1, files accessed within zip archives via a 7zip Prefetch file.

220

©2017 Rob Lee

Ut’

: 7 C t

5 6

YIN\;PPZcEWYNT ViN\US CRA?!’Z EiN?’)iTFACIFC ?

EVICE\IAP!SMW1\OX 3Tfl YGVN UR SPE\NE!NFOIT\U\5AXk 5IC YW!N’ t RE\% WF Pt1\PCtTXCNE EViCE\HkUf’Ei\F:C iYiFiP S1iAE\

But wait, there’s more! In fact, if you take a quick look at the Prefetch documentation in Joachim Metz’s libyal project, you will find data structures storing a wealth of information. We intend to demonstrate one of the lesser used structures, the Volume Information Entry, in this post. Windows operating systems have expanded the data structure over the years, but even the simplest version includes extremely useful volume information like device path, creation time, and serial number.

Offset

Size

Value

Description

The offset s reiatIv from he start of the vome :nomaton 4

Njmbe! o tIe rfeene

Unknown

©2017 Rob Lee

221

Windows Volume Device Paths

If you have been doing Windows forensics long enough, you have inevitably run into artifacts referencing “\Device\HarddiskVolume” in the path. We see this most often during event log review. As an example, the graphic shows a Windows Filtering Platform event in the security log referencing a device “harddiskvolume3.” Date:

3/1312015

Source:

F6aosaftWindows-Seoxity-Audlbng

lime:

6:59:20 AN

Category:

Fdtermg Platform Connection

Type:

Audit Succesa

Event ID:

5156

User:

N/A

Computer:

-

Description: The Windows Filtering Platform has pernitted a connecbon Appl:cation information: axe Inbound Suection: Source Address: Source Port: DestInation Address: Destination Port: 6 Protocd: Filter Information:

1%700 I 5612 1%7.00. I 52924

What does “harddiskvolume3” mean? The nomenclature belongs to the MS-DOS device naming scheme and can be referenced via the Windows API QueryDosDevice function. Correlating a volume device path to a specific device can be a great exercise in frustration. Even on a live system, there is no built-in command to tie everything together. Diskpart perhaps is the most useful, but does not provide the volume serial number or GUID information. Mountvol and the WMI Win32 Volume class can map drive letters to GUIDs, but do not include device path information (try: Get-Wmiobject win32volume). The built-in Filter Manager Control Program (try: fltmc volumes) maps drive letters to device path. To get all the pieces together, you will have to write some code. Mart Graeber created the PowerShell script Get-DevicePath that maps device path to drive letter, and it could be modified to also include volume GUIDs for a reasonably complete solution. NirSoft’s DriveLetterView does the most complete job of any tool we have tested, but it must be run on a live system and does not scale for remote use, As we will see in the next section, finding a way to record some or all of this data during live response is a worthy effort because it can save significant time during subsequent analysis.

Nicrosoft DiskPart version 63.96OO copvri ght Cc) i999-2Oi3 i crosoft corporation. DISKPART> list volume volume #C# volume volume Volume volume volume

222

0 I 2 3 4

Ltr

Gdocs ToSHIBA sri

Ps

Type

Status

NIPS NIPS NIPS NIPS

DVD-ROM Partition Partition Partition Partition

No Media Healthy Healthy Healthy Health

©2017 Rob Lee

i!e

*ct Pith

oue fl

Dre Te

Dece Hdfr:imt.

ec a tun be

umt $eru tkrnttr

Lc Hrtr ç Hv

>

Mapping Volume Device Paths from Disk Artifacts

If you are stuck investigating a volume device path from only artifacts on disk (that is, deadbox analysis), you are at a disadvantage. Luckily, event logs can offer a little more information. If the mounted volume was formatted as NTFS, you might find an event ID 9$ entry in the System log providing the mapping between device name and mountpoint.

6:56:17AM

Type:

Categoy:

None

Event ID:

98

Computer:

Descron:

If you are incredibly lucky and chkdsk was run on the volume, the chkdsk event recorded in the Application log correlates the volume device name and volume label.

4:11:24PM

Cateoy:

None

Cornpute:

Examirnig 75 onrrupton records.

©2017 Rob Lee

223

Interestingly, the Volume Information Entry present in Prefetch files holds a key piece of the puzzle. If any application was executed from the volume of interest (\Device\HarddiskVolume3 in the previous example), the resulting Prefetch file will record the device path, serial number, and creation time for that volume. Device information will also be recorded for any volumes where files were accessed by an application within ten seconds of application execution. This is a big win because most applications are executed only from the system drive, but arbitrary files can be opened from many different volumes. Figure $ illustrates relevant data present in a Microsoft Word Prefetch file. Note that data on four different volumes was stored within this Prefetch file. Taking things a step further, collecting this data from all 1024 Prefetch files on a Windows 8 or 10 system would provide an excellent historical reference of volumes attached to a system. However, one caveat is that Prefetch post-Windows XP does not appear to be reliably recording volume device path information for objects accessed on devices with the removable media bit set, such as many thumb drives. However, the good news is that USB hard drives, eSATA connections, mounted VHDs, and many other devices do not fall into this category.

-•.-

.LJL.

r-e-,,

run:

:

‘..

C

?70. pf file: WINNORD. EXECECBA 17

odif ied ‘cessed

_.j-

r:v r

.

-.

.1

)

0/7/I0...5 i1: ià:.9 X/L/’ J.3

—/

03/27/2015 1640:58.244

\t V CR\H ‘RflD I SKVOI UM% NT NDflW\SYS T EM32\N TM AR

L C24 ‘—-

r

326

SDiS IS< i3LUML2\L1P’JDDWS\SSTEt132\M \DE\ £CL\1’RDD C% prrr y it \ “E’ ‘3’ Jr L. \DFV I CE\HARL:D I SK/OL.’JM2\N I NDON\F Y t S\SEGtJi S. t

o I th:

d

-

!T

-.

\:)EV I CE\HARL)DI SK VQLIJME I d/v

93 V?:’S

-

‘o I

pitt t .ëL.

I SKVOLUME% ‘\E I CE\HAPDD .1 ‘:

‘..

rm

I

2EIA)t’SV 1E’? & — 84de-f bed ! mr$’j .Y... .C.:.. +. .J/-4 4c4f—d2dd .

scria;

nurn; .1

irr ‘(.Jt d eriaI nurn:

224

-‘

—\





©2017 Rob Lee

-

Putting It All Together

Our work is not finished once information is collected from Prefetch. At this point, we have mapped a volume device name to a volume serial number (via Prefetch) and might have an associated drive letter (via event logs). To gather more information about the volume of interest, a search for LNK files and jumplist entries should be conducted. These two artifacts record myriad data about files and folders opened by a user, including the volume serial number from where an object was opened. By matching this serial number to what was found during Prefetch (and event log analysis), we can resolve additional information like the volume label, file timestamps, and full path information of files and folders present on that device. source path/filename 2OTaryrkQiJnk roectALPHA.hr PrtSTk 012555Jnk 110314irk BackupsJnk ntaccessJrk Backup121SJn SAES1 (Hiek



file size Ox4bSd

vol type

volserial 4c%fid2dd Oe228 fixed 4c4fid2dä ffxeu Oxe2%8 4c4fid2dd Ox%7e%680 fixed e4beh Ox%60583f fixed de4be8 Oxi000 fixed aefb S Ox3ddS fixea b%%a%983 0x46%16a removable d8dc-%SeO remcvable dSdc7SeO fixed

vol label TOSN8A EXT TOSHBA EXT TOSfiBA EXT Gdocs Gdcrs Odocs SAiES1 SALES I



local path H:\2O15TaresQ5xx 4:\PrcectAPHA,dccx 4:\Proert8EASTdocx

G:

ckups\Oi%51&Sz G:\ acs\i;C3147 G: cps C:\Temp\htaccess H\Backupjl4121&1z

Although certainly not a painless process, with some good investigative work, we can determine the following: •

Volume Device Name: Event logs, Prefetch Volume Serial Number: Prefetch, LNKijumplist

Volume Creation Time: Prefetch •

Volume Name: Event logs, LNKljumplist



Volume Mount Point: Event logs, LNK/jumplist



Times of Use: Prefetch, LNKljumplist



Files and Folders Present: LNKljumplist

©2017 Rob Lee

225

Thumbnail Analysis

OFIR

FORSOG

This page intentionally left blank.

226

©2017 Rob Lee

Windows ForensicAnalysis

226

spo’

• Application Compatibility checking within Windows operating system • Checks to see if application needs to be “shimmed” (properties applied) to run application on current OS or via older OS parameters • AppCornpatCache will track the executable file’s last modification date, file path, and if it was executed • Advanced: Applications will be shimined again (w/ additional entry) if the ifie content is updated or renamed. Good for proving application was moved, renamed, and even time stomped (If current File’s Mod—time ShimCachc Mod-time)

r1hitiT1T • SYSTEM\CurrentCantro1Set\Contro1\ScssionNanager\AppCoznpatibi1ity\AppCcwpatCache • Server 2003/2008/2012 Win7-10 -> • SYST%\CurrentContro1$et\Contro1\Sessionanager\AppCosapatCache\AppComptCache

• Last Modification Date • Xi g6entriea

• Last Execution Time = Last Update Time • 1024

entries

• InsertFlag “True Application Executed lnsertPlag False Application not Executed

I

OFIR

YES

FQR500

I

YES

Windows Forensic Analysis

The Application Compatibility Cache was designed by Microsoft to detect program compatibility challenges when a program launches. A program might be built to work for another version of Windows, so to avoid compatibility issues, Microsoft created a subsystem that would allow a program to invoke properties of different operating sy stem versions and environment changes. The compatibility capability is seen by regular users when they execute a program through the compatibility wizard or when they set an application’s capabilities to run in “WinXP” mode. The different modes are essentially called “Shims.” By default, there are I OOs of shims that exist on a standard Windows installation. Windows looks at the AppCompatCache registry key to figure out if a program needs shimming for compatibility.111 To the responder, the most useful piece of this is that the AppCompatCache will track the executable file’s last modification date, file path, and file size. On Windows XP (32 bit), it also tracks the last time executed (last update time.) The reason this key is useful to examiners is that it is one step closer to showing whether an application has possibly been executed and could aid an incident responder looking for malware executed on the system. When a program is shimmed, registry entries are created to notify the system. As the program (.exe, .bat, or .dll) loads, it will be checked in the Shim database and perform lookups in the system compatibility database. One of the more interesting aspects of the AppCompatCache is that each application is checked regardless of whether it has been shimmed. The registry key paths for the AppCompatCache are: xP •

SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatibility\AppCompatCache



96 entries

©2017 Rob Lee

227

I 227

Server 2003/2008/201212016 Win7-10 •

SYSTEM\CurrentContro1Set\Conre1\SessienManager\AppCompatCache\AppCompa tCache



Server 2003



Win7- 10, Server 2008/2012/2016

512 entries =

1024 entries

The AppCompatCache is implemented in one of four ways depending on the operating system. This also ends up changing the type of data stored in each of the registry entries tied to the AppCompatCache entries. The most notable difference occurs in Windows XP, which lists the last execution time of a program in addition to file path, file size, and the application’s last modification time. In Win2003, Server 2008/20 12, and Win7-10, the registry location stores the following useful information: file path, file size, and the application’s last modification time. The last execution time does not exist in the latter operating systems.[21 The cache does not exist on Windows 2000 systems or older. [2]

W1n7/8, Server 2002/2012

YES

YES

YES

1

YES

The registry for the AppCompatCache entries is written only on system shutdown and not before.

When reviewing the output from the AppCompatCache, it is good to note the following: I. Most recent events are on top. 2. New entries are written on shutdown. One of the most useful capabilities of the AppCompatCache is the fact that if an attacker has removed the maiware from the system and was careful to also delete the prefetch (.pf) file as well, then the AppCompatCache entries might provide some of the only clues that the application existed in the first place. Also, if the application is rewritten to disk, modified, or renamed the application will be shimmed again resulting in additional AppCompatCache entries. This is exceptionally helpful in determining if a file is renamed after downloading on the host. It is also useful in determining if time stomping has occurred. If the last modified time of the AppCompatCache entry is not the same as the actual application, the application likely had its last modified time adjusted. Starting with VISTA+, the existence of an entry in the AppCompatCache registry key does not prove execution; however, it is likely. In VISTA+, there is an existence of a flag called the “InsertFlag” in the structure of the AppCompatCache Entry structure (VISTA+ systems only) that shows, on initial testing, that if it is set, the [4] program was executed on the system. If the flag is not set, the application did not executei3]’

[]] “Secrets of the Application Compatibility Database”: http://www.alex-ionescu.com/?p39 [2] “Understanding Shims”: http://technet.microsofi.com/en-us/library/dd837644(vvs. I 0).aspx [3] “Leveraging the Application Compatibility Cache in Forensic Investigations”: https://dl.mandiant,com/EE/Iibrary/WhitepaperShimCacheParser.pdf [4] “Johnny AppCompatCache”: https://digital-forensics.sans.org/sumrnit-archives/DFIR Summit/Johnny AppCompatCache-the-Ring-of-Malware-Brice-Daniels-and-Mary-Singh.pdf

228

©2017 Rob Lee

odifledPacPIag

DFIR

FORSOO

Windows Foren. cAnJ sis

ShimCacheParser.py is a tool for reading the Application Compatibility Shim Cache stored in the Windows registry. Metadata of files that are executed on a Windows system are placed in this data structure on the running system. Upon system shutdown, this data structure is serialized to the registry in one of two registry paths depending on the operating system version. [11 The format of this data, as well as the types of information stored, also varies between operating systems, which is summarized here: • Windows XP 32-bit: File Path, $STANDARD INFORMATION Last Modified Time, File Size, and Last Update Time • Windows 2003 and XP 64-bit: File Path, SSTANDARD INFORMATION Last Modified Time, and file Size • Windows Vista and later: File Path, $STANDARD INFORMATION Last Modified Time, Shim flags The script will find these registry paths, automatically determine their format, and return the data in an optional CSV format. During testing, it was discovered that on Windows Vista and later, files may be added to this cache if they were browsed to by explorer.exe and never actually executed. When these same files were executed, the second-least significant bit in the flags field was set. During testing, it was possible to identify if processes were executed based on this flag being set. This flags true purpose is currently unknown and is still being testing for consistency, so it should not be currently used to definitively conclude that a file may or may not have executed. The output CSV file is set with the (-o, --output) argument. If no output file is specified, the data will be printed to STDOUT, ShimCacheParser will search each ControlSet and will return only unique entries by default. If you want to display duplicates as well as the full registry path where the data was taken, use the verbose (-v, verbose) option. --

[1] hftps://github.com/mandiant/ShimCacheParser

©2017 Rob Lee

229

229

When reviewing the output from the AppCompatCache, it is good to note the following:

230



Most recent events are on top.



New entries are written on shutdown.



If Exec flag

=

True, then application was executed.

