Friday, July 20, 2018

Daily Blog #427: Bitlocker Experiments Part 1

Hello Reader,
          In a prior Sunday Funday regarding Bitlocker drives and Windows upgrades I extended my ask a bit too far in what I put into the challenge and justifiably received no submissions. I haven't stopped looking into the question though of how does Windows temporarily disable Bitlocker to allow the machine to boot for an upgrade and how can we as examiners take advantage of it.

In my research into this I've learned about the 'clearkey' which I've heard of before. The 'clearkey' means that the key to decrypt the bitlocker volume is left in plaintext within the volume. This allows for the bitlocker volume to be present and allows the user to in the future, if they so choose, to protect the volume with a password and recovery key. It appears as though some Surface computers come with this mode on when shipped.

However that did not answer my question about upgrades, as the drive isn't being re-encrypted in the upgrade process. It turns out there is an option to temporarily set an existing image into 'clearkey' mode. To do this you would execute the following command in an administrative command prompt

manage-bde -protectors -disable c:

Here is a screenshot of it successfully running

Checking the status of the drive with the command

manage-bde -status

I see the following

 Notice it has left the protection off for 1 reboot by default, just enough for an update to complete.

I'm going to encrypt a vhd next week and do some testing to see how the tools recognize this. When I'm back in the office in a week (still in Abu Dhabi!) I'll let one my machines upgrade and see if 'cleartext' mode is in fact enabled on my Bitlocker drives allowing me to decrypt them!

Wednesday, July 18, 2018

Daily Blog #426: Directory Copy and Paste Artifacts in Windows 10

Hello Reader,
              I've talked about this in the Forensic Lunch and I think showed it once in a Test Kitchen but I don't think I've written about it in the blog. After reading the ongoing discussion on Twitter about the need to document beyond tweets and videos, you should read Brett Shavers post here , led me to understand that I need to put it in the blog as well to make it more accessible long term. In my mind I've already shown and shared this but I can't expect that everyone has watched and memorized the 100+ episodes of the Forensic Lunch.

So new as of at least Windows 10 (this needs to be tested on Windows 7 and Windows 8) there is a now a jumplist that is capturing the full path of every directory that is copy and pasted. For those of you doing external device investigations that means we have a data source that will show us what data our suspects have been copying and pasting onto external drives ... but only if what they are copying and pasting is a directory. Individual files being copy and pasted does not appear to be tracked, just directories.

You will want to look into the Jumplist with Appid f01b4d95cf55d32a and within it you find an entry for every directory that has been pasted. You will not get the source location but rather the destination which in my mind is more useful. The MRU date associated and the creation time of the directory will show you when as well.  

Daily Blog #425: How I Use It: Userassist

Hello Reader,
             I'm currently teaching in Abu Dhabi and hanging out with my family at night which means I'm not investing the time to do the next level of MAPI testing I need to do. Instead after the warm reception yesterdays post received I thought I would follow it up with a new series I will add to over time called ' How I Use It'.

Often times we talk about artifacts and evidence sources and how to interpret them, in fact there are so many that most people often forget what they know about them. What we don't often talk about is how we as examiners use that data within their casework to make conclusions or points.

So in this first post in this series of how I use different artifacts I want to talk about the Userassist key. This isn't a new key, it's been around since I first saw it in 2002 and wrote about it in the first Hacking Exposed Computer Forensics book in 2004 but people seem to overlook its usefulness.

Userassist records those programs that a user has executed from the GUI, that I would hope is well known at this point. I've posted about it once in 2013 ( and even earlierin 2009 ( both times I didn't really go into detail of what I use it for.

So here are my main analysis points from reviewing this artifacts:

1. What kinds of programs is my suspect executing?

It's difficult to judge the technical proficiency of a suspect from the statements of the people who knew them as their frame of reference in judging their technical abilities is usually focused around how well they use Excel or Outlook. So rather than letting their statements of their abilities to be 'master hackers'  I like to see what kinds of GUI programs they've been executing.

