Module 06 - Windows Forensics-1


Module 06

Windows Forensics
5 NIDS Ali GHORBEL
2024-25 [email protected]
Course Outline
Module objectives

After completing this chapter, you will be able to:

6.1. Understand the collection of volatile and non-volatile information
6.2. Understand Windows memory and registry analysis
6.3. Understand how to examine the cache, cookies, and history recorded in web browsers
6.4. Understand how to examine Windows files and metadata

Introduction to OS Forensics
Windows, Mac, and Linux are the three most widely used operating systems (OSes). Thus, the probability that an investigator will come across one of these OSes at a crime scene is very high.
Performing OS forensics to uncover the underlying evidence is a challenging task, as it requires the investigator to have thorough knowledge of these OSes.
To conduct a successful digital forensic examination on Windows, Mac, or Linux, one should be familiar with how each works and with its commands and methodologies, in order to extract volatile and non-volatile data with OS-specific tools.
Collect Volatile & Non-Volatile Information
Collecting Volatile Information
Volatile information can be easily modified or lost when the system is shut down or rebooted.
Collecting volatile information helps determine a logical timeline of the security incident and the responsible users.
Volatile data resides in registers, cache, and RAM.

Volatile information includes:

- System time
- Logged-on user(s)
- Network information
- Open files
- Network connections
- Network status
- Process information
- Process-to-port mapping
- Process memory
- Mapped drives
- Shares
- Clipboard contents
- Service/driver information
- Command history
Collecting System Time
The system time gives context to all the other information collected during the investigation.
It helps in re-creating an accurate timeline of the events that occurred on the system.
System uptime provides an idea of when an exploit attempt might have been successful.
Collecting Logged-On Users

PsLoggedOn is an applet that displays the users logged on both locally and via resource shares, for either the local or a remote computer.

Syntax:
psloggedon [-] [-l] [-x] [\\computername | username]
Collecting Logged-On Users

The net session command displays the computer names and user names of the sessions on a server, the open files, and the session duration.

Syntax:
net session [\\<ComputerName>] [/delete] [/list]
Collecting Logged-On Users

LogonSessions tool: It lists the currently active logon sessions and, if the -p option is specified, the processes running in each session.
Syntax:
logonsessions [-c[t]] [-p]

- -c   Print output as CSV
- -ct  Print output as tab-delimited values
- -p   List processes running in each logon session
Collecting Open Files: net file Command

Collect information about the files opened by the intruder using remote login.

The net file command displays details of the open shared files on a server, such as the name, ID, and number of locks on each file, if any. It can also close individual shared files and remove file locks.

Syntax:
net file [ID [/close]]
Collecting Open Files: Using NetworkOpenedFiles
NetworkOpenedFiles
Source: https://www.nirsoft.net
It is a utility for Windows that lists all the files currently opened on the host system through remote login.
It displays the file name, computer and user name, permission information (Read/Write/Create), lock count, file size, file attributes, etc.
Collecting Network Information
Intruders, after gaining access to a remote system, try to discover other systems that are available on the network.

The NetBIOS name table cache maintains a list of connections made to other systems using NetBIOS.

The Windows inbuilt command-line utility nbtstat can be used to view the NetBIOS name table cache.

The nbtstat -c option shows the contents of the NetBIOS name cache, which contains NetBIOS name-to-IP address mappings.

Syntax:
nbtstat [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval]
Collecting Network Information
Collecting information about the network connections running to and from the victim system helps locate a logged-on attacker, IRC bot communication, and worms logging into a command-and-control server.
netstat with the -ano switch displays details of the TCP and UDP network connections, including listening ports and the process identifiers (PIDs) that own them.

Syntax:
netstat [-a] [-e] [-n] [-o] [-p <Protocol>] [-r] [-s] [<Interval>]
Process Information

Investigate the processes running on a potentially compromised system and collect their information.

Task Manager displays the programs, processes, and services that are currently running on the computer.

Tasklist displays a list of applications and services with their process ID (PID) for all tasks running on either a local or a remote computer.

PsList displays elementary information about all the processes running on a system.
The -x switch shows processes, memory information, and threads.
Process-to-Port Mapping

Process-to-port mapping identifies the port used by a process, along with the protocol and the IP address it is connected to.
Tools and commands to retrieve the process-to-port mapping: netstat

Syntax:
netstat -a -n -o
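An added example (not from the slides) that joins constructed `netstat -ano` and `tasklist /FO CSV /NH` output into the process-to-port mapping described above, so an investigator can ask which image owns a local port and which processes hold established remote connections; the sample output, addresses and process names are constructed, not captured from a real host.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of `netstat -ano` output (columns: Proto, Local Address,
# Foreign Address, State, PID; UDP rows have no State column).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49722     203.0.113.7:8443       ESTABLISHED     5320
  TCP    [::]:3389              [::]:0                 LISTENING       1104
  UDP    0.0.0.0:5355           *:*                                    1432
"""

# Constructed sample of `tasklist /FO CSV /NH` output (image name, PID, ...).
TASKLIST_OUTPUT = """\
"svchost.exe","912","Services","0","12,004 K"
"System","4","Services","0","148 K"
"updater.exe","5320","Console","1","8,120 K"
"svchost.exe","1104","Services","0","9,876 K"
"svchost.exe","1432","Services","0","6,540 K"
"""

def split_endpoint(endpoint):
    """Split '1.2.3.4:80', '[::]:3389' or '*:*' into (host, port or None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Return one dict per connection row of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, blank and header lines
        proto, local, foreign = fields[0], fields[1], fields[2]
        state = fields[3] if proto == "TCP" else ""  # UDP has no State
        pid = int(fields[-1])
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_addr": lhost, "local_port": lport,
                     "remote_addr": fhost, "remote_port": fport,
                     "state": state, "pid": pid})
    return rows

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text)) if r}

def process_to_port(netstat_text, tasklist_text):
    """Join both outputs into {(image name, pid): [connection rows]}."""
    names = parse_tasklist(tasklist_text)
    mapping = defaultdict(list)
    for row in parse_netstat(netstat_text):
        mapping[(names.get(row["pid"], "<unknown>"), row["pid"])].append(row)
    return dict(mapping)

def owner_of_port(netstat_text, tasklist_text, port, proto="TCP"):
    """Which (image name, pid) owns a local port? None if nothing does."""
    for key, rows in process_to_port(netstat_text, tasklist_text).items():
        if any(r["proto"] == proto and r["local_port"] == port for r in rows):
            return key
    return None

def established_remote_peers(netstat_text, tasklist_text):
    """ESTABLISHED TCP rows as (image, pid, remote_addr, remote_port): the
    connections an investigator reviews first for attacker or C2 sessions."""
    out = []
    for (image, pid), rows in process_to_port(netstat_text, tasklist_text).items():
        for r in rows:
            if r["state"] == "ESTABLISHED":
                out.append((image, pid, r["remote_addr"], r["remote_port"]))
    return out
```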
Examining Process Memory
Running processes could be suspicious or malicious in nature.
Process Explorer can be used to check whether a process is malicious/suspicious.
Process Explorer shows information about the handles and DLLs that processes have opened or loaded.
If a process is suspicious, the investigator gathers more information by dumping the memory used by the process with tools such as ProcDump and Process Dumper.
Process Explorer comes with built-in VirusTotal support to check whether a running process is malicious.
Collecting Network Status
Collect information on the network interface cards (NICs) of a system to know whether the system is connected to a wireless access point and what IP address is being used.
Tools for network status detection are:
- ipconfig command
- PromiscDetect tool
- Promqry tool

Ipconfig.exe is a utility native to Windows systems that displays information about NICs and their status.
The ipconfig /all command displays the network configuration of the NICs on the system.

PromiscDetect checks whether the network adapter(s) are running in promiscuous mode, which may be a sign that a sniffer is running on the computer.
Collecting Non-volatile Information

Non-volatile data remains unchanged even after the system is shut down or powered off.

Example: emails, word-processing documents, spreadsheets, and various "deleted" files.

Such data usually resides on the hard drive (swap file, slack space, unallocated drive space, etc.).

Other non-volatile data sources include DVDs, USB thumb drives, smartphone memory, etc.
Examining File Systems
Run the command dir /o:d in the command prompt.
This enables the investigator to examine:
- The time and date of the OS installation
- The service packs, patches, and subdirectories that automatically update themselves often (for example, drivers)
Give priority to recently dated files.
ESE Database File
Extensible Storage Engine (ESE) is a data storage technology used by various Microsoft-managed software such as Active Directory, Windows Mail, Windows Search, and Windows Update Client.
This database format is also known as JET Blue.
The file extension of an ESE database file is .edb. The following are examples of ESE database files:
- contacts.edb - Stores contact information in Microsoft Live products
- WLCalendarStore.edb - Stores calendar information in Microsoft Windows Live Mail
- Mail.MSMessageStore - Stores message information in Microsoft Windows Live Mail
- WebCacheV24.dat and WebCacheV01.dat - Store cache, history, and cookie information in Internet Explorer 10
- Mailbox Database.edb and Public Folder Database.edb - Store mail data in Microsoft Exchange Server
- Windows.edb - Stores index information (for Windows Search) by the Windows OS
- DataStore.edb - Stores Windows Update information (located under C:\windows\SoftwareDistribution\DataStore)
- spartan.edb - Stores the Favorites of Internet Explorer 10/11 (stored under %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049)
Examining .edb File Using ESEDatabaseView
The data stored inside ESE database files can be parsed by tools such as ESEDatabaseView and ViewESE.
During a forensic investigation, the data extracted from these .edb files can serve as potential evidence.
ESEDatabaseView lists all the tables and records found in the selected tables of an .edb database file.
The data extracted with ESEDatabaseView can be exported to an HTML file.
Windows Search Index Analysis
Windows Search Index uses ESE data storage technology to store its data.

It is stored in a file called Windows.edb, located in the directory:
C:\ProgramData\Microsoft\Search\Data\Applications\Windows

Forensic investigators parse this file to extract data pertaining to deleted data, damaged disks, encrypted files, event bounding, etc., which can be a good source of evidence for the investigation.

In the slide's screenshot, ESEDatabaseView is used to parse the Windows.edb file and extract the details of deleted data on the system.
Detecting Externally Connected Devices to the System
Attackers connect external storage media to the system to steal sensitive data or perform illicit activities.
As part of the forensic investigation, identifying the devices connected to the system helps the investigator determine whether any external media was used by the suspect.
Later, the investigator can obtain the specific external media from the suspect in a legal manner for further analysis.
The utility DriveLetterView lists all the drives on the system, even if they are not currently plugged in.
Slack Space

Slack space refers to the portions of a hard drive that may contain data either from a previously deleted file or from space unused by the currently allocated file.
Non-contiguous file allocation leaves more trailing clusters and therefore more slack space.
The data residue in the slack space is retrieved by reading the complete cluster.
The DriveSpy tool collects all the slack space in an entire partition into a file.

[Figure: Steps involved in collecting slack space information]
Perform Windows Memory and Registry Analysis

Windows Memory Analysis
Windows memory analysis involves the acquisition of physical memory (RAM) dumps of the Windows machine.
Examining these memory dumps helps investigators detect hidden rootkits, find hidden objects, identify suspicious processes, etc.
Windows Crash Dump
A Windows crash dump file contains the contents of the computer's memory at the time of a crash.
It helps in diagnosing and identifying bugs in a program that led to the system crash.
You can check the memory dump information using the DumpChk utility.
In Windows 10, the OS creates the following memory dumps:
- Automatic memory dump
- Complete memory dump
- Kernel memory dump
- Small memory dump
Examining the crash dumps can sometimes help a forensic investigator find out whether the crash was caused by an internal error or by a remote attacker who succeeded in exploiting a bug in the OS or in a third-party application installed on the OS.
Collecting Process Memory
Collect the contents of process memory available in a RAM dump file.
Process Dumper (pd.exe) dumps the entire process space along with additional metadata and the process environment to the console; the output can be redirected to a file or a socket.
Userdump.exe dumps any process without attaching a debugger and without terminating the process once the dump has been completed.

Another method of dumping a process is to use the adplus.vbs script.

Once done with the dumping process, use debugging tools to analyze the dump files.
Random Access Memory (RAM) Acquisition
Examining volatile memory is as important as examining non-volatile memory.
During live acquisition, investigators use tools such as Belkasoft RAM Capturer and AccessData FTK Imager to perform RAM dumps.
From a forensics point of view, examining RAM dumps provides system artifacts such as running services, accessed files and media, system processes, network information, and malware activity.
Memory Forensics: Malware Analysis Using Redline

Redline is a security tool to identify malicious activity through memory analysis; it helps forensic investigators establish the timeline and scope of an incident.
Analyze the RAM dump using Redline by loading it from the 'Analyze Data' section.
Under the 'Analysis Data' tab, you can find all the processes that were running on the system when the RAM dump was acquired.
Windows Registry

The Windows registry is a hierarchical database that contains low-level settings for the Microsoft Windows OS and for applications that use the registry.

Investigating the data present in the registry helps forensic investigators obtain information on installed software and hardware driver configuration settings, track suspicious user activity, etc.

This information helps investigators build a timeline of the incident during the forensic investigation.
Windows Registry

Every action performed by the user on the machine is recorded in the Windows Registry; hence, it is a good source of evidence during a forensic investigation.
With respect to data persistence, Windows Registry hives are divided into volatile hives and non-volatile hives:

The volatile hives are captured during live analysis of the system, while the non-volatile hives are stored on the hard drive.
Windows Registry

Hives in the Windows registry play a critical role in the functioning of the system:

HKEY_USERS: It contains all the actively loaded user profiles for that system.
HKEY_CLASSES_ROOT: This hive contains configuration information related to the applications used for opening various files on the system.
HKEY_CURRENT_CONFIG: This hive contains the hardware profile the system uses at startup.
HKEY_LOCAL_MACHINE: This hive contains a vast array of configuration information for the system, including hardware settings and software settings.
HKEY_CURRENT_USER: It is the active, loaded user profile for the currently logged-on user.
Windows Registry

Registry Structure within a Hive File

The various components of the registry, called "cells", have a specific structure and contain a specific type of information.
Types of cells:
Windows Registry Forensic Analysis

Forensic analysis of the Windows registry helps the investigator extract forensic artifacts such as user accounts, recently accessed files, USB activity, last-run programs, and installed applications.
The forensic investigator should analyze the Windows registry using two methods:
- Static Analysis: The investigator examines the registry files stored in the captured evidence file. These files are located in the C:\Windows\System32\config folder.
- Live Analysis: The investigator can use the built-in registry editor to examine the registry, and also use tools like FTK Imager to capture registry files from the live system for analysis.
Windows Registry Forensic Analysis
The extracted subkeys of HKEY_LOCAL_MACHINE contain the following information:
- SAM (Security Account Manager): It is a local security database, and the subkeys in SAM contain settings of user data and workgroups
- Security: It includes the local security database in SAM
- Software: It contains information about the software applications and their configuration settings on the system
- System: It contains configuration settings of the hardware drivers and services
- Default: It includes default user settings, but the NTUSER.dat file pertaining to the currently logged-on user overrides the default user settings
Note: The forensic investigator can examine these registry files using tools such as Hex Workshop to extract useful information.
Examine Cache, Cookie, and History Recorded in Web Browsers
Cache, Cookie, and History Analysis

Web browsers, such as Microsoft Edge, Google Chrome, Mozilla Firefox, etc., store a detailed account of all user activities performed on them in caches, cookies, and browser history.
By analyzing this data, forensic investigators can determine the online activities that were performed on the system, such as websites visited, files downloaded, the last accessed website, the last accessed time for a particular website, the number of times a user has visited a website, etc. Such data can be of great evidentiary value in a forensic investigation.
This section discusses how to examine and analyze the information recorded in the caches, cookies, and browser history of different web browsers.
Cache, Cookie, and History Analysis: Google Chrome

Google Chrome records information about browsing history on the system at the following locations:
- History, downloads, and cookies location:
C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default
- Cache location:
C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Cache
Cache, Cookie, and History Analysis: Google Chrome

Analysis Tool: ChromeCacheView

ChromeCacheView is a small utility that reads the cache folder of Google Chrome and displays the list of all files currently stored in the cache.
It displays information such as URL, Content Type, File Size, Last Accessed Time, Expiration Time, Server Name, and Server Response.

Source: https://www.nirsoft.net
Cache, Cookie, and History Analysis: Google Chrome

Analysis Tool: ChromeCookiesView

- ChromeCookiesView displays the list of all cookies stored by Google Chrome, and allows investigators to export the cookies into a text/CSV/HTML/XML file.
- It displays information such as Host Name, Path, Name, Value, Secure (Yes/No), HTTP Only Cookie (Yes/No), Last Accessed Time, Creation Time, and Expiration Time for each cookie.

Source: https://www.nirsoft.net
Cache, Cookie, and History Analysis: Google Chrome

Analysis Tool: ChromeHistoryView

- ChromeHistoryView reads the history data file of Google Chrome and displays the list of all Web pages visited in the last days.
- It displays information such as URL, Title, Visit Date/Time, Number of visits, number of times that the user typed this address (Typed Count), Referrer, and Visit ID for each visited web page.

Source: https://www.nirsoft.net
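An added example (not ChromeHistoryView or any NirSoft code) showing how the History file in the Default folder named above is read: it is a SQLite database whose times are microseconds since 1601-01-01 UTC, and the Referrer column comes from joining visits.from_visit back to the urls table. The in-memory database, URLs and timestamps are constructed; only the column names follow Chrome's real urls and visits tables (other columns omitted).

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 00:00 UTC
# (the WebKit/Chrome epoch), not as Unix seconds.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def chrome_time_to_datetime(value):
    """Chrome timestamp -> aware UTC datetime (0 means 'never'/unset)."""
    if not value:
        return None
    return CHROME_EPOCH + timedelta(microseconds=value)

def datetime_to_chrome_time(dt):
    """Inverse conversion, useful for building date-range queries."""
    delta = dt.astimezone(timezone.utc) - CHROME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds

def build_sample_history():
    """Constructed in-memory stand-in for a copied Chrome History file.
    Times: 13354968600000000 = 2024-03-15 09:30:00 UTC,
           13354972200000000 = 10:30:00, 13354972260000000 = 10:31:00."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, typed_count INTEGER,
                          last_visit_time INTEGER, hidden INTEGER DEFAULT 0);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER,
                            visit_time INTEGER, from_visit INTEGER);
        INSERT INTO urls VALUES
          (1, 'https://example.org/', 'Example Domain', 2, 1, 13354972200000000, 0),
          (2, 'https://example.org/download/tool.zip', 'tool.zip', 1, 0, 13354972260000000, 0);
        INSERT INTO visits VALUES
          (1, 1, 13354968600000000, 0),
          (2, 1, 13354972200000000, 0),
          (3, 2, 13354972260000000, 2);
    """)
    return db

def visited_pages(db):
    """ChromeHistoryView-style rows: one per URL, most recent first."""
    rows = db.execute("""SELECT url, title, visit_count, typed_count, last_visit_time
                         FROM urls WHERE hidden = 0 ORDER BY last_visit_time DESC""")
    return [{"url": u, "title": t, "visits": vc, "typed": tc,
             "last_visit": chrome_time_to_datetime(lv)} for u, t, vc, tc, lv in rows]

def visit_chain(db):
    """Each visit (id, url, time, referrer url); the referrer is resolved via
    visits.from_visit -> visits.id -> urls.url, None for a direct visit."""
    rows = db.execute("""
        SELECT v.id, u.url, v.visit_time, r.url
        FROM visits v JOIN urls u ON u.id = v.url
        LEFT JOIN visits fv ON fv.id = v.from_visit
        LEFT JOIN urls r ON r.id = fv.url
        ORDER BY v.visit_time""")
    return [(vid, url, chrome_time_to_datetime(ts), ref) for vid, url, ts, ref in rows]
```

Chrome keeps the live History file locked while running, so the query runs against a copy taken from the image.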


Examine Windows Files and Metadata
Examine Windows Files and Metadata

While investigating a Windows system, investigators often need to detect any changes that attackers may have made to application files on the system.
To detect these changes, investigators need to examine the following:
- Restore Point Directories: These directories store information related to the installation or removal of application files and any changes made to them.
- Prefetch Files: Examining the prefetch directory helps determine the applications that have been run on a system.
- Metadata: Metadata associated with any type of file reveals various characteristics and finer details related to the creation, access, and modification of files.
- Image Files and EXIF Data: Examining JPEG image files and the EXIF data stored in them helps determine the metadata associated with those JPEG images.
Windows File Analysis

Forensic examination of restore point log files and prefetch files provides information such as MAC timestamps, file name, file size, number of times the application has been run, process name, etc., related to the installed/uninstalled applications.


System Restore Points (Rp.log Files)

Rp.log is the restore point log file located within the restore point (RPxx) directory.
It includes a value indicating the type of the restore point, a descriptive name for the restore point creation event, and a 64-bit FILETIME object indicating when the restore point was created.
System restore points are created when applications and unsigned drivers are installed, and when an auto-update installation or a restore operation is performed.
The description of the event that caused the restore point creation is written to the rp.log file; this log file helps the investigator determine the date when the application was installed or removed.
System Restore Points (Rp.log Files)

File changes are recorded in the change.log files, which are located in the restore point directories.
Changes to the monitored files are detected by the restore point file system driver; the original file name is entered into the change.log file along with a sequence number, the type of change that occurred, etc.
The monitored file is preserved and copied to the restore point directory, renamed in the format Axxxxxxx.ext, where x represents a sequence number and .ext is the file's original extension.
The first change.log file is appended with a sequence number, and a new change.log file is created when the system is restarted.
Prefetch Files

When a user installs an application, runs it, and deletes it, traces of that application can be found in the Prefetch directory.
The DWORD value at offset 144 within the file corresponds to the number of times the application has been launched.
The DWORD value at offset 120 within the file corresponds to the last time the application was run; this value is stored in UTC format.
Information from the .pf file can be correlated with registry or Event Log information to determine who was logged on to the system, who was running which applications, etc.

Prefetching is used by the Windows OS to speed up the system boot process and application launches.
The data is recorded for up to the first 10 seconds after the application process is started.
Once the data is processed, it is written to a .pf file in the Windows\Prefetch directory.
The forensic investigator should identify whether prefetching is enabled on the victim's system before conducting the examination.
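An added example (not a tool from the slides) that parses the two prefetch fields described above from a constructed version-17 .pf image and converts the last-run value, read as a 64-bit FILETIME, to UTC; the same FILETIME conversion applies to the rp.log timestamp. The version-23 (Vista/7) offsets 128/152 and the MAM compression check come from the published format description, not from the slides; the sample file's name, hash and times are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# FILETIME of 1970-01-01 00:00 UTC: 11644473600 s in 100 ns ticks
UNIX_EPOCH_AS_FILETIME = 116444736000000000

# prefetch version -> (offset of last-run FILETIME, offset of run-count DWORD)
# 17 = Windows XP (the offsets given on the slides), 23 = Vista / Windows 7.
FIELD_OFFSETS = {17: (120, 144), 23: (128, 152)}

def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime.
    Also the conversion for the FILETIME stored in a restore point's rp.log."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_prefetch(data):
    """Return header fields plus run count and last run time of a .pf image."""
    if data[:3] == b"MAM":
        # Windows 10+ writes .pf files LZXPRESS-Huffman compressed; they must
        # be decompressed before any of these offsets mean anything.
        raise ValueError("compressed (MAM) prefetch file: decompress first")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    if version not in FIELD_OFFSETS:
        raise ValueError(f"unsupported prefetch version {version}")
    file_size, = struct.unpack_from("<I", data, 12)
    # Executable name: UTF-16LE, 60-byte field, NUL terminated
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash, = struct.unpack_from("<I", data, 76)
    time_off, count_off = FIELD_OFFSETS[version]
    last_run_ft, = struct.unpack_from("<Q", data, time_off)
    run_count, = struct.unpack_from("<I", data, count_off)
    return {"version": version, "file_size": file_size, "executable": exe_name,
            "hash": f"{prefetch_hash:08X}", "run_count": run_count,
            "last_run_utc": filetime_to_datetime(last_run_ft)}

def build_sample_prefetch(exe="CALC.EXE", run_count=7,
                          last_run=datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc)):
    """Constructed minimal version-17 .pf image: header plus the two fields
    the slides describe; everything else is left zeroed."""
    buf = bytearray(256)
    struct.pack_into("<I4sI", buf, 0, 17, b"SCCA", 0x0F)  # version, signature
    struct.pack_into("<I", buf, 12, len(buf))              # file size
    buf[16:16 + len(exe) * 2] = exe.encode("utf-16-le")    # executable name
    struct.pack_into("<I", buf, 76, 0x7A7B3C2D)            # constructed hash
    struct.pack_into("<Q", buf, 120, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 144, run_count)
    return bytes(buf)
```

Real .pf files are named like CALC.EXE-<hash>.pf, so the hash parsed from the header can be checked against the file name as a quick integrity test.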
Image Files

The metadata present in a JPEG image file depends largely on the application that created or modified it.
For example, digital cameras embed Exchangeable Image File Format (EXIF) information in images, which can include the model and manufacturer of the camera, and can even store thumbnails or audio information.
You can use tools such as Exiv2, IrfanView, and the Image::MetaData::JPEG Perl module to view, retrieve, and in some cases modify the metadata embedded in JPEG image files.
Tools such as ExifReader, EXIF Library, and ExifTool display the EXIF data found in a JPEG image.
Metadata Investigation

Metadata is data about data. It describes various characteristics of data, including when and by whom it was created, accessed, or modified.
Because it is not normally seen, users can inadvertently share confidential information when sending or providing files in electronic form.
In computer forensics, metadata obtained from databases, image files, Word files, web browsers, etc., contains evidentiary data of forensic value.
Metadata includes file name, file size, MAC timestamps, GPS data, etc.
The investigator can use tools such as Metadata Assistant, Paraben P2 Commander, and Metashield Analyzer to analyze metadata.
Examples of metadata:
- Organization name
- Author name
- Computer name
- Network name
- Hidden text or cells
- Document versions
- Template information
- Personalized views
- Non-visible portions of embedded OLE objects
Metadata in Different File Systems

The most commonly known metadata about files on Windows systems are the files' MAC times; MAC stands for modified, accessed, and created.
The MAC times are timestamps that refer to the time at which the file was last modified, last accessed, and originally created.
MAC times are managed by the OS depending on the file system used:
- On the FAT file system, times are stored based on the local time of the computer system
- The NTFS file system stores MAC times in Coordinated Universal Time (UTC) format

Investigate the way the timestamps are displayed, based on various move and copy actions.
Module Summary

This module has discussed the collection of volatile and non-volatile information.
It also discussed the analysis of Windows memory and the Registry.
Further, it explained in detail the process of examining the cache, cookies, and history recorded in web browsers.
Finally, this module ended with a detailed discussion on examining Windows files and metadata.
In the next module, we will discuss Linux and Mac forensics in detail.
