2018

@night 1803 access accessdata active directory admissibility ads aduc aim aix ajax alissa torres amcache analysis anjp anssi answer key antiforensics apfs appcompat appcompatflags applocker april fools argparse arman gungor arsenal artifact extractor attachments attacker tools austin automating automation awards aws azure azuread back to basics backstage base16 best finds beta bias bitcoin bitlocker blackbag blackberry enterprise server blackhat blacklight blade blanche lagny book book review brute force bsides bulk extractor c2 carved carving case ccdc cd burning ceic cfp challenge champlain chat logs Christmas Christmas eve chrome cit client info cloud forensics command line computer forensics computername conference schedule consulting contest cool tools. tips copy and paste coreanalytics cortana court approved credentials cryptocurrency ctf cti summit cut and paste cyberbox Daily Blog dbir deep freeze defcon defender ata deviceclasses dfa dfir dfir automation dfir exposed dfir in 120 seconds dfir indepth dfir review dfir summit dfir wizard dfrws dfvfs dingo stole my baby directories directory dirty file system disablelastaccess discount download dropbox dvd burning e01 elastic search elcomsoft elevated email recovery email searching emdmgmt Encyclopedia Forensica enfuse eric huber es eshandler esxi evalexperience event log event logs evidence execution exfat ext3 ext4 extended mapi external drives f-response factory access mode false positive fat fde firefox for408 for498 for500 for526 for668 forenisc toolkit forensic 4cast forensic lunch forensic soundness forensic tips fraud free fsutil ftk ftk 2 full disk encryption future gcfe gcp github go bag golden ticket google gsuite guardduty gui hackthebox hal pomeranz hashlib hfs honeypot honeypots how does it work how i use it how to howto IE10 imaging incident response indepth information theft infosec pro guide intern internetusername Interview ios ip theft iphone ir itunes encrypted backups jailbreak jeddah jessica hyde joe sylve journals json jump lists kali kape kevin stokes kibana knowledgec korman labs lance mueller last access last logon leanpub libtsk libvshadow linux linux-3g live systems lnk files log analysis log2timeline login logs london love notes lznt1 mac mac_apt macmini magnet magnet user summit mathias fuchs md viewer memorial day memory forensics metaspike mft mftecmd mhn microsoft milestones mimikatz missing features mlocate mobile devices mojave mount mtp multiboot usb mus mus 2019 mus2019 nccdc netanalysis netbios netflow new book new years eve new years resolutions nominations nosql notifications ntfs ntfsdisablelastaccessupdate nuc nw3c objectid offensive forensics office office 2016 office 365 oleg skilkin osx outlook outlook web access owa packetsled paladin path specification pdf perl persistence pfic plists posix powerforensics powerpoint powershell prefetch psexec py2exe pyewf pyinstaller python pytsk rallysecurity raw images rdp re-c re-creation testing reader project recipes recon recursive hashing recycle bin redteam regipy registry registry explorer registry recon regripper remote research reverse engineering rhel rootless runas sample images san diego SANS sans dfir summit saturday Saturday reading sbe sccm scrap files search server 2008 server 2008 r2 server 2012 server 2019 setmace setupapi sha1 shadowkit shadows shell items shellbags shimcache silv3rhorn skull canyon skype slow down smb solution solution saturday sop speed sponsors sqlite srum ssd stage 1 stories storport sunday funday swgde syscache system t2 takeout telemetry temporary files test kitchen thanksgiving threat intel timeline times timestamps timestomp timezone tool tool testing training transaction logs triage triforce truecrypt tsk tun naung tutorial typed paths typedpaths uac unc understanding unicorn unified logs unread updates usb usb detective usbstor user assist userassist usnjrnl validation vhd video video blog videopost vlive vmug vmware volatility vote vss web2.0 webcast webinar webmail weekend reading what are you missing what did they take what don't we know What I wish I knew whitfield windows windows 10 windows 2008 windows 7 windows forensics windows server winfe winfe lite wmi write head xboot xfs xways yarp yogesh zimmerman zone.identifier

December 30, 2018 1 , ,
Hello Reader,
      This will be the first Sunday Funday for 2019 since when the submissions are received and judged the winner will be announced in 2019. Let's see what your system monitoring/debugging skills are like.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 1/4/19 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post


The Challenge:
What processes update the Syscache.hve file on Windows Server 2008 R2?
Read more »

December 29, 2018 ,
Hello Reader,
         Well no winner this week, I may have pushed a bit far in a holiday week. Tomorrow is the first contest for the new year and we will all have a fresh start.

