Search Results

LNK files, commonly known as shortcuts, play a crucial role in digital forensics by serving as metadata resources utilized by the Windows shell. These files contain valuable information that can provide insights into user activities and file access history. Understanding the significance of LNK files and how to extract and analyze their metadata is essential for forensic investigators seeking to uncover valuable evidence. What is Lnk file? The  ".lnk" file is a shortcut file used in Microsoft Windows operating systems. It stands for "Link." When you create a shortcut to a file, folder, program, or website, Windows creates an .lnk file that points to the target item. This allows users to access the target item quickly without having to navigate through the file system. "During a forensic examination of a hard drive, LNK files can determine what programs and files a user were accessing on their computer." Location and Command: To access LNK files, forensic investigators can navigate to the following locations: Windows Recent Folder:  cd C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\ Office Recent Folder:  cd C:\Users\User\AppData\Roaming\Microsoft\Office\Recent\ Copy Artifacts: (Manually copying artifact and taking home to analyze)(from live system) use copy command in cmd (for copying) Information Contained in LNK Files: LNK files contain a wealth of metadata, including: Original path of the target file Timestamps for the target file and LNK file (modification, access, creation) Size of the target file Attributes associated with the target file (read-only, hidden, system) System name, volume name, volume serial number, and sometimes MAC address of the system on which the LNK file is present Information indicative of whether the target resource is local or located on a remote computer Forensic Analysis and Artifact Extraction: Forensic analysis of LNK files can be conducted using specialized tools such as Kape, which facilitates artifact collection and parsing in real-time. Alternatively, manual extraction and preservation of artifacts enable thorough examination in a controlled laboratory environment. In conclusion, understanding the significance of LNK files and their role in digital forensics is crucial for uncovering valuable evidence and gaining insights into user behavior and activities.

Commands: Locate Recycle Bin in cmd View hidden files: Use the command DIR /ah to display hidden files, including those in the recycle bin. Get user account information: Use wmic useraccount get name,sid to retrieve information about all user accounts and their corresponding SID (Security Identifier) IDs. Navigate to a specific SID: Move to a particular SID value using the command cd SID, where SID represents the Security Identifier of the user whose recycle bin is being analyzed. Once you are in SID directory. Copy the artifact using below command copy "C:\$Recycle.Bin\\*" C:\Users\User\Downloads\recycle" Do same for All SID users recycle bin. Take it Home for further analyses. Tool: https://df-stream.com/recycle-bin-i-parser/ Tool is very simple to use mention directory where you collected artifact and destination and click parse. Conclusion: Understanding the structure and contents of the recycle bin, along with effective parsing techniques, enables forensic analysts to reconstruct file deletion events, recover deleted files, and gain insights into user activities and behavior on the Windows system.

The recycle bin plays a significant role in forensic investigations on Windows filesystems, offering valuable insights into deleted files and user activities. Understanding the recycle bin's functionality and how to extract information from it is crucial for forensic analysts. Location: Windows XP: C:\RECYCLER Windows Vista, 7, 8, 10: C:\$Recycle.bin Interpretation: When a file is deleted from a Windows recycle bin-aware program, it is typically moved to the recycle bin first. The recycle bin stores deleted files temporarily before they are permanently removed. Within the recycle bin, two types of files are commonly found: $I files: These files contain metadata about the deleted files, including their original path, file name, size, and deletion timestamp. $R files: These files contain the actual content of the deleted files, allowing for potential recovery. Commands: Locate to C:\$Recycle.bin View hidden files: Use the command DIR /ah to display hidden files, including those in the recycle bin. Get user account information: Use wmic useraccount get name,sid to retrieve information about all user accounts and their corresponding SID (Security Identifier) IDs. Navigate to a specific SID: Move to a particular SID value using the command cd SID, where SID represents the Security Identifier of the user whose recycle bin is being analyzed. Explore recycle bin contents: Within the SID directory, examine the $R and $I files to access recovery data and metadata about deleted files. 5. Parsing $I files: Utilize parsing tools like $I Parse to extract and interpret metadata from $I files, revealing details about deleted files. As $R is recoverable files so no need for parsing but $I files need parsing tool use for that is $I Parse Conclusion: Understanding the structure and contents of the recycle bin, along with effective parsing techniques, enables forensic analysts to reconstruct file deletion events, recover deleted files, and gain insights into user activities and behavior on the Windows system. This knowledge is invaluable for conducting thorough forensic investigations and uncovering crucial evidence.

