
High Level System Analysis To Get Answers Fast*
*For Windows… and not Memory Forensics
Actionable DFIR

Author: Chad Graham
E-mail: Chad@cg-isecurity.com
@CG-iSecurity
LinkedIn: https://www.linkedin.com/in/chadgraham1224
What will we talk about?

DFIR Intro
• What is it?
Kill Chain / MITRE ATT&CK
Categories of Artifacts
• Account Usage, Browser Usage, File Download, File/Folder Opening, Program Execution, Deleted Files, USB Devices, Services & Tasks, PowerShell
Timelines
• $MFT
• PLASO/Super TimeLine
Hints, Tips & Tricks
DFIR Intro: What is DFIR?
Digital Forensics & Incident Response

• DFIR stands for Digital Forensics and Incident Response
• Understanding how an attack took place by piecing together artifacts left behind on the system like a puzzle. Sometimes there are too many pieces, sometimes a few of the pieces are missing.

Good luck!
Cyber Kill Chain / MITRE ATT&CK
• To understand what we are looking for on a system, it helps to understand how attacks work.
• https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
• https://attack.mitre.org/
Categories of Artifacts

Account Usage – Successful/Failed Logons, Logon Types, RDP Usage
Browser Usage – History, Cookies, Cache, Flash & Super Cookies
File Download – Open/Save MRU, Browser Artifacts, Downloads
File/Folder Opening – Open/Save MRU, Recent Files, Shell Bags, LNK Files, Jump Lists, Prefetch
Program Execution – UserAssist, Last-Visited MRU, Run MRU, AppCompatCache, Amcache, Jump Lists, Prefetch
Deleted Files – Recycle.bin
USB Devices – USBStor, PnP Events, LNK Files
Services & Tasks – Service Events, Scheduled Tasks events, .job Files
Evidence of PowerShell Code Execution

So, where do we find all of this stuff?
• In order to examine these artifacts, we need to gather some items from the system:
• Event Logs Folder
• Registry Hives – SYSTEM, SECURITY, SOFTWARE, APPLICATION, NTUSER.DAT, USRCLASS.DAT
• Amcache.hve file
• Prefetch Folder
• %UserProfile%\AppData Folders
• SetupAPI.dev.log File
• $Recycle.bin File
• $MFT File
• C:\Windows\System32\Tasks Folder
Who’s been logging in, or at least trying to?
• SECURITY Event Logs!
• Successful Logon –
• 4624 = Account Logon
• 4672 = Admin Rights Assigned to User
• 4648 = Logon using explicit credentials (RunAs command)
• Failed Logon –
• 4625 = Failed Logon
• Logon Types –
• Type 2 – Console (Hands on keyboard in front of screen)
• Type 3 – Network Logon (Connections from remote computers)
• Type 10 – Remote Interactive Logon (Remote Desktop)
Remote Desktop Connections
• TerminalServices-RemoteConnectionManager Log – Event ID 1149
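A triage pass over the logon event IDs listed above, as an added example that is not part of the deck: the records are constructed stand-ins for parsed SECURITY events plus one TerminalServices 1149 (the field names id, user, type, src, ts and all values are this example's own), and the two functions count logons per account by type and surface runs of failed logons that end in a success.

```python
from collections import defaultdict

# Constructed sample records (not real log data) shaped like parsed SECURITY events plus one
# TerminalServices 1149; the field names (id, user, type, src, ts) are this example's own.
EVENTS = [
    {"id": 4625, "user": "svc_backup", "type": 3, "src": "10.0.0.7", "ts": "2023-03-01T02:10:01"},
    {"id": 4625, "user": "svc_backup", "type": 3, "src": "10.0.0.7", "ts": "2023-03-01T02:10:03"},
    {"id": 4625, "user": "svc_backup", "type": 3, "src": "10.0.0.7", "ts": "2023-03-01T02:10:05"},
    {"id": 4624, "user": "svc_backup", "type": 3, "src": "10.0.0.7", "ts": "2023-03-01T02:10:09"},
    {"id": 4672, "user": "svc_backup", "type": None, "src": "-", "ts": "2023-03-01T02:10:09"},
    {"id": 1149, "user": "svc_backup", "type": None, "src": "10.0.0.7", "ts": "2023-03-01T02:11:30"},
    {"id": 4624, "user": "svc_backup", "type": 10, "src": "10.0.0.7", "ts": "2023-03-01T02:11:31"},
    {"id": 4624, "user": "jdoe", "type": 2, "src": "-", "ts": "2023-03-01T08:00:00"},
    {"id": 4648, "user": "jdoe", "type": None, "src": "-", "ts": "2023-03-01T08:05:00"},
]

LOGON_TYPES = {2: "console", 3: "network", 10: "remote-interactive (RDP)"}

def summarize(events):
    """Per-account counts: 4624 by logon type, 4625 failures, 4672 admin-rights
    grants, 4648 explicit-credential (RunAs) logons and 1149 RDP connections."""
    out = defaultdict(lambda: {"ok": defaultdict(int), "failed": 0, "admin": 0, "runas": 0, "rdp_1149": 0})
    for e in events:
        acct = out[e["user"]]
        if e["id"] == 4624:
            acct["ok"][LOGON_TYPES.get(e["type"], f"type {e['type']}")] += 1
        elif e["id"] == 4625:
            acct["failed"] += 1
        elif e["id"] == 4672:
            acct["admin"] += 1
        elif e["id"] == 4648:
            acct["runas"] += 1
        elif e["id"] == 1149:
            acct["rdp_1149"] += 1
    return out

def failed_then_success(events, threshold=3):
    """(user, source, time) wherever `threshold` or more consecutive 4625s from one
    source are followed by a 4624 for the same account: review these first."""
    streak, hits = defaultdict(int), []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["src"])
        if e["id"] == 4625:
            streak[key] += 1
        elif e["id"] == 4624:
            if streak[key] >= threshold:
                hits.append((e["user"], e["src"], e["ts"]))
            streak[key] = 0
    return hits
```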
Browser Usage

• History
• IE10, 11, Edge – %UserProfile%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
• Firefox – %UserProfile%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\places.sqlite
• Chrome – %UserProfile%\AppData\Local\Google\Chrome\User Data\Default\History

• Cookies
• IE11 – %UserProfile%\AppData\Local\Microsoft\Windows\INetCookies
• Edge – %UserProfile%\AppData\Local\Packages\Microsoft.microsoftedge_<AppID>\AC\MicrosoftEdge\Cookies
• Firefox – %UserProfile%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\cookies.sqlite
• Chrome – %UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Local Storage\

• Cache
• IE11 – %UserProfile%\AppData\Local\Microsoft\Windows\INetCache\IE
• Edge – %UserProfile%\AppData\Local\Packages\Microsoft.microsoftedge_<AppID>\AC\MicrosoftEdge\Cache
• Firefox – %UserProfile%\AppData\Local\Mozilla\Firefox\Profiles\<randomtext>.default\Cache
• Chrome – %UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Cache

• Flash & Super Cookies
• Local Stored Objects (LSOs) or Flash Cookies are stored when a visited website uses Flash. These cookies do not expire, and rarely get cleared
%APPDATA%\Roaming\Macromedia\FlashPlayer\#SharedObjects\<randomprofileid>
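Added example, not from the deck: reading the Chrome History and Firefox places.sqlite databases named above and converting their different timestamp epochs, which is where most "the visit time is off by 369 years" mistakes come from (Chrome counts microseconds from 1601-01-01 UTC, Firefox from 1970-01-01 UTC). The in-memory tables are constructed stand-ins carrying only the columns queried; the table and column names are the browsers' own.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(us):
    """Chrome's History DB stores last_visit_time as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def utc_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def firefox_to_utc(us):
    """Firefox places.sqlite stores last_visit_date as microseconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc)

def chrome_history(con):
    """(utc time, url, title, visit_count), newest first, from Chrome's urls table."""
    q = "SELECT url, title, visit_count, last_visit_time FROM urls ORDER BY last_visit_time DESC"
    return [(webkit_to_utc(t).isoformat(), u, ti, n) for u, ti, n, t in con.execute(q)]

def firefox_history(con):
    """Same view from Firefox's moz_places table."""
    q = ("SELECT url, title, visit_count, last_visit_date FROM moz_places "
         "WHERE last_visit_date IS NOT NULL ORDER BY last_visit_date DESC")
    return [(firefox_to_utc(t).isoformat(), u, ti, n) for u, ti, n, t in con.execute(q)]

def sample_dbs():
    """Constructed in-memory stand-ins for History and places.sqlite carrying only the
    columns queried above (the real files have many more tables and columns)."""
    visit = datetime(2023, 3, 1, 8, 6, tzinfo=timezone.utc)
    chrome = sqlite3.connect(":memory:")
    chrome.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                   "visit_count INTEGER, last_visit_time INTEGER)")
    chrome.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", [
        (1, "https://example.invalid/invoice.zip", "invoice", 1, utc_to_webkit(visit)),
        (2, "https://example.invalid/", "home", 5, utc_to_webkit(visit - timedelta(hours=1))),
    ])
    firefox = sqlite3.connect(":memory:")
    firefox.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                    "visit_count INTEGER, last_visit_date INTEGER)")
    firefox.execute("INSERT INTO moz_places VALUES (1, 'https://example.invalid/login', 'login', 2, ?)",
                    (int(visit.timestamp() * 1_000_000),))
    return chrome, firefox
```

To run it against a real profile, open the copied History or places.sqlite file with sqlite3.connect instead of the sample connections.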
File Download

Open/Save Most Recently Used History
• Open/Save MRU (Most Recently Used)
• NTUSER.DAT Registry Hive
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Downloads
• IE10-11 – %UserProfile%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
• Firefox – %UserProfile%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\downloads.sqlite
File and/or Folder Opening

Recent Files
• Open/Save MRU
• Recent Files
• NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
• Shell Bags
• Explorer Access
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
• Desktop Access
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
• LNK Files
• %UserProfile%\AppData\Roaming\Microsoft\Windows\Recent
• Jump Lists
• %UserProfile%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
• Prefetch
• C:\Windows\Prefetch
Program Execution
• UserAssist
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
• Last-Visited MRU / Run MRU
• AppCompatCache
• SYSTEM Registry Hive
SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
• Amcache
• C:\Windows\AppCompat\Programs\Amcache.hve
• Jump Lists
• Prefetch

Deleted Files
• $Recycle.bin file
• %ROOT%\$Recycle.bin
USB Devices
• USBStor
SYSTEM\CurrentControlSet\Enum\USBSTOR
SYSTEM\CurrentControlSet\Enum\USB
• PnP Events
• SYSTEM Event Log
• Event ID 20001 – Plug and Play driver install attempted
• LNK Files

Services & Tasks
• Services
• Event Logs
SYSTEM Event Logs – Event IDs 7034, 7035, 7036, 7040
• Registry
SYSTEM\CurrentControlSet\Services
• Scheduled Tasks
• Event Logs
SECURITY Event Logs – Event ID 4698, 4702
• Tasks .xml Config Files
• %ROOT%\Windows\SYSTEM32\Tasks


Evidence of PowerShell Code Execution
• Event Logs
• Microsoft-Windows-PowerShell-Operational
Event IDs 4104-4106
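Added example, not from the deck: long script blocks are written to the Operational log as several 4104 events that share a ScriptBlockId and carry MessageNumber/MessageTotal, so before reading one you have to stitch the fragments back together. The records below are constructed stand-ins (the EventData field names are the real ones, the ids, text and path are made up), and the marker list is this example's own coarse set of hints for deciding which blocks to read first.

```python
import re
from collections import defaultdict

# Constructed sample 4104 records (not from a real incident). A script block that
# exceeds one event's payload is logged as several 4104 events sharing a
# ScriptBlockId, with MessageNumber / MessageTotal giving the fragment order.
EVENTS_4104 = [
    {"ScriptBlockId": "B1", "MessageNumber": 2, "MessageTotal": 2, "Path": "",
     "ScriptBlockText": "ate'); $d | Out-Host"},
    {"ScriptBlockId": "B1", "MessageNumber": 1, "MessageTotal": 2, "Path": "",
     "ScriptBlockText": "$d = &('Get'+'-D'+'"},
    {"ScriptBlockId": "B2", "MessageNumber": 1, "MessageTotal": 1, "Path": "C:\\ops\\inv.ps1",
     "ScriptBlockText": "Get-ChildItem C:\\Temp | Measure-Object"},
]

# Cheap textual markers that show up in obfuscated blocks; each one found is one hit.
MARKERS = {
    "backtick": re.compile(r"`"),
    "string-concat": re.compile(r"'[^']*'\s*\+\s*'"),
    "char-cast": re.compile(r"\[char\]", re.I),
    "format-op": re.compile(r"\)\s*-f\s", re.I),
    "join": re.compile(r"-join\b", re.I),
    "base64": re.compile(r"FromBase64String", re.I),
    "invoke-string": re.compile(r"&\s*\("),
}

def reassemble(events):
    """{ScriptBlockId: full text} for blocks whose fragments are all present."""
    parts = defaultdict(dict)
    for e in events:
        parts[e["ScriptBlockId"]][e["MessageNumber"]] = e
    full = {}
    for sbid, frags in parts.items():
        total = next(iter(frags.values()))["MessageTotal"]
        if set(frags) != set(range(1, total + 1)):
            continue  # a fragment was lost (log rolled over): do not guess the gap
        full[sbid] = "".join(frags[i]["ScriptBlockText"] for i in range(1, total + 1))
    return full

def indicators(text):
    """Names of the markers present in a block, sorted for stable comparison."""
    return sorted(name for name, rx in MARKERS.items() if rx.search(text))

def triage(events):
    """(ScriptBlockId, indicators, no_script_file) per complete block, most hits first.
    An empty Path means the block did not come from a .ps1 on disk."""
    paths = {e["ScriptBlockId"]: e["Path"] for e in events}
    rows = [(sbid, indicators(txt), paths[sbid] == "") for sbid, txt in reassemble(events).items()]
    return sorted(rows, key=lambda r: -len(r[1]))
```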
Cool Example of Obfuscated Code
• This was found during an incident that was investigated this year. This is one of hundreds of script blocks that ran on several machines we investigated.
TIMELINES!
• $MFT Timeline – Quick and shows file activity on disk
• Super TimeLine – Long process but shows all activity on a computer system, not just what happened on disk
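The two timeline styles above, as an added example that is not part of the deck: constructed $MFT and event-log records (the paths, times and messages are made up) become rows, an $MFT-only timeline is just the first source on its own, merging in the event-log rows gives the super-timeline view, and a pivot window pulls out the minutes around a time of interest. The MACB flags follow the plaso convention.

```python
from datetime import datetime

# Constructed sample artifacts (not case data). MFT records carry the four
# $STANDARD_INFORMATION timestamps; EVTX records come from already-parsed logs.
MFT = [
    {"path": "C:\\Users\\jdoe\\Downloads\\invoice.zip", "created": "2023-03-01T08:06:10",
     "modified": "2023-03-01T08:06:12", "accessed": "2023-03-01T08:06:30", "entry": "2023-03-01T08:06:12"},
    {"path": "C:\\Windows\\Prefetch\\INVOICE.EXE-1A2B3C4D.pf", "created": "2023-03-01T08:06:35",
     "modified": "2023-03-01T08:06:35", "accessed": "2023-03-01T08:06:35", "entry": "2023-03-01T08:06:35"},
]
EVTX = [
    {"ts": "2023-03-01T08:05:00", "log": "Security", "id": 4648, "msg": "explicit credentials: jdoe -> admin"},
    {"ts": "2023-03-01T08:06:40", "log": "Microsoft-Windows-PowerShell/Operational", "id": 4104, "msg": "script block B1"},
    {"ts": "2023-03-01T08:07:00", "log": "System", "id": 7036, "msg": "service state change"},
]

def mft_rows(records):
    """One row per distinct timestamp of a file, with plaso-style MACB flags
    (M=modified, A=accessed, C=MFT entry changed, B=born/created)."""
    rows = []
    for r in records:
        by_time = {}
        for flag, key in (("M", "modified"), ("A", "accessed"), ("C", "entry"), ("B", "created")):
            by_time.setdefault(r[key], set()).add(flag)
        for ts, flags in by_time.items():
            rows.append((ts, "MFT", "".join(f if f in flags else "." for f in "MACB"), r["path"]))
    return rows

def evtx_rows(records):
    """Event-log rows in the same (time, source, tag, description) shape."""
    return [(e["ts"], "EVTX:" + e["log"], str(e["id"]), e["msg"]) for e in records]

def super_timeline(*sources):
    """Merge rows from any number of sources into one time-ordered list."""
    return sorted((row for src in sources for row in src), key=lambda r: (r[0], r[1]))

def around(timeline, pivot, seconds=60):
    """Rows within +/- seconds of a pivot time: the slice to read first."""
    p = datetime.fromisoformat(pivot)
    return [r for r in timeline if abs((datetime.fromisoformat(r[0]) - p).total_seconds()) <= seconds]
```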
Hints, Tips and Tricks
