Tuesday, October 16, 2018

Daily Blog #509: ObjectIDs and Domains

Hello Reader,
             Well YouTube was down for awhile tonight and at this point I'll need to get to bed before I could finish a test kitchen broadcast (if it would even work tonight!). So instead I decided to follow up on a question by Dr. Joe Sylve who asked in last nights Test Kitchen if Domain's are present in ObjectIDs if the computer was attached to a domain. To test this I went onto one of my domain connected computers and checked the objectID attributes of a file I've opened many times, our blank contract.



As you can see the DomainID is still all 0's meaning that this field is not currently being used, but you never know what the future will hold!

Monday, October 15, 2018

Daily Blog #508: Forensic Lunch Test Kitchen 10/15/18

Hello Reader,
          Tonight Matt Seyer virtually joined me for another test kitchen! We decided to examine the ObjectID index to determine what is really happening when a file is deleted and its ObjectID index entry is deleted. Matt presented his theory, Dr. Sylve contributed what he knew and the rest was solved with testing, tsk utilities, and python scripts.

Here is what we learned:

  • The ObjectID Index is a B-Tree with pages of entries of ObjectIDs
  • The last ObjectID in a page is the one most likely to survive in the slack space if it is deleted
  • ObjectIDs anywhere else in the page have a high chance of being overwritten when the b-tree is balanced unless they got saved from a previous page swap
  • istat won't give you the full path to a file, but you can get there if you are persistent 
  • The $logfile contains every changed page until its overwritten
We also have some new theories to test tomorrow night regarding USN and $Logfile interaction with the ObjectID Index! We should be testing those tomorrow night.

You can watch the video here:

Sunday, October 14, 2018

Daily Blog #507: Sunday Funday 10/14/18

Hello Reader,
        The weeks have gone by quickly with nightly testing videos and weekly challenges. The schedule works well for me typically as weekend nights I have less time to do testing as I'm spending more time with my family. Let's see how you'll be spending your week with this weeks challenge.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 10/19/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post


The Challenge:
What artifacts of execution exist on a Windows Server 2008+ that do not exist on Windows 7+? In other words name any forensic artifacts that would show a program executed on a windows server os that you wouldn't find on a windows desktop os!

Saturday, October 13, 2018

Daily Blog #506: Solution Saturday 10/13/18

Hello Reader,
          This week no qualifying submissions, as a reminder this was the challenge:

The Challenge:
The TypedPaths key as we have seen recreates the key each time File Explorer exits. What other artifacts could we use to replace the data that we would have found there?

I'll have to address the answer in a blog post in the future, until then stay tuned for next week's challenge. 

Friday, October 12, 2018

Daily Blog #505: Forensic Lunch Test Kitchen 10/12/18

Hello Reader,
            A shorter test kitchen tonight, mainly because the answer came much quicker than I expected but only in part. Tonight we deleted files from the command line and the GUI to see what effect deleting them would have on the ObjectID Index found at /$Extend/$ObjID:$O. I used the updated $O parser from Matt Seyer found here: https://github.com/forensicmatt/WinObjectIdParser

Here is what we learned:

  • Deleting a file from the command line causes the ObjectID Index to delete the file entry
  • Deleting a file from the GUI causes the ObjectID Index to delete the file entry
  • That the deletion appears to clean and too quick, leading me to suspect that there is more going on here
On Monday I expect to resume this line of questioning with a hex editor (likely 010) and some offset tracking as we look to solve the mystery of the deleted ObjectID records. 

You can watch the video here:

Thursday, October 11, 2018

Daily Blog #504: Forensic Lunch Test Kitchen 10/11/18

Hello Reader,
          Tonight we had what I think is a very exciting broadcast of the Forensic Lunch. When discussing on twitter whether or not a ObjectID would be created when a file is accessed over a network share DR Joe Sylve (watch the video to see why i capitalized doctor) hypothesized that it would not, while I pontificated that it would. It turns out ... it does! We then extracted and encoded the local objectid database (/$extend/$objid:$o) and parsed it to find out which systems had which dad.

Here is what we learned:

  • Opening a file from a Windows 10 system on a Windows 7 file share creates an ObjectID that both systems can see
  • The ObjectID contains the volume id and mac address of the file server (the windows 7 system in my testing)
  • The ObjectID database on the Windows 7 system contains the objectid of the file accessed
  • The ObjectID database on the Windows 10 system does not contain the objectid of the file accessed
  • The windows 10 system will create a lnk file for the access
  • The windows 7 system does not create a lnk file for the file being accessed from it as a network share
  • Creating a file in Windows 10 in the GUI will trigger an ObjectID being created on a network share hosted by a Windows 7 system
You can watch the video here:

Wednesday, October 10, 2018

Daily Blog #503: Forensic Lunch Test Kitchen 10/10/18

Hello Reader,
        We had a long night in this session of the test kitchen. Mainly because I was trying to debug making changes to Maxim Suhanov's yarp-timeline script without an IDE to help me find my dumb mistakes. In the end though we were able to find and display all of the transition states within the transaction logs for the TypedPaths key and we showed an updated build of Registry Explorer that will now show deleted values!

