Windows Forensics
Windows forensics is the practice of collecting and examining evidence from a Windows system under investigation.
- [Windows Forensics](https://tryhackme.com/room/windowsforensics1)
System Information
- IP Address & MAC Address
Below is the location of a file that records the IP address and MAC address when Look@LAN is installed.
```ini
# Look@LAN is a network monitoring tool. If the system uses it, we can recover network information from its config file.
# LANIP -> IP address
# LANNIC -> MAC address
c:\Program Files (x86)\Look@LAN\irunin.ini
```
- Network Cards
The name of the network card looks like “Intel(R) PRO/1000 MT Desktop Adapter” and can be found in diagnostic logs such as:
```
c:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_1_2_3_45_67.etl
```
- PowerShell History
Sometimes the PowerShell command history contains sensitive information about the system.
- Malware History
Suspicious activity is likely to have been detected by Windows Defender, so its detection history is worth reviewing.
Event Logs
- Event Viewer
Below is a list of log channels worth noting.
- Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
- Applications and Services Logs/Microsoft/Windows/PrintService/Admin
In each channel, we can find the desired entries by specifying a keyword in the “Find” action in the right pane.
- PowerShell
We can also read event logs from a log file in PowerShell.
Processes
- Process Monitor
To get the parent PID of a specific process, click the “Filter” icon, enter the process name (e.g. “spoolsv.exe”), select “Include”, and click Apply. Right-click the highlighted item and open the “Process” tab; the parent PID is shown there.
Registry Hives
A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system is started or a user logs in.
- Registry Editor
We can find registry keys in the Registry Editor.
- Click on the Windows icon and select Run.
- Enter “regedit” in the input form. Registry Editor opens.
File Locations
Registry hives are located in C:\Windows\System32\config.
- DEFAULT (HKEY_USERS\DEFAULT in regedit)
- SAM (HKEY_LOCAL_MACHINE\SAM in regedit)
- SECURITY (HKEY_LOCAL_MACHINE\Security in regedit)
- SOFTWARE (HKEY_LOCAL_MACHINE\Software in regedit)
- SYSTEM (HKEY_LOCAL_MACHINE\System in regedit)
The other hives are located in the user's home directory (C:\Users\<username>).
- NTUSER.DAT (HKEY_CURRENT_USER in regedit)
  It contains the user account settings. It is located in C:\Users\<username>.
- USRCLASS.DAT (HKEY_CURRENT_USER\Software\CLASSES)
  It stores the ShellBag information for the Desktop, ZIP files, remote folders, local folders, etc. It is located in C:\Users\<username>\AppData\Local\Microsoft\Windows.
The Amcache hive is located in C:\Windows\AppCompat\Programs\Amcache.hve. It stores information on programs that were recently run on the system.
Acquire Registry Data
- KAPE
- Autopsy
- FTK Imager
Gather Information From Registry Hives
We can retrieve information using Registry Viewer or Registry Explorer.
OS Version
- SOFTWARE\Microsoft\Windows NT\CurrentVersion
Current Control Set
- SYSTEM\ControlSet001
- SYSTEM\ControlSet002
Computer Name
- SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Time Zone
- SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Network
- SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
SAM Hive & User Information
- SAM\Domains\Account\Users
Recent Files
- NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Microsoft Office Recent Files
- NTUSER.DAT\Software\Microsoft\Office\VERSION
ShellBags
- USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bag
- USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
- NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
- NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
ShimCache
- SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
AmCache
- Amcache.hve\Root\File\<Volume GUID>\
BAM/DAM
- SYSTEM\CurrentControlSet\Services\bam\UserSettings\<SID>
- SYSTEM\CurrentControlSet\Services\dam\UserSettings\<SID>
UserAssist
- NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count
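The BAM/DAM and UserAssist keys above are only useful once their raw values are decoded: UserAssist value names are ROT13-encoded, and the values and BAM entries carry FILETIME timestamps. The following Python is an added example, not code from the original page: it decodes the Windows 7+ UserAssist Count layout (72 bytes, run count at offset 4, last-run FILETIME at offset 60) and reads the FILETIME at the start of a BAM value. The sample values, including the ROT13 names and timestamps, are constructed here; on a real system they would be read from the hive with a registry parser.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means unset."""
    if ft == 0:
        return None
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used here only to build sample data."""
    delta = dt - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist_name(value_name: str) -> str:
    """Value names under UserAssist\\<GUID>\\Count are ROT13-encoded."""
    return codecs.decode(value_name, "rot_13")


def parse_userassist_count(data: bytes) -> Dict[str, object]:
    """Parse a Windows 7+ UserAssist Count value: 72 bytes with the run count at
    offset 4, focus count at 8, focus time in ms at 12 and the last-run FILETIME
    at 60. The older 16-byte Windows XP layout is deliberately rejected."""
    if len(data) != 72:
        raise ValueError(f"unexpected UserAssist value length {len(data)} (expected 72)")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run_ft = struct.unpack_from("<Q", data, 60)[0]
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run_ft),
    }


def summarize_userassist(values: Dict[str, bytes]) -> List[Dict[str, object]]:
    """Decode every value of a Count key and sort by last run, newest first."""
    rows = []
    for name, data in values.items():
        row = parse_userassist_count(data)
        row["program"] = decode_userassist_name(name)
        rows.append(row)
    rows.sort(key=lambda r: r["last_run"] or WINDOWS_EPOCH, reverse=True)
    return rows


def parse_bam_entry(data: bytes) -> Optional[datetime]:
    """bam\\UserSettings\\<SID> values are named after the executable path; the
    first 8 bytes of the data are the last-execution FILETIME (data is 24 bytes
    on current Windows 10/11 builds, 8 bytes on older ones)."""
    if len(data) < 8:
        raise ValueError("BAM value too short to hold a FILETIME")
    return filetime_to_datetime(struct.unpack_from("<Q", data, 0)[0])


def _build_userassist_blob(run_count: int, last_run: datetime) -> bytes:
    """Constructs sample data in the 72-byte layout (test data only)."""
    blob = bytearray(72)
    struct.pack_into("<III", blob, 4, run_count, 0, 0)
    struct.pack_into("<Q", blob, 60, datetime_to_filetime(last_run))
    return bytes(blob)


# Constructed sample values: the names are ROT13 of "{System folder GUID}\cmd.exe"
# and "notepad.exe", as they would appear in the Count key.
SAMPLE_USERASSIST: Dict[str, bytes] = {
    "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr":
        _build_userassist_blob(5, datetime(2023, 1, 2, 3, 45, tzinfo=timezone.utc)),
    "abgrcnq.rkr":
        _build_userassist_blob(2, datetime(2023, 1, 1, 12, 0, tzinfo=timezone.utc)),
}
SAMPLE_BAM: Dict[str, bytes] = {
    "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe":
        struct.pack("<Q", datetime_to_filetime(datetime(2023, 1, 2, 3, 45, tzinfo=timezone.utc)))
        + b"\x00" * 16,
}

if __name__ == "__main__":
    for row in summarize_userassist(SAMPLE_USERASSIST):
        print(f'{row["last_run"]}  runs={row["run_count"]:<3} {row["program"]}')
    for path, data in SAMPLE_BAM.items():
        print(f"{parse_bam_entry(data)}  BAM {path}")
```

Cross-checking the UserAssist last-run time against the BAM timestamp for the same executable is a quick consistency test during an investigation; the two artifacts are maintained by different components, so agreement between them strengthens the timeline.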
Devices
- SYSTEM\CurrentControlSet\Enum\USBSTOR
- SYSTEM\CurrentControlSet\Enum\USB
- SOFTWARE\Microsoft\Windows Portable Devices\Devices
Windows Disk Management
Disk Management is a system utility in Windows that enables you to perform advanced storage tasks.
Partitions
Check partitions with it.
- Open 'Disk Management'.
- Right-click the partition to view its properties.
- Check the 'Security' tab or the 'Shadow Copies' tab.
Check a Partition in Windows Explorer
- Right-click the partition and click 'Change Drive Letter and Paths'.
- A dialog opens.
- Click 'Add'. In the dropdown, choose a letter (e.g. Z:) and click 'OK'.
- At the top, in the Volume column, you should see that the partition now has the letter (Z:) assigned.
- Open Windows Explorer and check that Z: appears under 'This PC'.
- Click the partition (Z:), click the 'View' tab at the top, then check 'Hidden Items'.
Restore a Previous Version of a Partition
- Right-click the partition and click 'Properties' -> 'Previous Versions'.
- Select the shadow copy you want to restore and click 'Restore'. A confirmation popup opens; click 'Restore'.
Windows Memory Dump Analysis
A memory dump file (.dmp), also called a 'crash dump', is a crash report file.
Investigation
Static Analysis
We can read the contents of this file with the usual static-analysis tools, for example:
```sh
strings example.dmp
strings example.dmp | grep -i password
# Open in a pager
strings example.dmp | less
xxd example.dmp
```
Using a Debugger
- IDA, ILSpy
- Visual Studio
Using an Online Viewer
This file can also be read with an online DMP viewer.
Dump KeePass Master Key (CVE-2023-32784)
If the .dmp file contains KeePass memory, we might be able to dump the master key. This vulnerability exists in KeePass 2.x before 2.54.
keepass-password-dumper is useful to do that.
In Windows, run the following commands.
```sh
git clone https://github.com/vdohney/keepass-password-dumper.git
cd keepass-password-dumper
dotnet run example.dmp
```
Windows XML EventLog (EVTX)
EVTX is used for Microsoft Windows to store system log information.
- Read EVTX in Linux
We can parse an .evtx file in Linux using evtx_dump.
```sh
wget https://github.com/omerbenamram/evtx/releases/download/v0.8.1/evtx_dump-v0.8.1-x86_64-unknown-linux-gnu -O evtx_dump
chmod +x evtx_dump
./evtx_dump example.evtx > parsed.txt
```
Now we can search the parsed text for sensitive information.
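Searching `parsed.txt` with grep works, but the records are XML, so filtering by Event ID or by a field such as the target user name is more reliable when the XML is actually parsed. The following Python is an added example, not code from the original page: it splits evtx_dump-style output into `<Event>` documents, pulls out the provider, Event ID, timestamp and `EventData` fields, and filters by Event ID and keyword. `SAMPLE_PARSED` is constructed to resemble evtx_dump's default XML output (a `Record N` line and an XML declaration before each event) and contains a Security logon event and a Sysmon process-creation event.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample shaped like `evtx_dump example.evtx > parsed.txt` output.
SAMPLE_PARSED = """\
Record 1
<?xml version="1.0" encoding="utf-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2023-01-02T03:45:10.000000Z"/>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
Record 2
<?xml version="1.0" encoding="utf-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <TimeCreated SystemTime="2023-01-02T03:46:00.000000Z"/>
  </System>
  <EventData>
    <Data Name="Image">C:\\Windows\\System32\\spoolsv.exe</Data>
    <Data Name="ParentImage">C:\\Windows\\System32\\services.exe</Data>
    <Data Name="User">NT AUTHORITY\\SYSTEM</Data>
  </EventData>
</Event>
"""

# Matches one <Event ...>...</Event> document; <EventID>/<EventData> do not
# match because \b requires a non-word character after "Event".
EVENT_RE = re.compile(r"<Event\b.*?</Event>", re.S)


def split_records(text: str) -> List[str]:
    """Isolate each event document, skipping the 'Record N' lines and the
    per-record XML declarations printed between them."""
    return EVENT_RE.findall(text)


def parse_record(xml_text: str) -> Dict[str, object]:
    """Extract provider, Event ID, creation time and EventData name/value pairs."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS)
    time_created = system.find("e:TimeCreated", NS)
    data: Dict[str, str] = {}
    event_data = root.find("e:EventData", NS)
    if event_data is not None:
        for d in event_data.findall("e:Data", NS):
            data[d.get("Name", "")] = (d.text or "").strip()
    return {
        "event_id": int(system.findtext("e:EventID", default="0", namespaces=NS)),
        "provider": provider.get("Name") if provider is not None else None,
        "time": time_created.get("SystemTime") if time_created is not None else None,
        "data": data,
    }


def hunt(text: str, event_ids: Optional[Iterable[int]] = None,
         keyword: Optional[str] = None) -> List[Dict[str, object]]:
    """Return records matching the given Event IDs (if any) whose provider or
    EventData values contain the keyword (case-insensitive, if given)."""
    wanted = set(event_ids) if event_ids is not None else None
    needle = keyword.lower() if keyword else None
    matches = []
    for rec in (parse_record(r) for r in split_records(text)):
        if wanted is not None and rec["event_id"] not in wanted:
            continue
        if needle is not None:
            haystack = " ".join([rec["provider"] or "", *rec["data"].values()]).lower()
            if needle not in haystack:
                continue
        matches.append(rec)
    return matches


if __name__ == "__main__":
    for rec in hunt(SAMPLE_PARSED, event_ids={4624, 1}):
        print(rec["time"], rec["provider"], rec["event_id"], rec["data"])
```

Against a real `parsed.txt`, `hunt(open("parsed.txt").read(), event_ids={4624}, keyword="alice")` answers the usual first question (when and from where did this account log on) without hand-grepping XML; the Sysmon `Image`/`ParentImage` pair answers the parent-process question the Process Monitor section above asks interactively.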
- Search Suspicious Activity in EVTX
Chainsaw is a command-line tool to rapidly search and hunt through Windows forensic artifacts.
```sh
git clone https://github.com/WithSecureLabs/chainsaw.git
cd chainsaw
cargo build --release
./chainsaw hunt evtx_files/ -s sigma/rules --mapping mapping/sigma-event-logs-all.yml
```
Reading OneDrive Logs
OneDrive log files can be read after deobfuscating them.
- Deobfuscating Log Files
To read OneDrive logs, we need to deobfuscate the log files (.odl, .odlsent, .odlgz).
These logs are located in the following directories on Windows:
```
C:\Users\<username>\AppData\Local\Microsoft\OneDrive\logs\Personal\
C:\Users\<username>\AppData\Local\Microsoft\OneDrive\logs\Business1\
```
The odl.py script is useful to deobfuscate OneDrive logs.
```sh
python -m venv venv
# on Windows
.\venv\Scripts\activate
pip install construct pycryptodome
python odl.py -o .\output.csv c:\Users\<username>\AppData\Local\Microsoft\OneDrive\logs\Personal\
```
After that, we can read the output file (output.csv) with tools such as VS Code or Excel.
This file contains sensitive information such as the OneDrive account email, access token, etc.