The Challenge:
On server 2008 r2 how would the following be seen in the syscache and what was logged:
1. Powershell empire agent
2. Meterpeter
3. Mimikatz

 The winning answer:
None! I'll make sure to cover this in the test kitchen
Read more »

December 28, 2018 , ,
Hello Reader,
          Didn't get started until very late tonight so I didn't do a broadcast, tomorrow though we will for sure. Instead I decided to see if I could get Applocker going on Windows 10 Enterprise since I already have a VM running it. I turned Applocker into audit only mode, made default rules and executed programs and ...

Nothing

So far I haven't had any entries in the event logs or a syscache hive generated, so tomorrow on the stream we will attempt to make this work again and also try this on Sever 2012, 2016 and 2019.


Read more »

December 26, 2018 , , ,
Hello Reader,
     One of the things I've often repeated the last couple of test kitchens in regards to the Syscache hive is why does it exist. In earlier googling I thought based on its locations in slide presentations that it might be involved in the volume shadow copy system, something Maxim Suhanov does not agree with. This left the question though, what does it relate to?

Well reader long time BFF (Best Forensic Friend) Dr. Vico Marziale at blackbag may have found a pretty huge clue. In his googling, which I must say found things I did not even when searching keywords that existed in the document, found a pdf from Legato/EMC networker release notes form July of 2010.

Within these release notes the backup software states:
"The files syscache.hve, syscache.hve.LOG1, and syscache.hve.LOG2 are skipped during backup 

 The files syscache.hve, syscache.hve.LOG1, and syscache.hve.LOG2, located in the %systemdrive%\system volume information folder, will be skipped during backup. These hive files are used for maintaining extended data for executable files on the system, such as SRP (Software Restriction Policies) and AppLocker. Microsoft recommends not restoring these files. These files are created from derived data and will be rebuilt over time"

 Source: https://nsrd.info/blog/wp-content/uploads/2010/07/NW753_Release.pdf

So the reason this registry hive was placed in the System Volume Information folder could be that the contents of this special folder are not included in shadow copies. Also Windows Applocker was introduced in Windows 7 (https://en.wikipedia.org/wiki/AppLocker) which coincides with creation of the Syscache hive and was available in Windows Server 2008 R2:(https://blogs.technet.microsoft.com/askperf/2009/10/19/windows-7-windows-server-2008-r2-applocker/)

The included scope of Applocker includes Exes, DLL's and Scripts:

"AppLocker currently supports the following file extensions:
  • Executables (.exe, .com)
  • Dlls (.ocx, .dll)
  • Scripts (.vbs, .js, .ps1, .cmd, .bat)
  • Windows Installers (.msi, .mst, .msp)
  • Packaged app installers (.appx)"

Note that the above link is for Windows 10, in Windows 7 we have not yet seen powershell scripts get logged. 

So this does appear to be the closest thing we've found to a explanation of why Syscache contains the data that it does. Now we need to find out what happened to the hive in later versions of Windows and what else we can infer from its association. 

Tomorrow I plan to return to the test kitchen, just having to much fun over the holidays to do one in time tonight. 
Read more »

December 25, 2018 , ,
Hello Reader,
        At every major holiday I post a recipe on my wife's advice. She said you would at some point want to read something not technical. So since it's Christmas I thought I would share one of the recipes I've been making for my family and friends.