©2017 Rob Lee

• Application Experience Service • New AppCompat structure and full of additional information

Location C: \windows\AppCompat\Programs\mcache .hve (Windows 7/8/8.1/10 mcache.hve\Root\File\ (Volume GUID}\#######

and 2012/2016)

•Keys =

• Entry for every executable run, full path information, file’s $Standardlnfo Last Modification Time, and Disk volume the executable was run from • First Run Time = Last Modification Time of key • SHM hash of executable also contained in the key

flflJ

FORSOO

Windows ForenslcAnalysis

Starting in Windows 8+ and in recently updated Windows 7 systems a new registry hive exists called ‘Amcache .hve.” This new hive contains an exciting amount of new information related to tracking executables, where they were executed from, and more. The Amcache.hve will contain the executable full path, file’s $Standardlnfo Last Modification Time, SHAI hash (remove leading 0000), and in some cases, file information such as Version, ProductName, CompanyName, and Description. Generally, Amcache hive will track both installed programs and programs executed. Programs that are installed via an installer will also show up under the Amcache hve\Root\File\ and the 1mcache hve\Root\Programs location. These paired locations are called “associated entries.” .

.

When you open the hive in a registry viewer of choice, browse to the mcache hve\Root\File\{Volume GUID}\ parent key. The Volume GUID will line up with the .

MountedDevices key found under System\MountedDevices.[H This is a critical piece of information to understand as you can determine the exact volume an executable was run from using this information. Under the mcache hve\Root\File\ {Volume GUID J \ key, you will find numeric keys (for example,100000 1454). Each of these keys represents a different executable file run under Windows. The last write time of the numeric key is most likely the first time a specific program was executed. .

Value Names are in hexadecimal and range from 0 to 1 7, and then two extra entries for 100 and 101 are seen. Yogesh Khatri has reversed out these values and their meanings.[21 (Note: For Encase users, Yogesh also created an EnCase EnScript to parse this key downloadable from his website.)[21 [1] Covered in detail in FOR500

Window’s Forensics

Section 2

[2] Amcache.hve in Windows 8 Goldmine for malware hunters: http://www.swiftforensics.com/20 13/12/amcachehve-in-windows-8-goldmine-for.html -

©2017 Rob Lee

231



Data Type

Description

Value

0 Product Name 1 Company Name 2 File version number only 3 Language code (1033 for en-US)

UNICODE string UNICODE string UNICODE string

4SwitchBackContext 5 File Version 6 File Size (in bytes) 7 PE Header field SizeOfimage

UWORD UNICODE string

DWORD

DWORD

-

8 Hash of PE Header (unknown algorithm) 9 PE Header field Checksum -

DWORD QWORD

Unknown b Unknown File Description d Unknown, maybe Major & Minor OS version 1 Linker (Compile time) Timestamp

QWORD UNICODE string DWORD DWORD Unix time -

10 Unknown 11 Last Modified Timestamp 12 Created Timestamp

DWORD

15 Full path to file 16 Unknown 17 Last Modified Timestamp 2

UNICODE string

FILETIME FILETIME DWORD FILETIME UNICODE string UNICODE string

100 Program ID 101 SHA1 hash of file

232

DWORD UNICODE string

©2017 Rob Lee

L

Fe

j

Ewt

Repwt

chh JRcct

Wmdo

Kp

Nrn

-

.

b



-

‘:; 2b

1:1le51?C J 1C,CD1cfD4 j

SVSTE. C ontrSeG)1 J DrwrDat,be HrdwrConfiq U

çJ

-_J RNG

Executab1e Name

O!af

F Execution fOr “New” Apps ,

Vc4ume(afd25S98-3b?1 I e-bRc-2%fd%256bede ??\Vakime(bcdOC2d-3b8--I 1 eI-beScJ-24fd%256&d

F125E19257) F%50F3EE

SHM

3251fb6Cecc5b42

S3SThM fflvE

OFIR

FOR500

I

Windows Forensic Analysis

When you find an entry in the “File” entries that has data filled out, such as product name, file size, product name, and more, then you have found this program was actually truly executed versus simply existing on the system. In the above example, you could associate the first time of execution with the program name by looking at the registry key’s last write time. This has generally been accurate for the “First Run” time of the program for new applications added to the system, but usually a poor indicator for system native applications. In the above graphic, there are three key items that are likely to be found in every executable entry in the Amcache.hve: 1. Executable name/path 2. First Time of execution for new apps (Last write time of key) 3. SHAI hash of the executable; remove leading four zeros before submitting to VirusTotal for lookups. In addition, you can parse the Volume GUIDs using and correlating the information from the SYSTEM hive’s MountedDevices key. J iL2t1b

Name

5a1c

I Jif 1

JiC 1D2a34

Type

Data

REdOPD REG SZ REGSZ PEC SZ

D6I2FFE9 115 25%73459213455Oj \programfilesixS5)Lenovc\lenovotranntion\umnstalLe

r’’

i:1

— -



refet

Rent

XPSearch)

n7SeareliZ)

1st’iited

Key 1d1’)’ T

I

I

-::: I

I

U

f;IIp M eb

-

DFfR

\

i

FOR500

User Comms Web-Based E-Mail E-Mail Calendar Chat and IM Chat!Webmail Memory Artifacts File Download

I

Windows ForensicAnalysis

File Knowledge XP Search ACM RU Win7 Search WordWheelQuery Last Visited MRU Thumbs.db -



Vista!Win7 Thumbnails Recycle Bin Physical Location Timezone

Open/Save MRU E-Mail Skype History Program Execution

Wireless SSI.D VISTA!Win7 Network History USB Key Usage Key Identification First/Last Times Connected

UserAssist LastVisited MRU RunMRU Start->Run MUI Cache Win7/8 Jumplists Prefetch File Opening/Creation Recent Files Recent Files (*ext)

User Volume Name Drive Letter Shortcut files (.LNK) Account Usage (SAM) Last Login Last Failed Login Last Password Change Group Membership Browser Usage Memory Fragments of Private Browsing

Office Recent Files Shortcut Files (LNK) Win7!8 Jumplists

©2017 Rob Lee

239

239

LI

SANS DFIR

DI1TA1 FQRENSIIDS B INCIDENT RESPDNf

FOR500 [Windows Forensic Analysis

OFIR This page intentionally lefi blank.

240

©2017 Rob Lee

24G

DFIR

FORSOO

Windows Forensic Analysis

In many high-profile cases today, the media highlights how digital evidence is some of the most significant evidence in proving criminal activity. As a result, digital investigative analysts often find criminals using counter-forensic programs in an attempt to destroy proof of their activity. The System Resource Usage Monitor (SRUM) is one of the newest digital artifacts discovered and can help prove several user actions even after execution of counter-forensic programs. As an example, when investigating a corporate system compromise, examination of SRUM data could help an analyst identify applications running on a system each hour covertly exfiltrating data to a competitor or foreign nation. Another situation in which SRUM data could be useful is to document the activity of an employee transferring mass amounts of data from the corporate network to his or her laptop before leaving the company. SRUM would likely show the significant amount of network data inbound to the employee’s computer using the Windows Explorer application. SRUM would also show if the employee went to a local coffee shop, connected to the wireless network, and then uploaded the data to a web-based storage location (such as Dropbox). SRUM would show the date, time, and network name the computer connected to, the duration of the network connection, the user logged into the computer, and the large outbound network transfer on the coffee shop’s wireless network. In one case, where a seized computer remained powered up and running after the seizure, digital investigative analysts used SRUM data to refute the defense expert’s claim that the investigative agency had logged into the computer using the defendant’s login credentials and planted evidence. Because SRUM records how the application runs and the user ID responsible for launching the application, the SRUM was conclusive proof that no one had logged into the computer under any account after the seizure of the computer.

©2017 Rob Lee

241

241

Pr0

Task Mafla_ger

No Optons stew won Potfcnnanoe

(

App

5 ctorp Slertup tOtun tkta0n co

ne1J non: no:

Poxeweo 60nlorrnwste App B story

startup

0)0

Users OeM tu Stun ten

Status

eu0MrerXe

Syrtem dfTrt wager one 9soFcehrr ,

000

0MB

0MB

0053

01)6

OMO

OMP

06003

Use: name

CytM Memory

01°)

SauSfsrOnsesAOtS

00

3

1:0 atuOs

‘0 woO bIes

48 auto bjses

558PM 110 NT Keen) A Sputum

Ruur:n

SYSTEM

00

0-

hooK

3040525

1503572100

2074

R-nsr)ig

sausfrtenurts400

00

0

100124%

1111 aSS 601

19105t

sOIl

Rurrng

sansforenu:cu403

00 t0

4

1117484

235:607 125 310

4007010504

48)6) IOnS

0

11776%

UFIR

Denertpt:oa

°5026113483 Moron B

48772 4

4

p

FORSOO

13% longer °%orMffr’e 4 l.

Windows ForenskAn1y5is

The System Resotirce Usage Monitor (SRUM) is part of the Windows Diagnostic Policy Service11 (DPS) that tracks various system performance elements. Starting with Windows 8, SRUM is on all versions of Windows, including Enterprise, and is enabled by default upon system startup. SRUM was not really known by the mainstream digital investigative analysis community until February 2015 when Yogesh Khatri, an Assistant Professor at Champlain College, published his paper, “Forensic Implications ofSystem Resource Usage Monitor (SR UM,) Data in Windows 8.”[21 He presented the paper at the SANS 2015 5,[4] DFIR Summit31 and was subsequently interviewed on the CyberSpeak podcast in August 201 Users can see a small sampling of information maintained in SRUM by looking at the Task Manager under the “App history” and “Details” tabs. The Task Manager aggregates several items in the SRUM database and shows current performance statistics and approximately 30 days of historical information under the “App history” tab. Under the Task Manager “App history” tab, users are presented with a link to “Delete usage history;” however, testing revealed this does not immediately delete data from the SRUM database. Data beyond 30 days may be purged from the SRUM database, Recent tests of Windows 10 Professional showed that if the system is powered off for a significant period of time (weeks), when rebooted, SRUM data beyond 30 days is purged. Additional testing is needed to determine the exact parameters for SRUM log maintenance, but it is not uncommon to see 60 days of historical performance data in SRUM. References:

[I] https://technet.microsofi.com/en-us/library/cc774639(v=ws. I 0).aspx [2] http://www.sciencedirect.com/science/article/pii/S1 742287615000031 [3] Video of Yogesh’s talk at the 2015 DFIR Summit https://www.youtube.com/watch?v-l6-83WU95Sw [3] https://files.sans.org/summit/Digital Forensics and Incident Response Summit 201 5/PDfs/Windows8SRUMForensicsYogeshKhatri.pdf [4] http://cyberspeak.libsyn.com/cyberspeak-aug-3 l-2015-srum -

242

4

©2017 Rob Lee

242

___

0 \Piand

I —\pi.

A

4PP 11)

I

i

St nt 1..s

y

\\ P;d

(ser

/ _____\_

—-—---

--

-

1

OFIR

lb(’

FQR500 I Windows Fat ensic Analysis

The SRUM database can provide a wealth of information to investigators. four of the most exciting pieces of information include what applications were running on the system during a particular hour, what user account was responsible for launching each application, how much network bandwidth was sent and received as a result of that application in a particular hour, and what network the system was connected to.

©2017 Rob Lee

243

243

Hive \Microsoft\Windows NT\SRUM\Extensions i’ WARE

coFTwRF J J

a Cc pumc Cm.

J ccmmta J Cuosc C J NCTFramawm j La

J Wmdows Cmessam a StCasem

L

cam a

J CrmatLetcc J AceschLy 4* Symap

J CRUY a J ‘pCmD51 YC*-4944 BE8E ‘4PC314174* J 7CCCP2L 4PIB Lm.O PiCa BFICOP41ECC mi d1Qca2(e 61cC 4166 64Cc 62e1}62C61aP61 464 1eLQ641*fpBal Cc all aCCealCfd 41 j cayaa4ac4 Cc 9 4626 9Z21CO4%A4CcalC Cc l,m4a12*CZacalj9-Ccce falcaCcaaaal Cc Paaamalca Cc Teleaamt’j

Ta;fra

Windows\System32\sru\ FQR500

OFIR

I

Windows Forensic Analysis

Performance data is initially collected in the SOFTWARE registry hive and written to the SRUD3.dat database approximately every 60 minutes of system runtime or during proper system shutdown. The timing when data is written to the SRUM database is an important factor to remember as it can potentially be a point of confusion.

and When reviewing SRUM database entries, you will see a series of entries recorded all at the same date, time, occurred. activity the when second. An analyst needs to remember this is when they were recorded and not Additionally, if the time period between entries is less than -60 minutes since the previous entry, it may suggest that entries were made as a result of the system being shut down. Because in most incident response procedures, systems are not cleanly shut down, it is possible that the SRUM for database file may be cormpt or in a “dirty” state. Fortunately, Windows contains a built-in tool (the esentuti)

diagnosing and repairing ESE databases. The esentuti tool performs defragmentation, recovery, integrity checking, data dumping, and repair for ESE databases. When files are deleted from the SRUM database, it may be possible to recover them using a utility called “EseCarve.” We will talk about one during the browser forensics section. To determine if the SRUM database was closed, dirty run the command from the Windows\System32\sru\ directory: esentuti /mh SRUDB.dat

244

©2017 Rob Lee

244

ESE Database View NirSoft

Srum- dump Mark Baggett



SANS Sec 573

SrumMonkey David Cowen

Srum Parser Enscript Y(YTeSI[ Khatri FOR500

=

Wi dowc Forenic An, l,’sis

When parsing the SRUM database, there are four free tools worth mentioning. NirSoft’s ESE Database View111 is a great go-to tool for browsing any ESE database. The ESEDatabaseView will present information in the database in a raw format and is much like a Hex viewer for ESE databases. You will find that a lot of information is encoded, but this is always a great place to start. Srum-dumpl2i was created by Mark Baggett, a SANS senior instructor and author of Python for Penetration Testers[31 (5EC573). Srum-dump will process the SRUM ESE database and produce a single Excel spreadsheet with a tab for each table in the SRUDB.dat database. Srum-dump provides Excel spreadsheet templates that can easily be modified to format data in a manner to best meet the needs of the analyst (e.g. calculate network connection time, conditional formatting, etc.). Srum-dump also correlates some data fields from the Windows Registry, provides actual network names for networks connected to, and identifies system SID account names. Mark has also dedicated one day of his $EC573 course as a “Python for forensicators,” which teaches forensicators how to develop their own tools using Python. $rumMonkey[4] was created by David Cowen, a SANS-certified instructor, and is a tool you can use to convert the Microsoft SRU ESE database to a SQLite database. Further, you can create report templates to generate XLSX reports based off of YAML templates. YAML is a flexible, human-readable file format that is ideal for storing object trees. YAML stands for “YAML Ain’t Markup Language.” It is easier to read (by humans) than JSON and can contain richer meta data. Srum Parser Enscript[51 is an EnCase enscript (code for 6.19 and 7.02) created by Yogesh Khatri; it processes SRUM data (windows 8) and produces an Excel spreadsheet for each table in the SRUM database. References: [I] ESE Database View http://www.nirsofi.net/utils/esedatabaseview.html [2] Srum-dump hftps://github.com/MarkBaggeft/srum-dump [3] Python for Penetration Testers https ://www. sans .org/course/python-for-pen-testers [4] Srum Monkey https://github.com/devgc/SrumMonkey [5] Srum Enscript Parser http://www.swiftforensics.com/p/downloads.html -

-

-

-

-

©2017 Rob Lee

245

45

SOFTWARE\Microsoft\Windows NT\Current Vcrsion\SRUM\Extensions\ {973F5D5C-f

D9O-4944BE8E-24B94231A1 74}

Whidows Network Data Usage Monitor

{97C2CE28-A37B-4920-B1 E98B76CD341 EC5}

Energy Estimation Provider (Windows 10)

{d 1 Oca2fe-6fcf-4f6U-848e-b2e99266fa86}

WPN SRUM Provider

{dl Oca%fe-6fcf-4f6d-848e-b2e99266fa89}

Apphcation Resource Usage Provider

{DD6636C4892946$3-974E-22C046A43f63}

Windows Connectivity Usage Monitor (Windows 81, Windows 10)

{fee4el 4f-02a9-4550-b5ce-5fa2da202e37}

Energy Usage Provider

.

