GCFE Study Notes

The GIAC Certified Forensic Examiner (GCFE) is a certification offered by SANS/GIAC that covers Windows forensics in technical depth. SANS offers the FOR408 course as preparation for it.

(*WORK IN PROGRESS*)


The content is broken up into 6 sections and I’ll be taking informal notes (not comprehensive) below:

Section 1 

  • Triage, Advanced FTK Imager, Data Stream Carving, File Carving

Section 2

  • Registry Analysis

Section 3

  • Shell Items, Shortcut (.lnk) Files, USB Device, and String Searching

Section 4

  • Email Analysis, Additional Artifact Analysis, and Event Logs

Section 5

  • Browser Analysis

Section 6

  • Knowledge Bits

Notes captured here are for my personal reference, but I figured I’d share them in case anyone finds them useful.


Section 1

Triage, Advanced FTK Imager, Data Stream Carving, File Carving

 

Section 2

Registry Analysis

Where are the registry files located?

%WinDir%\System32\Config

  • SAM
  • SECURITY
  • SYSTEM
  • SOFTWARE
  • DEFAULT

The registry hives map to the following files on disk (paths are relative to the Windows directory):

HKEY_LOCAL_MACHINE\SYSTEM : \system32\config\system
HKEY_LOCAL_MACHINE\SAM : \system32\config\sam
HKEY_LOCAL_MACHINE\SECURITY : \system32\config\security
HKEY_LOCAL_MACHINE\SOFTWARE : \system32\config\software
HKEY_USERS\<UserProfile> : \winnt\profiles\<username> (NT 4 location; see the user hive paths below for XP and later)
HKEY_USERS\.DEFAULT : \system32\config\default

The registry is stored in a set of data files called hives. Hives contain keys and values.

Backup hive files:

%WinDir%\System32\Config\RegBack

  • SAM
  • SECURITY
  • SYSTEM
  • SOFTWARE
  • DEFAULT

Windows XP keeps a copy of these hive files in each System Restore point.

Windows 7 keeps a copy of these hive files in each Volume Shadow Copy.

User Registry Hives:

These are a “gold mine” of user activity.

NTUSER.DAT

C:\Documents and Settings\<username>\NTUSER.dat (XP)

C:\Users\<username>\NTUSER.dat (Win 7, Win 8)

USRCLASS.DAT (Win 7, Win 8)

C:\Users\<username>\AppData\Local\Microsoft\Windows\USRCLASS.DAT

When the registry is viewed on a live system (e.g. in regedit or a registry viewer), you see the logical root keys rather than the hive file names; the mapping is:

HKEY_LOCAL_MACHINE (HKLM) contains:

  • SAM
  • SECURITY
  • SYSTEM
  • SOFTWARE

HKEY_CURRENT_USER (HKCU) contains:

  • NTUSER.DAT
  • USRCLASS.DAT (mapped under HKCU\Software\Classes on Win7/Win8)

Every key in each hive has a Last Write Time; it is stored in UTC.

MRULists

  • MRU = Most Recently Used
  • Shows the temporal order of values in key
  • Newest to oldest

Deleted Registry Keys/Values

  • Registry hives have unallocated space similar to file systems
  • A deleted hive key is marked as unallocated
  • Recovery of unallocated keys possible
    • Keys
    • Values
    • Timestamps
  • Few anti-forensic tools completely wipe unallocated registry hive data
  • Commercial YARU (Yet Another Registry Utility) can recover deleted keys
    • Displays unallocated space and deleted keys
    • Available on tzworks.net

Profiling Users/Groups with the SAM hive

With any forensic investigation, your language should be “this activity can be traced back to the user’s profile” (you shouldn’t say the user did it, due to possible subversion techniques such as a stolen password or a compromised session).

SAM contains user/group information:

  • Username
  • Security Identifier (SID)
  • User Login Information
    • Last Login
    • Last Failed Login
    • Logon Count
    • Password Policy
  • Group Information
    • Administrators
    • Users
    • Remote Desktop Users

Determine Password

It is difficult to determine whether an account has a password.

  • All of these flags can give false positives:
    • Password required?
    • Has NT (NTLM) password hash?
    • Has LanManager password hash?
  • The only way to be sure is to use third-party software such as SAMInside to dump and test the hashes.

Identify the Microsoft OS Version 

  • Determine the Microsoft Windows Version, Service Pack Level, and Install Date of the machine using this key.
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • It is common to receive a hard drive with an unknown Windows OS on it.
  • This key will show you the install date of the system.

Identify the Current Control Set 

  • Identifies which control set (ControlSet00x) is considered the CurrentControlSet.
  • Contains information about the system’s configuration setting.
    • SYSTEM\Select
    • SYSTEM\Select\Current
  • Determines which ControlSet00x to use as the “CurrentControlSet”
  • Once you identify which ControlSet00x is the “Current Control Set” you should focus your examination there.

 Time Zone Information 

  • Identify the current system time zone
    • SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Last Access Time On/Off

  • Controls whether NTFS records last-access timestamps. If disabled, last-access times in the filesystem are not updated.
    • SYSTEM\CurrentControlSet\Control\FileSystem
  • Look at NtfsDisableLastAccessUpdate: if it is set to 0x1, last-access timestamp updates are turned off.
  • This is turned off by default in Windows Vista, Windows 7, and Windows 8.
  • Without last-access times it is harder to tell when files were last opened by the user, e.g.:
    • Pictures being viewed
    • MP3s being played
    • Office Documents and PDFs being examined

Network Interfaces 

  • Identifies the computer’s network interface cards
    • SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
  • Lists network interfaces of the machine
  • Can determine if machine has static IP address or if it configured by DHCP
  • Ties machine to network activity that was logged
  • Obtain Interface GUID for additional profiling in Network Connections

Historical Wired/Wireless Networks (Win 7/8)

  • Identify networks that the computer has been connected to
  • Networks could be wireless or wired
  • Identify domain name/intranet name
  • Identify SSID
  • Identify Gateway MAC address
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
  • Identifying intranets and networks that a computer has connected to is incredibly important.
  • Not only can you tell the intranet name, you can tell the last time the network was connected to based on the last write time of the key.
  • This will also list any networks that have been connected to via a VPN
  • The gateway MAC address recorded for an SSID can be used to physically locate the network.

Network Types

  • Identify the type of network that the computer was connected to
  • Identify Wireless SSIDs that the computer previously connected to
  • Time is recorded in LOCAL TIME – NOT UTC
    • SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID} (XP)
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles (Vista/Win7/Win8)
      • Find GUID from Vista/Win7/Win8 Historical Networks in List
  • Determine the type of network connect using Nametype Value
    • Nametype Value = 0x47 = Wireless
    • Nametype Value = 0x06 = Wired
    • Nametype Value = 0x17 = Broadband (3G)
  • Lists networks that the machine has connected to including the first and last connection time.

System Boot  Autostart Programs

  • Lists the programs that run at system boot
    • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
    • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    • SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • (Services) SYSTEM\CurrentControlSet\Services
      • If the Start value is 0x02 (Automatic) the service starts at boot; 0x00 and 0x01 are boot-start and system-start drivers, which also load at boot
  • Determine programs that will start automatically
  • Useful to find malware on a machine that installs on boot such as a rootkit
  • Look at time key was last updated, generally this would be the last boot time.

Shutdown Information

  • Discover when the system was last shutdown
  • Discover how many successful times the system was shutdown (XP Only)
    • SYSTEM\CurrentControlSet\Control\Windows (Shutdown Time)
  • Helpful for certain types of investigations

WordWheelQuery

  • Searches from the start menu
    • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

TypedPaths

  • Paths the user deliberately typed into the Windows Explorer address bar
    • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

RecentDocs

  • Populated when a user opens a file from Windows Explorer
    • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  • A subkey is created per file extension as files of that type are opened (e.g. RecentDocs\.docx), plus a Folder subkey

Microsoft Office RecentDocs

  • Microsoft Office stores “RecentDocs”
  • Each version of office product under
    • NTUSER.DAT\Software\Microsoft\Office\VERSION
  • The version can be varied
    • 14.0 = Office 2010
    • 12.0 = Office 2007
    • 11.0 = Office 2003
    • 10.0 = Office XP
  • Example:
    • Word 2007 – Software\Microsoft\Office\12.0\Word\FileMRU

OpenSaveMRU

  • If a common Open/Save dialog box pops up, anything entered there is tracked here
    • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidMRU (Vista and later; OpenSaveMRU on XP)
  • Good for determining intent to open a document (File Knowledge)

LastCommandsExecuted

  • Commands typed into the START -> RUN
    • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  • Commands executed from clicking on START and then executing the command from the SEARCH bar

UserAssist

  • Tells how many times a program was executed and when it was last run
  • Value names are stored ROT-13 encoded
  • Logs
    • Last Run Time
    • Run Count (XP stores the real count + 5, so a first run reads 6; Win7/Win8 store the actual count)
    • Name of Application
  • GUIDS under Win7/Win8
    • CEBFF5CD -> Executable File Execution
    • F4E57C4B -> Shortcut File Execution
  • GUIDs also available for Folder Locations
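As an added example (not from the course or the original notes), this Python snippet decodes a UserAssist entry the way a registry parser would: ROT-13 on the value name, then the binary "Count" value. The field offsets used (run count at offset 4 and last-run FILETIME at offset 60 for the 72-byte Win7/Win8 record; run count + 5 at offset 4 and FILETIME at offset 8 for the 16-byte XP record) are the documented layouts; the sample values, the program name and the timestamps are constructed for the demo.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# GUID subkeys under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
USERASSIST_GUIDS = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "executable",        # Win7/Win8
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "shortcut (.lnk)",   # Win7/Win8
    "{75048700-EF1F-11D0-9888-006097DEACF9}": "XP program list",   # XP
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means 'never run'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc; only used to build the constructed sample values below."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def decode_userassist_name(rot13_name):
    """Value names are ROT-13 encoded; digits, backslashes, braces and dots pass through unchanged."""
    return codecs.decode(rot13_name, "rot_13")


def parse_userassist_value(raw, xp_format=False):
    """Win7/Win8 'Count' values are 72 bytes: session at 0, run count at 4, focus count at 8,
    focus time (ms) at 12, last-run FILETIME at 60. XP values are 16 bytes: session at 0,
    run count at 4 (stored as real count + 5, so the first run reads 6), FILETIME at 8."""
    if xp_format:
        _session, stored_count, ft = struct.unpack_from("<IIQ", raw, 0)
        return {"run_count": max(stored_count - 5, 0), "last_run": filetime_to_utc(ft)}
    if len(raw) < 68:
        raise ValueError("Win7+ UserAssist value too short: %d bytes" % len(raw))
    run_count, focus_count, focus_ms = struct.unpack_from("<III", raw, 4)
    (ft,) = struct.unpack_from("<Q", raw, 60)
    return {"run_count": run_count, "focus_count": focus_count,
            "focus_ms": focus_ms, "last_run": filetime_to_utc(ft)}


def parse_userassist_entry(guid, rot13_name, raw, xp_format=False):
    entry = {"kind": USERASSIST_GUIDS.get(guid.upper(), "unknown GUID"),
             "program": decode_userassist_name(rot13_name)}
    entry.update(parse_userassist_value(raw, xp_format))
    return entry


# Constructed sample (not real evidence): cmd.exe run 3 times, last on 2013-06-12 14:30:00 UTC
SAMPLE_LAST_RUN = datetime(2013, 6, 12, 14, 30, tzinfo=timezone.utc)
SAMPLE_NAME_ROT13 = "P:\\Jvaqbjf\\Flfgrz32\\pzq.rkr"          # ROT-13 of C:\Windows\System32\cmd.exe
SAMPLE_WIN7_VALUE = (struct.pack("<IIII", 0, 3, 2, 15000)   # session, run count, focus count, focus ms
                     + b"\x00" * 44                          # offsets 16..59 (not needed here)
                     + struct.pack("<Q", utc_to_filetime(SAMPLE_LAST_RUN))
                     + b"\x00" * 4)                          # pad to the 72-byte record size
SAMPLE_XP_VALUE = struct.pack("<IIQ", 1, 3 + 5, utc_to_filetime(SAMPLE_LAST_RUN))


def demo_win7():
    return parse_userassist_entry("{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}",
                                  SAMPLE_NAME_ROT13, SAMPLE_WIN7_VALUE)


def demo_xp():
    return parse_userassist_entry("{75048700-EF1F-11D0-9888-006097DEACF9}",
                                  SAMPLE_NAME_ROT13, SAMPLE_XP_VALUE, xp_format=True)


if __name__ == "__main__":
    for entry in (demo_win7(), demo_xp()):
        print(entry)
```

Feed `parse_userassist_entry` the GUID subkey name, the raw value name and the raw value bytes from an exported NTUSER.DAT and it returns the decoded program path, the corrected run count and the last-run time in UTC; note that a zero FILETIME comes back as `None` rather than 1601-01-01.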

muicache

  • Caches application display names so Windows can check whether translation to another language is needed
  • Substantiates evidence of execution
  • Has unintended forensic value, but no useful timestamps
    • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache (Win7)
  • Additional location to look for potential traces of program execution

Shellbags

  • Tracks the view preferences (window size, position, sort order) of folders opened in Windows Explorer
  • Can be utilized to tell if activity occurred in a folder
  • You can track if a user opened/closed/created/deleted/copied a folder
  • In some cases, you can see the files from a specific folder as well
    • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
    • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
    • NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
    • NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
  • Useful since it stores information about which folders were most recently browsed by the user.

 

Section 3

Shell Items, Shortcut (.lnk) Files, USB Device, and String Searching

Shell Items Overview

Data or file that has information to access another file is known as a “shell item”

Shell Item Artifacts

  • Type of Drive target is on:
    • Fixed, Removable, Network
  • Path of Target file:
    • Drive letter, volume label, volume serial # for locally attached
    • Server share path and drive letter (optional) for network
    • If the target is in a “special” or “known” folder
  • Target Metadata
    • MAC Timestamps
    • Size
    • MFT record number
    • Sequence number

The Windows shell allows a user to have shortcut (a.k.a link or lnk) files. A shortcut file is a file that has information used to access another file (or shell objects). It is a form of a pointer.

Analyzing USB Devices

KEY HIVES: SYSTEM, SOFTWARE, NTUSER.DAT

The Process:

  1. Write down vendor, product, version, and serial number
  2. Write down Vendor-ID (VID) and Product-ID (PID)
  3. Write down Volume GUIDs
  4. Write down Drive Letter
  5. Write down Volume Name
  6. Write down Volume Serial Number
  7. Find the user that used that specific USB device
  8. Discover first time device connected (and first time connected after last reboot)
  9. Determine last time device connected
  10. Determine time of drive removal

Here you go:

1.  Write down vendor, product, version, and serial number (SYSTEM HIVE -> USBSTOR)

  • SYSTEM\CurrentControlSet\Enum\USBSTOR
    • Will give you the vendor, product, version, and serial number
    • If “&” is the 2nd character of the serial number, it is not unique: Windows generated it because the device did not supply a serial number (typically a cheap drive that doesn’t follow the USB spec).
  • Next Step: The serial number will be referenced in the SYSTEM\CurrentControlSet\Enum\USB registry key

2. Write down Vendor-ID (VID) and Product-ID (PID)

  • SYSTEM\CurrentControlSet\Enum\USB
    • Will give you the Vendor ID (VID), Product ID (PID), and last time connected (key last write time).
    • VID_XXXX
    • PID_YYYY
  • Next Step: The serial number will be referenced in the SOFTWARE\Microsoft\Windows Portable Devices\Devices registry key.

3. Write down Volume GUIDs

  • SYSTEM\MountedDevices
    • Will give you the volume GUID next to “\Volume{“
  • Next Step: Stay on “MountedDevices” key or pull NTUSER.DAT for recent docs

4. Write down Drive Device Letter

  • Multiple locations/methods, but difficult to explain concisely. See Windows Internals book for details.
    • SYSTEM\MountedDevices
    • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
    • Perform search for Volume Name via Shortcut file analysis (LNK)
  • Next Step: The serial number will be referenced as we move to the SOFTWARE hive

5. Write down Volume Name

  • SOFTWARE\Microsoft\Windows Portable Devices\Devices
    • Will give you the volume name of the USB device when it was plugged in the machine
  • Next Step:  Stay in the SOFTWARE HIVE and go up to the EMDMgmt key

6. Write down Volume Serial Number

  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
    • The number at the end of the subkey name is the Volume Serial Number (VSN) in decimal; convert it to hex to match the VSN recorded in shortcut (.lnk) files
  • A disk format changes the volume’s serial number

7. Write down user that used the USB device

  • Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
  • Visit each user’s NTUSER.DAT looking for the GUID
  • Next Step: Time Analysis

8. Determine First Time Device Connected

  • SYSTEM\CurrentControlSet\Enum\USBStor
    • Will give “InstallDate” as a Windows 64-bit (FILETIME) hex timestamp (decode with the DCode tool)
  • Plug and Play Log Files
    • XP
      • c:\Windows\setupapi.log
    • Win7 and Win8
      • c:\Windows\inf\setupapi.dev.log
  • Log file times are in the local time zone (unlike most registry timestamps, which are UTC)
  • Mandiant Highlighter tool helps
    • Search for the device serial number and look for the first entry
  • Next Step: Determine “Last Write” via Serial Number
  • Install Date = 0064 (Windows 8: Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 under the device’s USBSTOR instance key)

9. Determine Last Time Device Connected

  • SYSTEM\CurrentControlSet\Enum\USB
    • The key last write time for the serial number gives the last connection
  • Also: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID}
    • Key last write time gives when that user last connected the device
  • Last Step: Determine time device was removed.
  • Last Connected = 0066 (Windows 8 device property, same Properties key as above)

10. Determine Time Device Removed

  • SYSTEM\CurrentControlSet\Enum\USBStor
    • Stored as a Windows 64-bit (FILETIME) hex timestamp (decode with the DCode tool)
  • Last Removal = 0067 (Windows 8 device property, same Properties key as above)
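The steps above are mostly string parsing on key names plus FILETIME decoding, so here is one added Python example (my own, not course material) that walks them in order for one device. Every key name and timestamp in `demo()` is constructed; the key-name formats (USBSTOR `Disk&Ven_…&Prod_…&Rev_…`, `VID_xxxx&PID_yyyy`, the EMDMgmt `…{GUID}<VolumeName>_<VSN decimal>` suffix) and the Win8 property codes 0064/0066/0067 under `{83da6326-97a6-4088-9453-a1923f573b29}` are the documented layouts.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means 'not recorded'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


# Step 1: SYSTEM\ControlSet00x\Enum\USBSTOR\<this key>\<instance id>
USBSTOR_RE = re.compile(r"^(?P<class>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$")
# Step 2: SYSTEM\ControlSet00x\Enum\USB\<this key>\<serial>
VIDPID_RE = re.compile(r"^VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})")
# Step 6: SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\<this key>; the name ends in _<VSN in decimal>
EMDMGMT_RE = re.compile(r"^_\?\?_USBSTOR#(?P<device>[^#]+)#(?P<instance>[^#]+)#\{[0-9a-fA-F-]+\}(?P<volume>.*)_(?P<vsn>\d+)$")
# Steps 8-10 (Win8): Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00xx under the USBSTOR instance key
DEVICE_TIME_PROPERTIES = {"0064": "install_date", "0065": "first_install_date",
                          "0066": "last_arrival", "0067": "last_removal"}


def parse_usbstor_key(name):
    m = USBSTOR_RE.match(name)
    if not m:
        raise ValueError("not a USBSTOR device key: %r" % name)
    return m.groupdict()


def parse_instance_id(instance_id):
    """Instance id is '<serial>&<instance>'. A '&' as 2nd character means Windows generated the id
    because the device supplied no unique serial, e.g. '6&2f1b3a9c&0&000000'."""
    unique = len(instance_id) > 1 and instance_id[1] != "&"
    return {"serial": instance_id.split("&")[0] if unique else None,
            "unique_serial": unique, "instance_id": instance_id}


def parse_vid_pid(name):
    m = VIDPID_RE.match(name)
    if not m:
        raise ValueError("not a VID/PID key: %r" % name)
    return {"vid": m.group("vid").upper(), "pid": m.group("pid").upper()}


def parse_emdmgmt_key(name):
    """Returns the volume label and the VSN formatted the way .lnk parsers show it (XXXX-XXXX)."""
    m = EMDMGMT_RE.match(name)
    if not m:
        raise ValueError("not an EMDMgmt key: %r" % name)
    vsn = int(m.group("vsn"))                       # decimal in the key name
    return {"volume_name": m.group("volume"), "instance_id": m.group("instance"),
            "vsn_hex": "%04X-%04X" % (vsn >> 16, vsn & 0xFFFF)}


def parse_device_times(properties):
    """properties: {'0064': <8 raw bytes>, ...} as read from the Win8 property subkeys (FILETIME, UTC)."""
    out = {}
    for code, label in DEVICE_TIME_PROPERTIES.items():
        raw = properties.get(code)
        if raw is not None:
            out[label] = filetime_to_utc(struct.unpack("<Q", raw)[0])
    return out


def profile_usb_device(usbstor_key, instance_id, usb_key, emdmgmt_key, properties):
    profile = parse_usbstor_key(usbstor_key)
    profile.update(parse_instance_id(instance_id))
    profile.update(parse_vid_pid(usb_key))
    vol = parse_emdmgmt_key(emdmgmt_key)
    # Cross-check: the EMDMgmt entry must reference the same USBSTOR instance we started from
    profile["emdmgmt_matches_instance"] = vol["instance_id"].upper() == instance_id.upper()
    profile.update({k: vol[k] for k in ("volume_name", "vsn_hex")})
    profile.update(parse_device_times(properties))
    return profile


def ft_bytes(dt):
    """Builds the raw 8-byte FILETIME a property subkey would hold (sample construction only)."""
    return struct.pack("<Q", ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10)


def demo():
    # All key names and times below are constructed for illustration, not from a real system.
    return profile_usb_device(
        "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26",
        "4C530001230724113062&0",
        "VID_0781&PID_5567",
        "_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26#4C530001230724113062&0#"
        "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}CRUZER_1234567890",
        {"0064": ft_bytes(datetime(2013, 6, 10, 9, 0, tzinfo=timezone.utc)),
         "0066": ft_bytes(datetime(2013, 6, 12, 14, 5, tzinfo=timezone.utc)),
         "0067": ft_bytes(datetime(2013, 6, 12, 16, 40, tzinfo=timezone.utc))},
    )


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-26s %s" % (k, v))
```

The cross-check flag is the part worth keeping in real work: EMDMgmt, Windows Portable Devices and MountPoints2 all carry the device in slightly different spellings, so tie every artifact back to the USBSTOR instance id before treating its volume name or VSN as belonging to the same stick.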

Whew! That’s several steps, but hopefully this guide helps you.

Reminders/Tips: 

  • Reminder: when reading an offline SYSTEM hive, paths written with CurrentControlSet must be resolved to the actual ControlSet00x (e.g. ControlSet001) using SYSTEM\Select\Current
  • There are 3 primary USB device classes
    • MSC/UMS (USB Mass Storage) which is the most common and used in thumb drives, mp3 players, smartphones, etc
    • PTP (Picture Transfer Protocol) which is used for cameras, scanners, printers, smartphones, and tablets
    • MTP (Media Transfer Protocol) which is an improvement over PTP and is used on MP3 players, cameras, smartphones, and tablets.

Major Forensic Suites

  • EnCase (EnScript Engine, Application Parsing, Bookmarks and Reporting)
  • FTK

Shortcut Files

.lnk files are automatically created by Windows in the Recent folder:

  • Win7/8
    • c:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\
  • WinXP
    • c:\Documents and Settings\<username>\Recent\
  • Any non-executable file opened in Windows generates a shortcut (.lnk) for both:
    • File Target
    • Parent Folder
    • Max = 149 Files/Folders in Recent Directory
  • Shortcut (.lnk) Files will point to:
    • Target File MAC times
    • Volume Information (Name, Type, Volume Serial #)
    • Fixed, Removable, or Network Target
    • Original Path & Location
  • Last Modification Date on .lnk files = Last Time any file with exact same name has been opened (regardless of location)

Jump Lists

Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions.

Jump Lists come in multiple flavors:

  • automatic (autodest, or *.automaticDestinations-ms) files
  • custom (custdest, or *.customDestinations-ms) files
  • Explorer StartPage2 ProgramsCache Registry values

AutomaticDestinations

The AutomaticDestinations Jump List files are located in the user profile path:

Path: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Files: *.automaticDestinations-ms

Win 8/8.1 Search History

  • NTUSER.DAT
    • Software\Microsoft\Windows\CurrentVersion\Explorer\SearchHistory\Microsoft.Windows.FileSearchApp

Win7/Win8 Thumbnail Forensics

  • thumbs.db replaced by ThumbCache
    • thumbnails only (small, medium, large, XL)
    • Original location “might” be stored
    • Date/Time is not stored
  • C:\Users\<username>\AppData\Local\Microsoft\Windows\Explorer\

Win7/Vista/Win8

  • Uses the “Recycle Bin” ($Recycle.Bin\<SID> per user)
  • Every deleted file gets its own $I##### metadata file and a matching $R##### file with the same suffix
  • $I##### files contain:
    • Original path and name
    • Original file size
    • Deletion date/time
  • $R##### files contain the recovery data (the original file content)
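An added Python example (mine, not from the course) that parses a $I record and names its $R partner. The Vista/7/8 layout used here (8-byte version = 1, 8-byte size, 8-byte FILETIME, 520-byte UTF-16LE path) is the documented one; the version-2 branch for Windows 10, where the path is length-prefixed, goes beyond what the notes above describe but is included because both appear on modern images. `build_dollar_i` only exists to construct sample records; the path, size and deletion time are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_FIELD = 520          # 260 UTF-16 characters including the terminating null


def filetime_to_utc(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_dollar_i(data):
    """Parses a $I##### record. Header: version (8), original size (8), deletion FILETIME (8, UTC).
    Version 1 (Vista/7/8): fixed 520-byte UTF-16LE path. Version 2 (Win10): 4-byte char count + path."""
    if len(data) < 24:
        raise ValueError("truncated $I header (%d bytes)" % len(data))
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_FIELD]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    else:
        raise ValueError("unknown $I version %d" % version)
    return {"version": version, "original_size": size,
            "deleted_utc": filetime_to_utc(ft), "original_path": path}


def recovery_file_for(dollar_i_name):
    """$I<id>.<ext> pairs with $R<id>.<ext>, which holds the deleted content."""
    if not dollar_i_name.startswith("$I"):
        raise ValueError("not a $I file name: %r" % dollar_i_name)
    return "$R" + dollar_i_name[2:]


def build_dollar_i(version, size, deleted_utc, path):
    """Constructs a $I record so the parser can be exercised without a disk image (sample only)."""
    ft = ((deleted_utc - EPOCH_1601) // timedelta(microseconds=1)) * 10
    head = struct.pack("<QQQ", version, size, ft)
    encoded = path.encode("utf-16-le")
    if version == 1:
        return head + (encoded + b"\x00\x00").ljust(V1_PATH_FIELD, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded + b"\x00\x00"


# Constructed sample values
SAMPLE_DELETED = datetime(2013, 6, 12, 15, 5, 30, tzinfo=timezone.utc)
SAMPLE_PATH = "C:\\Users\\jdoe\\Documents\\payroll.xlsx"
SAMPLE_SIZE = 48213


def demo():
    win7 = parse_dollar_i(build_dollar_i(1, SAMPLE_SIZE, SAMPLE_DELETED, SAMPLE_PATH))
    win10 = parse_dollar_i(build_dollar_i(2, SAMPLE_SIZE, SAMPLE_DELETED, SAMPLE_PATH))
    return win7, win10


if __name__ == "__main__":
    for rec in demo():
        print(rec, "->", recovery_file_for("$I5XK2A1.xlsx"))
```

On a real image, read `$Recycle.Bin\<SID>\$I*` files as bytes and pass them to `parse_dollar_i`; a version-1 record is always exactly 544 bytes, so a different length is a quick sign you are looking at a Windows 10 record or a damaged file.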

Windows Prefetch (Superfetch)

Prefetch XP/Vista/Win7/Win8

  • Increases system performance by preloading the code pages an application needs
  • The cache manager monitors the files/directories touched as an application starts and records them in a .pf file
  • Utilized to show application execution (what and when)
  • Disabled by default on systems with an SSD; otherwise enabled by default

c:\Windows\Prefetch

  • Limited to 128 files on XP and Vista/Win7
  • Limited to 1024 files for Win8
    • (exename) – (hash).pf
  • Hash calculated based on directory path of executable
  • Lookup table for file-hash found on course USB: prefetch-hashes-lookup.txt

c:\Windows\Prefetch\Layout.ini

  • layout.ini contains the original path names of the files referenced by the prefetch files
  • Disk Defragmenter uses layout.ini to relocate those directories and files to a contiguous area of the disk
  • The .pf files themselves (not layout.ini) store the last execution time and the run count; Win8 keeps the last eight run times in each .pf

 

Section 4

Email Analysis, Additional Artifact Analysis, and Event Logs

NT/Win2000/XP/Server 2003

  • .evt file type (binary format, not cleartext)
  • %systemroot%\System32\config
  • filenames: SecEvent.evt, AppEvent.evt. SysEvent.evt

Vista/Win7/Win8/Server 2008/Server 2012

  • .evtx file type (binary XML format, not cleartext)
  • %systemroot%\System32\winevt\logs
  • Filenames: Security.evtx, Application.evtx, System.evtx, etc

Types of Event Logs

  • Security
    • Records access control and security settings information
    • Events based on audit and group policies
    • Example: Failed Logon; Folder Access
  • System
    • Contains events related to Windows services, system components, drivers, resources, etc.
    • Example: Service stopped; System rebooted
  • Application
    • Software events unrelated to the operating system
    • Example: SQL Server fails to access a database
  • Custom
    • Custom application logs
    • Examples: Server logs including Directory Server, DNS Server, and File Replication Service
  • Setup
    • The Setup log records installation and update information for Windows components and updates

.evtx Log Format

  • Memory efficiencies
    • Less costly to log
  • XML and filtering
  • Improved messaging
    • IP addresses
    • EventIDs changed
  • Expanded number of event logs
    • Increased granularity of audit control

 

Built-in Service Accounts

  • SYSTEM – most powerful local account, unlimited access to system
  • LOCAL SERVICE – limited privileges  similar to authenticated user account; can only access network resources via null session
  • NETWORK SERVICE – Slightly higher privileges than LOCAL SERVICE; can access network resources similar to authenticated user account.
  • ANONYMOUS LOGON – Null session w/o credentials used to authenticate with resource

Event Logs Analysis Scenario – Tracking Account Usage

  • Determine which accounts have been used for attempted logons
  • Track account usage for known compromised accounts
  • Relevant Event IDs:
    • 4624 – Successful Logon
    • 4625 – Failed Logon
    • 4634/4647 – Successful Logoff
    • 4672 – Special privileges assigned to new logon (i.e. an administrator-equivalent account logged on)
  • Type Codes:
    • 2 – Logon via console (i.e. using the keyboard)
    • 3 – Network logon
    • 4 – Batch Logon – Often used by Scheduled Tasks
    • 5 – Windows Service Logon
    • 7 – Credentials used to lock or unlock screen
    • 8 – Network logon sending credentials in cleartext
    • 9 – Different credentials used than the logged-in user – runas command
    • 10 – Remote interactive logon (Remote Desktop Protocol)
    • 11 – Cached credentials used to logon – system likely offline from DC
    • 12 – Cached Remote Interactive (similar to Type 10)
    • 13 – Cached unlock (similar to Type 7)
  • Look at Logon ID with event IDs 4624 (logon) ,4647 (logoff)
  • Investigative Notes:
    • Event descriptions provide a granular view of logon information
    • Windows does not reliably record logoffs (ID 4634), so also look for ID 4647 -> user-initiated logoff for interactive logons (user is sitting in front of the desktop, or VNC, or RDP).
    • Logon events are not recorded when backdoors, exploited services, or similar malicious means are used to access a system
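To make the account-usage scenario concrete, here is an added Python example (my own, not from the course) that parses Security-log events in their native XML shape, pairs each 4624 with its 4634/4647 on Logon ID, marks sessions that received a 4672, and counts 4625 failures per source. The event XML is constructed for the demo (the element and `Data Name` fields follow the real Security-log schema); every timestamp, user, Logon ID and IP address is made up.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon type codes as listed in the notes above
LOGON_TYPES = {2: "Interactive (console)", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials (runas)",
               10: "RemoteInteractive (RDP)", 11: "CachedInteractive",
               12: "CachedRemoteInteractive", 13: "CachedUnlock"}


def parse_systemtime(s):
    """EVTX SystemTime carries 7 fractional digits; datetime accepts at most 6, so truncate."""
    base, _, frac = s.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)


def parse_event(xml_text):
    """Flattens one <Event> into a dict: EventID, Time, plus every EventData/Data by its Name."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=EVT_NS)),
          "Time": parse_systemtime(root.find("e:System/e:TimeCreated", EVT_NS).get("SystemTime"))}
    for d in root.findall("e:EventData/e:Data", EVT_NS):
        ev[d.get("Name")] = (d.text or "").strip()
    return ev


def track_sessions(events):
    """Pairs 4624 with 4634/4647 on TargetLogonId, flags 4672, and counts 4625 failures per (user, ip)."""
    open_sessions, sessions, failures = {}, [], {}
    for ev in sorted(events, key=lambda e: e["Time"]):
        eid = ev["EventID"]
        if eid == 4624:
            ltype = int(ev.get("LogonType", "0"))
            open_sessions[ev["TargetLogonId"].lower()] = {   # Logon IDs appear in mixed hex case
                "user": ev.get("TargetUserName"), "logon_id": ev["TargetLogonId"],
                "type": ltype, "type_name": LOGON_TYPES.get(ltype, "unknown"),
                "source_ip": ev.get("IpAddress"), "start": ev["Time"],
                "end": None, "logoff_event": None, "privileged": False}
        elif eid == 4672:
            s = open_sessions.get(ev.get("SubjectLogonId", "").lower())
            if s:
                s["privileged"] = True
        elif eid in (4634, 4647):
            s = open_sessions.pop(ev["TargetLogonId"].lower(), None)
            if s:
                s["end"], s["logoff_event"] = ev["Time"], eid
                sessions.append(s)
        elif eid == 4625:
            key = (ev.get("TargetUserName"), ev.get("IpAddress"))
            failures[key] = failures.get(key, 0) + 1
    # Sessions never closed are still reported: Windows does not reliably log 4634
    sessions.extend(open_sessions.values())
    return sessions, failures


def event_xml(event_id, when, **data):
    """Builds a minimal Security-log event in the real schema (sample construction only)."""
    fields = "".join('<Data Name="%s">%s</Data>' % kv for kv in data.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>%d</EventID><TimeCreated SystemTime="%s"/></System>'
            '<EventData>%s</EventData></Event>' % (event_id, when, fields))


SAMPLE_EVENTS = [  # constructed: two failed admin logons, an RDP session, an unclosed batch logon
    event_xml(4625, "2013-06-12T12:58:01.1234567Z", TargetUserName="administrator", LogonType="3", IpAddress="203.0.113.7"),
    event_xml(4625, "2013-06-12T12:58:03.0000000Z", TargetUserName="administrator", LogonType="3", IpAddress="203.0.113.7"),
    event_xml(4624, "2013-06-12T13:00:00.0000000Z", TargetUserName="jdoe", TargetLogonId="0x3E7A1", LogonType="10", IpAddress="203.0.113.7"),
    event_xml(4672, "2013-06-12T13:00:00.0000000Z", SubjectUserName="jdoe", SubjectLogonId="0x3E7A1"),
    event_xml(4647, "2013-06-12T14:00:00.0000000Z", TargetUserName="jdoe", TargetLogonId="0x3e7a1"),
    event_xml(4624, "2013-06-12T14:10:00.0000000Z", TargetUserName="svc_backup", TargetLogonId="0x4001", LogonType="4", IpAddress="-"),
]


def demo():
    return track_sessions([parse_event(x) for x in SAMPLE_EVENTS])


if __name__ == "__main__":
    sessions, failures = demo()
    for s in sessions:
        print(s["user"], s["type_name"], s["source_ip"], s["start"], s["end"], "privileged" if s["privileged"] else "")
    print(failures)
```

With real data, export the Security log to XML (for example with `wevtutil qe Security /f:xml`) and feed each `<Event>` element to `parse_event`; the session pairing only works when both ends carry the same Logon ID, which is why the example normalizes its case before using it as a key.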

Event Logs Analysis Scenario – Remote Desktop Protocol

  • Relevant Event IDs
    • 4778 – Session Connected/Reconnected
    • 4779 – Session Disconnected
  • Event log provides hostname and IP address of remote machine trying to make a connection

Account Logon Events

  • Different than Logon Event category
  • Recorded on system that authenticated credentials
    • Local Account/Workgroup = On Workstation
    • Domain/Active Directory = On Domain Controller
  • Event ID Codes (NTLM protocol)
    • 4776: Successful / Failed account authentication
  • Event ID Codes (Kerberos protocol)
    • 4768: Ticket Granting ticket was successful (successful logon)
    • 4769: Service Ticket requests (access to server resource)
    • 4771: Pre-authentication failed (failed logon)
  • Error Codes separate for NTLM and Kerberos

Event Logs Analysis Scenario – Finding a Rogue Local Account

  • Scenario: A local account named root was used to map a network share
  • Event ID 4776 indicates that the root account authenticated from workstation M4500
  • Event ID 4624 shows a successful network (Type 3) logon immediately prior

Event Logs Analysis Scenario – Evidence of Malware Execution

  • Scenario: Evil doer is thought to have utilized malware to elevate privileges. Identify potential malware and determine if it was executed.
  • Event IDs:
    • 4688 (SecLog) – New process created (includes executable path)
    • System Event Log (look for Warning and Error events)
    • Application Event Log (look for Warning and Error events)
  • Investigative Notes:
    • Unless process tracking is being audited on the system (rare), the Security Event Log may not help much.
    • Search System and Application event logs looking for Warning and Error events from A/V or other security applications
    • Keep an eye out for crashed processes and reboots

Event Logs Analysis Scenario – Suspicious Services

  • Scenario: Analyze logs for suspicious services running at boot time
  • Review services started to stopped during time of a suspected hack
  • Event IDs:
    • 7034 – Service crashed unexpectedly
    • 7035 – Service sent a Start/Stop control
    • 7036 – Service started or stopped
    • 7040 – Start type changed (Boot | On Request | Disabled)
    • 7045 – A service was installed on the system (Win7/Server 2008 R2 and later)
    • 4697 – A service was installed on the system (from Security log)
  • Investigative Notes:
    • All Event IDs except 4697 reference the System Log
    • A large amount of malware and worms utilize Services
    • Services that start at boot are a common persistence mechanism, which is why they are so attractive to malware
    • Service crash due to attacks like process injection

Event Logs Analysis Scenario – Application Installation

  • Scenario: Review logs to identify evil or unauthorized software installations
  • Track uninstalled software for dangerous apps previously present
  • Identify failed installation attempts
  • Relevant Event IDs:
    • 1033 – Installation completed (with success/failure status)
    • 1034 – Application removal completed (with success/failure status)
    • 11707 – Installation completed successfully
    • 11708 – Installation operation failed
    • 11724 – Application removal completed successfully
  • Investigative Notes:
    • All Event IDs reference the Application Log
      • Look for event logged from the MSI Installer source
    • Events only logged when applications use Windows Installer API

Event Logs Analysis Scenario – Time Manipulation

  • Scenario: Find evidence of time changes accomplished by user accounts
  • Event IDs:
    • 1 – Kernel-General (System Log)
    • 4616 – System time was changed (Security log)
  • Investigative Notes:
    • New in Win8: System log events include user account information
    • Security State Change Auditing must be enabled to log time changes into the Security log

Event Logs Analysis Scenario – Tracking BYOD and External Devices

  • Scenario: Determine if and when hardware devices have been installed on the system
  • Event IDs:
    • 20001 – Plug and Play driver install attempted (System Log)
    • 4663 – Attempt to access removable storage object (Security Log)
    • 4656 – Failure to access removable storage object (Security Log)
  • Applies to Plug and Play devices such as USB and FireWire (IEEE 1394)
  • Investigative Notes:
    • System log identifies device type and serial number but only shows first time a device has been plugged in.
    • Security log can identify every time a device is accessed (Win8/2012 only)

Event Logs Analysis Scenario – Wireless Network Geolocation

  • Scenario: Determine what wireless the networks the system associated with and identify network characteristics to find location.
  • Event IDs:
    • 11000 – Wireless network association started (Vista and later)
    • 8001 – Successful connection to wireless network (Vista and later)
    • 8002 – Failed connection to wireless network (Vista and later)
  • Investigative Notes:
    • New custom log introduced with Vista and Server 2008 – Microsoft-Windows-WLAN-AutoConfig/Operational
    • Contains SSID and BSSID (MAC address of the access point), which can be used to geolocate the access point (no BSSID in Win8)
    • Shows historical record of wireless network connections

Event Logs Analysis Scenario – Event Log Clearing

  • Scenario: Determine if Event Logs have been modified
  • Event IDs:
    • 1102 – Audit log cleared
  • Investigative Notes:
    • Administrator rights are required to clear logs
    • No built-in mechanism for selective deletion of events
    • After log is cleared, a 1102 event is placed in log

 

Section 5

Browser Analysis

Common questions and the location of their forensic artifacts:

  1. What websites did the user visit? (History, Cache, Cookies, Recovery Folders, Suggested Sites)
  2. How many times was a site visited? (History)
  3. When was the site visited? (History, Cookies, Cache, Recovery Folders)
  4. What websites were saved by the user? (Bookmarks)
  5. Were any files downloaded? (Download Folder, Cache)
  6. Can we identify any usernames? (Cookies, Cache, Auto-Complete, Recovery Folders)
  7. What was the user searching for? (Auto-Complete, Cache)

 

Browser Forensics – Internet Explorer

IE Auto-Complete – “What was the user typing?”

  • Address bar history – Typed URLs Registry key
    • NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs
  • Records the last 50 addresses in IE10+
  • Auto-Complete includes:
    • Browsing History
    • Favorites
    • Suggested Sites
    • Form Data

 

Browser Forensics – Firefox

In Windows 7, History – Cookies – Bookmarks – Auto Complete are located here:

  • %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<random-name>.default

(this is the content that should roam with the user from machine to machine, hence the Roaming profile folder)

In Windows 7, Cache is located here:

  • %USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\<random-name>.default\Cache

(due to larger file sizes, you want cache to stay “local”)

The most important Firefox database files are:

  • places.sqlite | History – Bookmarks – Auto-Complete
  • downloads.sqlite | Download History
  • formhistory.sqlite | Auto-Complete form data
  • cookies.sqlite | Cookies
  • signons.sqlite | Stored usernames and passwords
  • webappsstore.sqlite | HTML5 web storage
  • extensions.sqlite | Firefox add-ons

(cache is the only major artifact not stored in sqlite)

(firefox maintains more history info than IE)

(Cookies often contain username information)

Investigation questions and where to look within places.sqlite (columns are in moz_places unless marked *):

  • What was the complete URL that was visited? | url
  • What was the title of the page visited? | title
  • When was the site first visited? | visit_date* (MIN over the page’s visits)
  • When was the site last visited? | visit_date* (MAX over the page’s visits; also last_visit_date in moz_places)
  • How many visits were made to the site? | visit_count
  • Was the URL typed by the user? | typed
  • Was the page retrieved w/o any user actions? | hidden
  • What page led the user to this one? | from_visit*
  • How did the user request the page? | visit_type*

(* these columns live in moz_historyvisits, one row per visit, joined to moz_places on place_id; visit_date is microseconds since 1970-01-01 UTC)

What the “visit_type” field in moz_historyvisits means (“typed” in moz_places is only a 0/1 flag):

  • 1 | User followed a link and the page was loaded
  • 2 | User typed the URL to get to the page (with or without auto-complete)
  • 3 | User followed a bookmark to the page
  • 4 | Indicates some inner content was loaded such as images and frames
  • 5 | Page accessed due to a permanent redirect (HTTP 301 status code)
  • 6 | Page accessed due to a temporary redirect (HTTP 302 status code)
  • 7 | File indicated by history was downloaded (non-HTML content)
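An added Python example (mine, not from the course) that builds a small in-memory places.sqlite with the columns listed above, then reconstructs the browsing sequence with the two joins an examiner actually needs: moz_historyvisits to moz_places for the URL, and from_visit back to the referring visit. The schema is a subset of the real one and every row is constructed; the PRTime conversion (microseconds since the Unix epoch) is the real encoding.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed",
               5: "redirect_permanent", 6: "redirect_temporary", 7: "download"}
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def prtime_to_utc(us):
    """places.sqlite stores visit_date / last_visit_date as PRTime: microseconds since 1970-01-01 UTC."""
    return UNIX_EPOCH + timedelta(microseconds=us)


# Subset of the real places.sqlite schema, enough for the queries below (constructed)
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER DEFAULT 0,
                         hidden INTEGER DEFAULT 0, typed INTEGER DEFAULT 0, last_visit_date INTEGER);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER DEFAULT 0, place_id INTEGER,
                                visit_date INTEGER, visit_type INTEGER);
"""

HISTORY_SQL = """
SELECT v.id, p.url, p.title, v.visit_date, v.visit_type, v.from_visit, rp.url AS referrer_url
FROM moz_historyvisits v
JOIN moz_places p ON p.id = v.place_id
LEFT JOIN moz_historyvisits rv ON rv.id = v.from_visit
LEFT JOIN moz_places rp ON rp.id = rv.place_id
ORDER BY v.visit_date
"""

PER_SITE_SQL = """
SELECT p.url, p.visit_count, p.typed, p.hidden, MIN(v.visit_date), MAX(v.visit_date)
FROM moz_places p JOIN moz_historyvisits v ON v.place_id = p.id
GROUP BY p.id ORDER BY p.id
"""


def load_sample(conn):
    """Constructed browsing session: typed visit, a click, a 302 redirect, then a bookmark visit."""
    t0 = (datetime(2013, 6, 12, 13, 0, tzinfo=timezone.utc) - UNIX_EPOCH) // timedelta(microseconds=1)
    sec = 1_000_000
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?,?,?)", [
        (1, "http://example.com/", "Example", 2, 0, 1, t0 + 60 * sec),
        (2, "http://example.com/login", "Login", 1, 0, 0, t0 + 30 * sec),
        (3, "http://example.com/dashboard", "Dashboard", 1, 0, 0, t0 + 31 * sec),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (1, 0, 1, t0, 2),               # typed
        (2, 1, 2, t0 + 30 * sec, 1),    # link clicked from visit 1
        (3, 2, 3, t0 + 31 * sec, 6),    # 302 from the login page
        (4, 0, 1, t0 + 60 * sec, 3),    # bookmark
    ])


def reconstruct_history(conn):
    return [{"visit_id": r[0], "url": r[1], "title": r[2], "when": prtime_to_utc(r[3]),
             "how": VISIT_TYPES.get(r[4], "unknown(%s)" % r[4]), "from_visit": r[5], "referrer": r[6]}
            for r in conn.execute(HISTORY_SQL)]


def per_site_summary(conn):
    return [{"url": r[0], "visit_count": r[1], "typed": bool(r[2]), "hidden": bool(r[3]),
             "first": prtime_to_utc(r[4]), "last": prtime_to_utc(r[5])}
            for r in conn.execute(PER_SITE_SQL)]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    load_sample(conn)
    return reconstruct_history(conn), per_site_summary(conn)


if __name__ == "__main__":
    history, sites = demo()
    for h in history:
        print(h["when"], h["how"], h["url"], "<-", h["referrer"])
    for s in sites:
        print(s)
```

Against a real profile, replace the in-memory connection with `sqlite3.connect("file:places.sqlite?mode=ro", uri=True)` on a copy of the file (Firefox holds a lock on the live one) and the two queries run unchanged.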

Firefox Cookie Analysis (Google Analytics cookies, useful on any browser):

  • __utma Cookie = Unique Visitor Cookie
  • __utmz Cookie = Campaign Cookie (expires 6 months after last visit)
  • __utmb Cookie = Session or Visit Cookie

Browser Forensics – Chrome

Chrome first released December 11, 2008

Originally used the WebKit layout engine (also used by Safari); Chrome 28 and later use Blink, a WebKit fork.

Artifacts are stored in:

  • SQLite (a majority of artifacts)
  • JSON
  • SNSS (session restore files)

Chrome History Artifacts – Investigating Sites Visited

  • Top Sites/ Segments – Track usage for “Most Visited Feature”
  • History – 3 months of site visits, downloads, auto-complete, segments
  • History Index – Full text index of visited pages kept in 30 day increments (only up to v30)
  • Archived History – History older than ~3 months

Chrome History Artifacts – Page Transition Types (why/how a site was visited)

  • 0 | Link, User clicked a link
  • 1 | Typed, Typed in a URL bar (same as IE Typed URLs)
  • 2 | Auto_Bookmark, via a suggestion in the Chrome UI
  • 3 | Auto_Subframe, content loaded in a non-top level frame (advertisement)
  • 4 | Manual_Subframe, content loaded in a non-top level frame
  • 5 | Omnibar Generated, suggested based on user typing but user did NOT see URL
  • 6 | Start_Page, Home page of a tab
  • 7 | Form_Submit, User filled out information in a form and submitted
  • 8 | Reload, Page Refreshed
  • 9 | Keyword, Keyword typed to identify site (i.e. “Wired” <tab>)
  • 10 | Keyword Generated, The actual URL generated (and visited) as a result of keyword.
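The page-transition values above are only the low byte of Chrome's 32-bit `transition` column; the upper bits carry qualifiers (redirect chain start/end, server redirect, back/forward, address-bar origin) that are what let you tell a user-requested URL from one the server bounced them to. This added Python example (mine, not from the course) decodes both parts against a constructed in-memory History database, and walks `from_visit` back to the chain start. The `urls`/`visits` columns are a subset of the real schema, the rows are made up, and the WebKit timestamp encoding (microseconds since 1601-01-01 UTC) is the real one.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

CORE_MASK = 0xFF
CORE_TYPES = {0: "link", 1: "typed", 2: "auto_bookmark", 3: "auto_subframe", 4: "manual_subframe",
              5: "generated", 6: "start_page", 7: "form_submit", 8: "reload", 9: "keyword",
              10: "keyword_generated"}
# Qualifier bits OR'ed into the same transition value (not part of the list in the notes above)
QUALIFIERS = {0x01000000: "forward_back", 0x02000000: "from_address_bar", 0x04000000: "home_page",
              0x10000000: "chain_start", 0x20000000: "chain_end", 0x40000000: "client_redirect",
              0x80000000: "server_redirect"}


def webkit_to_utc(us):
    """Chrome stores times as microseconds since 1601-01-01 UTC (FILETIME / 10), not the Unix epoch."""
    return EPOCH_1601 + timedelta(microseconds=us)


def decode_transition(value):
    core = value & CORE_MASK
    return {"core": CORE_TYPES.get(core, "unknown(%d)" % core),
            "qualifiers": [name for bit, name in sorted(QUALIFIERS.items()) if value & bit]}


# Subset of Chrome's History schema (constructed for this example)
SCHEMA = """
CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER DEFAULT 0,
                   typed_count INTEGER DEFAULT 0, last_visit_time INTEGER, hidden INTEGER DEFAULT 0);
CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER, from_visit INTEGER DEFAULT 0,
                     transition INTEGER, segment_id INTEGER DEFAULT 0, visit_duration INTEGER DEFAULT 0);
"""


def load_sample(conn):
    """Constructed: typed visit, a click on a link, and the server redirecting that link to https."""
    t0 = (datetime(2013, 6, 12, 13, 0, tzinfo=timezone.utc) - EPOCH_1601) // timedelta(microseconds=1)
    sec = 1_000_000
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "http://example.com/", "Example", 1, 1, t0, 0),
        (2, "http://example.com/login", "Login", 1, 0, t0 + 5 * sec, 0),
        (3, "https://example.com/login", "Login", 1, 0, t0 + 5 * sec + 200_000, 0),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?,?)", [
        (1, 1, t0, 0, 0x30000001, 0, 0),                       # typed | chain_start | chain_end
        (2, 2, t0 + 5 * sec, 1, 0x10000000, 0, 0),             # link from visit 1 | chain_start
        (3, 3, t0 + 5 * sec + 200_000, 2, 0xA0000000, 0, 0),   # link | server_redirect | chain_end
    ])


def visits_with_chains(conn):
    rows = conn.execute("""SELECT v.id, u.url, v.visit_time, v.transition, v.from_visit
                           FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time""").fetchall()
    by_id = {r[0]: r for r in rows}
    out = []
    for vid, url, when, transition, from_visit in rows:
        t = decode_transition(transition)
        # Walk from_visit back until a chain_start to recover the URL the user actually requested
        origin = vid
        while ("chain_start" not in decode_transition(by_id[origin][3])["qualifiers"]
               and by_id[origin][4] in by_id):
            origin = by_id[origin][4]
        out.append({"visit_id": vid, "url": url, "when": webkit_to_utc(when), "core": t["core"],
                    "qualifiers": t["qualifiers"], "from_visit": from_visit,
                    "chain_origin_url": by_id[origin][1]})
    return out


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    load_sample(conn)
    return visits_with_chains(conn)


if __name__ == "__main__":
    for v in demo():
        print(v["when"], v["core"], v["qualifiers"], v["url"], "origin:", v["chain_origin_url"])
```

The third row is the case that matters in practice: its core type is a plain "link", but the `server_redirect` and `chain_end` bits show the https URL was never requested by the user, and the chain walk attributes it back to the http login link that was.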

 

Chrome Browser Review – Browser | Chrome Filename | Format

  • Internet History | History, Top Sites, Archived History | SQLite
  • Cache File | data_#, f_##### | N/A
  • Cookies/Web Storage | Cookies/Local Storage Folder | SQLite
  • Bookmarks | Bookmarks, Bookmarks.bak | JSON
  • Download History | History | SQLite
  • Auto-Complete/Form History | History, Web Data, Network Action Predictor | SQLite
  • Session Recovery | Current Session, Current Tabs, Last Session, Last Tabs | SNSS

 

Section 6

Knowledge Bits and Windows 10 Specifics

WPDNSE stands for Windows Portable Device Namespace Extension; it is located at C:\Users\<username>\AppData\Local\Temp\WPDNSE.

Windows 10 Specifics

 

Windows 8 / IE10 and newer store browser history, cache and cookie metadata in the ESE database WebCacheV01.dat under %LocalAppData%\Microsoft\Windows\WebCache (the version number in the filename varies between builds).

Windows creates a memory dump (.dmp) file when it crashes (MEMORY.DMP, or a minidump under %SystemRoot%\Minidump).

In Windows 7 and 10 a thumbs.db file will be generated any time a directory is browsed to with a UNC path.