For a number of years I made Nigella Lawson's Aromatic ham:
https://www.foodnetwork.com/recipes/nigella-lawson/aromatic-spiced-ham-recipe-2015116

If you enjoy ham I do recommend it as its fun to make, I like things that involve alot of steps when cooking, and the final product is quite the table centerpiece. These past few years I've been making the prime rib I posted back in 2013 which you can read here:
https://www.hecfblog.com/2013/12/daily-blog-185-merry-christmas.html

In either case, no matter what religion you follow or not I wish a happy holiday season to you and yours as we prepare to enter what may be a very uncertain new year.
Read more »

December 23, 2018 ,
Hello Reader,
    Let's finish the year right. The last challenge of 2018 needs to be special.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 12/28/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post


The Challenge:
On server 2008 r2 how would the following be seen in the syscache and what was logged:
1. Powershell empire agent
2. Meterpeter
3. Mimikatz
Read more »

December 22, 2018 , , , ,
Hello Reader,
I always love introducing new winners to the community and this week I get my wish. Please congratulate Bastien Lardy with his winning Python DFVFS submission!



The Challenge:
Write a python script using DFVFS that uses the source scanner function to enumerate partitions and shadow copies. It should then provide the ability to extract a file and provide its hash. What additional functionality you decide to add in from there will determine which answer is the most complete. If you need test images to code against consider the Defcon CTF images. 


The winning answer:
This is a python2 (I had issue with python3 and mediator...) script that reads an input disk image and searches (based on full path or regex filters), extracts or computes hash. If shadow copies exist, it will prompt a message whether to process those or not.

https://github.com/blardy/dfvfs_extractor
Read more »

December 21, 2018 1 , , , , , , , , , ,
Hello Reader,
        Today we had another Forensic Lunch! This week we had:


What a great show! You can watch the video here:

Read more »

December 20, 2018 , , , , , ,
Hello Reader,
       Tonight after finding out from you that the Syscache.hve exists on Server 2008 R2 we switched OS's in our testing and focused on Syscahe on Server 2008 R2 and away from Windows 7 for now. Here is what we learned:

  • The Syscache hive exists on an unpatched Server 2008 R2 SP1 system
  • The syscache hive exists even without Amcache coming into existence
  • The syscache hive on server 2008 r2 is catching executables just like Windows 7
  • The syscache hive on server 2008 r2 is committing changes to the registry hive within seconds of the execution
  • The syscache hive on server 2008 r2 includes executions from the Desktop, unlike Windows 7
  • The syscache hive on server 2008 r2 does not appear to be catching bat files like Windows 7 but does catch and executables the bat file calls

More testing to be done! Tune in tomorrow for the Forensic Lunch and next week for more testing!

You can watch the video here:

Read more »

December 19, 2018 , , , ,
Hello Reader,
      Tonight we wrote some python code to recover the full path of the files referenced in the Syscache hive, added in the ProgramID and then viewed the data in Timeline Explorer to see the relation between the executables. We learned:

  • That pytsk does not have an attribute for parent reference number, so we had to extract it from the file name attribute
  • That analyzemft has a great set of example code to pull your unpack's from if you are looking to write your own attribute parser
  • That when I grouped my syscache entries by programID I only had 60+ entries which seems more like just what has been executed on this lightly used VM
  • That there is no entry of any program run directly from my Desktop

You can watch the video here:

Read more »

December 18, 2018 , , ,
Hello Reader,
        Another evening, another test kitchen! Tonight we looked even deeper into the Syscache and we learned:


  • Bat files are recorded in the Syscache hives when executed
  • Bat files and other executables run from the Desktop are not recorded in the Syscache
  • Powershell files (ps1) are not caught in the Syscache hive
  • Deleting a file did not eliminate it from the Syscache hive 
  • Installing a program recorded its installer, but the program did not prepopulate an entry in the Syscache hive
  • Creating a bat file did not pre-populate it in the Syscache hive
You can watch the video here:

Read more »