FORSOO

OFIR

J

WindowForensicAnaysis

Performance data collected for all desktop apptications, system utilities, services, and Windows Store (Metro) app data collected via $RUM are initially stored in the HKLM\SOfTWARE\Microsoft\Windows NT\Current Version\SRUM registry key. Data is transferred from the registry to the SRUM extensible storage engine database approximately once per hour or during proper system reboot or shut down. [11 Under the SRUM registry key, there are three (3) subkeys: Parameters, Telemetry, and Extensions. Temporary data is written to the five (5) subkeys in Windows 8.1 and six (6) keys in Windows 10 that correspond to the tables in the SRUM database. {973F5D5C-1D90-4944-BE8E-24894231A1 74) Windows Network Data Usage Monitor {dl Oca2fe-6fcf-4f6d-848e-b2e99266fa86) = WPN SRUM Provider {dl Oca2fe-6fcf-4f6d-848e-b2e99266fa$9} Application Resource Usage Provider {DD6636C4-8929-4683-974E-22C046A43763} = Windows Network Connectivity Usage Monitor {fee4e 1 4f-02a9-4550-b5ce-5fa2da202e37) Energy Usage Provider {97C2CE2$-A37B-4920-31E9-8B76CD341EC5} Energy Estimation Provider(WINDOWS 10) The Windows Network Data Usage Monitor table records information about networks the system connected to, applications receiving or sending traffic across the network, the user’s SID responsible for the application, and the total bytes sent and received by each application since the last SRUM entry (typically, the previous 60 minutes). The most significant information the WPN SRUM Provider table records Windows Push Notifications for Windows applications, the user’s SID the notification was sent to and responsible for the application, and the data size of the push notification payload. [1]

246

-

http://www.sciencedirect.com/science/article/pii/S 1742287615000031

©2017 Rob Lee

246

The most significant information types the Application Resource Usage Provider table records are the drive, directory, and the full path of the applications that are active during the recorded period (typically the previous 60 minutes). It also records the user’s SID the notification was sent to and that is responsible for the application. A number of other fields are recorded, including the foreground and background Cpu cycle time and the foreground and background bytes read and written, etc. that may be of value determining if a resource-intensive application was in use or merely idle. The Windows Network Connectivity Usage Monitor table is an excellent table to identify each network the system connected to, when the connection started, the duration of the network connection, and what interface was used to connect to the network (e.g. wireless, wired). You may remember from the Windows Registry section of this class that we examined registry keys from the XKLM\SOFTWARE hive and identified the interface each network connected with. This table contains the InterfaceLuiD[’] field, which corresponds to the table below. Value IF TYPE OTHER I lF_TYPE,,ETKERNELCSMACD 6 IFjYPEjSO88025jOKENRNG 9 lF_TYPEJ’?P 23 IF TYPE SOFTWARE LOOPSACK 24 !FJYPE_ATM 37 IF_TYPEjEEE8O2II 71

IFJYPEJUNNEL 131 IF TYPE 1EEE1394 144

Meaning Some other type of network Interface,

An Ethernet network interface, A token ring network interface, A PPP network interface. A software loopback network interface. An ATM network interface.

An IEEE 802.11 wireless network interface. On Windows Vista and later, wireless network cards are reported as lF_TYPEJEEESO2 11. Windows Server 2003, Windows 2000 Server with SP and Windows XP/2000: Wireless network cards are reported as IFjYPE,,ETHERNETCSMACD. A tunnel type encapsulation network interface, An IEEE 1394 (flrwi) high performance serial bus network interface.

The Energy Usage Provider table provides information about the current battery charge level, design capacity, and cycle count among other things. This table may be significant in determining whether the user was plugged into power (the system was charging) or running on battery at a given time. The Energy Estimation Provider is new to Windows 10 and appears to give an abbreviated summary of historical battery status.

References:

[I] https://msdn.microsoft.com/en-us/library/windows/desktop/aa366320(v=vs.85).aspx

©2017 Rob Lee

247

F.

Edt

EiEtGrv-

Hdp

Nmt •

920 BiE98B76cD!41EC% rrable ID 9fC2CE283 IGCA%FEFCFD848E52E99%66FA8%) ebleiD DiocE6Fc6D-348E-b2E99266FA89} jTable ID {DD664892946.%3-97E-22C046A437ó3> [Table ID = CFEE4EI02A95I85CE5FAIDA202E37) [Table ID 12A945CE5FA2DA20%E%7}U! Liable ID r45vLoales [Table ID ‘, 3 Cokmnbl MSysCSeds [Table ID 2, 28 Cblumab MSysDbIectsShado [Table ID = 3 28 Colurnnsj MSysObds [Table D 6 3 Cokdmns) DDbCheonTable Table ID 10, 5 Columns] 3 CblJmds SniDbIdMpTthle tTable ID

12. 5 rnij

i8 7Cobw] 14.. 19 Columns 20, 9 Cokrnits] 16 Ii. Cblurnrt] 2 16 Cokmns]

Of IR

(FEEt1EF

A

{FEE4Eufj2A; 4’5 BCEF2DA tf n5ddY4 E 4:_ E (tAdMrd 1FEffCF 4F’4EEE.,u (rirFEdFFm

‘n t

4:-EtE; fCm41EC;

FORSOG (Windows Forensic Analysis

NirSofi will allow you to open the SRUDB.dat ESE database. From here, you can review the tables (in this Windows 10 example, there are 13 tables). By default, the MSysObjects table is displayed and the table is sorted by the first column, but you can sort by another field by clicking the column header. In this example, you can see by the arrow adjacent to the “Name” column that the table is stored by the table name. By selecting the combobox located below the toolbar, you can see a list of all tables found in the database. In this slide, we are selecting the Windows Network Data Usage Monitor table, which is identified by the {973F5D5C-lD9O-4944-BE8E-24394231A174} identifier. This identifier is unique across Windows 8.1 and Windows 10.

248

©2017 Rob Lee

24

0 Autondd

10652

TimeStrnp

4ppld

Userid

intefceLud

W1W201%101000..

166

90

19984723.349056576 269035722



1

155:

5 1

154

,

.1

171

L

157 150

L2Profileld L2PrchRas BytesSent BesRecd

19554223340456576 199547233 0456576 19904223345456575 19984723746456576 17333

DFIR

0

13782

L2Pro:fii&d

24374

L2Prc’ 028 059

FOR500

I

Wr.dows Forni Analysis

By examining table {973F5D5C-lD9O4944-BE8E-24B9423lAl74} in Windows Network Data Usage Monitor, we can see the system connected to numerous networks. Each entry has an “Appld,” which identifies the application that was using the network during that time period. The AppiD corresponds with the “Idindex” field in the “SruDbldMapTable” table. In the “SruDbldMapTable” table, each “Idlndex” has a corresponding “idBlob” that contains a Unicode string of the drive and full path of the application executable. Also identified in this table is the “Userld,” the network interface (InterfaceLuid), the network profile index (L2ProfileId), and the bytes sent and received for that application during that time period. Highlighted in this slide is a network with a profile identifier of 268435722. To discover what the network name for L2ProfileId of 268435722, we will need to open the SOFTWARE registry hive.

©2017 Rob Lee

249

249

SOFTWARE\Microsoft\WIanSvc\Interfaces\{DE6EA13E-5E9R4CD7-9FA2-3FOF9OCA7OA9}\Proflles J WlanSvc J brnr J nteraes J (1 ?0DEDZ8.A2C3%A3FA4CC 04FA50D17452} J {1994B120Cl474$40BAF33R4E1B43W88} i jilt A1-REt4C[l1RFAZ-3N)90(%10AN

Data

Name

Type

?7(Profpendex

RERIWOR. )x000tXt000 ;fl RED. OWOR.. 010000i0A E-R43t722)

i

J Prcafitea J {O8ACBEFE A8cER4FEABECDDEB232Th5EDF)



*

*

J {0BlDCEEFE731 4D74 A8A2 C%C9BCF91 DUE) J {0ClA1661B08-4iDEt748-08033CFE145j ..J {0CI3236iA72146%FiNF840F6830(50A2} J 1154E1264 1FC2-445D 8307DC0429D6F828) .J (15CE74245DB% 487E ABF4-%41691 720181) J (19E2Bf546E70419AB826F1 E4(6CCE491) J {IA1IAD2O 4DF844D889129C0F3D96EE99} .J {1CA35AAE-4f8D-44A2-8238-A2661 858C8E) J { 1(80311 f DOlL. 480E8CE516709D70BFE9} .J {2347F155-1151483FBOFE75018C56297() U MetaData ease aaaa (aaar7lacealt

Data REG_DWOR Dx00000000

REGDWOR.

*

Cl y ppJ

Last Wrtten Tme

FOR500

UFIR

Windows ForensicAnalyis

2S

In the SOFTWARE registry hive, if we navigate to the \Microsoft\WlanSvc\Interfaces\ {DE6EAI3E-5E98-4CD79FA2-3FOF9OCA7OA9}\Profiles key, we will see profile identifiers for every network the system has connected to. By highlighting each profile identifier and looking in the Profileindex key value, we will discover the network profile containing the Profilelndex 268435722 key value,

250

©2017 Rob Lee

;iwunsvc -3 brnr J tntertaces _J (179DF8C3-A2C3-4A3FA4CC-04FA502__ —3 t1904Ei120 C147 4240-BAF3 364 J {DE6EA13E-5E94CD7-9FA2- s9OCA7OA9} ] Profiles + J {O8ACBEF2-ASCB-4F6 BECDDt8832785EDF} J OBIDCEEF-E731-4D -A8A2-C6C92CF9I6DF} + J (0CiA1E6E1B0B-4 E-8248-98033CFE1F45) S J 10C738367-A721 f-92F8-40F6B30C50AJi J {154E12641FC2 6D-2307 DC0429D6F828) * J (15C67424—508 87E-A6F4-541691720121) S U (1962BF54-OE1 19A-B82641E4C6CCE497} o U I1AI1AD2O-4D -44DB-891?-9C0RD96EE99 ÷ J f1CA35AAr-4 -44A2-823B-A86%12856C26} J ft CR031 if DO -4806-8065-167000708629) o 3 (23476155-11 —1836-B0F[-75919C56297C( Ui {29A6025A-D 3-4401 8852-DE8388DD8437) -i MetaData -

-

ifS;-s

-.—0OSft

+-

.-rc:[’ Souro

Xsucceeded Has Connected

%tt-c\

n-s ti -5

10

1 tj

REG3tNARY 01000000 REQBtNARY 01000000 PEG l%INARY 86 Cl 17 CA AZ PEG BiNARY 26610000 REGBtNARY 6A 93 66 7A DC CO 6 B3AR+ As 1 44 41 20 is

EsharedGuid iLNla ADwelt Stats Connected Bssids

66 00 55 45561 2 757 07 06

-h _th-/’,R

e,’ r cv

64 20 06 00

64—7927 57—65 2 00—0S 00 15—SO 00

7020 54 65575 25 45 65 26 46 65 7ii 00 15 06 09 05 5+ 00 04 00 00 05

• - —Maddy s Tap Rcco W-i-Fi Net

wcrkâ

5550 550 00

- -.

-

-

12

96676-606

6-2R-03QA( 16471+

Key Propertkss Last Wr6ten Trne

D FIR

FOR500

I

‘A’ndows orensicAnalyss

Once we have found the profile identifier that matches the Profilelndex 268435722 key value, we expand the profile identifier key and select the “MetaData” subkey. By selecting the “Channel Hints” key value in the “MetaData” subkey, we will see the network name that corresponds to the Profilelndex 268435722.

©2017 Rob Lee

251

iat XLS xplate should I use” (Press enter

for t1 fault SETexplate xlsx)

FORSOO

UFIR

Windows ForensicAnalysis

25%

Thanks to Mark Baggett’s free srum-dump tool, we don’t have to manually decode all the fields in the $RUM database. Mount your forensic image, launch srum-dump.exe, and you can type in the drive letter and path to the files from as prompted or you can open a Windows Explorer, navigate to the requested file, and then click and drag the file path output an Windows Explorer into the command terminal windows as srum-dump prompts you for them. Provide and name and in minutes you will be analyzing one of the newest digital artifacts.

252

©2017 Rob Lee

\mcrosoft\onednve\onedrive sxe \whatsapp\app-02.936\whatsappexe

Userid

interfaceTy

L2ProfHeic

S 15 71 37391013.12 2904524673466442662-1001

1FFE80221

268435722

IEEE8O2II

262’435722

1EFE80111

262’ 35722

l°01

IEFE%0 1l

68435722

13910/332 290452467-346684 ‘61 1001 S 1 5 214139107332-290452467 346644261 -1001

LL802 1

1%”4 5122

Moddys Tap Ronm Wi 0 Netwuri Maddy Tap Rom Wi 0 Netwirk iaddy’s lap Rooms’ J F Netwirk

6EE80211

268435/22

Maddy’s lap Room’s Wi Ft Network

91 5 i hrosw\ipplic tion\ rsrome.eye fk,\ppFe\internct servic:\idoudphuro, exe ,one\skype.exe

S1 S 22 3?a91 V33? 2504’ 54673466a420 S I 121

-.

L2ProfiieName MaddysTap Rooms WtFi Network Maddy’s Tap Rooms Wi Fi Network

‘roftteFl

Bytesse

0

OFIR

FOR500

BytesRe

2752

3042

12782

14524

0

5576

3442

0 0 0

20297 3/976 78526

3802% 5/558

Wiodows Fotensic naly is

253

The Excel spreadsheet output of srurn-dump makes analysis much easier than manually referring back to the Software registry hive and other SRUM tables. By using the sorting and filtering features of L\cel, you can quickly focus on the time pci iod or application of Intel est and determine hoss much hanthvidth was sent or received by that application. You may even want to use conditional formatting or you may ssant to build your own Gantt chart to depict netwoi k connection times or system run times.

©2017 Rob Lee

253

SRUM records: 30 to -6o days of historical system performance

• Networks connected to, duration of connection, and bandwidth usage per hour • Applications run, user account responsible for each, and application and bytes sent/received per application per hour • Application push notifications and payload size of each notification • Energy usage including battery charge and CPU cycles FOR500

UFIR

Wit.

ws Fot rs

At, .,js

The SRUM database provides investigators with 30 days or more of historical information on system performance, including aB networks the system was connected to, connection time and duration of each network connection, and bandwidth usage per hour. SRUM also records when applications are executed or push notifications are received, and it can provide a timeframe for how long they were run (within 59 minutes accuracy), the user account responsible for each application, and bytes sent/received per application per hour. Finally, $RUM records energy usage, including battery charge, Cpu cycles, and more.

254

©2017 Rob Lee

254

DllIA1 FORENSICS

DFIR

a INCIDENT RESPONSE

Exercise 4.3 SRUM Analysis

DFIR

FQR5O

W ndows Fot ensic Analysis

This page intentionally left blank.