Is it just Office, Outlook and IE?  Or are they loading regedit, going into the command prompt and looking into different system mmc's.  The difference in what they are executing helps me judge the types of artifacts I should expect to find and how closely I need to inspect the dates and artifacts the system is showing me.

In addition I can look for evidence of encryption tools (Veracrypt/Truecrypt), wipers (eraser/bcwipe) and even anti forensics tools (Ccleaner, everyone's favorite). All from one helpful key that will even tell me how many times they've executed it.

2. How far back does the Userassist go? Is it complete?

The Userassist key starts populating data when your first profile is first created and you've logged in for the first time. That means that the history of programs within the key should go back as far as the user profile creation. If there is a gap, especially if it is a large gap, you could be seeing evidence of anti forensics. Start looking for what happened immediately before the gap began to see what could have cleared the data.

Also remember that deleted registry keys, just like deleted files, are not gone just because we delete them. So make sure to use a tool that will show you any potential deleted userassist keys or values. tools like Registry Explorer, YARU and others can expose this data to you while exploring the keys.

3. What email clients is my suspect using?

I'm often looking for my suspects email archives. Rather than guessing what Email client they are using (yes some people don't use Outlook) I can just go to the Userassist key to find out. Unless you have a very interesting suspect using a command line based email reader (pine in windows subsystem for linux?)  the rest are GUI based and should be recorded. If I find no email clients I need to look for what web mail services my suspect is using in their browser history.

4. What web browsers is my suspect using?

Lastly in my normal inspection of the Userassist I'm looking to understand what web browsers by suspect is using. It is not uncommon now for a suspect to be using 2, 3 or even 4 different web browsers on their system during one day. So I use this as a sanity check to make sure:

1. I'm looking for history from all of those browsers, its easy to miss one and focus on the others
2.  I need to make sure my forensic tools support the browser being used, I'm looking at you Maxthon, as its easy to miss a whole browser history cache because you didn't realize the limits of your tool.

So that's the first 4 questions I would answer when reviewing this key and I review this key early in my investigation along with other basic artifacts (execution history, file access and device usage) to start understanding what to expect from this system.

Tuesday, July 17, 2018

Daily Blog #424: The registry key so nice they named it twice, computername computername

Hello Reader,
               I enjoy teaching forensics as students always ask questions to make you figure out things you just take for granted. A good example of this was last month while in Amsterdam I had a student ask, hey why is the computername registry key in the System registry (located under System\\Control\ComputernName\CompuerName) under a registry key named computername. 

I've always made jokes about this key, see post title above, but never really took the time to understand why it was setup this way. A couple of google searches and some in class testing later I had my answer.

It turns out that when you change the name of your Windows computer in the control panel that a new key is added to the base computername key. This new key called ActiveComputerName contains the old name of the computer prior to you changing it while the new name you have given the computer is now stored in the ComputerName key.

Here is the ComputerName key after renaming the computer

Here is the old name of the computer, located in the ActiveComputerName key

Here is the new name of the computer in the ComputerName key

On reboot the activecomputername key is deleted and the new ComputerName key is kept.

So there you go, there is in fact a reason and a function for the duplication in the computername registry key. Every key, every decision has a story and understanding how it works and why will only make you a better examiner. 

Sunday, July 15, 2018

Daily Blog #423: Sunday Funday 7/15/18

Hello Reader,
          Windows 10 keeps on changing and with it new features come along that we care about and old features we were excited about disappear. Let's see if you can solve this missing artifacts mystery in this weeks Sunday Funday.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 7/20/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtfu
  6. Anonymous entries are allowed, please email them to Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post

The Challenge:
Cortana used to have a database that kept track of location information and other relevant DFIR data. As of a year ago the database has changed and the location data is nowhere to be found. For this weeks challenge please answer the following questions:
1. Where does Cortana keep it's data now
2. What data does Cortana retain now 
3. Is there any location history left from Cortana

Daily Blog #422 Solution Saturday 7/14/18

Hello Reader,
         Things are always changing in forensics and especially forensic analysis of cloud hosted systems. This weeks challenge involved Office 365 audit logs and while the contest was going this week Microsoft announced welcome changes that will be rolled out that will change both the question and this weeks answer. So congratulations to this weeks winner Adam Harrison .