Here is what we learned:

  • Python's error messages leave a lot to be desired when you don't have an IDE
  • The yarp-timeline script will print which keys are changing but not their values
  • That with some hacky code modifications we can show the values that were changing in each transaction log entry
  • That all of the changes we made were in fact in the registry transaction logs, but we are not sure how long they will stay. Maxim estimates one hour. 
  • That the newest build of Registry Explorer we tested will show deleted values!
You can watch the video here:

Tuesday, October 9, 2018

Daily Blog #502: Forensic Lunch Test Kitchen 10/9/18

Hello Reader,
           Another night of testing on the test kitchen! This evening we revisited the TypedPath key and registry transaction logs as Maxim Suhanov pointed out I did not wait a full 60 seconds, instead I just let the clock roll over to the next minute. The timing is important as transaction logs are written to 60 seconds after the change occurred and I assumed that was every 60 seconds not 60 seconds since change. To rectify this error I made a timer in Windows 10 for 90 seconds to make sure between each action I left enough time for the system to record the change.

The only real variable left now is that I'm doing this in a VM, when this is all done I'll do it on the host OS as well to make sure there are no differences.

Here is what we learned:

  • The TypedPaths key is not being deleted and recreated, the individual keys appear to be overwritten
  • Looking into the slack space of the registry value for the entries you can see the end of the prior TypedPaths entry if it was longer than the replaced value
  • If a typedpaths entry (url(some number)) isn't present in the key that is overwriting it, then the left over values are deleted
  • The deleted values can be recovered and seen in yarp
  • The overwritten values cannot be seen in yarp even though it was my assumption the transaction logs would contain them
I'll be uploading the registry hives to the GitHub page tomorrow.

You can watch the video here:

Monday, October 8, 2018

Daily Blog #501: Forensic Lunch Test Kitchen 10/8/18

Hello Reader,
           It's Monday and it's time for another test kitchen! Tonight I tested Maxim Suhanov's assertion that waiting 60 seconds would allow the changes I made to the registry by closing file explorer would allow the transaction logs to be written to. So I did that test and even waited two minutes prior to exiting.

Here is what we learned:

  • After waiting two minutes between closing the two file explorer windows the live registry showed the second windows entries. The transaction logs and registry showed the first windows entries but no record of the second.
  • Re-extracting the registry from the disk a few minutes later cause the second windows entries to show up, but the first windows entries were lost again
  • Parsing the registry without the transaction logs does not show either windows changes initially, but did after the second registry extraction
More to test, more to learn! 

You can watch the video below:

Sunday, October 7, 2018

Daily Blog #500: Sunday Funday 10/7/18

Hello Reader,
           This is the 500th Daily Blog! Which also just so happens to land on a Sunday Funday challenge which means, this one must be special .... even if it isn't. We've looked into a lot of topics this last couple weeks, lets see if you've been paying attention.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 10/12/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post


The Challenge:
The TypedPaths key as we have seen recreates the key each time File Explorer exits. What other artifacts could we use to replace the data that we would have found there?

Saturday, October 6, 2018

Daily Blog #499: Solution Saturday 10/6/18

Hello Reader,

     This week Kevin Pagano grabbed the win with a nice primer on registry monitoring. I m looking forward to testing more registry monitoring tools next week and trying out Maxim Suhanov's suggestion of waiting 30 seconds for transactions to be written.

The Challenge:
How would you monitor/record changes to registry keys? What could you do to get more data?

Winning answer:
There are few monitor tools that can record changes in the registry.

Nirsoft specifically has 2 different options that could be helpful:
RegistryChangesView - allows you to take snapshots of the registry at different points in time and compares two versions and export the changes as needed
RegFromApp - this one monitors the registry for changes made by specific applications

Regshot and WhatChanged are two other tools that are similar to RegistryChangesView in that it can show changes in two snapshots of the registry at different times.

Process Monitor (ProcMon) will give you real time feedback of activities in various locations but also the registry.

