- USB Key analysis: Volume Names, GUID
Windows 7-10: GUID and Volume Name

In newer Windows versions (Win7-Win10), there's a nifty key that logs the Volume Name and GUID for each connected device:

SOFTWARE\Microsoft\Windows Portable Devices\Devices

You can also grab the Volume Name and GUID from this key, which can be handy for future reference. Another example, taking the # ---# value for further analysis:

The Win7 Challenge
Windows 7 adds a twist. Not every device will have its last drive letter recorded in the Windows Portable Devices key. In such cases, you might need to cross-reference the MountedDevices key using the device GUID to find the last mount point.

The Windows XP Dilemma
For those still dealing with Windows XP, the game changes a bit. The drive letter won't be in the Windows Portable Devices key, but you'll still find the Volume Name. This is where temporal analysis comes into play.

LNK Files to the Rescue
Even if the drive letter isn't directly mapped, don't lose hope! Many LNK files in the Recent folder on the Windows machine will include the Volume Name, sometimes alongside the drive letter. With timestamp analysis and LNK file correlation, you can often deduce the likely drive letter.

Time Isn't Always of the Essence
Interestingly, this Volume Name and drive letter data seems to stick around longer than the usual 30-day limit set for the USB and USBSTOR registry keys. It also dodges the Plug and Play Cleanup task, making it a more stable source of information.

Windows 10 Example
Here's how it looks on Windows 10:
- Windows Portable Devices key: you'll find the Volume Name here.
- Drive letter: unfortunately, not listed directly. But armed with the Volume Name, you can often trace it back using Shell Item historical information.

Will continue with another blog to identify the drive letter...............

Akash Patel
- Windows Common Artifacts Paths for Forensics
In the realm of digital forensics, collecting and analyzing artifacts from various system paths is crucial for uncovering valuable information. Here is a PDF with a comprehensive list of paths where key artifacts can be collected from Windows systems. These artifacts can provide insights into user activities, system events, and potential security incidents.

Click Me for file:

These paths and artifacts are critical for digital forensics professionals when investigating user activities, system events, and potential security incidents on Windows systems. By collecting and analyzing data from these locations, investigators can uncover a wealth of information to support their investigations.

Akash Patel
- USB Key Analysis: USBSTOR and USB
USBSTOR Registry Key

Where to Find USB Key Info:
Registry Key: SYSTEM\CurrentControlSet\Enum\USBSTOR
- Disk&Ven... : referred to as the Device Class ID
- 57583... : referred to as the unique device Serial

What's in a Serial Number?
According to Microsoft's USB FAQ, every USB device that wants to play nice with Windows needs a unique Serial Number. This number is like a fingerprint for the device: it helps Windows remember it and speed up future plug-ins.

Why Serial Numbers Matter:
- Quick Recognition: Windows uses the Serial Number to recognize whether the device has been plugged in before, making it quicker to connect next time.
- Plug and Play: If the device has been recognized before, Windows won't waste time reinstalling drivers.

Watch Out for Clones!
Not all USB devices are created equal. If a Serial Number has an "&" as its second character (like 4&762219b0&0), it's a red flag. This means the device doesn't have a unique Serial Number and might not meet Microsoft's standards.

Handy Tips for Analysis:
- Search Smart: Use the "Find" option in Registry Explorer to search for keys with specific Serial Numbers across all loaded registry hives.
- Look Everywhere: Search in key names, value names, or value data to identify all relevant keys.
- Act Fast: Remember, this info might not stick around forever. On modern Windows 10 systems, the USBSTOR keys could be cleared after 30 days.

USB Registry Key
The key under SYSTEM\CurrentControlSet\Enum\USB not only stores the Vendor ID (VID) and Product ID (PID) but also contains details about the device type.

The Serial Number Quirk
Here's the catch: only MSC devices are required by Microsoft to have a unique Serial Number. So, for MTP and PTP devices, you might encounter more generic or even identical Serial Numbers.

What Else Can You Find?
This key is like a treasure trove for forensic investigators. Apart from storage devices, you can spot other gadgets like phones, tablets, and printers that were connected to the system, even if Windows didn't recognize them as mass storage devices.

Keep an Eye on the Clock
Remember, the data in these keys gets wiped out by the Plug and Play Cleanup task. On Windows 10, you might have only a 30-day window to access this information.

Decode VID and PID
If you stumble upon an unknown VID or PID, there's a handy website to help you out: linux-usb.org/usb.ids. Just look up the numbers, and it'll reveal the manufacturer and product details.

How to Proceed?
1. Identify Device Type: Look for keys related to MSC, MTP, or PTP to determine the device class.
2. Decode VID and PID: Visit the USB ID database to find out the manufacturer and product details.
3. Record Everything: Note down all relevant keys, Serial Numbers, and other details for your forensic report.

By taking these extra steps, you can elevate your USB key analysis game, making it easier to identify and trace any device that's been connected to a system. Happy investigating!

Akash Patel
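The device class ID and serial checks described above, as an added example (not code from the original post): it parses USBSTOR key paths in the layout the post shows and flags serials whose second character is "&". The sample paths are constructed; only the 4&762219b0&0 serial comes from the post.

```python
r"""Parse USBSTOR device-instance paths and flag Windows-generated serials.

Added example, not code from the original post. The paths below are
constructed samples in the layout the post describes:
SYSTEM\CurrentControlSet\Enum\USBSTOR\<DeviceClassID>\<Serial>
"""
import re
from dataclasses import dataclass

# Device class ID layout under USBSTOR: Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>
_CLASS_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$",
    re.IGNORECASE,
)

@dataclass
class UsbStorEntry:
    device_type: str
    vendor: str
    product: str
    revision: str
    serial: str           # raw serial subkey name, e.g. 4C530001234567890&0
    unique_serial: bool   # False when the second character is '&' (no real serial)

def parse_usbstor_path(path: str) -> UsbStorEntry:
    r"""Parse a full key path such as
    SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_X&Prod_Y&Rev_Z\SERIAL&0
    """
    parts = path.rstrip("\\").split("\\")
    try:
        idx = [p.upper() for p in parts].index("USBSTOR")
    except ValueError:
        raise ValueError("not a USBSTOR key path: %s" % path)
    if len(parts) < idx + 3:
        raise ValueError("path lacks class ID and serial components: %s" % path)
    class_id, serial = parts[idx + 1], parts[idx + 2]
    m = _CLASS_RE.match(class_id)
    if not m:
        raise ValueError("unrecognised device class ID: %s" % class_id)
    # The post's red flag: an '&' as the *second* character of the serial
    # means the device did not present a unique serial number.
    generated = len(serial) > 1 and serial[1] == "&"
    return UsbStorEntry(
        device_type=m.group("type"),
        vendor=m.group("vendor"),
        product=m.group("product"),
        revision=m.group("rev"),
        serial=serial,
        unique_serial=not generated,
    )

def triage(paths):
    """Split entries into (unique, non_unique) so the non-unique ones can be
    cross-checked against other artefacts (LNK files, MountedDevices)."""
    unique, non_unique = [], []
    for p in paths:
        e = parse_usbstor_path(p)
        (unique if e.unique_serial else non_unique).append(e)
    return unique, non_unique

# Constructed sample paths (vendor, product and the first serial are made up).
SAMPLE_PATHS = [
    r"SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001234567890&0",
    r"SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\4&762219b0&0",
]

if __name__ == "__main__":
    uniq, gen = triage(SAMPLE_PATHS)
    for e in uniq:
        print("unique    ", e.vendor, e.product, e.serial)
    for e in gen:
        print("NON-UNIQUE", e.vendor, e.product, e.serial, "(verify via other artefacts)")
```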
- USB Artifacts: What Gets Left Behind and Where to Find It
Hey again! So, you've plugged in a USB device and opened some files. Ever wonder what traces you leave behind?

What's the Deal with MSC Devices?
What Happens? When you open files from an MSC device (like a flash drive), you get these little LNK files. These files point back to what you opened and where it came from.
Where to Find Them?
- C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent: LNK files for all files and folders you opened.
- C:\Users\Win 7SP1\AppData\Roaming\Microsoft\Office\Recent: Just for Microsoft Office files.

MTP Devices: A Bit Tricky
What Happens? MTP devices (like newer smartphones) handle things differently. When you open files, Windows makes a copy and puts it in a temp folder.
Interesting Stuff:
- The actual LNK files might point to these temp folders, not the device itself.
- A folder named WPDNSE keeps copies of most files you've opened from the device.
Where to Find Them?
- C:\Users\<username>\AppData\Local\Temp\WPDNSE: This is where the temp copies hang out.

File Types and Their Trails
- JPG Files: Opened from the device? A true LNK file points right back to the device folder.
- PDF, TXT, XLS Files: No LNK files are created when these are opened from MTP devices. Mysterious, huh?

Quick Tips
- MSC: Expect a LNK for every file you open. Look in the Recent folders.
- MTP: Files get copied to a temp folder. Check WPDNSE and temp folders for clues.

MTP Devices and the Mysterious WPDNSE Folder
So, you've got a Windows 7 or 8 system, and you're curious about MTP devices. Great! But there's a twist: it doesn't exist on Windows 10.

Where's My WPDNSE Folder?
Windows 7 & 8: When you open files from an MTP device, copies get saved in C:\Users\<username>\AppData\Local\Temp\WPDNSE\. Each folder you open from on the MTP device gets its own GUID-named folder here.

Making Sense of GUIDs
You'll see weird GUIDs like {02601-000-01CD-8801-7I017K017} as folder names. Without a map, they're just gibberish. But fear not! You can link these GUIDs back to the original MTP device folders using the Windows registry.

How?
1. Dive into the registry and look for the BagMRU entries related to your MTP device.
2. Find the folder GUIDs listed under these entries.
3. Match them up with the GUID-named folders in your WPDNSE directory.

Quick Heads-up
Temporary Storage: Remember, the WPDNSE folder is temporary. Windows likes to clean it out when you reboot.

So, next time you're snooping around a computer, keep these spots in mind. You'll find some cool clues about what was opened from which device. Happy investigating!

Akash Patel
- USB Devices: What You Need to Know for Quick Investigations
Hey there! USB devices are everywhere these days, and they can hold a ton of info. Knowing the basics can really help if you're looking into something fishy or just curious about how these things work.

Mass Storage Class (MSC)
What is it? Think of MSC like a USB drive you plug into your computer. You can see all the files and folders just like any drive.
Where is it used?
- Old Android phones before Android 4.0
- iPods
- Flash drives, external hard drives
Quick Tip: If you're snooping around, look for these in Windows Explorer under "Devices with Removable Storage."

Picture Transfer Protocol (PTP)
What is it? PTP is all about photos and videos. You can pull stuff from your device to your computer, but you can't put stuff back on it.
Where is it used?
- Older Windows versions like XP
- Cameras and some smartphones
Quick Tip: You'll find these in Windows Explorer under "Scanners and Cameras." Just images and videos here!

Media Transfer Protocol (MTP)
What is it? MTP is like PTP's cooler cousin. It can handle more than just photos: think music, docs, and more.
Where is it used?
- Newer Windows versions
- Smartphones, tablets, cameras
Quick Tip: Look for these under "Other" in Windows Explorer. But heads up, not all tools can read these correctly, so be careful!

Windows Portable Devices (WPD)
This is the big umbrella that covers both PTP and MTP. It's like the universal translator for different device types.
Cool Stuff:
- Works with all sorts of gadgets
- Customizable for special devices

Wrapping Up
So there you have it! USB devices come in different flavors, and each has its own quirks. Whether you're digging into some suspicious activity or just satisfying your curiosity, knowing these basics can really come in handy. Keep an eye out for these when you're poking around on a computer. You never know what interesting stuff you might find!

Akash Patel
- Enterprise-Wide Incident Response: Leveraging Logs and Data for Effective Threat Detection
In the realm of cybersecurity, incident response (IR) is a critical function that helps organizations detect, mitigate, and recover from security incidents. A robust incident response strategy requires access to various logs and data sources, which provide insights into potentially malicious activities.

Key Logs for Incident Response
When responding to an incident, one of the first steps is to gather logs for egress connections. These logs are vital because they serve as filter points for all traffic leaving the environment, helping to identify command and control (C2) points and compromised internal systems. The primary sources of egress connection logs include:
- Firewall Logs: These logs capture all outbound connections, providing a comprehensive view of egress traffic. Firewalls are configured to monitor and control the flow of network traffic based on predetermined security rules.
- DNS Logs: DNS logs are powerful tools for detecting malicious traffic. They can reveal domains and IP addresses associated with known malware and botnets. Comparing DNS logs with known bad domain lists can quickly highlight potential threats.
- Web-Filtering Device Logs: Web proxies and content filters restrict access to objectionable content and can detect malicious outbound traffic. These logs help identify access to known bad domains and suspiciously long URLs used by malware for C2 or payload delivery.

The Power of DNS Data
DNS data can be instrumental in detecting malicious activities within an environment. Traditional antivirus solutions may fail to detect certain well-known malicious programs, but DNS logs can still reveal their presence. Here are some reasons why DNS data is so valuable:
- Static Domains: Many botnets and C2 channels use relatively static domains, making it easier to track them through DNS logs.
- Comparison with Blacklists: Tools like dns-blacklists.py allow responders to compare DNS server caches with lists of known malicious IPs and domains, such as those provided by Malware Domain List. This helps quickly identify compromised systems.

Utilizing Web Proxy Content Filters
Most enterprises deploy web proxy content filters to manage and restrict employee access to various websites. These devices are not only useful for enforcing internet usage policies but also serve as potent tools during incident response. Here's how:
- Identifying Known Bad Actors: Web proxy logs can be checked against updated blacklists to identify access to known malicious IPs and domains.
- Analyzing URL Lengths: Malware often uses long, encoded URLs for C2 communication or payload delivery. While legitimate sites also use long URLs, combining this indicator with other signs of compromise can be effective.
- Reviewing User Agent Strings: Anomalies in user agent strings, such as outdated versions or unexpected operating systems, can indicate the presence of malware.

Detecting Beaconing Activity
Modern malware often uses intermittent beaconing to communicate with C2 servers, rather than maintaining a persistent connection. Detecting this type of activity requires analyzing connection logs from egress firewalls that perform Network Address Translation (NAT). Regular or irregular intervals in outbound connections can indicate beaconing behavior.

Pulling Data from Multiple Systems
In an enterprise environment, gathering data from multiple systems simultaneously is crucial for a comprehensive incident response. The Windows Management Instrumentation Command-line (WMIC) tool can be used to collect software inventory across multiple systems efficiently. Here's an example command:

C:\> wmic /node:@systems.txt product get name, version, vendor /format:csv > SoftwareInventory.txt

This command retrieves the software inventory from all systems listed in systems.txt, providing a detailed overview of installed software, which is essential for identifying vulnerable or unauthorized applications.

Conclusion
Effective incident response relies on leveraging various data sources to detect and mitigate threats. By utilizing firewall logs, DNS logs, and web-filtering device logs, responders can gain critical insights into malicious activities.

Akash Patel
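The beaconing check described above (regularity of intervals in outbound connections seen at an egress NAT firewall), as an added example that is not part of the original post. The log lines and their "src=... dst=...:port" layout are constructed; the regex is an assumption to adapt to a real firewall's format.

```python
"""Flag beacon-like outbound connections in egress NAT firewall logs.

Added example, not code from the original post. The log lines below are
constructed in a generic "timestamp host NAT action src=IP dst=IP:port"
layout; LINE_RE is an assumption to adapt to a real firewall's format.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) .*?src=(?P<src>[\d.]+) .*?dst=(?P<dst>[\d.]+):(?P<port>\d+)"
)

def parse(lines):
    """Yield (src, dst, port, timestamp) for each line that matches LINE_RE."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["port"]), datetime.fromisoformat(m["ts"])

def beacon_candidates(lines, min_connections=5, max_cv=0.2):
    """Group connections by (src, dst, port) and measure the gaps between
    successive connections. A low coefficient of variation (pstdev / mean)
    of those gaps means a near-constant period, the signature of a scheduled
    beacon; raise max_cv to also catch beacons that add jitter.
    Returns {(src, dst, port): (mean_gap_seconds, cv)} for flagged tuples."""
    times = defaultdict(list)
    for src, dst, port, ts in parse(lines):
        times[(src, dst, port)].append(ts)
    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[key] = (mean, cv)
    return flagged

# Constructed sample (no real traffic): 10.0.0.5 reaches 203.0.113.10 about
# every five minutes, while 10.0.0.8 browses 198.51.100.7 at human, irregular
# intervals. Lines are deliberately not in time order.
SAMPLE_LOG = """\
2024-03-01T09:00:00 fw1 NAT allow src=10.0.0.5 dst=203.0.113.10:443
2024-03-01T09:00:42 fw1 NAT allow src=10.0.0.8 dst=198.51.100.7:443
2024-03-01T09:05:01 fw1 NAT allow src=10.0.0.5 dst=203.0.113.10:443
2024-03-01T09:07:15 fw1 NAT allow src=10.0.0.8 dst=198.51.100.7:443
2024-03-01T09:09:59 fw1 NAT allow src=10.0.0.5 dst=203.0.113.10:443
2024-03-01T09:08:03 fw1 NAT allow src=10.0.0.8 dst=198.51.100.7:443
2024-03-01T09:15:00 fw1 NAT allow src=10.0.0.5 dst=203.0.113.10:443
2024-03-01T09:31:40 fw1 NAT allow src=10.0.0.8 dst=198.51.100.7:443
2024-03-01T09:20:02 fw1 NAT allow src=10.0.0.5 dst=203.0.113.10:443
2024-03-01T09:32:05 fw1 NAT allow src=10.0.0.8 dst=198.51.100.7:443
2024-03-01T09:24:58 fw1 NAT allow src=10.0.0.5 dst=203.0.113.10:443
2024-03-01T10:02:11 fw1 NAT allow src=10.0.0.8 dst=198.51.100.7:443
""".splitlines()

if __name__ == "__main__":
    for (src, dst, port), (mean, cv) in beacon_candidates(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port}  period ~{mean:.0f}s  cv={cv:.3f}")
```

A flagged tuple is a lead, not a verdict: confirm it against the DNS and proxy logs discussed above before treating the destination as C2.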
- Effective Incident Response: Containment and Eradication
In the realm of cybersecurity, responding to incidents promptly and effectively is crucial. This detailed guide covers best practices in incident response, focusing on identification, containment, and eradication.

Failure to Take Complete Notes
The most common error incident handlers make is failing to take comprehensive notes. Detailed documentation is essential for understanding the incident and for legal purposes.

Forensic Imaging
- Critical Importance: A good forensic image is crucial. Without it, you risk the data's integrity and admissibility in court.
- System Backups: Often, systems haven't been backed up in years, making forensic imaging vital for preserving irreplaceable data.
- Tools: Use tools like dd for bit-by-bit imaging on UNIX and Windows. Tools like Google Rekall and the Volatility Framework are excellent for memory analysis.
- Cryptographic Hashes: These validate that the evidence remains unchanged since collection.

Write Blockers
- Usage: Prevent write operations to disks, preserving the state of evidence. Available in hardware and software forms.
- Practicality: Not always feasible, especially for live systems.

Drive Duplicators
- Advantages: Faster imaging and on-the-fly hash calculation. Ideal for frequent imaging tasks.

Disk Size Consideration
- Storage Needs: The storage drive should be at least 10% larger than the original to account for file system overhead and metadata.

Short-term Containment
Goals:
- Stop Attack Progress: Prevent further damage without altering the impacted system.
- Keep Drive Image Intact: Until a backup is made.
Methods:
- Network Isolation: Disconnect network access or power to the impacted system.
- Switch Port Isolation: Control the switch infrastructure to isolate the impacted machine.
- VLAN Isolation: Place the system on an isolated VLAN for continued communication without spreading the infection.
- DNS Alteration (important and useful method): Redirect traffic by changing DNS records to point to a secure machine, mitigating attacks based on the IP address.

Long-term Containment
Actions:
- Patching: Apply patches to the system and neighboring systems.
- Intrusion Prevention: Insert an IPS or in-line Snort/Suricata.
- Routing Changes: Null routing and firewall rules.
- Account Management: Remove attacker accounts and shut down backdoors.

Eradication Preparation
- Temporary Solutions: Implement solutions to maintain production while preparing for eradication.

Eradication Protection Techniques
- Firewall/Router Filters: Apply appropriate filters.
- System Relocation (very useful): Move the system to a new name/IP address.
- DNS Changes (very useful): Change DNS names to avoid further attacks.

Vulnerability Analysis
- System and Network Analysis: Perform detailed vulnerability assessments.
- Port Scanning: Use tools like Nmap for network scanning.
- Vulnerability Scanners: Tools like Nessus, OpenVAS, Rapid7 NeXpose, and Qualys help identify vulnerabilities.

Attack Patterns
- Multiple Machines: Attackers often exploit multiple machines using the same methods. Search for related vulnerabilities across the environment.

Conclusion
Effective incident response involves strategic containment and thorough eradication. By adhering to these best practices, organizations can significantly enhance their resilience against cyber threats and ensure a swift recovery from incidents.

Akash Patel
- NirSoft Network Usage View (NUV): Streamlining SRUM Analysis
The landscape of digital forensics is ever-changing, with tools and techniques continually evolving to meet the demands of modern investigations. One such recent addition to the arsenal of SRUM analysis tools is NirSoft's Network Usage View (NUV).

Link: https://www.nirsoft.net/utils/network_usage_view.html

Introduction to NUV
NUV, like many of NirSoft's offerings, is both free and user-friendly, designed to assist investigators in their triage efforts. Upon launching the tool, it defaults to displaying the host system's information. However, it's versatile enough to be pointed at a mounted image for deeper analysis.

Loading SRUM Data with NUV
To load SRUM data from a specific image, such as the Donald Blake image, follow these steps:
1. Access Advanced Options: From the menu bar, select "Options" and then choose "Advanced Options."
2. Select External SRUMDB.dat: Under the "Load network usage data from:" dropdown menu, choose "External SRUMDB.dat database."
3. Navigate to SRUM Database: Click the "..." button and browse to the location of the SRUM database on the mounted image.

Analyzing SRUM Data with NUV
Once the target SRUM database is loaded, NUV provides a snapshot of the applications running each hour, the user responsible for each application, and the inbound and outbound network traffic per application, per hour. This data can be invaluable for understanding user activity and network behavior.

What's Missing in NUV?
While NUV offers a comprehensive view of network usage data, one notable omission is the network name to which the system was connected at a given time. However, this gap can be easily filled using additional tools; my preference is ESEDatabaseView (and I have written a blog on it). Link below:
https://www.cyberengage.org/post/examining-srum-with-esedatabaseview

Conclusion
NUV by NirSoft is a valuable addition to the toolkit of digital forensic analysts, streamlining SRUM analysis and providing quick access to essential network usage data. While it may not offer a complete picture on its own, when combined with other tools and techniques it becomes a powerful asset in the quest for digital evidence.

Akash Patel
- Examining SRUM with ESEDatabaseView
You can download the tool from the link below:
https://www.nirsoft.net/utils/ese_database_view.html

Opening the SRUM Database with NirSoft
Using NirSoft's utilities, you can open the SRUDB.dat ESE database to access its tables. In a typical Windows 10 setup, you'll find around 13 tables. By default, the MSysObjects table is displayed, sorted by the first column. We're focusing on the Windows Network Data Usage Monitor table, identified by the unique identifier {973F5D5C-1D90-4944-BE8E-24B94231A174}, which is consistent across Windows 8.1 and Windows 10.

Examining the Windows Network Data Usage Monitor Table
Once you've selected the Windows Network Data Usage Monitor table, you'll find entries detailing the system's network connections. Each entry features an "AppID," identifying the application using the network during that time period. The AppID corresponds to the "IdIndex" field in the SruDbIdMapTable. That table also reveals the drive and full path of the application executable via the "IdBlob" for each "IdIndex." Additionally, you'll find the "UserId," network interface (InterfaceLuid), network profile index (L2ProfileId), and bytes sent and received for each application during that time period.

Mapping Network Profiles
To map a network profile, start by identifying a network with a profile identifier (L2ProfileId), such as 268435461. Navigate to the SOFTWARE registry hive to find the corresponding network name. Here's how:
1. Navigate to the \Microsoft\WlanSvc\Interfaces\{8DE3771B-64C5-4F1A-B37B-7B7A9917E10E}\Profiles key.
2. Look for profile identifiers and check the ProfileIndex key value to find the matching identifier.
3. Expand the matching profile identifier key and select the "MetaData" subkey.
4. Check the "Channel Hints" key value to reveal the network name corresponding to the ProfileIndex 268435461.

By following these steps, you can gain valuable insights into the network connections made by a system, the applications involved, and even the network names. This information can be pivotal in forensic investigations, shedding light on user activities and potentially uncovering malicious intent.

Conclusion
The SRUM database, when explored using NirSoft's utilities, offers a comprehensive view of network usage data on a Windows system. By understanding how to navigate and interpret this data, digital forensic analysts can uncover critical insights that may be instrumental in their investigations.

Akash Patel
- Unpacking SRUM: The Digital Forensics Goldmine in Windows
Enter the System Resource Usage Monitor (SRUM), a treasure trove for digital forensic analysts.

The SRUM Database: A Wealth of Insights
The SRUM database serves as a goldmine of information for investigators, offering invaluable insights into user activities and system performance. Some of the most exciting pieces of information that SRUM can reveal include:
- Applications Running: Details on what applications were active on the system during a specific hour.
- User Account Information: Identification of the user account responsible for launching each application.
- Network Bandwidth Usage: Insights into the amount of network bandwidth sent and received by each application.
- Network Connections: Information on the networks the system was connected to, including dates, times, and connected networks.

Timing and Data Recording
Understanding the timing of data recording in the SRUM database is crucial. Data is written to the SRUM database approximately every 60 minutes of system runtime or during a proper system shutdown. When reviewing SRUM entries, analysts should note that the recorded date, time, and second represent when the data was recorded, not when the activity occurred. Additionally, if the time period between entries is less than 60 minutes since the previous entry, it may indicate that the entries were made because the system was shut down improperly.

SRUM Database Integrity and Repair
Given that systems are often not cleanly shut down during incident response procedures, the SRUM database file may sometimes be in a "dirty" or corrupt state. Windows provides a built-in tool, esentutl, for diagnosing and repairing ESE databases. This tool can perform tasks like defragmentation, recovery, integrity checking, and repair of ESE databases. Additionally, deleted records from the SRUM database may be recoverable using a utility called "EseCarve."

To check the status of the SRUM database, run the following from the Windows\System32\sru\ directory:

esentutl /mh SRUDB.dat

SRUM Registry Keys and Subkeys
Performance data collected via SRUM is initially stored in the Windows registry and then transferred to the SRUM database. The primary registry key is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM, which contains three subkeys: Parameters, Telemetry, and Extensions. Each of these subkeys corresponds to tables in the SRUM database and contains temporary data.

Key Tables in the SRUM Database
- Windows Network Data Usage Monitor: {973F5D5C-1D90-4944-BE8E-24B94231A174}. Records information about networks, applications, user SIDs, and total bytes sent and received by each application.
- WPN SRUM Provider: {d10ca2fe-6fcf-4f6d-848e-b2e99266fa86}. Captures Windows push notifications for Windows applications, user SIDs, and push notification payload sizes.
- Application Resource Usage Provider: {d10ca2fe-6fcf-4f6d-848e-b2e99266fa89}. Records the drive, directory, and full path of active applications, user SIDs, CPU cycle times, and bytes read and written.
- Windows Network Connectivity Usage Monitor: {DD6636C4-8929-4683-974E-22C046A43763}. Identifies network connections, connection start times, connection durations, and interface types.
- Energy Usage Provider: {fee4e14f-02a9-4550-b5ce-5fa2da202e37}. Provides battery charge level, design capacity, cycle count, and power source information.
- Energy Estimation Provider (Windows 10): {97C2CE28-A37B-4920-B1E9-8B76CD341EC5}. Offers a summary of historical battery status.

Conclusion
The SRUM database has revolutionized digital forensic investigations by offering a comprehensive view of system activities and performance metrics. As investigators continue to explore this rich data source, the potential for uncovering critical evidence and insights will only grow.

Akash Patel
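The resolution walked through by hand in the ESEDatabaseView post above (AppID and UserId to SruDbIdMapTable IdIndex/IdBlob, L2ProfileId to the registry network name) together with this post's timing rules, as an added example that is not code from either post and not any tool's API. All table rows, paths, SIDs and network names are constructed; resolving UserId through the same map table is known from the SRUM format but is not spelled out in the posts, and the per-app-per-network aggregation and short-interval check go beyond the posts' manual steps.

```python
"""Resolve and sanity-check SRUM network-usage rows.

Added example, not code from the original posts. ID_MAP, PROFILE_NAMES and
USAGE are constructed stand-ins for what ESEDatabaseView shows in
SruDbIdMapTable, the WlanSvc profile keys and the Windows Network Data Usage
Monitor table ({973F5D5C-1D90-4944-BE8E-24B94231A174}).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class UsageRow:
    timestamp: datetime     # when SRUM flushed the row, not when the activity occurred
    app_id: int             # -> SruDbIdMapTable.IdIndex (IdBlob = executable path)
    user_id: int            # -> SruDbIdMapTable.IdIndex (IdBlob = user SID)
    interface_luid: int
    l2_profile_id: int      # -> WlanSvc ... Profiles\<id>\ProfileIndex -> MetaData\Channel Hints
    bytes_sent: int
    bytes_recvd: int

# Constructed SruDbIdMapTable: IdIndex -> IdBlob (paths and SID are made up).
ID_MAP = {
    4: r"\Device\HarddiskVolume2\Windows\System32\svchost.exe",
    17: r"\Device\HarddiskVolume2\Users\alice\Downloads\updater.exe",
    3: "S-1-5-21-1111111111-2222222222-3333333333-1001",
}
# Constructed ProfileIndex -> Channel Hints mapping as read from the registry.
PROFILE_NAMES = {268435461: "CoffeeShop-WiFi", 268435458: "CorpNet"}

T0 = datetime(2024, 3, 1, 9, 0)   # constructed flush times
USAGE = [
    UsageRow(T0, 4, 3, 1, 268435458, 120_000, 900_000),
    UsageRow(T0, 17, 3, 1, 268435458, 5_000, 20_000),
    UsageRow(T0 + timedelta(hours=1), 17, 3, 1, 268435461, 850_000_000, 40_000),
    UsageRow(T0 + timedelta(hours=1, minutes=20), 4, 3, 1, 268435461, 1_000, 3_000),
]

def resolve(row: UsageRow, id_map=ID_MAP, profiles=PROFILE_NAMES) -> dict:
    """Turn the numeric ids into the executable path, SID and network name."""
    return {
        "recorded_at": row.timestamp,
        # SRUM flushes roughly hourly, so the activity fell in the hour before the record.
        "activity_window": (row.timestamp - timedelta(hours=1), row.timestamp),
        "app": id_map.get(row.app_id, f"<unresolved IdIndex {row.app_id}>"),
        "user": id_map.get(row.user_id, f"<unresolved IdIndex {row.user_id}>"),
        "network": profiles.get(row.l2_profile_id, f"<unresolved L2ProfileId {row.l2_profile_id}>"),
        "bytes_sent": row.bytes_sent,
        "bytes_recvd": row.bytes_recvd,
    }

def bytes_sent_per_app_network(rows):
    """Aggregate outbound bytes by (executable, network): the view used to spot
    an application pushing data out over an unexpected network."""
    totals = defaultdict(int)
    for r in rows:
        info = resolve(r)
        totals[(info["app"], info["network"])] += r.bytes_sent
    return dict(totals)

def short_interval_flushes(rows, minimum=timedelta(minutes=60)):
    """Return flush timestamps that came sooner than `minimum` after the
    previous flush; the post notes such gaps can indicate an improper shutdown."""
    stamps = sorted({r.timestamp for r in rows})
    return [b for a, b in zip(stamps, stamps[1:]) if b - a < minimum]

if __name__ == "__main__":
    ranked = sorted(bytes_sent_per_app_network(USAGE).items(), key=lambda kv: -kv[1])
    for (app, net), sent in ranked:
        print(f"{sent:>12,} bytes out  {app}  via {net}")
    print("flushes sooner than 60 min:", short_interval_flushes(USAGE))
```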
- SRUM: The Digital Detective in Windows
In today's digital age, the significance of digital evidence in criminal investigations cannot be overstated. As technology evolves, so do the methods employed by criminals to cover their tracks. Enter the System Resource Usage Monitor (SRUM), a powerful tool that has become a game-changer in digital forensic investigations.

Real-world Applications of SRUM
- Corporate Espionage Investigations: Imagine a scenario where a corporate system is compromised. SRUM data can be instrumental in identifying applications covertly exfiltrating sensitive data to competitors or foreign entities, providing invaluable leads to investigators.
- Insider Threats: In cases involving employee misconduct, SRUM can document suspicious activities such as large-scale data transfers from the corporate network to personal devices. This data can pinpoint when and where data was accessed, aiding in establishing a timeline of events.
- Refuting Baseless Claims: SRUM has also proven its worth in the courtroom. In one case, SRUM data conclusively refuted claims that evidence had been planted on a seized computer, demonstrating that no unauthorized access had occurred post-seizure.

Understanding SRUM
What is SRUM? SRUM is an integral part of the Windows Diagnostic Policy Service (DPS), tracking various system performance metrics. Introduced with Windows 8, SRUM is enabled by default across all Windows versions, including Enterprise.

Accessing and Managing SRUM Data
- Task Manager Insights: Users can get a glimpse of SRUM data through the Task Manager's "App history" and "Details" tabs, showcasing performance statistics and approximately 30 days of historical data. However, a mere click on "Delete usage history" doesn't erase SRUM data immediately, requiring further investigation into data retention and purging policies.
- Data Retention: While SRUM retains data for approximately 30 days, additional testing reveals that extended periods of system inactivity can lead to purging of older data. It's not uncommon to find up to 60 days of historical performance data in SRUM, making it a valuable resource for investigators.

Key Takeaways
SRUM offers a treasure trove of information to digital forensic analysts, including:
- Applications running at specific times
- User accounts associated with each application
- Network bandwidth usage per application
- Network connections, including dates, times, and connected networks

Final Thoughts
SRUM has revolutionized the way digital forensic investigations are conducted, offering a deeper insight into user activities and system performance. As technology continues to evolve, so will the tools and methods employed by both investigators and criminals. However, with tools like SRUM in their arsenal, investigators are better equipped than ever to uncover the truth and bring justice to those who seek to undermine it.

Akash Patel
- My First Day at Ankura: A New Chapter Begins
Today marks the beginning of an exciting new chapter in my professional journey as I join Ankura as a Cybersecurity Incident Response Associate. The start of a new job is always an important milestone. I am eager to contribute to the success of Ankura and to work with my new colleagues to achieve our common goals. This is just the beginning, and I look forward to sharing more about my experiences and learnings in the coming months. Thank you for being part of my journey, and stay tuned for more updates as I navigate this new and exciting chapter!

Akash Patel