NIST Data Leakage 01 Registry

Uninstall keys indicate applications that were installed after the OS installation and can potentially be uninstalled by the user.
11. What web browsers were installed? Search for browsers in the registry:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
- HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe
This shows that Chrome and Internet Explorer were installed, as they are referenced in the registry. No reference to Firefox was


Investigate Data Leakage Case
Keywords: Windows Registry, PC information, User Account, Application Usage
Application Usage
Topics
• Key concepts (image, volume, file system)
• Gather basic PC information
• User account investigation
• Application usage investigation
The Sleuth Kit (TSK) Layers
• Base layer: error handling, types, and convenience functions
• Disk image layer: can open and process disk images in various formats
• Volume system layer: processes data as a volume system, e.g., DOS partition tables
• File system layer: processes data as a file system, such as FAT or NTFS
• Hash database layer: creates an index of hashes and performs fast lookups of them
• Automation layer: integrates all of the previous layers


Gather Basic PC Information
1. What are the hash values (MD5 & SHA-1) of the image? (Linux)
Verify you have the dd image.
Compute the MD5 and SHA-1 of the dd image (md5sum, sha1sum) and compare them with the values recorded when the image was acquired.
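The slides run md5sum and sha1sum by hand. The following is an added shell example (my code, not from the slides) that wraps the same two coreutils calls in a check against the digests recorded at acquisition, so a mismatch is caught before any analysis starts. The script name hashcheck.sh, the argument layout and the sample file used in the usage note are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original slides): hash a dd image and check it
# against the values recorded when the image was acquired.

# image_hashes: print "<md5> <sha1>" for the image file given as $1.
# Uses the coreutils md5sum/sha1sum that the slides run on Linux.
image_hashes() {
    [ -f "$1" ] || { echo "image not found: $1" >&2; return 2; }
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha1sum "$1" | cut -d' ' -f1)"
}

# verify_image: return 0 when both digests of $1 match the expected MD5 ($2) and
# SHA-1 ($3), 1 when they differ, 2 when the image is missing. The expected values
# are lower-cased first because acquisition tools print hex in either case.
verify_image() {
    want_md5=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    want_sha1=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    got=$(image_hashes "$1") || return 2
    if [ "$got" = "$want_md5 $want_sha1" ]; then
        return 0
    fi
    echo "hash mismatch for $1: got [$got], expected [$want_md5 $want_sha1]" >&2
    return 1
}

# Usage: ./hashcheck.sh image.dd [expected_md5 expected_sha1]
if [ "$#" -eq 1 ]; then
    image_hashes "$1"
elif [ "$#" -eq 3 ]; then
    verify_image "$1" "$2" "$3" && echo "image verified: $1"
fi
```

Record the digests in the case notes before touching the image; rerunning `./hashcheck.sh image.dd <md5> <sha1>` at the end of the investigation proves the image was not altered in between.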
2.1 How to identify the partition information of a PC image? (Method 1 - fdisk)
• What is a partition/volume?
• Boot partition (boot volume)
• holds the operating system folder, %systemroot% (C:\Windows on most installs), and with it the Windows boot loader (winload.exe), the kernel, the hardware abstraction layer (HAL), the NTFS file system driver, device drivers and the other files the OS needs to run
• normally carries a drive letter (C:)
• System partition (system volume)
• holds the files needed for the initial boot: the boot manager (bootmgr) and the Boot Configuration Data (BCD) store that hand control over to the boot volume
• is the active partition on an MBR disk (the partition the MBR boot code loads) or the EFI System Partition on a GPT disk
• usually has no drive letter, so it is hidden from the user
• Note: Microsoft's names are the reverse of what the words suggest. The "system" volume starts the boot; the "boot" volume is where Windows lives. On a single-partition install both are the same volume.
System Volume
• contains the essential files and configuration required for the initial booting process and system startup
• is the partition that the partition table (MBR) or the GPT/UEFI firmware directs the boot to, so that the operating system can locate and load the files necessary for booting
Boot Volume
• is where the core operating system files are stored (e.g., the Windows system files and program files in Windows environments)
• is where the operating system continues to run once the boot process is complete
• is assigned a drive letter (such as "C:" in Windows)

https://www.scaler.com/topics/operating-system/master-boot-record/
Show partitions of the image: since the image is a file containing a copy of the entire disk, you can simply treat it like any other block device and run fdisk on it (fdisk -l image.dd lists the partition table without modifying anything).
• "Boot" volume: core OS files; loads the remainder of the operating system
• "System" volume: initial booting process and system startup
• What are block devices? Devices that are read and written in fixed-size blocks: hard drives, CD-ROM drives, RAM disks (an image file can be attached as one through a loop device)
• What is fdisk? The "fixed disk" partition table editor (not "format disk"); fdisk -l only reads the table
• A "*" in the Boot column of the fdisk output means the MBR boot flag is set on that partition, i.e., the device is bootable; it marks the active partition, not Microsoft's "boot partition"
How to identify the partition information of a PC image? (Method 2 - mmls)
• What is unallocated space?
• Any physical space on a hard drive that doesn't belong to a partition.
• No program can write to the space through a file system; only raw disk writes reach it, which is why it is a place to hide data.
• The space doesn't exist as far as the operating system's volumes are concerned.
• To make use of unallocated space you need to either create a new partition using the space or expand an existing partition.
• Media management ls (mmls):
• Lists the partition table of an image and also shows the unallocated sectors, so it can be used to search for hidden data.
• The "Units are in 512-byte sectors" header and the Start column give the offset (-o) that fsstat and fls need later.
Show partitions and unallocated space using mmls: mmls image.dd. The first output line names the partition table type, e.g., "DOS Partition Table" for an MBR disk.
How to identify the partition information of a PC image? (Method 3 - parted)
Caveat: an MBR partition table stores 32-bit sector counts, so with 512-byte sectors it cannot describe partitions larger than 2 TB; such partitions only exist on GPT disks. parted reads both MBR and GPT tables.
Display file system statistics and metadata information from a disk image (first partition): fsstat -o <start sector> image.dd
• -b: block (sector) size (default is 512)
• -o: image offset in sectors, i.e., the Start value of the partition in the mmls output
List the second partition's details with the same command and the second partition's start sector.
• -b: block size
• -o: image offset
Volume serial number: remember the number, we will use it later.
2.2 How to show files (directories) in the 2nd partition?
fls: list file and directory names in a disk image: fls -o <start sector> image.dd
Use the head/tail commands to limit the number of files displayed.
Output columns: File Type | Metadata Address | File Name (a "*" after the file type marks a deleted entry)
2.3 How to list all deleted .docx files in the whole partition?
• "." means "any character" in a regex.
• for the literal string use "\.docx", and anchor it with "$" so that names such as ".docxx" are not matched.
Other useful parameters
-d display deleted entries only
-D display directories only
-r recursively display directories
-l long format
-F display file (all non-directory) entries only
-u display undeleted entries only
-p display the full path for each entry
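Questions 2.1 to 2.3 chain three tools: mmls gives the start sector, fsstat/fls take it as -o, and grep filters the fls listing. The following is an added shell example (my code, not from the slides or from The Sleuth Kit) that derives the offsets from mmls output and applies the "\.docx$" filter to fls output. The sample mmls and fls listings are constructed for the example, not taken from the case image, and image.dd is an assumed file name.

```shell
#!/bin/sh
# Added example (not from the original slides): derive the -o offsets that
# fsstat/fls/icat need from mmls output, and pick deleted .docx files out of fls output.

# partition_offsets: read mmls text on stdin and print "slot start_sector byte_offset"
# for each NTFS partition. fsstat/fls take -o in sectors (the mmls Start column);
# the byte offset is only needed for tools that want bytes (e.g. mount -o offset=).
# Assumes the 512-byte sectors mmls announces in its header; adjust if it says otherwise.
partition_offsets() {
    awk '$2 ~ /^[0-9]+:[0-9]+$/ && $0 ~ /NTFS/ { printf "%s %d %d\n", $1, $3, $3 * 512 }'
}

# deleted_docx: read the output of "fls -r -p -o <start_sector> image.dd" on stdin and
# keep only deleted entries (fls marks them with "*" after the type) whose name ends
# in .docx. "\." keeps the dot literal and "$" rejects names such as report.docxx.
deleted_docx() {
    grep -Ei '^[^ ]+ \* .*\.docx$'
}

# Constructed sample output (not from the case image) in the layout mmls prints.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0000409599   0000202752   NTFS / exFAT (0x07)'

# Constructed sample of "fls -r -p" output for the second partition.
SAMPLE_FLS='r/r 38-128-1: Documents/plan.docx
r/r * 45-128-1: Documents/secret.docx
r/r * 46-128-1: Documents/report.docxx
d/d * 47-144-1: Documents/old
r/r 50-128-1: Documents/readme.txt
-/r * 52-128-1: $OrphanFiles/leak.DOCX'

echo "NTFS partitions (slot start_sector byte_offset):"
printf '%s\n' "$SAMPLE_MMLS" | partition_offsets
echo "Deleted .docx entries:"
printf '%s\n' "$SAMPLE_FLS" | deleted_docx
```

Against a real image the two functions are fed by the tools themselves: `mmls image.dd | partition_offsets` and `fls -r -p -o 206848 image.dd | deleted_docx`. The orphan entry in the sample is the reason for the `-p` and the loose `^[^ ]+` type match: deleted files whose parent directory is gone are listed under $OrphanFiles with type "-/r".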
Verify system information

Verify Users’ information


Windows Registry Analysis Requirements
• All investigations involving the Windows Registry require
• RegRipper 3.0 installed
• the registry hive files extracted from the image (SOFTWARE, SYSTEM, SAM, each user's NTUSER.DAT and UsrClass.dat, plus Amcache.hve)
• Please follow the pptx to meet the requirements
• Verify the files on the next slide before any tasks

3. What is the installed OS information in detail?
rip.pl -r <hive> -p <plugin>
-r: registry hive file to parse
-p: plugin to run
RegRipper prints timestamps in UTC (GMT).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion (values such as ProductName, CurrentBuild, InstallDate, RegisteredOwner)
Show the rip.pl command help: run rip.pl without arguments
Try it
List all 243 plugins (-l: list the plugins together with the hive each one applies to; filter the list for SOFTWARE)
Show the location of all plugins
4. What is the time zone setting?
Search for the timezone plugin and the hive that contains the time zone (SYSTEM).
Run the timezone plugin: rip.pl -r SYSTEM -p timezone
The Bias value is the difference, in minutes, between Greenwich Mean Time (GMT, also known as Coordinated Universal Time, or UTC) and local time: UTC = local time + Bias. For Eastern time (US and Canada) the registry stores 300, because local time is five hours behind UTC; some documentation (and the original slide) quotes it as -300, which is the same quantity computed as local minus UTC. ActiveTimeBias is the bias currently in effect, including any daylight-saving adjustment. RegRipper's "Z" suffix stands for Zulu time, which is UTC.
HKLM\SYSTEM\ControlSet###\Control\TimeZoneInformation
5. What is the computer name?
Search for the compname plugin and the hive that contains the computer name (SYSTEM).
Run the compname plugin: rip.pl -r SYSTEM -p compname
HKLM\SYSTEM\ControlSet###\Control\ComputerName\ComputerName (value: ComputerName)
HKLM\SYSTEM\ControlSet###\Services\Tcpip\Parameters (value: Hostname)......
User Account Investigation
6. How many accounts does the system have?
(except Administrator, Guest, systemprofile, LocalService, NetworkService)
Search for profiles (the ProfileList key in the SOFTWARE hive lists one profile path per SID)
Resolve the SIDs to user names
Find and search for Security Accounts Manager (SAM) information
The SAM hive stores account information, e.g., passwords in a hashed format (NTLM: the unsalted MD4 of the UTF-16LE password).
grep -E <regular expression>
• account created
• last login: 3 days later, but the attempt failed
6.1 What are the NTLM hashes of these accounts?
6.2 How to crack Windows 10 passwords?
Crack the Win 10 password using the NTLM hash and a rainbow table (NTLM hashes are unsalted, so precomputed tables apply directly).
Follow the PPTs
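Question 6 excludes the built-in and service accounts, which is easier done on the SIDs than on the names: the service profiles use the well-known SIDs S-1-5-18/19/20 and the built-in Administrator and Guest have RIDs 500 and 501, while accounts created on the machine get RIDs of 1000 and up. The following is an added shell example (my code, not from the slides or from RegRipper) that applies that rule with the grep -E / awk pattern the slide hints at. The sample profile listing is constructed in the shape of RegRipper's profilelist output; the SIDs and the "auditor" account are invented for the example.

```shell
#!/bin/sh
# Added example (not from the original slides): count the interactive user accounts
# in profilelist-style output. Service profiles use well-known SIDs (S-1-5-18
# systemprofile, S-1-5-19 LocalService, S-1-5-20 NetworkService) and built-in
# accounts use RIDs below 1000 (500 Administrator, 501 Guest); accounts created on
# the machine are S-1-5-21-<machine>-<RID> with RID >= 1000.

# user_profiles: read "Path : ..." / "SID : ..." pairs on stdin and print
# "<SID> <profile path>" for every account with a four-or-more-digit RID.
user_profiles() {
    awk -F' : ' '
        $1 ~ /^Path/ { path = $2 }
        $1 ~ /^SID/ && $2 ~ /^S-1-5-21-[0-9-]+-[0-9][0-9][0-9][0-9]+$/ { print $2, path }'
}

# count_user_accounts: number of distinct such SIDs on stdin.
count_user_accounts() {
    user_profiles | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed sample in the shape RegRipper's profilelist plugin prints (the real
# output carries more fields; only Path and SID matter here).
SAMPLE_PROFILELIST='Path      : C:\WINDOWS\system32\config\systemprofile
SID       : S-1-5-18
Path      : C:\Windows\ServiceProfiles\LocalService
SID       : S-1-5-19
Path      : C:\Windows\ServiceProfiles\NetworkService
SID       : S-1-5-20
Path      : C:\Users\Administrator
SID       : S-1-5-21-2425377081-3129163575-2985601102-500
Path      : C:\Users\informant
SID       : S-1-5-21-2425377081-3129163575-2985601102-1001
Path      : C:\Users\auditor
SID       : S-1-5-21-2425377081-3129163575-2985601102-1002'

printf '%s\n' "$SAMPLE_PROFILELIST" | user_profiles
echo "user accounts: $(printf '%s\n' "$SAMPLE_PROFILELIST" | count_user_accounts)"
```

ProfileList only knows accounts that have logged on at least once and created a profile; cross-check the count against the SAM (samparse), which lists every local account, including ones that never logged on.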
7. Who was the last user to log on to the PC?
The last user who successfully logged in
HKLM\Software\~
HKLM\SAM\~
8. When was the last recorded shutdown date/time?
A control set contains system configuration information such as device drivers and services.
• ControlSet001 may be the last control set you booted with.
• ControlSet002 could be what is known as the last known good control set, or the control set that last successfully booted Windows NT.
• HKLM\SYSTEM\Select (value: Current) names the control set that was CurrentControlSet; check it before relying on a ControlSet### value.
HKLM\SYSTEM\ControlSet###\Control\Windows (value: ShutdownTime, a 64-bit FILETIME)
Conclusion: informant was the last user logged on, at 13:05 (previous slide), and shut down the PC at 15:31. RegRipper reports both timestamps in UTC; apply the Bias from question 4 to get local time.
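Questions 4 and 8 meet here: ShutdownTime is stored as a raw FILETIME and RegRipper reports it in UTC, so relating it to what the user saw on the clock needs the Bias. The following is an added shell example (my code, not from the slides or from RegRipper) that decodes the eight value bytes as regedit shows them and applies the Bias. The sample bytes are constructed (they encode 1970-01-01 00:00:01 UTC), not the case image's value, and the Eastern Bias of 300 is used only as an illustration.

```shell
#!/bin/sh
# Added example (not from the original slides): decode a registry FILETIME such as
# ShutdownTime and apply the TimeZoneInformation Bias from question 4.

# filetime_to_epoch: $1 holds the 8 value bytes as a hex viewer or regedit shows
# them, little-endian, e.g. "00 80 3E D5 DE B1 9D 01". A FILETIME counts 100 ns
# ticks since 1601-01-01 UTC; 11644473600 s separate that from the Unix epoch.
# Needs a 64-bit shell (dash/bash on 64-bit Linux); a 32-bit shell would overflow.
filetime_to_epoch() {
    be=''
    for byte in $1; do be="$byte$be"; done     # reverse to big-endian hex
    echo $(( 0x$be / 10000000 - 11644473600 ))
}

# utc_to_local: $1 Unix epoch in UTC, $2 Bias in minutes as stored in the registry.
# Windows defines UTC = local + Bias, so local = UTC - Bias * 60.
utc_to_local() {
    echo $(( $1 - $2 * 60 ))
}

# fmt_time: human-readable form of an epoch; uses GNU date when available and
# falls back to the raw number elsewhere.
fmt_time() {
    date -u -d "@$1" '+%Y-%m-%d %H:%M:%S' 2>/dev/null || echo "$1"
}

# Constructed value: the FILETIME of 1970-01-01 00:00:01 UTC, not a value from the case image.
SHUTDOWN_BYTES='80 16 D7 D5 DE B1 9D 01'
BIAS=300                                   # Eastern Standard Time, UTC = local + 300 min
utc=$(filetime_to_epoch "$SHUTDOWN_BYTES")
echo "ShutdownTime UTC:   $(fmt_time "$utc")"
echo "ShutdownTime local: $(fmt_time "$(utc_to_local "$utc" "$BIAS")") (Bias $BIAS)"
```

The same conversion applies to every FILETIME in the hives (key LastWrite times, UserAssist last-run times, Amcache timestamps), and the sign rule is the usual pitfall: a positive Bias means local time is behind UTC, so local = UTC minus the Bias.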
9. Explain the information of the network interface(s) with an IP address assigned by DHCP.
HKLM\SYSTEM\ControlSet###\Services\Tcpip\Parameters\Interfaces\{GUID}
(values such as EnableDHCP, DhcpIPAddress, DhcpSubnetMask, DhcpServer, DhcpDefaultGateway, DhcpNameServer, LeaseObtainedTime and LeaseTerminatesTime; the two lease times are Unix epoch values)
Application Usages Investigation
A state diagram for application usage investigations
10. What applications were installed by the
suspect after installing OS?

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData
10.1 What applications can be uninstalled by
the suspect after installing OS?

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\~
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\~
11. List application execution logs (executable path, execution time, execution count...)
• Shimcache: application compatibility cache
• Amcache / RecentFileCache
• UserAssist
• Prefetch
• MuiCache: Multilingual User Interface cache
11.1 Primary purpose of Shimcache
• Shimcache is part of Windows' application compatibility infrastructure: when a program is launched, Windows checks whether any known compatibility fixes ("shims") apply to it, and the Shimcache stores the result so that the check does not have to be repeated at every launch (think of Amazon's local distribution center).
• It therefore speeds up loading frequently executed programs; it is not a dedicated compatibility checker and does not fix compatibility issues itself. The shims are applied by the compatibility engine so that the program runs smoothly on the Windows platform.
• As a side effect, Shimcache records execution history: program names, file paths and timestamps. Unlike Prefetch and UserAssist it does not store execution counts.
Registry for Shimcache
• Known as AppCompatCache
• HKLM\SYSTEM\ControlSet###\Control\Session Manager\AppCompatCache\ (binary value: AppCompatCache)
• Two actions can cause the Shimcache to record an entry
• A file is executed. This is recorded on all versions of Windows beginning with XP.
• A user interactively browses a directory (Windows Vista, 7, Server 2008 and Server 2012): if a directory contains the files "foo.txt" and "bar.exe", a Windows 7 system may record entries for both files in the Shimcache. On these versions an entry alone therefore does not prove execution; the execution flag does.
Shimcache entry
• Stores various file metadata depending on the operating system
• File full path
• File size (XP/2003)
• $STANDARD_INFORMATION (SI) last modified time
• Shimcache last updated time (XP/2003)
• Process execution flag, set during process creation/execution (Vista through Windows 8.1; Windows 10 no longer records it)
• The registry value only contains the information as of the system's last shutdown
• current entries are stored only in memory and are written to the hive at shutdown
• The oldest data is replaced by new entries (the cache holds 96 entries on XP and 1024 on Windows 7 and later)
Extract the Shimcache from the registry (the binary value has to be parsed, by a RegRipper plugin or a dedicated Shimcache parser)
11.2 Main purpose of Amcache
• Assists with application compatibility (it is the Application Compatibility hive, a registry hive file)
• ensures that software updates or system changes do not break existing applications
• used to apply compatibility fixes or "shims" to programs
• maintains information about installed and executed applications on the system
• including file paths, version numbers, compatibility settings and the SHA-1 hash of each executable
• Software inventory
• a repository of information about installed software
• C:\Windows\AppCompat\Programs\Amcache.hve
• Focus on software installation and updates
• By contrast, a Shimcache entry is updated each time the application is executed
Amcache replaces RecentFileCache.bcf
• Amcache
• Windows 8 and later
• It includes information about executed programs (similar to Shimcache) and also contains details about recently accessed files and folders
• RecentFileCache.bcf
• In Windows 7 and earlier versions, the RecentFileCache.bcf file was used to record recent file activity
Find the location of RecentFileCache.bcf (Win 7): C:\Windows\AppCompat\Programs\RecentFileCache.bcf
Parse Amcache (Win 8): rip.pl -r Amcache.hve -p amcache
Show RecentFileCache.bcf
11.3 UserAssist
• Microsoft uses UserAssist to populate a user's Start menu with frequently used applications.
• Every GUI-based program launched from the desktop (Explorer) is tracked; programs started from a command line are not.
• The values are located in each user's NTUSER.DAT.
• The value names are ROT-13 encoded; the binary value data holds the run count and the timestamp of the last run (a FILETIME).
• Count: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
• Good for analyzing the behavior of users
List the programs executed by the user informant (run the userassist plugin against informant's NTUSER.DAT)
Search whether "chrome" has been executed by the user informant; show the lines before and after the matches (grep -B / -A).
11.4 Prefetch
• A memory management technology
• Saves prefetch information about executables in .pf files
• %SYSTEMROOT%\Prefetch\*.pf, named <EXECUTABLE>-<hash>.pf
• To improve the user experience
• Introduced by Microsoft in Windows XP and Windows Server 2003
• Preloads the most frequently used software (and the files it touches at startup) into memory
• To speed up operating system booting and application launching
• SuperFetch on Windows Vista: an improved version of Prefetch
Prefetch registry configuration (enable/disable): HKLM\SYSTEM\ControlSet###\Control\Session Manager\Memory Management\PrefetchParameters (value: EnablePrefetcher; 0 = disabled, 1 = application launch, 2 = boot, 3 = both)
Examine the Prefetch setting from the registry
Verify that the Prefetch folder has .pf files (Prefetch is disabled by default on Windows Server, so an empty folder is not by itself suspicious)
Verify that the prefetch parsing command is available
Parse the Prefetch of chrome.exe (CHROME.EXE-<hash>.pf)
-f FILE, --file FILE Parse a given Prefetch file
Parse the Prefetch of chrome.exe and save the results to .CSV
-c, --csv Present results in CSV format
11.5 MuiCache: Multilingual User Interface
• What is MUI?
• Supports multiple languages for software; the localized resource strings live in separate .mui files
• Drawback: the MUI scheme is a bit slower
• Solution: MUI caching of localized strings
• When the right version of a string (e.g., an application's friendly name) is retrieved from the MUI file for a given app, it is stored in the registry.
• If the string is needed again, it can be retrieved from the registry, which is faster than having to open up the MUI file again.
• For forensics this leaves the full path of each executable whose strings were looked up, i.e., of programs the user ran, without timestamps.
Windows 2000, Windows XP, Windows Server 2003: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
Windows 10: HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache (stored in the user's UsrClass.dat, not in NTUSER.DAT)
Search for the muicache plugin
Examine the MuiCache
Search for usrclass.dat
Extract usrclass.dat
Search the MuiCache in usrclass.dat
Summary of 11.
• [File] Windows Prefetch folder: \Windows\Prefetch\*.pf -> executable file paths and their execution timestamps (+ execution counts)
• [File] IconCache: \Users\informant\AppData\Local\IconCache.db -> executable file paths and their icon images
• [Reg] UserAssist: HKU\informant\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count\ -> executable file paths and their execution timestamps (+ execution counts)
• [Reg] Application Compatibility (Shimcache): HKLM\SYSTEM\ControlSet###\Control\Session Manager\AppCompatCache\ -> executable file paths and their modified timestamps
• [Reg] Application Compatibility Cache (Program Compatibility Assistant): HKU\informant\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\ -> executable file paths and their modified timestamps
• [Reg] MuiCache: HKU\informant\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\ -> executable file paths