Understanding how to extract and analyze shell bag data is essential for investigators seeking to uncover evidence and reconstruct user activities. To capture shell bag data, we can utilize specialized tools like SBECmd.exe, which allows us to process the live registry and export the data in CSV format for further analysis. Here's how to use SBECmd.exe: Command Format: C:\Users\User\Downloads\SBECmd> SBECmd.exe -l --csv .\ -l: Process live registry data. --csv: Export the data in CSV format. .\: Store the output in the current working directory (in our example, C:\Users\User\Downloads\SBECmd). Tool Location: Example Usage: -d : Directory where extracted shell bag hives are stored SBECmd.exe is the executable file of the tool. Ensure that you specify the correct path to the tool location when executing the command as well as you can manual capture the hive of shell bag in particular location and later use SBECmd tool to parse the shell bags Location: Manual extraction of particular hives from live system For : USRCLASS.DAT Example: Saving into folder: reg save "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell" "C:\Users\User\Downloads\Shell\shell.hiv" For : NTUSER.DAT complete Capture of NTUSER.DAT from root folder or user or Create image. Win7-10 : NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU Win7-10 : NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags ShellBag Explorer GUI Version Once you collected raw artifact using manual extraction like above example or using kape. Use ShellBag Explorer GUI to understand in easer way. In summary, SBECmd.exe or GUI Version provides a convenient and effective means of capturing and analyzing shell bag data, enabling forensic investigators to gather evidence and reconstruct user actions with precision and accuracy. Akash Patel

What are Shell Bags? Shell Bags are data structures within the Windows registry that track user window viewing preferences in Windows Explorer. These structures store information about which folders were most recently browsed by the user, including details such as folder view settings and the last time a folder was visited or updated. Location of Shell Bag Artifacts Shell Bag artifacts are typically found in the following registry locations: For Windows 7-10: USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags For XP NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\Bags NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU Location of Both .Dat Files: 1. NTUSER.DAT File Location: The NTUSER.DAT file is typically located within each user's profile folder on the system. For example, if the username is "User," the NTUSER.DAT file for that user will be found in: C:\Users\User It's important to note that the NTUSER.DAT file is hidden by default, so you may need to enable "Show hidden files and folders" in Windows Explorer to view it. 2. USRCLASS.DAT File Location: The USRCLASS.DAT file is also a part of the user's registry hive and contains information related to user-specific COM (Component Object Model) classes. Unlike the NTUSER.DAT file, the USRCLASS.DAT file is typically not found directly in the user's profile folder. Instead, it is located within the "AppData" directory under the user's profile folder: C:\Users\User\AppData\Local\Microsoft\Windows Within this directory, you may find the USRCLASS.DAT file alongside other system and application data specific to the user. Importance of NTUSER.DAT and USRCLASS.DAT: NTUSER.DAT contains the user's registry settings, preferences, and configurations, making it a vital component for forensic analysis to understand user behavior and system usage. USRCLASS.DAT complements NTUSER.DAT by providing information about user-specific COM classes, which may be relevant for understanding the user's interactions with various software components and applications. Understanding Shell Bags artifact and why to collect? The Windows registry stores valuable information about folder view settings and user interactions with folders, including the last time a folder was visited or updated. This data is stored in shell bags, which are created by Windows Explorer when a folder is viewed or when view settings are adjusted. Shell bags also track visits to zip files, providing insights into user activities and prior knowledge of specific data. Understanding shell bags is crucial for forensic analysis because Even after data is deleted or securely removed, shell bag information persists, allowing investigators to reconstruct directory listings and access patterns. This persistence extends to removable devices like external hard drives and USB flash drives. For example, if a folder named "secret" containing a subfolder "pictures" was securely removed, shell bag information