December 17, 2018 , , , ,
Hello Reader,
       Tonight in the Test Kitchen we expanded our testing of the Syscache hive by adding more data from our python script that is matching MFT entries to the Syscache entries. Here is what we learned:
  • The syscache hive seems to record atleast exe, dll, bat and cmd files executed
  • The syscache hive like the Amcache hive will store which program by sha1 hash the executable is associated with
  • If there is no associated executable (no MSI installer) it will use the sha1 hash 'da39a3ee5e6b4b0d3255bfef95601890afd80709' which is the empty hash. Meaning like the Amcache it is storing information about executables not associated with any MSI installed program
  • It appears, this needs more testing, that it may record more related executables than the Amcache does when a program is installed/executed

Still much more testing to be done to really make sure we understand what we are really seeing. To  be tested:
  1. Installing a program but not executing it, will it appear
  2. Adding full path support to the python script to understand where the associated files are being pulled from
  3. Checking to see if powershell scripts get logged
  4. Looking to see if deletions of programs/executables change the hive
  5. Testing again to see if programs run from the desktop are include

You can watch the video here:

Read more »

December 16, 2018 , ,
Hello Reader,
             Last week I got you searching for DFVFS, this weeks let's see you program in DFVFS! We've done a lot of different challenges for the Sunday Funday series so why not continue to mix it up and see what you've learned.

Need some code examples? Look at yesterdays winning answer:
https://www.hecfblog.com/2018/12/daily-blog-568-solution-saturday-121518.html



The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 12/21/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post


The Challenge:
Write a python script using DFVFS that uses the source scanner function to enumerate partitions and shadow copies. It should then provide the ability to extract a file and provide its hash. What additional functionality you decide to add in from there will determine which answer is the most complete. If you need test images to code against consider the Defcon CTF images. 


Read more »

December 15, 2018 3 , , ,
Hello Reader,
This week I changed up the challenge and you stepped up to the task. This week the master of DFIR knowledge summarization used his skills to pull of a win by one project. Congratulations to Phill Moore (and his baby) for this weeks win!



The Challenge:
Find all the projects out there that are making use of DFVFS (https://github.com/log2timeline/dfvfs) with a description of what the code does with it. Let's see if we can find all the possible exemplar code bases out there to help others adopt this framework!

The Winning Answer:

dfVFS, or Digital Forensics Virtual File System, provides read-only access to
file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system
objects, for which it uses several back-ends that provide the actual
implementation of the various storage media types, volume systems and file
systems.


Log2timeline is a tool designed to extract timestamps from various files found on a typical computer system(s) and aggregate them. Plaso documentation
A DFVFS backed viewer project with a WxPython GUI for viewing file systems and file system metadata. Forensic Lunch about it

Allows you to extract a file from forensic images, virtual disks, raw images and live disks, including from volume shadows. Blog posts:
An open source tool set built on dfVFS. Blog post about it

Evidence Fetcher (efetch) is a web-based file explorer, viewer, and analyzer. Efetch supports viewing hundreds of file types including office, registry, PST, image, and SQLite files. Efetch supports navigating RAW, E01, ZIP, GZ, TAR, VMDK, VHD, QCOW, and BZ2 files thanks to dfVFS.
Blog post about it

A tool for when you have a bunch of documents to figure out of. Gransk is an open source tool that aims to be a Swiss army knife of document processing and analysis. Its primary objective is to quikly provide users with insight to their documents during investigations. It includes a processing engine written in Python and a web interface. Under the hood it uses Apache Tika for content extraction, Elasticsearch for data indexing, and dfVFS to unpack disk images.

A Python implementation of VMPOP (Virtual Machine POPulation) framework. dfVFS is used to enable for Data Extraction features

ArtifactExtractor is a script that extracts common Windows artifacts from source images and VSCs.

This program automatically finds provenance related to a file on an image
I’m not exactly sure what that means.

Technically doesn’t use DFVFS, but a long time ago Dave put out a Sunday Funday challenge to automate the installation so I wrote this script. It may not work any more, it worked at the time.
Read more »

December 14, 2018 , , , , ,
Hello Reader,
         It's the forensic lunch! This broadcast we had Eric Huber talking about his work at the NW3C (National White Collar Crime Center) and his investigations into Cryptocurrencies. I think you'll enjoy it!