©2017 Rob Lee

255

255

l}Eti1 Ectioi2

I

Part 4 USB Device Analysis

1iT1

Part 5 E-Mail Forensics



FQRSOO I Windows Forensic Analysis

O FIR This page intentionally left blank.

256

©2017 Rob Lee

256

SDFIR Dl%11J4L [IP N C _;_

.z

[[IlU NT EPO L

.

Event Log Analysis

OFIR

FOR500

Wirdow ForenscAnalysis

Fhis page intentionally left blank.

2O17 Rob Lee

257

257

Centralized recording of information about: • Software • Hardware Operating system functions Security

“Any significant occurrence in the system or in a program that requires users to be notified”

Multiple events comprise an event log F Event logging provides a standard, centralized way for the operating system and associated applications to record important software and hardware information. Microsoft describes an event as “any significant occurrence in the system or in a program that reqttires users to be notified, or an entry’ added to a log.”[’l Events are collected and stored by the Event Logging Service. It stores events from various sources in a single collection called an event tog. Event logs provide historical information that can help illuminate system and security problems as well as tracking user actions and system resource usage. However, what is actually recorded in the event logs is highly dependent on the application involved and the system settings. As an example, security event logging is disabled by default on most freshly installed Windows systems. If they exist, event logs can be an incredible boon to a forensic investigation, providing both local and network context that is diffictth to replicate with other artifacts. Reference

[1] http://supportmicrosoft.com/kb/3O8427

258

©2017 Rob Lee

7

Happene

User Account

Involved2 Involved2 Accessed2

Event ID

Event

Categorv/ 1)escription

i)ese ‘iptit)

\ //

,4 J

n

/

Files

,

Folders

DHR

\

TP ,LAt1t1r

.i..

/

/

Printers FORSOO

I

Services

WI idow Forensic Analysis

Event logs provide a wealth of information that can help an investigator piece together relevant actions that occurred on the system. Similar to other forensic artifacts, it is helpful to go through the mental exercise of determining what questions event log data can help answer. Some of the most common are: •

What Happened? Event logs can be cryptic to the lay user, but they are designed to provide very specific information about activities that occurred on the system. Items like Event IDs and Event Categories help us quickly find relevant events, and the Event Description can provide further information as to its nature.



Date/Time? Timestamps are a key part of event logs, providing a temporal context for the events. With systems recording thousands of events, timestamps can also help the investigator narrow his or her focus.



Users Involved? Everything accomplished within Windows is done within the context of an account. We can identify references to specific users as well as information about Windows operating system activities performed via special accounts like System and NetworkService,



Systems Involved? In a networked environment, we will very commonly find references to systems other than the host because resources are accessed remotely. Originally, only the NetB lOS name was recorded, making tracking and attribution much more difficult. In systems post-Windows 2000, IP addresses are recorded in the event logs (when applicable).



Resources Accessed? The Event Logging Service can be configured to store very’ granular information regarding the use of various system objects. With nearly every resource considered an object, this provides very powerful auditing. As an example, this can help identify attempted access to unauthorized files on a systeiri.

©2017 Rob Lee

259

259

FOR500

OFIP This page intentionally lefi blank.

260

©2017 Rob Lee

Windows Forensic Analysis

260

NT/Win2000 /XP/ Server %O3 • .evtfiletype • %systemroot%\System32\config

• Filenames: SecEventevt, AppEventevt, SysEventevt

• .evtxffle type • % sys temroo t% \ Sys tem3 2 \winevt\ logs

• Remote log server • filenames: $ecuñty.evbc, Application.evtx, $ystem.evbc, etc.

Default locations can be changed in the registry DHR

FOR500

WI dews Foren icAnalvsis

261

Event logs, as we know them today, originated with the NT 3.1 operating system in 1993.[11 Small upgrades were seen throughout the Windows NT evolution, but the names and locations of logs largely remained unchanged through Windows 2003. This original log format used the .evt extension. Logs are stored in binary format, complicating bytelevel string searching, and are implemented using a circular buffer. The circular buffer loops around to (eventually) overwrite the oldest entries to the most recent. Event logs prior to Vista can be found in: %systemroot% \$ystem32 \config

Starting with the Vista and Server 2008 product lines, significant changes to the event log structures, log types, and log locations were made. Event logs have historically exacted a huge performance drain on systems and hence the new format, using the .evtx extension, was created to fix this and many other problems. The good news is that with the new optimizations, we are more likely to find event logs being used on the newest operating systems. In addition to radical changes to the event log structures, Vista and above systems now employ a much, much larger number of logs, and hence a new folder was created to house these 60+ logs. These logs can now be found in: %systemroot%\System32 \winevt\logs Additionally, the new log format (finally) allows logs to be sent to a remote log collector, so it is important to remember that additional logs may be available on external servers. It is important to note that the folders listed here are only the default locations. The administrator can designate locations for individual logs within the following registry keys (Vista employs these and several others to describe newly added logs): HKLM\$YSTEM\CurrentControlSet\ Services \EventLog\Application HKLM\ SYSTEM\CurrentControlSet\Services\EventLog\ Sys tern

HKLM\SYSTEM\CurrentControlSet\ Services\EventLog\Security Reference [I] http://en.wikipedia.org/wiki/Event Viewer ©2017 Rob Lee

261

Memory efficiencies

Logjd

• Less costly to log

Evtnk v:

Anvtrn

Errer

XML and filtering • Improved messaging

Verbase

cti / nfcmtran

ByO3

Eeaogrr

By5ource

Evetreurces

fc

-

Iud&Eecluder EventiDa EnitriD nunrberr anrtorJD renger eprettd ky cnmmea Tn exclude crrtenx type e minux crgn brat Fee ex nplel’9, J5

• IP addresses • EventiDs changed

nAil

Taak retegory Keeeorde

Expanded number of event logs • Increased granularity of audit controls

Unee Cnmputer(r).

All Uxerax

cAll Computeran

FORSOO

UFIR

Windows Forensic Analysis

26%

service is With Win2008 came a replacement to the “Windows Event Log,” named “Event Logging.” The new logging the of One NT. Windows of days early the vastly better and solves some of the pain points complained abotit since memory, into mapped to be had file log biggest issues was memory management. In previous versions, the entire just for event meaning up to 300MB (the maximum recommended event log size) of memory might have to be allocated rs to turn off administrato for justification excellent logs.[’l This had a very real impact on performance and hence was an Now only chunks. d 64KB self-containe by logging. Log files in Vista and later now consist of a small header followed a big boon be to out This turns benefits. the current chunk is required to be located in memory, with obvious performance enabled. being for forensic investigators because it increases the likelihood of logging making The format of event logs also changed. Logs now carry the .EVTX file extension and are stored in XML format, much create to filtering X-Path like standards log deconstruction much more intuitive and facilitating the use of industry searches string raw so form, binary in stored and more powerful searches and filters. That being said, logs are tokenized will miss much of the information in these files. Another pain point for analysts was the cryptic messaging provided in the old event logs. Microsoft increased the was also readability of the log messaging. it now includes I? addresses in addition to hostnames when applicable (this types. event new adding and series some added to later versions of Win2003), and it massaged the Event IDs, collapsing The number of logs has greatly increased, allowing for specialized logs to be used instead of filling the standard before into Application, System, and Security logs. With new logs come new events, giving us a better view than ever supports logging new the Finally, Play. many of the running processes on the system like Task Scheduler and Plug and less “all options previous the making the new Advanced Audit Policy Configuration giving more granular audit options, or nothing,” and allowing audit policies to be more intelligently crafted. Reference

[1] http://technet.microsoft.com/en-us/library/cc7223$5(WS. I 0).aspx

262

©2017 Rob Lee

.is,u...rs,reso1 Examp’e Service stopped, system ;ebooted •

St )itware events

e

Application



unrelated to operating wstei 1 SQL sewer fails to access a database

OFIR

FQR500

Wrdows ForensicAnalyss

Event logging began with three primary logs (Security, System, and Application), and these logs have maintained their importance throughout all Windows NT platforms. Along the way, additional logs have been added for specialized logging, which we have grouped here under “Custom” logs. Vista, Win7, Server 200$, and now Win 10 and Server 2016 have greatly expanded the number of “custom” logs, enforcing log segmentation and providing specialized logs for processes like the PowerShell, Task Scheduler, and the Windows Firewall. •

Security Log: Records events based on auditing criteria provided by local or global group policies.



System Log: Records events logged by the operating system or its components, such as the failure of a service to start during the boot cycle.



Application Log: Records events logged by applications, such as the failure of MS SQL to access a database or an antivirus alert.



Directory Service: Standard on domain controllers. Records events logged by Active Directory and its related services.



File Replication Service: Standard on domain controllers. Records updates within the domain controller infrastructure.



DNS Server: Standard on servers running the DNS service. Records DNS administrative information such as zone management and the DNS service starting and stopping.

©2017 Rob Lee

263

j

• Stored in same folder as standard event logs:

MicrosoftWindc sResou eExhausti

%systemroot%\System3%\winevt\Logs

• In addition to Application, System, and Security, we now have many more logs to potentially review • Logs often go further back in time than System, Security, and Application logs e

,

Forwarded Events

frJ MaosaftWmdowsWmdows Firesafl s1icrcsoftndcwsDrvierFtamewcrks -

Mcrosoft-ndcssUser Prcftte Ser.ic Mcrcsoft-Wndcws-GrcupPahcy4Op Appirction

gf

Repository for events retñeved from other

McrcscftViIndcws.Keme1WHEA%4Oj MicrosoftWindows-OffhneFIes%4Ope1

5ecuñty

systems

System

Contains over 6o logs Applications and Services

(

0Sesson

Useful logs include Task Scheduler, Remote Desktop, Windows Firewall, and TjjjJ0j5 Defender

j



i j MicrosoftWindowsResource-Exhausti

FOR%OO

UFIR

Windows Forensk Analysis

264

logs Starting with Vista and W1n2008, we have a new default location where event logs are stored. You will find event for reason in the %systemroot%\System32\winevt\Logs (C:\Windows\System32\winevt\Logs). The primary providing event logs with their own directory is that instead ofjust three logs, you will find over 60 logs in a standard forensic install! Although having that many logs to review is a daunting thought, it turns out to be a good thing for the is example notable analyst. For one, more logs mean a greater likelihood that important information will be stored. One purpose, the additions to plug-and-play logging. It also means that logs will be increasingly dedicated to a specific anti giving one-stop shopping for things like scheduled tasks, the Windows Firewall, and the Windows Defender can tell You malware solution. And of course, keep in mind that many of the 60± logs are unused on a typical system. this immediately by sorting the folder by file size. The new logs can be broken up into a few categories: a





264

Setup: This is a new log that is intended to be a close companion to the Application, System, and Security log. It identifies what Windows security updates, patches, and hotfixes have been added to the system. Forwarded Events: This log is part of a new, much-needed feature: the ability to consolidate logs from multiple machines on a “collector” system. If you are reviewing logs on such a system, you will see those logs sent from other systems present in the Forwarded Events log. Windows Audit Collection Service is responsible for collecting and forwarding logs. of Applications and Services: This comprises all of the new “custom” logs introduced in Win2008. A majority the logs are found in the Microsoft folder within the Event Viewer.

©2017 Rob Lee

-

d MicrosoftWndows±emeIEventTraa

• Records installation and update information for Windows •

Mctosott-WnaoKesc1yboostUpI MicrosoftWindcws-HomeGoup Prr McroftWindowsPrntSersceAAd

Most commonly reviewed log in forensics • User authentication and logon • User behavior and actions • File/folder/Share access • Security settings modifications

• Failure and success can be audited • Detailed logging can be enabled on specific user accounts • Only updated by the L$ASS process • Third-party applications cannot insert events D

HR

FORSOO

Win’ ows Forensk Analysis

265

Although almost all event logging has the potential to be useful during an investigation, most of the questions we are looking to answer during a forensic investigation tend towards answers found in the Security log. The System and Application logs store infonriation more useful for troubleshooting by system administrators. The Security log records an audit event whenever a given system or user action meets the criteria set forth by the audit policy in use. They can provide details on a variety of actions, including user authentication (logons, runas command, remote access, etc.) and what a particular user did on a system after authentication. As an example, privilege use and object auditing can trigger events showing that a protected file or folder was accessed, which user account accessed it, and the date and time it occurred. Auditing is also allowed on the security settings themselves, providing a good record of any modifications to the existing security policies on the system. An important concept is that the audit policy can be set to trigger events for both successful and failed attempts. This allows for a finer granularity of auditing and provides tailored data reduction-—only recording the exact actions that a security administrator finds useful in his or her environment. As forensic analysts, we would love to have everything logged, but that entails a performance and storage hit that is not possible in many environments. That being said, audit policy should be vetted, because it is not always obvious to a non-security professional why something like Successful AND Failed logon attempts should be logged (the former could allow us to track a compromised account being used throughout the environment, whereas the latter could indicate password guessing attacks). Keep in mind that it is possible to tailor auditing for a specific user account using the gpedit msc snap-in in Windows. Thus if you suspect a specific account has been compromised by an intruder, or you would like more detailed auditing on critical accounts like administrators, this tool can provide that capability on a per account basis. .

Due to its nature, the Security log has more protections in place than the System and Application logs. With XP SP2, the API was deprecated for applications other than the Windows Security Service to trigger events in the Security Log.[1] This ability is now held only by the Local Security Authority Subsystem Service (LSASS) because it is responsible for enforcing the security policy on the system. Additionally, only user accounts with administrator permissions can review, export, or clear the log. Reference [1] http://support.microsofl.com/kb/89l749

©2017 Rob Lee

265

torttl C ill ‘v’tem W ho ULthOrZZCCl logo i t that controller or local s stem for non—domain accounts) I

Account I ogon

Vdnt’

iaflce ai’id Illf xlii ications

AtC( Hilt iilaiiit(

Account NIgrnt

i omain

,

Attempted access of Active I)irectoi objects

Directory Service

og If

lo ‘v svst n

Logori Fve;lI%

L&f Ii

Object Access

Access to objects identified in system access control list

Polic3 change

luh;lw of user rights, audit ;)OACWS, oi trust policies

Pri ilege U%e

Fach

Process l’racMng System Events

-

A

0

mi

fl

of an account exert

‘lug a user

right

Process start, exit, handles, object access, etc. S’Ste1fl tU’

dl

(I sIiUt(

( Wfl ci tRflL

aitceing FOP 5(O

UFIR

Ci

ft 1og

W dow

o ,.r.sic An< ysis

266

Security Event Categories give us a quick means to identify event log entries that might be of interest to our investigation. They follow directly from the enabled audit policies on a Windows system. For each of these categories, the audit policy can be set to No Auditing, Success, Failure, or both Success and Failure. When events are triggered and recorded in the logs, they will be marked with the specific category that they belong to. When auditing is disabled for any given category, we should expect to not see any recorded events of that type. From Microsoft TechNet:11 •

in Audit account logon events: Audit each instance of a user logging on to or logging off from another computer which this computer is used to validate the account.



Audit account management: Audit each event of account management on a computer. Examples of account



Audit directory service access: Audit the event of a user accessing an Active Directory object that has its own

maintenance include password changes, user account, and group modifications.

system access control list (SACL) specified. •

o

266

Audit logon events: Audit each instance of a user logging on or logging off a computer. Note that this is different

than the “Audit account login events” category. This tracks the logon event to a specific server; the former tracks which domain controller authenticated the user. Audit object access: Audit the event of a user accessing an object that has its own system access control list (SACL) specified. Examples of objects are files, folders, registry keys, printers, etc.

