Forensics

Windows

Recover deleted files

Like the File Allocation Table, there is a Master File Table in NTFS. However, the Master File Table, or MFT, is much more extensive than the File Allocation Table. It is a structured database that tracks the objects stored in a volume. Therefore, we can say that the NTFS file system data is organized in the Master File Table. From a forensics point of view, the following are some of the critical files in the MFT:

#Get Info about files in $MFT
MFTECmd.exe -f <path-to-$MFT-file> --csv <path-to-save-results-in-csv>

Open a disk image, local disk, etc. with Autopsy and run any desired modules.

Evidence of execution

Windows Prefetch files

When a program is run in Windows, it stores its information for future use. This stored information is used to load the program quickly in case of frequent use. This information is stored in prefetch files which are located in the C:\Windows\Prefetch directory.

#EZTools
PECmd.exe -f <path-to-Prefetch-file> --csv <path-to-save-csv>
PECmd.exe -d <path-to-Prefetch-directory> --csv <path-to-save-csv>

Windows 10 Timeline

Windows 10 stores recently used applications and files in an SQLite database called the Windows 10 Timeline. This data can be a source of information about the last executed programs. It contains the application that was executed and the focus time of the application. The Windows 10 timeline can be found at the following location:

C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\{randomfolder}\ActivitiesCache.db

#EZTools
WxTCmd.exe -f <path-to-timeline-file> --csv <path-to-save-csv>

Windows Jump Lists

Windows introduced jump lists to help users go directly to their recently used files from the taskbar. We can view jump lists by right-clicking an application's icon in the taskbar, and it will show us the recently opened files in that application. This data is stored in the following directory:

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

#EZTools
JLECmd.exe -f <path-to-Jumplist-file> --csv <path-to-save-csv>

Shortcut Files

Windows creates a shortcut file for each file opened either locally or remotely. The shortcut files contain information about the first and last opened times of the file and the path of the opened file, along with some other data. Shortcut files can be found in the following locations:

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\

C:\Users\<username>\AppData\Roaming\Microsoft\Office\Recent\

#EZTools
LECmd.exe -f <path-to-shortcut-files> --csv <path-to-save-csv>
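Added example, not part of these notes or of EZTools: a small Python parser for the fixed 76-byte ShellLinkHeader at the start of a .lnk file, which is where the target's creation/access/write timestamps and size that LECmd reports come from. The header layout follows MS-SHLLINK; the sample header bytes are constructed here, not taken from a real system.

```python
"""Decode the ShellLinkHeader (MS-SHLLINK 2.1) of a Windows .lnk file."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_FMT = "<I16sIIQQQIIIHHII"  # HeaderSize, LinkCLSID, LinkFlags, FileAttributes, 3x FILETIME, FileSize, ...
HAS_LINK_INFO = 0x02  # LinkFlags bit B: a LinkInfo block (local/UNC target path) follows the header

def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means the stamp was never set."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Integer arithmetic so the round trip is exact (no float rounding)."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_lnk_header(data):
    """Return the forensically useful header fields, or raise ValueError if this is not a .lnk."""
    if len(data) < 76:
        raise ValueError("shorter than a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize,
     _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack(HEADER_FMT, data[:76])
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("bad HeaderSize or LinkCLSID: not a shell link")
    return {
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_written": filetime_to_datetime(wtime),
        "target_size": fsize,
        "file_attributes": attrs,
        "has_link_info": bool(flags & HAS_LINK_INFO),
    }

def build_sample_lnk():
    """Constructed header: target created 2021-03-01 09:30 UTC, accessed one day later."""
    created = datetime(2021, 3, 1, 9, 30, tzinfo=timezone.utc)
    accessed = created + timedelta(days=1)
    return struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,  # 0x20 = FILE_ATTRIBUTE_ARCHIVE
                       datetime_to_filetime(created), datetime_to_filetime(accessed),
                       datetime_to_filetime(created), 1234, 0, 1, 0, 0, 0, 0)

if __name__ == "__main__":
    for key, value in parse_lnk_header(build_sample_lnk()).items():
        print(f"{key:16} {value}")
```

Only the header is decoded here; the target path lives in the LinkInfo block that follows it when `has_link_info` is set.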

IE/Edge history

An interesting thing about the IE/Edge browsing history is that it includes files opened in the system as well, whether those files were opened using the browser or not. Hence, a valuable source of information on opened files in a system is the IE/Edge history. We can access the history in the following location:

C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat

The files/folders accessed appear with a file:///* prefix in the IE/Edge history.

Setupapi dev logs for USB devices

When any new device is attached to a system, information related to the setup of that device is stored in the setupapi.dev.log. This log is present at the following location:

C:\Windows\inf\setupapi.dev.log
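Added example, not from these notes: a Python parser that pulls the hardware-initiated device install sections out of setupapi.dev.log and builds a first-connection timeline, splitting VID, PID and serial out of USB device IDs. The log excerpt is constructed, and the section layout (">>> [Device Install ...]", ">>> Section start", "<<< [Exit status: ...]") is assumed to match what Windows 10 writes.

```python
"""Extract hardware-initiated device install sections from setupapi.dev.log."""
import re
from datetime import datetime

SECTION_HDR = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<dev>.+)\]\s*$")
SECTION_START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
EXIT_STATUS = re.compile(r"^<<<\s+\[Exit status: (?P<st>\w+)\]")
USB_ID = re.compile(r"^USB\\VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})\\(?P<serial>[^\\&]+)$")

def parse_device_installs(text):
    """One record per install section; USB device IDs get vid/pid/serial fields added."""
    records, current = [], None
    for line in text.splitlines():
        m = SECTION_HDR.match(line)
        if m:
            current = {"device": m.group("dev"), "start": None, "status": None}
            usb = USB_ID.match(current["device"])
            if usb:
                current.update(vid=usb.group("vid").upper(), pid=usb.group("pid").upper(),
                               serial=usb.group("serial"))
            records.append(current)
            continue
        if current is None:
            continue  # lines belonging to other kinds of sections
        m = SECTION_START.match(line)
        if m:
            current["start"] = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            continue
        m = EXIT_STATUS.match(line)
        if m:
            current["status"] = m.group("st")
            current = None  # section closed; skip until the next header
    return records

# Constructed excerpt: a USB flash drive enumerated first on the USB bus, then as a disk.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5591\\4C530001230418101061]
>>>  Section start 2021/03/01 09:28:41.512
      cmd: C:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch -p
     dvi: {Build Driver List} 09:28:41.560
<<<  Section end 2021/03/01 09:28:42.105
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - SWD\\WPDBUSENUM\\_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer#4C530001230418101061&0#]
>>>  Section start 2021/03/01 09:28:42.300
<<<  Section end 2021/03/01 09:28:42.900
<<<  [Exit status: SUCCESS]
"""

if __name__ == "__main__":
    for r in parse_device_installs(SAMPLE_LOG):
        print(r["start"], r["status"], r.get("vid"), r.get("pid"), r.get("serial"), r["device"])
```

The "Section start" stamp is local time on the host, so align it with the Prefetch and event log evidence using the machine's time zone.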

RedLine

RedLine is software developed by FireEye and can help a red/blue teamer to identify malicious and/or abnormal activities. It works a little bit like Volatility but has a nice GUI and a better approach, in my opinion, to cross-platform analysis. RedLine is good to get an overview or maybe even the full details of specific events, but a combination of RedLine and Volatility can go a long way.

Simply install RedLine and proceed to analyze your system with the default script, or start a custom scan using the script customization engine. Most of the time you will use the Standard Collector; it only takes a few minutes and collects the minimal amount of information needed for the scan.

https://www.fireeye.com/content/dam/fireeye-www/services/freeware/ug-redline.pdf

  1. Standard Collector - this method configures the script to gather a minimum amount of data for the analysis. This is going to be our preferred method to collect data in this room. It is also usually the fastest method to collect the data you need. It takes only a few minutes to complete.

  2. Comprehensive Collector - this method configures the script to gather the most data from your host for further analysis. This method takes up to an hour or more. You will choose this method if you prefer the full analysis of the system.

  3. IOC Search Collector (Windows only) - this method collects data that matches the Indicators of Compromise (IOCs) that you created with the help of IOC Editor. You will choose this method if you want to run the data collection against known IOCs that you have gathered through threat intelligence (data feed or narrative report), incident response, or malware analysis and imported into IOC Editor. We'll look at the IOC Editor a bit further in the next task.

Finish configuring your analysis, then select an empty folder in which to store your scan configuration and results. You can then execute the batch script that starts the analysis of your system with your customized configuration.

A command prompt window will appear and, after a few minutes or hours depending on how you configured your analysis, will close by itself once the collection is complete. A new folder named SESSIONS should be created with the results in it.

You can then open your Analysis Session file using RedLine. This can take a few minutes to import.

  • System Information: this is where you will see the information about the machine, BIOS (Windows only), operating system, and user information.

  • Processes: processes will contain different attributes such as Process Name, PID, Path, Arguments, Parent process, Username, etc. When you expand the Processes tab, there will be four sections: Handles, Memory Sections, Strings, and Ports.

A handle is a connection from a process to an object or resource in a Windows operating system. Operating systems use handles for referencing internal objects like files, registry keys, resources, etc.

Memory Sections lets you investigate unsigned memory sections used by processes. Most processes load legitimate dynamic link libraries (DLLs), which are signed, so any unsigned DLL you see is worth a closer look.

Strings - you will see the information on the captured strings.

Ports - this is one of the critical sections to pay attention to. Malware often initiates outbound or inbound connections to communicate with its command and control (C2) server, for example to exfiltrate data or download a payload onto the machine. This is where you can review suspicious connections by port and IP address. Pay attention to the system processes as well: threat actors like to avoid detection by hiding under system processes. For example, explorer.exe or notepad.exe shouldn't be on the list of processes with outbound connections.

Other important sections:

  • File System

  • Registry

  • Windows Services

  • Tasks (Threat actors like to create scheduled tasks for persistence)

  • Event Logs (this is another great place to look for suspicious Windows PowerShell events as well as Logon/Logoff, user creation events, and others)

  • ARP and Route Entries

  • Browser URL History

  • File Download History

The Timeline helps you understand when the compromise happened and what steps the malicious actor took to escalate the attack. The Timeline also records every action on a file: whether it was created, changed, modified, or accessed.