You can read Eric's Blog here:http://www.afodblog.com/
You can follow Eric on twitter here: https://twitter.com/ericjhuber
You can learn more about the NW3C here: https://www.nw3c.org/

Watch the video below:

Read more »

December 13, 2018 , , , , ,
Hello Reader,
         This was another test kitchen were we mainly got some python code to work and in the end were able to print all of the file name's out of the file name attributes for every file referenced in the Syscache hive Object key. This isn't done though as next week I need to add in the sequence numbers to the checks to make sure I'm looking at the right file.

So next week we will be able to start making some observations about what exactly Syscache is actually tracking.

You can watch me use Eric Zimmerman's new Syscache plugin and write python code to parse the filename attribute here:

Read more »

December 12, 2018 16 ,
Hello Reader,
         Got some medicine today so hopefully I'll be able to stop coughing tomorrow. In the meantime I'd like to point you to some very interesting work Maxim Suhanov is doing. You can read the tweet thread here:

https://twitter.com/errno_fail/status/1073012513187479553


Maxim found that Windows is keeping two last access dates, one on the disk and one in memory for a single file if Last Access dates are enabled. In the below python script you can see he can actually see the contents of both version of the timestamp:


#!/usr/bin/env python3

import os
from time import sleep

FILE_PATH = 'ts.txt'

def get_atime_1():
 result = os.stat(FILE_PATH, follow_symlinks = False)
 return result.st_atime

def get_atime_2():
 for entry in os.scandir('.'):
  if entry.name.lower() == FILE_PATH.lower():
   return entry.stat().st_atime

#print('Starting up...')
#sleep(15)
print(get_atime_1(), get_atime_2())

https://gist.github.com/msuhanov/74fd3c795883e0491277e6e27f2434e3

That to me is fascinating, it looks like one entry is coming from the stat of the file itself while the other is coming from the directory index. This is going to become more testing material in the near future. 
Read more »

December 11, 2018 , , ,
Hello Reader,
      Well my cough has gotten worse so no test kitchen tonight or else you would mainly hear my coughing. So tonight I thought I would take the time to spotlight one of the tools you could be including in your Sunday Funday submission this week, Artifact Extractor.

You can check it out here:
https://github.com/Silv3rHorn/ArtifactExtractor

What Silv3rHorn has done is create a dfvfs script that will extract from any support image source (which is alot) all of the artifacts specified in the logical volume and the shadow copies.

Check it out and let me know what you think! I'll be using it in future test kitchens to give a go. 
Read more »

December 10, 2018 , , , ,
Hello Reader,
         Another test kitchen down! This time we went back to the Syscache.hve in Windows 7 trying to understand its limitations and its purpose in the operating system. Here is what we found:

  • Programs executed from the Desktop whether from the command line or GUI were not being inserted into the Syscache.hve
  • Programs executed from a temp directory made on the Desktop were being recorded in the Syscache.hve
  • There are some sysinternals programs that are not being captured at all, these may not need any shiming

You can watch the video here:

Read more »

December 09, 2018 , ,
Hello Reader,
        We've had a lot of different kinds of challenges to attract different people within the community to participate. This week I'm changing the challenge up again to open up who can participate this week in a test of your google and basic code reading skills.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 12/14/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post


The Challenge:
Find all the projects out there that are making use of DFVFS (https://github.com/log2timeline/dfvfs) with a description of what the code does with it. Let's see if we can find all the possible exemplar code bases out there to help others adopt this framework!
Read more »

December 08, 2018 , , , , , , ,
Hello Reader,
       Another challenge where a new victor has emerged! One of the great things about these weekly challenges is that let's people within the larger community a chance to show what they got. This week Zach Stanford has made his mark with his winning submission.