The Challenge:
Explain in a compromise of a Office365 account what you could review in the following circumstances.

Scenario a: only default logging in a E3 plan

Scenario b: Full mailbox auditing turned on

You are attempting in both scenarios to understand the scope of the attackers access 

The Winning Answer from Adam Harrison:

The first point to note is that a compromise of Office 365 (while commonly referred to as Business Email Compromise (BEC)) is not necessarily limited to email accounts. Depending on how an organisation employs Office 365 they may host a wealth of information besides just email and attachments in O365, much of which could be valuable to an attacker. In the case of the in-scope E3 plan, each compromised user account could potentially expose:

Exchange — Email messages, attachments and Calendars (Mailbox size up to 100GB)
OneDrive — 1TB per user, unless increased by admins to up to 25TB.
SharePoint — Whatever sites that user has access to.
Skype — Messages, call and video call history data
Microsoft Teams — Messages, call and video call history data as well as data within integrated apps.
Yammer — Whatever it is people actually do on Yammer. Are you prepared for a full compromise of your organisation's memes, reaction gifs and cat pictures?

All of that before you concern yourself with the likelihood of credential reuse, passwords which may be stored within O365 (Within documents and emails) for other services, delegated access to other mailboxes and MDM functionality.

Specifically answering the two questions:

Scenario a: only default logging in a E3 plan

Below is a non-comprehensive list of evidence sources which may be available to an examiner to assist in understanding the scale/scope of an O365 compromise:

  • Unified Audit Log, via Audit Log Search in the Security & Compliance Centre and accessible using Search-UnifiedAuditLog' cmdlet. This will need to be enabled if not already enabled and will provide retrospective visibility if enabled after the fact.
  • Mailbox Content
  • Read Tracking 
  • Message Tracking Logs
  • Mailbox Rule information
  • Proxy Logs/ DNS Logs/ Endpoint AV Logs / SIEM
  • Office 365 Management Activity API
  • Azure Active Directory reports and Reporting Audit API (With Azure AD P1/P2)

Scenario b: Full mailbox auditing turned on

By default, Auditing is not enabled, nor are the more granular Mailbox Auditing and SharePoint Site Collection Audit options. However, if we assume that 'audit log search' has been enabled as well as the optional logging associated with enabling 'mailbox auditing' and that audit has been configured for all SharePoint site collections then the following additional evidence sources become available.

  • Unified Audit Log - but now with more detailed events recorded as a result of enabling 'mailbox auditing'. The 'Search-MailboxAuditLog' will now also be available.
  • SharePoint Audit log reports

It should be noted that simply enabling mailbox audit logging for all mailboxes is not enough to capture all useful events. By default, only the 'UpdateFolderPermissions' action is logged with additional events requiring configuration, these include Create, HardDelete, MailboxLogin, Move, MoveToDeletedltems, SoftDelete and Update events.

SharePoint audit logging is pretty granular and, in my experience, rarely enabled. However, if correctly configured a record of user actions including document access, modification and deletion actions can be generated.

These evidence sources, their usefulness and some suggested methodologies to leverage them are outlined in my recent blog post.

Friday, July 13, 2018

Daily Blog #421: Magical DFIR Beasts and where to find them

Hello Reader,
                  Good news, the Unicorn maybe dead but it turns out all of the issues that it raised is causing a major change from the Office 365 team. You can read the official announcement here: but here is the TLDR:

1. Mailbox auditing will now be turned on in full mode by default for all commercial tenants
2. If you already have mailbox auditing turned on it will continue to be on
3. They are going to add more audit flags to provide more granular access

This is great news and it should be on by default across your potential investigations by the end of year, but you could always just try to talk people into turning it on now!