Daily Blog #183: Sunday Funday 12/22/13 Winner!

Sunday Funday by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
      This week an anonymous submitter has won the day, and a 4TB External Hard Drive. It's important to keep track of what changes, especially when it comes to OS's that we may not be dealing with daily yet. This week's answer does a good job of showing some of what's changed, but there is more that you should be aware of. Your greatest challenge in dealing with Windows 8 is just getting all your regular tools to run! With all this said, here is this week's winning answer!

The Challenge:
1. Explain the artifacts of execution you can find on Windows XP and Windows 8

2. For those artifacts that are in the same location for both, explain what differences exist


The Winning Answer:

Program Execution: the following are some of the well-known artifacts one may find on Windows XP/7/8 systems, along with relevant distinctions across the Windows versions:

Application Compatibility Cache: used to determine issues relating to application compatibility with executables; can be used to track executables by file name, size, last modified time and last update time (only in WinXP)
WinXP --> SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\
Win7/8 --> SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\

Jump Lists: unique to Windows 7 and greater; allow users to quickly access frequent/recent selections; can determine first/last time of execution of an application
Win7/8 --> C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Prefetch: used by Microsoft Windows for preloading code pages of often-used applications; can be used to tell if an application has been executed on a system (uses a calculated hash of the directory from which the application was run); may not necessarily be enabled on all systems, as there are discrepancies across Windows versions.
WinXP/Vista/7/8 --> C:\Windows\Prefetch

Last Visited MRU: logs the specific executable called by an application for opening files documented in the OpenSaveMRU key; also tracks the directory location of the last file accessed by an application.
WinXP --> NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Win7/8 --> NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidMRU

RunMRU Start (Run): logs usage of Start -> Run sequence for loading executables
WinXP/7/8 --> NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

UserAssist: tracks GUI-based applications launched from the user's desktop or the launcher on Windows systems
WinXP/7/8 --> NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
Where GUID can be one of the following:
XP --> 75048700 (Active Desktop)
Win7/8
        --> CEBFF5CD (.EXE file execution)
        --> F4E57C4B (Shortcut file execution)
        --> 6D809377 (ProgramFilesX64)
        --> 7C5A40EF (ProgramFilesX86)
        --> 1AC14E77 (System)
        --> D65231B0 (SystemX86)
        --> B4BFCC3A (Desktop)
        --> FDD39AD0 (Documents)
        --> 374DE290 (Downloads)
        --> 0762D272 (User Profiles)

In addition, one can review Windows Event logs for service related information.
Services Events: log of services that were started/stopped; can also identify services that start on boot (ultimately determining the file/executable associated with a service); requires reviewing event logs; the following are the relevant event IDs:
7034 --> Service crashed unexpectedly
7035 --> Service sent a Start/Stop command
7036 --> Service started/stopped
7040 --> Start type changed
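
As an added illustration of how the UserAssist entries listed in the answer above are actually read, here is example code written for this post (not the submitter's or the blog's). It assumes the well-known encoding of that key: value names are ROT13-obfuscated, the Count data is 16 bytes on XP (run count stored with a +5 bias, then a FILETIME) and 72 bytes on Win7/8 (run count at offset 4, last-run FILETIME at offset 60); the sample values it parses are constructed, with only the 8-character GUID prefixes taken from the answer.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# GUID prefixes from the answer above, mapped to what each UserAssist entry records.
USERASSIST_GUIDS = {
    "75048700": "Active Desktop (XP)", "CEBFF5CD": ".EXE file execution",
    "F4E57C4B": "Shortcut file execution", "6D809377": "ProgramFilesX64",
    "7C5A40EF": "ProgramFilesX86", "1AC14E77": "System", "D65231B0": "SystemX86",
    "B4BFCC3A": "Desktop", "FDD39AD0": "Documents", "374DE290": "Downloads",
    "0762D272": "User Profiles",
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; 0 means 'never recorded'."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def parse_userassist(value_name, data, subkey_guid=None):
    """Decode one UserAssist value (ROT13 name + binary Count data).
    The GUID comes from the value name on Win7/8, or from the subkey on XP."""
    name = codecs.decode(value_name, "rot13")
    guid = name[1:9] if name.startswith("{") else (subkey_guid or "")
    if len(data) == 16:    # XP layout: session id, run count (+5 bias), FILETIME
        _, count, ft = struct.unpack("<IIQ", data)
        count = max(count - 5, 0)
    elif len(data) == 72:  # Win7/8 layout: run count at offset 4, FILETIME at offset 60
        count = struct.unpack_from("<I", data, 4)[0]
        ft = struct.unpack_from("<Q", data, 60)[0]
    else:
        raise ValueError("unexpected UserAssist data length %d" % len(data))
    return {"name": name, "kind": USERASSIST_GUIDS.get(guid[:8].upper(), "unknown"),
            "run_count": count, "last_run": filetime_to_utc(ft)}

# --- constructed sample values (placeholders, not taken from a real hive) ---------
def _filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

_last = datetime(2013, 12, 22, tzinfo=timezone.utc)
SAMPLES = [  # (value name as stored, Count data, subkey GUID prefix)
    (codecs.encode("{CEBFF5CD-0000-0000-0000-000000000000}\\notepad.exe", "rot13"),
     struct.pack("<IIII", 7, 3, 2, 1500) + b"\0" * 44
     + struct.pack("<Q", _filetime(_last)) + b"\0" * 4, "CEBFF5CD"),
    (codecs.encode("UEME_RUNPATH:C:\\tools\\calc.exe", "rot13"),   # XP: stored 8 = 3 runs
     struct.pack("<IIQ", 1, 8, _filetime(_last)), "75048700"),
]

def parse_samples():
    return [parse_userassist(n, d, g) for n, d, g in SAMPLES]

if __name__ == "__main__":
    for rec in parse_samples():
        print(rec)
```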

