Windows - Forensics Building Lab and Essential Investigation

Windows Forensic tools and processes are discussed including: 1. Installing Ubuntu in Windows Server 2019 and creating a username and password. 2. Installing forensic tools like Arsenal Image Mounter, KAPE, Eric Zimmerman tools, and RegRipper on Windows Server 2019. 3. Acquiring memory and disk images from a target Windows 10 system, and examining the data using tools like Arsenal Image Mounter, KAPE, Registry Explorer, and RegRipper. 4. Analyzing registry hives, user accounts, shellbags, MFT records, and MACB timestamps to gather information about the target system.

Uploaded by nicolasv

Windows Forensic

1. Run this command in PowerShell on Server 2019.
2. Convert the downloaded Ubuntu file to a zip file and extract it in the Downloads folder.
3. Open PowerShell and run this command; the Ubuntu installation then starts.
4. Create a username (forensic) and a password (Admin@123, or any other).
5. Ubuntu now starts on Server 2019.
   Run this command in PowerShell on the Windows 10 target machine as well, install Ubuntu from the Microsoft Store, and create a username and password.
6. Open Server 2019 and change the following settings:
   Settings > Date and time > select (UTC) Coordinated Universal Time.
   Go to the C: drive and create two folders, Cases and Tools.
   Settings > Virus and threat protection: turn it off, turn off Cloud-delivered protection, then under Exclusions click Add and select the Cases and Tools folders one by one. Then create a snapshot.

7. Install the tools in Server 2019 for Windows forensics.

1. Download Arsenal Image Mounter - https://arsenalrecon.com/downloads
2. Download the KAPE tool - https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape
3. Download the Eric Zimmerman tools - https://ericzimmerman.github.io/#index.md
4. Download the RegRipper tool - https://github.com/keydet89/RegRipper3.0
5. Download Event Log Explorer - https://eventlogxp.com/
6. Download Notepad++ - https://notepad-plus-plus.org/downloads/
Copy all tools into the C:\Tools folder.
Install the Event Log Explorer and Notepad++ setups.
Go to C:\Tools\Get-ZimmermanTools, open PowerShell and run:
.\Get-ZimmermanTools.ps1 -NetVersion 4
This command installs all of the Eric Zimmerman tools; all tools are shown here.
8. Install the Windows 10 Enterprise version as the target system and create a snapshot. https://bluecapesecurity.com/prepare-your-target-system/
Go to Settings > Windows Update > Advanced options > turn updates off.
Virus and threat protection > Manage settings > turn off Real-time protection and Cloud-delivered protection.
Attack script preparation: go to the URL https://github.com/bluecapesecurity/PWF, download the zip file and extract it.
Two scripts are executed here:
1. Sysmon script - C:\users\denisha\Desktop\PWF-main\PWF-main\Install-Sysmon > open PowerShell as Administrator > .\Install-Sysmon.ps1
2. ART attack script - C:\users\denisha\Desktop\PWF-main\PWF-main\AtomicRedTeam > open PowerShell as Administrator > .\ART-attack.ps1
Sysmon script run
ART attack script
Data Collection
Data Collection
9. Memory acquisition of the target system

Steps for memory acquisition:

1. Create an Evidence folder on the main PC.
2. Go to C:\Users\Documents\Evidence, open cmd and run "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"
3. SET PATH=%PATH%;"C:\Program Files\Oracle\VirtualBox"
4. vboxmanage.exe
5. vboxmanage list vms
6. vboxmanage debugvm <target machine id> dumpvmcore --filename win10-memory.raw
7. certutil -hashfile win10-memory.raw > win10-memory-hash.txt
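The hash recorded in step 7 is only useful if it is checked again later, after the image has been copied to the forensic workstation. The following is an added example (not part of the original lab notes) that re-hashes an image and compares it with the text certutil wrote. It assumes the hash file has certutil's layout (a header line naming the algorithm and file, the digest on the next line, a completion line) and notes that certutil without an algorithm argument writes SHA1, so the algorithm is taken from the header rather than assumed. The sample image and hash file are constructed in a temporary directory.

```python
"""Verify an acquired image against the hash file written by certutil.

Added example, not part of the original lab notes. Expected hash-file layout
(what certutil -hashfile prints):

    SHA256 hash of win10-memory.raw:
    <hex digest>
    CertUtil: -hashfile command completed successfully.
"""
import hashlib
import os
import re
import tempfile

_HEADER = re.compile(r"^(?P<alg>[A-Za-z0-9]+) hash of (?P<name>.+?):\s*$")


def parse_certutil_hashfile(text):
    """Return (algorithm, file name, hex digest) from certutil's output text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    m = _HEADER.match(lines[0]) if lines else None
    if m is None or len(lines) < 2:
        raise ValueError("not a certutil -hashfile output")
    # Older certutil versions print the digest with spaces between bytes.
    digest = lines[1].replace(" ", "").lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError("digest line is not hexadecimal")
    return m.group("alg").lower(), m.group("name"), digest


def hash_file(path, algorithm, chunk_size=1 << 20):
    """Stream the file through hashlib; memory images are large, so never read() it whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image_path, hashfile_path):
    """True when the image's current digest equals the one recorded at acquisition."""
    with open(hashfile_path, "r", encoding="utf-8", errors="replace") as f:
        algorithm, _name, recorded = parse_certutil_hashfile(f.read())
    return hash_file(image_path, algorithm) == recorded


def demo():
    """Constructed sample: a tiny stand-in image, its certutil-style hash file, then a tampered copy."""
    d = tempfile.mkdtemp()
    image = os.path.join(d, "win10-memory.raw")
    with open(image, "wb") as f:
        f.write(b"MEMORY IMAGE SAMPLE " * 1000)   # constructed, not a real dump
    digest = hash_file(image, "sha256")
    hashfile = os.path.join(d, "win10-memory-hash.txt")
    with open(hashfile, "w", encoding="utf-8") as f:
        f.write(f"SHA256 hash of win10-memory.raw:\n{digest}\n"
                "CertUtil: -hashfile command completed successfully.\n")
    intact = verify_image(image, hashfile)
    with open(image, "r+b") as f:            # flip one byte: the copy no longer matches
        f.seek(10)
        f.write(b"X")
    tampered = verify_image(image, hashfile)
    return intact, tampered


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Run the same check on the disk image from step 10 and keep the result next to the hash file in the Evidence folder; a mismatch after a copy means the copy, not the original, must be discarded.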
10. Disk acquisition of the target system
Data Examination
Mounting the disk image with Arsenal Image Mounter
You can enter the target system's hard disk.
Open Arsenal Image Mounter.
Select the disk of the target machine.
The hard disk of the target system is shown in the forensic workstation and all of its data can be viewed.
Creating a triage data collection with the KAPE tool
Using the KAPE tool, store the permanent data of the target system on the forensic workstation.
All data is stored in the Cases folder.
The hard disk data is shown in the Cases folder.
Disk Analysis Process
Go to the link and download the materials.
https://github.com/bluecapesecurity/PWF/blob/main/Resources/Analysis-Notes-Template.docx
Windows Registry

The registry, or Windows registry, is a database of information, settings, options, and other values for the software and hardware installed on all versions of the Microsoft Windows operating systems. When a program is installed, a new subkey is created in the registry. This subkey contains settings specific to that program, such as its location, version, and primary executable.
Registry Explorer with Eric Zimmerman Tools
Go to this path and open Registry Explorer.
Go to this path and load all registry hives in Registry Explorer.
Using the SOFTWARE hive, gather information about the current version of the OS.
Using the SYSTEM hive, gather information about the computer name of the target system.
Gathering system information with RegRipper

Follow these steps for RegRipper:

1. Go to C:\Tools\RegRipper\ > open cmd > dir > rip.exe
2. Create a folder named Analysis on the C: drive, and a Registry folder inside Analysis.
3. Copy the hive files into the Analysis\Registry folder:
C:\Cases\F\Windows\system32\config - DEFAULT, SAM, SECURITY, SOFTWARE, SYSTEM
C:\Cases\F\users\Denisha - NTUSER.DAT
C:\Cases\F\users\Denisha\AppData\Local\Microsoft\Windows\ - UsrClass.dat
4. Back in cmd, type rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p winver
5. rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p nic2
6. rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p timezone
7. rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p shutdown
8. rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p defender
Go to this path and open cmd.
Use plugins to gather more details:
The winver plugin shows details about the Windows version.
The timezone plugin gives details about the time zone.
The nic2 plugin gives details about the network card.
The shutdown plugin gives the last shutdown time of the target system.
The defender plugin gives details about Microsoft Defender.

Parsing registry hives in bulk with RegRipper

1. Go to the Registry folder location > open cmd > dir > attrib * > attrib -h NTUSER.DAT > attrib -h UsrClass.dat
2. for /r %i in (*) do (C:\Tools\RegRipper\rip.exe -r %i -a > %i.txt)
3. A text file for each hive is created automatically in the Registry folder; select all of the files, open them with Notepad++ and review all details of the target system.
Execute the command to create the text files of the registry hives.
All text files of the registry hives are shown.
Open any file with Notepad++ and collect all details about that particular hive.
Any information can be found using the plugins.
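Hives copied from a running system, as KAPE does above, are frequently "dirty": the latest writes still sit in the .LOG1/.LOG2 transaction logs, which is why Registry Explorer asks for those logs when it loads a hive, while RegRipper parses the file as it is. The following added example (not part of the original notes, and not RegRipper's or Registry Explorer's code) reads the 512-byte REGF base block of a hive file to report that dirty state, the hive's last-written time and its header checksum before the hive is handed to either tool. The field offsets follow the documented REGF header layout; the sample hives are constructed in the block and carry no hive bins.

```python
"""Inspect the base block of a raw registry hive before parsing it.

Added example, not from the original lab notes or from RegRipper / Registry
Explorer. A hive whose primary and secondary sequence numbers differ was
not cleanly flushed: its transaction logs must be replayed to see the most
recent keys. Offsets follow the REGF base block layout; samples are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_FILETIME = 133170048000000000      # 2023-01-01 00:00:00 UTC as FILETIME


def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01) -> aware UTC datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)


def regf_checksum(base_block):
    """XOR of the first 127 DWORDs; 0 and 0xFFFFFFFF are remapped the way Windows does."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return 1 if x == 0 else x


def parse_base_block(data):
    """Return the forensic-relevant header fields of a hive file (first 512 bytes)."""
    if len(data) < 512 or data[:4] != b"regf":
        raise ValueError("not a REGF hive")
    (seq1, seq2, ft, major, minor, ftype, fformat, root, bins_size) = struct.unpack_from(
        "<IIQIIIIII", data, 4)
    name = data[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", data, 508)[0]
    return {
        "primary_seq": seq1,
        "secondary_seq": seq2,
        "dirty": seq1 != seq2,                  # True: replay .LOG1/.LOG2 before trusting the hive
        "last_written_utc": filetime_to_utc(ft).isoformat(),
        "version": f"{major}.{minor}",
        "file_type": ftype,                     # 0 = primary hive file
        "root_cell_offset": root,
        "hbins_size": bins_size,
        "embedded_name": name,
        "checksum_ok": stored == regf_checksum(data[:512]),
    }


def build_sample_hive(primary_seq, secondary_seq, name, filetime):
    """Constructed 512-byte base block (no hive bins), for demonstration only."""
    hdr = bytearray(512)
    hdr[0:4] = b"regf"
    # seq1, seq2, last written, major 1, minor 5, type 0, format 1, root cell, bins size, cluster
    struct.pack_into("<IIQIIIIIII", hdr, 4, primary_seq, secondary_seq, filetime,
                     1, 5, 0, 1, 0x20, 0x1000, 1)
    hdr[48:112] = name.encode("utf-16-le")[:64].ljust(64, b"\x00")
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    return bytes(hdr)


if __name__ == "__main__":
    clean = build_sample_hive(7, 7, "SOFTWARE", SAMPLE_FILETIME)
    dirty = build_sample_hive(9, 8, "SYSTEM", SAMPLE_FILETIME)
    for hive in (clean, dirty):
        print(parse_base_block(hive))
```

Running parse_base_block over every file collected into the Registry folder (read the first 512 bytes of each) tells you which hives need their logs before the RegRipper loop above is run, and the embedded name confirms which hive a file really is when it was renamed during collection.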
User Accounts and SIDs Overview
Analysis of user accounts, groups and profiles
Load all hives in Registry Explorer, open the SAM hive and click on the Users folder.
Open this file in Timeline Explorer.
Go to the Get-ZimmermanTools folder, find Timeline Explorer and open it.
Details about the target system's users are shown.
Open the SAM file with Notepad++.
The user details are shown using Notepad++.
RecentDocs Analysis

Information about the files that were recently opened or saved, and the folders that were opened, is maintained in the RecentDocs registry key.

Load the NTUSER.DAT hive in Registry Explorer and open RecentDocs.
Open Registry Explorer and load the NTUSER.DAT file.
Open the NTUSER.DAT file in Notepad++.
ShellBags Analysis

Analysis of shellbags is useful as it can help build a broader picture of an investigation, providing indications of activity, acting as a history of directory items that may since have been removed from a system, or even as evidence of access to removable devices that are no longer attached. Malicious activity can be recorded there as well.
Open the UsrClass.txt file with Notepad++.
Open ShellBagsExplorer
Go to this path and open ShellBags Explorer.
Load the UsrClass.dat file.
The output is shown.
NTFS - File System Analysis

NT File System (NTFS), also sometimes called the New Technology File System, is the process that the Windows NT operating system uses for storing, organizing, and finding files on a hard disk efficiently.
MFT (Master File Table) records

The Master File Table (MFT, or $MFT) can be considered one of the most important files in the NTFS file system. It keeps records of all files in a volume, the files' location in the directory tree, the physical location of the files on the drive, and file metadata.
Analysis of MFT Records with MFTECmd

The $MFT file is shown in the Cases folder. This file is used in the MFT record analysis.
Open MFTExplorer in cmd.
You can go to the Get-ZimmermanTools path, open cmd and type this command for help.
All options you can use in the analysis are shown.
Using this command, gather information about this file.
MFT parsing and in-depth analysis with MFTECmd

Using this command, all MFT file entries are stored in one file (MFT.csv); then open it with Timeline Explorer to show the details.
The MFT1 file is shown in the NTFS folder; open it with Timeline Explorer.
You can look for any malicious activity and show its details. Here we find the PWF-main script, because it was run on the target system.
MACB Timestamps Analysis

When you analyze the MFT file, all timestamps are shown: modification time, access time, change time and creation time, known together as MACB.
M - Modified
A - Accessed
C - Changed (last change of the $MFT record)
B - Birth / Creation
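MFTECmd's CSV carries each of these four timestamps twice, once from $STANDARD_INFORMATION ($SI, the set Explorer shows) and once from $FILE_NAME ($FN). The following added example (not part of the original notes, and not MFTECmd's code) decodes FILETIME values into UTC, expands one record into MACB timeline rows, and flags the $SI/$FN inconsistencies an analyst looks for: user-mode timestamp manipulation normally rewrites only $SI, so a $SI creation time earlier than the $FN creation time, or $SI timestamps with no sub-second part, deserves a closer look. The records and their field names are constructed; map them onto the corresponding MFTECmd columns when using real output.

```python
"""MACB comparison across $STANDARD_INFORMATION and $FILE_NAME.

Added example, not from the original lab notes or from MFTECmd. Records are
constructed; the SI_/FN_ field names are this example's own, not MFTECmd's.
"""
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FT_2023 = 133170048000000000            # 2023-01-01 00:00:00 UTC as FILETIME
FT_2015 = 130645440000000000            # 2015-01-01 00:00:00 UTC as FILETIME


def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01) -> aware UTC datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)


def macb(rec, prefix):
    """The four timestamps of one attribute set, keyed M, A, C, B."""
    return {
        "M": filetime_to_utc(rec[prefix + "Modified"]),
        "A": filetime_to_utc(rec[prefix + "Accessed"]),
        "C": filetime_to_utc(rec[prefix + "RecordModified"]),
        "B": filetime_to_utc(rec[prefix + "Created"]),
    }


def timestomp_indicators(rec):
    """List the $SI/$FN inconsistencies in one record (empty list = nothing odd)."""
    si, fn = macb(rec, "SI_"), macb(rec, "FN_")
    findings = []
    if si["B"] < fn["B"]:
        findings.append("$SI created before $FN created")
    if si["M"] < fn["M"]:
        findings.append("$SI modified before $FN modified")
    # Genuine NTFS timestamps nearly always carry sub-second ticks; many
    # timestamp-altering tools can only set whole seconds.
    if all(rec["SI_" + k] % 10_000_000 == 0 for k in ("Created", "Modified")):
        findings.append("$SI timestamps have zero sub-second component")
    return findings


def to_rows(rec):
    """Flatten one record into timeline rows (time, attribute, MACB letter, name), sorted by time."""
    rows = []
    for attr in ("SI", "FN"):
        for letter, when in macb(rec, attr + "_").items():
            rows.append((when.isoformat(), "$" + attr, letter, rec["FileName"]))
    return sorted(rows)


# Constructed records: an untouched document, and an executable whose $SI
# timestamps were pushed back to a round 2015 date while $FN kept 2023.
RECORDS = [
    {"FileName": "report.docx",
     "SI_Created": FT_2023 + 1_234_567, "SI_Modified": FT_2023 + 60_054_321,
     "SI_Accessed": FT_2023 + 70_000_000, "SI_RecordModified": FT_2023 + 60_054_321,
     "FN_Created": FT_2023 + 1_234_567, "FN_Modified": FT_2023 + 1_234_567,
     "FN_Accessed": FT_2023 + 1_234_567, "FN_RecordModified": FT_2023 + 1_234_567},
    {"FileName": "svchost.exe",
     "SI_Created": FT_2015, "SI_Modified": FT_2015, "SI_Accessed": FT_2015,
     "SI_RecordModified": FT_2023 + 9_876_543,
     "FN_Created": FT_2023 + 5_000_000, "FN_Modified": FT_2023 + 5_000_000,
     "FN_Accessed": FT_2023 + 5_000_000, "FN_RecordModified": FT_2023 + 5_000_000},
]


def scan(records=RECORDS):
    """Map file name -> indicators, for every record that has at least one."""
    result = {}
    for rec in records:
        findings = timestomp_indicators(rec)
        if findings:
            result[rec["FileName"]] = findings
    return result


if __name__ == "__main__":
    for name, why in scan().items():
        print(name, why)
    for row in to_rows(RECORDS[1]):
        print(row)
```

Note that the $SI record-modified (C) time of the stomped sample still sits in 2023: changing the other $SI fields is itself an update to the MFT record, which is why the C timestamp is worth reading alongside the three the user normally sees.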
Finding evidence of deleted files with USN Journal analysis

Open MFTECmd.
This file is used for the journaling part.
Open MFTECmd.
Using this command, all journal entries are stored in one folder.
Two files are created automatically; gather the information about deleted files from them.
Evidence of Execution
1. BAM (Background Activity Moderator)

Load the SYSTEM hive in Registry Explorer.
Open the SYSTEM.txt file with Notepad++.
2. AppCompatCache Analysis / Shimcache

The Shimcache is a Windows registry entry that records metadata about executed applications, including timestamps and filenames.
Using this location, open this file in cmd.
Go to AppCompatCacheParser.exe in cmd.
Create an Execution folder in Analysis, run this command and store the output in the Execution folder.
The file is shown in the Execution folder.
The output is shown in Timeline Explorer.
Open the SYSTEM hive with Notepad++.
3. Analyzing the Amcache with AmcacheParser

Amcache.hve is a Windows system file that is created to store information related to program executions. The artifacts in this file can serve as a huge aid in an investigation: it records the processes recently run on the system and lists the paths of the files executed.
Load Amcache.hve in Registry Explorer.
The Launch VM feature is disabled.
Go to the target system, download AmcacheParser from the link https://ericzimmerman.github.io/#!index.md and open cmd with Run as Administrator.
All files are created in the Amcache folder. Copy the Amcache folder to the main PC, open it with Excel and show the output.
Paste all files on the main PC.
All files are shown on the main PC and opened with Excel.
Amcache entry
Open Task Scheduler, click Application Experience and run the task manually.
Save the files in the Amcache2 folder and open them with Excel.
The output is updated.
4. Windows Prefetch Analysis

Accessing prefetch files for forensic analysis. A digital forensic investigation often aims to determine the activities of a user on a computer. Prefetch files are an important type of evidence, which provide detailed information about the programs that were run on a computer.
On the Windows 10 target system, many prefetch files are available in this path.
Open the PECmd tool and type the command for a particular application.
5. Windows Prefetch Timeline Analysis
With this command, all prefetch files are stored in a specific folder; open the result with Timeline Explorer.
Open this file in Timeline Explorer.
All prefetch files are shown with their times.
Autorun Keys Analysis

Autorun and Run keys are registry entries that allow programs to execute automatically when a device is connected or a user logs on. Malicious actors can use them to launch malware, bypass security controls, and maintain persistence on compromised hosts.
You can load the NTUSER hive in Registry Explorer and then search for "run".
You can load the SOFTWARE hive in Registry Explorer, search for "run" and show the autorun activity.
Open the NTUSER hive with Notepad++.
Find the Run key in all current documents.
Find the Run key in the SOFTWARE hive in all current documents.
Startup Folder Analysis

Two locations are mentioned for the startup folder:

1. C:\Cases\F\ProgramData\Microsoft\Windows\Start Menu
2. C:\Cases\F\Users\Denisha\AppData\Roaming\Microsoft\Windows
Open the given file location with Ubuntu Linux, using the mnt directory; show the mnt.csv file and use grep to show the startup folders and scripts.
The .bat script on the target system is shown.
Windows Services
A Windows service is an application that usually serves a core operating system function, running in the background with no user interface.
Load the SYSTEM hive in Registry Explorer.
Open the SYSTEM hive with Notepad++, find the services on the target system and show the given output.
Detecting and Analyzing Scheduled Tasks

Load the SOFTWARE hive in Registry Explorer and click TaskCache, then click Tasks.
Open cmd as Administrator and type this command.
Open the SOFTWARE hive with Notepad++, search for TaskCache and show the result.
Analysis with the Sysinternals Autoruns tool
Autoruns for Windows - Sysinternals | Microsoft Learn

The Autoruns tool is used to detect and analyze autorun entries, such as files affected by malware or viruses and files that run at boot time.

Download the tool from the Microsoft website.
Open the tool with Run as Administrator.
All autorun entries are shown, such as malware and virus files and boot-load files.
Event Log Analysis

The main purpose of the event logs is to provide information to administrators and users. They are structured in five levels (information, warning, error, critical, and success/failure audit). In terms of forensic analysis, this is a valuable source for understanding the course of actions on a system.
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

Enter the event ID and the details are shown.
Analyzing Windows event logs with Event Log Explorer and EvtxECmd

All event logs of the target system are shown.
Open Event Log Explorer and load the first event log.
Open the command-line tool EvtxECmd.
Create the Event log folder in the Analysis folder, then execute this command.
All event output is shown in this file.
The output is shown.
1. Windows Event Logs Defender Analysis
Source                               Event ID   Description
Microsoft-Windows-Windows Defender   5000       Defender enabled
                                     5001       Defender disabled

Load the Windows Defender log in Event Log Explorer.
The output of the Windows Defender log is shown.
Filter the particular log as required.
2. System Log Analysis
Source    Event ID   Description
System    7045       A new service was installed

Load the System log in Event Log Explorer.
Click this icon.
Description of the attack script.
3. Security and Authentication Event Logs
Source      Event ID   Description
Security    4624       An account was successfully logged on

Click the Security event log and load it in Event Log Explorer.
Click this icon to filter by event ID.
Fill in the event ID and description as required.
All details about this event log are shown.
4. Authentication & Logon IDs

Event ID 4624 is used for logon details. By filtering on it we can see all logon details; logons with the same details at the same time can still have different logon IDs. If the event log is viewed by filtering on the logon ID, it will show any malicious activity, such as a user joining the Administrators group, a user being created, or another user changing the credential details.
Filter with the logon ID.
The same logon ID shows different details.
5. Windows Event Logs PowerShell overview, analysing malicious activity
Source               Event ID   Description
Windows PowerShell   400        Engine state is changed from None to Available

Windows PowerShell stores logs about command-based execution, such as running any script or installing any application.
Load the Windows PowerShell logs in Event Log Explorer.
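The filtering done by hand in Event Log Explorer in sections 1 to 5 (pick an Event ID, then follow one Logon ID) is easy to repeat over EvtxECmd's CSV output. The following added example (not part of the original notes, and not EvtxECmd's or Event Log Explorer's code) groups 4624 events by Logon ID and then lists the other watched events (400, 5001, 7045) that fall between a given session's logon and the next logon of any session, which is the "what happened right after this logon" question the notes raise. The CSV is constructed with a simplified column layout (TimeCreated, Channel, Provider, EventId, LogonId, Details); the real EvtxECmd CSV has more columns, so adjust the names when applying it to real output.

```python
"""Filter and correlate event log rows by Event ID and Logon ID.

Added example, not from the original lab notes or from EvtxECmd / Event Log
Explorer. The CSV and its column names are constructed for this example.
Only Event IDs mentioned in the notes are used.
"""
import csv
import io
from collections import defaultdict

SAMPLE_CSV = """TimeCreated,Channel,Provider,EventId,LogonId,Details
2023-01-01T09:00:01Z,Security,Microsoft-Windows-Security-Auditing,4624,0x3e7,Logon type 5 SYSTEM
2023-01-01T09:15:10Z,Security,Microsoft-Windows-Security-Auditing,4624,0x5a2c1,Logon type 2 denisha
2023-01-01T09:16:00Z,Windows PowerShell,PowerShell,400,,Engine state is changed from None to Available
2023-01-01T09:17:30Z,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,5001,,Defender disabled
2023-01-01T09:18:05Z,System,Service Control Manager,7045,,A new service was installed
2023-01-01T09:20:00Z,Security,Microsoft-Windows-Security-Auditing,4624,0x5a2c1,Logon type 2 denisha
2023-01-01T10:00:00Z,Security,Microsoft-Windows-Security-Auditing,4624,0x7b9f0,Logon type 10 denisha
"""

# Event IDs from the notes and what they mean for triage.
WATCHED = {
    "4624": "An account was successfully logged on",
    "7045": "A new service was installed",
    "5001": "Defender disabled",
    "400": "PowerShell engine state changed to Available",
}


def load_rows(text):
    """Parse the CSV into dicts, keeping only rows whose Event ID is in WATCHED."""
    return [r for r in csv.DictReader(io.StringIO(text)) if r["EventId"] in WATCHED]


def by_event_id(rows, event_id):
    """Rows for one Event ID (the filter icon in Event Log Explorer)."""
    return [r for r in rows if r["EventId"] == str(event_id)]


def logons_by_session(rows):
    """Group 4624 events by Logon ID: one Logon ID ties later activity to one session."""
    sessions = defaultdict(list)
    for r in by_event_id(rows, 4624):
        sessions[r["LogonId"]].append(r["TimeCreated"])
    return dict(sessions)


def activity_after_logon(rows, logon_id):
    """Watched non-logon events between each 4624 of this Logon ID and the next 4624 of any session.

    ISO-8601 timestamps in UTC sort correctly as strings, so no date parsing is needed.
    """
    ordered = sorted(rows, key=lambda r: r["TimeCreated"])
    found = []
    collecting = False
    for r in ordered:
        if r["EventId"] == "4624":
            collecting = r["LogonId"] == logon_id
        elif collecting:
            found.append((r["TimeCreated"], r["EventId"], WATCHED[r["EventId"]]))
    return found


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for logon_id, times in logons_by_session(rows).items():
        print(logon_id, times)
        for when, eid, meaning in activity_after_logon(rows, logon_id):
            print("   ", when, eid, meaning)
```

In the constructed data the interactive session 0x5a2c1 is followed by a PowerShell engine start, Defender being disabled and a new service, in that order; the SYSTEM logon 0x3e7 has nothing attributed to it. That ordering, not any single event, is what makes the session worth a closer look.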
Memory Analysis

Setting up Volatility3 in Ubuntu

To set up Volatility3 in Ubuntu, open the link https://bluecapesecurity.com/build-your-forensic-workstation/
The instructions for the Linux-based tools are shown.
What is Memory Analysis

Memory forensics (sometimes referred to as memory analysis) refers to the analysis of volatile data in a computer's memory dump. Information security professionals conduct memory forensics to investigate and identify attacks or malicious behaviors that do not leave easily detectable tracks on hard drive data.
Copy the target machine's memory image from the host system and paste it into Cases > Analysis > create a memory folder > paste it here.
Open Ubuntu Linux and go to the path where the memory image file was pasted.
Gathering Windows system information with Volatility3

Type the command for Volatility help; all plugins for the different operating systems are shown. We use the windows.info plugin.
Type this command to show the result.
Using the pstree plugin, list how many services are running.
Using the pslist plugin, gather information by PID.
The services for each individual PID are shown.
Search for other files loaded by PID 596 using dlllist.
All DLL files are here.
Extract the files to get more information.
All dump files are shown in the memory folder.
Gather deeper information from a particular dmp file.
Identify process owners and associated SIDs
The windows.getsids.GetSIDs plugin prints the SIDs owning each process.
The getsids plugin is used to find the owner of the process; the output is shown here.
Detecting and analyzing malicious registry key entries from memory

Using registry printkey and registry hivelist, find the information for a specific key value.
Using this command, find the details about the Atomic Red Team key value (any key can be entered).
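pslist prints a flat table and pstree the same processes indented by parent; the question the notes ask about a PID (who created it, what it created) is answered by joining PID to PPID. The following added example (not part of the original notes, and not Volatility's code) parses the tab-separated windows.pslist table, renders it pstree-style, and walks one process's ancestry; a process whose parent is no longer in the list is shown as a root, which is how a script run from a PowerShell window that has since closed appears. The pslist output is constructed (only the PID, PPID and ImageFileName columns are used, the other columns are abbreviated), and PID 596 here is a made-up smss.exe, not the PID from the notes.

```python
"""Rebuild a process tree from Volatility 3 windows.pslist output.

Added example, not from the original lab notes or from Volatility. The
output text below is constructed; column layout mirrors pslist's tab-separated
table, but values are invented.
"""

SAMPLE_PSLIST = """Volatility 3 Framework 2.4.1
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output
4\t0\tSystem\t0xa10\t120\t-\tN/A\tFalse\t2023-01-01 08:55:01.000000 \tN/A\tDisabled
596\t4\tsmss.exe\t0xa11\t2\t-\tN/A\tFalse\t2023-01-01 08:55:02.000000 \tN/A\tDisabled
680\t596\tcsrss.exe\t0xa12\t10\t-\t0\tFalse\t2023-01-01 08:55:03.000000 \tN/A\tDisabled
704\t596\twininit.exe\t0xa13\t1\t-\t0\tFalse\t2023-01-01 08:55:03.000000 \tN/A\tDisabled
800\t704\tservices.exe\t0xa14\t8\t-\t0\tFalse\t2023-01-01 08:55:04.000000 \tN/A\tDisabled
1200\t800\tsvchost.exe\t0xa15\t12\t-\t0\tFalse\t2023-01-01 08:55:05.000000 \tN/A\tDisabled
4120\t3900\tpowershell.exe\t0xa16\t20\t-\t1\tFalse\t2023-01-01 09:16:00.000000 \tN/A\tDisabled
4388\t4120\tcmd.exe\t0xa17\t1\t-\t1\tFalse\t2023-01-01 09:17:00.000000 \tN/A\tDisabled
"""


def parse_pslist(text):
    """Return {pid: (ppid, name)}; the banner and header lines are skipped."""
    procs = {}
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 3 or not cols[0].isdigit():
            continue
        procs[int(cols[0])] = (int(cols[1]), cols[2])
    return procs


def children_of(procs, pid):
    """PIDs whose PPID is pid, in ascending order."""
    return sorted(p for p, (ppid, _) in procs.items() if ppid == pid)


def orphans(procs):
    """PIDs whose parent is not in the list: PID 0's child System, and anything whose parent exited."""
    return sorted(p for p, (ppid, _) in procs.items() if ppid not in procs)


def render_tree(procs):
    """pstree-style lines: parents first, each child one '*' level deeper."""
    lines = []

    def walk(pid, depth):
        prefix = "*" * depth + (" " if depth else "")
        lines.append(f"{prefix}{pid} {procs[pid][1]}")
        for child in children_of(procs, pid):
            walk(child, depth + 1)

    for root in orphans(procs):
        walk(root, 0)
    return lines


def lineage(procs, pid):
    """Names from pid up to its top-most ancestor still present in the list."""
    chain = []
    while pid in procs:
        chain.append(procs[pid][1])
        pid = procs[pid][0]
    return chain


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("\n".join(render_tree(procs)))
    print(lineage(procs, 4388))   # cmd.exe <- powershell.exe; parent 3900 is gone
```

Feed the real pslist output in via a file (open it and pass the text to parse_pslist) and compare the roots reported by orphans with what you expect on a clean boot: on Windows, System is the only process whose parent should be missing.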
Super Timeline Analysis
A detailed timeline of everything that occurred on a system, also known as a Super Timeline, can be extremely beneficial in determining what took place in a digital investigation.

1. Prepare tools: Volatility3, Plaso (log2timeline), QEMU
2. Prepare evidence: disk image (RAW!), memory image
3. Run tools: memory - generate bodyfile; disk - generate plaso file; merge the files; generate the super timeline with psort
4. Timeline analysis: EZ Timeline Explorer
Preparing tools and converting the disk image with QEMU
Use the link to install the tools.

Add the Plaso GIFT repository with this command.
Install the Plaso tool.
Copy the target machine's virtual hard disk and paste it here.
qemu-img convert -O raw win10-disk.vhd win10-disk.raw

Convert the disk image using the above command.
Disk image of the hard disk.
Memory timeline creation with Volatility3
Create a folder named Timeline. Go to the folder path in Ubuntu Linux.
vol -h shows all plugins in detail.
The timeline plugin is shown; gather all details about the target memory using the timeline plugin.
Using this command with memory.raw, collect all events and store them in one file.
The file is shown in the Timeline folder.
Open the file with Notepad++.
All events are shown.
Creating a timeline of the disk image with Plaso tools

Using the disk image, execute this command and store the output in one file named disk.plaso.
The process takes a long time to finish.
The file is shown in the Timeline folder; open it and all event logs are shown.
All events are shown in this file.
Generating a Super Timeline with the Plaso tool

Merge the timelines with the mactime parser using this command.
Using this command, the plaso file is converted to a CSV file and the super timeline is also created.
Two newly added files are shown.
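The memory timeline from Volatility and the disk timeline from Plaso are merged through the mactime bodyfile format. The following added example (not part of the original notes, and not Plaso's or The Sleuth Kit's code) implements what that merge step does: each bodyfile line (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, times as Unix epoch seconds, 0 meaning unknown) is expanded into one row per distinct timestamp, marked with which of M, A, C, B fired at that instant, and the rows from both sources are sorted into one timeline. The two bodyfiles are constructed; real ones come from Volatility's timeliner bodyfile output and from psort's mactime-compatible output.

```python
"""Merge bodyfiles into one sorted timeline, the way mactime does.

Added example, not from the original lab notes or from plaso / Sleuth Kit.
Both bodyfiles below are constructed.
"""
from datetime import datetime, timezone

MEMORY_BODY = """0|[Process] powershell.exe PID 4120|4120|---------|0|0|0|0|0|0|1672564560
0|[Process] cmd.exe PID 4388|4388|---------|0|0|0|0|0|0|1672564620
0|[Service] ART-svc|0|---------|0|0|0|0|1672564685|1672564685|0
"""
DISK_BODY = """0|C:/Users/Denisha/Desktop/PWF-main/ART-attack.ps1|88211|r/rrwxrwxrwx|0|0|4096|1672564500|1672563000|1672563000|1672563000
0|C:/Windows/Prefetch/POWERSHELL.EXE-1234ABCD.pf|91002|r/rrwxrwxrwx|0|0|20480|1672564565|1672564565|1672564565|1672564560
"""


def parse_bodyfile(text, source):
    """Yield (epoch, macb_flags, size, inode, name, source), one row per distinct time."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _md5, name, inode, _mode, _uid, _gid, size, atime, mtime, ctime, crtime = line.split("|")
        times = {"m": int(mtime), "a": int(atime), "c": int(ctime), "b": int(crtime)}
        for when in sorted({t for t in times.values() if t > 0}):   # 0 = unknown, skipped
            flags = "".join(k if times[k] == when else "." for k in "macb")
            yield (when, flags, int(size), inode, name, source)


def iso(epoch):
    """Epoch seconds -> 'YYYY-MM-DD HH:MM:SS' in UTC (the lab workstation runs on UTC)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def super_timeline(*sources):
    """sources are (label, bodyfile_text) pairs; rows are sorted by time, then name."""
    rows = []
    for label, text in sources:
        rows.extend(parse_bodyfile(text, label))
    rows.sort(key=lambda r: (r[0], r[4]))
    return [(iso(r[0]), r[1], r[2], r[3], r[4], r[5]) for r in rows]


if __name__ == "__main__":
    for row in super_timeline(("memory", MEMORY_BODY), ("disk", DISK_BODY)):
        print("\t".join(str(c) for c in row))
```

In the merged output the prefetch file's creation ("...b") and the powershell.exe process creation from memory land on the same second, which is the kind of cross-source agreement that makes the super timeline more trustworthy than either timeline on its own.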
Super Timeline Analysis

A detailed timeline of everything that occurred on a system, also known as a Super Timeline, can be extremely beneficial in determining what took place in a digital investigation.

Open the super timeline file with Timeline Explorer.
All events are shown.
You can filter for specific events.
Super Timeline Analysis: Malicious Events

You can show all events.
You can search for specific events and show the result.
Using the colour code you can tell which events are executions.
All events are also shown with their long description.
Reporting Types and Considerations

Reporting Considerations

1. Establish expectations at the beginning!
2. Consider the audience that you are targeting.
3. Alternative explanations.
4. Actionable information.
Types of Reporting

Forensic Report - legal cases
High-level presentation - executive debriefs, Q&A documents
System Timeline - events listed in temporal order
Etc. - resolving tickets, e.g. with proof screenshots
