
This blog post is a continuation of my previous post and deals with the more technical side. Please check out my other blog post before reading this one…
Data Acquisition
In digital forensics we work either on a live system or on an image of it. To preserve the integrity of the evidence, the recommended practice is to take an image of the system, or a copy of the data we need, and perform the analysis on that copy rather than on the original. This process is called Data Acquisition.
Tools that can be used:
- KAPE
- Autopsy
- FTK Imager
- Belkasoft Live RAM Capturer
Belkasoft Live RAM Capturer loads a kernel-mode driver, so it can capture memory even when a process uses anti-debugging or anti-dumping protection that blocks user-mode acquisition tools.
KAPE
KAPE (Kroll Artifact Parser and Extractor) focuses on quickly collecting and processing relevant data.
KAPE has two main phases, target collection and module execution:
- Targets are essentially collections of file and directory specifications: they define which files and folders KAPE copies out of the system.
- Modules run programs against the collected data (or anything else on the system): the parsers you would run on the files gathered by targets, as well as other programs you might want to run from a live-response perspective.

gkape.exe is the GUI version of KAPE; it helps build the KAPE command line and run the acquisition.
In Target Source I set “C:\” to make the whole file system my target, and “Add %d” appends the current date and time to the destination path so that each acquisition lands in its own folder instead of overwriting an earlier one. I selected the targets to collect with the “!SANS_Triage” compound target; double-clicking it shows which targets it includes. I set the Container parameter to “Zip”. In the module section on the right I left “Module Source” blank, because KAPE then runs the modules against the target destination automatically. We activated “Add %d” again and selected the “!EZParser” module, which runs Eric Zimmerman’s parsers on the collected artifacts. As you can see, the corresponding command line was generated below.

I copied the generated command line and ran it from an elevated (administrator) console. As you can see, KAPE collects the targeted files and runs the selected modules on them to produce output.

The output of the targets and of the modules is written to ZIP files. I extracted the module ZIP here, and as you can see it contains many parsed files that are important for the forensic process.

We can examine these .csv files with EZViewer. As an example, I opened “UserAccounts_C_Windows_System32_config_SAM.csv” in EZViewer. As you can see, we obtained the list of accounts on the system, together with when each account was created, when it last logged on and when its password was last changed. Since this is a blog series about the basics, detailed forensic processes will not be covered.

Belkasoft Live RAM Capturer
As already mentioned, Belkasoft Live RAM Capturer is used only for capturing RAM images. Because its kernel-mode driver gets past more anti-dumping protections than other tools, it is a good first step when we encounter an incident: capture the RAM of the affected system with it before anything else (memory is the most volatile evidence and is lost on reboot), then run the forensic process on that image.

We can use the corresponding RAM output for Memory Forensic. Be sure to check the Volatility tool for this!
FTK Imager
FTK Imager (Forensic Toolkit Imager) is a powerful tool used in digital forensics. Widely used in both incident response and digital evidence collection, FTK Imager has the ability to extract data from file systems and create disk images. It was developed by AccessData and is commonly used for secure and robust copying of digital evidence.
You can find dozens of articles on how to obtain a disk image via FTK Imager. For this reason, I will not explain it here. You can add the disk image you have taken by clicking “Add Evidence Item” from the top left menu and manage your Forensic operations in this way.

Here we can even export a file of our choice (right-click it and choose Export Files) and study it in detail! You can search further for detailed usage…
Be sure to run the resulting disk image through Autopsy…
Exploring the Windows Registry
I have already covered most of the basics on this topic in my previous blog post, please check it out!
Registry Editor (regedit.exe)
regedit.exe is a tool used in the Windows operating system to open the Windows Registry Editor. The Windows Registry is a hierarchical database that stores configuration settings for Windows and installed programs. With regedit.exe, users can view, modify, add, or delete these settings.

Zimmerman’s Registry Explorer
Zimmerman’s Registry Explorer can load multiple hives simultaneously and replay the transaction logs (the .LOG1 and .LOG2 files next to each hive) into the hive to produce a ‘cleaner’ hive with more up-to-date data. It also has a handy ‘Bookmarks’ option listing forensically important registry keys that investigators commonly look for, so you can jump straight to interesting keys and values from the bookmarks menu.

When loading hives into Registry Explorer, do not forget to load the transaction logs as well! Registry Explorer prompts for them when a hive is dirty; without them, recent changes that have not yet been flushed to the hive file are missed.
RegRipper
RegRipper is a utility that takes a registry hive as input and outputs a report extracting data from forensically important keys and values in that hive. The report is a text file listing all results sequentially. One shortcoming of RegRipper is that it does not process transaction logs. For a more accurate result, load the hive and its transaction logs in Registry Explorer, save the merged (‘clean’) hive, and run RegRipper on that saved hive.

Current Control Set
The keys containing the machine’s configuration data used to control system startup are called Control Sets. Typically we see two of them in the SYSTEM hive, ControlSet001 and ControlSet002. In most cases ControlSet001 is the Control Set the machine booted from and ControlSet002 is the last known good configuration, but this should be confirmed from the Select key described below rather than assumed. Their location is as follows:
- SYSTEM\ControlSet001
- SYSTEM\ControlSet002
While the machine is running, Windows exposes the active Control Set through a volatile link key called CurrentControlSet (HKLM\SYSTEM\CurrentControlSet). On a live system this is the key to consult for the most accurate information. In an offline SYSTEM hive taken from an image, CurrentControlSet does not exist, so we first read the following value to learn which ControlSet00N is current, and then read our artifacts from that key instead: SYSTEM\Select\Current
Similarly, the last known good configuration is identified by the following registry value: SYSTEM\Select\LastKnownGood

OS Version
SOFTWARE\Microsoft\Windows NT\CurrentVersion

Computer Name
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

Timezone Information
Timezone information is important because some data on the computer carries timestamps in UTC (NTFS and most registry timestamps, for example) while other data, such as many application logs, is in local time. Knowing the local time zone lets us normalise everything to one reference when building a timeline from all sources. The key below holds the zone name (TimeZoneKeyName) and the offsets Bias and ActiveTimeBias, stored in minutes as REG_DWORD with the Windows convention Bias = UTC minus local time; a zone east of UTC therefore has a negative bias, which appears as a large unsigned value (0xFFFFFFC4 is -60, i.e. UTC+1).
SYSTEM\CurrentControlSet\Control\TimeZoneInformation
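To make the bias convention concrete, here is an added Python example (not code from the original post) that converts a Windows FILETIME to UTC, interprets an ActiveTimeBias REG_DWORD as a signed number of minutes, and shifts the timestamp into the machine’s local time. The ActiveTimeBias and FILETIME values are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """Convert a FILETIME integer to a timezone-aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def bias_minutes(dword: int) -> int:
    """Interpret a Bias/ActiveTimeBias REG_DWORD as a signed number of minutes.

    The registry stores the value unsigned, so a zone east of UTC (negative bias)
    appears as a large number such as 0xFFFFFFC4 (-60).
    """
    dword &= 0xFFFFFFFF
    return dword - 0x1_0000_0000 if dword & 0x8000_0000 else dword


def utc_to_local(utc: datetime, active_time_bias: int) -> datetime:
    """Windows defines Bias = UTC - local (in minutes), so local = UTC - Bias."""
    local_tz = timezone(timedelta(minutes=-bias_minutes(active_time_bias)))
    return utc.astimezone(local_tz)


# Constructed sample, not taken from a real system: a machine on W. Europe
# Standard Time (UTC+1, ActiveTimeBias = -60) and a UTC FILETIME from another
# artifact that we want to align with local-time log entries.
SAMPLE_TZ = {
    "TimeZoneKeyName": "W. Europe Standard Time",
    "ActiveTimeBias": 0xFFFFFFC4,          # -60 minutes
}
SAMPLE_FILETIME = 132223104000000000        # 2020-01-01 00:00:00 UTC


def sample_local_time(tz=SAMPLE_TZ, filetime=SAMPLE_FILETIME) -> datetime:
    """Return the sample FILETIME expressed in the sample machine's local time."""
    return utc_to_local(filetime_to_utc(filetime), tz["ActiveTimeBias"])


if __name__ == "__main__":
    utc = filetime_to_utc(SAMPLE_FILETIME)
    print("bias (min):", bias_minutes(SAMPLE_TZ["ActiveTimeBias"]))
    print("UTC:       ", utc.isoformat())
    print("local:     ", sample_local_time().isoformat())
```

Use ActiveTimeBias rather than Bias when the event falls inside daylight-saving time, since ActiveTimeBias already includes the DST offset that was in effect when the hive was last written.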

Network Interfaces and Historical Networks
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Each interface is represented by a subkey named with the interface’s GUID and containing its TCP/IP configuration: IP addresses, the DHCP-assigned address and lease information, subnet mask, DNS servers and more. This information is important because it lets you confirm that you are analysing the machine you intend to (for example, that its address matches the one in the alert or in the network logs).

The historical networks to which a particular machine is connected can be found in the following locations:
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed

These keys hold one subkey per network the machine has connected to, and the last-write time of each subkey indicates when that network was last connected. Each signature subkey also carries a ProfileGuid value pointing at the matching profile under NetworkList\Profiles, which stores the network name (ProfileName) together with DateCreated and DateLastConnected.
Autostart Programs (Autoruns)
The following registry keys contain information about programs or commands that run when a user logs in:
- NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
- NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
- SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
- SOFTWARE\Microsoft\Windows\CurrentVersion\Run

For information about services: SYSTEM\CurrentControlSet\Services
Each service has its own subkey, and its Start value (REG_DWORD) determines when it runs: 0 = boot driver, 1 = system driver, 2 = automatic (started by the Service Control Manager at every boot), 3 = manual (on demand), 4 = disabled. A Start value of 0x2 therefore means the service starts at startup, and its ImagePath value shows which binary is run, which is what we check when hunting for persistence.
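The following Python example is added here and is not part of the original post. It shows the triage logic an analyst applies to the Run/RunOnce values and the Services key once they have been parsed out of the hives (for instance from the !EZParser CSV output): decode the Start type, and flag entries whose executable lives in a user-writable location or, for auto-start services, outside the Windows directory. The registry entries are constructed for the example, and the “user-writable” pattern is a deliberately narrow heuristic, not a complete list.

```python
import re

# Constructed sample of parsed autorun values: (hive, key, value name, data).
# Not from a real system; the RunOnce entry is deliberately suspicious.
SAMPLE_RUN_ENTRIES = [
    ("SOFTWARE", r"Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    ("NTUSER.DAT", r"Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("NTUSER.DAT", r"Software\Microsoft\Windows\CurrentVersion\RunOnce", "Updater",
     r"C:\Users\alice\AppData\Local\Temp\svch0st.exe -k"),
]

# Constructed sample of SYSTEM\CurrentControlSet\Services\<name> values.
SAMPLE_SERVICES = {
    "Dhcp": {"Start": 2, "ImagePath": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted -p"},
    "BITS": {"Start": 3, "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs -p"},
    "WinHelper": {"Start": 2, "ImagePath": r"C:\ProgramData\WinHelper\helper.exe"},
}

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

# Locations a standard user can write to; a persistence entry pointing here deserves a look.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|ProgramData|Users\\Public|Windows\\Temp)\\", re.I)

# Prefixes that place a service binary under the Windows directory (case-insensitive compare).
SYSTEM_PREFIXES = ("%systemroot%\\", "\\systemroot\\", "%windir%\\", "c:\\windows\\", "system32\\")


def image_path(command: str) -> str:
    """Strip arguments from a command line: a quoted path, or the first token otherwise."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def suspicious_run_entries(entries=SAMPLE_RUN_ENTRIES):
    """Run/RunOnce values whose executable lives in a user-writable location."""
    hits = []
    for hive, key, name, data in entries:
        path = image_path(data)
        if USER_WRITABLE.search(path):
            hits.append((f"{hive}\\{key}\\{name}", path))
    return hits


def auto_start_services(services=SAMPLE_SERVICES):
    """Names of services with Start == 2 (SERVICE_AUTO_START), i.e. started at boot."""
    return sorted(name for name, values in services.items() if values["Start"] == 2)


def suspicious_services(services=SAMPLE_SERVICES):
    """Auto-start services whose binary is not under the Windows directory."""
    hits = []
    for name in auto_start_services(services):
        path = image_path(services[name]["ImagePath"]).lower()
        if not path.startswith(SYSTEM_PREFIXES):
            hits.append((name, START_TYPES[services[name]["Start"]], path))
    return hits


if __name__ == "__main__":
    for key, path in suspicious_run_entries():
        print("autorun:", key, "->", path)
    for name, start, path in suspicious_services():
        print("service:", name, f"({start})", "->", path)
```

A hit from either function is a lead, not a verdict: confirm it by checking the binary’s hash and signature and by correlating the key’s last-write time with the rest of the timeline.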

SAM Hive and User Information
The SAM hive contains local user account information, logon information and group membership. It is mainly located at: SAM\Domains\Account\Users. Each account appears as a subkey named after its RID; the F value holds the timestamps (created, last logon, password last set) and the V value holds the user name and other attributes. Registry Explorer and the !EZParser SAM output decode these for us.

File/Folder Usage or Knowledge
Recent Files
Windows keeps a list of recently opened files for each user; this is the list Windows Explorer shows under Recent files. It is stored in the NTUSER hive and can be found in the following location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Another interesting fact about this key is that it has subkeys for file extensions such as .pdf, .jpg and .docx, each listing recently used files of that extension. In every one of these keys the numbered values hold the file name (UTF-16) followed by a shell item, and the MRUListEx value gives their order, most recent first. So, if we are specifically looking for recently used PDF files, we can look at the following key: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pdf
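As an added Python example (not from the original post), the following code parses a RecentDocs key the way the prose describes: it reads the MRUListEx ordering and pulls the leading UTF-16 file name out of each numbered value. The key contents are constructed inline; the bytes that follow each file name stand in for the real shell item, which this example does not parse.

```python
import struct


def make_recentdocs_value(name: str, shell_item: bytes = b"\x0e\x00\x32\x00") -> bytes:
    """Build a constructed RecentDocs value: UTF-16LE file name, null terminator, then
    shell item bytes (a placeholder here; on a real system this is the link target)."""
    return name.encode("utf-16-le") + b"\x00\x00" + shell_item


# Constructed sample of a RecentDocs key (values only), not from a real system.
SAMPLE_RECENTDOCS = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),  # most recent first, ends in -1
    "0": make_recentdocs_value("budget.xlsx"),
    "1": make_recentdocs_value("notes.txt"),
    "2": make_recentdocs_value("report.pdf"),
}


def parse_mrulistex(data: bytes) -> list:
    """MRUListEx is a list of little-endian DWORD indices, most recent first, ending in 0xFFFFFFFF."""
    order = []
    usable = len(data) - len(data) % 4          # ignore a trailing partial DWORD
    for (index,) in struct.iter_unpack("<I", data[:usable]):
        if index == 0xFFFFFFFF:
            break
        order.append(index)
    return order


def entry_file_name(data: bytes) -> str:
    """The file name is the leading null-terminated UTF-16LE string of each numbered value."""
    for i in range(0, len(data) - 1, 2):        # step by code unit so a 00 byte inside a char is not a terminator
        if data[i:i + 2] == b"\x00\x00":
            return data[:i].decode("utf-16-le")
    return data.decode("utf-16-le", errors="replace")


def recent_docs(values: dict = SAMPLE_RECENTDOCS) -> list:
    """Return file names in most-recently-used order; indices without a value are reported as missing."""
    result = []
    for index in parse_mrulistex(values["MRUListEx"]):
        raw = values.get(str(index))
        result.append(entry_file_name(raw) if raw is not None else f"<missing {index}>")
    return result


if __name__ == "__main__":
    for rank, name in enumerate(recent_docs(), 1):
        print(rank, name)
```

The same function works on the per-extension subkeys (RecentDocs\.pdf and so on), since each of them carries its own MRUListEx. Note that RecentDocs only tells you the order of use; the time of use is the key’s last-write time, which applies to the most recent entry only.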

Office Recent Files
NTUSER.DAT\Software\Microsoft\Office\VERSION
The version number differs for each version of Microsoft Office (15.0 is Office 2013, 16.0 is Office 2016 and later). A sample registry key looks like the following: NTUSER.DAT\Software\Microsoft\Office\15.0\Word
Starting with Office 365, Microsoft links the list to the user’s Live ID. In that case the recent files can be found in the following location: NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU
ShellBags
Shell Bags are artifacts created when a user interacts with the Windows shell, i.e. the GUI-based file explorer (not to be confused with a command-line shell). Shell Bags contain information about the state of a folder, such as its window size and position, view settings and the items it contains, so that the folder is displayed as the user left it when it is opened again. Because these entries persist after a folder is deleted or a removable device is unplugged, they also reveal folders a user browsed that no longer exist. We can find this information in the following locations:
- USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
- USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
- NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
- NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
Registry Explorer does not give us much information about ShellBags. However, another tool from Eric Zimmerman’s toolkit, ShellBag Explorer, shows us the information in an easy-to-use format.

Open/Save and LastVisited Dialog MRUs(Most Recently Used)
When we open or save a file, a dialog box appears asking where to open it from or save it to. Windows remembers the last location used in these dialogs, so with access to this information we can find recently used files and folders, including files that have since been deleted. OpenSavePIDlMRU keeps one subkey per file extension (plus a catch-all * key), and LastVisitedPidlMRU records which application opened the dialog together with the folder it last used. We can examine the following registry keys:
- NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU
- NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

Windows Explorer Address/Search Bars
Another way to determine a user’s recent activity is to look at the paths typed into the Windows Explorer address bar or searches using the following registry keys respectively.
- NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
- NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

Evidence of Execution
UserAssist
Windows records applications started by the user through Windows Explorer (by double-clicking an executable or a shortcut) in the UserAssist keys, originally for statistical purposes. These keys tell us which programs were started, when they were last run and how many times. Programs launched from the command line are not recorded there. The key lives in the NTUSER hive with one subkey per GUID; on Windows 7 and later the two GUIDs of interest are {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} (executables) and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} (shortcuts). The value names are ROT13-encoded program paths, and the value data is a binary structure holding the run count and the last execution time. We can find it in the following location: NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count
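The Python example below is added here and is not code from the original post. It decodes the ROT13 value names (expanding the one known-folder GUID used in the sample) and parses the Windows 7+ 72-byte Count structure to get the run count, focus statistics and last execution time. The Count values and the value names are constructed for the example; the structure offsets used (run count at 4, focus count at 8, focus time at 12, last-run FILETIME at 60) are the Windows 7 and later layout.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# GUIDs of the two UserAssist subkeys that matter most on Windows 7 and later.
GUID_EXECUTABLES = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"   # programs launched directly
GUID_SHORTCUTS = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"     # programs launched via .lnk

# Known-folder GUIDs appear (ROT13-encoded) in place of the folder path; only FOLDERID_System is mapped here.
KNOWN_FOLDERS = {"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"%SystemRoot%\System32"}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def decode_name(value_name: str) -> str:
    """Value names are ROT13-encoded; known-folder GUIDs are expanded when recognised."""
    name = codecs.decode(value_name, "rot13")
    for guid, folder in KNOWN_FOLDERS.items():
        name = name.replace(guid, folder)
    return name


def parse_count(data: bytes) -> dict:
    """Parse a Windows 7+ Count value (72 bytes).

    Offsets used: 4 = run count, 8 = focus count, 12 = focus time in ms,
    60 = last execution FILETIME (0 when never run).
    """
    if len(data) != 72:
        raise ValueError(f"unexpected Count length {len(data)}; Windows XP/Vista used a 16-byte layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_run": filetime_to_utc(last_ft).isoformat() if last_ft else None,
    }


def make_count(run_count: int, focus_count: int, focus_ms: int, last_ft: int) -> bytes:
    """Build a constructed 72-byte Count value for the sample below."""
    return (struct.pack("<I", 0) + struct.pack("<III", run_count, focus_count, focus_ms)
            + b"\x00" * 44 + struct.pack("<Q", last_ft) + b"\x00" * 4)


# Constructed sample of UserAssist\{GUID}\Count values, not from a real system.
SAMPLE_USERASSIST = {
    GUID_EXECUTABLES: {
        "HRZR_PGYFRFFVBA": b"\x00" * 72,   # UEME_CTLSESSION: a session counter, not a program
        r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr": make_count(5, 3, 120000, 132223104000000000),
        r"P:\Hfref\nyvpr\Qbjaybnqf\gbby.rkr": make_count(1, 1, 500, 132223140000000000),
    },
}


def parse_userassist(values: dict = SAMPLE_USERASSIST) -> list:
    """Flatten Count values into rows (newest first), skipping the UEME_ counters."""
    rows = []
    for guid, counts in values.items():
        for value_name, data in counts.items():
            program = decode_name(value_name)
            if program.startswith("UEME_"):
                continue
            rows.append({"guid": guid, "program": program, **parse_count(data)})
    rows.sort(key=lambda row: row["last_run"] or "", reverse=True)
    return rows


if __name__ == "__main__":
    for row in parse_userassist():
        print(row["last_run"], row["run_count"], row["program"])
```

A run count with a last-run time of None (FILETIME 0) means the entry was created but the counter has not been updated since, which happens for some entries written by the shell rather than by a user launch.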

ShimCache (Application Compatibility Cache)
ShimCache, also called the Application Compatibility Cache (AppCompatCache), is the mechanism Windows uses to keep track of application compatibility with the operating system; its main purpose is backward compatibility for applications. As a side effect it records executables the system has encountered. It is located in the SYSTEM hive in the following location: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
ShimCache stores the full path of the executable and the file’s last modification time (this is the file system timestamp, not the time of execution); the older Windows XP format also stored the file size. On Windows 10 an entry only shows that the file existed and was inspected by the compatibility infrastructure, not that it actually ran, so treat ShimCache as evidence of presence and corroborate execution with AmCache or UserAssist. The cache is written to the registry only at shutdown or reboot, so the hive of a running system lags behind the in-memory cache.
AppCompatCacheParser takes the SYSTEM hive as input, parses the data and writes a CSV file to the given directory:
AppCompatCacheParser.exe -f <path to SYSTEM hive> --csv <output directory>

The output can be viewed with EZViewer, another of Eric Zimmerman’s tools.

AmCache
The AmCache hive is a structure related to ShimCache. It serves a similar purpose and stores additional data about program executions: the full path, file size, version information, the SHA1 hash of the file (stored with a “0000” prefix and computed over at most the first 31,457,280 bytes, so very large binaries are only partially hashed) and timestamps for when the entry was written and when the file was deleted. This hive is located on the file system at: C:\Windows\appcompat\Programs\Amcache.hve
Information about recently run programs can be found in the following location in the hive: Amcache.hve\Root\File\{Volume GUID}\
On current Windows 10 and 11 builds the per-file entries live instead under Amcache.hve\Root\InventoryApplicationFile, with one subkey per file.
It can be examined with Registry Explorer.

BAM/DAM
Background Activity Monitor or BAM monitors the activity of background applications. The similar Desktop Activity Moderator or DAM is part of Microsoft Windows that optimizes the power consumption of the device. Both of these are part of the Modern Standby system in Microsoft Windows.
In the Windows registry, the following locations contain the BAM and DAM data: one subkey per user SID and, within it, one value per program, named with the program’s full path and holding its last execution time as a FILETIME in the first 8 bytes of the value data. Since Windows 10 version 1809 the UserSettings key sits under a State subkey (SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}); the paths below are those of versions 1709 and 1803.
- SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
- SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}

External Devices/USB Devices
Device Identification
The following locations keep a record of USB devices connected to a system. USBSTOR identifies mass-storage devices by the vendor, product and revision strings the device reports (Disk&Ven_…&Prod_…&Rev_…) with the device serial number as a subkey, while USB identifies every USB device by its numeric vendor and product IDs (VID_xxxx&PID_yyyy). Together they identify unique devices; the times at which a device was first and last connected are stored in the device properties described in the next section.
- SYSTEM\CurrentControlSet\Enum\USBSTOR
- SYSTEM\CurrentControlSet\Enum\USB

First/Last Times
Similarly, the following registry key tracks the first time the device was connected, the last time it was connected, and the last time it was removed from the system (each stored as a FILETIME in UTC).
- SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\####
In this key, #### stands for one of the following property IDs:
- 0064 : First Connection Time
- 0066 : Last Connection Time
- 0067 : Last removal Time
Registry Explorer already parses this data and shows it when we select the USBSTOR key. One caveat when matching devices: if the second character of the serial subkey is ‘&’, the device did not report a serial number and Windows generated one, so that value cannot be used to recognise the same device on another machine.
The device name of the connected drive can be found in the following location: SOFTWARE\Microsoft\Windows Portable Devices\Devices
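To show how the pieces above fit together, here is an added Python example (not from the original post) that splits USBSTOR device key names into vendor, product and revision, checks whether the serial subkey is a Windows-generated one, and decodes the 0064/0066/0067 FILETIME properties into a first-install, last-arrival and last-removal timeline. The USBSTOR key contents are constructed for the example.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Property IDs under {83da6326-97a6-4088-9453-a19231573b29}; each is a REG_FILETIME value.
DEVICE_TIMES = {"0064": "first_install", "0066": "last_arrival", "0067": "last_removal"}

# USBSTOR device keys look like Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
USBSTOR_KEY = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^&]*)$", re.I)


def filetime_to_utc(filetime: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def parse_usbstor_key(key_name: str) -> dict:
    """Split a USBSTOR device-class key name into its vendor, product and revision strings."""
    match = USBSTOR_KEY.match(key_name)
    if not match:
        raise ValueError(f"not a USBSTOR device key: {key_name}")
    return match.groupdict()


def serial_is_windows_generated(serial_key: str) -> bool:
    """If the second character of the instance (serial) key is '&', the device reported no
    serial number and Windows made one up; it is then not unique across machines."""
    return len(serial_key) > 1 and serial_key[1] == "&"


def device_times(properties: dict) -> dict:
    """Decode the 0064/0066/0067 FILETIME properties into ISO 8601 UTC strings (None if absent)."""
    out = {}
    for prop_id, label in DEVICE_TIMES.items():
        raw = properties.get(prop_id)
        if raw is None:
            out[label] = None
            continue
        (filetime,) = struct.unpack("<Q", raw)
        out[label] = filetime_to_utc(filetime).isoformat()
    return out


# Constructed sample (not from a real system): one device with a real serial, one without.
# 132223104000000000 is 2020-01-01 00:00:00 UTC; 864000000000 ticks = 1 day, 36000000000 = 1 hour.
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00": {
        "4C530001230412345678&0": {
            "0064": struct.pack("<Q", 132223104000000000),
            "0066": struct.pack("<Q", 132223104000000000 + 864000000000),
            "0067": struct.pack("<Q", 132223104000000000 + 864000000000 + 36000000000),
        }
    },
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": {
        "7&1a2b3c4d&0&000000": {
            "0064": struct.pack("<Q", 132223104000000000),
        }
    },
}


def usb_timeline(usbstor: dict = SAMPLE_USBSTOR) -> list:
    """One row per device instance: identification strings, serial status and connection times."""
    rows = []
    for key_name, instances in usbstor.items():
        ident = parse_usbstor_key(key_name)
        for serial, props in instances.items():
            rows.append({
                **ident,
                "serial": serial,
                "generated_serial": serial_is_windows_generated(serial),
                **device_times(props),
            })
    return rows


if __name__ == "__main__":
    for row in usb_timeline():
        print(row)
```

A last_removal of None does not mean the device is still attached: the property is simply absent on some Windows versions and for devices that were never removed cleanly, so corroborate with the key’s last-write time.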


Stay safe…