DFIR - Week 2 - Part 1

COMP SCI 355
Operating Systems Essential (Windows)
Professor Dr. Yan Chen & Jibran Ilyas

Windows Operating System (NTFS)
2
Windows Operating System Forensics
Key Concept: Understand NTFS File System

NTFS stands for New Technology File System,
which is used on popular Windows Platforms we use
Critical NTFS features important for forensics are as

follows:
USN Journal
Alternate Data Streams
Volume Shadow Copy
Master File Table
USN Journal
USNJ (Update Sequence Number
Journal) is basically a Change
Journal which holds the record of
changes made to a hard drive
volume.
It starts off with an 0kb file, but
when changes are made to the
volume, this file gets updated. Each
record is identified by an Update
Sequence Number and contains the
USN, the name of the file, and
information about what the change
was.
Alternate Data Streams

An alternate data stream (ADS) is
a feature of NTFS that contains
information for locating another file.
Alternate streams can’t be seen in
Windows Explorer, and their size is
not included in the file's size. When
you copy or transfer this file, ADS
data is not accounted for.
Malware uses ADS to hide its code
on a particular volume.
Volume Shadow Copy

Volume Shadow Copy Service (VSS) is
one of the most utilized feature of Windows
for Digital Forensics as it keeps a backup
version of files and folders when change
occurs. It moves the backup files to a
“Shadow” location. This feature is utilized
by users to recover an earlier version of
the file and in forensics, it is an extremely
critical artifact to understand the changes
to the file system.
Master File Table (MFT)
The Master File Table (MFT) is a database which accounts for all files and directories in an NTFS.
Every file and directory has at least one record on an NTFS Volume.
Time Stomping can be detected by analyzing MFT (File Name Attribute vs Standard Attribute)
8
$SI Time Stomping

• Attacker executes “dropper.exe”, which creates backdoor DLL
“rector.dll”
Name $SI Created $SI Modified $SI Accessed $SI Entry Modified
rector.dll 2014-04-06 12:00:00 2014-04-06 12:00:00 2014-04-06 12:00:00 2017-05-12 08:04:51
$FN Created $FN Modified $FN Accessed $FN Entry Modified
2017-05-12 08:04:51 2017-05-12 08:04:51 2017-05-12 08:04:51 2017-05-12 08:04:51
• “dropper.exe” also modifies $SI timestamps to match those of legit

system file
• $FN Created timestamp remains intact, represents “true” creation date
for “rector.dll”
Windows Operating System (Windows Artifacts)
9
Windows Registry
• Windows Registry Hives is basically Windows’ Database
that contains extremely critical data for Digital Forensics.
The following Hives are utilized often for forensics
NTUSER.DAT (Tracks Activities of a particular User) Goldmine of Information e.g

SAM (Local User Account Information)
• Shutdown Time of OS
SECURITY (Has Audit Policy Information) • Software Installed
SYSTEM (Program Execution Information) • USB Devices Mounted
SOFTWARE (Windows Services Information) • Recently Used Documents
• Most Recently Used Applications
• Typed URLs
*In Class DEMO
*Deep dive on Windows Registry in Week 7
11
Registry
• Windows configuration database
– System wide settings
– User settings
– Security database
• Organized into “hive files” on disk
• Loaded in memory
• Must be parsed into human-readable output
Forensic Artifacts in the Registry
System Configuration
Computer Name Joined Domain Info
Timezone Network Shares
OS Version Users, SIDS, Groups
Network and Firewall Mounted Devices
Configuration
Audit Configuration Application Compatibility Cache
Installed Programs USB Devices
12
Forensic Artifacts in the Registry
User-Specific Data AutoRuns
Mapped Drives / Network Windows Services
Volumes
Frequently Used Programs Run / RunOnce Keys
Explorer Usage WinLogon Notifications
Application MRU Data Active Setup Installed
Components
Executed Programs AppInit DLLs
Typed URLs Shell Extensions
Opened Documents Browser Helper Objects
13
Anatomy of a Registry Key
Example: Run key
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: NotMalware
Value Data: C:\ProgramData\TotallyMalware\Evil.exe
14
Prefetch Files
When we run applications on Windows
Operating System, a Prefetch file is
created in C:\Windows\Prefetch folder
which contains information about the files
loaded by the application. This Prefetch
file is actually a feature of Windows to
optimize loading time of the application
so that the next load is faster for the user;
it has tremendous forensic value as
malware binaries’ Prefetch file can
contain lot of critical info such as source
location and other files utilized.
16
What Gets Logged?
Enhanced security Windows Error Software