would still indicate its existence. This evidence undermines claims of user ignorance about the existence of certain data, especially when combined with other artifacts from the system, such as linked files. Understanding of Shell/BagMRU and Shell/Bag: Within the "BagMRU" subkey, there are three values: "MRUList", "NodeSlot", and "NodeSlots". "MRUList" is a four-byte value indicating the order in which each folder within the structure was last accessed. For example, if folder 3 was most recently accessed, it would be listed first, followed by the remaining folders in order of access. "NodeSlot" points to the "Bags" key, which stores the actual data related to folder customization. "NodeSlots" are present in the root "BagMRU" key and are updated upon the creation of new shell bags. Shell\Bag : - Stores actual folder customization data(WINDOW SIZE, WINDOW LAYOUT) Parsing Shell Bag Artifacts Manual parsing of Shell Bag artifacts can be complex and time-consuming. However, specialized tools like Eric Zimmerman's ShellBag Explorer GUI version or SBECmd.exe cmd version simplify the extraction and analysis process. These tools generate structured output, making it easier for forensic analysts to interpret the data and identify relevant information. Conclusion Understanding Shell Bags and their significance in Windows forensics is essential for extracting valuable insights from digital evidence. By analyzing Shell Bag artifacts, forensic investigators can reconstruct user activities, track folder access, and uncover critical evidence relevant to their investigations. Akash Patel

By leveraging its capabilities, investigators can efficiently extract valuable insights from Jump List files, shedding light on recent file accesses and application usage patterns. Single File Analysis: When analyzing a single Jump List file, the following command syntax can be used: Format:- JLECmd.exe -f [Path to Jump List File] -q --csv .\ Example:- JLECmd.exe -f C:\Users\User\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f065ac336abcaa3e.automaticDestinations-ms -q --csv .\ -f: Specifies the path to the Jump List file for analysis. -q: Optional parameter to display only the filename being processed, speeding up exporting to JSON or CSV format. --csv: Instructs the tool to store the output in CSV format. .\: Specifies the directory to store the parsed data (store data in directory which you are working in) (you can change directory as you like) Full Directory Parsing: To analyze an entire directory containing Jump List files, the command syntax can be modified as follows: Format:- JLECmd.exe -d [Path to Directory] -q --csv .\ Example:- JLECmd.exe -d C:\Users\User\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations -q --csv .\ -d: Indicates that a directory containing multiple Jump List files will be parsed. Note on GUI Version: Additionally, it's worth mentioning that JLECmd also offers a GUI version(JumpListExplorer.exe), providing users with an intuitive interface for performing Jump List analysis tasks. The left-side navigation neatly categorizes the different streams associated with link file data, allowing users to easily access target timestamps, file sizes, paths, and additional details for each file. The tool efficiently parses this information, offering valuable insights such as host names, MAC addresses, and other pertinent data. While the same analysis could be conducted using Microsoft Excel with TSV files generated from command line tools, the graphical user interface of the tool streamlines the process, making data interpretation and analysis more intuitive Akash Patel

Description: Jump Lists represent a dynamic feature engineered to empower users by granting them swift access to frequently or recently used items. This functionality extends beyond mere media files, encompassing recent tasks as well. Whether it's opening a favorite document or resuming a recent project, Jump Lists facilitate seamless navigation and productivity. Location: Jump List: Automatic Destinations: C:\Users\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations Custom Destinations: C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations Command Line: Manually Access Jump List Directories: cd C:\Users\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations cd C:\Users\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations Copy Artifacts: (Manually copying artifact and taking home to analyze)(from live system) copy "C:\Users\User\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\*" "C:\Users\User\Downloads\artifact" Unlocking Insights: Jump Lists harbor a treasure trove of user activities, aiding forensic investigations and digital forensics endeavors. By meticulously analyzing Jump List