©2017 Rob Lee

Account Logon Account Mgmt

Success/Failure Success

Success/Failure

Success/Failure Success

Directory Service Logon Events

Success/failure DC Only

Success

Success/Failure

Success

Success/Failure

Success

Success/Failure

Success

Success/Failure

Object Access Policy Change Privilege Use

Success/Failure

Detailed Tracking System Events

Success Success/Failure

Success/Failure

Success Success/Failure

Success/Failure

Windows 7 and above include more granular options, some of which audit by default

flflR

FOR500

1

Windows Forensic Analysis

267

There is nothing more disappointing during an investigation than hitting a dead end. A frequent dead end encountered is the lack of event logs. In certain types of investigations, such as intrusion cases, event logs are crucial for tracking activities throughout the enterprise. In others, such as employee misuse, they provide additional artifacts to strengthen the case such as after-hour logons, program installation, or restricted folder access. The sad fact is that most environments do not have strong enough logging policies and do not keep logs long enough to be useful. Traditional Windows logging can generate an overwhelming amount of logs if left unchecked. In more regulated environments, such as PCI-compliant shops, event logs will often be available and well managed. This chart shows the default audit policies for workstations and servers along with recommended auditing baselines for secure systems. Keep in mind that in modem Windows systems, each category consists of many “advanced auditing” options, which cannot possibly all be shown in a chart of this size. Instead, we attempted to show which general categories you will likely see events from and demonstrate that there is often a discrepancy between the default and recommended configurations. Microsoft publishes an excellent guide to default and recommended auditing settings that is worth reviewing.[’] Simply put, Windows installations have never had adequate event logging enabled out of the box. Enabling proper logging requires an administrator to modify the security audit policies after installation. Workstations are where we typically find the least amount of logging. This is particularly true for standalone installations. Thus in the average law enforcement search warrant served on a residence, there might be less security logging available than in an enterprise, but there will certainly be application, system, and custom logs worth reviewing. In an enterprise Active Directory environment, the local audit policy will be overridden by the group policy, which might increase local logging. Many investigators wrongly assume that Microsoft server products will have strong logging enabled. Similar to workstations, the standard server configuration has less than ideal default logging, btit this has improved with more recent versions of Microsoft server products (again, defaults are typically overridden by group policy in an Active Directory environment). Reference

[11 Audit Policy Recommendations: https://technet.microsoft.com/en-us/library/dn487457.aspx

©2017 Rob Lee

267

Significant problem; Loss of data or functionality Example; Semce fails to load

Error .

Warning ,

Not significant, but could indicate a future problem • Example: Disk space is low •

Successful operation of application, driver or service • Example: Event Log Service was started •

Success Audit

• Audited security event completed successfully • Example: Successful user logon

Failure Audit

Audited security event did not complete successfully • Example: Failed access to a network drive

flfffl

FORSOO

I

Windows ForensicAnaJysis

%6

Event types give us our first indicator of why an event was recorded in the first place. They can also give important information as to the severity of the event, allowing system administrators to focus limited time on those events that could pose critical risks to the health of the system. The following describes these event types in greater detail:] •

Error: Indicates a significant problem such as loss of data or loss of functionality (for example, a service fails to

load). •

Warning: Not necessarily significant, but could indicate a possible future problem (for example, low disk space).



Information: Describes the successful operation of an application, driver, or service (for example, the Event Log

Service was started successfully). Security logs are typically poptilated with Success and Failure audit event types (Information events are also sometimes seen). These event types are driven directly from the audit policy set up by the administrator. Hence for each Security Event Category, it is possible to see either Success or Failure event types. •

Success Audit: An audited security access attempt that was successful (for example, a successful user logon), Failure Audit: Records an audited security access attempt that fails (for example, failed access to a network

drive), Reference

{fl http://support.microsofi.com/kb/3O8427

268

©2017 Rob Lee

OFIR

FORSOO

Windows Forensic Analysis

This page intentionally left blank.

©2017 Rob Lee

269

269

I

IUu

FOR500

UFIR This page intentionally left blank.

270

©2017 Rob Lee

I

Windows ForensicAnalysis

270

Scenario • Determine which accounts have been used for attempted logons • Track account usage for known compromised accounts • 4624— Successful Logon Failed Logon • 4634 / 4647 Successful Logoff • 4672 Account logon with supeniser rights (Administrator) • 4625







Event descriptions provide a granular view of logon information • Windows does not reliably record logoffs (ID 4634) so also look for ID 4647 user initiated logoff for interactive logons • Logon events not recorded when backdoors, exploited services, or similar malicious means are used to access a system •

DFIR

FOR500

-

Wit dow ForensacAn ysis

271

Tracking account usage is one of the more common uses for reviewing event logs. Knowing when a user account logged on to a system and subsequently logged off can provide helpful corroborating evidence along with other forensic artifacts found. If account credentials are suspected to be compromised, reviewing successful logons throughout your network can help track where the hacker has been. We will also see that remote logons are recorded and can provide excellent profiling information on how an authorized or unauthorized user is traversing the network and attempting to authenticate with resources. With the introduction of Win2008, Account usage Event ID Codes were collapsed into oniy a handful of possibilities (in comparison, XP had 24 Event IDs for logon actions). The most common are the 4624/4634 pair, which shows a successful logon/logoff, as well as the time period of the complete user session. Windows is not always consistent with recording logoff events (type 4634), so it is wise to also look for 4647 events (user initiated logoff for interactive sessions). 4625 events indicate logon failures and are often reviewed for evidence of password guessing attacks. Event ID 4672 is recorded for administrator-equivalent logons in addition to the standard 4624 event. The IDs covered on this slide are triggered by a mix of Success and Failure audits. They can be used for justifying the inclusion of both Success and Failure into your Logon Events Audit Policy. When a hacker gains access to a system through some sort of an exploit (remote code execution, privilege escalation, service exploitation, client-side attacks resulting in backdoors, etc.), there is typically no record of”logon” within the event logs. This is intuitive because a backchannel is being used and the standard APIs for access are being circumvented. Corresponding event IDs in Windows XP/2003: 528-552

©2017 Rob Lee

271

• • Account

p FOPS 0

DFIR

“i icws Fo r.s An, ysi

27

We will be reviewing logs in this section using the built-in Event Viewer tool. It can be opened via the Run command bar or command line using its filename, eventvwr. exe. Alternatively, it can be accessed via the Computer Management Microsoft Management Console (MMC)—right-click My Computer in the Start menu and select Manage. Each record shown in the Event Viewer can be expanded for additional information. When auditing account usage events, we focus on five fields of the event record. Our preliminary information comes from the footer. There we find the timestamp information, providing the date and time that the account logon occurred. The Computer reference tells us the hostname of the system that the event was recorded on. This can be very helpful when reviewing logs from multiple systems simultaneously to find logon patterns. Finally, the Event ID tells us what type of Logon/Logoff event this is, and in this case, it is Event ID 4624, which is reserved for successful logons, An excellent reference for a wide range of Event IDs is the following website: http://www.ultimatewindowssecurity.com/securitylog/encycl opedia! We can gather further details within the Event Description. Most notably, the Account Name field tells us which account was successfully logged into. In this case, it was an account named “helpdesk.” The Logon Type field is easy to ignore, but plays a very important role in tracking account usage. There are multiple different ways that a logon can occur in a modem Windows system. It isn’t enough to just tell us that the Administrator account sticcessfully logged into this system at 6:21:15 PM on 9/26/20 13. We would also like to know whether they were using the console, logging in via some network protocol like SMB, or using Remote Desktop. The Logon Type can give us this further information. In this case, Logon Type 2 indicates that the logon was accomplished via a console. It is important to note that we usually don’t just rely on one event. After gathering information from this 4624 event, we would then review other events surrounding it in addition to looking for a matching 4634 event, indicating that the user logged off from this session.

272

©2017 Rob Lee

Although these are the most important elements, each recorded event contains additional information defining the event and providing valuable information regarding why that event was triggered.[11 In this slide, we are showing these elements using the detailed Event Properties function of the Event Viewer, However, it is important to note that the elements are all stored in an XML fbrmat and can be parsed and displayed using a variety of tools. The information available is as follows: •

Logged: The timestamp of when the event was triggered. Displayed in Local System Time.

Level: Provides the reason the event triggered and in some cases its severity. •

User: The account that triggered the event.



Computer: The name of the computer where the event occurred (useful when reviewing logs from different systems simultaneously).



Source: The application, service, or Microsoft component that logged the event.



Task Category: The category’ of the event; in Security logs, this will be the Security Event Category

managed via the audit policy. •

Event ID: A unique code assigned to various system ftinctions. Can often be the most useful

indicator of what triggered the event (if you have a good Event ID reference). General Description: A canned text description of the event, sometimes with additional information.

Descriptions can excel at “saying nothing,” bttt can sometimes provide valuable information including remote 1P addresses, hostnames, etc. •

Details: An optional field that can contain additional raw data (or error codes) generated by the event.

Reference

[1] hffp://technet.microsoft.com/en-us/library/bb726966.aspx

©2017 Rob Lee

273

• 1_on on I

m[\,

• Accou n t

r

[An account was successfully logged on, Subject ASGARD-HQI 9205 WORKGROUP 0x3E7 2

Security ID: Account Name: Account Domain: ID: Logon Type:

Impersonation

ASGARDHQ1920TheIpdesk 5CRD HQ1 &xi3AB22

926 2013 6:21:15 PM Logged: Task Category: Logon

(DX 000000-0000-OX000000000I

Kesv;ords:

Windows secu 4624

Computer:

Audit Success Information

sritLgflnhneHjp

NA

GUID

,.rcount Domain Logon ID:

Impersonation Level:

Level:

ntID:

• Ti ni esta rn p

• Event ID

• Computer

More Information:

a)

N

©

N (N

Network logon Batch Logon—Often used by Scheduled Tasks 1

9

t

10 L

L L

Different credentials used than logged on user—runas command i(R(

omDc ‘3

e Cached unlock (similar to Type f

DFIR

LYpL

FQR500

Windows ForensicAnalysis

Logon Events can give us very specific information regarding the nature of account authorizations on a system if we know where to look and how to decipher the data that we find. In addition to telling us the date, time, username, hostname, and success/failure status of a logon, we can also determine by exactly what means a logon was attempted. Logon Type Events are provided within the “Description” information of Logon Events and can give us this further information about how a logon was attempted. This information can be exceedingly helpful to an investigation, allowing us to determine whether actual “hands-on keyboard” were used to log on or whether the session was created using remote means via a Server Messaging Block (SMB) protocol connection or by ttsing something like Remote Desktop. Further, we can use this information to differentiate between system-based logons such as those performed by Scheduled Tasks, and user-based interactive logons. The following Logon Type Codes can be used:’1 2: Log on via a console (that is, using the keyboard) 3: Network logon (often using something like SMB for drive mapping) 4: Batch logon (Scheduled Tasks}—non-interactive 5: Windows Service Logow—non-interactive 7: Lock or unlock of screen 8: Network logon sending credentials in cleartext (potentially indicative of a downgrade attack or older admin tool) 9: Different credentials used to authenticate than those currently logged on with (Runas command or similar) 10: Remote interactive logon (Terminal Services/Remote Desktop Protocol) 11: Cached credentials used to log on due to system not in communication with the domain controller 12: Cached credentials used for a remote interactive logon (RDP). Previously rare, but now being seen when Microsoft “live” accounts are used for authentication on standalone workstations 13: Cached credentials used for an unlock operation

©2017 Rob Lee

275

275

In addition to helping our investigations, knowing these Logon Types can also be an excellent way to audit security within your enterprise. For instance, if you see Logon Type 11 in your event logs, this indicates that cached credentials are being used within your environment. That might be perfectly acceptable for a laptop system, but on something like a server, this can be a dangerous security misstep that could allow an attacker to very quickly harvest additional accounts. Reference

[1] http://www.windowsecurity.com/articles/Logon-Types .htrn I

276

©2017 Rob Lee

I

1:.

Lcn’ 2

U’ ‘ñ3t

Use the Logon ID value to link a logon with a logoff and determine session length

..y;,..p.j H.’ I

Ly’ff.

Ix.

F x

Session time 25 mm



[Jornn’ Lg IC.

I

F.entlCx

--it

. .

-

--

..

-d

.

-

-‘

=

Pr I

T: Ct’jri’ Ic.!f

DFIR

FOR500

-

Window’ ForensacAnalysis

Each account session is assigned a unique Logon ID at the time oflogon. This value can be exceedingly helpful for tracking user activities during that session. Examiners are often called on to determine the length oftime a user spent on the system. This can be used to profile account usage, as part ofa damage assessment in an intrusion case, or even for things like timecard violations. In this slide, we have two events: a 4624 successful logon and a 4647 user initiated logoff. The Logon ID allows us to tie the two events together and determine the amount oftime the user was logged in during this session. In this case, the initial logon occtirred at 6:25:57 PM and the user logged offat 6:50:43 PM, giving a total session time ofapproximately 25 minutes. Remember that 4634 successful logoffevents can also be used in place of4647 events when they exist. Determining session length is most useful for interactive (Type 2, 1 0, 1 1 I 2) logons. Other logon types like batch and network (Type 3,5) tend to connect for only short periods. As an example, if a user opens a document from a remote share, a Type 3 logon and logoff will be generated even if the user still has the document open. If changes are made and subsequently saved to the document, another Type 3 session will be initiated. ,

In addition to determining the session length, the Logon ID can also tie together other actions like special user privileges assigned to the session and granular views of user activity like screen locking and unlocking (recorded as Type 7 4624/4634 events as well as 4800/4801 events). One other interesting note about this slide is shown in the Account Domain field of the 4624 event. Notice it is marked as using a Microsoft Account. This feature made its debut in Windows 8, allowing system accounts to be tied to Microsoft online accounts (alexander.jamieoutlook.com in this case). The local account is inextricably linked to the online account, sharing configuration information across devices (this is not possible with domain accounts). In most cases, Logon Type 12 (cached credentials) will be recorded for these logons, Corresponding event IDs in Windows XP/2003: 528, 538, 551

©2017 Rob Lee

277

277

INew Logon: Security ID: Account Name: Account Domain: JLogonID: Logon GUID:

I I

I

/

Name SOurce: Event ID:

ASGARDHQ19fljaIexander [email protected] MicrosoftAccount MC97EI an

a a a an e an

a nan nanan an an

Security 91262013 6:25:5% PM Microsoft Windows security Logged: Task Category: Logon 4624

lUser initiated Iogoffi ubject:

I

I

Security ID: Account Name: aAccount Domain: ogonID:

Log Name:

Security

Source

9,26/2013 6:5t43 PM Microsoft Windows security Logged: Task Category: Logoff 4647

Event ID:

278

ASGARD-HQ1920\jalexander jalexander ASGARD:MQ1920 Oxi Cg7El

02017 Rob Lee

Evidence of a network-based (Logon Type 3) password guessing attack on the helpdesk account from 192.168.1.108 (hostname=BT -

-

-

-

-

.

.

-

fie

-

9

udit

2.-

i..

r

cti.jre

I L.qtn

.-

4.i

..

irr

cct

..

Fifu -

d .-ii

i’iit

ittr•

..

.

frir

F

:.

.

...

I

. -

I--ILfl

-u-ii

Ii-

.

.

.



-

...

..•.. i

...—

.5

.

.

i_ •

.



-ii.