The Challenge:


Document the order that the following shims are executed/data written in Windows 10:
  • Prefetch
  • Shimcache
  • Amcache
  • Userassist
  • SRUM
List the time stamps associated with the entry creation and whatever else you can determine about the order they are called

The Winning Answer:
https://medium.com/@z89127866x/battle-of-the-shims-60fdae38264e

Come back tomorrow for the next week's challenge!
Read more »

December 08, 2018 , , ,
Hello Reader,
        This week we had a Forensic Lunch with Eric Zimmerman! We talked about

You can watch the video here:

Read more »

December 06, 2018 , , , , ,
Hello Reader,
  Tonight we tested the new NTFSDisableLastAccessUpdate registry key in Windows 10 1803. Here's what we learned:

  • We learned that reading double negatives can be hard, it turns out my system did have last access dates on (value of 2) as Maxim Suhanov stated as my system drive was <= 128gb in size
  • We learned that drives larger than 128gb in size (my host system) have last access dates off (value of 3)
  • We learned that changing the value from 2 to 3 will be reversed on reboot as system managed really does mean system managed. 
  • We learned that changing the value from 2 to 1 will remain 1 on reboot meaning user managed will not be overruled by the system on reboot.
  • We learned that we will have to double check every system now because as of Windows 10 1803 we may have updated last access dates again!
You can watch the video here:

Read more »

December 05, 2018 , , ,
Hello Reader,
     Tonight we were testing the Syscache.hve that Maxim Suhanov found in his testing of the Amcache and Recentcache.bcf files, you can read his write up here: https://dfir.ru/2018/12/02/the-cit-database-and-the-syscache-hive/

From our testing tonight here is what we learned:

  • The syscache hive has three indexes
    • The ObjectID key (no relation to $objid) which is inserted into the hive sequentially as new executables are run (we haven't tested executables being prechecked before running)
    • The FileID key which is indexed off of the sequence and entry number of the file being executed
    • The Objectlru which appears to connect the two
  • The ObjectID keys contain the SHA1 hash of the contents of the executable being checked
  • The ObjectID keys contain the MFT reference number of the executable being checked
  • The ObjectID key does not contain the name of the executable, but you can find it by looking up the MFT reference number
  • The Syscache hive appears to be updated quite quickly and is not using the transaction logs to do so 
  • The syscache hive is a Windows 7 feature (haven't tested windows vista) and does not exist in the same location at least in Windows 10
  • The key write time appears to be the time of first check for the current hash, we will change the hash of a known executable to test this behavior tomorrow night
You can watch the video here:

Read more »

December 04, 2018 4 , , , , , ,
Update 12/6/18: It turns out that my test system had a system volume smaller than 128gb in size meaning the last access dates were enabled (setting 2). According to @errno_faiil (Maxim Suhanov) if my system driver was larger than 128gb then the last access dates would be disabled (setting 3).

Want to know more? Watch this video: https://www.youtube.com/watch?v=yHG6MEH99Z0

Hello Reader,
        It looks like as of at least Windows 10 1803 a new change has come to an old registry key. The NtfsDisableLastAccessUpdate key found in 'SYSTEM\CurrentControlSet\Control\FileSystem' no longer is just a true/false 1/0 value. It now has four possible values stating how the access dates in NTFS were enabled or disabled.

Looking at my laptop's registry I can see the following value is currently set:

which leads to the question of... what does 80000002 mean? Luckily fsutil will translate the current value for us:


So the 8 appears to be some kind of upper bit masking while the 2 is the value set letting us know that NTFS Access updates are currently disabled by system policy.

Checking the set behavior command in fsutil shows us all the possible documented options:

As you can see we've moved from two possible states (on/off, true/false, 0/1) to four. The system is now tracking if the user or the system has enabled or disable last access dates in NTFS.

Why? I have no idea currently but it certainly does add more context to the decision. So all of you who have tools that interpret this value will need to update your tools!