artifacts, investigators can reconstruct user interactions, discern frequently accessed resources, and unveil recent tasks. Moreover, Jump Lists provide a snapshot of user behavior, shedding light on preferences, work patterns, and potential security breaches. Forensic Approach: Forensic analysis of Jump Lists can be extracted using specialized tools like Kape, facilitating artifact collection and parsing in real-time or through image creation for later analysis. Alternatively, manual extraction and preservation of artifacts enable thorough examination in a controlled laboratory environment. Jump List artifacts, investigators can uncover a plethora of information, including: MRU and MFU Lists: Jump Lists reveal the Most Recently Used (MRU) and Most Frequently Used (MFU) lists, shedding light on the files and applications accessed by users or applications. File Attributes: Details such as file names, file paths, and MAC (Modified, Accessed, Created) timestamps provide crucial context for understanding file interactions. Volume Information: Jump Lists also capture the volume name from which the file was accessed, offering insights into storage device usage. Web Browsing History: The history of uploaded and downloaded files through web browsers is recorded in Jump Lists, providing a comprehensive view of online activities. Automatic vs. Custom Destinations: Automatic Destinations: Automatic destinations encompass features common across all applications, facilitated by the Windows API. These Jump Lists are essential for understanding universal user activities and application interactions. (This artifact is must) Custom Destinations: Custom destinations offer application-specific features, varying based on how developers implement them. These Jump Lists are created when users pin items to the taskbar or start menu, providing insights into individual application usage patterns. Jump List Artifacts: Automatic destination files with names like de48a32edcbe79e4.automaticDestinations-ms, where the unique identifier represents the application associated with the Jump List. The destlist stream within these files acts as the MRU list, containing embedded LNK files that can be extracted and parsed. de48a32edcbe79e4.automaticDestinations-ms de48a32edcbe79e4. (This part is App ID) this ID is for application you can check the id in below link or online. That which app it belongs to https://github.com/EricZimmerman/JumpList/blob/master/JumpList/Resources/AppIDs.txt While custom destination files like .customdestination-ms lack the OLECF format of automatic destination files, they still provide valuable insights into user activities. Sequentially appended link files within these files can be carved out and analyzed, offering additional context to forensic investigations. Conclusion: Jump Lists serve as indispensable components in the forensic toolkit, enabling investigators to traverse user activities, delineate digital footprints, and extract crucial insights. Leveraging Jump List artifacts, forensic professionals can navigate the intricate landscape of user interactions, bolstering investigations and uncovering pivotal evidence. Akash Patel

Introduction DensityScout, a robust tool crafted by Christian Wojner at CERT Austria, stands at the forefront of digital forensics and cybersecurity. Specializing in the detection of common obfuscation techniques such as runtime packing and encryption, DensityScout has become an invaluable asset for security professionals seeking to identify and neutralize potential threats. Decoding Density: A Measure of Randomness At the heart of DensityScout lies the concept of "density," which serves as a measure of randomness or entropy within a file. In straightforward terms, files exhibiting encryption, compression, or packing tend to possess a higher degree of inherent randomness, setting them apart from their normal counterparts. Legitimate executables in Windows, known for their lack of packing or encryption, rarely display random character sequences, leading to higher entropy. Understanding the DensityScout Command The command-line operation of DensityScout provides users with a powerful and customizable approach to file analysis. A typical command, such as Command :- densityscout.exe-pe -r -p 0.1 -o results.txt c:\Windows\System32 exemplifies the tool's capabilities. -pe Option: Instructs DensityScout to select files using the well-known signature of portable executables ("MZ"), transcending conventional file selection by extension. This is instrumental in identifying executable files that may have been strategically renamed to evade detection. -r Flag: Directs the tool to perform a recursive scan of all files and sub-folders from the specified starting point, ensuring a comprehensive