F.Iurc

ud i

-



.‘

.E

•..

.1



•••

.‘r-r

-

.‘.

I gc. .t I

t,._t



[J.-

-

i

-. ;‘—irce

I . _

.tt.

crc-. i.irc.

i

cf

l

Um--

I t.-.jk P. rI.

.

nit

;_

.

D FIR

lrC3

i,tGU ii

.

r

it

-

FT 1;:

.

.

T.

.. .

PIG .

i

,,1C1it....

..-tt’ ‘i

i_li..

•i.t



iit: -‘

.

1.

I

.‘.

i..P

nlrn tc ii C,.;Ioi, r’

iltiC zct

I

I

..

rcn in

iirr.

Icjc’-n

.——

nt

...Qtj”t

i.icri

-

ij’..;C..

IL.

FOR500

.

•tej •.

r

_-

CrtGt

r.

r

I .

n

F

-ii irc

—q

Wudows o enslc Analysis

In this slide, we show another reason for tracking account usage. In this case, our review of the event logs shows a large number of 4625 Events, indicating failed logon attempts. Looking at the Event Properties tells us that the failed attempts are for the helpdesk account, and that they are being accomplished with Logon Type 3 or over the network. Given the Logon Type, this can be an attacker attempting to access network resources on the machine via SMB. The workstation name can give tis a clue whether the hostname was part of our enterprise (say another hacked machine), but in this case, it gives us only “BT”, which some of you might recognize as the default hostname for BackTrack penetration testing installations. Event logs starting with Windows 2003 now show both the hostname AND the IP address, providing a critical piece of information that was previously missing. A final piece of information we can discover from these logs is that by reviewing the timestamps, we see many failed logons occurring within the same second, indicating that this is almost certainly an automated attack. This attack was accomplished via the password dictionary attack tool, Acccheck, but similar results would be seen with other popular brute-force tools like Hydra and Medusa. Corresponding event IDs in Windows XP/2003: 529

©2017 Rob Lee

279

279

Date and Time

a aa

Keyv;ords Audit Failure

./ Audit Failure

9/22013 9;5a*24AM 9 27/2013 9:50:24 AM 9’2712013 9:50:24 AM

j Audit Failure Audit Failure

j Audit Failure 9’27j2013 9:59:24 AM 9:27/2013 9:50:24 AM

9/2f20l390:24M

*1 Audit Failure

Audit Failure

9127/2013 9:50:24 AM 9/27’2013 9:50:24 AM 9 2712013 9:50:24 AM 9/27/2013 9:50:24 AM 9/27/2013 9:53:24 AM

I Audit Failure I Audit Failure Audit Failure Audit Failure

9/27201% 9:50:24 AM 9/27/2013 9:50:24 AM %:T7i2013 9:50:24AM

%

Audit Failure Audit Failure Audit Failure

Event ID 4625 462% 462% l

:

3 NULL SID

Unknown user name or bad password.

helpdesk WORKGROUP

Status:

Failure Reason:

Sub Statun

Network Information: ST Workstation Name: Source Network Address: 192i6&110S 53[59 Source Port:

Security Microsoft Windows security Logged: Task Catego: 4625 Keywords: Information Computer N/A Microsoft Windows security auditing

9:2 2313 9:53:24 AM Logon Audit Failure Asgard*HQ1920

GxC:X403ED OxC000066A

An account failed to log on togon Type: Tas For Which Logcn Failed: Account Security ID: Log i Account Name: Log Account Domain: Log Yailure Information: Log Log Log Log

40ö 4625 4625

Log

4625 4625

4625 Log Log Name 4625 Log Source: 4625 Log Event ID: 4625 Log Level: 4625 Log User 4625 Logon

o

0 -J 0 0

N

0

0

0

C\J

cc

• Track Remote Desktop Protocol logons to target machines

• 477$ • 4779





Session Connected/Reconnected Session Disconnected

• Event log provides hostname and IP address of remote machine making the connection • On workstations, you will often see current session disconnected (r) followed by RDP connection (477$) • These events are also used to track “Fast User Switching” sessions • The auxiliary logs “Remote Desktop Services—RDPCoreTS” and “TerminalServices-RemoteConnectionManager” also record similar info

UFIR

FQRSOO

I

Windows ForenskAnalysis

In addition to the standard logon Event ID codes, there are some specialized Event IDs that are specifically tied to the Remote Desktop Protocol (RDP). RDP is used extensively within many enterprises and as such is often also used by those with mal-intent. Why install sophisticated backdoors when a Domain Administrator account can allow you remote access to any system in the Active Directory forest (this can be limited by group policy, but rarely is)? When specifically looking for RDP connections, two Event IDs can make our lives much easier: ID 4778 indicates that a RDP session was initiated and ID 4779 indicates that a remote session was terminated. These two Event IDs in tandem help us bookend a complete RDP session. The biggest advantage to IDs 4778 and 4779 is that they include the IP address AND the hostname of the system that established the connection. We should also expect to see a near-simultaneous ID 4624 event (successful logon) because ID 477$ indicates only a successful remote session was established, and ID 4624 indicates that the credentials provided were accepted. The same goes for ID 4779 and ID 4647 (successful logout) events. To further reinforce this idea of nearby events providing more context, we will often see on workstations an ID 4779 (session disconnected) event immediately before an ID 477$ (session connected) event. This is due to Windows workstations allowing only one interactive logon at a time. When a RDP connection is made to a system that currently has a user logged into the console, the console session must be first disconnected. Not every 4778/4779 event will be due to RDP usage. Windows also uses this same event to record the changing of Windows stations due to the “Fast User Switching” feature. It might also be worth checking the Remote Desktop Seiwices—RDPCoreTS and TerminalServices RemoteConnectionManager auxiliary logs located in the same folder as the other event logs. Event ID 131 within the RDPCoreTS log and Event ID 1149 in the TerminalServices-RemoteConnectionManager log record the remote IP address, user, and date/time of successful connections. Corresponding event lBs in Windows XP/2003: 682, 683

©2017 Rob Lee

281

281

Evidence of a Type 10 Logon (RDP) to M4500 using the helpdesk account from a system with hostname COOLER (19Z16$.L106) c

General Details

General Details

Ii

Event ProperUest47iAicrosoft W;ndows

!A session was reconnected to a Window Station.

Logon Type;

10

New Logoiv Security ID: Account Name; Account Domain: LogoniD: LogonGUlD.

M4500\helpdesk helpdesk 1A1500 0x5df9143 j000.0000.00C

kubject Account Name; Account Domain: LogonlD:

Aucbt Succc

i

201

05cf62%d

Session; Session Name;

Net.vork Information: M4500 Workstation Name: Source Network Address: 132.16&1105 55445 Source Port: Audit Sucse

helpdesk M4500

Additional lnformaton: Chent Name; Client Address; ItS 0 PM

2622C11 10;2;21 PM

41)0 4775

()thar oonLgof I I

Other Logon Logoff Evont:

FORSOO

DHR

COOLER 1921681ä0%

Windows Forensic Analysis

This is an example of a successful Remote Desktop Protocol (RDP) session being established. Looking at the table view of the Security Event Log, we see a successful logon (ID 4624) on system M4500. We can take a closer look at this event by looking at the properties, where we see that the event is for the helpdesk account and has a Logon Type 10 associated with it, indicating a RDP session. Subsequent to the helpdesk logon, we see a session logoff (ID 4779), which in this case happens to be the current session logged on at the console (physical screen/keyboard). This is immediately followed by a newly established session (ID 4778), which is the new RDP connection. Looking at the properties for the latter event shows us that the RDP connection was initiated by a system named COOLER at IP address 192.168.1.106. The Logon ID of the 4779 event indicates what account session was logged off to facilitate the RDP connection. This is an excellent example of using multiple events to paint the complete picture of an action taken on a machine, It is important to note that this RDP connection will be logged only on the receiving system. The system that initiated the RDP connection will not have these events logged (the only event log evidence might be in Process Tracking for the terminal services client being executed). Corresponding event IDs in Windows XP12003: 528, 683, 682

282

©2017 Rob Lee

28%

I

I

!

i

i

{00000000-0000-OOC

M4500

helpdesk

9/26/2013 10:25:24 PM 9;26’2013 10:25:30 PM 926!2013 10:25:31 PM

Audit Success Audit Success

Audit Success

‘Network Information: Workstation Name: M4500 Source Network Address: 1%216&L106 Source Port: 55445

I

M4500\helpdesk

10

Event 4624 aticrosoft Windows secur

Security ID: Account Name: Account Domain: Logon ID: Logon GUID:

New Logon:

Logon Type:

Details

t Pro di

Genera

j E

4778

4624 4779 -

-

Event ID

M4500

M4500

Other Logon/Logoff Events Oth& Lo;on/Logoff Events

NM500

I

COOLER 1921681106

RDP4cp#O

0x5cf627d

Logon ID:

Session Name:

helpdesk

M4500

Account Name;

Account Domain:

Additional Information: Client Name: Client Address:

ISubiect

session was reconnected to a Window Station

General Details

Event PmPedies4776&icrosoft Windowj

Logon

jJ

rThTiri

• Identify which users have attempted to access a protected file, folder, registry key, or other audited resource • 4656 • 4660 • 4663







Handle to object requested Object deleted Access attempt on object (read, write, delete,

Event includes times tamp, file or folder name, and user account that attempted access Filter by 4656 failure Events to identify users attempting unauthorized

access • Review 4663 events to identify what user actions occurred • Object auditing can quickly fill logs and requires tuning

DHR

FOR500

Windows ForensicAnalysis

Utilizing event logging to monitor important files, folders, network files shares, the registry, and even the SAM database is a powerful feature that few administrators take the time to implement. Object Access Events can qttickly fill a security log if they are implemented hastily. When done correctly, they can give the analyst ve;y detailed information about when critical resources are accessed, by what user accounts, and what actions were performed on them. With companies focusing more on intellectual property theft, you might find yourself lucky enough to have these events available during your investigations. Object Access Events are triggered based on resources that have been previously set up to audit. This can be accomplished through the Auditing options under the Advanced Security Options of a resource. For instance, Auditing tab. Options include Advanced button Security tab Properties right-click a file and select options from their parent these inherit to set be can objects Children etc. deletes, write, read, auditing access, folder.’1 -

-

-

-

For auditing access, we will focus on three Event IDs within the Security Event log. ID 4656 indicates that a handle (pointer) to a specific resource was requested by a specific user. This can be either a success or failure event. We are also provided with the timestamp, user account responsible, and the name or path of the resource accessed. If successful, this event will be paired with an ID 4663 event, which details the specific actions taken on the object (failed attempts will usually end at the 4656 event). A variety of actions are available, but those most pertinent to us are Read, Write, and Delete. These actions will be listed in the Description section of both events in the Access Request Information property (the 4663 Event can have more granular and relevant data). Finally, when auditing deleted resources, we can use Event ID 4660 to indicate when audited resources have been deleted. When found, this event will be paired along with an associated 4656 and 4663 event. An interesting implementation of this could be to set “write” actditing on system files in the Windows and System32 directories. These files should legitimately change only with Service Pack updates, hot fixes, etc. If an intruder has attempted to modify these files, it would be relatively easy to identify the activity within the logs.

284

©2017 Rob Lee

284

After you move to a Windows Server 2012 environment, the “Global Object Access Auditing” allows much more flexible object auditing than simply success and failure auditing. New options allow narrowing the auditing focus to specific actions on a file including read, write, delete, change file permissions, etc. Auditing can also be focused on specific groups or users making it much more feasible to turn on this type of auditing [2] Corresponding event IDs in Windows XP12003: 560, 564, 567 References

[11 http://technet.microsoltcom/en-us/libraiy/bb727008.aspx [2] https://newsignature.com/articles/server20 I 2auditingfor-security

©2017 Rob Lee

285

Event ID Task Category

Source

Key.vorde

Date and Time

Audit Failure AudS Success AuditSuccess

10/2/2013 53:53 PM 10,2/2013 75ft44 PM 10/2/22137:5944PM

4655 ErIe System 4658 Fde System 4655 FrleSystem

Microsoft Windows security auditing. auditing. Mrcrosoft Windows Mrcrcsoft Windesss secuntv audrtrng.

Audit Success Audit Success

10/2’2013 7:59:44 PM 10f2/2013 7:56614 Sft

4656 File System 4653 ErIe System

Microsoft Windows security auditing. Microsoft Windows securrW audrtrng.

security

Event 4663. Mrcrosoft Windows searnty auditing. Genera!

Details

iSubiect:

Log Name: Source, Event ID:

Security Microsoft Windows security logged: Task Category File System 4563 information

KeystoNe:

WA

Computen

Audit Success Asqard4101920

F0R500

UFIR

Windows ForensicAnalysis

When analyzing file and folder access, we will took for 4656 and 4663 events. Depending on what you are monitoring, both success and failure events can be interesting. For instance, if you are monitoring writes to the \Windows\System32 folder, you might want to know what users attempted and failed, but even more interesting might be what users attempted and succeeded! In the latter case, the filename of the affected file would be available and worth looking into. On this slide, we see multiple success events and one 4656 failure event at 10/2/2013 7:53:58 PM. Notice that the failure event does not have a corresponding 4663 event as any access was stopped when the handle was requested by the user. To figure out what user was involved, we will need to look at the event description. One pro-tip on auditing is worth noting for those setting this up. Both “Audit File System” and “Audit Handle Manipulation” within the Object Access audit category must be set to Success/Failure in order to get proper reporting. For instance, if “Audit Handle Manipulation” is not set, you will not see Event ID 4656 failure events in your logs.

286

©2017 Rob Lee

286

10/2: 2313 7:59:44 PM 10/2/2013 7: 59:44 PM

w:

10! 2; 2013 7:53:58 PM 10/2i2013 7:59:44PM 1012/2313 7: 59:44 PM

Date and Time

User

Asqard-HQ1920

N/A

Event ID:

Computer

Microsoft Windows security Logged: 10/2/2013 7:59:44 PM 4663 Task Category: File System Information Keywords: Audit Success

Source:

Level:

Security

A

Microsoft Windows security auditing Microsoft Windows security auditing

Microsoft Windows securi auditin9 Microsoft Windows security auditing. Microsoft Windows security aa

Source

Log Name:

Subiect:

An aftempt was made to access an object

General Details

4656 File System 4663 File System

flit1

4656 File System 4658 File System 4658 File System

Event ID Task Category

Event 4663, Microsoft Windows security auditing

4:

‘?

Audit Success Audit Success

i

Audit Failure Audit Success ,Audit Success

Keywords

I

An atternptwao made to accea%e:tobj&L

IA handle to an objectwas requested.

,Subjeth

ISubjech

I

Secunt; ID;

Account Name: Açcut Dome:iv loon ID;

I

AARD-HQ1926otecder ;aleeonder ASGARDHQ192O

Account Domaut

OaEtP&B

bogonlD

lObjact Object Type:

IPrccess Information, Process in Process Name: Access Request informatson;

Accesses.

ASGARDHOl92t’.helpdesk helpdesk ASGARDHQl92J &IA9A7E

Oh ad:

Object Semen Object Name; Handle ID. Resource Attr;butee:

Secunty 1D Account Name:

DIe

CACon%dentral Dccs WesTransfeiinfo.tu tollS RAT

Object Semen Object Type: Object Name:

Socunty Fda

Handle Ito Resource Attnbuter:

Ott

• Access Request Information.

