When it comes to forensic analysis, Windows is an incredibly revealing operating system. It leaves behind numerous traces that can provide critical insights into ransomware incidents.
Windows Event Logs (WEL)
Windows Event Logs are a treasure trove of information for forensic analysis. They record a wide range of events, from logins and logoffs to application crashes and security incidents. By analyzing these logs, you can reconstruct a timeline of activities and identify potential indicators of compromise.
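As an added example (not part of the original post), the following Python script shows the kind of timeline reconstruction described above. It parses constructed event records in the XML shape that Event Viewer or wevtutil export, keeps only the IDs on a small watchlist I chose for ransomware cases (1102 log cleared, 4624 logon, 4720 account created, 7045 service installed), sorts them chronologically, and separately pulls out RDP-style logons (4624 with LogonType 10). The sample records and the watchlist are my assumptions, not data from the page.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Every EVTX record rendered to XML lives in this namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed watchlist (my selection for ransomware timelines, not from the page).
WATCHLIST = {
    1102: "Security audit log cleared",
    4624: "Successful logon",
    4720: "User account created",
    7045: "New service installed",
}

# Constructed sample records, deliberately out of chronological order.
SAMPLE_EVENTS = r"""
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
  <TimeCreated SystemTime="2024-03-01T02:14:05.000000Z"/><Computer>WS01</Computer></System>
  <EventData><Data Name="TargetUserName">svc_backup</Data><Data Name="LogonType">10</Data>
  <Data Name="IpAddress">10.0.0.5</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Service Control Manager"/><EventID>7045</EventID>
  <TimeCreated SystemTime="2024-03-01T02:16:40.000000Z"/><Computer>WS01</Computer></System>
  <EventData><Data Name="ServiceName">updsvc</Data>
  <Data Name="ImagePath">C:\Windows\Temp\upd.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>
  <TimeCreated SystemTime="2024-03-01T02:30:00.000000Z"/><Computer>WS01</Computer></System>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
  <TimeCreated SystemTime="2024-03-01T01:00:00.000000Z"/><Computer>WS01</Computer></System>
  <EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">2</Data>
  <Data Name="IpAddress">-</Data></EventData>
</Event>
"""


def parse_events(xml_text):
    """Turn a concatenation of <Event> records into plain dicts."""
    # Wrap in a dummy root so a file holding many sibling <Event> elements parses.
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    events = []
    for ev in root.findall("e:Event", NS):
        sysblock = ev.find("e:System", NS)
        when = sysblock.find("e:TimeCreated", NS).get("SystemTime")
        events.append({
            "time": datetime.fromisoformat(when.replace("Z", "+00:00")),
            "id": int(sysblock.find("e:EventID", NS).text),
            "host": sysblock.find("e:Computer", NS).text,
            "provider": sysblock.find("e:Provider", NS).get("Name"),
            "data": {d.get("Name"): (d.text or "")
                     for d in ev.findall("e:EventData/e:Data", NS)},
        })
    return events


def timeline(events):
    """Chronological list of watchlisted events, each annotated with a label."""
    hits = [dict(ev, label=WATCHLIST[ev["id"]]) for ev in events if ev["id"] in WATCHLIST]
    return sorted(hits, key=lambda ev: ev["time"])


def remote_interactive_logons(events):
    """(user, source IP) for every 4624 with LogonType 10, i.e. RDP-style logons."""
    return [(ev["data"].get("TargetUserName"), ev["data"].get("IpAddress"))
            for ev in events
            if ev["id"] == 4624 and ev["data"].get("LogonType") == "10"]


def format_timeline(events):
    """One printable line per watchlisted event, oldest first."""
    return [f'{ev["time"]:%Y-%m-%d %H:%M:%S} {ev["host"]} {ev["id"]} {ev["label"]} {ev["data"]}'
            for ev in timeline(events)]


if __name__ == "__main__":
    for line in format_timeline(parse_events(SAMPLE_EVENTS)):
        print(line)
```

On a real case you would feed the output of an EVTX-to-XML conversion into parse_events and extend WATCHLIST with the IDs relevant to your environment; the sort step is what turns scattered log entries into the timeline the section describes.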
Endpoint Detection & Response (EDR)
Many organizations rely heavily on EDR during incident response because of the depth of insights it provides. While EDR is crucial, remember to collect artifacts beyond what EDR offers.
File and Folder Access
Windows keeps detailed records of file and folder access. Every time a user accesses a file, several forensic artifacts are created, documenting what was accessed, when, and where it was located. These artifacts are invaluable for understanding the scope and impact of an incident.
NTFS Metadata
Analyzing NTFS metadata, such as $MFT, $UsnJrnl:$J, and $Logfile, can reveal a lot about the activities that occurred within the Windows file system. These metadata files track changes to files and directories, helping you piece together what happened during the ransomware attack.
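To show what "piecing together what happened" from $UsnJrnl:$J looks like in practice, here is an added Python example (mine, not the author's). It decodes the USN_RECORD_V2 layout documented in the Windows SDK, converts the FILETIME stamps, and summarises the pattern a responder looks for after a ransomware run: files overwritten, files renamed to a new extension, and new files created. The journal bytes are constructed inline with a small packing helper; the file names, extension and reference numbers are my assumptions.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header (Windows SDK layout), little-endian, 60 bytes:
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset.
HEADER = struct.Struct("<IHHQQqQIIIIHH")

# Subset of the USN_REASON_* flags.
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x80000000: "CLOSE",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic to avoid float loss."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def parse_usn_journal(buf):
    """Walk a raw $UsnJrnl:$J buffer and decode each V2 record."""
    records, off = [], 0
    while off + HEADER.size <= len(buf):
        fields = HEADER.unpack_from(buf, off)
        length = fields[0]
        if length == 0:  # zero fill inside a sparse $J: step to the next 8-byte boundary
            off += 8
            continue
        if fields[1] != 2 or length < HEADER.size or off + length > len(buf):
            raise ValueError(f"unsupported or truncated record at offset {off}")
        name_len, name_off = fields[11], fields[12]
        name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
        reason = fields[7]
        records.append({
            "usn": fields[5],
            "timestamp": filetime_to_datetime(fields[6]),
            "frn": fields[3] & 0xFFFFFFFFFFFF,  # low 48 bits = MFT entry number
            "name": name,
            "reason": reason,
            "reasons": [n for bit, n in REASON_FLAGS.items() if reason & bit],
        })
        off += length
    return records


def summarize(records):
    """Extensions files were renamed to, files created, and overwrite count."""
    renamed_to, created, overwritten = Counter(), [], 0
    for r in records:
        if r["reason"] & 0x2000 and "." in r["name"]:
            renamed_to["." + r["name"].rsplit(".", 1)[1]] += 1
        if r["reason"] & 0x100:
            created.append(r["name"])
        if r["reason"] & 0x1:
            overwritten += 1
    return {"renamed_to": renamed_to, "created": created, "overwritten": overwritten}


def _record(usn, name, reason, when):
    """Pack one USN_RECORD_V2 (constructed test data; reference numbers are made up)."""
    name_bytes = name.encode("utf-16-le")
    length = HEADER.size + len(name_bytes)
    length += (-length) % 8  # records are padded to an 8-byte boundary
    header = HEADER.pack(length, 2, 0, 0x1000000000041, 0x5000000000005, usn,
                         datetime_to_filetime(when), reason, 0, 0, 0x20,
                         len(name_bytes), HEADER.size)
    return header + name_bytes + bytes(length - HEADER.size - len(name_bytes))


_T0 = datetime(2024, 3, 1, 2, 20, 0, tzinfo=timezone.utc)
# Constructed journal: three files overwritten then renamed, a note dropped,
# with 16 zero bytes in the middle to mimic a sparse region.
SAMPLE_JOURNAL = b"".join([
    _record(1, "budget.xlsx", 0x80000001, _T0),
    _record(2, "budget.xlsx.locked", 0x80002000, _T0 + timedelta(seconds=1)),
    _record(3, "report.docx", 0x80000001, _T0 + timedelta(seconds=2)),
    bytes(16),
    _record(4, "report.docx.locked", 0x80002000, _T0 + timedelta(seconds=3)),
    _record(5, "photo.jpg", 0x80000001, _T0 + timedelta(seconds=4)),
    _record(6, "photo.jpg.locked", 0x80002000, _T0 + timedelta(seconds=5)),
    _record(7, "README_RESTORE.txt", 0x80000100, _T0 + timedelta(seconds=6)),
])

if __name__ == "__main__":
    for r in parse_usn_journal(SAMPLE_JOURNAL):
        print(r["timestamp"].isoformat(), r["name"], r["reasons"])
    print(summarize(parse_usn_journal(SAMPLE_JOURNAL)))
```

Pointed at a $J extracted by a collector, the same parse_usn_journal loop gives you per-file timestamps to line up against the event log and execution artifacts, and summarize makes the burst of renames to a single new extension stand out immediately.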
Registry Hives
The Windows registry is a central repository for configuration data. Collecting and analyzing registry hive files is essential for identifying persistence techniques.
Evidence of Execution
Evidence of execution comes from Prefetch files, UserAssist entries, ShimCache, and Amcache. These artifacts can show what programs were run, when they were run, and even how often they were executed.
Web Browser Databases
Web browsers store a wealth of information, including search history, bookmarks, downloads, and more. Analyzing browser databases can provide insights into an attacker’s online activities, such as searching for specific tools or visiting malicious websites.
These are the most common artifacts that must be collected, and the CyLR tool collects them automatically.
Tools:
I personally prefer KAPE, but another very useful tool for collecting forensic artifacts is CyLR. This tool can be configured to gather a wide range of files and logs from a Windows system. The default collection paths used by CyLR are a good starting point for your analysis.
Check it out:
Info about the tool:
CyLR, short for Cyber Live Response, is an open-source collection tool developed to assist forensic analysts and incident responders. It automates the collection of critical system artifacts, reducing the time collection takes. CyLR supports both Windows and Linux environments, making it versatile for various incident response scenarios.
How to Use CyLR
Using CyLR is straightforward. Here’s a step-by-step guide:
Download and Prepare:
Download CyLR
Extract the tool and copy it to a USB drive, deploy it remotely, or place it in a secure location on your forensic workstation.
Deploy on Target System:
Insert the USB drive into the compromised system.
Open a command prompt with administrative privileges.
Run CyLR:
Navigate to the directory containing CyLR.
CyLR.exe -o <output_directory> (for Windows)
./CyLR -o <output_directory> (for Linux)
CyLR will start collecting artifacts and save them to the specified output directory.
Outputs:
Kindly note: a few artifacts will be in raw format, for example $MFT and $LogFile. You have to parse them manually or with other tools; KAPE will do that for you.
Stay prepared, stay vigilant, and let tools be your ally in the fight against ransomware.
Akash Patel