examination. -p 0.1 Option: Allows users to set a density threshold for real-time display during the scan. Files with a density below the provided threshold (0.1 in this example) are promptly revealed on the screen. This option caters to users who prefer immediate insights rather than waiting for the entire scan to conclude. -o results.txt Option: Specifies the output file where DensityScout records the density values for each evaluated file. This file becomes a valuable resource for analyzing and further investigating findings. Interpreting Density Values Understanding the significance of density values is crucial in leveraging DensityScout effectively. A density value less than 0.1 often indicates a packed file, signifying a higher degree of randomness. Conversely, normal files, especially those typical of Windows executables, tend to have a density greater than 0.9. Real-world Application and Use Cases DensityScout has proven its mettle in real-world scenarios, providing security professionals with actionable insights into potentially malicious files. The tool's ability to promptly reveal files with suspicious densities ensures a proactive approach to threat detection. Next Steps As you delve into the world of digital forensics and cybersecurity, consider incorporating DensityScout into your toolkit. Explore the tool's capabilities, experiment with different parameters, and enhance your ability to identify and neutralize suspicious files. Final Thoughts In the pursuit of securing digital environments, tools that decode the intricacies of file structures become indispensable. DensityScout's focus on "density" adds a pragmatic layer to file analysis, contributing significantly to the collective efforts of cybersecurity professionals worldwide. Tool Link:- https://cert.at/en/downloads/software/software-densityscout Akash Patel

Introduction: KAPE, crafted by Eric Zimmerman, stands as a powerful, free, and versatile triage collection and post-processing tool designed to streamline forensic data gathering. It operates seamlessly with crowd-sourced "target" files, enabling the identification and collection of specific artifacts. Let's delve into the intricacies of this exceptional tool. Key Features: 1 . Meta-Files for Artifacts: KAPE utilizes "target" files grouped into meta-files, such as the "!SANS Triage.tkape," covering artifacts from SANS FOR498, FOR500, and FOR508 classes. Currently Windows-exclusive, KAPE can be executed from a thumb drive or remotely downloaded/pushed to a system. Results can be directed to an attached drive, file share, SFTP server, or cloud platforms like Amazon AWS or Microsoft Azure. SANS instructors have ingeniously employed PowerShell remoting for endpoints to download and run KAPE in batch mode, sending data to an SFTP server in the cloud. Capabilities: 1 . Artifact Collection: KAPE's capabilities extend to collecting virtually any forensic artifact needed, offering a rapid and reliable process. Portable with no installation requirements, KAPE boasts detailed audit logging for meticulous tracking. The tool is flexible and customizable, overcoming wildcard and recursion challenges in other tools. It enables easy standardization of collected data across teams. KAPE excels in collecting locked system files, alternate data streams, and even supports extraction from Windows Volume Shadow Copies. The tool is exceptionally fast, incorporating inline de-duplication to reduce collection sizes effectively. KAPE supports post-processing of collected data through module capabilities, enhancing its overall utility. Example Command Line: kape.exe --tsource F --target !SANS_Triage --tdest C:\temp\Output Explanation: --tsource: Specifies the drive or directory to search (e.g., F). --target: Identifies the target configuration or meta-file to run. --tdest: Specifies the directory to store copied files. Additional Options: vss: Enables the search on all available Volume Shadow Copies on --tsource. vhdx and vhd: Creates a VHDX virtual hard drive from the contents of --tdest. debug: Enables debug messages when set to true. Conclusion: KAPE emerges as an indispensable tool in the forensic arsenal, offering a user-friendly yet powerful approach to artifact collection and post-processing. Its efficiency, coupled with extensive customization options, positions it as a go-to solution for forensic practitioners worldwide. Akash Patel