Logon & logoff
auditing Reporting installation
User creation, Security & policy Anti-virus & HIPS User application
deletion, changes changes alerts events
Security Application
Driver loads &

Service start & stop
unloads
Network configuration
changes
System
17
Application/Service Logs
• OS sub-components – Operational
– AppLocker – Admin
– PowerShell – Debug
– Task Scheduler – Analytic
– Remote Desktop
– Microsoft Office
– Dozens more…
• Logging levels
18
Clearing Event Logs

 Event logs can be cleared various ways:
‒ Directly through Windows API
‒ Deleting EVTX files
‒ Custom Utilities
Super Timelines
All Windows Related Artifacts can be put in a single timeline to understand what happened
on the system at a given point in time. Open Source Timeline tools combine File System,
Registry, Event Logs, Prefetch Files, etc. to give a snapshot in time view of the system.
Windows Operating System (Volatile Data)
20
Volatile Data Basics

Built in Windows Commands can be used to collect a
wealth of forensic data on Windows Operating System.
This data is important as it is not available with Dead Disk
Forensics (offline image), therefore, this must be taken
before shutting down the operating system to collect as much
meaningful information about a Live System State as
possible
Examiner have to follow RFC 3227 for the order of
Volatility
https://tools.ietf.org/html/rfc3227
Usually this collection is scripted to comply with RFC 3227.
Provides fast access to relevant data. Some of this data is

hard to extract from a dead (offline) disk image.
Volatile Data – ARP

The Address Resolution Protocol (ARP) table contains the MAC addresses mapping with IP
addresses
Volatile Data – ROUTE

The Routing Table contains info about
Networks and how they can be reached
(either directly or through multiple hops).
Volatile Data – SYSTEM INFO

“SystemInfo.exe” Command on a
Windows System contains very valuable
information about an Operating System
e.g.
Processor Info
OS Install Date
Boot Time
Hotfix (Patches) Info
Timezone Info
Windows Domain Info
Network Card Info
Volatile Data – Scheduled Tasks Info

“Schtasks.exe” Command on a
Windows System gives an output of all
scheduled tasks on the system along
with the following info:
Task Name
Task Decription
Task Binary File Location
Frequency
Start Date
Last Run Time
Next Run Time
Windows Operating System (Live Analysis)
26
Live Analysis – Process Explorer
Process Explorer is basically Windows
Task Manager on Steroids. It gives a lot
of information on which processes are
running on the system its supplemental
information that is very useful when
analyzing the systems in a LIVE state.
Live Analysis – AutoRuns
Autoruns is an application that tells you all about the programs that are configured to start on
Operating System Bootup. Windows pulls this information from many sources like Startup Folder,
Windows Servers, Winlogon, etc.; Autoruns gives a Visual look on all startup programs.
Live Analysis – TCPView
Tcpview is basically the visual version of Netstat.exe command covered earlier. When analyzing
the systems in a LIVE state, this tool provides quick visual info on what applications are actively
communicating with the REMOTE hosts and how much data is being exchanged between the
target system and the REMOTE host.
Live Analysis – Process Monitor
Process Monitor is a tool that can take
a process of interest and stalk its
Registry, File System and Network
Activity to give you a 360 degree view of
its operations.
End of Week 2 – Part 1 Slides

DFIR - Week 2 - Part 1

Uploaded by

Copyright:

Available Formats

DFIR - Week 2 - Part 1

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DFIR - Week 2 - Part 1

Uploaded by

Copyright:

Available Formats

COMP SCI 355

Operating Systems Essential (Windows)

Professor Dr. Yan Chen & Jibran Ilyas

Key Concept: Understand NTFS File System

Critical NTFS features important for forensics are as

Alternate Data Streams

Volume Shadow Copy

Master File Table (MFT)

$SI Time Stomping

• “dropper.exe” also modifies $SI timestamps to match those of legit

NTUSER.DAT (Tracks Activities of a particular User) Goldmine of Information e.g

What Gets Logged?

Enhanced security Windows Error Software

Driver loads &

Clearing Event Logs

Volatile Data Basics

Provides fast access to relevant data. Some of this data is

Volatile Data – ARP

Volatile Data – ROUTE

Volatile Data – SYSTEM INFO

Volatile Data – Scheduled Tasks Info

You might also like