Thursday, August 30, 2018

Daily Blog #468: Jessica Hyde on Rally Security

Hello Reader,
       If you want to understand how people outside of our DFIR space see and understand us, even those with a technical infosec background, check out Jessica Hyde's appearance on Rally Security. It was a great reminder of what something we are all so deep in looks like from the outside. I think putting yourself into others' perspectives helps you explain things and educate others on what we do.

You can watch it here:
https://www.twitch.tv/videos/303079856

Wednesday, August 29, 2018

Daily Blog #467: Forensic Lunch Test Kitchen 8/29/18

Hello Reader,
        I've had a string of test kitchens this week all revolving around ObjectIDs. Today I extended and tested Ken Pryor's findings from his blog (https://digiforensics.blogspot.com/2018/08/life-update-little-object-id-research.html) regarding how ObjectIDs are retained on copy and paste versus cut and paste between two NTFS volumes. I did my testing in Windows 7 and validated what Ken had found in his post.

In addition we did some testing with:

  • ObjectIDs and FAT file systems
  • Do directories get ObjectIDs in Windows 7?
  • Does Privazer or CCleaner get rid of ObjectIDs?
  • Why do we care about ObjectIDs so much?

You can watch the broadcast here:

Tuesday, August 28, 2018

Daily Blog #466: Forensic Lunch Test Kitchen 8/28/18

Hello Reader,
            Another Test Kitchen has been recorded. If you want to catch these live I can't promise any particular broadcast time as I do these when I have time, but if you subscribe to my Youtube channel (https://www.youtube.com/user/LearnForensics) you will get notifications whenever I do go live.

This Test Kitchen I did more experimentation with the creation of ObjectIDs when saving files from browsers to the Downloads directory with surprising results! It turns out that:

  • Saving a text file in Chrome to the downloads directory will create an ObjectID and a LNK file even without opening the file
  • Saving a text file in Firefox to the Downloads directory will create a LNK file but will not populate the ObjectID attribute. 
  • Saving executable files in both browsers will create Zone.Identifier alternative data streams as Phill Moore researched prior but will not create ObjectIDs or LNK files. 

Want to see and learn more? Watch the video below:

Monday, August 27, 2018

Daily Blog #465: Coming to London

Hello Reader,
        In the UK or Europe? In three weeks, on September 17, 2018, I'll be teaching SANS FOR500 Windows Forensics with Lee Whitfield. If you've read the blog, played the CTFs, done the challenges and watched the Forensic Lunch, it's time to come fill in the gaps. In class Lee and I will be going beyond the books to explain how and why things work and what you can rely on.

Interested?
You can find out more here:
https://www.sans.org/event/london-september-2018/course/windows-forensic-analysis

Sunday, August 26, 2018

Daily Blog #464: Sunday Funday 8/26/18

Hello Reader,
    I've been looking into ObjectIDs quite a bit lately so why not open up the fun to all of you and let's see what a crowdsourced effort can produce. This week will see the intersection of programming and analysis in what should be a good learning challenge for many of you.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 8/31/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
Write a python script that can determine which files on a Windows 10 system have ObjectIDs. 

Daily Blog #463: Solution Saturday 8/25/18

Hello Reader,
      This week's submissions missed the mark: I got some submissions about LNK file security vulnerabilities but none addressing limitations on how they are created. So it sounds like a good topic for future test kitchens and a new challenge tomorrow.

Saturday, August 25, 2018

Daily Blog #462: ObjectIDs and intrusion triage

Hello Reader,
         I was thinking more about yesterday's test kitchen in regards to ObjectID creation on Windows 10. To summarize the point: if a file gets created in the GUI in Windows 10 it creates a shell item (lnk, jumplist, recent doc, etc...) as well as gets an ObjectID. It occurred to me that just as we have trained examiners to look for Zone.Identifiers for evidence of files downloaded, we could use the absence of an ObjectID on a Windows 10 file to find those files that were either not created within the GUI or created in one of the special exclusion directories (outlook temp, internet temp, etc..).

With this in mind we could quickly triage through and in an intrusion scenario eliminate all the files that a user created through the GUI, then eliminate the system files through hash comparison leaving us with just a smaller set of files whose hashes aren't known and were not created by the user. This along with a comparison of the execution artifacts could lead to some pretty fast triage for possible malicious executables.

I'm going to see next week about writing a python script to do this, expect a Sunday Funday challenge related to this.
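As an added example for the triage idea above (and for the Sunday Funday challenge asking for a script that finds files with ObjectIDs), here is a parser that walks raw NTFS $MFT records and reports which in-use files carry a $OBJECT_ID attribute. It is not the blog's own script. It assumes a raw $MFT extracted with any forensic tool (1024-byte FILE records, 512-byte sectors); the records used by demo() are constructed in code so it runs offline, and build_record()/resident_attr() exist only to produce that test data.

```python
"""Walk raw NTFS $MFT records and report which files carry a $OBJECT_ID attribute."""
import struct
import uuid

ATTR_FILE_NAME = 0x30
ATTR_OBJECT_ID = 0x40
ATTR_END = 0xFFFFFFFF
RECORD_SIZE = 1024
SECTOR_SIZE = 512
HEADER_SIZE = 0x38  # FILE record header length on Windows 7 and later


def apply_fixups(record: bytes) -> bytes:
    """Undo the update sequence array so the last 2 bytes of each sector hold real data again."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if buf[end - 2:end] != usn:
            raise ValueError("update sequence mismatch: torn or non-FILE record")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def iter_attributes(record: bytes):
    """Yield (type, resident content or None) for each attribute of a fixed-up record."""
    off = struct.unpack_from("<H", record, 20)[0]
    while off + 8 <= len(record):
        attr_type, attr_len = struct.unpack_from("<II", record, off)
        if attr_type == ATTR_END or attr_len == 0:
            break
        content = None
        if record[off + 8] == 0:  # resident: content size and offset follow the common header
            size, content_off = struct.unpack_from("<IH", record, off + 16)
            content = record[off + content_off:off + content_off + size]
        yield attr_type, content
        off += attr_len


def parse_record(record: bytes):
    """Return (name, ObjectId UUID or None) for an in-use FILE record, else None."""
    if record[:4] != b"FILE" or not struct.unpack_from("<H", record, 22)[0] & 0x0001:
        return None
    record = apply_fixups(record)
    name = object_id = None
    for attr_type, content in iter_attributes(record):
        if attr_type == ATTR_FILE_NAME and content:
            name_len, namespace = content[64], content[65]
            candidate = content[66:66 + 2 * name_len].decode("utf-16-le")
            if name is None or namespace != 2:  # prefer the long name over a DOS 8.3 name
                name = candidate
        elif attr_type == ATTR_OBJECT_ID and content and len(content) >= 16:
            object_id = uuid.UUID(bytes_le=content[:16])  # first GUID is the ObjectId itself
    return name, object_id


def triage(mft: bytes) -> dict:
    """Map every in-use file name to its ObjectID string, or None when the attribute is absent."""
    found = {}
    for pos in range(0, len(mft) - RECORD_SIZE + 1, RECORD_SIZE):
        parsed = parse_record(mft[pos:pos + RECORD_SIZE])
        if parsed and parsed[0]:
            found[parsed[0]] = str(parsed[1]) if parsed[1] else None
    return found


def resident_attr(attr_type: int, content: bytes) -> bytes:
    """Test helper: resident attribute, 24-byte header plus content padded to 8 bytes."""
    length = (24 + len(content) + 7) // 8 * 8
    hdr = struct.pack("<IIBBHHHIHBB", attr_type, length, 0, 0, 24, 0, 0, len(content), 24, 0, 0)
    return hdr + content.ljust(length - 24, b"\x00")


def build_record(name: str, object_id=None) -> bytes:
    """Test helper: constructed 1024-byte FILE record with on-disk style fixups applied."""
    fn = bytearray(66) + name.encode("utf-16-le")
    fn[64], fn[65] = len(name), 1  # name length, namespace 1 = Win32
    attrs = resident_attr(ATTR_FILE_NAME, bytes(fn))
    if object_id is not None:
        attrs += resident_attr(ATTR_OBJECT_ID, object_id.bytes_le)
    attrs += struct.pack("<I", ATTR_END) + b"\x00" * 4
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)  # USA at 0x30: USN plus one entry per sector
    struct.pack_into("<HHII", rec, 20, HEADER_SIZE, 1, HEADER_SIZE + len(attrs), RECORD_SIZE)
    rec[HEADER_SIZE:HEADER_SIZE + len(attrs)] = attrs
    usn = b"\x07\x00"
    rec[0x30:0x32] = usn
    for i in (1, 2):  # stash each sector's last word in the USA and stamp the USN over it
        end = i * SECTOR_SIZE
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


def demo() -> dict:
    """Constructed $MFT of two records: one GUI-created file with an ObjectID, one without."""
    gui_created = build_record("report.docx", uuid.UUID("12345678-1234-5678-1234-567812345678"))
    dropped = build_record("unknown_tool.exe")
    return triage(gui_created + dropped)
```

Point triage() at the bytes of a real $MFT and the None entries are the candidate set the post describes: files that never got an ObjectID, ready to be whittled down further by known-hash comparison and execution artifacts. On a live Windows box the same question for a single file is answered by `fsutil objectid query <path>`, which is handy for spot-checking what the parser reports.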

Friday, August 24, 2018

Daily Blog #461: Forensic Lunch Test Kitchen 8/23/18

Hello Reader,
               Another day, another Test Kitchen! Sometimes it's easier just to stream out to Youtube a test rather than document and screenshot all of the steps so I did that again tonight. This evening I decided to test if ObjectIDs would be created for files that were created but not opened on Windows 7 and Windows 10.

If you wanted to watch one of these live, make sure to subscribe to the Youtube channel and receive notifications for random dings of forensic testing.

You can watch the video here:

Wednesday, August 22, 2018

Daily Blog #460: Test Kitchen 8/22/18

Hello Reader,
           If you were a subscriber to my YouTube channel you would have seen a notification that I was live tonight. Tonight I decided to do a Test Kitchen broadcast to test the behavior of jumplists in Windows 7 vs Windows 10 to see if any of the new jumplist behavior we have observed in Windows 10 was actually there all along.

If you watch the below video you can see me test whether or not Jumplist entries got created for:

  • Creating a file
  • Creating a directory
  • Opening a directory
  • Opening a file
  • Copy and pasting a directory
  • Renaming a directory
As well as some lnk file testing at the end to see how lnk files were created for opening a file in different directories. 

Watch the video below!



Tuesday, August 21, 2018

Daily Blog #459: Building a testing lab on a budget

Hello Reader,
       I know many of you have work or home labs where you do test things, research things and overall use different virtual environments. What many people don't know though is that you can get a hold of almost all of the VMware software you need like:

  • VMWare Workstation
  • VMWare Fusion
  • VCenter
  • VSphere ESXi Enterprise
  • VSan
For $200 you can join the VMUG (VMware User Group) Advantage program, which will get you access to the Eval Experience, which gets you 365 days of licensing for the above VMware software and much more. This has let me really get some of my testing accelerated at a much lower cost and I'm looking forward to using the clustered ESXi license as well as VSAN to set up larger research environments.


You'll have to set up an account at VMUG and usually wait a day to get the login to the OnHub store that contains the eval software. After that you have a year of much easier research ahead of you.

Good Luck!

Monday, August 20, 2018

Daily Blog #458: Object IDs

Hello Reader,
        In Hideaki Ihara's blog post on the port139 blog, he talks about a subsystem that has been around for quite some time, the Distributed Link Tracking System, which allowed LNK files and other shell item structures to survive a file being renamed or moved prior to the inclusion of MFT reference numbers in Windows 7. This means that there are now at least two methods within a LNK file that will allow it to point to the correct file even if it has been renamed or moved since it was last opened.

Hideaki is pointing out that when a file is opened and a shell item is created for it, an Object ID should be created for it as an attribute. While I agree this is true, I would also look for the creation of the LNK file itself and then which jumplist got updated to determine what application opened the file, especially since not every file opened will get an Object ID, as stated in the limitations section of the Microsoft documentation.

In summary, an Object ID won't be set even if a file is opened when:

  1. The file is being opened from a removable drive 
  2. The file is being opened from a FAT drive
  3. The file is being opened from a newly formatted NTFS volume and the system hasn't rebooted
  4. The file is being opened from a newly attached fixed disk with NTFS and the system hasn't been rebooted
I think we should do more testing with this, but in all the above scenarios the shell item system would still record these accesses and the USN journal would show the lnk files and jump lists being updated. I like where Hideaki is going, I just want to make sure people are aware of what's possible.

Sunday, August 19, 2018

Daily Blog #457: Sunday Funday 8/19/18

Hello Reader,
Microsoft is also introducing subtle changes in Windows; sometimes they were always there but we just didn't notice. Let's see what you can determine in this week's lnk file challenge.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 8/24/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
As of Windows 10 (possibly earlier!), Windows will only keep 20 lnk files for a single extension. What other limitations of the lnk file system can you find?

Saturday, August 18, 2018

Daily Blog #456: Solution Saturday 8/16/18

Hello Reader,
           This week Lodrina Cherne swooped in with some interesting research that went way beyond URL history. I think what Lodrina has submitted here is the base of some very interesting research that needs to be performed to find out more. I am happy to say I received more submissions this week but I would encourage anyone reading this to give these challenges a try and submit an answer. You can only benefit from the research and possibly the win!


The Challenge:
For Edge, Chrome and Firefox, where could you find evidence of what was uploaded to a file sharing site? Please include all of the locations available, not just the URL history.


The Winning Answer:
Lodrina Cherne @hexplates


Here are some general methods to investigate upload activity in browsers:

RESEARCH! Besides searching your favorite forensic blogs, browsers and web applications may have developer documentation online.

In the past I’ve used Yahoo! Mail developer docs to better understand webmail artifacts. APIs and handles are sometimes documented for third party developers, use this to your advantage!

Here’s a snippet from the Yahoo Developer Network related to uploading:


This snippet is an example specifically related to advertiser data upload – so if I was interested in this artifact, one search term might be
              “status”: “completed”

Here’s an example related to Google Drive upload:



My search term for Google Drive uploads might be
              uploadTime=

Mozilla (FireFox) has a good collection of APIs, here are some upload related ones we might see:
What the MDN web docs tell us is that bytes and file path + name are properties used in “UploadData”. There’s also browser compatibility information – so this may apply with Chrome or FireFox on Android? Pretty cool!

These events may leave some of the above keywords on disk – but even more important than the keywords, we know that there is some kind of marker that the upload has started, that it’s completed successfully, etc. We know this data is being recorded somewhere, even temporarily, so it’s worth digging for this type of data on disk!

TEST! For different web applications, what is the expected behavior? Are there keywords that appear on screen or a string in the site URL?

Here’s one example using the Dropbox browser interface with Chrome. I am dragging and dropping a file from my system into Dropbox. Note the on screen prompt “upload to the folder”.


While the file is uploading, we see “Uploading Additional Forensic Resources.docx” at the bottom of the screen.


When the upload is complete, the status changes to “Uploaded Additional Forensic Resources.docx”


Potential search terms for Dropbox upload so far are
              upload to the folder
              Uploading [filename of interest]
              Uploaded [filename of interest]

These search terms could be run in your forensic tool across browser artifacts like history and cache. Using a forensic suite for your first pass search can be useful to look across different locations and filetypes. Are you searching inside SQLite databases? Decompressing FireFox session history? Not every suite will do this for you though they will be more efficient than searching each database or cache folder by itself on your first pass!

Besides browser artifacts, you could run these keywords across other areas of the drive like unallocated space and the pagefile/hibernation file.

Another test could be uploading a file with a unique name to a filesharing site, then search your browser data for that filename.
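As an added example built on the keyword approach in the winning answer above (not Lodrina's or the blog's code), the script below sweeps a case directory for the upload search terms at the raw-byte level, so hits inside SQLite history databases and other binary containers are found without first exporting each table. It searches both UTF-8 and UTF-16LE, because Windows-native strings in session files, the pagefile and unallocated space are often the latter. The "browser profile" it scans is constructed in a temporary directory (a Chrome-style History database plus a session log) so it runs offline.

```python
"""Raw-byte sweep for browser upload keywords across a case directory, in UTF-8 and UTF-16LE."""
import os
import sqlite3
import tempfile

# search terms from the answer above; the UTF-16LE variants catch Windows-native text
UPLOAD_KEYWORDS = ["uploadTime=", "upload to the folder", "Uploading ", "Uploaded "]


def encodings(keyword: str):
    """Byte needles to look for: the keyword as UTF-8 and as UTF-16LE."""
    return [(keyword.encode("utf-8"), "utf-8"), (keyword.encode("utf-16-le"), "utf-16-le")]


def scan_file(path: str, keywords=UPLOAD_KEYWORDS) -> list:
    """Return [(keyword, encoding, byte offset)] for every hit in one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = []
    for kw in keywords:
        for needle, enc in encodings(kw):
            start = 0
            while (pos := data.find(needle, start)) != -1:
                hits.append((kw, enc, pos))
                start = pos + 1
    return hits


def scan_tree(root: str, keywords=UPLOAD_KEYWORDS) -> dict:
    """Walk history DBs, cache and session files under root; map relative path -> hits."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path, keywords)
            if hits:
                results[os.path.relpath(path, root)] = hits
    return results


def build_sample_profile(root: str) -> None:
    """Constructed test data: a Chrome-style History DB, a UTF-16LE session log, and a noise file."""
    db = sqlite3.connect(os.path.join(root, "History"))
    db.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT)")
    db.execute("INSERT INTO urls (url, title) VALUES (?, ?)",
               ("https://drive.example/upload?uploadTime=1534000000", "Drive"))  # constructed URL
    db.commit()
    db.close()
    with open(os.path.join(root, "session.log"), "wb") as fh:
        fh.write("Uploaded Additional Forensic Resources.docx".encode("utf-16-le"))
    with open(os.path.join(root, "unrelated.bin"), "wb") as fh:
        fh.write(bytes(range(256)) * 4)  # deterministic filler that should produce no hits


def demo() -> dict:
    """Build the constructed profile in a temp directory and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_profile(root)
        return scan_tree(root)
```

The SQLite hit lands because small TEXT values are stored verbatim in the page, which is exactly why a raw search across database files works as a first pass; compressed session stores (Firefox's jsonlz4 files, for instance) still need decompressing before this kind of sweep sees anything.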


Daily Blog #455: Perfect Score in the Defcon DFIR CTF

Hello Reader,
       This post serves to congratulate @gh0stp0p on achieving the first perfect score in the Defcon DFIR CTF! She has not only won the admiration of her peers but also a license of Forensic Email Collector. For those still wanting to play, or still playing, we will leave the CTF up for at least a month before we move onto the next project.

As a reminder the CTF is located here:
https://defcon2018.ctfd.io/

And you can download the images here:
http://www.hecfblog.com/2018/08/daily-blog-451-defcon-dfir-ctf-2018.html

Thanks everyone for playing and hopefully you will learn something from the experience! Next time we will up the difficulty. 

Thursday, August 16, 2018

Daily Blog #454: SQLite Write Ahead Logs and Python

Hello Reader,
           If you haven't already done so check out this blog post from Malware Maloney:
https://malwaremaloney.blogspot.com/2018/08/windows-10-notification-wal-database.html

In it not only does the author show how to create a new query for pulling messages from the database, he also extended a SQLite python library to correctly decode the write-ahead log of the SQLite database that stores the notifications, meaning you can recover more deleted messages.

Give it a read and in a future post let's take that and write a script around it.
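As an added example to go with the WAL post linked above (this is my own illustration, not the author's code nor the library his post extends), here is a minimal write-ahead log parser: it validates the 32-byte WAL header, walks the 24-byte frame headers, checks each frame's salt and cumulative checksum against the header, and lets you pull every page image that still contains a string of interest. Older page versions, including rows that were later updated or deleted, sit in earlier frames; that is where the extra recoverable messages come from. The database is generated in a temporary directory with a stand-in Notification table, and the WAL bytes are read before the connection closes (closing would checkpoint and delete the log).

```python
"""Parse a SQLite write-ahead log and find older page images that still hold a given string."""
import os
import sqlite3
import struct
import tempfile

WAL_MAGIC_LE, WAL_MAGIC_BE = 0x377F0682, 0x377F0683


def wal_checksum(data: bytes, s0: int, s1: int, big_endian: bool):
    """SQLite's WAL checksum: two running 32-bit sums over 8-byte chunks, byte order per magic."""
    fmt = ">II" if big_endian else "<II"
    for off in range(0, len(data), 8):
        x0, x1 = struct.unpack_from(fmt, data, off)
        s0 = (s0 + x0 + s1) & 0xFFFFFFFF
        s1 = (s1 + x1 + s0) & 0xFFFFFFFF
    return s0, s1


def parse_wal(wal: bytes):
    """Return (header dict, frame list). Frames whose salt or checksum chain does not match are
    flagged invalid rather than dropped: stale frames are exactly where old row versions hide."""
    magic, version, page_size, ckpt, salt1, salt2, c0, c1 = struct.unpack_from(">8I", wal, 0)
    if magic not in (WAL_MAGIC_LE, WAL_MAGIC_BE):
        raise ValueError("not a SQLite WAL file")
    big_endian = magic == WAL_MAGIC_BE
    header = dict(version=version, page_size=page_size, checkpoint_seq=ckpt, salt=(salt1, salt2),
                  checksum_ok=wal_checksum(wal[:24], 0, 0, big_endian) == (c0, c1))
    frames, s0, s1, off = [], c0, c1, 32
    while off + 24 + page_size <= len(wal):
        pgno, commit_size, fs1, fs2, fc0, fc1 = struct.unpack_from(">6I", wal, off)
        page = wal[off + 24:off + 24 + page_size]
        # chain: first 8 bytes of the frame header, then the page, seeded from the previous frame
        exp = wal_checksum(page, *wal_checksum(wal[off:off + 8], s0, s1, big_endian), big_endian)
        valid = (fs1, fs2) == (salt1, salt2) and exp == (fc0, fc1)
        if valid:
            s0, s1 = exp
        frames.append(dict(index=len(frames), page=pgno, commit=commit_size != 0,
                           valid=valid, data=page))
        off += 24 + page_size
    return header, frames


def frames_containing(frames, needle: bytes) -> list:
    """Indices of frames whose page image still contains the bytes of interest."""
    return [f["index"] for f in frames if needle in f["data"]]


def make_wal_sample() -> bytes:
    """Constructed data: a WAL-mode database whose one row is inserted, updated, then deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "notifications.db")
        conn = sqlite3.connect(path, isolation_level=None)  # autocommit: one transaction per statement
        conn.execute("PRAGMA journal_mode=WAL")
        conn.execute("CREATE TABLE Notification (Id INTEGER PRIMARY KEY, Payload TEXT)")
        conn.execute("INSERT INTO Notification VALUES (1, 'first version of the toast')")
        conn.execute("UPDATE Notification SET Payload='second version of the toast' WHERE Id=1")
        conn.execute("DELETE FROM Notification WHERE Id=1")
        with open(path + "-wal", "rb") as fh:  # read before close, or the WAL is checkpointed away
            wal = fh.read()
        conn.close()
    return wal


def demo():
    """Parse the constructed WAL and locate the page versions that still carry the first payload."""
    header, frames = parse_wal(make_wal_sample())
    return header, frames, frames_containing(frames, b"first version of the toast")
```

Each commit appends a fresh copy of every page it touched, so the same page number recurs across frames; walking those copies in order gives you the history of a table page that the main database file alone no longer has. When a WAL has been restarted after a checkpoint, the frames past the valid chain carry the previous salt and will show up here as invalid, which is the signal to carve them separately rather than trust them as current data.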

Wednesday, August 15, 2018

Daily Blog #453: Winners of the Unofficial Defcon DFIR CTF

Hello Reader,
        I realized that while I posted this on twitter I did not share this on the blog, which is the more permanent record of things. First, this year's Defcon DFIR CTF was sponsored by:


SANS - Donating 1st prize access to DFIR Netwars Continuous for a year and lego minifigs. Also if you were in the blue team village at just the right time we brought out SANS tshirts, polos, keychains and posters that quickly disappeared.

Magnet Forensics - Donating a really cool backpack that contained a license of AXIOM, a magnet water bottle, magnet external cell phone battery and a cool magnet pen.

Blackbag Forensics - Donating a license of Blacklight and a really cool insulated drink cup (like a yeti or rtic but with a very nicely done blackbag logo)

MetaSpike - Who donated a license of Forensic Email Collector which will go to whoever gets the first perfect score in the Defcon DFIR CTF!

  • 1st Place went to Hadar Yudovich @hadar0x

Tuesday, August 14, 2018

Daily Blog #452: Dealing with deleted shadow copies

Hello Reader,
       For those of you who use libvshadow you may have noticed that it shows deleted shadow copies but does not differentiate between active and deleted shadow copies. This can be an issue as parts of the deleted shadow copies could be overwritten leading to strange results.

Looks like two researchers out of Japan are attempting to fix that issue with an extension to libvshadow and some really interesting catalog recreation research.


Check it out below!

http://i.blackhat.com/us-18/Thu-August-9/us-18-Kobayashi-Reconstruct-The-World-From-Vanished-Shadow-Recovering-Deleted-VSS-Snapshots.pdf

Monday, August 13, 2018

Daily Blog #451: Defcon DFIR CTF 2018 Open to the Public

Hello Reader,
            This year at Defcon we made things interesting with a challenge that involves making your way through 3 images to answer questions and solve a case. Now that Defcon is over and the winners awarded it's your turn to give the challenge a try.

The first image password is 'tacoproblems'
The second and third image password is gained by answering the right questions in the CTF.


CTF Site:
https://defcon2018.ctfd.io/

Download Links:
Image 1:
https://www.dropbox.com/s/1q4f0fowo8048mq/Image1.7z?dl=0

Image 2:
https://www.dropbox.com/s/9gzjfqkl8uup58k/Image2.7z?dl=0

Image 3:
https://www.dropbox.com/s/jvaqb4rfi3jojbk/Image3.7z?dl=0

Sunday, August 12, 2018

Daily Blog #450: Sunday Funday 8/12/18

Hello Reader,
Defcon is over and with it our CTF. For this week's challenge let's look at some browser forensics artifacts that could be helpful to you when I open up the forensic CTF to the public tomorrow.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 8/17/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
For Edge, Chrome and Firefox where could you find evidence of what was uploaded to a file sharing site. Please include all of the locations available, not just the url history.

Saturday, August 11, 2018

Daily Blog #449: Solution Saturday

Hello Reader,
Another week, another winning answer by Adam Harrison! The CTF is ending in an hour and I look forward to seeing how this all shakes out.


The Challenge:
Name all of the Windows and OSX artifacts you would examine to determine if Anti Forensics tools have been executed. 


The Winning Answer:

The majority of Anti-Forensic tools are just programs like any other, often executed within the host OS. Additionally, the question specifically asks about proving execution of Anti-Forensic tools. As such the first thing I will concern myself with is evidence of program execution.

Noting that different anti-forensics tools may miss certain evidence sources (especially if run with basic user privileges) it is important to be broad in the areas you look as one of the lesser known or used artifacts may have been left untouched by the tools. Additionally in cases of suspected anti-forensic efforts I would be interested in the content of all of these artifacts, including whether they are empty, as this may be an indication of anti-forensics tool use in and of itself. 

Evidence of Tool Execution
Windows
Prefetch
Jump Lists
AppCompatCache
MUICache
UserAssist
RunMRU
LastVisitedMRU
Log Files (tools may be deployed as services or with a scheduled element, process creation events associated with Audit Process Creation)
Third party application execution monitoring (e.g. AV, DLP, etc)
WSL (If WSL is in use then this opens a whole other kettle of fish, .bashhistory, evidence of tool installation etc.)
Evidence of process artifacts in RAM
Command history in RAM

MacOSX
knowledgeC.db database (application usage data)
.bashhistory (if tools used or executed from command line)
FSEvents (evidence of filesystem events including creation of software files and also deletion and renaming associated with tool use)
com.apple.finder.plist (evidence of finder searches for software)
RecentApplications.sfl
Spotlight Shortcuts plist
.bashhistory in ram
Evidence of process artifacts in RAM

Evidence of Tool Use
In addition, the use of anti-forensics tools can leave their own artifacts behind. In the case of CCleaner the presence of deleted but recoverable “ZZZ” files and folders is a classic indicator of use. Other similar unique fingerprints are associated with different anti-forensic tools. One other such telltale sign is recoverable files with random filenames and high entropy content consistent with being overwritten with pseudo random data; entropy analysis of recovered deleted files can highlight these.

Evidence of research/download/installation
Proving the intent of a user can also be useful, whether evidence of the use of anti-forensic tools is actually identified. Evidencing that tools were sought, downloaded and installed during an in-scope time frame (such as just after an employee was notified of an HR interview etc). Additionally evidence that research was performed into hiding evidence can be helpful in painting a picture as to a user's intentions and help to combat the "My computer was running slow so I used CCleaner" defense.

Windows
Registry artifacts (installed applications, application specific entries etc)

OSX
/Library/Receipts/InstallHistory.plist
/Library/Preferences/com.apple.SoftwareUpdate.plist
/Library/LaunchAgents

Both
The disk… (Look for executables for anti-forensics tools on disk e.g. ‘Program Files’ Directories, ‘Applications’ directories, ‘Downloads’ directories) 
Browser History/Cache/Cookies for evidence of search history and websites visited (location dependent on OS and installed browser(s))
Proxy/ web filtering logs (evidence of browsing to sites concerning anti-forensics and downloading of tools)
AV Logs (scanning of downloaded executable)

Wildcard
You never know where you might find that smoking gun which demonstrates the intention to circumvent forensic analysis. In one notable case, a colleague of mine stumbled across an iOS note which was stored within a backup on the suspect's computer. Within it the suspect had detailed a proposed methodology to steal data from his employer which would be “undetectable”. Using throwaway virtual machines (which would then be wiped from disk) he proposed to collate and extract data from the organisation and transmit it to a cloud service connected to via the VM. The actions performed left almost no trace of the IP theft, but the evidence of the existence of a now deleted VM coupled with the note made compelling reading in court.
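As an added example for the entropy-analysis tell in the winning answer above (my illustration, not Adam's or the blog's code), the script below scores recovered files by Shannon entropy and flags the combination the answer describes: near-maximal entropy content that is not a recognised compressed container, a random-looking filename as corroboration, and CCleaner-style "ZZZ" filler. The entropy threshold, the filename heuristic and the sample files are all assumptions constructed for the demo; the container magic bytes are the standard zip, gzip, JPEG, PNG and 7z signatures.

```python
"""Flag recovered files whose content looks overwritten with pseudo-random data."""
import math
import random
from collections import Counter

HIGH_ENTROPY = 7.9  # bits per byte; assumption: close to the 8.0 maximum for uniform bytes
COMPRESSED_MAGIC = {  # containers that are legitimately high-entropy and should not be flagged
    b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png", b"7z\xbc\xaf\x27\x1c": "7z",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def random_looking_name(name: str) -> bool:
    """Assumed heuristic: a long alphanumeric stem mixing letters and digits, e.g. X7Kq93LpA2mZ0rTb.tmp."""
    stem = name.rsplit(".", 1)[0]
    return (len(stem) >= 16 and stem.isalnum()
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))


def classify(name: str, data: bytes) -> dict:
    """Score one recovered file and explain why it is (or is not) suspicious."""
    ent = shannon_entropy(data)
    container = next((fmt for magic, fmt in COMPRESSED_MAGIC.items() if data.startswith(magic)), None)
    reasons = []
    if ent >= HIGH_ENTROPY and container is None:
        reasons.append("high-entropy content with no known compressed container")
    if name.upper().startswith("ZZZ") and ent < 0.5:
        reasons.append("ZZZ-named low-entropy filler (CCleaner-style free-space wipe)")
    suspicious = bool(reasons)  # content decides; the filename only corroborates
    if random_looking_name(name):
        reasons.append("random-looking filename")
    return {"name": name, "entropy": round(ent, 3), "container": container,
            "reasons": reasons, "suspicious": suspicious}


def triage(samples: dict) -> dict:
    """Classify a {filename: bytes} mapping of recovered files."""
    return {name: classify(name, data) for name, data in samples.items()}


def build_samples() -> dict:
    """Constructed recovered files: one wiped, one document, one archive, one CCleaner-style filler."""
    rng = random.Random(20180811)  # fixed seed keeps the constructed data deterministic
    noise = bytes(rng.getrandbits(8) for _ in range(16384))
    return {
        "X7Kq93LpA2mZ0rTb.tmp": noise,                       # wiper-style overwrite
        "quarterly_report.docx": b"Quarterly results were flat. " * 400,
        "photos.zip": b"PK\x03\x04" + noise[:8000],          # high entropy but a known container
        "ZZZZZZZZZZZZ.ZZZ": b"\x00" * 4096,                  # zero-filled filler
    }
```

Run triage() over the files your carver recovered and sort by the reasons field; the container check matters because every JPEG and zip in a Downloads folder would otherwise score as "wiped". Treat the filename heuristic as a pointer, not proof, and adjust the stem length to what the tools in your case actually produce.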

---

Daily Blog #448: Defcon DFIR CTF update

Hello Reader,
      Another late post after a long day in Vegas. We launched the ctf today and already have a fight for the top 3 spots. As more people get the evidence I'm expecting it to get really interesting.

We initially planned to do a live stream today but spent most of the day finishing the last questions so I expect we will do the stream tomorrow instead.

For those who want to watch the scoreboard go to
https://defcon2018.ctfd.io/scoreboard

To follow along, the contest ends tomorrow night! There is a long time for everything to change by then.

As before once the event is over we will make the images public and everyone can play, just without prizes.

Friday, August 10, 2018

Daily Blog #447: Defcon 2018 Forensic CTF

Hello Reader,
Just a reminder that the ctf starts tomorrow afternoon. If you are in Vegas and have not signed up yet here is the link:
https://www.eventbrite.com/e/unofficial-defcon-dfir-ctf-2018-tickets-47978189055?ref=estw

Prizes:
1st. DFIR Netwars Continuous for a year from SANS and a Lego mini fig
2nd. Magnet prize loaded backpack, Lego mini fig and license of forensic email collector
3rd. Blackbag prize pack

It's not too late to sign up, get ready!

Thursday, August 9, 2018

Daily Blog #446: Sparse image blues

Hello Reader,
     A quick one before I fall asleep after a long day of CTF prep and Vegas fun. If you are using the F-Response imager to capture a full disk, be aware that it seems to default to a sparse image format and leaves out shadow copies.

However, imaging the same F-Response mounted disk with another tool will capture the full disk.

Wednesday, August 8, 2018

Daily Blog #445: F-Response and the Cloud

Hello Reader,
           Today I'm sharing a lesson I learned from acquiring systems in the cloud from another cloud hosted system in the same provider. I was adding the agents and getting ready to acquire the systems, but they kept dropping off the F-Response management list of subjects.

I was quite confused, I checked the network and realized my RDP session was active the entire time and hadn't timed out. I restarted the F-Response service and kept a ping running, when the F-Response agent timed out I noticed the ping never lost a packet.

So I reached out to the excellent support staff (aka Matt Shannon) at F-Response and explained my problem and they quickly reached out (after 5PM!) and offered a suggestion, check your clock skew.

This isn't something I had run into before and so I went and made sure my clocks were the same and now it's happily imaging away.

So hopefully this helps someone in the future: if your F-Response subject keeps timing out, check to make sure that the license server and the subject are set to the same time!

Sunday, August 5, 2018

Daily Blog #444: Sunday Funday 8/5/18

Hello Reader,
           Thank you for all of the responses in the blog comments, on twitter and on LinkedIn to my question regarding Anti Forensics tools used in the wild. It was great to expand everyone's knowledge of what tools to look for and make a list of those I need to test to see what traces each of them leaves behind. With that in mind let's see how you handle this week's Anti Forensics themed challenge.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 8/10/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
Name all of the Windows and OSX artifacts you would examine to determine if Anti Forensics tools have been executed. 

Saturday, August 4, 2018

Daily Blog #443: Solution Saturday 8/4/18

Hello Reader,
           Another week where Adam Harrison has again dominated the entries. For those of you thinking about trying out next week's contest, don't be deterred. You too can be a winner with just some basic effort and some good documentation skills!

The Challenge:
Windows 10 keeps changing and with it its behavior. In Windows 8.1 and early versions of Windows 10 there was a task to delete plug and play devices that haven't been plugged in for 30 days. In more recent versions of Windows 10 this appears to be disabled. For this challenge please document which versions of Windows 10 have the task enabled and whether it survives being upgraded.

The Winning Answer:
https://blog.1234n6.com/2018/07/windows-plug-and-play-cleanup.html?spref=tw

Great job Adam! Come back tomorrow for a new challenge!

Friday, August 3, 2018

Daily Blog #442: Anti Forensic Tools in the wild

Hello Reader,
       Today I have a question for you. In my work I've encountered tools that my suspects have used to clean or wipe their system. However, I'm wondering what others are out there that I haven't seen yet. So here is my list:


  • CCleaner
  • Evidence Eliminator
  • System Soap
  • PC Optimizer Pro
  • BCWipe
  • Eraser
  • Sdelete

What additional wipers or anti forensics tools have you come across? Let me know in the comments below or in a tweet/linked in comment.

Thanks!

Thursday, August 2, 2018

Daily Blog #441: Changes in Windows 10

Hello Reader,
           One of the problems we are having recently in Windows 10 forensics is that what would previously be identified with a major service pack version or a new version of Windows is now being marked as a feature release. These releases are changing the behaviors we rely on in forensics and we are going to have to start referring not just to Windows 10 but the build of Windows 10. This isn't going to stop in the near future as Microsoft says that they plan to just iterate Windows 10 for the foreseeable future.

If you look at some of Adam Harrison's recent blogs you'll notice he has multiple major versions of Windows 10 running within different VMs. I think this kind of setup will be necessary going forward and we are going to have to do more regression testing of artifacts both old and new to understand the new normal.

I'll be following this up with what the major releases are so we can start building a common vernacular in describing Windows 10. For now just be aware that just because it's Windows 10 does not mean that any previous Windows 10 research still applies without testing.

Wednesday, August 1, 2018

Daily Blog #440: Windows 10 Notifications Database

Hello Reader,
       I had stopped thinking about the Windows 10 notifications database since I last saw Yogesh Khatri's blog post about it here. I was reviewing a file list produced by an opposing party in a litigation we are working on and suddenly saw a directory full of notification images and got curious again.

Since Yogesh first blogged about it the location of the Notification data has changed and it is now located here:
\Users\\AppData\Local\Microsoft\Windows\Notifications

Pictures pushed to the system and displayed in start menu tiles or notifications are stored here:
\Users\\AppData\Local\Microsoft\Windows\Notifications\wpnidm

And the database is now a SQLite database named wpndatabase.db which you can open up with any SQLite tool. I am using Navicat for SQLite because it's one of my favorites.

Once I had the database open I went looking to see which table contained the data that I would think is interesting and found a table named Notification. Here is the schema:


There are three fields here you should pay attention to. The first is the HandlerID, which will tell you which program created the notification; you find the name associated with it in the NotificationHandler table.


The second field is the Payload field, this is the actual contents of the Notification, I was looking through here to see if there was something interesting and found all the Notifications that Outlook had been popping up as I was getting new emails. Here is an example:



Placeholder image
Caesars Total Rewards
Win big in August with the play by TR app! Download now!
<http://click.email.caesars-marketing.com/open.aspx?>
Download and log in to be rewarded.         View this email with images. <http://view.email.caesar...





Within the text tags you can see the contents of the new mail notification I received from Outlook.

The last fields to look at are the ExpiryTime and ArrivalTime, which record when the notification was received (ArrivalTime) and when it will be deleted from the database (ExpiryTime). These are stored in decimal, but if you convert them to hex you can convert them back to a readable time using the Windows FileTime BigEndian option in DCode.

So there you go, we can recover the sender, subject and first lines of an email in the notification database even if the email has been purged from the system otherwise. I am going to look further into this to see if there is any other Notifications of interest.
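As an added example for the walkthrough above (my illustration, not the author's query or tooling), here is a script that joins Notification rows to their handler, pulls the <text> lines out of a toast payload, and converts the ArrivalTime/ExpiryTime integers directly. Those values are Windows FILETIMEs, 100-nanosecond ticks since 1601-01-01 UTC, so once you know the unit the hex round-trip through a decoder is optional. The schema below is a constructed stand-in for wpndatabase.db: only the columns the post names (HandlerId, Payload, ExpiryTime, ArrivalTime) are used, the join key (NotificationHandler.RecordId matching Notification.HandlerId, with PrimaryId as the app name) is an assumption, and the handler name, toast payload and timestamps are made up.

```python
"""Extract sender/subject lines and decoded timestamps from a wpndatabase.db-style Notification table."""
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value: int) -> datetime:
    """Decimal Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def toast_text(payload: str) -> list:
    """The <text> element strings of a toast XML payload in document order; raw payload if not XML."""
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return [payload]
    return [t.text or "" for t in root.iter("text")]


def list_notifications(db: sqlite3.Connection) -> list:
    """Join each notification to its handler and decode payload text and timestamps."""
    rows = db.execute("""
        SELECT n.Id, h.PrimaryId, n.Payload, n.ArrivalTime, n.ExpiryTime
        FROM Notification n
        LEFT JOIN NotificationHandler h ON h.RecordId = n.HandlerId  -- assumed join key
        ORDER BY n.ArrivalTime""").fetchall()
    return [{
        "id": nid,
        "handler": handler,
        "lines": toast_text(payload),
        "arrival": filetime_to_datetime(arrival).isoformat(),
        "expiry": filetime_to_datetime(expiry).isoformat(),
    } for nid, handler, payload, arrival, expiry in rows]


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for wpndatabase.db holding one mail notification."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE NotificationHandler (RecordId INTEGER PRIMARY KEY, PrimaryId TEXT);
        CREATE TABLE Notification (Id INTEGER PRIMARY KEY, HandlerId INTEGER, Payload TEXT,
                                   ExpiryTime INTEGER, ArrivalTime INTEGER);
    """)
    db.execute("INSERT INTO NotificationHandler VALUES (7, 'Example.MailApp!constructed')")
    payload = ("<toast><visual><binding template='ToastGeneric'>"
               "<text>Example Sender</text><text>Invoice for August</text>"
               "<text>Please find the attached invoice for your records.</text>"
               "</binding></visual></toast>")  # constructed payload in the shape the post shows
    arrival = 131775552000000000   # constructed: 2018-08-01T00:00:00Z as a FILETIME
    expiry = arrival + 7 * 24 * 3600 * 10_000_000  # constructed: one week later
    db.execute("INSERT INTO Notification VALUES (1, 7, ?, ?, ?)", (payload, expiry, arrival))
    db.commit()
    return db


def demo() -> list:
    """Decode the constructed database."""
    return list_notifications(build_sample_db())
```

Point list_notifications() at a copy of the real wpndatabase.db opened read-only (check the column names against your sample first, since they vary by build) and each row gives you the handler, the visible notification lines and both times in UTC; an ExpiryTime in the past on a row that is still present is itself worth noting, since it tells you the cleanup has not run yet and the row may soon disappear from the live table into the WAL.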