In the realm of digital forensics, the quest for uncovering valuable artifacts extends beyond live system analysis. While it's commonly known that RAM is a volatile entity, leaving little room for post-shutdown exploration, there are hidden copies of RAM waiting to be discovered. One such treasure trove is the often-overlooked Windows hibernation file, "hiberfil.sys." Understanding Hibernation Files Hibernation files are automatically generated by Windows systems, especially laptops, during transitions into hibernation or power-saving modes. The file, named "hiberfil.sys," resides in the root directory of the system drive (usually "C:"). What makes this file special is that it encapsulates a complete copy of the system's RAM at the moment of hibernation. Unveiling the Power of Hibernation Files 1. hiberfil.sys - A Memory Goldmine: By copying the "hiberfil.sys" file, investigators gain access to a pre-existing memory image, offering a snapshot of the system's state when it entered hibernation. Even if the system is currently up and running, analysts now have the opportunity to analyze two distinct memory images: the live dump and the one derived from the hibernation file. 2. Crash Dump Files and Page Files: Crash dump files, particularly "memory.dmp" in the %WINDIR% folder, provide complete copies of RAM when a full crash dump occurs. Windows "pagefile.sys" and "swapfile.sys" files contain parts of memory that were paged out to disk, offering additional insights. 3. Challenges and Future Considerations: Windows 2016 introduces stringent requirements for drivers, impacting current memory acquisition tools. The adaptation of tools to meet these requirements remains uncertain. Analyzing Hibernation Files To analyze "hiberfil.sys," the process involves decompressing the file, understanding its structure, and extracting relevant information. Various tools facilitate this analysis: - powercfg.exe: This Windows tool manages the compression of hibernation files. Analysts can enable, disable, or modify the compression settings using powercfg.exe. - Forensic Tools: Tools like Volatility, Comae, BulkExtractor, Magnet Forensics Internet Evidence Finder, Belkasoft Evidence Center, and Passware offer capabilities to decompress hibernation files on-the-fly and perform string searching and data carving. - New Arsenal Recon Tool - Hibernation Recon: A recent addition to the arsenal, Hibernation Recon, not only decompresses hibernation files but also extracts leftover slack space for further analysis. After running tool we will get bunch of output files Types of output provided by Arsenal Recon. Output example: Conclusion As we navigate the intricate landscape of digital forensics, hibernation files emerge as a valuable resource for analysts. Beyond the confines of live system analysis, these files provide a glimpse into the past, allowing investigators to reconstruct events and understand system states. Akash Patel

Introduction: In the ever-evolving landscape of cybersecurity, the ability to efficiently analyze Windows event logs is paramount. Eric Zimmerman's EvtxECmd emerges as a game-changer, offering not just a command-line parser but a comprehensive tool for transforming, filtering, and extracting critical information from Windows event logs. Understanding the Challenge: Windows event logs, with their custom formats for each event type, present a significant challenge for analysts trying to normalize and filter logs at scale. EvtxECmd tackles this challenge head-on by leveraging crowd-sourced event map files. These files, tailored for each event log and type, utilize Xpath filters to extract crucial information, simplifying the filtering and grouping of data. Key Features and Functionality: ---Customized Event Map Files: EvtxECmd hosts a collection of crowd-sourced event map files for each event log and type. These map files utilize Xpath filters to extract critical information from events, such as usernames, domains, IP addresses, and more. EvtxECmd's true power lies in its ability to normalize and filter logs at scale. It can process logs from various systems or different log types on a single system, allowing for easy analysis and extraction of valuable insights. The tool can be run on live systems, accessing the Volume Shadow Service (VSS) to retrieve older versions of event logs. Live analysis capabilities make it a versatile solution for real-time incident response and forensic investigations. Modern event logs being in XML format, EvtxECmd capitalizes on Xpath filtering for easy identification of specific parts of XML output. Event type-specific map files extract relevant values using Xpath filter notation. Understanding the Map File: Example: EID 4624 The EvtxECmd Map file for Event ID 4624 demonstrates how individual elements are referenced using Xpath filter notation. Standardized fields like UserName, RemoteHost, and ExecutableInfo provide consistent data points for various event types. Powerful Filtering with Timeline Explorer: Creative Filtering Opportunities: Grouping and Segmentation: Running EvtxEcmd on live system to extract artifacts: