Search Results
327 items found for ""
- Part 1- Important Registries related to System configuration overview
1. Identify the Windows version
An investigator who receives a disk image usually has no indication of which Windows version it contains. The OS version is critical to finding and using the correct artifacts during analysis: directory paths, the types of artifacts present, and even the default programs change with the version and service pack of Windows.
Software hive: SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Through cmd: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"

2. Identify the current control set
A control set in the Windows Registry holds the system configuration needed to control boot, including driver and service information. Typically there are two: ControlSet001 and ControlSet002. ControlSet001 represents the configuration used in the last successful boot, while ControlSet002 serves as a backup that can be used to recover from boot issues.
System hive: SYSTEM\Select
Command: reg query "HKLM\System\Select"
The Select key contains a REG_DWORD value named "Current" that holds the number of the ControlSet currently in use, so examining it tells you which ControlSet is the "current" one. For example, if Current is 0x01 (1), then ControlSet001 is the key mapped to CurrentControlSet and is the one to examine in depth. The "LastKnownGood" value in the Select key indicates which ControlSet is the snapshot of the last successful boot; if LastKnownGood is 0x01 (1), ControlSet001 holds that snapshot.

3. Computer name
The computer name is useful mainly for logging and verification, but it should not be overlooked.
SYSTEM hive: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Cmd: reg query "HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName"

4. Time zone information
• Registry timestamps and time zones: Most registry timestamps and last write times are recorded in Coordinated Universal Time (UTC), but the overall system time, including file system timestamps on FAT file systems, may be stored in the local time zone set in the control panel applet.
• Changing the time zone: Users can easily change the time zone on their machine. Doing so updates the last write time of the registry key that stores the time zone information.
• Recommendation to use UTC: To keep forensic analysis consistent and accurate, set the analysis machine's local time to UTC. This avoids unintentional bias introduced by forensic tools and reduces the risk of misinterpreting time-related data.
• Formulas for time conversion:
  UTC = Local Time + ActiveTimeBias
  Local Time = UTC - ActiveTimeBias
  Standard Time = Bias + StandardBias
  Daylight Time = Bias + DaylightBias
Time activity is extremely useful for correlating activity:
• Internal log files and their date/timestamps are based on the system time zone information.
• Other network devices may be involved, and their records must be correlated with the time zone information collected here.
System hive: SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Cmd: reg query HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Continued in the next blog post.
Akash Patel
- Understanding, Collecting, Parsing, Analyzing the $MFT
Introduction
NTFS (New Technology File System) includes filesystem journaling, which plays a vital role in maintaining the integrity of the filesystem. The journal keeps a transactional record of all changes made to a volume, so that after a system crash or power failure the filesystem can roll back or complete the pending changes and resume operation cleanly.

Master File Table ($MFT)
The MFT is a database that stores information about every file and directory on an NTFS volume. It is essentially a metadata repository, containing a record for each file with its attributes and metadata.

Key points:
• File system metadata: The MFT stores metadata about files and directories, including their names, locations, security descriptors, timestamps, and other attributes.
• File allocation: NTFS reserves a portion of the disk for the MFT when the volume is formatted. As files and directories are created, they are assigned entries within the MFT.
• Indexed structure: The MFT is organized as a table of fixed-size entries, each representing a file or directory. Each entry holds the attributes that describe the corresponding file or directory.
• Unique identifier: Each file and directory entry is assigned a unique MFT record number (also referred to as the inode number).
• Special files: Certain system files and metadata, including the MFT itself, are stored within the MFT and are represented by MFT entries like any other file on the system.

Functions:
• File management: The MFT serves as the central database for managing files and directories, supporting their creation, deletion, modification, and access control.
• Data retrieval: When the file system needs to access a file or directory, it consults the MFT to locate the metadata and attributes associated with the requested entity.
• Forensic analysis: During investigations, analysts examine the MFT to reconstruct file system activity, track file modifications, recover deleted files, and gather evidence of file usage and access.

Collection: investigation with KAPE
We use KAPE to acquire the NTFS Master File Table ($MFT) and the journals, then MFTECmd to parse the MFT. The KAPE triage compound target collects the $MFT, $J and link file targets, and KAPE's output structure keeps raw files and parsed output separate, which makes this workflow an efficient way to gather artifacts for analysis. KAPE can be run from its GUI or from the command line; either works.
The tool we will dig into is MFTECmd.exe, which parses the $MFT artifact.
After collection, unzip the KAPE output: it contains a .vhdx file. Double-clicking it makes Windows mount a new drive under the next available drive letter, F:\ in this case.

Parsing
Command to parse the $MFT with MFTECmd:
MFTECmd.exe -f F:\C\$MFT --csv C:\Users\User\Downloads --csvf mft.csv
• -f F:\C\$MFT: the $MFT on the mounted collection drive (once collection is done, double-click the VHDX and it is mounted like a normal drive)
• --csv C:\Users\User\Downloads: the folder where the output is written
• --csvf mft.csv: the output file name

Analyzing
Analysis of the $MFT output:
Column headers: The output has an extensive list of column headers. They carry the essential information about each MFT entry, including file names, sizes and, crucially, timestamps.
Understanding timestamps: Each timestamp column corresponds to a specific file operation: creation (B), modification (M), and access (A). The column names carry a hex attribute identifier: 0x10 denotes the $STANDARD_INFORMATION timestamps, which are accessible through the Windows API, while 0x30 denotes the $FILE_NAME timestamps, which are accessible only to the Windows kernel.
Detecting time stomping: By comparing the two sets of timestamps, $SI and $FN, time stomping can be identified. To learn more, go through the earlier blog on time stomping.
Blog headline: Anti-Forensics: Timestomping
Blog link: https://www.cyberengage.org/post/anti-forensics-timestomping
Interpreting blank timestamps: You may notice blank timestamps in the columns ending in 0x30. A blank means that the $FILE_NAME timestamp is identical to the corresponding $STANDARD_INFORMATION timestamp. This design choice reduces noise in the data and directs attention to the entries where the timestamps diverge, which helps identify suspicious activity.
Akash Patel
- Understanding Important Registries
1. MRU lists (Most Recently Used lists)
Hive: NTUSER.DAT of the particular user (with Registry Explorer, in my case C:\Users\User\NTUSER.DAT). Look for LastVisitedMRU as well as RecentDocs.
Each MRU list maintains the order of the most recent additions to a registry key, which gives valuable insight into user activity: it tells the investigator the sequence in which the data in a specific key was populated. The last write time of the key is the time the first (most recent) entry in the MRU list was added. For example, the last write time for the Microsoft Office .docx entry might correspond to the time a .docx file was last opened. The subsequent values in the MRU list give the order of recent activity, sorted from most recent to oldest.

2. Run key
Online (via regedit): HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Offline (via Registry Explorer): NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run

3. Deleted registry keys and values
The leftovers of privacy cleaners can easily be viewed in Registry Explorer: the deleted keys are listed and each of their subkeys is still visible. In every case, the original data could be recovered.

4. Collecting user information: SAM profiling of users and groups
(i) Username
(ii) RID
(iii) User login information: last login, last failed login, login count, password policy, account creation time
(iv) Group information: Administrators, Users, Remote Desktop Users
When examining the SAM hive in Registry Explorer we can easily locate the Relative Identifier (RID) of a user account (shown as "User ID" in my case) along with other pertinent details. For example, the Guest account has RID 501, which lets us track its activity on the system. Registry Explorer also shows important timestamps, including the last login time and the time of the last password change.
Akash Patel
- Understanding Registry Hive transaction logs
The Windows operating system caches registry writes in two places: in memory, and on disk in the transaction log files. The transaction logs are named after the hive, for example ntuser.dat.LOG1 and ntuser.dat.LOG2, and sit in the same folder as the hive file.
Starting with Windows 8, Microsoft changed how Windows permanently writes to the hive files. The transaction log files cache writes to the registry before they are committed to the hive. A significant change in Windows 8.1 and above means that the most recent activity, up to the past hour, may exist only in the transaction log file and be missing from the registry hive file unless the transaction logs are parsed when the hive is opened. From Windows 8 onward, data is written to the transaction log files, which are continually appended; it is not committed to the core hive file immediately but only when the system is idle, at shutdown, or when an hour has passed since the last write to the primary hive file. This results in far fewer disk writes over time and has apparently improved operating system performance by reducing the continual writes to the registry hives. In practice it means that the most recent registry changes are likely to be in the transaction log files and not in the hive files you are examining. Most registry forensic tools do not perform this check or alert you to the issue, which is especially relevant when you are trying to track recent user or process interactions inside the Windows operating system. Many forensic tools do not take the data stored in the transaction log files into account at all.
Akash Patel
- Artifacts for Physical Location : Timezone || Browser Search Terms || Network History || Cookies
1. Timezone
The system time zone plays a crucial role in forensic investigations because it determines how the timing of activities on a Windows system is interpreted. The time zone information is stored in the SYSTEM hive of the Windows Registry.
Location: SYSTEM hive, SYSTEM\CurrentControlSet\Control\TimeZoneInformation
You can use cmd as well:
Reg Query HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
From the command prompt (to save the artifact, take it home and use Registry Explorer for further analysis):
Reg Save HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation C:\Users\User\Downloads\output.hiv
Output interpretation:
• Time activity is extremely useful for correlating activity.
• Internal log files and their date/timestamps are based on the system time zone information.
• Other network devices may be involved, and their records must be correlated with the time zone information collected here.
-------------------------------------------------------------------------------------------------------------
2. Browser search terms
I have already covered the collection of browser artifacts in detail.
Blog headline: Artifact for File download (visit the link below to learn about collection)
Blog link: https://www.cyberengage.org/post/artifacts-for-file-download-part-2-firefox-internet-explorer-chrome
-------------------------------------------------------------------------------------------------------------
3. Network history
The Windows Registry holds valuable information about the networks a computer has connected to. This data is critical for forensic investigations because it gives insight into the computer's network activity, including wired and wireless connections, domain or intranet names, SSID details, and even gateway MAC addresses.
Location: the network history is stored in the SOFTWARE hive of the Windows Registry. The relevant registry keys are:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
You can use the command prompt as well:
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache"
Save the artifact manually from the command prompt (each key to its own file):
Reg Save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures" C:\Users\User\Downloads\output.hiv
Reg Save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache" C:\Users\User\Downloads\output1.hiv
Registry Explorer can be used to investigate the saved hives.
Output interpretation:
• Identifying the intranets and networks a computer has connected to is extremely important.
• Not only can you tell the intranet name, you can also tell the last time the network was connected to from the last write time of the key.
• This will also list any networks that have been connected to via a VPN.
• The MAC address of the gateway for an SSID could be used to physically triangulate the location.
-------------------------------------------------------------------------------------------------------------
4. Cookies
I have already covered the collection of browser artifacts in detail; cookies can be collected along with the other browser artifacts.
Blog headline: Artifact for File download (visit the link below to learn about collection)
Blog link: https://www.cyberengage.org/post/artifacts-for-file-download-part-2-firefox-internet-explorer-chrome
------------------------------------------------------------------------------------------------------------
- Artifacts for USB or Drive Usage Part 2: Drive Letter and Volume Name || Volume Serial Number || Shortcut (LNK) Files || P&P Event Log
1. Drive letter and volume name
USB devices play a significant role in forensic investigations; knowing the drive letter and volume name associated with a USB device gives valuable insight into user activity and data access.
Location (XP), commands:
• Find the ParentIdPrefix: reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
• Use the ParentIdPrefix to discover the last mount point: reg query HKLM\SYSTEM\MountedDevices
Location (Win7-10), commands:
reg query "HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices"
reg query HKLM\SYSTEM\MountedDevices
You can save this artifact with reg save by giving the registry path and a destination file.
Interpretation:
• Identify the USB device that was last mapped to a specific drive letter.
-------------------------------------------------------------------------------------------------------------
2. Volume serial number
USB devices are commonly used for data storage and transfer, which makes them important artifacts in forensic investigations. The volume serial number of the filesystem partition on a USB device gives valuable information about its usage and history.
Location: registry key (non-SSD system drive): HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt (this key is present only if the system drive is not an SSD)
Query through CMD: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt"
Interpretation:
1. Identify the registry key: Locate the EMDMgmt key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ to access information about the filesystem partition.
2. Volume serial number: Use the volume name and the USB unique serial number to find the volume serial number. It is typically the last integer in the line of information retrieved from the registry key.
3. Convert the decimal serial number to hex: Once the volume serial number is identified in decimal form, convert it to hexadecimal for further analysis if needed.
-------------------------------------------------------------------------------------------------------------
3. Shortcut (LNK) files
Get deep details about this artifact from my previous blogs.
Blog 1: Unveiling the Significance of LNK Files in Digital Forensics
https://www.cyberengage.org/post/unveiling-the-significance-of-lnk-files-in-digital-forensics
Blog 2: LNK files analysis, tool: LECmd.exe
https://www.cyberengage.org/post/lnk-files-analysis-tool-lecmd-exe
-------------------------------------------------------------------------------------------------------------
4. P&P event log
The Plug and Play (P&P) event log is a crucial source of information for forensic investigators, giving insight into driver installations and device connections on a Windows system.
Location: System log file (Windows 7-10): %systemroot%\System32\winevt\logs\System.evtx
Event ID 20001: Plug and Play driver install attempted
Interpretation:
• Event identification: The P&P event log records an event whenever a Plug and Play driver installation is attempted on the system. Each event type has its own identifier; Event ID 20001 specifically indicates a Plug and Play driver install attempt.
• Timestamp: The event timestamp tells you when the driver installation attempt occurred, which is crucial for establishing timelines and sequences of events.
• Device information: The event entry typically includes details about the device involved in the installation attempt, such as device type, manufacturer, model, and hardware identifiers.
• Device serial number: For USB and other Plug and Play devices, the entry may contain the serial number or unique identifier of the device, which helps identify the specific device connected to the system.
• Status: The status code in the event indicates the outcome of the driver installation attempt. A status of "0" typically means the installation succeeded without errors; any other status indicates errors or issues during installation.
-------------------------------------------------------------------------------------------------------------
- Artifacts for Deleted File and file knowledge Part 1: ACMRU || Last Visited MRU || Vista/Win7-10 Thumbnails || Recycle Bin.
1. ACMRU
Description: On Windows XP machines, the Search Assistant lets users search for filenames, computers, or words within files. It retains the user's search terms for future reference, which constitutes the "search history" of the system.
Location: the search history is stored in the Windows Registry within the NTUSER.DAT hive:
NTUSER.DAT\Software\Microsoft\SearchAssistant\ACMru\####
Interpretation: the "ACMru" key contains subkeys identified by numeric values ("####"), each representing a specific type of search history:
• Search the Internet: #### = 5001
• Search for all or part of a document name: #### = 5603
• Search for a word or phrase within a file: #### = 5604
• Search for printers, computers, and people: #### = 5647
-------------------------------------------------------------------------------------------------------------
2. Last Visited MRU
Already covered in a previous blog. Reminder, manual extraction (NTUSER.DAT) from the command prompt:
Reg Save HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU C:\Users\User\Downloads\output.hiv
-------------------------------------------------------------------------------------------------------------
3. Vista/Win7-10 thumbnails
The thumbs.db file used by earlier versions of Windows is not present in Vista/Win7-10. Instead, thumbnail data is stored in a single directory per user, inside the application data directory under their home directory.
Location: C:\Users\<username>\AppData\Local\Microsoft\Windows\Explorer\
Manual extraction of the files (so they can be analyzed later):
copy "C:\Users\User\AppData\Local\Microsoft\Windows\Explorer\*" "C:\Users\User\Downloads\Shell"
Interpretation: These files are generated when a user switches a folder to thumbnail view or views pictures in a slideshow. Thumbnails in Vista/Win7-10 are stored in separate database files. Vista/Win7-10 supports four thumbnail sizes:
• 32 (small)
• 96 (medium)
• 256 (large)
• 1024 (extra large)
The thumbcache database files store thumbnail copies of pictures by size, with each size having its own file in the cache folder.
Tool used for analysis: https://thumbcacheviewer.github.io/
-------------------------------------------------------------------------------------------------------------
4. Recycle Bin artifact
Get deep details about this artifact from my previous blogs.
Blog 1: Recycle Bin forensic
https://www.cyberengage.org/post/recycle-bin-forensic
Blog 2: Recycle Bin $I analysis, tool: I_Parse_v1.1
https://www.cyberengage.org/post/recycle-bin-i-analyses-tool-i_parse_v1-1
-------------------------------------------------------------------------------------------------------------
- Artifacts for Program execution Part 1: Last Visited MRU || Application Compatibility Cache || Prefetch
1. Last Visited MRU
Description: The Last Visited MRU (Most Recently Used) artifact tracks the specific executable files used by an application to open the files documented in the OpenSaveMRU key. In addition, each value records the directory location of the last file accessed by that application.
Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Commands:
Registry query, using CMD on a live system:
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
(HKLM can also be used.) The same key can be browsed offline in Registry Explorer.
Registry save, to save the key using CMD on a live system:
reg save HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU C:\Users\User\Downloads\output.hiv
Analysis tools: RegRipper and Registry Explorer are effective for analyzing this artifact; both can determine whether the hive is dirty and give insight into the registry data. Alternatively, RECmd or KAPE can be used.
-------------------------------------------------------------------------------------------------------------
2. Application Compatibility Cache
Get deep details about this artifact from my previous blogs.
Blog 1: Forensic Collection of Execution Evidence through AppCompatCache (Shimcache) / Amcache.hve
https://www.cyberengage.org/post/forensic-collection-of-execution-evidence-through-appcompatcache-shimcache--amcache-hiv
Blog 2: Shimcache/Amcache analysis, tools: AppCompatCacheParser.exe / AmcacheParser.exe
https://www.cyberengage.org/post/shimcache-amcache-analysis-tool-appcompactcacheparser-exe-amcacheparser-exe
Blog 3: Amcache.hve analysis, tool: Registry Explorer
https://www.cyberengage.org/post/amcache-hiv-analysis-tool-registry-explorer
-------------------------------------------------------------------------------------------------------------
3. Prefetch
Get deep details about this artifact from my previous blogs.
Blog 1: Forensic Collection of Execution Evidence through Prefetch Analysis
https://www.cyberengage.org/post/forensic-collection-of-execution-evidence-through-prefetch-analysis
Blog 2: Prefetch analysis, tool: PECmd.exe
https://www.cyberengage.org/post/prefetch-analysis-tool-pecmd-exe
------------------------------------------------------------------------------------------------------
- Artifacts for Program execution Part 2: Jump Lists || RunMRU Start || UserAssist
1. Jump Lists
Get deep details about this artifact from my previous blogs.
Blog 1: Unveiling the Significance of Jump List Files in Digital Forensics
https://www.cyberengage.org/post/unveiling-the-significance-of-jump-list-files-in-digital-forensics
Blog 2: Jump List analysis, tool: JLECmd.exe
https://www.cyberengage.org/post/jump-list-analysis-tool-jlecmd-exe
-----------------------------------------------------------------------------------------------------------
2. RunMRU (Start -> Run)
RunMRU is a registry key that records the commands executed through the Start -> Run dialog in Windows. It is located within the NTUSER.DAT hive at:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\
Query through cmd:
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Manual extraction of the key through cmd, to take home and analyze:
Reg Save HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU C:\Users\User\Downloads\output1.hiv
By analyzing the RunMRU key, forensic investigators gain insight into the actions users performed on the system, including the commands they ran via the Run dialog.
-------------------------------------------------------------------------------------------------------------
3. UserAssist
UserAssist is a crucial Windows artifact for tracking GUI-based programs launched from the desktop. It is located within the NTUSER.DAT hive under:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\
One notable aspect of UserAssist is that all value names are ROT-13 encoded, which obscures the recorded program names; they must be decoded before analysis. Understanding UserAssist also involves knowing which GUIDs correspond to which functionality.
GUID for XP:
• 75048700 Active Desktop
GUIDs for Win7-10:
• CEBFF5CD Executable file execution
• F4E57C4B Shortcut file execution
Program locations for Win7-10 UserAssist:
• ProgramFilesX64 6D809377-...
• ProgramFilesX86 7C5A40EF-...
• System 1AC14E77-...
• SystemX86 D65231B0-...
• Desktop B4BFCC3A-...
• Documents FDD39AD0-...
• Downloads 374DE290-...
• UserProfiles 0762D272-...
-------------------------------------------------------------------------------------------------------
- Artifacts for File Opening/Creation Part 2: Last Visited MRU || Office Recent Files || LNK Files || Prefetch || JumpLists.
1. Last Visited MRU
Tracks the specific executable used by an application to open the files documented in the OpenSaveMRU key. In addition, each value tracks the directory location of the last file accessed by that application.
Example: Notepad.exe was last run using the C:\Users\Rob\Desktop folder.
Location in the registry: To get a glimpse of this trove of information, one need only venture into the registry. The LastVisitedPidlMRU key resides under ComDlg32.
Command: reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
Offline, you will find this artifact in C:\Users\User\NTUSER.DAT.
From the command prompt, manual extraction of the particular key (to save it into a hive file for further analysis in Registry Explorer):
Reg Save HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU C:\Users\User\Downloads\output.hiv
Crafting a seamless forensic workflow, consider the following:
• KAPE automation: Leverage KAPE for efficient, automated artifact collection.
• Manual extraction: For a more hands-on approach, manual extraction via registry exploration is a viable option.
• Forensic image considerations: Ensure that the NTUSER.DAT hive is part of your forensic image to unlock the full array of artifacts. If you are using FTK Imager, you can export every user's NTUSER.DAT hive from the image.
-------------------------------------------------------------------------------------------------------------
2. Office Recent Files
MS Office programs track their own Recent Files list to make it easier for users to return to the last file they were editing.
Location: NTUSER.DAT\Software\Microsoft\Office\VERSION
• 14.0 = Office 2010
• 12.0 = Office 2007
• 11.0 = Office 2003
• 10.0 = Office XP
Query through CMD:
reg query HKCU\Software\Microsoft\Office
Manually save the artifact (later use Registry Explorer to analyze it):
Reg Save HKCU\Software\Microsoft\Office C:\Users\User\Downloads\output.hiv
Or capture the whole NTUSER.DAT hive while creating an image.
Interpretation: Similar to Recent Files, this tracks the last files opened by each MS Office application. The last entry added, per the MRU, gives the time the last file was opened by a specific MS Office application.
-------------------------------------------------------------------------------------------------------------
3. LNK files
Get deep details about this artifact from my previous blogs.
Blog 1: Unveiling the Significance of LNK Files in Digital Forensics
https://www.cyberengage.org/post/unveiling-the-significance-of-lnk-files-in-digital-forensics
Blog 2: LNK files analysis, tool: LECmd.exe
https://www.cyberengage.org/post/lnk-files-analysis-tool-lecmd-exe
------------------------------------------------------------------------------------------------------------
4. Prefetch
Get deep details about this artifact from my previous blogs.
Blog 1: Forensic Collection of Execution Evidence through Prefetch Analysis
https://www.cyberengage.org/post/forensic-collection-of-execution-evidence-through-prefetch-analysis
Blog 2: Prefetch analysis, tool: PECmd.exe
https://www.cyberengage.org/post/prefetch-analysis-tool-pecmd-exe
------------------------------------------------------------------------------------------------------------
5. JumpLists
Get deep details about this artifact from my previous blogs.
Blog 1: Unveiling the Significance of Jump List Files in Digital Forensics
https://www.cyberengage.org/post/unveiling-the-significance-of-jump-list-files-in-digital-forensics
Blog 2: Jump List analysis, tool: JLECmd.exe
https://www.cyberengage.org/post/jump-list-analysis-tool-jlecmd-exe
------------------------------------------------------------------------------------------------------------
- Artifacts for File Opening/Creation Part 1: Open/Save MRU || Recent Files || Shell Bags
1. Open/Save MRU
Artifacts: It acts as a repository for a history of files accessed or saved by users, offering a panoramic view of their digital footprint.
Location in the Registry
To get a glimpse into this trove of information, one need only venture into the registry. The Open/Save MRU key resides at:
Command: reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
You will find this artifact in C:\Users\User\NTUSER.DAT
Collect All 3 Artifacts
From the command prompt (manual extraction of a particular registry key):
reg save HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU C:\Users\User\Downloads\output.hiv
(This saves the key into a hive file for further analysis in Registry Explorer.)
Crafting a Seamless Forensic Workflow
To craft a seamless forensic workflow, consider the following steps:
KAPE Automation: Leverage the power of KAPE for efficient and automated artifact collection.
Manual Extraction: For those who prefer a more hands-on approach, manual extraction via registry exploration is a viable option.
Forensic Image Considerations: Ensure that the registry hive NTUSER.DAT is part of your forensic image to unlock a comprehensive array of artifacts.
If you are using FTK Imager, simply do this to collect the whole NTUSER.DAT hive.
--------------------------------------------------------------------------------------------------------
2. Recent Files
The registry key that tracks the last files and folders opened, populating the "Recent" menus of the Start menu, is a crucial component for understanding user activity and accessing recent documents and folders efficiently.
Located within the NTUSER.DAT hive, specifically under:
Through Registry: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Through Cmd (query): reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\
Through Cmd (manual extraction): reg save HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\ C:\Users\User\Downloads\output.hiv
The RecentDocs key reveals several important subkeys:
Overall: This key tracks the overall order of the last 150 files or folders opened. The Most Recently Used (MRU) list within this key maintains the temporal order in which each file or folder was opened. The last entry and modification time of this key correspond to the time and location of the last file opened.
Specific Extension: This subkey stores the last files with a particular extension that were opened. Similar to the Overall key, the MRU list within this subkey tracks the temporal order of file openings. The last entry and modification time of this key signify the time and location of the last file with the specified extension that was opened.
Folder: This subkey records the last folders that were opened. Similar to the Specific Extension subkey, the MRU list within this key maintains the temporal order of folder openings. The last entry and modification time of this key indicate the time and location of the last folder opened.
------------------------------------------------------------------------------------------------------------
3. Shell Bags
Get deep details about this artifact from my previous blogs.
Blog 1: Understanding Shell Bags in Windows Forensics
https://www.cyberengage.org/post/understanding-shell-bags-in-windows-forensics
Blog 2: Shell Bags Analysis: Tool --> SBECmd.exe or ShellBagsExplorer (GUI version; very important artifact)
https://www.cyberengage.org/post/shell-bags-analysis-tool-sbecmd-exe-or-shellbagsexplorer-gui-version-very-important-artifact
-----------------------------------------------------------------------------------------------------------
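The RecentDocs section above describes the MRU ordering in prose; the following Python is an added example (not code from the cyberengage.org posts or from Registry Explorer) that decodes a RecentDocs key the way an analyst would when reviewing an exported hive: the MRUListEx value is an array of 4-byte little-endian value indexes, most recent first, terminated by 0xFFFFFFFF, and each numbered value starts with the file or folder name as UTF-16LE text ending in a double NUL, followed by a binary shell item. The sample values are constructed inline, and the filler bytes standing in for the shell item are an assumption, not a real shell item. The `read_live_recentdocs` helper is an assumption about how one would pull the same data from a live Windows session via the standard `winreg` module; the offline decoding does not depend on it.

```python
import struct
import sys

# Constructed sample values (not taken from a real system), laid out the way the
# RecentDocs key stores them: each numbered value holds the file or folder name
# as UTF-16LE text terminated by a double NUL, followed by a binary shell item
# that is not needed for ordering. MRUListEx is an array of 4-byte little-endian
# value indexes, most recently opened first, terminated by 0xFFFFFFFF.
MRU_TERMINATOR = 0xFFFFFFFF


def build_recentdocs_value(name: str) -> bytes:
    """Build a constructed RecentDocs value: UTF-16LE name, NUL NUL, filler shell item."""
    filler_shell_item = b"\x14\x00" + b"\x32" * 18  # constructed filler, not a real shell item
    return name.encode("utf-16-le") + b"\x00\x00" + filler_shell_item


SAMPLE_RECENTDOCS = {
    "0": build_recentdocs_value("report.docx"),
    "1": build_recentdocs_value("budget.xlsx"),
    "2": build_recentdocs_value("notes.txt"),
    # Index 2 (notes.txt) was opened last, then 0, then 1.
    "MRUListEx": struct.pack("<4I", 2, 0, 1, MRU_TERMINATOR),
}


def parse_mrulistex(data: bytes) -> list[int]:
    """Return the value indexes from an MRUListEx blob, most recent first."""
    if len(data) % 4 != 0:
        raise ValueError("MRUListEx length is not a multiple of 4")
    order = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == MRU_TERMINATOR:
            break
        order.append(idx)
    return order


def parse_recentdocs_name(data: bytes) -> str:
    """Extract the UTF-16LE name that precedes the shell item in a RecentDocs value."""
    # Walk on 2-byte boundaries so a NUL byte inside a code unit is not mistaken
    # for the terminator.
    for i in range(0, len(data) - 1, 2):
        if data[i:i + 2] == b"\x00\x00":
            return data[:i].decode("utf-16-le")
    raise ValueError("no UTF-16 terminator found in RecentDocs value")


def recentdocs_in_mru_order(values: dict[str, bytes]) -> list[str]:
    """Order the entries of a RecentDocs key (or one of its extension/Folder subkeys)
    by MRUListEx. A dangling index is reported rather than silently skipped, since
    that mismatch is itself worth noting during analysis."""
    names = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        raw = values.get(str(idx))
        if raw is None:
            names.append(f"<missing value {idx}>")
            continue
        names.append(parse_recentdocs_name(raw))
    return names


def read_live_recentdocs(subkey: str = "") -> dict[str, bytes]:
    """Assumed helper: on Windows, read the current user's RecentDocs key (or a
    subkey such as '.docx' or 'Folder') into the same dict shape as SAMPLE_RECENTDOCS."""
    if sys.platform != "win32":
        raise RuntimeError("live registry access requires Windows")
    import winreg  # standard library, Windows only
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
    if subkey:
        path += "\\" + subkey
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        i = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = bytes(data) if isinstance(data, (bytes, bytearray)) else data
            i += 1
    return values


if __name__ == "__main__":
    for position, name in enumerate(recentdocs_in_mru_order(SAMPLE_RECENTDOCS), 1):
        print(f"{position}. {name}")
```

Run as a script it prints notes.txt, report.docx, budget.xlsx in that order: the MRUListEx order, not the numeric value names, is what tells you which file was opened most recently. The same decoding applies unchanged to the per-extension subkeys and to the Folder subkey.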
- Understanding Registry:
Windows Registry Overview: The Windows registry is a crucial database storing system, software, hardware, and user configuration data.
Root Keys: It comprises four main root keys:
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER (HKCU)
HKEY_LOCAL_MACHINE (HKLM)
HKEY_USERS
Offline Access: Registry files are typically located in %WINDIR%\system32\config, with hives like DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM.
Hives and Contents: Each hive contains specific information:
SYSTEM Hive: HKLM hardware and service configurations. It will also list the majority of the raw device names for volumes and drives on the system, including USB keys.
SOFTWARE Hive: Application settings and configurations.
NTUSER.DAT Hive: User-specific configuration and environment settings, which include a slew of identifiable data pertaining to user activity.
SAM Hive: Local user accounts and groups.
SECURITY Hive: Security information like password policies and group membership.
AMCACHE.HVE: Introduced in Windows 8, it tracks application compatibility and execution evidence, aiding in running older executables.
Backup hives: The RegIdleBackup task runs every 10 days on Vista, Win7, Win8, Win10, Server 2008, Server 2012, and Server 2016. It copies the SAM, DEFAULT, SYSTEM, SOFTWARE, and SECURITY hives to the %WinDir%\System32\Config\RegBack directory. This backup might contain residue that was cleared from the current hives. The task does not back up the local NTUSER.dat hives of users.
Note: Windows automatically creates backup copies of its registry hives periodically and stores them in the %SystemRoot%\System32\config\RegBack directory. However, this folder might be empty or not contain the most recent backups depending on system settings.
User Registry Hives
The Windows registry holds a wealth of user-specific information, offering insights into various aspects of user activity on the system. It serves as a repository for recent actions performed by users, including accessed files, searched items, typed URLs, executed commands, and saved documents.
NTUSER.dat hive: One of the primary components of the registry, it contains keys specific to each user profile. Located under HKEY_CURRENT_USER, the NTUSER.dat hive offers a comprehensive view of user-centric actions within the system.
UsrClass.dat hive: This hive, typically located at C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat, holds crucial information related to program execution and folder manipulation. It plays a vital role as the virtualized registry root for User Account Control (UAC), facilitating seamless user interactions with the system. Despite its virtualized nature, UsrClass.dat offers valuable clues about user activities, helping forensic analysts reconstruct user behavior patterns.
Tip: One notable aspect of UsrClass.dat is its association with ShellBags, a registry key that tracks the opening and closing of files and folders by programs. By examining ShellBags entries, investigators can uncover evidence of file and folder interactions, shedding light on user activities and application usage patterns.
With Registry Explorer (by Eric Zimmerman) things become easy to analyze.
Registry key last write time using Registry Explorer
1. The registry tracks the last write time for every key on the system.
2. This timestamp, stored within the registry itself, indicates the last update of any key value and is typically displayed in Coordinated Universal Time (UTC).
3. The last write time is crucial for forensic investigations as it provides the timing of specific activities or events within the registry.
4. By correlating the last write time with other system data, such as user login times or file copy events, investigators can build a comprehensive timeline of user actions.
5. It's important to note that the last write time is updated whenever a value is added or updated within a key, and different keys may be updated at different points depending on the program's behavior.
6. Ensuring a clear understanding of whether timestamps are recorded in UTC or the local time zone is essential for accurate interpretation of forensic data. Failure to account for time zone discrepancies could lead to misinterpretation of critical evidence, potentially compromising the integrity of the investigation.
Will Continue in next blog.............................
Akash Patel
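Registry key last write times and the timestamps stored inside values such as the Office File MRU items above are both Windows FILETIMEs (100-nanosecond ticks since 1601-01-01 UTC), so points 2 and 6 above come down to converting that integer correctly and keeping the UTC/local distinction explicit. The Python below is an added example, not code from the cyberengage.org posts or from Registry Explorer; it converts FILETIME to a timezone-aware UTC datetime, renders it in the examined machine's zone only when an explicit offset is supplied, and applies that to an Office File MRU item string. The item layout assumed here, `[F<8 hex>][T<16 hex FILETIME>]` with an optional `[O<8 hex>]` block before `*<path>`, is the Office 2007/2010-onwards format as I know it, and the sample value is constructed, not captured from a real hive.

```python
import re
from datetime import datetime, timedelta, timezone

# A FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# FILETIME value of the Unix epoch (1970-01-01 UTC): 11644473600 s * 10^7 ticks.
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME to a timezone-aware UTC datetime (sub-microsecond ticks dropped)."""
    if not 0 <= ft < 1 << 64:
        raise ValueError("FILETIME out of range")
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; refuses naive datetimes so the UTC/local question is never implicit."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: attach tzinfo to state whether it is UTC or local")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def to_local(dt_utc: datetime, utc_offset_minutes: int) -> datetime:
    """Render a UTC timestamp in the examined machine's time zone, given its UTC offset in minutes."""
    return dt_utc.astimezone(timezone(timedelta(minutes=utc_offset_minutes)))


# Assumed Office File MRU item layout: [Fxxxxxxxx][Txxxxxxxxxxxxxxxx]*<path>, with an
# extra [Oxxxxxxxx] block in Office 2010 and later. The T block is the FILETIME of
# the last open, written as 16 hex digits.
OFFICE_MRU_RE = re.compile(
    r"^\[F([0-9A-Fa-f]{8})\]\[T([0-9A-Fa-f]{16})\](?:\[O([0-9A-Fa-f]{8})\])?\*(.+)$"
)


def parse_office_mru_item(value: str) -> dict:
    """Split an Office File MRU 'Item N' string into its path and last-opened time (UTC)."""
    m = OFFICE_MRU_RE.match(value)
    if m is None:
        raise ValueError(f"not an Office MRU item: {value!r}")
    flags_hex, filetime_hex, _optional_o, path = m.groups()
    return {
        "path": path,
        "flags": int(flags_hex, 16),
        "last_opened_utc": filetime_to_datetime(int(filetime_hex, 16)),
    }


# Constructed sample (not from a real hive): an Item value whose T block encodes
# 2023-06-15 12:00:00 UTC.
SAMPLE_OPEN_TIME_UTC = datetime(2023, 6, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_OFFICE_MRU = (
    f"[F00000000][T{datetime_to_filetime(SAMPLE_OPEN_TIME_UTC):016X}][O00000000]"
    r"*C:\Users\User\Documents\report.docx"
)


if __name__ == "__main__":
    item = parse_office_mru_item(SAMPLE_OFFICE_MRU)
    print(item["path"])
    print("UTC:  ", item["last_opened_utc"].isoformat())
    # A machine set to UTC+05:30 shows the same instant as 17:30 local.
    print("Local:", to_local(item["last_opened_utc"], 330).isoformat())
```

Keeping every timestamp timezone-aware until the moment it is displayed is the practical answer to point 6: a naive datetime carries no record of which zone it came from, and `datetime_to_filetime` deliberately rejects one rather than guessing. The same `filetime_to_datetime` applies to the key last write times a hive parser exposes, which is why one conversion routine serves both the Office MRU and the last write time discussion.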