Windows Forensics - PimmyTrousers/Cooking-Recipes GitHub Wiki

Forensic artifacts in Windows were built to do other things, but are used as evidence

  • Things that ensure backwards compatibility
  • Things that help programs run faster
  • Things that help speed up/improve ux

The registry lives in \windows\system32\config, which is protected; backups of the important hives are kept in the RegBack subdirectory of that same directory:

  • DEFAULT
  • SAM
  • SECURITY
  • SOFTWARE
  • SYSTEM

Every user profile has an ntuser.dat file (that user's chunk of registry info):

  • Plugs into the registry as HKCU
    • The terms HKCU and ntuser.dat are fairly interchangeable, however:
      • HKCU usually refers to analysis of a LIVE system
      • ntuser.dat usually refers to analysis of files from a DEAD system
  • Always grab the ntuser.dat of each user you are interested in; usually you will grab all of them
  • HKLM
    • Notice the hives previously mentioned:
      • SAM, SECURITY, SOFTWARE, SYSTEM
    • HARDWARE is generated at system boot and not stored on the system disk (dynamic)
      • => no HARDWARE hive on disk

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

  • Use Registry Explorer (free software) to look at ntuser.dat
    • Side note: you may see deleted records in red; when a record is deleted during anti-forensics and backups still exist, it can be recovered
    • \ComDlg32: information about the last paths a user was browsing
      • \LastVisitedPidlMRU
        • Binaries used to open/save files
      • \OpenSavePidlMRU
        • Contains the paths to the files themselves
      • Use the ComDlg32 MRUs to find evidence of files being used that have since been deleted
    • \RecentDocs
      • RegRipper will parse the registry hives and extract this info for you
    • \RunMRU
      • Look at the MRUList value to tell you the order of runs. Each letter (a value name) is associated with a value type and data (like mspaint or notepad). These are commands the user has run
    • \TypedPaths
      • Indicates the user knew what they were looking for and that the path existed. Evidence of a user looking for a path that no longer exists => circumstantial evidence that the path has been deleted
      • Vid gives the example of C:\msf
    • \UserAssist: evidence of application execution
      • When and how many times a program was executed (also, obviously, which user executed it, because it is in HKCU)

Places where programs can be specified to start upon login

  • HKCU...Run
  • HKCU...RunOnce
  • HKLM...Run
  • HKLM...RunOnce

ShellBags: information stored when a user visits a path and customizes the look and feel. Shellbags persist for paths that have not existed on a system for a long time.

  • Use ShellBags Explorer to parse shellbags:
    • Vid example: there is evidence of C:\MSF once existing, and:
      • When it existed
      • Which user(s) accessed it
  • Under HKCU\Software\Microsoft\Windows\Shell
    • \BagMRU
    • \Bags

usrclass.dat: another file that stores a user-specific piece of the registry (plugs into the registry at HKCU\SOFTWARE\Classes)

  • Added in Windows 7 as a security feature to increase segmentation
    • Make sure you grab this file too; it holds shellbag data as well
  • Segments off low-integrity processes that don't have r/w permission on the standard registry

USB devices: (USBDeviceForensics by Woanware is a handy tool)

  • HKLM\SYSTEM\<CurrentControlSet>\Enum
    • CurrentControlSet: you will only see this on a live system; if analyzing a previously acquired image, there will be no CurrentControlSet
      • Go to \SYSTEM\Select > Current
      • That value (in this example, 1) is the most recent control set (there could be multiple, ControlSet001, ControlSet002, if Windows had trouble starting and attempted to fix it)
  • \USBSTOR
    • Shows flash drives as folders; expand => serial number
      • Globally unique serial: ampersand near the end
      • Ampersand near the beginning: the manufacturer did not follow guidelines by assigning a globally unique number => Microsoft assigns a locally unique one
      • You will know the make, serial number, and the last UTC write timestamp
  • \USB
    • VID and PID entries; match them to a known database online to find more information about the make and model of a particular flash drive
  • HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices
    • Mouse over to match the serial number and find the volume name of the connected flash drive
  • HKLM\SYSTEM\MountedDevices
    • Match the serial number to find the volume GUID: any other references to the volume GUID => evidence that the flash drive was used for other things
      • The volume GUID can tell which user mounted that USB device: go to ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2; the user that mounted the device will have a key named by the volume GUID under MountPoints2
      • Under HKLM...USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{GUID}\<####>
        • 0064: first time the device was plugged into the system
        • 0066: first time the device was connected to the system (Win8+)
          • Also the last write time of the VID/PID key
          • Last write time of the MountPoints2\{volume GUID} key
        • 0067: last time the device was unmounted & removed
    • Can find what it was mounted as, as well (in this case, E:)
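As an added example (not from the wiki), pure-Python helpers for the dead-box USB workflow above: resolving Select\Current to a ControlSet key, decoding the FILETIME in the 0064/0066/0067 property values, applying the ampersand heuristic to a USBSTOR instance id, and correlating a serial through MountedDevices to a volume GUID and then to the users whose MountPoints2 names it. It assumes you have already exported the relevant values (e.g. from Registry Explorer) into plain dicts; the sample data and GUIDs are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone


def current_control_set(select_current: int) -> str:
    """Dead hive: map SYSTEM\\Select\\Current (e.g. 1) to the key name ControlSet001."""
    if not 1 <= select_current <= 999:
        raise ValueError(f"implausible Select\\Current value: {select_current}")
    return f"ControlSet{select_current:03d}"


def filetime_to_utc(raw: bytes) -> datetime:
    """Decode the 8-byte little-endian FILETIME in the 0064/0066/0067 property values."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)  # 100-ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def serial_is_windows_generated(instance_id: str) -> bool:
    """Page heuristic: '&' near the start ('7&1a2b3c4d&0') means Windows invented the id;
    '&' near the end ('4C53000123456789&0') means the vendor supplied a unique serial."""
    return 0 < instance_id.find("&") <= 2


def volumes_for_serial(mounted_devices: dict, serial: str) -> dict:
    """Correlate HKLM\\SYSTEM\\MountedDevices with a USBSTOR serial. Returns {value name: path}
    so the \\??\\Volume{GUID} entry and any \\DosDevices\\E: letter for the same stick appear together."""
    hits = {}
    for name, blob in mounted_devices.items():
        # USB entries are UTF-16LE device paths; fixed-disk entries are 12-byte
        # MBR-signature+offset blobs that decode to junk and simply never match.
        path = blob.decode("utf-16-le", errors="replace")
        if serial.lower() in path.lower():
            hits[name] = path
    return hits


def users_who_mounted(volume_guid: str, mountpoints2_by_user: dict) -> list:
    """Each user's ntuser.dat ...\\Explorer\\MountPoints2 has a subkey per volume GUID that
    user mounted; return the users whose MountPoints2 contains this GUID."""
    want = volume_guid.lower()
    return sorted(u for u, keys in mountpoints2_by_user.items() if any(k.lower() == want for k in keys))


# Constructed sample (placeholder GUIDs, not from any real system).
_PATH = "_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00#4C530001234567890123&0#{PLACEHOLDER-CLASS-GUID}"
SAMPLE_MOUNTED = {
    "\\??\\Volume{11111111-2222-3333-4444-555555555555}": _PATH.encode("utf-16-le"),
    "\\DosDevices\\E:": _PATH.encode("utf-16-le"),
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4" + "00" * 8),  # MBR signature + partition offset
}
```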

Misc registry keys that may provide useful info

  • HKLM\SYSTEM\<CurrentControlSet>\Control
    • \TimeZoneInformation: you should know what timezone the computer is in; make sure that time correlations and events are accurate
    • \ComputerName: important during an investigation
    • \FileSystem
      • NtfsDisableLastAccessUpdate: affects MACB times
        • By default set to 1 => last-access timestamp updates are disabled by default (likely for performance reasons)
        • They are still updated under certain circumstances
  • HKLM\SYSTEM\<CurrentControlSet>\Services
    • \LanmanServer: shares that are configured on the system
    • \Tcpip: network config
      • \Parameters\Interfaces: interfaces & their associated IP address configs
        • What IP was assigned to this particular system?
        • Record the interface GUID as well

NLA: Network Location Awareness (Vista+): aggregates network info for the different networks the PC connects to (generates a GUID, like a network profile; Windows Firewall applies rules to the appropriate profile using that GUID)

You can check the last write time of a key => last time the PC connected to a network

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList
    • \Signatures
      • \Unmanaged
        • Take note of profile guid
        • NameType:
          • 6 = wired connection
          • 47 = wireless
          • 17 = broadband
        • Date created
          • Use DCode to convert the weird Windows 128-bit timestamps, stored in UTC (paste the hex without dashes)
        • Date last connected
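An added example, not from the wiki, that decodes the 128-bit DateCreated / DateLastConnected values (a Windows SYSTEMTIME: eight little-endian 16-bit words) without needing DCode, strips the dashes the way the note above says, and maps the NameType codes the page lists. ProfileName/NameType/DateCreated/DateLastConnected are the value names of a NetworkList profile; the sample profile below is constructed.

```python
import struct
from datetime import datetime

# NameType values as listed on the page.
NAME_TYPES = {6: "wired", 47: "wireless", 17: "broadband"}


def decode_systemtime(value) -> datetime:
    """Decode the 16-byte (128-bit) SYSTEMTIME blob used by DateCreated / DateLastConnected.
    Accepts raw bytes or the hex string Registry Explorer shows (dashes/spaces are stripped,
    the same clean-up DCode needs). Layout: eight little-endian 16-bit words:
    year, month, day-of-week (0 = Sunday), day, hour, minute, second, millisecond."""
    if isinstance(value, str):
        value = bytes.fromhex(value.replace("-", "").replace(" ", ""))
    raw = bytes(value)
    if len(raw) != 16:
        raise ValueError(f"SYSTEMTIME must be 16 bytes, got {len(raw)}")
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    ts = datetime(year, month, day, hour, minute, second, ms * 1000)
    # Sanity check: the stored day-of-week must agree with the calendar; a mismatch means
    # the bytes were not a SYSTEMTIME (wrong value, wrong offset or wrong byte order).
    if (ts.weekday() + 1) % 7 != dow:
        raise ValueError("day-of-week field disagrees with the date: not a SYSTEMTIME")
    return ts


def describe_profile(profile: dict) -> dict:
    """Summarise one NetworkList profile exported as {value name: raw value}."""
    nt = profile.get("NameType")
    return {
        "name": profile.get("ProfileName"),
        "type": NAME_TYPES.get(nt, f"unknown({nt})"),
        "created": decode_systemtime(profile["DateCreated"]).isoformat(timespec="milliseconds"),
        "last_connected": decode_systemtime(profile["DateLastConnected"]).isoformat(timespec="milliseconds"),
    }


# Constructed sample: 2024-03-15 (a Friday, day-of-week 5) 13:45:30.250, once as dashed hex, once raw.
SAMPLE_PROFILE = {
    "ProfileName": "CoffeeShop-WiFi",
    "NameType": 47,
    "DateCreated": "e8-07-03-00-05-00-0f-00-0d-00-2d-00-1e-00-fa-00",
    "DateLastConnected": bytes.fromhex("e807030005000f000d002d001e00fa00"),
}
```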

Link file analysis: do not ignore .lnk files, "they contain a wealth of knowledge":

  • Metadata: even if the target was securely erased, the link files may still remain and can provide info about the file. Use exiftool on the .lnk to analyze it
    • MAC times of the target
    • Original path of the file
    • Size
    • Serial number of the volume it was stored on
    • Network volume share
    • In some cases: MAC address of the host computer
  • Jump lists: taskbar access to files you've interacted with; additional link files (see the Forensics Wiki)

Prefetcher and Superfetch: improve UX by caching frequently used and accessed data on the system. Shows evidence of application execution globally: GUI-based apps and programs run from the command line.

  • C:\windows\prefetch
  • Example: cmd.exe should only have 1 prefetch file; a second prefetch file with a different hash means there is more than one cmd.exe, which is of interest
  • Tool: WinPrefetchView from NirSoft (free)
    • Double-click a file to see info (including the run counter and multiple run timestamps)
  • HKLM\SYSTEM\<CurrentControlSet>\Control\Session Management\PrefetchParameters:
    • EnablePrefetcher value: 3 (default): application and boot prefetching is enabled; on Windows Server OSes the prefetcher is not turned on by default