In past posts we looked at routers and the security aspects of their applications. Continuing that series, today we begin our journey into Windows. Let's start from scratch.
What is an operating system:
In layman's terms it is just a bridge between the hardware and the software of a computer, or it acts like a translator does in the real world. Since the era of operating systems began we have used various operating systems for various purposes. The Windows operating system is a low-end or consumer-based operating system with features aimed at end users.
Why we need forensics on Windows:
In the growing corporate world, as part of incident response we need forensics, or we need to dig a little deeper into the forensics of Windows.

Before digging further technically, I recommend, as per SANS, using a jump bag which should have the following tools:
- Documenting the who, what, where, why, and how during an incident in an Incident Handler's Journal
- A contact list of incident response team members
- USB drives
- A bootable USB drive or Live CD with up-to-date anti-malware and other software that can read and/or write to the file systems of your computing environment (and test this, please)
- A laptop with forensic software (e.g. FTK or EnCase)
- Anti-malware utilities
- Computer and network toolkits to add/remove components, wire network cables, etc., and hard drive duplicators with write-block capabilities to create forensically sound copies of hard drive images
File Systems / Partitions
Supported file systems: NTFS, FAT32, exFAT
Default partition structure:
- “Windows” – core OS (NTFS)
- “Recovery” (NTFS)
- “Reserved”
- “System” – UEFI (FAT32)
- “Recovery Image” (NTFS)
Registry Hives
- Registry hive format has not changed
Can be examined with numerous tools
(e.g. RegistryBrowser, RegistryViewer, X-Ways Forensics, etc.)
- Location of important registry hives:
\Users\user_name\NTUSER.DAT
\Windows\System32\config\DEFAULT
\Windows\System32\config\SAM
\Windows\System32\config\SECURITY
\Windows\System32\config\SOFTWARE
\Windows\System32\config\SYSTEM
Event Logs
- EVTX log format has not changed
Can be examined with numerous tools
(e.g. X-Ways Forensics, etc.)
- Location of EVTX logs:
\Windows\System32\winevt\Logs\
Event Logs – Windows Store
\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx
\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
Prefetch
\Windows\Prefetch\
Shellbags
- NTUSER.dat
\SOFTWARE\Microsoft\Windows\Shell\Bags\
- UsrClass.dat
LNK Shortcuts
- LNK format has not changed
Can be examined with numerous tools
(e.g. X-Ways Forensics, etc.)
- Useful fields:
Hostname
MAC Address
Volume ID
Owner SID
MAC Times
Thumbcache
- Location of Thumbcache files:
\Users\user_name\AppData\Local\Microsoft\Windows\Explorer\
Recycle Bin
- Recycle Bin artefacts have not changed
$I
Still provides original file name, path, size and deletion time
$R
Original file content
Volume Shadow Copies
- vssadmin tool still provides a list of current VSCs

Windows Indexing Service
- The Windows indexing service is an evidentiary gold mine
Potentially stores emails and other binary items
Great as a dictionary list for password cracking
- Stored in an .EDB file
Can be interpreted by EseDbViewer, ESEDatabaseView or X-Ways Forensics
If there was a “dirty” dismount, esentutl.exe must be used first
- In Windows 10 stored in the following directory:
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
Cortana
- Windows 10 features “Cortana”, a personal assistant, which expands upon the unified search platform introduced in Windows 8
Search encompasses local files, Windows Store & online content
Can set reminders
Can initiate contact (e.g. write emails)
- Cortana Databases (EDBs):
\Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\AppData\Indexed DB\IndexedDB.edb
\Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\ESEDatabase_CortanaCoreInstance\CortanaCireDb.dat
Interesting Tables:
LocationTriggers
Latitude/Longitude and Name of place results
Geofences
Latitude/Longitude for where location based reminders are triggered
Reminders
Creation and completion time (UNIX numeric value)
- The following files contain a list of contacts synched from email accounts:
\Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\Contacts_xxxxx.cfg
\Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\Contacts_xxxxx.cfg.txt
Notification Centre
- The following database contains a list of notifications:
\Users\user_name\AppData\Local\Microsoft\Windows\Notifications\appdb.dat
Toast notifications are stored in embedded XML
Picture Password
- “Picture Password” is an alternate login method where gestures on top of a picture are used as a password
- This registry key details the path to the location of the “Picture Password” file:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\PicturePassword\user_GUID
- Path of locally stored Picture Password file:
C:\ProgramData\Microsoft\Windows\SystemData\user_GUID\ReadOnly\PicturePassword\background.png
Applications
- Applications (Apps) that utilise the Metro (Modern) UI are treated differently to programs that work in desktop mode
- Apps are installed in the following directory:
\Program Files\WindowsApps\
- Settings and configuration DBs are located in following directories:
\Users\user_name\AppData\Local\Packages\package_name\LocalState\
Two DB formats:
SQLite DBs (.SQL)
Jet DBs (.EDB)
Windows Store
- Apps are purchased/installed via the Windows Store
- During the Insider Preview there was a Beta Store which contained Windows 10-compatible Apps (e.g. Microsoft Office Apps)
- Registry key of installed applications:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\
- List of deleted applications:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deleted\
Edge Browser
- New web browser and rendering engine (Spartan)
- As with IE10, records are no longer stored in Index.DAT files; they are stored in an EDB
- Edge settings are stored in the following file:
\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxx\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\xxxxx\DBStore\spartan.edb
- Edge cache stored in the following directory:
\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\#!001\MicrosoftEdge\Cache\
- Last active browsing session stored:
\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active\
Browser History Records
- Edge (and IE) history records stored in the following database:
\Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
- This is actually an .EDB file
- Can be interpreted by EseDbViewer or ESEDatabaseView
- Might be a “dirty” dismount, in which case esentutl.exe must be used first
- Database also stores Cookies
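Added example, not from the original post, serving both the Windows Indexing Service section and the WebCache section above: before loading Windows.edb or WebCacheV01.dat into an ESE viewer, read the file header to see whether it was dirty-dismounted. The offsets follow the documented ESE database header layout; the sample headers are constructed inline rather than taken from a real database.

```python
import struct

ESE_SIGNATURE = 0x89ABCDEF
ESE_STATES = {
    1: "Just Created",
    2: "Dirty Shutdown",
    3: "Clean Shutdown",
    4: "Being Converted",
    5: "Force Detach",
}
HEADER_LEN = 240  # enough to reach the page-size field at offset 236

def ese_header_info(header: bytes) -> dict:
    """Decode the ESE file header fields that decide how the file can be opened.

    Header layout (little-endian): signature 0x89ABCDEF at offset 4, format
    version at 8, file type at 12 (0 = database), database state at 52,
    page size at 236. Any state other than 3 (Clean Shutdown) means the
    transaction logs must be replayed first (esentutl /r, or esentutl /p to
    repair when the logs are missing) or a viewer will refuse the file or
    show stale data.
    """
    if len(header) < HEADER_LEN:
        raise ValueError(f"need at least {HEADER_LEN} header bytes")
    signature, fmt_version, file_type = struct.unpack_from("<III", header, 4)
    if signature != ESE_SIGNATURE:
        raise ValueError("not an ESE database: bad signature")
    (state,) = struct.unpack_from("<I", header, 52)
    (page_size,) = struct.unpack_from("<I", header, 236)
    return {
        "format_version": fmt_version,
        "file_type": file_type,
        "state": state,
        "state_name": ESE_STATES.get(state, f"unknown ({state})"),
        "page_size": page_size,
        "needs_recovery": state != 3,
    }

def check_file(path: str) -> dict:
    """Read only the header of a (possibly multi-GB) ESE file on disk."""
    with open(path, "rb") as fh:
        return ese_header_info(fh.read(HEADER_LEN))

def build_sample_header(state: int, page_size: int = 32768) -> bytes:
    """Construct a minimal ESE header for testing (not a real database)."""
    header = bytearray(HEADER_LEN)
    struct.pack_into("<III", header, 4, ESE_SIGNATURE, 0x620, 0)
    struct.pack_into("<I", header, 52, state)
    struct.pack_into("<I", header, 236, page_size)
    return bytes(header)

if __name__ == "__main__":
    for label, state in (("constructed dirty copy", 2), ("constructed clean copy", 3)):
        info = ese_header_info(build_sample_header(state))
        print(f"{label}: {info['state_name']}, page size {info['page_size']}, "
              f"recovery needed: {info['needs_recovery']}")
```

Run check_file against a copy of the artefact, never the original, since esentutl recovery rewrites the database in place.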
Internet Explorer (legacy)
- Internet cache stored in this directory:
\Users\user_name\AppData\Local\Microsoft\Windows\INetCache\
- Internet Cookies stored in this directory:
\Users\user_name\AppData\Local\Microsoft\Windows\INetCookies\
Email (Mail application)
- Bodies of emails are stored in TXT or HTML format
Can be analysed by a number of tools
Stored in the following directory:
\Users\user_name\AppData\Local\Comms\Unistore\data\
- Metadata of emails are stored in the following DB (EDB format):
\Users\user_name\AppData\Local\Comms\UnistoreDB\store.vol
- Attachments
- Email header
- Contact information
Unified Communication
- Unified Communication (UC) is a built-in Microsoft application that brings together all of the following social media platforms (by default):
Appears to be scaled back from Windows 8.x (less integrated than the previous People App)
- UC settings are stored in the following DB:
\Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps…\LocalState\livecomm.edb
Interesting Tables:
- Account
SourceID
List of accounts (e.g. WL = Windows Live, Skype, TWITR, LI = LinkedIn)
DomainTag
Username for each account
- Contact
List of synched contacts across all account platforms
- Event
Calendar entries (including birthdays of contacts if synched to Windows Live) and locations
- MeContact
Further details about owner accounts
- Person and PersonLink
Further details about each contact including what account they link back to (e.g. Skype)
- Locally cached contact entries are stored in this directory:
\Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps_xxxxx\LocalState\Indexed\LiveComm\xxxxx\xxxxx\People\AddressBook\
- Contact photos are stored in this directory (JPGs):
\Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps_xxxx\LocalState\LiveComm\xxxx\xxxx\UserTiles\
Twitter App
- History DB located in the following file:
\Users\user_name\AppData\Local\Packages\xxxx.Twitter_xxxxxxx\LocalState\twitter_user_id\twitter.sqlite
- SQLite3 format DB
11 Tables in DB
Relevant tables:
- messages – holds tweets & DMs
- search_queries – holds searches conducted in Twitter app by user
- statuses – lists latest tweets from accounts being followed
- users – lists user account and accounts being followed by user
- Settings located in file:
\Users\user_name\AppData\Local\Packages\xxxxx.Twitter_xxxx\Settings\settings.dat
- Includes user name (@xxxxx)
- Details on profile picture URL
- Twitter ID number
Skype App (legacy)
- The Skype App was discontinued with Windows 10
Windows 10 prompts you to download the desktop Skype application
OneDrive App
- Built in by default; the API allows all programs to save files in OneDrive
- List of Synced items located in file:
\Users\user_name\AppData\Local\Microsoft\Windows\OneDrive\settings\xxxxxxxx.dat
- Locally cached items are stored in directory:
\Users\user_name\OneDrive\
Microsoft Office Apps
- With the release of the Windows Insider program Microsoft introduced the Office Mobile Apps
If you have a valid Office 365 account then you can edit and create documents
Otherwise these Apps are read-only
Word App
- List of recent documents stored in the following file (XML):
\Users\user_name\AppData\Local\Packages\Microsoft.Office.Word_xxxx\LocalState\AppData\Local\Office\16.0\MruServiceCache\xxxx_LiveId\Excel\Documents_en-AU
- Cached files stored in this directory:
\Users\user_name\AppData\Local\Packages\Microsoft.Office.Word_xxxx\LocalState\OfficeFileCache\
- Files stored with an .FSD extension; the document data is actually embedded inside
- Can be manually carved from FSD file
Excel App
- List of recent documents stored in the following file (XML):
\Users\user_name\AppData\Local\Packages\Microsoft.Office.Excel_xxxx\LocalState\AppData\Local\Office\16.0\MruServiceCache\xxxx_LiveId\Excel\Documents_en-AU
- Cached files stored in this directory:
\Users\user_name\AppData\Local\Packages\Microsoft.Office.Excel_xxxx\LocalState\OfficeFileCache\
- Files stored with an .FSD extension; the document data is actually embedded inside
- Can be manually carved from the FSD file
PowerPoint App
- List of recent documents stored in the following file (XML):
\Users\user_name\AppData\Local\Packages\Microsoft.Office.PowerPoint_xxxx\LocalState\AppData\Local\Office\16.0\MruServiceCache\xxxx_LiveId\Excel\Documents_en-AU
- Cached files stored in this directory:
\Users\user_name\AppData\Local\Packages\Microsoft.Office.PowerPoint_xxxx\LocalState\OfficeFileCache\
- Files stored with an .FSD extension; the document data is actually embedded inside
- Can be manually carved from the FSD file
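Added example (not the author's code) for the "manually carved" step noted under the Word, Excel and PowerPoint caches above: locate complete OOXML packages (ZIP containers) embedded in an FSD blob by walking the ZIP end-of-central-directory records, which give exact archive boundaries instead of a guess from the first PK signature. The FSD-like blob is constructed inline; real FSD files may wrap the document differently, so treat the surrounding bytes as unknown.

```python
import io
import struct
import zipfile

LOCAL_HEADER = b"PK\x03\x04"
EOCD = b"PK\x05\x06"  # end-of-central-directory record: 22 bytes plus comment
OOXML_MARKERS = {
    "word/document.xml": "docx",
    "xl/workbook.xml": "xlsx",
    "ppt/presentation.xml": "pptx",
}

def classify(archive: bytes):
    """Return docx/xlsx/pptx if the bytes are a valid OOXML package, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            names = set(zf.namelist())
            if zf.testzip() is not None or "[Content_Types].xml" not in names:
                return None
            for marker, kind in OOXML_MARKERS.items():
                if marker in names:
                    return kind
    except zipfile.BadZipFile:
        return None
    return None

def carve_ooxml(blob: bytes) -> list:
    """Find every complete ZIP archive inside blob and keep those that are OOXML.

    The EOCD record stores the central directory size (offset 12) and its
    offset from the archive start (offset 16), so archive start and end are
    computed exactly. ZIP64 archives (0xFFFFFFFF placeholders) are not handled.
    """
    found = []
    pos = blob.find(EOCD)
    while pos != -1:
        if pos + 22 <= len(blob):
            cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", blob, pos + 12)
            start = pos - cd_size - cd_offset
            end = pos + 22 + comment_len
            if start >= 0 and end <= len(blob) and blob[start:start + 4] == LOCAL_HEADER:
                archive = blob[start:end]
                kind = classify(archive)
                if kind:
                    found.append({"offset": start, "size": len(archive),
                                  "kind": kind, "data": archive})
        pos = blob.find(EOCD, pos + 1)
    return found

def build_sample_fsd() -> bytes:
    """Construct an FSD-like blob: junk, one embedded .docx, more junk (not a real FSD)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>Quarterly numbers</w:document>")
    return b"FSD-CONSTRUCTED-HEADER" + b"\x00" * 64 + buf.getvalue() + b"\xff" * 100

SAMPLE_FSD = build_sample_fsd()

if __name__ == "__main__":
    for doc in carve_ooxml(SAMPLE_FSD):
        print(f"{doc['kind']} at offset {doc['offset']}, {doc['size']} bytes")
```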
OneNote App
- Cached files stored in this directory:
\Users\user_name\AppData\Local\Packages\Microsoft.Office.OneNote_xxxx\LocalState\AppData\Local\OneNote\16.0\
- Files stored as xxxx.bin extension
Encoded binary files
Embedded graphics such as PNG or JPG
Maps App
- Recent places stored in this file (XML):
\Users\user_name\AppData\Local\Packages\Microsoft.WindowsMaps_xxxx\LocalState\Graph\xxxx\Me\00000000.ttl
Latitude/Longitude
Dates modified (searched)
Memory Acquisition
- WinPMEM (tested versions 1.6.2 & 2.0.1):
Run as Administrator
Has to extract driver to local temp location
V1.6.2 running process ~10MB
V2.0.1 running process ~80MB
- FTK Imager:
Run as Administrator
Running process ~15MB
Live Disk Acquisition
- FTK Imager
Can be used for Physical or Logical acquisition
- X-Ways Forensics
Can be used for Physical or Logical acquisition
Sources:
Presentation
FTK Imager
Nirsoft ESEDatabaseView
RegistryBrowser
WinPMEM
External references you can additionally refer to:
https://digital-forensics.sans.org/media/Poster_Windows_Forensics_2017_WEB.pdf
https://github.com/cugu/awesome-forensics