- Understanding the Email Forensic
Email forensics is a powerful tool in the realm of digital investigations. A well-conducted examination answers four questions.

  1. Who sent the email? Identifying the sender is pivotal, as it sets the foundation for any email investigation. While emails can be anonymized or spoofed, there are often traces left behind that help determine the true sender.
     - Origination Address: The email's "From" address is the first clue. Even if it is spoofed, it can sometimes lead to known domains or entities that can be investigated further.
     - IP Address: Every email sent over the internet carries with it the IP address of the sending server. This IP can often be traced back to an ISP or, in some cases, to a specific organization or location.
     - Contextual Clues: The content of the email, the signature block, language patterns, and references can also provide hints about the sender's identity or affiliation.
  2. When was it sent? Timestamps are crucial in establishing timelines, which can be vital in investigations.
     - Message Timestamp: The email's internal timestamp can be altered, but it still provides a reference point.
     - Mail Server Timestamp: This is a more reliable source for determining when an email was sent. Mail servers maintain logs that record the exact time an email was received or sent, providing a trustworthy timeline for investigators.
  3. Where was it sent from? Pinpointing the origin of an email helps trace its path and determine its legitimacy.
     - IP Geolocation: The IP address associated with the sending server can be mapped to a geographical location using geolocation databases, giving investigators an idea of where the email was sent from.
     - Mail Server and ISP Tracking: By analyzing the email header, one can trace the path the email took through different mail servers and ISPs. This helps narrow down its origin and may lead to further investigative avenues.
  4. Is there relevant content? While the questions above identify the email's origin and path, the content often holds the key to understanding the email's significance to the investigation.
     - Email Stores: Beyond the text and attachments, email stores contain valuable information in contact lists, calendar appointments, and task lists. This data provides context for the email's intent and can be instrumental in corroborating evidence or establishing motive.

  In conclusion, email forensics is not just about reading emails but about understanding the metadata, tracing the path, and extracting relevant content. A well-conducted email examination can provide a comprehensive view of an individual's activities, associations, and intentions, making it an indispensable tool for digital investigations. Akash Patel
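  The "who", "when" and "where" questions above are answered from the Received header chain. The following is an added example, not code from the original post: it parses a constructed sample message (the hosts, addresses and timestamps are made up) with Python's standard email module, lists the hops oldest-first, and compares the sender-controlled Date header against the first server timestamp.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (not a real capture): two Received hops and a
# "From" address whose domain does not match the relay that handed it over.
SAMPLE_EMAIL = """\
Received: from mx.example-receiver.test (mx.example-receiver.test [192.0.2.10])
\tby inbox.example-receiver.test with ESMTP id ABC123;
\tTue, 5 Mar 2024 10:15:02 +0000
Received: from relay.example-sender.test (unknown [198.51.100.25])
\tby mx.example-receiver.test with ESMTP id XYZ789;
\tTue, 5 Mar 2024 10:14:57 +0000
From: "Accounts" <accounts@bank.example>
Date: Tue, 5 Mar 2024 09:00:00 +0000
Subject: Invoice
Message-ID: <id1@relay.example-sender.test>

Please see the attached invoice.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def trace_received(raw_email):
    """Return the Received hops oldest-first as {'from', 'ip', 'time'} dicts.

    Each relay prepends its own Received line, so the header order is
    newest-first; reversing it gives the path from origin to destination."""
    msg = message_from_string(raw_email)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())            # unfold continuation lines
        clauses, _, date_part = flat.rpartition(";")
        host = FROM_RE.search(clauses)
        ip = IP_RE.search(clauses)
        try:
            when = parsedate_to_datetime(date_part.strip())
        except (TypeError, ValueError):
            when = None                           # malformed or missing date
        hops.append({"from": host.group(1) if host else None,
                     "ip": ip.group(1) if ip else None,
                     "time": when})
    hops.reverse()
    return hops


def origin_summary(raw_email):
    """Answer 'who', 'when' and 'where' from the headers alone."""
    msg = message_from_string(raw_email)
    hops = trace_received(raw_email)
    claimed = parseaddr(msg.get("From", ""))[1]
    first_hop = hops[0] if hops else {"from": None, "ip": None, "time": None}
    summary = {
        "claimed_sender": claimed,
        "claimed_domain": claimed.rpartition("@")[2],
        "origin_host": first_hop["from"],
        "origin_ip": first_hop["ip"],
        "first_server_time": first_hop["time"],
        "hop_count": len(hops),
        "date_skew_seconds": None,
    }
    header_date = msg.get("Date")
    if header_date and first_hop["time"] is not None:
        # Gap between the sender-controlled Date header and the first server
        # timestamp; a large skew means the Date header cannot be trusted.
        summary["date_skew_seconds"] = (
            first_hop["time"] - parsedate_to_datetime(header_date)).total_seconds()
    return summary


if __name__ == "__main__":
    for hop in trace_received(SAMPLE_EMAIL):
        print(hop)
    print(origin_summary(SAMPLE_EMAIL))
```

  Only the bottom-most Received line was written by a server outside the sender's control boundary that you can still trust, so the origin IP reported here is the one to geolocate and to check against the claimed "From" domain.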
- Important Update: Temporary Pause in Blog Updates
Dear readers and followers, I hope this message finds you well. I wanted to take a moment to share an important update regarding our blog. Due to some unforeseen circumstances, I was not able to publish new blog posts from April 5th. Please rest assured that this pause is temporary. I am actively working to resolve the issues at hand and will be back as soon as possible with fresh and engaging topics for you to enjoy. I understand that you might be looking forward to our regular updates, and I sincerely apologize for any inconvenience this may cause. Your patience and understanding during this time are greatly appreciated. In the meantime, I encourage you to explore our archive of past blog posts. There's a wealth of information, tips, and insights waiting for you there. Thank you once again for your continued support and understanding. I look forward to reconnecting with you all very soon with new and exciting content. Stay tuned, and take care! Akash Patel
- Solid-State Drives (SSDs): Acquisition, Analysis, and Best Practices
Introduction: Solid-state drives (SSDs) have revolutionized data storage with their speed, reliability, and lack of moving parts. However, their unique characteristics pose challenges for forensic investigators and analysts.

Understanding SSDs: SSDs use non-volatile NAND flash memory for data storage, providing faster access times and improved reliability compared to traditional hard drives. (Non-volatility allows flash SSDs to retain their contents through a sudden power loss.)

Limited Writes and NAND Flash Quality: SSD reliability is directly affected by the number of writes to the NAND flash memory. Frequent writes can lead to data corruption and reduce the lifespan of the drive. Consumer-grade SSDs often use lower-quality NAND flash, making them more susceptible to wear from repeated writes.

Wear Leveling: Wear leveling is a technique that distributes write and erase cycles evenly across the SSD's memory cells. When data is modified, it is moved to a new location and the original location is marked for erasure. This prevents certain memory cells from wearing out faster than others.

Drive Trimming (Trim): Trim improves SSD performance and lifespan by informing the drive which data blocks are no longer in use, allowing the SSD to reclaim them.

Effects on Forensic Analysis: Wear leveling alters the physical location of data on the SSD, making it challenging to recover specific sectors or data remnants such as file slack. Trim operations eliminate data remnants and reduce the effectiveness of traditional techniques like file carving.

Prefetch and ReadyBoost: Prefetch and ReadyBoost, which improve system performance by caching frequently accessed data, may be disabled or enabled depending on the SSD configuration. Microsoft has started enabling Prefetch and ReadyBoost by default on SSDs due to their improved performance, which may affect forensic analysis and investigation techniques.

Acquisition of Data from SSDs: Acquiring data from SSDs requires careful consideration of power-loss concerns and data collection methods.

  1. Power Loss Concerns: Cutting power to a running SSD can lead to serious problems, potentially causing data modifications during recovery processes. Traditional shutdown processes can also trigger drive optimization activities, affecting data integrity.
  2. Impact on Data Collection: Cutting power to an SSD may not be the best option for ensuring proper data collection. The repair operations an SSD runs during power-loss recovery can include trimming and wear leveling, which affect the integrity of the data. Simply powering off the system using a normal shutdown can also trigger drive optimization activities, further complicating data collection.
  3. Live Acquisition Considerations: Some experts suggest that live imaging of the system might be the best approach for acquiring data from SSDs. Leaving the SSD running for extended periods, even in a powered-down state, can potentially corrupt the data. Live acquisition, similar to imaging memory, may offer better control over the data and reduce the risk of unintended modifications by the SSD.
  4. Recommended Recovery Procedures: In case of a drive failure due to power loss, follow the specific recovery guidelines provided by manufacturers like Crucial. The recovery process involves completing a power cycle, which may take approximately one hour. It is typically performed on a laptop or desktop computer by connecting the SSD to the SATA power connector and following these steps:
     1. Once you have the drive connected and sitting idle, simply power on the computer and wait for 20 minutes. We recommend that you don't use the computer during this process.
     2. Power the computer down and disconnect the drive from the power connector for 30 seconds.
     3. Reconnect the drive, and repeat steps 1 and 2 one more time.
     4. Reconnect the drive normally, and boot the computer to your operating system.
     5. If the latest firmware has not been applied to your drive, do so.
  5. Write Blocking and Analysis: While write blocking drives using standard write blockers can prevent accidental writes from the connected operating system, the SSD's controller may still perform wear leveling and trimming operations when powered on. Using a write blocker for imaging is recommended to preserve drive integrity, but prolonged analysis on an SSD connected via a write blocker increases the risk of controller-initiated drive management operations, potentially compromising data integrity.

Frequently asked questions:

Q: Will disk defragmentation be disabled by default on SSDs?
A: Yes, disk defragmentation is disabled by default on SSDs. SSDs do not benefit from defragmentation like traditional mechanical hard drives; in fact, defragmentation causes unnecessary wear on SSDs without providing any performance improvement.

Q: Will SuperFetch be disabled on SSDs?
A: It depends. Newer versions of Windows, such as Windows 8 and Windows 10, typically keep SuperFetch enabled on SSDs, while older Windows 7 systems may disable SuperFetch if an SSD drive is detected. SuperFetch can improve system performance by preloading frequently used applications into memory, but on SSDs it may not be as necessary because of the faster read/write speeds.

Q: Does the Windows Search Indexer operate differently on SSDs?
A: No, the Windows Search Indexer operates the same way on SSDs as it does on traditional hard drives. The Search Indexer creates and maintains a database of file and folder information to enable quick file searches. While SSDs may have faster access times, the functionality of the Search Indexer remains unchanged.

Q: What should you do if the hash does not match on the first attempt to image an SSD?
A: If the hash does not match on the first attempt to image an SSD, keep the original image and reimage the drive. The most likely reason for the hash mismatch is wear leveling or trim operations occurring after the initial hash was generated. By comparing the original and subsequent images, you can identify any differences caused by wear leveling or trim, such as deleted files or changes in unallocated space. This comparison helps mitigate concerns over unmatched hashes when presenting evidence in legal proceedings.

Conclusion: Solid-state drives offer numerous benefits, but their unique characteristics present challenges for forensic investigators. By understanding the behavior of SSDs, implementing proper acquisition techniques, and adhering to best practices, forensic analysts can effectively acquire and analyze data from SSDs while maintaining data integrity and reliability. Akash Patel
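  The last answer above recommends keeping both images when their hashes disagree and comparing them. The block below is an added example, not code from the original post: it hashes two acquisitions, and when they differ it reports which 512-byte blocks changed and which of those now read as all zeros (the pattern a trimmed block typically returns). The two "images" are constructed in memory for the demonstration; a practitioner would read the real image files in block-sized chunks instead.

```python
import hashlib

SECTOR = 512


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def diff_blocks(image_a, image_b, block_size=SECTOR):
    """Return [(offset, block_a, block_b)] for every block that differs."""
    if len(image_a) != len(image_b):
        raise ValueError("images differ in size; sector-wise comparison needs equal sizes")
    diffs = []
    for off in range(0, len(image_a), block_size):
        a = image_a[off:off + block_size]
        b = image_b[off:off + block_size]
        if a != b:
            diffs.append((off, a, b))
    return diffs


def compare_acquisitions(first_image, second_image, block_size=SECTOR):
    """Hash both images; when they disagree, list the changed block offsets and
    which of those blocks now read as all zeros (what a trimmed block shows)."""
    h1, h2 = sha256_hex(first_image), sha256_hex(second_image)
    report = {"hash_first": h1, "hash_second": h2, "match": h1 == h2,
              "changed_blocks": [], "zeroed_blocks": []}
    if report["match"]:
        return report
    for off, a, b in diff_blocks(first_image, second_image, block_size):
        report["changed_blocks"].append(off)
        if b == b"\x00" * len(b):
            report["zeroed_blocks"].append(off)
    return report


def build_sample_images():
    """Constructed 8-sector images (not real drive data): the second pass sees
    one block zeroed by TRIM and one block rewritten by the controller."""
    first = b"".join(bytes([i + 1]) * SECTOR for i in range(8))
    second = bytearray(first)
    second[3 * SECTOR:4 * SECTOR] = b"\x00" * SECTOR   # released block now reads as zeros
    second[6 * SECTOR:7 * SECTOR] = b"\xAA" * SECTOR   # block content changed in place
    return first, bytes(second)


if __name__ == "__main__":
    first, second = build_sample_images()
    report = compare_acquisitions(first, second)
    print("hashes match:", report["match"])
    print("changed block offsets:", report["changed_blocks"])
    print("zeroed (trim-like) block offsets:", report["zeroed_blocks"])
```

  Documenting the changed offsets this way, alongside both hashes, is what lets you explain in a report that the mismatch is confined to blocks the drive's own controller altered rather than to examiner activity.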
- Unveiling File Origins: The Role of Alternate Data Streams (ADS)/(Zone.Identifier) in Forensic Investigations
I will start by asking a question: ever wonder how Office knows your document was "from the Internet"?

Understanding Alternate Data Streams (ADS): Alternate Data Streams allow the creation of secondary or subsequent data streams within a single file on the NTFS file system. While the primary data stream contains the main file content, an ADS can store additional metadata, attributes, or even executable code.

The Significance of the Zone.Identifier Stream: One significant use of ADS in forensic investigations is the Zone.Identifier stream, which can indicate the origin of a file, particularly files downloaded from the internet. The Zone.Identifier stream typically contains simple text indicating the file's origin, with a ZoneId value of 3 signifying that the file was downloaded from the internet and may be potentially unsafe.

Understanding ZoneId Values:
  - NoZone: -1
  - MyComputer: 0
  - Intranet: 1
  - Trusted: 2
  - Internet: 3
  - Untrusted: 4

Example: Analyzing the Zone.Identifier ADS: By checking for the presence of a Zone.Identifier ADS, forensic analysts can identify potentially malicious files that were downloaded from the internet. **This analysis is particularly useful when examining critical system directories like C:\Windows\System32, where the presence of ZoneId=3 can raise red flags.**

Applications in Forensic Investigations: ADS analysis, especially of Zone.Identifier streams, provides valuable insight into the origins of files, aiding investigations in scenarios such as malware analysis, digital forensics, and e-discovery.

Conclusion: Alternate Data Streams, particularly the Zone.Identifier stream, offer a fascinating avenue for uncovering the origin of files, especially those downloaded from the internet. By understanding ADS and analyzing ZoneId values, forensic investigators can enhance their ability to identify potentially malicious files and gather valuable evidence for investigations. Akash Patel
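  As an added example (not the post's own code), the block below parses the INI-style text of a Zone.Identifier stream, maps the ZoneId to the names listed above, and walks a directory flagging every file whose stream says ZoneId=3. The sample stream content and URLs are constructed; the `path:Zone.Identifier` open syntax only works on NTFS under Windows, so on other systems `read_zone_identifier` simply reports no stream.

```python
import configparser
import os

ZONE_NAMES = {-1: "NoZone", 0: "MyComputer", 1: "Intranet",
              2: "Trusted", 3: "Internet", 4: "Untrusted"}

# Constructed stream text in the layout Windows writes (CRLF line endings).
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.test/downloads/\r\n"
                 "HostUrl=https://cdn.example.test/tool.exe\r\n")


def parse_zone_identifier(text):
    """Parse stream text; return a dict, or None if there is no ZoneTransfer section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str                       # keep key case: ZoneId, HostUrl
    cp.read_string(text.replace("\r\n", "\n"))
    if not cp.has_section("ZoneTransfer"):
        return None
    sec = cp["ZoneTransfer"]
    try:
        zone_id = int(sec.get("ZoneId", "-1"))
    except ValueError:
        zone_id = -1                           # malformed ZoneId treated as NoZone
    return {"zone_id": zone_id,
            "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
            "referrer_url": sec.get("ReferrerUrl"),
            "host_url": sec.get("HostUrl")}


def read_zone_identifier(path):
    """Read a file's Zone.Identifier ADS (NTFS/Windows only); None when absent."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def flag_internet_files(root):
    """Return [(path, info)] for files under root marked as ZoneId 3 (Internet)."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            info = read_zone_identifier(path)
            if info and info["zone_id"] == 3:
                flagged.append((path, info))
    return flagged


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    # e.g. flag_internet_files(r"C:\Windows\System32") on a Windows system
```

  The HostUrl and ReferrerUrl fields, when present, give you the download source directly, which is often more useful than the zone number alone.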
- Digital Evidence: Techniques for Data Recovery and Analysis
In today's digital age, forensic investigators face the challenge of extracting valuable evidence from various storage devices, including solid-state drives (SSDs). With techniques like datastream carving, file carving, and metadata parsing, investigators can uncover crucial information for legal proceedings and investigations.

Datastream Carving vs. File Carving:
  1. Datastream Carving: Extracts small fragments of data from larger files. Useful for recovering valuable information, such as URLs and timestamps, from partially deleted files. Tools like Magnet Forensics' Internet Evidence Finder (IEF) facilitate the process by scanning for fragments and full files across storage devices.
  2. File Carving: Focuses on recovering intact files from memory or unallocated space. Scans for known file headers and carves out files based on predicted lengths or known footers. Effective for recovering specific types of deleted files, but may yield numerous false positives.

Parsing Metadata in Files: Metadata embedded within files provides insight into their creation, modification, and history. Microsoft Office documents and picture files contain metadata such as author information, creation time, GPS coordinates, and camera details.

Example: For Microsoft Office documents, metadata may include the author, creation time, last print time, and even the version of Microsoft Office used to create the document. This information can help establish the origin and authenticity of the document, which is especially important in cases involving stolen or altered documents. Similarly, picture files contain metadata describing how the picture was taken: typically the original creation date, the type of camera used, and even GPS coordinates if the device has a built-in GPS. Tools like exiftool (https://exiftool.org/) can parse this metadata from files, uncovering valuable information for e-discovery cases and investigations.

In e-discovery cases, requesting metadata can be crucial for building a comprehensive understanding of the evidence and ensuring a fair trial. Judges often grapple with the complexities of metadata requests, recognizing its potential to make or break a case. By leveraging tools like exiftool to parse metadata from files, investigators can uncover information that strengthens their legal arguments and provides clarity in complex litigation.

Recovering Deleted Files: Forensic analysis often involves recovering lost or deleted files from storage devices. Metadata-layer extraction retrieves file properties, while unallocated-space extraction scans for file headers and clusters. Tools like PhotoRec recover files by scanning for file headers and attempting to reconstruct fragmented files.

Using PhotoRec: PhotoRec is a versatile data recovery program that reads file headers and targets various media file types. It can recover files from hard drives or mounted drive images and has limited fragmentation handling. PhotoRec Sorter can help organize recovered files by extension for easier analysis.

Using PhotoRec Sorter:
  1. Move the PhotoRec Sorter executable (PhotoRec_Sorter.exe) to the directory containing the "recup_dir" folders generated by PhotoRec.
  2. Execute PhotoRec_Sorter.exe from the same directory.
  3. Monitor the console output for any messages or errors during the sorting process.
  4. Once PhotoRec Sorter has finished, navigate through the "recup_dir" folders to ensure all files are properly sorted.
  5. Check for any files that may not have been sorted correctly and manually move them to the appropriate folders based on their file extensions.

Conclusion: By leveraging techniques such as datastream carving, file carving, and metadata parsing, forensic investigators can extract valuable evidence from storage devices like SSDs. These techniques play a crucial role in e-discovery cases, legal proceedings, and criminal investigations, providing insights that strengthen legal arguments and uncover hidden truths. Akash Patel
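  The file-carving description above (scan for a known header, then carve to a known footer or give up after a predicted maximum length) is shown here as an added example, not the post's or PhotoRec's code. It runs over a constructed "unallocated space" buffer containing a complete JPEG, a complete PNG and a truncated JPEG, records header-only hits as incomplete candidates, and can write the complete ones to a folder named by offset so results are reproducible.

```python
import os

# Header/footer pairs for two well-known formats; add entries for other types.
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAEB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024   # predicted maximum length to search for a footer


def carve(data, signatures=SIGNATURES, max_len=MAX_CARVE):
    """Return carve candidates sorted by offset. Complete hits carry their bytes;
    header-only hits are kept as incomplete (fragmented or truncated) candidates."""
    found = []
    for ext, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start < 0:
                break
            end = data.find(footer, start + len(header), start + max_len)
            if end < 0:
                found.append({"ext": ext, "offset": start, "length": None,
                              "complete": False, "data": None})
                pos = start + 1
                continue
            end += len(footer)
            found.append({"ext": ext, "offset": start, "length": end - start,
                          "complete": True, "data": data[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def save_carved(results, out_dir):
    """Write complete candidates as <offset>.<ext>; return the paths written."""
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for r in results:
        if not r["complete"]:
            continue
        path = os.path.join(out_dir, f"{r['offset']:012d}.{r['ext']}")
        with open(path, "wb") as fh:
            fh.write(r["data"])
        written.append(path)
    return written


def build_sample_unallocated():
    """Constructed buffer (not a real disk dump): zero filler around one complete
    JPEG, one complete PNG and a JPEG header whose footer never appears."""
    filler = b"\x00" * 64
    jpeg = b"\xFF\xD8\xFF\xE0" + b"JFIF-sample-body" + b"\xFF\xD9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-sample-body" + b"IEND\xAEB`\x82"
    truncated = b"\xFF\xD8\xFF\xE1" + b"partial"
    return filler + jpeg + filler + png + filler + truncated


if __name__ == "__main__":
    for hit in carve(build_sample_unallocated()):
        print(hit["ext"], hit["offset"], hit["length"], "complete" if hit["complete"] else "incomplete")
```

  Matching on a three-byte JPEG prefix is exactly why header-based carving produces false positives: on a real image, validate each hit by parsing the format's own structure before treating it as a recovered file.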
- Program Execution : UserAssist Registry Key || Shimcache/Amcache ||BAM/DAM
1. UserAssist Key

Understanding the UserAssist Key: The UserAssist key, located within the NTUSER.DAT hive of the Windows registry, contains valuable information about GUI program executions initiated by users. This key stores the last run time, run count, name of the GUI application, focus time, and focus count for each program launched through Windows Explorer.

Analyzing UserAssist Data: Forensic analysts can leverage the UserAssist key to uncover important details about program executions, including:
  - Last Run Time (UTC): The timestamp indicating when a program was last executed by the user.
  - Run Count: The number of times a program has been executed on the system.
  - Name of GUI Application: The name or identifier of the GUI application launched by the user.
  - Focus Time and Focus Count: Metrics indicating the total time an application has been in focus and the number of times it was re-focused in Windows Explorer.

Understanding GUIDs and Execution Modes: Each entry is recorded under a GUID subkey of the UserAssist key, and the GUID distinguishes executable file executions from shortcut file executions. For example:
  - GUIDs for Windows XP: 5e6ab780 represents Internet Toolbar; 75048700 signifies Active Desktop.
  - GUIDs for Windows 7 and higher: CEBFF6CD denotes executable file execution; F4E57C4B indicates shortcut file execution.
By analyzing these GUIDs, forensic analysts can discern how users interact with applications, whether through direct executions or shortcut activations.

2. Shimcache (Application Compatibility Cache) / Amcache Hive

Shimcache purpose:
  • Checks whether an application needs to be "shimmed" (properties applied) to run on the current OS or with older OS parameters.
  • AppCompatCache tracks the executable file's last modification date, file path, and whether it was executed.
  • Advanced: Applications are shimmed again (with an additional entry) if the file content is updated or renamed. Good for proving an application was moved, renamed, or even time-stomped (if the current file's modification time differs from the ShimCache modification time).

Amcache purpose:
  • Application Experience Service
  • New AppCompat structure, full of additional information

For a deeper treatment, see my previous blog posts:
  - Blog Headline: Forensic Collection of Execution Evidence through AppCompatCache(Shimcache)/Amcache.hiv
    Blog Link: https://www.cyberengage.org/post/forensic-collection-of-execution-evidence-through-appcompatcache-shimcache--amcache-hiv
  - Blog Headline: Shimcache/Amcache Analysis: Tool-->AppCompactCacheParser.exe/AmcacheParser.exe
    Blog Link: https://www.cyberengage.org/post/shimcache-amcache-analysis-tool-appcompactcacheparser-exe-amcacheparser-exe
  - Blog Headline: Amcache.hiv Analysis: Tool--> Registry explorer
    Blog Link: https://www.cyberengage.org/post/amcache-hiv-analysis-tool-registry-explorer

3. BAM/DAM

BAM and DAM record information about executed programs, including the path of the executable and the date/time of the last execution. The DAM is specifically found on systems with connected standby, a feature that allows Windows to remain powered on while the screen is turned off, similar to standby mode on smartphones. The DAM manages desktop application access to extend battery life while ensuring that system processes can still function effectively. The BAM, on the other hand, is associated with a kernel-mode driver service introduced in Windows 10 version 1709. While there is limited official information available about the BAM, forensic analysts have observed similarities between the information recorded in the BAM and DAM keys. Within these registry keys, you can find entries corresponding to various programs; each entry contains the full path of the executable and the timestamp of the last execution.

System Hive (BAM/DAM):
  SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
  SYSTEM\CurrentControlSet\Services\Dam\UserSettings\{SID}

Akash Patel
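  To make the UserAssist fields above concrete, here is an added example (not the post's code, and not a parser from any named tool) that decodes one UserAssist value as stored under the Windows 7+ GUID subkeys: the value name is ROT13-encoded, and the 72-byte binary data holds the run count at offset 4, focus count at offset 8, focus time in milliseconds at offset 12 and the last-run FILETIME at offset 60. The full GUIDs are the well-known ones whose first block the post quotes; the sample entry itself (program path, counts, time) is constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Full GUID subkeys under ...\Explorer\UserAssist on Windows 7 and later
# (the post quotes their first block: CEBFF6CD and F4E57C4B).
EXECUTION_MODES = {
    "{CEBFF6CD-ACE2-4F4F-9178-9926F41749EA}": "executable",
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "shortcut",
}


def filetime_to_datetime(filetime):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; zero means 'never'."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_userassist_entry(guid, value_name, raw):
    """Decode one value under <GUID>\\Count using the Windows 7+ 72-byte layout:
    offset 0 session id, 4 run count, 8 focus count, 12 focus time (ms),
    60 last-run FILETIME. The value name is the ROT13-encoded program path."""
    if len(raw) < 68:
        raise ValueError(f"unexpected UserAssist value size {len(raw)}")
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", raw, 0)
    (last_run_ft,) = struct.unpack_from("<Q", raw, 60)
    return {
        "program": codecs.decode(value_name, "rot_13"),
        "mode": EXECUTION_MODES.get(guid.upper(), "unknown"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_seconds": focus_ms / 1000.0,
        "last_run_utc": filetime_to_datetime(last_run_ft),
    }


def build_sample_entry():
    """Constructed value (not from a real hive): run 5 times, focused 12 times
    for 90 s in total, last run 2024-03-05 10:14:57 UTC."""
    last_run = datetime(2024, 3, 5, 10, 14, 57, tzinfo=timezone.utc)
    ticks = int((last_run - FILETIME_EPOCH).total_seconds()) * 10_000_000
    raw = (struct.pack("<IIII", 0, 5, 12, 90_000) + b"\x00" * 44
           + struct.pack("<Q", ticks) + b"\x00" * 4)
    name = codecs.encode(r"C:\Tools\example-tool.exe", "rot_13")
    return "{CEBFF6CD-ACE2-4F4F-9178-9926F41749EA}", name, raw


if __name__ == "__main__":
    guid, name, raw = build_sample_entry()
    print("stored value name:", name)
    print(parse_userassist_entry(guid, name, raw))
```

  A real hive export would supply `guid`, `value_name` and `raw` per value; everything else in the entry dictionary is derived the same way.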
- Part 2: Windows Registry Artifacts: Insights into User Activity
5. Last Visited MRU / Open Save MRU

Have you noticed that when you save or open a file, the dialog box has a drop-down that remembers your previous save or open locations and the files that have been opened?

(i) Open Save MRU: It acts as a repository for a history of files accessed or saved by users, offering a panoramic view of their digital footprint.
NTUSER.DAT hive: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
Through CMD: reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
To learn more, check out the blog below.
Blog Name: Artifacts for file download Part 1: Open/Save MRU Artifacts
Blog Link: https://www.cyberengage.org/post/artifacts-for-file-download-part-1-open-save-mru-artifacts-email-attachments-skype-history

(ii) Last Visited MRU: The Last Visited MRU (Most Recently Used) artifact tracks the specific executable files used by an application to open the files documented in the OpenSaveMRU key. Additionally, each value within this artifact also records the directory location of the last file accessed by that application.
NTUSER.DAT hive: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
Through CMD: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
To learn more, check out the blog below.
Blog Name: Artifacts for Program execution Part 1: Last Visited MRU
Blog Link: https://www.cyberengage.org/post/artifacts-for-program-execution-part-1-last-visited-mru-application-compatibility-cache-pref

In simpler terms:
  - LastVisitedPidlMRU: tracks the application executable used to open files in OpenSaveMRU and the last file path used (program execution).
  - OpenSavePidlMRU: values under this key show items input in the open/save dialog (file knowledge); its * subkey tracks the most recent files of any extension input in the open/save dialog.

6. Last Commands Executed:
NTUSER.DAT hive: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Command: reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Akash Patel
- Part 1: Windows Registry Artifacts: Insights into User Activity
1. Search History: The "WordWheelQuery" registry key is a valuable artifact found in the Windows registry of Windows 7 to Windows 10 systems. It stores the keywords searched for from the START menu bar, providing insight into user search behavior and interests.
NTUSER.DAT hive: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
To learn more, check out the blog below.
Blog Name: Artifacts for Deleted File or File Knowledge Part 2: Search - WordWheelQuery
Blog Link: https://www.cyberengage.org/post/artifacts-for-deleted-file-or-file-knowledge-part-2-search-wordwheelquery-index-dat-file

2. Typed Paths: This key shows when you have manually typed a path into the Start menu or into the Explorer address bar. It is useful when you are trying to show that the user had specific knowledge of a location.
NTUSER.DAT hive: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

3. Recent Docs: This registry key tracks the last files and folders opened, populating the "Recent" menus of the Start menu; it is a crucial component for understanding user activity and for finding recently accessed documents and folders efficiently.
NTUSER.DAT hive: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
To learn more, check out the blog below.
Blog Name: Artifacts for File Opening/Creation Part 1: Recent Files
Blog Link: https://www.cyberengage.org/post/artifacts-for-file-opening-creation-part-1-open-save-mru-recent-files-shell-bags

4. Microsoft Office Recent Docs
(i) Identifying Office Versions in the Registry: By navigating to specific registry keys, investigators can uncover the version of Office installed on the system. The following versions correspond to specific registry keys:
  - Office XP (Version 10.0)
  - Office 2003 (Version 11.0)
  - Office 2007 (Version 12.0)
  - Office 2010 (Version 14.0)
  - Office 2013 (Version 15.0)
  - Office 2016 (Version 16.0)
(ii) Registry Keys for Office Versions: Forensic investigators can locate information about Office versions within the Windows registry, specifically in the NTUSER.DAT hive.
NTUSER.DAT\Software\Microsoft\Office\VERSION
This key stores information about the Office version, where VERSION is, for example, 16.0 or 14.0.
NTUSER.DAT\Software\Microsoft\Office\VERSION\User MRU\LiveID_####\File MRU
This key contains information about recently accessed files and documents within specific Office applications. "PlaceMRU" shows the path of the location of the previously opened file in that directory.
NTUSER.DAT hive:
  Software\Microsoft\Office\14.0\Word\File MRU
  Software\Microsoft\Office\14.0\Excel\File MRU
  Software\Microsoft\Office\16.0\PowerPoint\User MRU\LiveID_####\File MRU
Will continue in next blog. Akash Patel
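  The MRU keys described in this post and in Part 2 above (WordWheelQuery, RecentDocs, OpenSaveMRU, RunMRU) all share two ordering conventions: an `MRUListEx` binary value listing numbered entries most-recent-first and terminated by `0xFFFFFFFF`, with each entry a UTF-16LE string, or (for RunMRU) a textual `MRUList` of letters with REG_SZ values that carry a trailing `\1`. The following is an added example, not the post's code, that reconstructs the most-recent-first order for both layouts from constructed sample values; with a real hive you would feed it the exported values of the key.

```python
import struct

TERMINATOR = 0xFFFFFFFF


def parse_mrulistex(raw):
    """MRUListEx: little-endian uint32 entry numbers, most recent first,
    terminated by 0xFFFFFFFF. Trailing partial words are ignored."""
    order = []
    usable = raw[: len(raw) - len(raw) % 4]
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == TERMINATOR:
            break
        order.append(idx)
    return order


def decode_utf16_value(raw):
    """REG_BINARY/REG_SZ payloads here are UTF-16LE, NUL-terminated strings."""
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def ordered_mru(values):
    """values: {registry value name: bytes} for a WordWheelQuery/RecentDocs-style key.
    Returns the decoded entries, most recent first; missing numbers are skipped."""
    order = parse_mrulistex(values["MRUListEx"])
    return [decode_utf16_value(values[str(i)]) for i in order if str(i) in values]


def ordered_runmru(values):
    """RunMRU: MRUList is a string of letters, most recent first; each lettered
    value is 'command\\1'. Returns the commands with the '\\1' marker removed."""
    commands = []
    for letter in values.get("MRUList", ""):
        cmd = values.get(letter)
        if cmd is None:
            continue
        commands.append(cmd[:-2] if cmd.endswith("\\1") else cmd)
    return commands


def build_sample_values():
    """Constructed exports (not from a real hive): three search terms where
    entry 2 is the newest, and three Run-box commands where 'c' is the newest."""
    def reg_sz(text):
        return (text + "\x00").encode("utf-16-le")

    wordwheel = {
        "0": reg_sz("invoice"),
        "1": reg_sz("passwords"),
        "2": reg_sz("budget"),
        "MRUListEx": struct.pack("<IIII", 2, 0, 1, TERMINATOR),
    }
    runmru = {"MRUList": "cab", "a": "cmd\\1", "b": "regedit\\1", "c": "powershell\\1"}
    return wordwheel, runmru


if __name__ == "__main__":
    wordwheel, runmru = build_sample_values()
    print("search terms, newest first:", ordered_mru(wordwheel))
    print("run commands, newest first:", ordered_runmru(runmru))
```

  The key's own last-write time gives you when the newest entry (the first in the list) was added; the older entries carry no individual timestamps, only their relative order.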
- Part 4- Important Registries related to System configuration overview
9. System Boot Autostart Programs

NTUSER.DAT hive:
  NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
  NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
Software hive:
  Software\Microsoft\Windows\CurrentVersion\RunOnce
  Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  Software\Microsoft\Windows\CurrentVersion\Run
System hive:
  SYSTEM\CurrentControlSet\Services
  Each service's Start value tells when it starts:
  - 0x0 (hexadecimal) or 0 (decimal): Boot start - the service starts during the system boot process.
  - 0x1 (hexadecimal) or 1 (decimal): System start - the service starts during system initialization.
  - 0x2 (hexadecimal) or 2 (decimal): Automatic start - the service starts automatically when the system starts.
  - 0x3 (hexadecimal) or 3 (decimal): Manual start - the service must be started manually by the user or another program.
  - 0x4 (hexadecimal) or 4 (decimal): Disabled - the service is disabled and cannot be started.
Key usefulness:
  - Determine programs that will start automatically.
  - Useful to find malware on a machine that installs on boot, such as a rootkit.
  - Look at when the key was last updated; generally this would be the last boot time of the system.

10. Shutdown Information
  - Discover when the system was last shut down.
  - Discover how many times the system was successfully shut down.
System hive:
  SYSTEM\CurrentControlSet\Control\Windows (Shutdown Time)
  SYSTEM\CurrentControlSet\Control\Watchdog\Display (Shutdown Count)
CMD: reg query HKLM\SYSTEM\CurrentControlSet\Control\Windows
Notice the shutdown time is in hex; it is a Windows 64-bit timestamp. Luckily, we can use Decode Date on the desktop: paste the value, press Decode, and it tells us the date stored at that location. Akash Patel
- Part 3- Important Registries related to System configuration overview
8. Network profile key: first and last time a network was connected

Windows XP: the legacy of Wireless Zero Configuration. In the Windows XP era the Wireless Zero Configuration (WZC) service managed wireless networking, and its registry key SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID} records every wireless access point the machine associated with, preserving the SSID and the time of connection. Because an SSID belongs to a physical access point, these entries place the machine near specific locations and networks.

Windows 7-10: the Network List Profiles. From Windows Vista onward the same role is played by the Network List Profiles key:

SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

Each subkey is named by a GUID and holds the network name (ProfileName, Description) and its type in the NameType value, a hexadecimal code: 0x47 = wireless, 0x06 = wired, 0x17 = broadband (3G). Together these subkeys map out the user's connectivity history.

Decoding DateCreated and DateLastConnected. The DateCreated and DateLastConnected values are 128-bit (16-byte) SYSTEMTIME structures: eight little-endian 16-bit fields holding year, month, day of week, day, hour, minute, second and millisecond, recorded in the machine's local time. Decode them by hand or with the DCode tool to obtain the first and the most recent connection to each network.

CMD: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles"

9. Shares and offline locations

System Hive: SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\
CMD: reg query HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\

Detecting open shares: a critical investigation. The first step in examining file shares is detecting their presence on a machine. Users sometimes share an entire drive, unknowingly granting remote access to every file on it. Identifying these open shares explains how files may have arrived on a workstation and counters later arguments about unauthorized access or file manipulation.

Client-Side Caching (CSC): the silent culprit. Windows Offline Files' client-side caching lets a user mark files on a share for offline access; they are then copied to C:\Windows\CSC and remain readable without any network connection. This is a quiet exfiltration path that network-based monitoring will not see. The CSCFlags value recorded with each share shows how the folder was cached:
• CSCFlags = 0: manual caching (the default); the user must select which files to cache.
• CSCFlags = 16: automatic document caching ("All files and programs that users open from the shared folder are automatically available offline") with "Optimize for performance" unchecked.
• CSCFlags = 32: automatic program caching; the same, with "Optimize for performance" checked.
• CSCFlags = 48: caching disabled.
• CSCFlags = 2048: default Windows 7-10 setting until the user disables "Simple File Sharing" or uses the "advanced" sharing options; also the default for HomeGroup shares.

Key data fields. Each share is stored as a REG_MULTI_SZ value of Name=Value strings, with these fields:
MaxUses: maximum number of simultaneous connections to the share. The default is 4294967295 (0xFFFFFFFF, the largest 32-bit value), meaning unlimited.
Path: the local path the share exposes.
Permissions: appears to indicate how the share was created. 0 is the default for shares created via the GUI or PowerShell; on Windows 7-10 a value of 9 indicates advanced file sharing and 63 indicates creation from the command line (net share).
Type: type of device or share accessed
• 0 = Disk drive or folder
• 1 = Printer
• 2 = Device
• 3 = IPC
• 2147483648 (0x80000000) = administrative/special share flag, OR'ed with one of the above (Disk, Printer, Device or IPC)

Will continue in next blog................... Akash Patel
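As an added example (not part of the original post), the following Python triage script decodes share entries in the Name=Value form that lanmanserver\Shares stores them in, applying the CSCFlags, Permissions and Type meanings given above, and flags the two things the section tells an examiner to look for: a share that exposes a whole drive, and a share with automatic offline caching that may have populated C:\Windows\CSC. The sample share data is constructed; the field names (CSCFlags, MaxUses, Path, Permissions, Remark, ShareName, Type) are the real ones.

```python
"""Triage of lanmanserver\\Shares entries exported from a SYSTEM hive.

Each value under SYSTEM\\CurrentControlSet\\Services\\lanmanserver\\Shares is a
REG_MULTI_SZ holding one "Name=Value" string per line.  The sample below is
constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

CSC_FLAGS = {
    0: "manual caching (user picks files)",
    16: "automatic document caching",
    32: "automatic program caching (optimize for performance)",
    48: "caching disabled",
    2048: "Win7-10 simple-sharing / HomeGroup default",
}
SHARE_TYPES = {0: "disk", 1: "printer", 2: "device", 3: "IPC"}
STYPE_SPECIAL = 0x80000000      # 2147483648: administrative share flag, OR'ed with the base type
UNLIMITED_USES = 0xFFFFFFFF     # MaxUses default (4294967295)
PERMISSION_ORIGIN = {0: "GUI or PowerShell", 9: "advanced file sharing", 63: "command line (net share)"}
WHOLE_DRIVE = re.compile(r"^[A-Za-z]:\\?$")   # "C:" or "C:\" shares the whole volume


@dataclass
class Share:
    name: str
    path: str
    type_code: int
    csc_flags: int
    max_uses: int
    permissions: int

    @property
    def is_admin(self) -> bool:
        return bool(self.type_code & STYPE_SPECIAL)

    @property
    def base_type(self) -> str:
        return SHARE_TYPES.get(self.type_code & 0x7FFFFFFF, "unknown")

    @property
    def caching(self) -> str:
        return CSC_FLAGS.get(self.csc_flags, f"unknown ({self.csc_flags})")

    @property
    def created_via(self) -> str:
        return PERMISSION_ORIGIN.get(self.permissions, f"unknown ({self.permissions})")

    @property
    def exposes_whole_drive(self) -> bool:
        return self.base_type == "disk" and bool(WHOLE_DRIVE.match(self.path))


def parse_share(multi_sz: list[str]) -> Share:
    """Turn the Name=Value strings of one REG_MULTI_SZ share value into a Share."""
    kv = dict(line.split("=", 1) for line in multi_sz if "=" in line)
    return Share(
        name=kv.get("ShareName", ""),
        path=kv.get("Path", ""),
        type_code=int(kv.get("Type", "0")),
        csc_flags=int(kv.get("CSCFlags", "0")),
        max_uses=int(kv.get("MaxUses", str(UNLIMITED_USES))),
        permissions=int(kv.get("Permissions", "0")),
    )


def triage(shares: dict[str, list[str]]) -> list[str]:
    """One finding line per user-created share that deserves a closer look."""
    findings = []
    for value_name, multi_sz in shares.items():
        s = parse_share(multi_sz)
        if s.is_admin:
            continue  # administrative shares are expected; focus on user-created ones
        flags = []
        if s.exposes_whole_drive:
            flags.append("WHOLE DRIVE SHARED")
        if s.csc_flags in (16, 32):
            flags.append("automatic offline caching (check C:\\Windows\\CSC)")
        if flags:
            findings.append(f"{value_name}: path={s.path} type={s.base_type} "
                            f"created via {s.created_via}; " + "; ".join(flags))
    return findings


# Constructed sample. Administrative shares are normally created at runtime rather
# than stored under this key; C$ is included only to show the Type flag decode.
SAMPLE_SHARES = {
    "Data": ["CSCFlags=0", "MaxUses=4294967295", "Path=C:\\Data", "Permissions=0",
             "Remark=", "ShareName=Data", "Type=0"],
    "Everything": ["CSCFlags=16", "MaxUses=4294967295", "Path=C:\\", "Permissions=63",
                   "Remark=", "ShareName=Everything", "Type=0"],
    "C$": ["CSCFlags=0", "MaxUses=4294967295", "Path=C:\\", "Permissions=0",
           "Remark=Default share", "ShareName=C$", "Type=2147483648"],
}

if __name__ == "__main__":
    for line in triage(SAMPLE_SHARES):
        print(line)
```

To run this against a real system, export the key (reg save HKLM\SYSTEM system.hiv, or reg query with /s) and feed each share's REG_MULTI_SZ lines to parse_share.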
- Part 2- Important Registries related to System configuration overview
5. NTFS last access time on/off

The misconception: a common misconception about last access timestamps is that they record only the last time a user opened or viewed a file. In fact the timestamp is updated by any access to the file, so a file can have its last access time modified simply by being "touched" by the system (antivirus scans, indexing, backups) without a user ever opening it.

Variables impacting last access timestamps: the operating system's own settings are the biggest factor. Starting with Windows Vista, Microsoft disabled last access updates on NTFS by default (NtfsDisableLastAccessUpdate = 1) to improve performance; Windows 10 version 1803 and later re-enabled them as a "system managed" default on smaller volumes, so always check the value on the system under examination rather than assuming. The setting affects NTFS only; exFAT and FAT volumes continue to update access timestamps normally.

Granularity and enabling last access timestamps: even when enabled, NTFS writes a new last access time to disk only if it differs from the stored one by more than one hour, so the value is accurate to roughly one hour at best. Users can enable updates for applications that rely on them, at a performance cost.

Importance in forensic analysis: despite these limitations, last access timestamps can help establish when the system touched a file, adding to the picture of user activity and evidence trails, provided the examiner first confirms whether updates were enabled at the time.

System Hive: SYSTEM\CurrentControlSet\Control\FileSystem
Cmd: reg query HKLM\System\CurrentControlSet\Control\FileSystem

6. Network interfaces

This key holds the TCP/IP configuration of every network interface: IP addresses, subnet masks, gateways and DHCP details. For DHCP-configured interfaces it records the assigned IP address, the subnet mask, the DHCP server's IP address and the lease times.

Significance in forensic investigations: network interface information is central to cases involving network-based evidence. It shows how a system was connected to a network, whether wired, wireless, 3G or Bluetooth. The interface GUID is also the identifier that correlates this key with the network profile data stored elsewhere in the registry, deepening the investigation.

Exploring historical IP information: on Windows 7 through Windows 10, multiple subkeys under each interface hold historical IP information from earlier DHCP assignments. These records are not exhaustive, but they add valuable context. The last connected IP for each interface is stored on the parent GUID key itself.

System Hive: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Cmd: reg query HKLM\System\ControlSet001\Services\Tcpip\Parameters\Interfaces

Usefulness
• Lists the network interfaces of the machine
• Shows whether the machine has a static IP address or is configured by DHCP
• Ties the machine to network activity that was logged elsewhere
• Provides the interface GUID for additional profiling of network connections

7. Historical network: network list keys

Understanding NLA functionality: Network Location Awareness (NLA) aggregates network information for each interface a PC connects to and generates a globally unique identifier (GUID) for each network it recognises. These identifiers, known as network profiles, let Windows apply the firewall profile appropriate to the network's characteristics, for instance different rules for public, home or managed (domain) networks.

Forensic significance of NLA: from a forensic standpoint, NLA records are a wealth of information. They list the networks a machine has connected to, identified by their DNS suffixes, which is instrumental in identifying intranets and external networks and gives crucial context to the analysis.

Geo-location insights: one of the most compelling aspects of NLA for investigators is its potential to provide location information. By examining the networks a device has connected to and the associated timestamps, investigators can infer where the device has been used. This can be pivotal in reconstructing timelines, establishing alibis or corroborating witness statements.

Registry details: NLA-related information is stored in the Windows Registry under these locations:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
Historical data, including connection times, can be found under the Cache key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache

Utilizing ProfileGuid: one challenge in NLA analysis is determining the first and last time a network was connected to. Each Signatures subkey carries a ProfileGuid value; that GUID names the matching subkey under NetworkList\Profiles, where the connection times are stored. Write down the profile GUID from the signature and look it up there.

Usefulness
• Identifying the intranets and networks a computer has connected to is incredibly important
• First and last time a network connection was made
• Also lists networks that were reached via a VPN
• The gateway MAC address (DefaultGatewayMac under Signatures) can be looked up to physically locate the network

Will continue in the next post................ Akash Patel
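The three correlations described in items 6, 7 and 8 above (Tcpip interface values, NLA Signatures joined to Profiles through ProfileGuid, and the 128-bit SYSTEMTIME timestamps) are shown below in an added Python example that is not part of the original post. It decodes DateCreated/DateLastConnected without an external tool, renders DefaultGatewayMac for a lookup, and reports whether an interface was static or DHCP together with its lease window. The registry value names are the real ones; the GUIDs, hashes, MAC addresses, IP addresses and times are constructed.

```python
"""Correlate NetworkList\\Profiles, NetworkList\\Signatures\\Unmanaged and
Tcpip\\Parameters\\Interfaces values exported from the SOFTWARE and SYSTEM hives.

All sample registry data below is constructed for this example.
"""
from __future__ import annotations

import struct
from datetime import datetime, timezone

NAME_TYPES = {0x06: "wired", 0x17: "broadband (3G)", 0x47: "wireless"}


def decode_systemtime(raw: bytes) -> datetime:
    """Decode the 16-byte (128-bit) SYSTEMTIME of DateCreated / DateLastConnected.

    Eight little-endian uint16 fields: year, month, day-of-week, day, hour,
    minute, second, millisecond.  Windows records these in the machine's local
    time, so the result is returned naive (no tzinfo).
    """
    if len(raw) != 16:
        raise ValueError(f"SYSTEMTIME must be 16 bytes, got {len(raw)}")
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    return datetime(year, month, day, hour, minute, second, ms * 1000)


def mac_from_bytes(raw: bytes) -> str:
    """DefaultGatewayMac is a 6-byte REG_BINARY; render it for a BSSID/geolocation lookup."""
    return ":".join(f"{b:02x}" for b in raw[:6])


def epoch_to_utc(seconds: int) -> datetime:
    """LeaseObtainedTime / LeaseTerminatesTime are Unix-epoch REG_DWORDs."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def build_network_history(profiles: dict, signatures: dict) -> list[dict]:
    """Join each Signatures\\Unmanaged row to its Profiles\\{GUID} row via ProfileGuid,
    ordered by last connection, oldest first."""
    rows = []
    for sig in signatures.values():
        prof = profiles.get(sig["ProfileGuid"])
        if prof is None:
            continue  # signature whose profile was deleted: nothing to date it with
        rows.append({
            "profile_guid": sig["ProfileGuid"],
            "name": prof["ProfileName"],
            "type": NAME_TYPES.get(prof["NameType"], f"unknown (0x{prof['NameType']:02x})"),
            "dns_suffix": sig.get("DnsSuffix", ""),
            "gateway_mac": mac_from_bytes(sig["DefaultGatewayMac"]),
            "first_connected": decode_systemtime(prof["DateCreated"]),
            "last_connected": decode_systemtime(prof["DateLastConnected"]),
        })
    rows.sort(key=lambda r: r["last_connected"])
    return rows


def describe_interface(iface: dict) -> str:
    """Summarise one Tcpip\\Parameters\\Interfaces\\{GUID} subkey: static or DHCP, with lease window."""
    if iface.get("EnableDHCP") == 1:
        obtained = epoch_to_utc(iface["LeaseObtainedTime"])
        expires = epoch_to_utc(iface["LeaseTerminatesTime"])
        return (f"DHCP {iface['DhcpIPAddress']}/{iface['DhcpSubnetMask']} from {iface['DhcpServer']}, "
                f"lease {obtained:%Y-%m-%d %H:%M:%S}Z to {expires:%Y-%m-%d %H:%M:%S}Z")
    # Static configuration: IPAddress / SubnetMask are REG_MULTI_SZ lists.
    return f"static {iface['IPAddress'][0]}/{iface['SubnetMask'][0]}"


# ---- constructed sample data (GUIDs, hashes, MACs, addresses are made up) ----
WIFI_GUID = "{11111111-2222-3333-4444-555555555555}"
WIRED_GUID = "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"
SAMPLE_PROFILES = {
    WIFI_GUID: {
        "ProfileName": "CoffeeShop-WiFi", "NameType": 0x47,
        "DateCreated": struct.pack("<8H", 2023, 5, 3, 17, 9, 30, 0, 0),           # Wed 2023-05-17 09:30:00
        "DateLastConnected": struct.pack("<8H", 2023, 11, 4, 2, 18, 45, 12, 500),  # Thu 2023-11-02 18:45:12.500
    },
    WIRED_GUID: {
        "ProfileName": "corp.example", "NameType": 0x06,
        "DateCreated": struct.pack("<8H", 2022, 1, 1, 10, 8, 0, 0, 0),             # Mon 2022-01-10 08:00:00
        "DateLastConnected": struct.pack("<8H", 2024, 2, 4, 29, 12, 0, 0, 0),      # Thu 2024-02-29 12:00:00
    },
}
# Real Signatures\Unmanaged subkeys are named by a hex hash; placeholders here.
SAMPLE_SIGNATURES = {
    "HASH_A": {"ProfileGuid": WIFI_GUID, "DnsSuffix": "<none>", "DefaultGatewayMac": bytes.fromhex("001122aabbcc")},
    "HASH_B": {"ProfileGuid": WIRED_GUID, "DnsSuffix": "corp.example", "DefaultGatewayMac": bytes.fromhex("00aabbccdd01")},
}
SAMPLE_IFACES = {
    "{dhcp}": {"EnableDHCP": 1, "DhcpIPAddress": "192.168.1.23", "DhcpSubnetMask": "255.255.255.0",
               "DhcpServer": "192.168.1.1", "LeaseObtainedTime": 1700000000, "LeaseTerminatesTime": 1700086400},
    "{static}": {"EnableDHCP": 0, "IPAddress": ["10.0.0.5"], "SubnetMask": ["255.255.255.0"]},
}

if __name__ == "__main__":
    for r in build_network_history(SAMPLE_PROFILES, SAMPLE_SIGNATURES):
        print(f"{r['last_connected']}  {r['type']:9} {r['name']:16} gw={r['gateway_mac']} dns={r['dns_suffix']}")
    for guid, iface in SAMPLE_IFACES.items():
        print(guid, describe_interface(iface))
```

Note that the SYSTEMTIME values come back as local time while the DHCP lease times are UTC; convert one or the other with the machine's time zone (SYSTEM\CurrentControlSet\Control\TimeZoneInformation) before putting them on a single timeline.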
- Forensic Collection of Execution Evidence through AppCompatCache(Shimcache)/Amcache.hiv
Introduction: in the ever-evolving landscape of digital forensics, understanding the artifacts left behind by operating systems is crucial. One such artifact that plays a pivotal role in forensic investigations is Microsoft's Application Compatibility Cache, commonly known as AppCompatCache or ShimCache.

Understanding AppCompatCache (ShimCache): the Application Compatibility subsystem detects and remediates compatibility problems when a program is launched, letting a program see the behaviour of an older Windows version. It does this with "shims", and the cache that tracks which executables have been checked for shimming is known as the ShimCache.

Structure and default shims: hundreds of shims exist on a standard Windows installation, stored in the registry, and are used to decide whether a program needs compatibility adjustments. What makes AppCompatCache so interesting forensically is that information about each executable that is checked is added to the cache irrespective of whether the program needed to be shimmed.

Forensic insights from AppCompatCache (ShimCache): analysts can use the cache to track applications present on a system. Each entry holds the file name and full path, the executable's last modification time (the file's own modified timestamp, not the time it ran), the file size (Windows XP only) and, on Windows XP only, a last-update time. The data lives in the registry and the number of entries varies across Windows versions.

Registry paths for AppCompatCache (ShimCache): the cache is in the SYSTEM hive, at different paths for different Windows versions.
Windows 7-10, Server 2003/2008/2012/2016: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
Entries: 512 (Server 2003) or 1,024 (Windows 7-10, Server 2008/2012/2016)
Windows XP: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache
Entries: limited to 96

************ Analyzing AppCompatCache output: the most recent entries are listed at the top. The cache is maintained in memory and is written back to the registry only at shutdown (or, on Windows 10, at reboot), so a live read of the hive lags the real state and entries from the current boot session are not yet on disk; acquire memory or force a clean shutdown when those matter. ******************

Forensic applications: AppCompatCache is especially valuable when attackers cover their tracks by deleting their tools and the corresponding prefetch files. The cache entries remain as evidence that the executable existed at that path, even after the prefetch files are gone. Renaming or modifying an executable produces an additional entry, because the path and modification time identify the entry, which helps track file manipulation.

Evolution of AppCompatCache (ShimCache) from Windows Vista onward: Windows Vista, 7 and 8 record an insertion flag ("InsertFlag") that indicates whether the application was actually executed; researchers found that an entry without the flag means the file was seen (for example listed by Explorer) but not run. Windows 10 dropped the flag, so a Windows 10 ShimCache entry proves only that the executable existed at that path, not that it executed. Since the operating system can record executables before any execution, interpret entries carefully and corroborate them with Prefetch or Amcache.

Multiple AppCompatCache databases: the SYSTEM hive can hold several control sets, each with its own AppCompatCache value. Reviewing all of them can recover additional historical entries.

***** Key differences between Amcache.hve and ShimCache *****
Information depth: Amcache.hve (the separate hive file at C:\Windows\AppCompat\Programs\Amcache.hve, introduced with Windows 8 and present on Windows 7 systems that received the compatibility telemetry updates) records far more per file: full path, file size, publisher and version information, and a SHA-1 hash that can be checked against threat intelligence. ShimCache is concerned only with compatibility and records little beyond path and modification time.
Storage: ShimCache is a value inside the SYSTEM hive; Amcache is its own hive file on disk.
History: ShimCache has been present since Windows XP, while Amcache arrived in later versions.
Purpose: Amcache is designed as a comprehensive inventory of programs seen on the system; ShimCache exists to support the compatibility settings invoked at program launch.
*****
Akash Patel
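As an added example that is not part of the original post, the following Python parser walks a Windows 10 AppCompatCache value blob and applies the interpretation caveats above: entries are ordered most recent first, the timestamp is the executable's modification time rather than an execution time, and no execution flag exists on Windows 10. The entry layout assumed here (a header whose first DWORD is its size, 0x30 or 0x34; then "10ts"-tagged entries of unknown DWORD, entry size, UTF-16LE path, FILETIME, data) follows the publicly documented Windows 10 format; the blob is constructed in the script, and the flagged-directory list is a hypothetical triage heuristic.

```python
"""Parse a Windows 10 AppCompatCache (ShimCache) REG_BINARY blob.

Value: SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCompatCache\\AppCompatCache
Assumed Windows 10 layout (publicly documented format):
    header: uint32 header_size (0x30, or 0x34 from the Creators Update), padding
    entry : "10ts" | 4 bytes unknown | uint32 entry_size | uint16 path_len |
            path (UTF-16LE) | uint64 last-modified FILETIME | uint32 data_size | data
The blob below is constructed for this example.
"""
from __future__ import annotations

import struct
from datetime import datetime, timedelta, timezone

MAGIC = b"10ts"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Hypothetical triage heuristic: executables living in user-writable locations.
USER_WRITABLE = ("\\users\\public\\", "\\temp\\", "\\appdata\\local\\temp\\", "\\programdata\\")


def filetime_to_dt(ft: int) -> datetime:
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_win10_shimcache(blob: bytes) -> list[dict]:
    """Return entries in cache order (index 0 = most recently inserted)."""
    header_size = struct.unpack_from("<I", blob, 0)[0]
    if header_size not in (0x30, 0x34):
        raise ValueError(f"unexpected Windows 10 header size 0x{header_size:x}")
    entries, off, n = [], header_size, len(blob)
    while off + 12 <= n and blob[off:off + 4] == MAGIC:
        entry_size = struct.unpack_from("<I", blob, off + 8)[0]
        body = blob[off + 12: off + 12 + entry_size]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        ft, data_size = struct.unpack_from("<QI", body, 2 + path_len)
        entries.append({
            "position": len(entries),
            "path": path,
            # Modification time of the file itself; Windows 10 keeps no execution time or flag.
            "last_modified": filetime_to_dt(ft),
            "data_size": data_size,
        })
        off += 12 + entry_size
    return entries


def flag_user_writable(entries: list[dict]) -> list[str]:
    """Paths worth a second look: binaries that were present in user-writable directories."""
    return [e["path"] for e in entries if any(m in e["path"].lower() for m in USER_WRITABLE)]


def _build_entry(path: str, ft: int, data: bytes = b"") -> bytes:
    """Serialise one entry in the layout above (used only to construct the sample blob)."""
    p = path.encode("utf-16-le")
    body = struct.pack("<H", len(p)) + p + struct.pack("<QI", ft, len(data)) + data
    return MAGIC + b"\x00" * 4 + struct.pack("<I", len(body)) + body


# 2019-01-01T00:00:00Z as FILETIME: (11644473600 + 1546300800) seconds * 10**7
FT_2019_01_01 = 131907744000000000
ONE_DAY_TICKS = 86400 * 10**7
SAMPLE_BLOB = (
    struct.pack("<I", 0x34) + b"\x00" * 0x30                                   # 0x34-byte header
    + _build_entry(r"C:\Users\Public\updater.exe", FT_2019_01_01 + ONE_DAY_TICKS)  # newest entry first
    + _build_entry(r"C:\Windows\System32\cmd.exe", FT_2019_01_01)
)

if __name__ == "__main__":
    parsed = parse_win10_shimcache(SAMPLE_BLOB)
    for e in parsed:
        print(f"{e['position']:4} {e['last_modified']:%Y-%m-%d %H:%M:%S}  {e['path']}")
    print("review:", flag_user_writable(parsed))
```

On a real system export the hive with reg save HKLM\SYSTEM system.hiv and read the AppCompatCache value with an offline hive library; remember that entries from the current boot session are not in the hive until shutdown or reboot.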