Registry Auditing can be turned on as such so changes will show in Event Logs:
1. Run the following command from Command Prompt:
auditpol /set /subcategory:"Registry" /success:enable
Note: if the OS has a different language pack, the name “Registry” might differ. For instance, on a German Windows, the name is “Registrierung”. To see what the name of the subcategory is you can run:
auditpol /list /subcategory:*
2. Open Registry Editor and navigate to the key which we want to audit (HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word)
3. Right-click on the key and choose “Permissions…”
4. Click “Advanced” and switch to the Auditing tab
5. Add a user or group and select Access: Set Value
6. Apply settings
Via Microsoft

RegistryExplorer from Eric Zimmerman can be used to possibly show deleted registry keys and recover them as needed as well as interpret the registry transaction LOG files.

Friday, October 5, 2018

Daily Blog #498: Forensic Lunch 10/5/18

Hello Reader,
           We had a Forensic Lunch today! Matthew and I talked with all of you about:


  • The state of the DFIR Conference circuits with what we are told is the end of Enfuse. (Enfuse is being moved into the Opentext Conference from what we've been told). 
  • What other DFIR Conferences exist
  • The idea of going on a cruise together and doing DFIR stuff
  • And matthew demoed his /$Extend/$OBJID:$O Parsing script which is available on Github here: https://gist.github.com/forensicmatt/5d06acb11986c02cb61e9599fe9625f9
  • We talked about recovering deleted ObjectIDs from the $OBJID Index allocation
  • We talked about use cases for ObjectID analysis
You can watch the video here:

Thursday, October 4, 2018

Daily Blog #497: Forensic Lunch Test Kitchen 10/4/18

Hello Reader,
        Another test kitchen! Tonight we went back to the TypedPaths overwrite mystery while Matthew finishes his $OBJID:$O parser to show tomorrow on the forensic lunch. We got YARP installed on our Windows 10 test VM and performed the same test of opening multiple file explorer windows, going to unique paths and watching the TypedPaths key get overwritten. We then extracted the registries and parsed them with YARP in an attempt to find the previously written TypedPaths files.

Here is what we learned:

  • YARP has a series of new utility scripts, we used yarp-print and yarp-timeline
  • YARP will automagically attempt to find and replay any transactions logs in the same directory as the registry file you opened
  • YARP did not find the prior TypedPaths values
More testing next week, make sure to tune into the forensic lunch tomorrow!

Here is the video:

Wednesday, October 3, 2018

Daily Blog #496: Forensic Lunch Test Kitchen 10/3/18

Hello Reader,
      Today we come close to a conclusion on our exploration of ObjectIDs within the MFT. We went in and both extracted MFT attributes with pytsk as well as ran/validated the same information with mftecmd to determine why we had duplicate objectids in our file system.

We learned that:

  • Duplicate ObjectIDs appear to happen in hard links to the same file
  • Every Duplicate ObjectID that we tested had the same file entry and sequence number meaning it was the same file
  • Python has a cool function called dir() which will show you all of the available methods that an object has
You can watch the video here:

Tuesday, October 2, 2018

Daily Blog #495: Forensic Lunch Test Kitchen 10/2/18

Hello Reader,
          Another night, another test kitchen. Tonight we continued our ObjectID testing and research to see if sequence numbers would reliably increment on reboots allowing us to find evidence of changes to the system clock and in what actual order files were created (windows 10) or opened (all other windows). Here is the summary of what we learned:


  • Sequence numbers are set in the Software registry under SOFTWARE\Microsoft\RPC\UUIDSequenceNumber
  • Windows.old backups now appear to include the users directory and are deleted after a week by a scheduled task
  • Sequence numbers will increment on each reboot, irregardless of timeset
  • Sequence numbers can jump and then settle back on the original sequence, working to understand how and why

You can watch the broadcast here:

Monday, October 1, 2018

Daily Blog #494: Forensic Lunch Test Kitchen 10/1/18

Hello Reader,
         Tonight the test kitchen continued to plumb the depths of ObjectID attributes of files in the MFT. What did we learn tonight?

We learned that:

  • The perceived duplicate timestamps from the decoded object ids were for the most part due to lack on granularity in nano seconds, when the raw values were added there were more unique values
  • That some files appear to have the same objectid and are related (the same exe file, lnk file pointing to the same resource) meaning we need to look at the MFT attributes to see if they are hard links to the same file
  • That changing the clock back will not change the base clock time used to generate ObjectIDs and sorting by the ObjectID timestamp will show you the correct order a file was created/interacted with (depending on the version of Windows) regardless of the time set by the user
We left off with a test of the sequence numbers as my VM had a Windows 10 update pending. We will continue tomorrow night!

You can watch the broadcast here: