Part 1: Introduction to Computer Forensics for Windows: https://tryhackme.com/room/windowsforensics1
Microsoft Windows is by far the most used desktop operating system right now. Private users and enterprises prefer it, and it currently holds roughly 80% of the desktop market share. This means that anyone interested in Digital Forensics needs to know how to perform forensic analysis on Microsoft Windows. In this module, we will learn about the different ways we can gather forensic data from the Windows Registry and draw conclusions about the activity performed on a Windows system based on this data.
In computer forensics, forensic artifacts can be small footprints of activity left on the computer system. On a Windows system, a person's actions can be traced back quite accurately using computer forensics because of the various artifacts a Windows system creates for a given activity. These artifacts often reside in locations 'normal' users won't typically venture to. For our purposes, these artifacts can be analyzed to provide the trail of activity for an investigation.
Assuming the same build of Windows is installed on a system, excluding the actions taken during installation, the out-of-the-box experience is similar for all users. However, with time, each user personalizes their computer according to their preferences. These preferences include the Desktop layout and icons, the bookmarks in the internet browser, the name of the user, the installation of different applications, and logging in to different accounts for each of these applications and to other accounts using the internet browser.
Scenario:
One of the Desktops in the research lab at Organization X is suspected to have been accessed by someone unauthorized. Although they generally have only one user account per Desktop, there were multiple user accounts observed on this system. It is also suspected that the system was connected to some network drive, and a USB device was connected to the system. The triage data from the system was collected and placed on the attached VM. Can you help Organization X with finding answers to the questions below?
1. Objective
The objective of this lab is to provide expert knowledge about the tools used in the forensic investigation process. This includes knowledge of the following tasks:
- Recovering deleted files from the evidence
- Generating hashes and checksum files
- Calculating the MD5 value of the selected file
- Viewing files of various formats
- Handling evidence data
- Creating a disk image file of a hard disk partition
2. Solution
2.1 Preparation and Planning:
The first step is to create a plan for the investigation, including determining the scope of the investigation, identifying the individuals involved, and securing the affected systems to prevent further damage or data loss.
2.2 Collection:
The next step is to collect all relevant data and evidence related to the suspicious activity. This may include gathering logs from network devices, seizing hard drives, and analyzing email and other communication records.
- Imaging: create a bit-by-bit copy
The first step in the collection process is to create a forensic image of the digital device or media that is being investigated. This involves creating an exact copy of the device or media, including all data, file systems, and metadata. The imaging process ensures that the original evidence is preserved and can be examined without altering it.
1. List all devices:
   $ fdisk -l
2. Create an image (clone) of sdb1 (see https://www.cyberciti.biz/faq/unix-linux-dd-create-make-disk-image-commands/):
   $ sudo dd if=/dev/sdb1 of=/home/sansforensics/Desktop/cases/usb bs=128K conv=noerror,sync status=progress
Record a hash (MD5 or SHA-256) of both the source device and the resulting image file at acquisition time. Note that conv=noerror,sync pads unreadable or short blocks with zeros, so the image hash is only expected to match the source hash when every block was read cleanly.
- Dump memory using DumpIt or FTK, which we copy to USB
- Dump registry
The Windows Registry is a collection of databases that contains the system's configuration data. This configuration data can be about the hardware, the software, or the user's information. It also includes data about the recently used files, programs used, or devices connected to the system. As you can understand, this data is beneficial from a forensics standpoint.
The Windows registry consists of Keys and Values. When you open the regedit.exe utility to view the registry, the folders you see are Registry Keys. Registry Values are the data stored in these Registry Keys. A Registry Hive is a group of Keys, subkeys, and values stored in a single file on the disk.
Structure of the Registry:
The registry on any Windows system contains the following five root keys:
- HKEY_CURRENT_USER
- HKEY_USERS
- HKEY_LOCAL_MACHINE
- HKEY_CLASSES_ROOT
- HKEY_CURRENT_CONFIG
You can view these keys when you open regedit.exe.
1. Navigate to the registry key you want to export. You can expand the folders by clicking on the arrows beside them or by using the left-hand navigation pane.
2. Accessing registry hives offline.
The paths for the five main registry hives, DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM: the majority of these hives are located in the C:\Windows\System32\Config directory and are:
- DEFAULT (mounted on HKEY_USERS\DEFAULT)
- SAM (mounted on HKEY_LOCAL_MACHINE\SAM)
- SECURITY (mounted on HKEY_LOCAL_MACHINE\Security)
- SOFTWARE (mounted on HKEY_LOCAL_MACHINE\Software)
- SYSTEM (mounted on HKEY_LOCAL_MACHINE\System)
6. The Amcache Hive:
Apart from these files, there is another very important hive called the AmCache hive. This hive is located in C:\Windows\AppCompat\Programs\Amcache.hve. Windows creates this hive to save information on programs that were recently run on the system.
3. Data Acquisition
When performing forensics, we will either encounter a live system or an image taken of the system. For the sake of accuracy, it is recommended practice to image the system or make a copy of the required data and perform forensics on it. This process is called data acquisition. Below we discuss different ways to acquire registry data from a live system or a disk image:
Though we can view the registry through the registry editor, the forensically correct method is to acquire a copy of this data and perform analysis on that. However, when we go to copy the registry hives from %WINDIR%\System32\Config, we cannot because they are restricted files. So, what to do now?
For acquiring these files, we can use one of the following tools:
Autopsy:
Autopsy gives you the option to acquire data from both live systems or from a disk image. After adding your data source, navigate to the location of the files you want to extract, then right-click and select the Extract File(s) option. It will look similar to what you see in the screenshot below.
FTK Imager:
FTK Imager is similar to Autopsy and allows you to extract files from a disk image or a live system by mounting the said disk image or drive in FTK Imager. Below you can see the option to Export files as highlighted in the screenshot.
Exploring Windows Registry
Once we have extracted the registry hives, we need a tool to view these files as we would in the registry editor. Since the registry editor only works with live systems and can't load exported hives, we can use the following tools:
We can view the result using AccessData Registry Viewer or Eric Zimmerman's Registry Explorer:
Eric Zimmerman has developed a handful of tools that are very useful for performing Digital Forensics and Incident Response. One of them is the Registry Explorer. It looks like the below screenshot. It can load multiple hives simultaneously and add data from transaction logs into the hive to make a 'cleaner' hive with more up-to-date data. It also has a handy 'Bookmarks' option containing forensically important registry keys often sought by forensics investigators. Investigators can go straight to the interesting registry keys and values with the bookmarks menu item. We will explore these in more detail in the upcoming tasks.
- Dump process: using Procmon64 (how to configure Procmon64)
- Recent open files: https://ericzimmerman.github.io/#!index.md
A Jump List is engineered to allow users to "jump" to, or access, items they have frequently or recently used quickly and easily.
1. Jump Lists store critical information about files and folders that have been used in Windows. Among other things, Jump Lists contain information about the application used to open target files and folders and store metadata specific to them. That metadata contains details such as file name and location, dates and times, etc. JLECmd makes parsing this data simple and quick.
   PS C:\Users\ME\Desktop\Tool> .\JLECmd.exe -d C:\users\me\AppData\Roaming\Microsoft\Windows\Recent\ -q --csv .\
We can open the CSV file using EZViewer.
- Network Activity/Physical Location: review the SANS Windows Forensics poster
Once the data has been collected, it must be analyzed to determine what actions were taken on the system, who was responsible for those actions, and what data was accessed or stolen. This may involve analyzing files, examining system logs, and conducting searches for keywords or other indicators of suspicious activity.
1. Registry analysis
When we start performing forensic analysis, the first step is to find out about the system information. This task will cover gathering information related to a machine's System and Account information.
1.1 OS Version:
If we only have triage data to perform forensics, we can determine the OS version from which this data was pulled through the registry. To find the OS version, we can use the following registry key:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
1.2 Computer Name:
It is crucial to establish the Computer Name while performing forensic analysis to ensure that we are working on the machine we are supposed to work on. We can find the Computer Name at the following location:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
1.4 Time Zone Information:
For accuracy, it is important to establish what time zone the computer is located in. This will help us understand the chronology of the events as they happened. For finding the Time Zone Information, we can look at the following location:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
1.5 Network Interfaces and Past Networks:
The following registry key will give a list of network interfaces on the machine we are investigating:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
1.5 Autostart Programs (Autoruns):
The following registry keys include information about programs or commands that run when a user logs on:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
1.6 SAM hive and user information:
The SAM hive contains user account information, login information, and group information. This information is mainly located in the following location:
Computer\HKEY_LOCAL_MACHINE\SAM
We export the hive and open it using Registry Viewer.
1.7 Usage or knowledge of files/folders
Use FTK Imager to export C:\Windows\System32\config\software, then load the hive in Registry Viewer.
1.8 Recent Files:
Windows maintains a list of recently opened files for each user. As we might have seen when using Windows Explorer, it shows us a list of recently used files. This information is stored in the NTUSER hive and can be found at the following location:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Another interesting piece of information in this registry key is that there are different subkeys for file extensions, such as .pdf, .jpg, .docx, etc. These keys provide us with information about the last used files of a specific file extension. So if we are looking specifically for the last used PDF files, we can look at the following registry key:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pdf
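As an added example (not part of the original post or the TryHackMe room), here is how the entries under one RecentDocs extension subkey can be put back in order: the MRUListEx value is a list of little-endian DWORD indices, most recent first and terminated by 0xFFFFFFFF, and each numbered value starts with the file name as null-terminated UTF-16LE text followed by a binary shell item. The sample values below are constructed, not taken from a real hive.

```python
import struct

# Constructed sample of a RecentDocs\.pdf subkey (not taken from a real hive).
# Each numbered value holds the file name as null-terminated UTF-16LE text,
# followed by a binary shell item (the link target) that is not decoded here.
DUMMY_SHELL_ITEM = b"\x14\x00\x1f\x50\xe0\x4f\xd0\x20"  # constructed tail bytes

def _entry(name):
    return name.encode("utf-16-le") + b"\x00\x00" + DUMMY_SHELL_ITEM

SAMPLE_VALUES = {
    "0": _entry("budget_2023.pdf"),
    "1": _entry("lab_notes.pdf"),
    "2": _entry("visitor_badge.pdf"),
    # MRUListEx: DWORD indices, most recent first, 0xFFFFFFFF terminator.
    # Index 5 has no matching value (stale entry) and must be skipped.
    "MRUListEx": struct.pack("<5I", 2, 0, 5, 1, 0xFFFFFFFF),
}

def parse_recentdocs_name(data):
    """Return the file name stored at the start of a RecentDocs value."""
    end = 0
    # Scan aligned 2-byte units for the UTF-16LE null terminator.
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[:end].decode("utf-16-le", errors="replace")

def parse_mrulistex(data):
    """Return the value indices in most-recently-used order."""
    order = []
    usable = len(data) - len(data) % 4          # ignore a trailing partial DWORD
    for (idx,) in struct.iter_unpack("<I", data[:usable]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def recent_docs_in_order(values):
    """Resolve MRUListEx against the numbered values, newest first."""
    names = []
    for idx in parse_mrulistex(values.get("MRUListEx", b"")):
        blob = values.get(str(idx))
        if blob is not None:                    # skip indices with no value
            names.append(parse_recentdocs_name(blob))
    return names

if __name__ == "__main__":
    for name in recent_docs_in_order(SAMPLE_VALUES):
        print(name)
```

On a real hive, feed the same functions the raw value data read with a hive parser such as python-registry; the MRU order, not the numeric value name, is what tells you which document was opened last.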
1.8 Last folder opened (ShellBags):
When any user opens a folder, it opens in a specific layout. Users can change this layout according to their preferences. These layouts can be different for different folders. This information about the Windows 'shell' is stored and can identify the Most Recently Used files and folders. Since this setting is different for each user, it is located in the user hives. We can find this information at the following locations:
1.9/1.10 Open/Save and LastVisited Dialog MRUs:
When we open or save a file, a dialog box appears asking us where to save or open that file from. It might be noticed that once we open/save a file at a specific location, Windows remembers that location. This implies that we can find out recently used files if we get our hands on this information. We can do so by examining the following registry keys:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
2. Evidence of Execution
2.1 UserAssist:
Windows keeps track of applications launched by the user using Windows Explorer for statistical purposes in the User Assist registry keys. These keys contain information about the programs launched, the time of their launch, and the number of times they were executed. However, programs that were run using the command line can't be found in the User Assist keys. The User Assist key is present in the NTUSER hive, mapped to each user's GUID. We can find it at the following location:
NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count
2.2 Last file open and actions (AmCache):
The AmCache hive is an artifact related to ShimCache. This performs a similar function to ShimCache, and stores additional data related to program executions. This data includes execution path, installation, execution and deletion times, and SHA1 hashes of the executed programs. This hive is located in the file system at:
C:\Windows\appcompat\Programs\Amcache.hve
2.3 BAM: saves the full path of the executed programs
Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam
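The UserAssist (2.1) and BAM (2.3) artifacts both answer "what ran, and when", so here is one added example (not from the original post or from any tool the post mentions) that decodes a constructed entry of each. It assumes the Windows 7+ 72-byte UserAssist Count layout (run counter at offset 4, focus counter at offset 8, last-execution FILETIME at offset 60, value name ROT13-obfuscated) and a 24-byte BAM value whose first 8 bytes are the last-execution FILETIME; the sample timestamps and paths are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def decode_userassist(value_name, data):
    """Decode one UserAssist\\{GUID}\\Count entry (Windows 7+ 72-byte layout)."""
    if len(data) < 68:
        raise ValueError("Count data too short for the Windows 7+ layout")
    run_count = struct.unpack_from("<I", data, 4)[0]     # offset 4: run counter
    focus_count = struct.unpack_from("<I", data, 8)[0]   # offset 8: focus counter
    last_run_ft = struct.unpack_from("<Q", data, 60)[0]  # offset 60: last execution FILETIME
    return {
        "program": codecs.decode(value_name, "rot_13"),  # value names are ROT13-obfuscated
        "run_count": run_count,
        "focus_count": focus_count,
        # A zero FILETIME means no execution time was recorded.
        "last_run_utc": filetime_to_utc(last_run_ft) if last_run_ft else None,
    }

def decode_bam(value_name, data):
    """Decode one bam\\State\\UserSettings\\{SID} value: path -> last execution time."""
    if len(data) < 8:
        raise ValueError("BAM data too short to hold a FILETIME")
    return {"program": value_name,
            "last_run_utc": filetime_to_utc(struct.unpack_from("<Q", data, 0)[0])}

# Constructed sample values (not from a real hive): 2023-03-15 10:30:00 UTC as a FILETIME.
SAMPLE_FT = (datetime(2023, 3, 15, 10, 30, tzinfo=timezone.utc) - EPOCH_1601) // timedelta(microseconds=1) * 10
SAMPLE_USERASSIST_NAME = codecs.encode(r"C:\Tools\notepad++.exe", "rot_13")
SAMPLE_USERASSIST_DATA = (
    struct.pack("<IIII", 0, 7, 3, 5000)   # session, run count, focus count, focus time (ms)
    + b"\x00" * 44                        # ten floats + 4 unknown bytes (offsets 16-59)
    + struct.pack("<Q", SAMPLE_FT)        # last execution FILETIME at offset 60
    + b"\x00" * 4                         # trailing bytes (offsets 68-71)
)
SAMPLE_BAM_DATA = struct.pack("<Q", SAMPLE_FT) + b"\x00" * 16   # constructed 24-byte BAM value

if __name__ == "__main__":
    print(decode_userassist(SAMPLE_USERASSIST_NAME, SAMPLE_USERASSIST_DATA))
    print(decode_bam(r"\Device\HarddiskVolume2\Tools\notepad++.exe", SAMPLE_BAM_DATA))
```

Both timestamps are UTC, so apply the bias from TimeZoneInformation (section 1.4) before placing them on a local timeline.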
2.4 External Devices/USB device forensics
2.4.1 Device identification:
The following locations keep track of USB keys plugged into a system. These locations store the vendor id, product id, and version of the USB device plugged in and can be used to identify unique devices. These locations also store the time the devices were plugged into the system.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
- Note: we connected 2 USB devices.
- The serial number of the device from the manufacturer SanDisk.
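As an added example (not part of the original post), the USBSTOR subkey names themselves carry the vendor, product, revision and serial, and the parser below pulls them apart and applies the check every examiner wants: if the second character of the serial is '&', the device did not report a serial number and Windows generated one, so the value cannot tie the evidence to a specific physical stick. The key paths are constructed samples, not taken from a real system.

```python
import re

# Constructed USBSTOR subkey paths (not from a real system). Under
# SYSTEM\CurrentControlSet\Enum\USBSTOR each device key is named
# Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>, and each instance key
# beneath it is the serial number reported by the device followed by "&<n>".
SAMPLE_KEYS = [
    r"Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230518101234&0",
    r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a4f6b3c&0&_&0",
]

DEVICE_KEY_RE = re.compile(
    r"^Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^&]*)$"
)

def parse_usbstor_path(path):
    """Split a USBSTOR device\\instance path into its identifying fields."""
    device_key, _, instance = path.rpartition("\\")
    match = DEVICE_KEY_RE.match(device_key)
    if not match:
        raise ValueError("not a USBSTOR device key: " + repr(device_key))
    # The instance ID ends in "&<n>"; everything before that is the serial.
    serial = instance.rsplit("&", 1)[0]
    # If the second character of the serial is '&', the device did not report a
    # serial number and Windows generated this ID, so it is specific to this
    # host and cannot be used to track the physical device across systems.
    generated_by_windows = len(serial) > 1 and serial[1] == "&"
    return {
        "vendor": match["vendor"],
        "product": match["product"],      # underscores stand in for spaces
        "revision": match["revision"],
        "serial": serial,
        "device_reported_serial": not generated_by_windows,
    }

if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        print(parse_usbstor_path(key))
```

The first-connection time the text mentions is not in the key name; it comes from the last-write timestamp of the instance key, which a hive parser exposes separately.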
- KAPE is a forensics tool used to extract Windows forensic artifacts such as the registry, event logs and web activity from a live system, mounted image or target data source.
- How it works:
  1. Collect data (from a live system, mounted image or target data source).
  2. Parse (process) artifacts through modules (a module is a tool used to process artifacts).
  3. Run GKAPE or KAPE on the command line.
- Compound targets: these are Targets that are compounds of multiple other Targets. Examples of Compound Targets include !BasicCollection, !SANS_triage and KAPEtriage.
- The bin directory contains executables that we want to run on the system but are not natively present on most systems. KAPE will run executables either from the bin directory or the complete path. An example of files to be kept in the bin directory are Eric Zimmerman's tools.
- KAPE GUI:
  - The Flush checkbox will delete all the contents of the Target destination.
  - Add %d will append date info to the directory name where the collected data is saved.
  - Add %m will append machine info to the Target destination directory. We can select our desired Target from the list shown above.
  - The Search bar helps us search for the names of the desired Targets quickly.
  - The %d option has to be checked to append date and time information to the triage folder name.
  - The %m option needs to be checked to add machine information to the triage folder name.
  - Example: collect triage data using the KAPETriage package and process it using !EZParser.