Cc4

C

If—

C

en WI en

V

enec

I0 ‘C

V

1

nJ

a e

0 0 xx %Vt 0tQ4 4q44 tn—WI

6

*4)

#0 c

tO

.t

V

3* S C

“Co

oZo .4

I II a r

1

*et 43 :

v

di

2

or

.0



>CC

a000 vUU0

WI

Ct V 0 41

z

b

I

Vt ‘4

43

V

0

4))

4)

IaZ

U o a

.0 .

WI

FTT a C

rse

E

V

flu

C a a

c-i

tf

en C

a; E

41 #0 0

C

2

*3)

041 0> WI UI

-J

‘-V Do

Cl

4;.; 03

I

2

@111

Qldlk-’E

; ,

-

4) C

43

-a

vi

-t 4-

4) 3

43

2

fr

a

gi C) en

-3

P

V -a

C tO

C

ni

i

;;

a;

Ut .

Hi

01 0 --3

:5

a

04 rn

en

0

44

i a 0

-a 4) en

t

S

0 en

ret

r

V

di

gt

H

Is

I-a 4)

H 0

IC

0

2— •V 3

4

4

—2

oW to

0

colC

vi

C

4)

Ceo viC.J



V

en

C

C

a

E. a— 5

-a -3 - - ,0 I V en a a jtliw.3tOO

j1

Scenario • Determine if and when hardware devices have been installed on the system EoiP1ug and Play driver install attempted (System log) 4663 Attempt to access removable storage object (Security log) • 4656 Failure to access removable storage object (Security log) ‘





• System log identifies device type and serial number but shows onlyfirst time a device has been plugged in • Security log can identify every time a device is accessed (starting with Win8/2o12)

DFIR

FOR500

I

‘N ndows Fo nsic Analysis

With the new update to event logging within Vistal2008, a large number of new entities started triggering events for the various logs. One of these additions is that the Universal Plug and Play manager is now logging events and it creates events for each device driver that is installed. Thus we can use these events to determine when a plug-and-play device was plugged in for the first time, since by definition the Pitig and Play Manager will attempt to install a device driver when a new device is detected. When a plug-and-play driver install is attempted, the service will log an ID 20001 event and provide a status within the event. If the status is anything other than “0”, an error was reported during the installation. The installation error codes have not changed since XP and can be found on the Microsoft website.[1l The ID 20001 event gives the particulars of the device installed, including the device name and vendor name and the serial number of the device (if it exists). The user account name that was logged in when the device was introduced is not stored in the event log. This information would need to be correlated with logon events or discovered via the Windows Registry. It is important to note that this event will trigger for any pitig-and-play capable device, including but not limited to USB, FireWire, and PCMCIA devices. Windows 8± includes a new “removable storage device” event (ID 4663) that can be used to record BYOD usage after “Audit Removable Storage” auditing is configured within the Object Access category of the Advanced Audit Policy Configuration. Similarly, Event ID 4656 is used to identify failed access to a removable device. Although a step in the right direction, it is difficult to tie this event to an actual device. Corresponding event IDs in Windows XP/2003: None Reference

[1] http://support.microsoft.com/kb/3 10123 02017 Rob Lee

293

293

E’centViewtr

System log Event ID

20001

Level

Date end Tens

I Informatron I lnformat:on I Informatron

3,9’2010 2:34:19 PM 33870102:11:10 PM 3192010 2:38:34 PM

a Jr I ovation

Timestamp

°

0132 35t4 Pr I

m&rantlDTaskategor1 Ser,ice Control Manager Service Control Manager Service Control Manager

7035 None 7038 None 7035 None 13 D

i’D Classirrtaller

er Pc

S

I



IC

Event 20001, UeerPnp General Details

Device information

Driver Management concluded the process to anslail dover FaleReposatorv\wpdfaanf..amdth ,neulraJjc3ebadff3a30ae4\wpdtrinI for Device inetanoelD WPDBUSENUMRGOrJJMM%&31C185E&O aELER)natrrvj00: l&STOaAGEetJDLUME:.n,u5aswR015x&YN4JUNGSTONStPRGQDATATP A920855201M838T math the following etatuer 0,

Device serial num

I10000cM55

Log Name:

• Status (o

=

no errors)

5

S

System UserPnp

LoggerS

EventlEL

20001

Task Categoay (7005)

Level:

Information

keywords:

User:

SYSTEM

Compraten

OpCode

Info

OFIR

*

319,2010 2:35’04 PM

Sorarser

FORSOO

I

Mercury

Windows ForensicAnaiysis

294

In this case, we are reviewing the System log and have selected an ID 20001 event triggered by the UserPnp service (plug and play). This event tells us the following: Timestamp: The time and date that the device driver installation was attempted (3/9/2010 2:35:04PM) •

Device information: Embedded device information captured by the Plug and Play Manager (Kingston Datatraveler 2.0 Revision 1 .0)



Device serial number: The unique serial number embedded in the device (001D0F0CAAC5A920855201A6)

o

Status: The error code associated with the device installation (OxO

no errors)

Thus, doing a simple search for ID 20001 events allows us to quickly view any devices that were plugged into the system and recognized by the Plug and Play Manager. Using the timestamp, it would be trivial to correlate this event with logon events to determine which user account was logged on when the device was plugged in. Corresponding event IDs in Windows XP/2003: None

294

@2017 Rob Lee

L

€1 rmt

I

finformation

Date and Time

Source

319/2010 2:44:19 PM 3’ 11

Service Control Manager Service Control Manager Service Control Manager

3/9/2010 2:35:04 PM

WPDCiassinstafler

Event ID

7036 7036 7036 24579

Task Category

None None None Driver Post-Lj

x

Event 20001 UerPnp

r

-

cjtr: tTcf-

:oir-’r—-—

D3

J

JEZ_ mci2n5szi,.s&oz

1’

JE’:: Li&.E. :cD C— EckvEZ t-i the fi:c :rq statu;

S RE-i.

t.fl

s cr rter

‘r,3.

Info More Information:

yes* Log/7n[me keip

©2017 Rob Lee

295

Fered Lo Sy1ern: rce Mrcro ft

/

rid

UserPrip Number of evems 766 Sent ID Tatk Cete3ory

trvef

INte end Tune

Source

Lnformetrcn I :Informetcn iInformatrcn Infcrmetton

47’2011 03120 PM 472011 93120 PM 472011 9:3120 PM 47/201193120 PM

UserPrip UserPrip UswPop UierPrrp

20001 20003 20001 20003

I Informetrori

411/201193126 PM

UserPnp

20003 (70051

7005) (7005) (Z005 (7005)



UserPup

I 3

General OderN r e P negem rit con ud’ p o e to nst o wet Fr e°epc Ccr bpc n’.ema6e neutral ‘fffle.61r’ 5r lj of Dunce Inctarice ID 13 WYA8LEAU CRiSSATMDET-RDGE303GE0020035F19E nth the fctonrrrg itatun OrG.

Source

System UserPrip

Coggerl

Event lID

20001

Task Categorc (7005)

Level

Informahon

Log Namo

4/1101193126 PM

FOR500

QFtk

Windows Forensic Analysis

2%

In this example, we show the same System log Event (ID 20001) for a 1394 FireWire device. Similar to USB, FireWire utilizes plug and play and has a unique identifier that can be used to track Windows artifacts pertaining to the device. This event tells us the following: •

Timestamp: The time and date that the device driver installation was attempted (4/7/2011 9:31:26PM)



Device information: Embedded device information captured by the Plug and Play Manager (Tableau forensic SATA/IDE Bridge) Device identification: The unique 64-bit GUID embedded in the device (0030E0020035F09E)[’] Status: The error code associated with the device installation (OxO

no errors)

Thus, doing a simple search for ID 20001 events allows us to quickly view any devices that were plugged into the system and recognized by the Plug and Play Manager. Using the timestamp, it would be trivial to correlate this event with logon events to determine which user account was logged on when the device was plugged in. Corresponding event IDs in Windows XP/2003: None Reference

[1] http://www.l394ta.org/developers/Seminars/GUlD.pdf

296

©2017 Rob Lee

.Use!np

%A1*23i:26PM 4:7; 2011 9:31:2% PM

V

I

Details

I

20003

(7005)

20001 (700%) 20003 (700%) 20001 (700%) 20003 05)

Event ID Task Category

Task Category

20001 Information SYSTEM Info

Eveo bgQn line HeAp

Level:

User:

OpCode:

More information:

Computer

Keywords:

Logged:

UserPnp

System

Log Name: Source Event ID:

M4500

(7005)

411/20119:31:26 PM

Driver Management concluded the process to install driver FileReposrtory\sbp2.inamd64neutrai)fffl2%%1375et%hsbp2inffor Device Instance ID 1394\TABLEAU&FORENSI5ATA/IDE BRIDGE\0030E0020035F09E with the following status: OstL

General

[; Event 20001, UserPnp

I information

1Wnbn. UserPnp

UserPnp UserPnp UserPnp UserPnp

4/7/2011 9:31:30 PM 40’2011 9:31:29 PM 4 7 2011 9:31:29 PM 411 ‘2011 9:31:28 PM

Informabon InformatIon Information Information

I I I I

Source

Date and Time

Level

Filtered: Log: System; Source: MicrosofPWindows-UserPnp. Number of aents: 766

-

-

ioitOPydstor

•: File

Action

View

D

Esent .5051 Microsoft indcs;s sesukty auditing

Help

lAn attempt was made to acctss an object.

Subject Audit Events

Subcategorv

-



-

Not Configured Not Configured Not Configured Not Configured Not Configured Not Configured Not Configured Success and Failure Not Configured Not Configured Not Configured

Audit Application Osnerated Audit Certification Services Audit Detailed File Share Audit File Share Audit File System Audit Filtennq Platform Connection Audit Filtering Platform Packet Drop Audit Handle Manipulation Audit Kernel Obiect Audit Other Object Access Events Audit Registiv

w

t-.-At

aiA1 Audit SAM AuditCentralAccessPclicvStaginq

-

lOtiject

I



ASGARD4IQ1920 jalesander

Account Domes;; LogoniD.

ASGARD-HQ1920 Da31 052

Object Ser.eo Object Type; Object Name; HandleiD; Resource Attributes;

Secunit1

jalesander

File SDeice\HarddrskVolurne4\Bucines54aoij

Prr cess Information,

Oct50 COWind\erptsrer.ese

Process itt

Process Names SAccess Request Information; Accesses;

J Not Configured NotConfigured

Sscurit ID. Account Name.

I

j

ReadData (or Liswirectoiyj

Log Name Source;

Security Microsoft Wmdov,s Logged:

Event ID;

.5663

Task Categom Removable Storage

Lersi:

information

User;

WA

Keswcrds; Computer;

UFIR

FOR500

I

9’2W2013 104123 PM Audit Success Asgard’Ht21922

Windows ForensicAnalysis

Windows 8/20 12 added additional functionality to object auditing to provide logging of removable device usage. Microsoft describes the genesis of this new capability:[11 “Security auditing is one of the most powerftd tools to help maintain the security of an enterprise. One of the key goals of security attdits is to verify regulatory compliance. For example, industry standards such as Sarbanes Oxley, HIPAA, and Payment Card Industry (PCI) require enterprises to follow a strict set of rules related to data security and privacy. Security audits help establish the presence or absence of such policies, and they prove compliance or noncompliance with these standards. Many organizations are concerned about sensitive data being copied onto removable storage devices that are not controlled by their IT departments. Windows 7 and Windows Server 2008 R2 do not support auditing removable storage devices, As a result, enterprises lose the visibility of who accessed sensitive data after it has been copied to a removable storage device,” Event ID 4663 can now be used to record BYOD usage after “Audit Removable Storage” auditing is configured within the Object Access category of the Advanced Audit Policy Configuration.[2l The new events link account name with device (Object Name field) and action (Accesses and Process Name fields). You might also notice on this slide that folders present on the device might be recorded, such as the “Business Plans” folder identified in the Object Name field. Unfortunately, these events are missing a critical piece of information: How do we tie the Object Name (\Device\HardDiskVolume4\ in this example) to an actual device? Ideally, the event would record a unique identifier (serial number?) for the device being audited, but alas we are not that lucky. Instead, we will have to rely on other traditional forensics artifacts, such as USB device profiling. The examiner should be able to match a USB device’s last used time with a contemporaneous event ID 4663. Once this is complete, additional usage of that volume can be tracked during the user’s logon session (via the Logon ID and the Object Name). Additionally, previous usage might also be available via previous 4663 events that show a similar folder structure. 298

©2017 Rob Lee

298

To identify failed attempts to access removable devices (perhaps due to Removable Storage Access restrictions in Group Policy), you would also need to include Success and Failure auditing for the “Audit Handle Manipulation” category. Similar to what we saw in file and folder auditing, if a failed access occurs, it will be picked up as a 4656 failure event to get a handle on the removable device. If this occurs, a 4663 Event will not be generated because the user will not have been able to secure a handle to the device to even attempt to access it. Corresponding event IDs in Windows XP12003: None References

[1] http://technet.microsoft.com/emus/libraiy/hh84963 8.aspx [2] http://technetmicrosoftcom/en-us/library/jj5741 28.aspx

©2017 Rob Lee

299

Event 4663, Microsoft Windows security auditing. (An attempt was made to access an object.

ISubject:

I

I

Security ID: Account Name:

ASGARD-NQ1920JaIexander jaleander

Account Domain: LogoniD:

ASGA RD-HQI 920 31B%2

Object Serier: OWed Tv e: Object Name Handle ID: Resource Attributes:

Security File etic&HardiskVolum\BusinessPis c2%d6

lObject

I I

300

•rocess information: Process 1D Process Name:

I I

tccSO C:WIindows\explcrerae

lAccess Request Information: I Accesses

ReadData (or ListDiredory)

Log Name

Security

Source

Microsoft Windows Logged:

Event ID:

466%

Lack

Informaton

User:

N’A

9/29/2013 1th42:25 PM

Task Catego.y Removable Storage Audit Success Keywords: Asgard-HQ1920 Computer:

©2017 Rob Lee

• Determine what wireless networks the system associated with and identify network characteristics to find location Wireless network association started Successful connection to wireless network . 8002 failed connection to wireless network • 6100 Network diagnostics (System log) .

11000

.

8ooi









-

• New custom log introduced with Vista and Server 200$ WLAN AutoConfig Log • Contains SSID and BSSID (MAC address), which can be used to geolocate wireless access point *tno BSSID on Win8+) • Shows historical record of wireless network connections

A large number of “custom,” or specialized event logs were added with the new log formats introduced in Vista and Server 200$. The WLAN-Autoconfig log was created to store events related to wireless network access. It contains a wealth of information about each attempted connection to a wireless access point. Enough information is provided to help identify systems, which could have been targeted by a rogue access point, or to geolocate where that access point might be located based on database lookups of the specific SSID and BSSID. Logs in Windows 8 and above appear to not include the BSSID. However, this can still be obtained in the Windows Registry. Event ID 11000 shows the initial association attempt by the system to the wireless access point. Event ID 8001 indicates the association was ultimately successful, whereas Event ID 8002 indicates a failed connection. An important distinction of information held in this log versus information stored elsewhere (like the Windows Registry) is that the WLAN-AutoConfig log keeps a record of each attempt, providing an invaluable historical reference. Corresponding event IDs in Windows XP/2003: None

©2017 Rob Lee

301

Dnd1rn ripu

I

31001

X

3001 W1*N AftCtg

jMAN %uCh

I

WLAN-AutoConfig Log

Ent!O %LAN

w:z30

r-. hi

t0Mwcik Adç1ei ktt030 Cfr1(R3 40410000 AGN N&%1% Zk4752 dll 4c5 3024100dc3013130 nen M& Ct; c’ n urew ntwc% thcut cc00 Nim 1w

Historical record of wireless connections • Date/Time

Adapter

3

003$ T)pt 1fth.Nudur 1b3342330*0r 31

• SSID

PHYiyp 0O2i1j

A.4hnNcNon. C4tf

M#iA43’ckw WLAN4141’cr4*g Oior0 WN Ac03

8001

3

L30ed.