Read more »

December 04, 2018 , ,
Hello Reader,
         It's coming around to CCDC competition time for much the of the United States, some schools are already in invitationals. This is the yearly call for volunteers for the NCCDC red team. If you have the following to bring to the table:


  • Custom malware
  • Custom command and control 
  • An active Github repository 
  • The ability to lay low and persist with an active defender
If so, email your cv to volunteer@nccdc.org Spots are limited each year for volunteers and we hope to hear from you. 
Read more »

December 02, 2018 , ,
Hello Reader,
             We've had some great research coming out by working together. This weeks challenge is less about trying something new, and more about trying to understand more about what we already know.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 12/7/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post


The Challenge:
Document the order that the following shims are executed/data written in Windows 10:
  • Prefetch
  • Shimcache
  • Amcache
  • Userassist
  • SRUM
List the time stamps associated with the entry creation and whatever else you can determine about the order they are called
Read more »

December 01, 2018 , , ,
Hello Reader,
        This week we have a clear winner with Maxim Suhanov not only answering the question but finding a new artifact and writing a proof of concept extractor for it in the process!

The Challenge:
On a  Windows 7 system how long does it take for a new gui executable to appear in the Amcache. What can you do if anything to force the executable to appear in the amcache hive. 

The Winning Answer:
Maxim Suhanov (@errno_fail)

Read more »

November 30, 2018 ,
Hello Reader,
         We had a forensic lunch today! It was just Matt and I as all of our scheduled guests had to reschedule but we made the most of our time. Thanks for those of you who tuned in live and expect Forensic Lunch to return in December on:


December 7th, 2018 at Noon CST
December 14th, 2018 at Noon CST

Matt and I talked about:

I'm behind on podcast uploads again, I'll get that fixed. 

You can watch the video here:

Read more »

November 29, 2018 , , , , , , , ,
Hello Reader,
       Tonight we tested out Maxim Suhanov's YARP library and his provided script to extract and decompress the LZNT1 compressed keys in the CIT\System key we talked about last night.

Here is what we learned:

  • YARP is a great python registry library, clearly I'm just scratching the surface of what it can do
  • LZNT1 requires a minimum chunk size equal to the cluster size of the ntfs drive to decompress data
  • The CIT\System key on my test system had two values to be decompressed
  • The first value appears to contain system executables
  • The second value appears to contain user executables
  • There is some overlap between the CIT\System key and the recentfilecache.bcf
  • The CIT\System key refers to the recentfilecache.bcf file
  • The CIT\System key contained calls to rundll with parameters

You can watch the video here:

Read more »

November 28, 2018 , , , ,
Hello Reader,
       Tonight we had a test kitchen with ups and downs as some things worked and others didn't. Here's what we learned:


  • All of the lznt1 libraries we tried to decompress the system binary registry entries Maxim Suhanov found failed
  • YARP has support for the lznt1 format used in the registry, I've downloaded it and we will use it tomorrow
  • The Windows 7 Amcache can be manually updated by running the scheduled task, but otherwise will not be updated until the scheduled task runs
  • The last write date of the key in the Amcache in Windows 7 has nothing to do with execution time, its just when the scheduled task ran
  • Like Windows 10 the Windows 7 Amcache will scan any executable on the desktop and insert it into the Amcache even if it wasn't executed
More tomorrow night!

Here is the video:

Read more »

November 27, 2018 , , , , ,
Hello Reader,
       Tonight we reached another conclusion on our road to understanding of the Amcache hive.
Here is what we learned:

  • As Maxim Suhanov pointed out on twitter for Windows 7 there is a schedule task called 'Microsoft Compability Appraiser' that runs every night and updates the Amcache
  • On Windows 10 that same task exists but the Amcache is updated after GUI executions 
  • Non executed programs in the Desktop, at least, are added when the scheduled task runs
  • If a program is modified and its hash changed the new entry will be updated when the schedule task runs again, not when the program is executed
  • There is a registry key in the SOFTWARE hive that Maxim found that appears to contain compressed appcompat data in Windows 7, in Windows 10 I found no entriies
Tomorrow night we check what Windows 7 is doing, validating what Maxim has found and what we have found in Windows 10.

You can watch the video here:

Read more »
Subscribe to: Posts (Atom)
Hacking Exposed Computer Forensics Blog © 2020. All Rights Reserved.
Powered by Blogger

Author Name

Contact Form

Name

Email *

Message *

Powered by Blogger.