
In digital forensics and incident response (DFIR), Windows operating systems are among the most commonly analyzed environments. After a cyber incident, artifacts retrieved from Windows systems play a crucial role in understanding attack vectors and tracing the actions of malicious actors. To conduct an effective forensic analysis on Windows, careful examination of event logs, registry entries, file system artifacts, and memory images is essential.
In this article, we will cover the key artifacts found in Windows systems, detailing how each can be collected and how they shed light on cyber incidents. Forensic experts must be well-versed in these critical Windows components to provide more efficient and timely solutions in the world of cybersecurity.
DFIR stands for Digital Forensics and Incident Response. This field involves the collection of forensic artifacts from digital devices such as computers, media devices and smartphones to investigate an incident. It helps security professionals identify the footprints left by an attacker when a security incident occurs, use them to determine the extent of the threat in an environment, and restore the environment to the state it was in before the incident occurred.
The Need for DFIR
DFIR helps security professionals in several ways, some of which are summarized below:
- Finding evidence of attacker activity on the network and distinguishing false alarms from real events.
- Eliminating the attacker once and for all, so that they no longer have a foothold in the network.
- Determining the scope and timeframe of a breach. This helps to communicate with relevant stakeholders.
- Finding the gaps that led to the breach. What needs to be changed to prevent future breaches?
- Understanding the attacker’s behavior to prevent further intrusion attempts in advance.
- Sharing information about the attacker with the community.
Some Important Terms
Artifacts
Artifacts are pieces of evidence that point to an activity performed on a system. When performing DFIR, artifacts are collected to support a hypothesis or claim about attacker activity. For example, if we were to claim that an attacker used a Windows registry key to establish persistence on a system, we could use that registry key to support our claim. In this case, that registry key would be considered an artifact. Artifact collection is therefore an important part of the DFIR process. Artifacts can be collected from an endpoint's or server's file system, memory or network activity.
Evidence Preservation
When conducting DFIR, we must protect the integrity of the evidence we collect. For this reason, some industry best practices have been identified. We must remember that analysis performed on the original evidence contaminates it. Therefore, evidence is first collected and write-protected. Then, a copy of the write-protected evidence is used for analysis. This process ensures that our original evidence is not contaminated and remains safe during the analysis. If the copy under scrutiny becomes corrupted, we can always go back and make a new copy from the evidence we have protected.
Chain of Custody
Another critical aspect of protecting the integrity of evidence is the chain of custody. Once evidence is collected, it must be securely preserved. Anyone not involved in the investigation should not be in possession of the evidence; otherwise, the chain of custody of the evidence is contaminated. A contaminated chain of custody raises questions about the integrity of the data and weakens the case being built by adding unknown variables that cannot be resolved. For example, suppose that a hard disk image is transferred from the person who took the image to the person who will perform the analysis, but ends up in the hands of a person who is not authorized to handle such evidence. In this case, we cannot be sure whether this person handled the evidence correctly and did not contaminate it with their own activities.
Order of Volatility
Digital evidence is often volatile, meaning that it can be lost forever if not captured in time. For example, data in the memory (RAM) of a computer system is lost when the computer is turned off, because RAM retains data only while the system is powered. Some resources are more volatile than others. For example, a hard disk is a persistent storage medium and retains data even if the power goes off. A hard disk is therefore less volatile than RAM. When performing DFIR, it is vital to understand the order of volatility of different evidence sources and to capture and preserve evidence accordingly. In the example above, we need to capture RAM before the hard drive, because if we do not prioritize, we may lose the data in RAM.
Timeline Creation
Once we have collected the artifacts and preserved their integrity, we need to present them in an understandable way in order to make full use of the information they contain. For effective and accurate analysis, a timeline of events should be created. This timeline of events puts all activities in chronological order. This activity is called timeline construction. Timeline construction gives a perspective to the investigation and helps to collate information from various sources to create a story about how events happened.
Windows Registry and Forensics
The Windows Registry is a collection of databases containing configuration data for the system. This configuration data can be about hardware, software or user information. It also contains data about recently used files, programs used, or devices connected to the system.
The registry on any Windows system contains the following five root keys:
- HKEY_CURRENT_USER (HKCU)
- HKEY_USERS (HKU)
- HKEY_LOCAL_MACHINE (HKLM)
- HKEY_CLASSES_ROOT (HKCR)
- HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER (HKCU):
This key contains settings specific to the currently logged-in user. It stores user-specific preferences such as desktop settings, application preferences, and network connections. For example, UI preferences or settings for installed programs unique to the user are stored here.
Location: HKEY_CURRENT_USER points to the user-specific subkey under the HKEY_USERS key.
HKEY_USERS (HKU):
This key contains the profiles of all user accounts on the system. Each user has a unique security identifier (SID), and settings specific to each user are stored under their respective SID. In essence, HKEY_USERS stores a separate profile for every user on the system.
For example: HKEY_USERS\S-1-5-21-… is a subkey corresponding to a specific user’s SID.
HKEY_LOCAL_MACHINE (HKLM):
This key contains settings that are global to the computer, including hardware, software, and security settings. These system-wide settings are independent of any particular user and are necessary for the operation of the operating system and applications.
Location: It contains information such as hardware configuration, installed software details (e.g., HKEY_LOCAL_MACHINE\SOFTWARE), system driver settings, and more.
HKEY_CLASSES_ROOT (HKCR):
This key contains information about file associations, defining which application opens which file types. It maps file extensions (e.g., .txt, .jpg) to the applications that handle them.
Location: It is actually a combination of HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes, bridging the gap between system and user settings for file associations.
HKEY_CURRENT_CONFIG:
This key contains information about the current hardware configuration of the computer. The data here is typically updated when the system restarts or hardware changes occur. For example, display settings like screen resolution are stored here.
Location: It links to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles and shows the current hardware profile.
Most Registry Hives are stored under “C:\Windows\System32\Config”:
- DEFAULT (mounted on HKEY_USERS\DEFAULT)
- SAM (mounted on HKEY_LOCAL_MACHINE\SAM)
- SECURITY (mounted on HKEY_LOCAL_MACHINE\Security)
- SOFTWARE (mounted on HKEY_LOCAL_MACHINE\Software)
- SYSTEM (mounted on HKEY_LOCAL_MACHINE\System)

Apart from these hives, two more hives containing user information can be found in the User profile directory. For Windows 7 and above, a user’s profile directory is located in the “C:\Users\<username>\” directory, where the hives are:
- NTUSER.DAT (linked to HKEY_CURRENT_USER when the user logs in)
- USRCLASS.DAT (mounted on HKEY_CURRENT_USER\Software\CLASSES); this hive is located in the C:\Users\<username>\AppData\Local\Microsoft\Windows directory.

Amcache Hive
The Amcache hive is a Windows Registry file used primarily by the operating system to store information about applications and executables that have been run on the system. It provides forensic investigators with valuable insights during digital forensic and incident response (DFIR) investigations, especially when tracking the execution of programs and identifying persistence mechanisms used by malware.
- Program Execution Tracking: It logs when programs have been executed, which is valuable for determining which files were run and potentially which files are suspicious.
- Timestamps: It captures timestamps related to when an executable was first run, which can provide investigators with a timeline of events.
- File Hashes: Sometimes, the SHA-1 hash of the executable is stored, helping to identify known good or malicious files by comparing the hash to malware databases.
- Persistence Information: Amcache can also provide insight into installation paths and modules, which can be used to identify persistent malware or suspicious software installations.
- Location: C:\Windows\AppCompat\Programs\Amcache.hve

Transaction Logs and Backups
Some other very important sources of forensic data are registry transaction logs and backups. A transaction log can be thought of as a journal of changes made to a registry hive. Windows often uses transaction logs when writing data to registry hives. This means that transaction logs can contain the latest registry changes that have not yet been written to the hive itself. The transaction log for each hive is stored as a .LOG file in the same directory as the hive. It has the same name as the registry hive, but with the extension .LOG. For example, the transaction log for the SAM hive is located in the C:\Windows\System32\Config directory under the file name SAM.LOG. Sometimes there is more than one transaction log; in this case, their extensions are .LOG1, .LOG2, etc. It is wise to look at the transaction logs when performing a registry forensic examination.
Registry backups are the counterpart of transaction logs. They are backup copies of the registry hives located in the C:\Windows\System32\Config directory. These hives are copied every ten days to the C:\Windows\System32\Config\RegBack directory. This is an excellent place to look if you suspect that some registry keys may have been recently deleted or modified.
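As an added example (not code from the article), here is a small Python triage script for the point above: it reads the 512-byte REGF base block at the start of a hive file and uses its two sequence numbers to decide whether the hive is "dirty", i.e. whether the .LOG1/.LOG2 transaction logs hold changes that were never committed to the hive and must be replayed before analysis. The field offsets follow the publicly documented regf base-block layout; the sample headers are constructed inside the script and are not real hives.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fields at offset 4 of the 512-byte REGF base block (publicly documented regf layout):
# primary seq, secondary seq, FILETIME, major, minor, file type, file format,
# root cell offset, hive bins data size. The XOR-32 checksum sits at offset 508.
FIELDS = "<IIQIIIIII"
CHECKSUM_OFFSET = 508

def regf_checksum(block: bytes) -> int:
    """XOR of the 127 DWORDs before the checksum field, with the format's two special cases."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        x ^= dword
    return 1 if x == 0 else 0xFFFFFFFE if x == 0xFFFFFFFF else x

def filetime_to_utc(ft: int) -> datetime:
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_base_block(data: bytes) -> dict:
    """Triage a hive or .LOG file header: version, last write time, checksum and dirty state."""
    if len(data) < 512 or data[:4] != b"regf":
        raise ValueError("not a REGF file")
    primary, secondary, ft, major, minor, ftype, _fmt, root, hbins = struct.unpack_from(FIELDS, data, 4)
    stored = struct.unpack_from("<I", data, CHECKSUM_OFFSET)[0]
    return {
        "version": f"{major}.{minor}",
        "file_type": "transaction log" if ftype == 1 else "primary hive",
        "last_written_utc": filetime_to_utc(ft),
        "root_cell_offset": root,
        "hbins_size": hbins,
        "checksum_ok": stored == regf_checksum(data),
        # Windows increments the primary sequence number when a write starts and the
        # secondary when it finishes. If they differ, the write never completed: the
        # newest changes exist only in the hive's .LOG1/.LOG2 files.
        "dirty": primary != secondary,
    }

def build_base_block(primary: int, secondary: int, ft: int, name: str = "SYSTEM") -> bytes:
    """Constructed sample header (not a real hive) with a valid checksum."""
    hdr = bytearray(512)
    hdr[:4] = b"regf"
    struct.pack_into(FIELDS, hdr, 4, primary, secondary, ft, 1, 5, 0, 1, 0x20, 0x1000)
    hdr[48:48 + 2 * len(name)] = name.encode("utf-16-le")   # 64-byte file name field
    struct.pack_into("<I", hdr, CHECKSUM_OFFSET, regf_checksum(bytes(hdr)))
    return bytes(hdr)

# Constructed samples: the same hive header, once clean and once caught mid-write (dirty)
SAMPLE_FT = int((datetime(2024, 1, 15, 12, tzinfo=timezone.utc)
                 - datetime(1601, 1, 1, tzinfo=timezone.utc)).total_seconds()) * 10_000_000
CLEAN_HIVE = build_base_block(7, 7, SAMPLE_FT)
DIRTY_HIVE = build_base_block(8, 7, SAMPLE_FT)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_HIVE), ("dirty", DIRTY_HIVE)):
        print(label, parse_base_block(blob))
```

On a real system, run `parse_base_block` over the first 512 bytes of each hive under C:\Windows\System32\Config and of its .LOG1/.LOG2 companions; a dirty primary hive means the logs, not the hive file alone, hold the most recent changes.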

In the next article we will take a deeper look at Windows Registry Forensics.
Stay safe…