COMMAND LINE: - EvtxECmd.exe -d C:\windows\system32\winevt\logs --csv C:\Users\user\desktop --csvf eventlogs.csv –vss Breaking Up: -d (directory) (Path of (directory)logs where it present) --csv \Users\user\desktop (CSV Format where you want store) --csvf eventlogs.csv File name to save CSV formatted results –vss Process all Volume Shadow Copies that exist on drive Running EvtxEcmd on collected logs from system: COMMAND LINE: -   EvtxECmd.exe -d C:\users\user\downloads\logs\ --csv C:\Users\user\desktop --csvf eventlogs.csv -d (Provide path where all logs present) Running EvtxEcmd on Single log for example security.evtx: COMMAND LINE: -   EvtxECmd.exe -f C:\users\user\download\security.evtx --csv C:\Users\user\desktop --csvf eventlogs.csv -f (For single evtx file) Conclusion: The collaboration of EvtxECmd with Timeline Explorer enhances the analytical capabilities, providing a holistic approach to Windows event log analysis. Whether you are dealing with incident response, forensic investigations, or simply aiming to strengthen your cybersecurity posture, EvtxECmd proves to be a must-have tool in your arsenal. The flexibility and power it brings to the table empower analysts to navigate through the intricacies of Windows event logs, unveiling critical information for a proactive cybersecurity stance. Akash Patel

Introduction: The Amcache.hve registry hive, introduced with Windows 8 and later backported to patched Windows 7 systems, is a treasure trove of information for digital forensics analysts. This registry hive contains valuable data related to executed executables, installed applications, and loaded drivers. In this blog post, we delve into the intricacies of the Amcache.hve, focusing on the InventoryApplicationFile, InventoryApplication, and InventoryDriverBinary keys. InventoryApplicationFile: Navigating Executables The InventoryApplicationFile key serves as an excellent starting point when dissecting Amcache data. Its subkeys are named per application, offering a straightforward method to identify executables of interest. While the hash generation algorithm hasn't been fully reversed, it seems linked to the full path of the executable. Analysts may encounter multiple keys with the same executable name but located in different folders. Key values provide additional insights, such as the renowned "FileID" value, offering the SHA1 hash (minus the initial four zeroes), "LowerCaseLongPath" for the full path, "Size" for file size, and "LinkDate" for the PE header compilation time. As you navigate through InventoryApplicationFile, you unveil a plethora of details associated with executed executables. InventoryApplication: Unraveling Installed Applications The InventoryApplication key within the Amcache hive complements the InventoryApplicationFile, focusing on installed applications. Each entry, named according to the "ProgramID," facilitates easy association with InventoryApplicationFile. The key provides crucial information, including installation date (granularity of one day) and detailed publisher information. While the last write times of registry keys may not necessarily indicate execution time, they signify the presence of the executable on the system. Combining information from InventoryApplication and InventoryApplicationFile offers a comprehensive view of both executed and installed applications. InventoryDriverBinary: Decrypting Loaded Drivers Loaded drivers play a pivotal role in investigations involving potential advanced malware infections. The InventoryDriverBinary key within Amcache.hve holds a wealth of information about drivers on the system. Each subkey corresponds to a driver, offering insights into anomalies based on known good/bad hashes, modification times, driver signing status, and metadata stored in the PE header. This information is invaluable when scrutinizing systems for advanced malware using rootkits, bootkits, or security tool evasion capabilities. Real-world Example: Spotting Suspicious Drivers In a real-world example, we encounter a driver with an unusual name in a non-standard folder, lacking recorded driver metadata. This prompts further investigation, including checking the digital signature, comparing timestamps with known activities, and querying the SHA1 hash against databases like VirusTotal. Ultimately, this driver turns out to be part of the F-Response forensics tool, highlighting the importance of thorough analysis. Conclusion: The Amcache.hve registry hive unveils a wealth of information crucial for digital forensics investigations. By navigating through InventoryApplicationFile, InventoryApplication, and InventoryDriverBinary keys, analysts can gain valuable insights into executed executables, installed applications, and loaded drivers. Akash Patel