@night 1803 access accessdata active directory admissibility ads aduc aim aix ajax alex levinson alissa torres amcache analysis anjp anssi answer key antiforensics apfs appcompat appcompatflags applocker april fools argparse arman gungor arsenal artifact extractor attachments attacker tools austin automating automation awards aws azure azuread back to basics backstage bam base16 best finds beta bias bitcoin bitlocker blackbag blackberry enterprise server blackhat blacklight blade blanche lagny book book review brute force bsides bulk extractor c2 carved carving case ccdc cd burning ceic cfp challenge champlain chat logs Christmas Christmas eve chrome cit client info cloud forensics command line computer forensics computername conference schedule consulting contest cool tools. tips copy and paste coreanalytics cortana court approved credentials cryptocurrency ctf cti summit cut and paste cyberbox Daily Blog dbir deep freeze defcon defender ata deviceclasses dfa dfir dfir automation dfir exposed dfir in 120 seconds dfir indepth dfir review dfir summit dfir wizard dfrws dfvfs dingo stole my baby directories directory dirty file system disablelastaccess discount download dropbox dvd burning e01 elastic search elcomsoft elevated email recovery email searching emdmgmt Encyclopedia Forensica enfuse eric huber es eshandler esxi evalexperience event log event logs evidence execution exfat ext3 ext4 extended mapi external drives f-response factory access mode false positive fat fde firefox for408 for498 for500 for526 for668 forenisc toolkit forensic 4cast forensic lunch forensic soundness forensic tips fraud free fsutil ftk ftk 2 full disk encryption future gcfe gcp github go bag golden ticket google gsuite guardduty gui hackthebox hal pomeranz hashlib hfs honeypot honeypots how does it work how i use it how to howto IE10 imaging incident response indepth information theft infosec pro guide intern internetusername Interview ios ip theft iphone ir itunes encrypted backups jailbreak jeddah jessica hyde joe sylve journals json jump lists kali kape kevin stokes kibana knowledgec korman labs lance mueller last access last logon lateral movement leanpub libtsk libvshadow linux linux forensics linux-3g live systems lnk files log analysis log2timeline login logs london love notes lznt1 mac mac_apt macmini magnet magnet user summit magnet virtual summit mari degrazia mathias fuchs md viewer memorial day memory forensics metaspike mft mftecmd mhn microsoft milestones mimikatz missing features mlocate mobile devices mojave mount mtp multiboot usb mus mus 2019 mus2019 nccdc netanalysis netbios netflow new book new years eve new years resolutions nominations nosql notifications ntfs ntfsdisablelastaccessupdate nuc nw3c objectid offensive forensics office office 2016 office 365 oleg skilkin osx outlook outlook web access owa packetsled paladin pancake viewer path specification pdf perl persistence pfic plists posix powerforensics powerpoint powershell prefetch psexec py2exe pyewf pyinstaller python pytsk rallysecurity raw images rdp re-c re-creation testing reader project recipes recon recursive hashing recycle bin redteam regipy registry registry explorer registry recon regripper remote research reverse engineering rhel rootless runas sample images san diego SANS sans dfir summit sarah edwards saturday Saturday reading sbe sccm scrap files search server 2008 server 2008 r2 server 2012 server 2019 setmace setupapi sha1 shadowkit shadows shell items shellbags shimcache silv3rhorn skull canyon skype slow down smb solution solution saturday sop speed sponsors sqlite srum ssd stage 1 stories storport sunday funday swgde syscache system t2 takeout telemetry temporary files test kitchen thanksgiving threat intel timeline times timestamps timestomp timezone tool tool testing training transaction logs triage triforce truecrypt tsk tun naung tutorial typed paths typedpaths uac unc understanding unicorn unified logs unread updates usb usb detective usbstor user assist userassist usnjrnl validation vhd video video blog videopost vlive vmug vmware volatility vote vss web2.0 webcast webinar webmail weekend reading what are you missing what did they take what don't we know What I wish I knew whitfield windows windows 10 windows 2008 windows 7 windows forensics windows server winfe winfe lite winscp wmi write head xboot xfs xways yarp yogesh zimmerman zone.identifier

Daily Blog #169: Sunday Funday 12/8/13 Winner!

Hello Reader,
            Another Sunday Funday come and gone, an interesting change this week that I'm curious on your feedback for. For the first time I themed this weeks Sunday Funday to topics discussed in this weeks Forensic Lunch. I was hoping this would give many of you a leg up in getting started so please in comments let me know what you thought, is this something you'd like to see done again?

With that said here is this weeks winning answer!

The Challenge:
You have a Windows 2008 system with two partitions, one system and one data partition for file storage and sharing. You recovered a application compatibility cache entry showing that setmace.exe ran but don't know what was changed. You need to answer the following questions:

1. How can you detect timestamp manipulation via setmace on the system disk
2. How can you detect timestamp manipulation via setmace on the data disk
3. How can you recover what files setmace was pointed at
4. How can you recover what commands were executed

The Winning Answer:

I tried to answer them in order but the answers quickly got mixed together as I thought it would be better to explain my process in order.

1. How can you detect timestamp manipulation via setmace on the system disk
2. How can you detect timestamp manipulation via setmace on the data disk
3. How can you recover what files setmace was pointed at
4. How can you recover what commands were executed

According to your blogpost #130 on Detecting Fraud, "setmace cannot access the physical disk of any system volume, but it can access the physical disk of non system volumes" on Windows Vista/7/8. I would imagine that this is true for Windows 2008 as well as its based on Windows NT 6.x. As a result there wouldn't be any timestamp manipulation via setmace on the system disk.

I would first examine userassist and prefetch to determine if and when setmace has been run.

I would run a keyword search for setmace in an attempt to determine any potential artefacts in slack space. I would examine the pagefile/hiberfil and (hopefully) RAM dump using the processes shown in "Extracting Windows Command Line Details from Physical Memory" and "Restoring Windows CMD sessions from pagefile.sys". This may provide me with clues as to which files were modified. 

I would then create a timeline of activity and look for the low hanging fruit; files with created times when the computer was off, prior to OS or after seizure. This may allow me to determine if setmace has been run on the data disk (as there would be a reference to the drive letter in the command) and may tell me the files that the program was run across.

I am also able to examine the shell artefacts in jumplists/lnk files/shellbags and compare their values with the files on the disk. Any derivations will raise flags as to the accuracy of the timestamps. I would then compare volume shadow copies of the files that have been flagged. I am also able to look for anomalies regarding file access prior to the file being created on the system.

Let's get back to  USN Journal analysis tomorow!

Post a Comment


Author Name

Contact Form


Email *

Message *

Powered by Blogger.