Daily Blog #583: Sunday Funday 12/30/18 - Syscache.hve File Challenge

Syscache.hve File Challenge by David Cowen - Hacking Exposed Computer Forensics Blog


Hello Reader,
      This will be the first Sunday Funday for 2019, since by the time the submissions are received and judged the winner will be announced in 2019. Let's see what your system monitoring/debugging skills are like.

The Prize:

$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 1/4/19 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:

What processes update the Syscache.hve file on Windows Server 2008 R2?


Daily Blog #582: Solution Saturday 12/29/18 - Syscache Server 2008 R2 Challenge

Syscache Server 2008 R2 Challenge by David Cowen - Hacking Exposed Computer Forensics Blog



Hello Reader,
         Well, no winner this week; I may have pushed a bit far in a holiday week. Tomorrow is the first contest for the new year and we will all have a fresh start.

The Challenge:

On server 2008 r2 how would the following be seen in the syscache and what was logged:

1. Powershell empire agent

2. Meterpreter

3. Mimikatz

The winning answer:

None! I'll make sure to cover this in the test kitchen


Daily Blog #581: Forensic Lunch Test Kitchen 12/28/18 Syscache Applocker and Server 2012

Forensic Lunch Test Kitchen 12/28/18 Syscache Applocker and Server 2012 by David Cowen - Hacking Exposed Computer Forensics Blog



Hello Reader,
         Tonight we booted up a server 2012 VM which is in line with Windows 8.1 looking to see if we could find a syscache hive with and without applocker configured. So far no such luck but we will keep trying.

If you want to watch the video you can do so here:



Daily Blog #580: Applocker and Windows 10



Hello Reader,
          Didn't get started until very late tonight so I didn't do a broadcast, tomorrow though we will for sure. Instead I decided to see if I could get Applocker going on Windows 10 Enterprise since I already have a VM running it. I turned Applocker into audit only mode, made default rules and executed programs and ...

Nothing

So far I haven't had any entries in the event logs or a syscache hive generated, so tomorrow on the stream we will attempt to make this work again and also try this on Server 2012, 2016 and 2019.



Daily Blog #579: The meaning of Syscache.hve

Hello Reader,
     One of the things I've often repeated over the last couple of test kitchens in regards to the Syscache hive is: why does it exist? In earlier googling I thought, based on its location in slide presentations, that it might be involved in the volume shadow copy system, something Maxim Suhanov does not agree with. This left the question, though: what does it relate to?

Well reader, long-time BFF (Best Forensic Friend) Dr. Vico Marziale at BlackBag may have found a pretty huge clue. In his googling, which I must say found things I did not even when searching for keywords that exist in the document, he found a PDF of Legato/EMC NetWorker release notes from July of 2010.

Within these release notes the backup software states:
"The files syscache.hve, syscache.hve.LOG1, and syscache.hve.LOG2 are skipped during backup 

The files syscache.hve, syscache.hve.LOG1, and syscache.hve.LOG2, located in the %systemdrive%\system volume information folder, will be skipped during backup. These hive files are used for maintaining extended data for executable files on the system, such as SRP (Software Restriction Policies) and AppLocker. Microsoft recommends not restoring these files. These files are created from derived data and will be rebuilt over time"

Source: https://nsrd.info/blog/wp-content/uploads/2010/07/NW753_Release.pdf

So the reason this registry hive was placed in the System Volume Information folder could be that the contents of this special folder are not included in shadow copies. Also, Windows AppLocker was introduced in Windows 7 (https://en.wikipedia.org/wiki/AppLocker), which coincides with the creation of the Syscache hive, and it was available in Windows Server 2008 R2 (https://blogs.technet.microsoft.com/askperf/2009/10/19/windows-7-windows-server-2008-r2-applocker/).

The scope of AppLocker includes EXEs, DLLs and scripts:

"AppLocker currently supports the following file extensions:
  • Executables (.exe, .com)
  • Dlls (.ocx, .dll)
  • Scripts (.vbs, .js, .ps1, .cmd, .bat)
  • Windows Installers (.msi, .mst, .msp)
  • Packaged app installers (.appx)"

Note that the above link is for Windows 10, in Windows 7 we have not yet seen powershell scripts get logged. 

So this does appear to be the closest thing we've found to an explanation of why Syscache contains the data that it does. Now we need to find out what happened to the hive in later versions of Windows and what else we can infer from its association.

Tomorrow I plan to return to the test kitchen; I was just having too much fun over the holidays to do one in time tonight.

Daily Blog #578: Merry Christmas 12/25/18

Hello Reader,
        At every major holiday I post a recipe on my wife's advice. She said you would at some point want to read something not technical. So since it's Christmas I thought I would share one of the recipes I've been making for my family and friends.

For a number of years I made Nigella Lawson's Aromatic ham:
https://www.foodnetwork.com/recipes/nigella-lawson/aromatic-spiced-ham-recipe-2015116

If you enjoy ham I do recommend it, as it's fun to make (I like things that involve a lot of steps when cooking) and the final product is quite the table centerpiece. These past few years I've been making the prime rib I posted back in 2013, which you can read here:
https://www.hecfblog.com/2013/12/daily-blog-185-merry-christmas.html

In either case, no matter what religion you follow or not I wish a happy holiday season to you and yours as we prepare to enter what may be a very uncertain new year.

Daily Blog #577: Christmas Eve 12/24/18

Good evening reader,
We are all tucked in and hoping that DFIR Santa is bringing us new artifacts for Christmas. Tomorrow I'll likely be posting a recipe, but I wanted to wish you good tidings and a happy new year!

Daily Blog #576: Sunday funday 12/23/18

Hello Reader,
    Let's finish the year right. The last challenge of 2018 needs to be special.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 12/28/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
On server 2008 r2 how would the following be seen in the syscache and what was logged:
1. Powershell empire agent
2. Meterpreter
3. Mimikatz

Daily Blog #575: Solution Saturday 12/22/18

Hello Reader,
I always love introducing new winners to the community and this week I get my wish. Please congratulate Bastien Lardy with his winning Python DFVFS submission!



The Challenge:
Write a python script using DFVFS that uses the source scanner function to enumerate partitions and shadow copies. It should then provide the ability to extract a file and provide its hash. What additional functionality you decide to add in from there will determine which answer is the most complete. If you need test images to code against consider the Defcon CTF images. 


The winning answer:
This is a python2 (I had issues with python3 and mediator...) script that reads an input disk image and searches (based on full path or regex filters), extracts or computes hash. If shadow copies exist, it will prompt a message whether to process those or not.

Daily Blog #574: Forensic Lunch 12/21/18 Alissa Torres, Dr. Joe Sylve

Hello Reader,
        Today we had another Forensic Lunch! This week we had:


What a great show! You can watch the video here:

Daily Blog #573: Forensic Lunch Test Kitchen 12/20/18 Syscache and Server 2008 R2

Hello Reader,
       Tonight, after finding out from you that the Syscache.hve exists on Server 2008 R2, we switched OSes in our testing and focused on Syscache on Server 2008 R2 and away from Windows 7 for now. Here is what we learned:

  • The Syscache hive exists on an unpatched Server 2008 R2 SP1 system
  • The syscache hive exists even without Amcache coming into existence
  • The syscache hive on server 2008 r2 is catching executables just like Windows 7
  • The syscache hive on server 2008 r2 is committing changes to the registry hive within seconds of the execution
  • The syscache hive on server 2008 r2 includes executions from the Desktop, unlike Windows 7
  • The syscache hive on server 2008 r2 does not appear to be catching bat files like Windows 7, but it does catch any executables the bat file calls

More testing to be done! Tune in tomorrow for the Forensic Lunch and next week for more testing!

You can watch the video here:

Daily Blog #572: Forensic Lunch Test Kitchen 12/19/18 Syscache and Python

Hello Reader,
      Tonight we wrote some python code to recover the full path of the files referenced in the Syscache hive, added in the ProgramID and then viewed the data in Timeline Explorer to see the relation between the executables. We learned:

  • That pytsk does not have an attribute for parent reference number, so we had to extract it from the file name attribute
  • That analyzemft has a great set of example code to pull your unpacks from if you are looking to write your own attribute parser
  • That when I grouped my syscache entries by programID I only had 60+ entries which seems more like just what has been executed on this lightly used VM
  • That there is no entry of any program run directly from my Desktop
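The parent-reference recovery described above, written out as an added example (not the test kitchen's own script): it decodes the parent directory reference and name from the raw bytes of an NTFS $FILE_NAME attribute, the field pytsk would not hand over directly, and walks the references up to the root to rebuild a full path. The attribute layout is the documented NTFS on-disk format; the sample MFT entries, sequence numbers and file names are constructed for the example. The walk also checks that each parent's current sequence number still matches the one the child recorded, so a reused parent entry is reported as a broken chain rather than a wrong path.

```python
#!/usr/bin/env python3
import struct

ROOT_ENTRY = 5  # the NTFS root directory always lives in MFT entry 5


def split_reference(ref):
    """A 64-bit MFT reference packs a 48-bit entry number and a 16-bit sequence."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def parse_file_name_attribute(body):
    """Decode the resident body of an NTFS $FILE_NAME attribute.

    Layout (NTFS on-disk format):
      0x00  parent directory reference (8 bytes, entry + sequence)
      0x08  created / modified / MFT-modified / accessed FILETIMEs (32 bytes)
      0x28  allocated size (8), 0x30 real size (8)
      0x38  flags (4), 0x3C reparse tag / EA size (4)
      0x40  name length in UTF-16 code units (1), 0x41 namespace (1)
      0x42  name, UTF-16LE
    """
    if len(body) < 0x42:
        raise ValueError("short $FILE_NAME body")
    parent_ref = struct.unpack_from("<Q", body, 0x00)[0]
    name_len, namespace = struct.unpack_from("<BB", body, 0x40)
    end = 0x42 + 2 * name_len
    if len(body) < end:
        raise ValueError("name runs past the end of the $FILE_NAME body")
    parent_entry, parent_seq = split_reference(parent_ref)
    return {
        "parent_entry": parent_entry,
        "parent_seq": parent_seq,
        "namespace": namespace,  # 0 POSIX, 1 Win32, 2 DOS, 3 Win32+DOS
        "name": body[0x42:end].decode("utf-16-le"),
    }


def build_file_name_attribute(parent_entry, parent_seq, name, namespace=3):
    """Inverse of the parser; used here only to construct sample attribute bodies.
    Timestamps, sizes and flags are zeroed because the path walk does not read them."""
    encoded = name.encode("utf-16-le")
    return (struct.pack("<Q", (parent_seq << 48) | parent_entry)
            + b"\x00" * 0x38
            + struct.pack("<BB", len(encoded) // 2, namespace)
            + encoded)


def build_full_path(entry, mft):
    """Walk parent references from `entry` up to the root directory.

    `mft` maps entry number -> (current sequence number, $FILE_NAME body).
    Returns None if the chain is broken: a parent is missing, its sequence
    number no longer matches the one the child recorded (the entry was reused),
    or the chain loops.
    """
    parts = []
    current = entry
    visited = set()
    while current != ROOT_ENTRY:
        if current in visited or current not in mft:
            return None
        visited.add(current)
        _seq, body = mft[current]
        fn = parse_file_name_attribute(body)
        parts.append(fn["name"])
        parent = fn["parent_entry"]
        if parent != ROOT_ENTRY:
            if parent not in mft or mft[parent][0] != fn["parent_seq"]:
                return None  # stale reference: parent entry reused or gone
        current = parent
    return "\\" + "\\".join(reversed(parts))


# Constructed sample MFT: entry number -> (sequence, $FILE_NAME body).
SAMPLE_MFT = {
    64:  (1, build_file_name_attribute(ROOT_ENTRY, 5, "Windows")),
    70:  (2, build_file_name_attribute(64, 1, "System32")),
    900: (7, build_file_name_attribute(70, 2, "cmd.exe")),
    # this child recorded parent sequence 9, but entry 70 is now at sequence 2
    901: (3, build_file_name_attribute(70, 9, "stale.exe")),
}

if __name__ == "__main__":
    for sample_entry in (900, 901):
        print(sample_entry, build_full_path(sample_entry, SAMPLE_MFT))
```

With a real image the `mft` mapping would be filled from pytsk by reading each entry's $FILE_NAME attribute bytes; the parser and the walk stay the same.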

You can watch the video here:

Daily Blog #571: Forensic Lunch Test Kitchen 12/18/18 Syscache

Hello Reader,
        Another evening, another test kitchen! Tonight we looked even deeper into the Syscache and we learned:


  • Bat files are recorded in the Syscache hives when executed
  • Bat files and other executables run from the Desktop are not recorded in the Syscache
  • Powershell files (ps1) are not caught in the Syscache hive
  • Deleting a file did not eliminate it from the Syscache hive 
  • Installing a program recorded its installer, but the program did not prepopulate an entry in the Syscache hive
  • Creating a bat file did not pre-populate it in the Syscache hive
You can watch the video here:

Daily Blog #570: Forensic Lunch Test Kitchen 12/17/18 Syscache.hve

Hello Reader,
       Tonight in the Test Kitchen we expanded our testing of the Syscache hive by adding more data from our python script that is matching MFT entries to the Syscache entries. Here is what we learned:
  • The syscache hive seems to record at least exe, dll, bat and cmd files executed
  • The syscache hive like the Amcache hive will store which program by sha1 hash the executable is associated with
  • If there is no associated executable (no MSI installer) it will use the sha1 hash 'da39a3ee5e6b4b0d3255bfef95601890afd80709', which is the empty hash, meaning that, like the Amcache, it is storing information about executables not associated with any MSI-installed program
  • It appears, this needs more testing, that it may record more related executables than the Amcache does when a program is installed/executed

Still much more testing to be done to really make sure we understand what we are really seeing. To be tested:
  1. Installing a program but not executing it, will it appear
  2. Adding full path support to the python script to understand where the associated files are being pulled from
  3. Checking to see if powershell scripts get logged
  4. Looking to see if deletions of programs/executables change the hive
  5. Testing again to see if programs run from the desktop are included

You can watch the video here:

Daily Blog #569: Sunday Funday 12/16/18

Hello Reader,
             Last week I got you searching for DFVFS; this week let's see you program in DFVFS! We've done a lot of different challenges for the Sunday Funday series, so why not continue to mix it up and see what you've learned.

Need some code examples? Look at yesterday's winning answer:
https://www.hecfblog.com/2018/12/daily-blog-568-solution-saturday-121518.html



The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 12/21/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
Write a python script using DFVFS that uses the source scanner function to enumerate partitions and shadow copies. It should then provide the ability to extract a file and provide its hash. What additional functionality you decide to add in from there will determine which answer is the most complete. If you need test images to code against consider the Defcon CTF images. 


Daily Blog #568: Solution Saturday 12/15/18

Hello Reader,
This week I changed up the challenge and you stepped up to the task. This week the master of DFIR knowledge summarization used his skills to pull off a win by one project. Congratulations to Phill Moore (and his baby) for this week's win!



The Challenge:
Find all the projects out there that are making use of DFVFS (https://github.com/log2timeline/dfvfs) with a description of what the code does with it. Let's see if we can find all the possible exemplar code bases out there to help others adopt this framework!

The Winning Answer:

dfVFS, or Digital Forensics Virtual File System, provides read-only access to
file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system
objects, for which it uses several back-ends that provide the actual
implementation of the various storage media types, volume systems and file
systems.


Log2timeline is a tool designed to extract timestamps from various files found on a typical computer system(s) and aggregate them. Plaso documentation
A DFVFS backed viewer project with a WxPython GUI for viewing file systems and file system metadata. Forensic Lunch about it

Allows you to extract a file from forensic images, virtual disks, raw images and live disks, including from volume shadows. Blog posts:
An open source tool set built on dfVFS. Blog post about it

Evidence Fetcher (efetch) is a web-based file explorer, viewer, and analyzer. Efetch supports viewing hundreds of file types including office, registry, PST, image, and SQLite files. Efetch supports navigating RAW, E01, ZIP, GZ, TAR, VMDK, VHD, QCOW, and BZ2 files thanks to dfVFS.
Blog post about it

A tool for when you have a bunch of documents to figure out of. Gransk is an open source tool that aims to be a Swiss army knife of document processing and analysis. Its primary objective is to quickly provide users with insight to their documents during investigations. It includes a processing engine written in Python and a web interface. Under the hood it uses Apache Tika for content extraction, Elasticsearch for data indexing, and dfVFS to unpack disk images.

A Python implementation of VMPOP (Virtual Machine POPulation) framework. dfVFS is used to enable for Data Extraction features

ArtifactExtractor is a script that extracts common Windows artifacts from source images and VSCs.

This program automatically finds provenance related to a file on an image
I’m not exactly sure what that means.

Technically doesn’t use DFVFS, but a long time ago Dave put out a Sunday Funday challenge to automate the installation so I wrote this script. It may not work any more, it worked at the time.

Daily Blog #567: Forensic Lunch 12/14/18

Hello Reader,
         It's the forensic lunch! This broadcast we had Eric Huber talking about his work at the NW3C (National White Collar Crime Center) and his investigations into Cryptocurrencies. I think you'll enjoy it!

You can read Eric's Blog here: http://www.afodblog.com/
You can follow Eric on twitter here: https://twitter.com/ericjhuber
You can learn more about the NW3C here: https://www.nw3c.org/

Watch the video below:

Daily Blog #566: Forensic Lunch Test Kitchen 12/13/18

Hello Reader,
         This was another test kitchen where we mainly got some python code to work and in the end were able to print all of the file names out of the file name attributes for every file referenced in the Syscache hive Object key. This isn't done though, as next week I need to add in the sequence numbers to the checks to make sure I'm looking at the right file.

So next week we will be able to start making some observations about what exactly Syscache is actually tracking.

You can watch me use Eric Zimmerman's new Syscache plugin and write python code to parse the filename attribute here:

Daily Blog #565: Seeing Double (access dates)

Hello Reader,
         Got some medicine today so hopefully I'll be able to stop coughing tomorrow. In the meantime I'd like to point you to some very interesting work Maxim Suhanov is doing. You can read the tweet thread here:

https://twitter.com/errno_fail/status/1073012513187479553


Maxim found that Windows is keeping two last access dates, one on the disk and one in memory, for a single file if Last Access dates are enabled. In the python script below you can see he can actually see the contents of both versions of the timestamp:


#!/usr/bin/env python3

import os
from time import sleep

FILE_PATH = 'ts.txt'


def get_atime_1():
    # Last access time as returned by stat() on the file itself
    result = os.stat(FILE_PATH, follow_symlinks=False)
    return result.st_atime


def get_atime_2():
    # Last access time as seen through the directory listing (scandir)
    for entry in os.scandir('.'):
        if entry.name.lower() == FILE_PATH.lower():
            return entry.stat().st_atime
    return None  # file not present in the directory listing


# Optional delay, to open the file elsewhere before sampling
#print('Starting up...')
#sleep(15)
print(get_atime_1(), get_atime_2())

https://gist.github.com/msuhanov/74fd3c795883e0491277e6e27f2434e3

That to me is fascinating, it looks like one entry is coming from the stat of the file itself while the other is coming from the directory index. This is going to become more testing material in the near future. 

Daily Blog #564: Tool spotlight Artifact Extractor

Hello Reader,
      Well my cough has gotten worse so no test kitchen tonight or else you would mainly hear my coughing. So tonight I thought I would take the time to spotlight one of the tools you could be including in your Sunday Funday submission this week, Artifact Extractor.

You can check it out here:
https://github.com/Silv3rHorn/ArtifactExtractor

What Silv3rHorn has done is create a dfvfs script that will extract, from any supported image source (which is a lot), all of the artifacts specified in the logical volume and the shadow copies.

Check it out and let me know what you think! I'll be giving it a go in future test kitchens.

Daily Blog #563: Forensic Lunch Test Kitchen 12/10/18

Hello Reader,
         Another test kitchen down! This time we went back to the Syscache.hve in Windows 7 trying to understand its limitations and its purpose in the operating system. Here is what we found:

  • Programs executed from the Desktop whether from the command line or GUI were not being inserted into the Syscache.hve
  • Programs executed from a temp directory made on the Desktop were being recorded in the Syscache.hve
  • There are some sysinternals programs that are not being captured at all; these may not need any shimming

You can watch the video here:

Daily Blog #562: Sunday Funday 12/9/18

Hello Reader,
        We've had a lot of different kinds of challenges to attract different people within the community to participate. This week I'm changing the challenge up again to open up who can participate this week in a test of your google and basic code reading skills.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 12/14/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
Find all the projects out there that are making use of DFVFS (https://github.com/log2timeline/dfvfs) with a description of what the code does with it. Let's see if we can find all the possible exemplar code bases out there to help others adopt this framework!

Daily Blog #561: Solution Saturday 12/8/18

Hello Reader,
       Another challenge where a new victor has emerged! One of the great things about these weekly challenges is that they give people within the larger community a chance to show what they've got. This week Zach Stanford has made his mark with his winning submission.

The Challenge:


Document the order that the following shims are executed/data written in Windows 10:
  • Prefetch
  • Shimcache
  • Amcache
  • Userassist
  • SRUM
List the time stamps associated with the entry creation and whatever else you can determine about the order they are called

The Winning Answer:
https://medium.com/@z89127866x/battle-of-the-shims-60fdae38264e

Come back tomorrow for the next week's challenge!

Daily Blog #560: Forensic Lunch 12/7/18

Hello Reader,
        This week we had a Forensic Lunch with Eric Zimmerman! We talked about

You can watch the video here:

Daily Blog #559: Forensic Lunch Test Kitchen 12/6/18

Hello Reader,
  Tonight we tested the new NTFSDisableLastAccessUpdate registry key in Windows 10 1803. Here's what we learned:

  • We learned that reading double negatives can be hard, it turns out my system did have last access dates on (value of 2) as Maxim Suhanov stated as my system drive was <= 128gb in size
  • We learned that drives larger than 128gb in size (my host system) have last access dates off (value of 3)
  • We learned that changing the value from 2 to 3 will be reversed on reboot as system managed really does mean system managed. 
  • We learned that changing the value from 2 to 1 will remain 1 on reboot meaning user managed will not be overruled by the system on reboot.
  • We learned that we will have to double check every system now because as of Windows 10 1803 we may have updated last access dates again!
You can watch the video here:

Daily Blog #558: Forensic Lunch Test Kitchen 12/5/18

Hello Reader,
     Tonight we were testing the Syscache.hve that Maxim Suhanov found in his testing of the Amcache and Recentcache.bcf files, you can read his write up here: https://dfir.ru/2018/12/02/the-cit-database-and-the-syscache-hive/

From our testing tonight here is what we learned:

  • The syscache hive has three indexes
    • The ObjectID key (no relation to $objid) which is inserted into the hive sequentially as new executables are run (we haven't tested executables being prechecked before running)
    • The FileID key which is indexed off of the sequence and entry number of the file being executed
    • The Objectlru which appears to connect the two
  • The ObjectID keys contain the SHA1 hash of the contents of the executable being checked
  • The ObjectID keys contain the MFT reference number of the executable being checked
  • The ObjectID key does not contain the name of the executable, but you can find it by looking up the MFT reference number
  • The Syscache hive appears to be updated quite quickly and is not using the transaction logs to do so 
  • The syscache hive is a Windows 7 feature (haven't tested windows vista) and does not exist in the same location at least in Windows 10
  • The key write time appears to be the time of first check for the current hash, we will change the hash of a known executable to test this behavior tomorrow night
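The ObjectID layout listed above (SHA1 of the executable plus its MFT reference, with the name recovered through the MFT) and the empty-hash observation in Daily Blog #570 are the two pieces an analyst has to join. The following is an added example, not the test kitchen's code or a parser of the real hive: the record field names `mft_ref`, `sha1` and `program_sha1` are assumed stand-ins for the values the post describes, and the records and the "live file" table are constructed. It splits each reference into entry and sequence, resolves it against the live table (the role the MFT plays), recomputes the SHA1 of what is on disk now, and reports whether the content still matches what was hashed when Syscache checked it, is changed, or is gone; records whose program hash is the empty SHA1 are flagged as standalone, i.e. not tied to an MSI-installed program.

```python
#!/usr/bin/env python3
import hashlib

EMPTY_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"  # SHA1 of zero bytes


def split_reference(ref):
    """48-bit MFT entry number plus 16-bit sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def correlate(records, live_files):
    """Resolve each Syscache-style record to a file and check its hash.

    records: list of dicts modelled on the ObjectID keys described in the
      post (field names assumed): 'mft_ref' (64-bit reference), 'sha1' (hash
      of the executable when checked) and 'program_sha1' (hash of the
      installed program it belongs to, EMPTY_SHA1 when there is none).
    live_files: (entry, sequence) -> (path, bytes), standing in for the
      MFT lookup the test kitchen did with pytsk.
    """
    results = []
    for rec in records:
        entry, seq = split_reference(rec["mft_ref"])
        hit = live_files.get((entry, seq))
        if hit is None:
            path, status = None, "missing"  # deleted, or entry reused under a new sequence
        else:
            path, data = hit
            status = "match" if sha1_hex(data) == rec["sha1"] else "changed"
        results.append({
            "object_id": rec["object_id"],
            "entry": entry,
            "sequence": seq,
            "path": path,
            "status": status,
            "standalone": rec["program_sha1"] == EMPTY_SHA1,
        })
    return results


# Constructed sample data: what is on disk now, keyed by (entry, sequence).
SAMPLE_FILES = {
    (900, 7): ("\\Windows\\System32\\cmd.exe", b"MZ cmd sample"),
    (1200, 2): ("\\Users\\dave\\Downloads\\tool.exe", b"MZ tool sample v2"),
}

# Constructed sample records in the shape the post describes.
SAMPLE_RECORDS = [
    {"object_id": 1, "mft_ref": (7 << 48) | 900,
     "sha1": sha1_hex(b"MZ cmd sample"),
     "program_sha1": sha1_hex(b"MZ installer sample")},
    # hash was recorded for the v1 bytes; the file on disk is now v2
    {"object_id": 2, "mft_ref": (2 << 48) | 1200,
     "sha1": sha1_hex(b"MZ tool sample v1"), "program_sha1": EMPTY_SHA1},
    # nothing lives at entry 1350 sequence 4 any more
    {"object_id": 3, "mft_ref": (4 << 48) | 1350,
     "sha1": sha1_hex(b"MZ gone"), "program_sha1": EMPTY_SHA1},
]

if __name__ == "__main__":
    for row in correlate(SAMPLE_RECORDS, SAMPLE_FILES):
        print(row)
```

A "changed" result is the interesting one for an investigator: the key's SHA1 was taken when the file was first checked, so a mismatch means the binary at that MFT entry was replaced or modified after Syscache saw it.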
You can watch the video here:

Daily Blog #557: Changes in the NtfsDisableLastAccessUpdate key

Update 12/6/18: It turns out that my test system had a system volume smaller than 128gb in size meaning the last access dates were enabled (setting 2). According to @errno_faiil (Maxim Suhanov) if my system driver was larger than 128gb then the last access dates would be disabled (setting 3).

Want to know more? Watch this video: https://www.youtube.com/watch?v=yHG6MEH99Z0

Hello Reader,
        It looks like as of at least Windows 10 1803 a new change has come to an old registry key. The NtfsDisableLastAccessUpdate key found in 'SYSTEM\CurrentControlSet\Control\FileSystem' is no longer just a true/false 1/0 value. It now has four possible values stating how the access dates in NTFS were enabled or disabled.

Looking at my laptop's registry I can see the following value is currently set:

which leads to the question of... what does 80000002 mean? Luckily fsutil will translate the current value for us:


So the 8 appears to be some kind of upper bit masking while the 2 is the value set letting us know that NTFS Access updates are currently disabled by system policy.

Checking the set behavior command in fsutil shows us all the possible documented options:

As you can see we've moved from two possible states (on/off, true/false, 0/1) to four. The system is now tracking whether the user or the system has enabled or disabled last access dates in NTFS.

Why? I have no idea currently but it certainly does add more context to the decision. So all of you who have tools that interpret this value will need to update your tools!
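For the tool updates mentioned above, and for the value meanings worked out in the 12/6/18 test kitchen, here is an added example decoder (mine, not from the blog or any tool the post names). It masks off the high bit that turns 2 into the 80000002 seen in the registry, reports it separately, and maps the low bits to user/system managed and enabled/disabled, using the corrected meaning from the 12/6 update (2 = system managed with updates enabled, 3 = system managed with updates disabled). The `read_live_value` helper only runs on Windows; everywhere else the sample values are decoded instead.

```python
#!/usr/bin/env python3
import sys

HIGH_BIT = 0x80000000  # the leading 8 in the 0x80000002 shown in the post

# Low-bit meanings on Windows 10 1803 and later: (managed by, updates enabled)
MEANINGS = {
    0: ("user", True),
    1: ("user", False),
    2: ("system", True),
    3: ("system", False),
}


def decode_disable_last_access(raw):
    """Interpret NtfsDisableLastAccessUpdate, old and new style.

    Pre-1803 the value was 0 (updates on) or 1 (updates off). From 1803 the
    low two bits say whether last access updates are on and whether the
    user or the system made that choice; the high bit is reported as-is.
    Returns None for anything outside the documented range.
    """
    high_bit = bool(raw & HIGH_BIT)
    code = raw & 0x7FFFFFFF
    if code not in MEANINGS:
        return None
    managed_by, enabled = MEANINGS[code]
    return {
        "raw": raw,
        "code": code,
        "managed_by": managed_by,
        "last_access_updates_enabled": enabled,
        "high_bit_set": high_bit,
        # with updates off, a file's last access date only says it was
        # touched at least once, not when it was last read
        "access_times_reliable": enabled,
    }


def read_live_value():
    """Read the key from the running Windows system; None on other platforms."""
    if not sys.platform.startswith("win"):
        return None
    import winreg
    key_path = r"SYSTEM\CurrentControlSet\Control\FileSystem"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _kind = winreg.QueryValueEx(key, "NtfsDisableLastAccessUpdate")
    return value


if __name__ == "__main__":
    live = read_live_value()
    # constructed sample values when not on Windows
    samples = [live] if live is not None else [0x80000002, 0x80000003, 1, 0x80000007]
    for sample in samples:
        print(hex(sample), decode_disable_last_access(sample))
```

For offline work the same function takes the DWORD pulled from a SYSTEM hive by whatever registry parser you already use; the decoding does not depend on where the value came from.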



Daily Blog #556: NCCDC Red Team Call for Volunteers

Hello Reader,
         It's coming around to CCDC competition time for much of the United States; some schools are already in invitationals. This is the yearly call for volunteers for the NCCDC red team. If you have the following to bring to the table:


  • Custom malware
  • Custom command and control 
  • An active Github repository 
  • The ability to lay low and persist with an active defender
If so, email your CV to volunteer@nccdc.org. Spots are limited each year for volunteers and we hope to hear from you.

Daily Blog #555: Sunday Funday 12/2/18

Hello Reader,
             We've had some great research coming out by working together. This weeks challenge is less about trying something new, and more about trying to understand more about what we already know.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 12/7/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
Document the order that the following shims are executed/data written in Windows 10:
  • Prefetch
  • Shimcache
  • Amcache
  • Userassist
  • SRUM
List the time stamps associated with the entry creation and whatever else you can determine about the order they are called