33i)fl3433)

cjcw 4Cntn

• BS$ID (MAC)* • Authentication Type

flFIR.

FORSOG

I

Windows ForensicAnalysfs

Beginning with Windows Vista and Server 200$, a new “custom” log was introduced named WLAN AutoConfig. This log contains a wealth of information for each wireless network association, including:



Timestamp: The time and date that the wireless access point connection occurred (6/21/201 6:42:47PM) Network Adapter/Interface: The network adaptor used to make the connection (Intel N6200 AGN)



$SID: Service Set Identifier for the WLAN (hhonors)



BSSID (MAC): Basic Service Set Identifier is the Media Access Control (MAC) address of the wireless access point (00:23:04:6E:OE:31)

Authentication: The type of authentication enacted by the wireless access point (none: open access point) This information is also available within the Windows Registry, but the value of this specialized event log is that it keeps a historical record of each connection, as opposed to just the last connection referenced from the associated registry keys. Corresponding event Ws in Windows XP/2003: None

302

©2017 Rob Lee

%GZ

t

WI

F

©2017 Rob Lee

303

!

System log

E.innt 41 Tadz Ca1032r0

Dnt and Trna 1nformaton morrnhr

S l323l4 1-33-31 AM

32agnootn.a Nwor3ing

5’323314133I1AM 32f 14 13.3;31 AM

[32nnfic Nato.crkin1j

6132 Hdr3aInfo 51131 Hde1ncn Into

1ETNb34

a

&naral

Info

A62 34 33-04-30-32-AS lb AS F? 10723 03-23.6 331-34 33-734154%

bOa bofra

32-5303333532

Info,

10-73-33221-SE AC-Fl-Of 51-30 34 AC 104311321323

bofra

bOa

br4fa bofra lofra

-33

zunkncnwna

-32

jnkncncn> unknnnvn

-39 -35

anknco-n--

.33 -33

-

9

0331353132

-3.3

x

04 C

‘5) 0 5.

I:

8 ‘U

dii

U’

41 C

‘U ‘U C ‘U

‘3

C C çp

2 t

%

:

Z e’

PD inS UIZ

V’L) C>

-% O41 ‘Ug WS)’U an,—. Cr’5

°N’’E

-“

S,C

£eJ

:?

3j

%n:v-

‘ç;

C

::

i3

n

8’?J-4 “j

0Ui0’U0

-.

‘U

C

s

a I ‘/4

‘U -

‘U C

2

C

CC CuC

tssS&vci

C *

‘‘

t-•



cC ‘a

k’s-

c

Eb

a t5

SC

C

I

CC C CIC

-‘

V

‘(7

t 2 VI

a

5

a?

C 1;; “U

‘U

CT

:

:

i Ic?: >

a

5t’ ‘5

(J’U’

-“C’

-—

stcn



t’

:&

tn*

4-

L”

22

rr.

41 b.

a

5

4-

‘C (fl&

2

C

2

C

gr

Ii %

tt:cfl

I

I

c_Ofle ‘USC1u

CCç CCC5C

:ZLI2

e

‘0’’0r’’U’’U

‘‘

At%AA0iA1

rrLCr! i>

5!%%C4

daSi%S t ‘U ‘CCCCCC C 24 a CCCCCC is’ C nI’ DZDDD , !ia,vvvvvoivo’

‘UUfU/4)’U’U’U’U’U

10>

!flfli%fli -

3%

n,r’jmnicowCinC

is>s

1r--rnfr-1-nnJnJt—njr’-

:



‘UO

Q ‘4

a

t> 4-

L

-

!

‘;





t

C in

‘U

‘U

C

‘U

.

P

‘U’



C,

C)

a

a

C

a

i

0

‘e 4

‘UU9

C,

‘U

‘U

in





)

)

o

(74 C

I

‘U

‘U 0 -J 0 0

in

0

(‘4

©

Logons

Security

4624,4625,4634,4647,4672

RDP

Security

477$ ,4779

RDPCoreTS TerminalServices-Remote

131

Object Access

Secunty

4656, 4660, 4663

Time Change

System I Security

1

Ext. Devices

System Security

20001

Wireless

WLAN-AutoConfig System

8001,8002,11000

{ 1149

4616

4656, 4663

6ioo

FOR500 j Windows ForenskMalysis

DFIR

A majority of the events discussed in this section are represented in this table. Keep in mind that this is just a taste, and there are many other events you will encounter and identify as useful to your investigations. The next section covers some excellent resources to help you in your journey.

306

©2017 Rob Lee

306

OFIR

I

Windows Forensic Analysis

This page intentionally left blank.

©2017 Rob Lee

307

3°?

a

Supports evt and .evtx formats Can open multiple logs at once for simultaneous searching and correlation activities bs 12ew Evs6S WiP6P6w 44 • Merge logs together to correlate x Tits J • Access remote event logs Very tolerant of log corruption Excellent filtering • Strings in event description Right-click for Quick filters Color coding by Event IDs x Free for personal use *

Ihp5$

46t.dfLX

Cssp-ssss i44566C*x)

246

CSC.6 1W74C4 Tpp

• •

DT$s 604630 511 A5d5*(725$s 1/5/2012 5$4555 55$

Inftmel E*er

ft W546va 4572 p5$yft $46* 5$

M721Ma0o5

As4t5uccecs

-

1/512612

tSaztas 1/5/2012

Sstoa

-

2041 20cce,,

115/2612

1Z3:3f4

2:25167511

216433534

4572 aft-25$C-5v-5$ ,aft-Wftdaw:

4524 Ilk

4672 1$ft 26$Ma Ia

w52 7216652f515 5$14161 on

So /2 535$/ed:

• •

Pourcs tnl 4524 Ma

1c’eo1D,

Ox’a7

L51C$1T146

Now 1460$

205126366

6161

FOR500 j Windows Forensic Analysis

UFIR

The built-in Windows Event Viewer has some significant drawbacks. It can be very cumbersome to review a large number of events within the interface. There is no capability to load multiple security logs (that is, from different systems) and filter or search in parallel. It is very intolerant of corrupted logs. Due to the nature of forensic data collection, we often encounter corrupted event logs, and I have seen less experienced forensic analysts give up when those logs could not be opened in Event Viewer! Never fear, we have alternatives. Event Log Explorer is a third-party event log management software package that runs circles around the built-in Microsoft tools.[11 it provides just about every feature that a forensic analyst could want when doing a log review and greatly speeds up the process. It supports logs from every current Windows NT operating system (Windows NT to Windows 200$) and as such can read both .evt and .evtx log formats. One of its biggest benefits is that it is very capable of working with corrupted log files, You can open up a log file in one of two ways: Standard Mode attempts to open up the log using API-like methods and Direct Mode parses the log in raw form. Thus we get the benefits of an offline parser tool combined with a GUI interface and review platform. Another area where Event Log Explorer shines is in its features that assist log review. It allows many log files to be opened simultaneously and even merged, greatly aiding with event correlation and reducing the amount of time needed to search. This ability extends to being able to open logs on multiple remote systems simultaneously for live reviews, It has a very robust filtering capability, including access to the text-based Event Description field where so many of our forensic artifacts are located (such as Logon Type in ID 4624 Security Events). Quick Filters (accessed by right-clicking an event column) allow options like showing only events of a specific type or removing types of events from view. Another nice feature is the ability to color code different Event IDs so you can quickly zoom into the places within the log where you want to focus your analysis. Event Log Explorer is free for personal, non-commercial use, and is approximately $150 for a full license. Reference

[1] http://www.eventlogxp.com/

308

©2017 Rob Lee

308

Waoso# ITechNet

flttp:/ /www.microsotLcom/technet/support/ee/ee_advanced.aspx http://www.eventid.net/

http //www u1timatewinc..

y1og/encyc1o11afATE. sEcuRrrY

USB Reference Material • Win7 and 2008 Security Event Description.xls • Active Directory Event ID Comparison.xls

O FIR

FORSOO

Windows For ensic Analysis

Unless you are a savant, it is nearly impossible for anyone to memorize all of the various event IDs and their related error codes. Luckily you don’t have to. There are a wealth of great online options for looking up all things event log related. Some of our favorites are listed here. Going to the source is not a bad starting place, and TechNet does a good job of documenting a vast number of the possible event IDs for a large number of different Microsoft operating systems AND applications. The real strength of this resource is in the codes for the Application and System logs that are poorly documented elsewhere. All that being said, prepare yourself for many of the same useless event descriptions that system administrators have agonized over for the last decade. EventiD provides a good span of information across the various event logs, but its descriptions aren’t as comprehensive as some of the other options. Ultimate Windows Security has done a good job of creating THE resource for all things related to the Security event log. It has a great free database that is regularly updated and crowdsourced. This is often my first stop when looking up an unfamiliar event. Last but not least, an anonymous former 500 student provided some excellent resources in spreadsheet form for the new .evtx log format. These documents are located on your course USB.

©2017 Rob Lee

309

309

tMISDFIR a DIGITAL FORENSIGS

INCIDENT RESPONSE

Exercise 4,4 Event Log Exercise

FORSOO

DFLR This page intentionally left blank.

310

©2017 Rob Lee

Windows ForensicAnalysis

31

DONALD BLAKE 4SET MELINE—Following Event Log Exercise 18:24

Begins accessing

--

19:21 Opi..nin’, I Dropbox folder (via Sheilbag)

[ I I

Dropbox, ‘ inword utilized (via Vent log)

tonnect to LOT3B SSID (via event

LL

F 18:45

folders, localand remote, ouera ‘2 hr period

“USB2.0” (BLAKEflIES E via iig Lastlnserted 18:46

(via ShbaJJ

“SM first

and FVENOTIFY

(via USBfl

Prefetch)

-

8/1/138/8/13

20:16 Accesses folder on F:\Templat e .

20:11-20:21 Uses Remote Desktop

Sheilbag) 20:16:65

L

10/21/13 17

5

Th’Od

Skype chat from Jordan tells Donald to check e-

Nokia Strategy .docx opened

(via IEF)

Donald

E-mail analysis shows e-mail read.

LNl

1 I

1S:1

7P-3

Runs Bitlocker Unlocker

Began copying files to

(via UserAssist) Depd

I

)

-

(via e-mail)

imageoo3 (AA04012700011 123 F \) has business plan docs in root and \Templates

16:31

(via INK)



(via String Search)

DFIR

1903 Donald changed time to

15’13

16:23

skyw/ Jordan. Sh’ been fired, Jordan asks

FirstRDP Session from Donald (via Event

Begins utilizin’ sdetete anti forensics (via jefetch)

10/22/13

t 13:00 ] 1

Donal U

16.38 Donald siccount last logan (via SAM)

19:20 Donald hanged tim to /1 9 20 (via event log) —

FOR500

Windows Forensic Analysis

This page intentionally left blank.

©2017 Rob Lee

311

311

lul

Whr/8

N

Group iastFaiJed \ LastPasswnrd Inst Change Login 7 Login / jy Membership Accounts

Memory Fragments of Private Rrossing

\

/

FOR500 j Windows ForensicAnalysis

UFIR

Thumbs.db VistalWin7 Thumbnails Recycle Bin Physical Location Timezone Wireless SS1D VISTA/Win? Network History USB Key Usage Key tdent First/Last Times User Volume Name Drive Letter Shortcut Files (LNK) P&P Event Log Account Usage (SAM) Last Login Last Failed Login Last Password Change Group Membership Account Usage (EVT) Success/Fail Logons Logon Types RDP Usage Account Logon/Authentication Rogue Local Accounts Browser Usage Memory Fragments of Private Browsing

User Comms Web-Based E-Mail E-Mail Calendar Chat and IM Chat/Webmail Memory Artifacts Download File Open/Save MRU E-Mail Skype History Program Execution UserAssist LastVisited MRU RunMRU Start->Run MU! Cache Win7/$ Jumplists Prefetch Suspicious Services (EVT) File Opening/Creation Recent Files Recent Files (*ext) Office Recent Files Shortcut Files (LNK) Win7/8 Jumplists File Knowledge XP Search ACM RU Win? Search WordWheelQuery Last Visited MRU

312

3L2

©2017 Rob Lee

I

I Part 4 U$B Device Analysis

L

Section3j

Part 6 E-Mpil Forensics Section 4



D FIR

FOR500

1

} Cciii. J

Windows Forensic Analysis

This page intentionally left blank.

©2017 Rob Lee

313

313

fORO8

F0R408

Advanced Incident Response

Windows Forensics

DIGiTAL FORENSIGS

INCIDENT RESPONSE

F0R572

Advanced Network Forensics and Analysis GNIA *

FORSJ8

Mac Forensics

ff

,

FQRSYB

j

Cyber Threat Intelligence

FOR6W

REM: Malware Analysis

A

Memory Forensics In-Depth

(

,.jj

jp

(

GCtH

Incident Response Team Management

sansforensics

dfirto/DflR1inkedIsCommunity

This page intentionally left blank.

314

Hacker Tools, Techniques, Exploits, and Incident Handling

MGTS3S

FoRsa

Advanced Smartphone Forensics GASP

© sansforensics

J J

©2OlfRobLee

dflrto/gpIussanstorensics

dlIr.no/NAILIISI

FOR%O8

-

fiji dfirto/DFIRLmnkedIn(ommunity

sansforensics

@sans1orenscs

OPERATING SYSTEM & DEVICE IN DEPTH

t71

sai

dflrioIgp1ussanslorensics

INCIDENT RESPONSE & ADVERSARY HUNTING

INCIDENT RESPONSE

Ii

I

-H

DIGITAL FORENSICS

Li

&

e1 f

Advanced Smartphone Forensics (

FORS8S

Memory Forensics In-Depth

F0R526

Mac Forensics

FOR5 8

Windows Forensics

SANSDFIN a FOR5OB

dfirso/MAII4IST

Incident Response Team Management

MGTS3S

Hacker Tools, Techniques, Exploits, and Incident Handling

SECSO4

REM: Maiware Analysis

FOR6W

Cyber Threat Intelligence

F0R578

Advanced Network Forensics and Analysis

F0R57%

Advanced Incident Response

Here is my lens.You know my methods. —Sherlock Holmes INSTRUCTOR CONTACT [email protected]

SANS INSTiUTE

twitter @ovie rlee©sans.org twitter @robtlee

8120 WoodmontAve., Suite 310

Bethesda, MD 20814 301 .654.SANS(7267)

[email protected]

twitter chadtiIbury

SANS EMAIL

i.rg GENERAL INQUIRIES: jf REGISTRATION: TUITION: Wjtjonsarg PRESS/PR presssans.org

DFIR RESOURCES digital4orensicssans.org

Twitter: @sansforensics

OFIR

FOR500

This page intentionally left blank.

316

©2017 Rob Lee

Windows

ForensicAnalysis

316