Monday, October 15, 2018

Daily Blog #508: Forensic Lunch Test Kitchen 10/15/18

Hello Reader,
          Tonight Matt Seyer virtually joined me for another test kitchen! We decided to examine the ObjectID index to determine what is really happening when a file is deleted and its ObjectID index entry is deleted. Matt presented his theory, Dr. Sylve contributed what he knew and the rest was solved with testing, tsk utilities, and python scripts.

Here is what we learned:

  • The ObjectID Index is a B-Tree with pages of entries of ObjectIDs
  • The last ObjectID in a page is the one most likely to survive in the slack space if it is deleted
  • ObjectIDs anywhere else in the page have a high chance of being overwritten when the b-tree is balanced unless they got saved from a previous page swap
  • istat won't give you the full path to a file, but you can get there if you are persistent 
  • The $logfile contains every changed page until its overwritten
We also have some new theories to test tomorrow night regarding USN and $Logfile interaction with the ObjectID Index! We should be testing those tomorrow night.

You can watch the video here:

Sunday, October 14, 2018

Daily Blog #507: Sunday Funday 10/14/18

Hello Reader,
        The weeks have gone by quickly with nightly testing videos and weekly challenges. The schedule works well for me typically as weekend nights I have less time to do testing as I'm spending more time with my family. Let's see how you'll be spending your week with this weeks challenge.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 10/19/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post

The Challenge:
What artifacts of execution exist on a Windows Server 2008+ that do not exist on Windows 7+? In other words name any forensic artifacts that would show a program executed on a windows server os that you wouldn't find on a windows desktop os!

Saturday, October 13, 2018

Daily Blog #506: Solution Saturday 10/13/18

Hello Reader,
          This week no qualifying submissions, as a reminder this was the challenge:

The Challenge:
The TypedPaths key as we have seen recreates the key each time File Explorer exits. What other artifacts could we use to replace the data that we would have found there?

I'll have to address the answer in a blog post in the future, until then stay tuned for next week's challenge. 

Friday, October 12, 2018

Daily Blog #505: Forensic Lunch Test Kitchen 10/12/18

Hello Reader,
            A shorter test kitchen tonight, mainly because the answer came much quicker than I expected but only in part. Tonight we deleted files from the command line and the GUI to see what effect deleting them would have on the ObjectID Index found at /$Extend/$ObjID:$O. I used the updated $O parser from Matt Seyer found here:

Here is what we learned:

  • Deleting a file from the command line causes the ObjectID Index to delete the file entry
  • Deleting a file from the GUI causes the ObjectID Index to delete the file entry
  • That the deletion appears to clean and too quick, leading me to suspect that there is more going on here
On Monday I expect to resume this line of questioning with a hex editor (likely 010) and some offset tracking as we look to solve the mystery of the deleted ObjectID records. 

You can watch the video here:

Thursday, October 11, 2018

Daily Blog #504: Forensic Lunch Test Kitchen 10/11/18

Hello Reader,
          Tonight we had what I think is a very exciting broadcast of the Forensic Lunch. When discussing on twitter whether or not a ObjectID would be created when a file is accessed over a network share DR Joe Sylve (watch the video to see why i capitalized doctor) hypothesized that it would not, while I pontificated that it would. It turns out ... it does! We then extracted and encoded the local objectid database (/$extend/$objid:$o) and parsed it to find out which systems had which dad.

Here is what we learned:

  • Opening a file from a Windows 10 system on a Windows 7 file share creates an ObjectID that both systems can see
  • The ObjectID contains the volume id and mac address of the file server (the windows 7 system in my testing)
  • The ObjectID database on the Windows 7 system contains the objectid of the file accessed
  • The ObjectID database on the Windows 10 system does not contain the objectid of the file accessed
  • The windows 10 system will create a lnk file for the access
  • The windows 7 system does not create a lnk file for the file being accessed from it as a network share
  • Creating a file in Windows 10 in the GUI will trigger an ObjectID being created on a network share hosted by a Windows 7 system
You can watch the video here:

Wednesday, October 10, 2018

Daily Blog #503: Forensic Lunch Test Kitchen 10/10/18

Hello Reader,
        We had a long night in this session of the test kitchen. Mainly because I was trying to debug making changes to Maxim Suhanov's yarp-timeline script without an IDE to help me find my dumb mistakes. In the end though we were able to find and display all of the transition states within the transaction logs for the TypedPaths key and we showed an updated build of Registry Explorer that will now show deleted values!

Here is what we learned:

  • Python's error messages leave a lot to be desired when you don't have an IDE
  • The yarp-timeline script will print which keys are changing but not their values
  • That with some hacky code modifications we can show the values that were changing in each transaction log entry
  • That all of the changes we made were in fact in the registry transaction logs, but we are not sure how long they will stay. Maxim estimates one hour. 
  • That the newest build of Registry Explorer we tested will show deleted values!
You can watch the video here:

Tuesday, October 9, 2018

Daily Blog #502: Forensic Lunch Test Kitchen 10/9/18

Hello Reader,
           Another night of testing on the test kitchen! This evening we revisited the TypedPath key and registry transaction logs as Maxim Suhanov pointed out I did not wait a full 60 seconds, instead I just let the clock roll over to the next minute. The timing is important as transaction logs are written to 60 seconds after the change occurred and I assumed that was every 60 seconds not 60 seconds since change. To rectify this error I made a timer in Windows 10 for 90 seconds to make sure between each action I left enough time for the system to record the change.

The only real variable left now is that I'm doing this in a VM, when this is all done I'll do it on the host OS as well to make sure there are no differences.

Here is what we learned:

  • The TypedPaths key is not being deleted and recreated, the individual keys appear to be overwritten
  • Looking into the slack space of the registry value for the entries you can see the end of the prior TypedPaths entry if it was longer than the replaced value
  • If a typedpaths entry (url(some number)) isn't present in the key that is overwriting it, then the left over values are deleted
  • The deleted values can be recovered and seen in yarp
  • The overwritten values cannot be seen in yarp even though it was my assumption the transaction logs would contain them
I'll be uploading the registry hives to the GitHub page tomorrow.

You can watch the video here: