August 2018


Hello Reader,
       If you want to understand how people outside of our DFIR space see and understand us, even those with a technical infosec background, check out Jessica Hyde's appearance on Rally Security. It was a great reminder of what something we are all so deep in looks like from the outside. I think putting yourself into others' perspectives helps you explain things and educate others on what we do.

You can watch it here:
https://www.twitch.tv/videos/303079856

Hello Reader,
        I've had a string of Test Kitchens this week all revolving around ObjectIDs. Today I extend and test Ken Pryor's testing in his blog (https://digiforensics.blogspot.com/2018/08/life-update-little-object-id-research.html) regarding how ObjectIDs are retained on copy and paste versus cut and paste between two NTFS volumes. I did my testing in Windows 7 and validated what Ken had found in his post.

In addition we did some testing with:

  • ObjectIDs and FAT file systems
  • Do directories get ObjectIDs in Windows 7?
  • Does Privazer or CCleaner get rid of ObjectIDs?
  • Why do we care about ObjectIDs so much?

You can watch the broadcast here:

Hello Reader,
            Another Test Kitchen has been recorded. If you want to catch these live I can't promise any particular broadcast time as I do these when I have time, but if you subscribe to my Youtube channel (https://www.youtube.com/user/LearnForensics) you will get notifications whenever I do go live.

This Test Kitchen I did more experimentation with the creation of ObjectIDs when saving files from browsers to the Downloads directory with surprising results! It turns out that:

  • Saving a text file in Chrome to the Downloads directory will create an ObjectID and a LNK file even without opening the file
  • Saving a text file in Firefox to the Downloads directory will create a LNK file but will not populate the ObjectID attribute.
  • Saving executable files in both browsers will create Zone.Identifier alternate data streams, as Phill Moore researched previously, but will not create ObjectIDs or LNK files.

Want to see and learn more? Watch the video below:

Hello Reader,
        In the UK or Europe? In three weeks, on September 17, 2018, I'll be teaching SANS FOR500 Windows Forensics with Lee Whitfield. If you've read the blog, played the CTFs, done the challenges and watched the Forensic Lunch, it's time to come fill in the gaps. In class Lee and I will be going beyond the books to explain how and why things work and what you can rely on.

Interested?
You can find out more here:
https://www.sans.org/event/london-september-2018/course/windows-forensic-analysis

Hello Reader,
    I've been looking into ObjectIDs quite a bit lately so why not open up the fun to all of you and let's see what a crowdsourced effort can produce. This week will see the intersection of programming and analysis in what should be a good learning challenge for many of you.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 8/31/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
Write a Python script that can determine which files on a Windows 10 system have ObjectIDs.

Hello Reader,
         I was thinking more about yesterday's Test Kitchen in regards to ObjectID creation on Windows 10. To summarize the point: if a file gets created in the GUI in Windows 10, it creates a shell item (LNK, jump list, recent doc, etc.) as well as getting an ObjectID. It occurred to me that, just as we have trained examiners to look for Zone.Identifiers as evidence of downloaded files, we could use the absence of an ObjectID on a Windows 10 file to find those files that were either not created within the GUI or created in one of the special exclusion directories (Outlook temp, Internet temp, etc.).

With this in mind, in an intrusion scenario we could quickly triage by eliminating all the files a user created through the GUI, then eliminating the system files through hash comparison, leaving us with a smaller set of files whose hashes aren't known and that were not created by the user. This, along with a comparison against the execution artifacts, could lead to some pretty fast triage for possible malicious executables.

I'm going to see next week about writing a Python script to do this; expect a Sunday Funday challenge related to this.
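As an added example (not the challenge's own solution, nor code from the blog or from any entry), here is a Python parser that takes raw $MFT FILE records, applies the update-sequence fixups, walks the attributes and reports which records carry a $OBJECT_ID attribute, which is the check the triage idea above rests on. The records it runs on are constructed inline so it works offline; feeding it the records of a real $MFT extracted from an image is left to the reader's tooling.

```python
import struct
import uuid

ATTR_FILE_NAME = 0x30        # $FILE_NAME
ATTR_OBJECT_ID = 0x40        # $OBJECT_ID
ATTR_END = 0xFFFFFFFF        # end-of-attributes marker
SECTOR_SIZE, RECORD_SIZE = 512, 1024

def apply_fixups(record):
    """Undo update-sequence protection: the last 2 bytes of every sector hold the
    USN on disk and the real bytes sit in the update sequence array (USA)."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if buf[end - 2:end] != usn:  # torn write or corruption: do not trust it
            raise ValueError("fixup mismatch in sector %d" % i)
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def iter_attributes(record):
    """Yield (type, resident content or None) for each attribute in the record."""
    off = struct.unpack_from("<H", record, 0x14)[0]  # offset of first attribute
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen == 0:
            break
        content = None
        if record[off + 8] == 0:  # non-resident flag clear: content is in the record
            clen, coff = struct.unpack_from("<IH", record, off + 0x10)
            content = record[off + coff:off + coff + clen]
        yield atype, content
        off += alen

def parse_object_id(content):
    """Decode $OBJECT_ID: ObjectId plus optional BirthVolume/BirthObject/Domain GUIDs."""
    names = ("object_id", "birth_volume_id", "birth_object_id", "domain_id")
    return {n: str(uuid.UUID(bytes_le=content[16 * i:16 * i + 16]))
            for i, n in enumerate(names) if len(content) >= 16 * i + 16}

def summarize_record(raw):
    """Return record number, (long) file name and decoded ObjectID, if present."""
    rec = apply_fixups(raw)
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "name": None, "object_id": None}
    for atype, content in iter_attributes(rec):
        if atype == ATTR_FILE_NAME and content is not None:
            if info["name"] is None or content[0x41] != 2:  # prefer the non-DOS name
                info["name"] = content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le")
        elif atype == ATTR_OBJECT_ID and content is not None:
            info["object_id"] = parse_object_id(content)
    return info

def triage(records):
    """Split records into those carrying an ObjectID and those without one."""
    with_id, without_id = [], []
    for raw in records:
        info = summarize_record(raw)
        (with_id if info["object_id"] else without_id).append(info)
    return with_id, without_id

def _resident_attr(atype, content):
    """Resident attribute header + content (used only to build the sample records)."""
    alen = 0x18 + len(content)
    alen += (-alen) % 8  # attribute records are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 0x18, 0, 0,
                      len(content), 0x18, 0, 0)
    return hdr + content + b"\x00" * (alen - 0x18 - len(content))

def build_record(record_no, name, object_id=None):
    """Constructed 1024-byte FILE record (synthetic, not from a real volume) with a
    $FILE_NAME and an optional $OBJECT_ID, fixups applied as NTFS would on disk."""
    fn = bytearray(0x42) + name.encode("utf-16-le")
    fn[0x40], fn[0x41] = len(name), 1  # name length (chars), Win32 namespace
    attrs = _resident_attr(ATTR_FILE_NAME, bytes(fn))
    if object_id is not None:
        attrs += _resident_attr(ATTR_OBJECT_ID, object_id)
    attrs += struct.pack("<I", ATTR_END) + b"\x00" * 4
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)     # USA at 0x30: USN + 2 entries
    struct.pack_into("<H", rec, 0x14, 0x38)      # first attribute at 0x38
    struct.pack_into("<I", rec, 0x2C, record_no)
    rec[0x38:0x38 + len(attrs)] = attrs
    rec[0x30:0x32] = b"\x01\x00"                 # update sequence number
    for i in (1, 2):                             # protect each sector's last word
        end = i * SECTOR_SIZE
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = b"\x01\x00"
    return bytes(rec)

OID = uuid.UUID("12345678-1234-5678-9abc-def012345678")   # constructed GUIDs
VOL = uuid.UUID("0fedcba9-8765-4321-8fed-cba987654321")
SAMPLE_RECORDS = [
    build_record(100, "report.docx", OID.bytes_le + VOL.bytes_le + OID.bytes_le + bytes(16)),
    build_record(101, "dropper.exe"),   # never touched through the GUI: no ObjectID
]
```

`triage(SAMPLE_RECORDS)[1]` is the list the post is after: records with no $OBJECT_ID, which a hash comparison and the execution artifacts would then narrow further.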

Hello Reader,
               Another day, another Test Kitchen! Sometimes it's easier just to stream a test out to YouTube rather than document and screenshot all of the steps, so I did that again tonight. This evening I decided to test whether ObjectIDs would be created for files that were created but not opened on Windows 7 and Windows 10.

If you want to watch one of these live, make sure to subscribe to the YouTube channel and receive notifications for random dings of forensic testing.

You can watch the video here:

Hello Reader,
           If you were a subscriber to my YouTube channel you would have seen a notification that I was live tonight. Tonight I decided to do a Test Kitchen broadcast to test the behavior of jump lists in Windows 7 vs Windows 10 to see if any of the new jump list behavior we have observed in Windows 10 was actually there all along.

If you watch the video below you can see me test whether or not jump list entries got created for:

  • Creating a file
  • Creating a directory
  • Opening a directory
  • Opening a file
  • Copying and pasting a directory
  • Renaming a directory
As well as some LNK file testing at the end to see how LNK files were created for opening a file in different directories.

Watch the video below!



Hello Reader,
       I know many of you have work or home labs where you test things, research things and overall use different virtual environments. What many people don't know though is that you can get hold of almost all of the VMware software you need, like:

  • VMware Workstation
  • VMware Fusion
  • vCenter
  • vSphere ESXi Enterprise
  • vSAN
For $200 you can join the VMUG (VMware User Group) Advantage program, which gets you access to EvalExperience: 365 days of licensing for the above VMware software and much more. This has let me really accelerate some of my testing at a much lower cost, and I'm looking forward to using the clustered ESXi license as well as vSAN to set up larger research environments.


You'll have to set up an account at VMUG and usually wait a day to get the login to the OnHub store that contains the eval software. After that you have a year of much easier research ahead of you.

Good Luck!

Hello Reader,
        In Hideaki Ihara's post on the port139 blog, he talks about a subsystem that has been around for quite some time, the Distributed Link Tracking System, which allowed LNK files and other shell item structures to survive a file being renamed or moved, prior to the inclusion of MFT reference numbers in Windows 7. This means that there are now at least two methods within a LNK file that will allow it to point to the correct file even if it has been renamed or moved since it was last opened.

Hideaki is pointing out that when a file is opened and a shell item is created for it, an Object ID should be created for it as an attribute. While I agree this is true, I would also look for the creation of the LNK file itself and then which jump list got updated to determine what application opened the file, especially since not every file opened will get an Object ID, as stated in the limitations section of the Microsoft documentation.

In summary, an Object ID won't be set even if a file is opened when:

  1. The file is being opened from a removable drive
  2. The file is being opened from a FAT drive
  3. The file is being opened from a newly formatted NTFS volume and the system hasn't rebooted
  4. The file is being opened from a newly attached fixed disk with NTFS and the system hasn't been rebooted
I think we should do more testing with this, but in all the above scenarios the shell item system would still record these accesses and the USN journal would show the LNK files and jump lists being updated. I like where Hideaki is going; I just want to make sure people are aware of what's possible.

Hello Reader,
Microsoft is also introducing subtle changes in Windows; sometimes they were always there but we just didn't notice. Let's see what you can determine in this week's LNK file challenge.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 8/24/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
As of Windows 10 (possibly earlier!), Windows will only keep 20 LNK files for a single extension. What other limitations of the LNK file system can you find?

Hello Reader,
           This week Lodrina Cherne swooped in with some interesting research that went way beyond URL history. I think what Lodrina has submitted here is the base of some very interesting research that needs to be performed to find out more. I am happy to say I received more submissions this week, but I would encourage anyone reading this to give these challenges a try and submit an answer. You can only benefit from the research and possibly the win!


The Challenge:
For Edge, Chrome and Firefox, where could you find evidence of what was uploaded to a file sharing site? Please include all of the locations available, not just the URL history.


The Winning Answer:
Lodrina Cherne @hexplates


Here are some general methods to investigate upload activity in browsers:

RESEARCH! Besides searching your favorite forensic blogs, browsers and web applications may have developer documentation online.

In the past I’ve used Yahoo! Mail developer docs to better understand webmail artifacts. APIs and handles are sometimes documented for third party developers, use this to your advantage!

Here’s a snippet from the Yahoo Developer Network related to uploading:


This snippet is an example specifically related to advertiser data upload – so if I was interested in this artifact, one search term might be
              “status”: “completed”

Here’s an example related to Google Drive upload:



My search term for Google Drive uploads might be
              uploadTime=

Mozilla (FireFox) has a good collection of APIs, here are some upload related ones we might see:
What the MDN web docs tell us is that bytes and file path + name are properties used in “UploadData”. There’s also browser compatibility information – so this may apply with Chrome or FireFox on Android? Pretty cool!

These events may leave some of the above keywords on disk – but even more important than the keywords, we know that there is some kind of marker that the upload has started, that it’s completed successfully, etc. We know this data is being recorded somewhere, even temporarily, so it’s worth digging for this type of data on disk!

TEST! For different web applications, what is the expected behavior? Are there keywords that appear on screen or a string in the site URL?

Here’s one example using the Dropbox browser interface with Chrome. I am dragging and dropping a file from my system into Dropbox. Note the on screen prompt “upload to the folder”.


While the file is uploading, we see “Uploading Additional Forensic Resources.docx” at the bottom of the screen.


When the upload is complete, the status changes to “Uploaded Additional Forensic Resources.docx”


Potential search terms for Dropbox upload so far are
              upload to the folder
              Uploading [filename of interest]
              Uploaded [filename of interest]

These search terms could be run in your forensic tool across browser artifacts like history and cache. Using a forensic suite for your first pass search can be useful to look across different locations and filetypes. Are you searching inside SQLite databases? Decompressing FireFox session history? Not every suite will do this for you though they will be more efficient than searching each database or cache folder by itself on your first pass!

Besides browser artifacts, you could run these keywords across other areas of the drive like unallocated space and the pagefile/hibernation file.

Another test could be uploading a file with a unique name to a filesharing site, then searching your browser data for that filename.


Hello Reader,
       This post serves to congratulate @gh0stp0p on achieving the first perfect score in the Defcon DFIR CTF! She has not only won the admiration of her peers but also a license of Forensic Email Collector. For those still wanting to play, or still playing, we will leave the CTF up for at least a month before we move onto the next project.

As a reminder the CTF is located here:
https://defcon2018.ctfd.io/

And you can download the images here:
http://www.hecfblog.com/2018/08/daily-blog-451-defcon-dfir-ctf-2018.html

Thanks everyone for playing and hopefully you will learn something from the experience! Next time we will up the difficulty. 

Hello Reader,
           If you haven't already done so check out this blog post from Malware Maloney:
https://malwaremaloney.blogspot.com/2018/08/windows-10-notification-wal-database.html

In it the author not only shows how to create a new query for pulling messages from the database, he also extended a SQLite Python library to correctly decode the write-ahead log of the SQLite database that stores the notifications, meaning you can recover more deleted messages.

Give it a read and in a future post let's take that and write a script around it.

Hello Reader,
        I realized that while I posted this on Twitter I did not share this on the blog, which is the more permanent record of things. First, this year's Defcon DFIR CTF was sponsored by:


SANS - Donating 1st prize access to DFIR Netwars Continuous for a year and Lego minifigs.
Also if you were in the Blue Team Village at just the right time we brought out SANS t-shirts, polos, keychains and posters that quickly disappeared.

Magnet Forensics - Donating a really cool backpack that contained a license of AXIOM, a Magnet water bottle, a Magnet external cell phone battery and a cool Magnet pen.

Blackbag Forensics - Donating a license of Blacklight and a really cool insulated drink cup (like a Yeti or RTIC but with a very nicely done Blackbag logo).

MetaSpike - Who donated a license of Forensic Email Collector which will go to whoever gets the first perfect score in the Defcon DFIR CTF!

  • 1st Place went to Hadar Yudovich @hadar0x

Hello Reader,
       For those of you who use libvshadow you may have noticed that it shows deleted shadow copies but does not differentiate between active and deleted shadow copies. This can be an issue as parts of the deleted shadow copies could be overwritten leading to strange results.

Looks like two researchers out of Japan are attempting to fix that issue with an extension to libvshadow and some really interesting catalog recreation research.


Check it out below!

http://i.blackhat.com/us-18/Thu-August-9/us-18-Kobayashi-Reconstruct-The-World-From-Vanished-Shadow-Recovering-Deleted-VSS-Snapshots.pdf

Hello Reader,
            This year at Defcon we made things interesting with a challenge that involves making your way through 3 images to answer questions and solve a case. Now that Defcon is over and the winners awarded it's your turn to give the challenge a try.

The first image password is 'tacoproblems'
The second and third image password is gained by answering the right questions in the CTF.


CTF Site:
https://defcon2018.ctfd.io/

Download Links:
Image 1:
https://www.dropbox.com/s/1q4f0fowo8048mq/Image1.7z?dl=0

Image 2:
https://www.dropbox.com/s/9gzjfqkl8uup58k/Image2.7z?dl=0

Image 3:
https://www.dropbox.com/s/jvaqb4rfi3jojbk/Image3.7z?dl=0

Hello Reader,
Defcon is over and with it our CTF. For this week's challenge let's look at some browser forensics artifacts that could be helpful to you when I open up the forensic CTF to the public tomorrow.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 8/17/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
For Edge, Chrome and Firefox, where could you find evidence of what was uploaded to a file sharing site? Please include all of the locations available, not just the URL history.

Hello Reader,
Another week, another winning answer by Adam Harrison! The CTF is ending in an hour and I look forward to seeing how this all shakes out.


The Challenge:
Name all of the Windows and OSX artifacts you would examine to determine if Anti Forensics tools have been executed. 


The Winning Answer:

The majority of Anti-Forensic tools are just programs like any other, often executed within the host OS. Additionally, the question specifically asks about proving execution of Anti-Forensic tools. As such the first thing I will concern myself with is evidence of program execution.

Noting that different anti-forensics tools may miss certain evidence sources (especially if run with basic user privileges) it is important to be broad in the areas you look as one of the lesser known or used artifacts may have been left untouched by the tools. Additionally in cases of suspected anti-forensic efforts I would be interested in the content of all of these artifacts, including whether they are empty, as this may be an indication of anti-forensics tool use in and of itself. 

Evidence of Tool Execution
Windows
Prefetch
Jump Lists
AppCompatCache
MUICache
UserAssist
RunMRU
LastVisitedMRU
Log Files (tools may be deployed as services or with a scheduled element, process creation events associated with Audit Process Creation)
Third party application execution monitoring (e.g. AV, DLP, etc)
WSL (If WSL is in use then this opens a whole other kettle of fish, .bashhistory, evidence of tool installation etc.)
Evidence of process artifacts in RAM
Command history in RAM

MacOSX
knowledgeC.db database (application usage data)
.bashhistory (if tools used or executed from command line)
FSEvents (evidence of filesystem events including creation of software files and also deletion and renaming associated with tool use)
com.apple.finder.plist (evidence of finder searches for software)
RecentApplications.sfl
Spotlight Shortcuts plist
.bashhistory in ram
Evidence of process artifacts in RAM

Evidence of Tool Use
In addition, the use of anti-forensics tools can leave their own artifacts behind. In the case of CCleaner the presence of deleted but recoverable “ZZZ” files and folders is a classic indicator of use. Other similar unique fingerprints are associated with different anti-forensic tools. One other such telltale sign is recoverable files with random filenames and high entropy content consistent with being overwritten with pseudo random data; entropy analysis of recovered deleted files can highlight these.

Evidence of research/download/installation
Proving the intent of a user can also be useful, whether evidence of the use of anti-forensic tools is actually identified. Evidencing that tools were sought, downloaded and installed during an in-scope time frame (such as just after an employee was notified of an HR interview etc). Additionally evidence that research was performed into hiding evidence can be helpful in painting a picture as to a user's intentions and help to combat the "My computer was running slow so I used CCleaner" defense.

Windows
Registry artifacts (installed applications, application specific entries etc)

OSX
/Library/Receipts/InstallHistory.plist
/Library/Preferences/com.apple.SoftwareUpdate.plist
/Library/LaunchAgents

Both
The disk… (Look for executables for anti-forensics tools on disk e.g. ‘Program Files’ Directories, ‘Applications’ directories, ‘Downloads’ directories) 
Browser History/Cache/Cookies for evidence of search history and websites visited (location dependent on OS and installed browser(s))
Proxy/ web filtering logs (evidence of browsing to sites concerning anti-forensics and downloading of tools)
AV Logs (scanning of downloaded executable)

Wildcard
You never know where you might find that smoking gun which demonstrates the intention to circumvent forensic analysis. In one notable case, a colleague of mine stumbled across an iOS note which was stored within a backup on the suspect's computer. Within it the suspect had detailed a proposed methodology to steal data from his employer which would be “undetectable”. Using throwaway virtual machines (which would then be wiped from disk) he proposed to collate and extract data from the organisation and transmit it to a cloud service connected to via the VM. The actions performed left almost no trace of the IP theft, but the evidence of the existence of a now deleted VM coupled with the note made compelling reading in court.

---

Hello Reader,
      Another late post after a long day in Vegas. We launched the ctf today and already have a fight for the top 3 spots. As more people get the evidence I'm expecting it to get really interesting.

We initially planned to do a live stream today but spent most of the day finishing the last questions so I expect we will do the stream tomorrow instead.

For those who want to watch the scoreboard go to
https://defcon2018.ctfd.io/scoreboard

To follow along, the contest ends tomorrow night! There is a long time for everything to change by then.

As before once the event is over we will make the images public and everyone can play, just without prizes.

Hello Reader,
Just a reminder that the ctf starts tomorrow afternoon. If you are in Vegas and have not signed up yet here is the link:
https://www.eventbrite.com/e/unofficial-defcon-dfir-ctf-2018-tickets-47978189055?ref=estw

Prizes:
1st. DFIR Netwars Continuous for a year from SANS and a Lego mini fig
2nd. Magnet prize loaded backpack, Lego mini fig and a license of Forensic Email Collector
3rd. Blackbag prize pack

It's not too late to sign up, get ready!

Hello Reader,
     A quick one before I fall asleep after a long day of CTF prep and Vegas fun. If you are using the F-Response imager to capture a full disk, be aware that it seems to default to a sparse image format and leaves out shadow copies.

However, imaging the same F-Response mounted disk with another tool will capture the full disk.

Hello Reader,
           Today I'm sharing a lesson I learned from acquiring systems in the cloud from another cloud hosted system in the same provider. I was adding the agents and getting ready to acquire the systems, but they kept dropping off the F-Response management list of subjects.

I was quite confused. I checked the network and realized my RDP session was active the entire time and hadn't timed out. I restarted the F-Response service and kept a ping running; when the F-Response agent timed out I noticed the ping never lost a packet.

So I reached out to the excellent support staff (aka Matt Shannon) at F-Response and explained my problem, and they quickly got back to me (after 5PM!) with a suggestion: check your clock skew.

This isn't something I had run into before and so I went and made sure my clocks were the same and now it's happily imaging away.

So hopefully this helps someone in the future: if your F-Response subject keeps timing out, check to make sure that the license server and the subject are set to the same time!

Hello Reader,
           Thank you for all of the responses in the blog comments, on Twitter and on LinkedIn to my question regarding Anti Forensics tools used in the wild. It was great to expand everyone's knowledge of what tools to look for and make a list of those I need to test to see what traces each of them leaves behind. With that in mind let's see how you handle this week's Anti Forensics themed challenge.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 8/10/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
Name all of the Windows and OSX artifacts you would examine to determine if Anti Forensics tools have been executed. 

Hello Reader,
           Another week where Adam Harrison has again dominated the entries. For those of you thinking about trying out next week's contest, don't be deterred. You too can be a winner with just some basic effort and some good documentation skills!

The Challenge:
Windows 10 keeps changing, and with it its behavior. In Windows 8.1 and early versions of Windows 10 there was a task to delete plug and play devices that haven't been plugged in for 30 days. In more recent versions of Windows 10 this appears to be disabled. For this challenge please document which versions of Windows 10 have the task enabled and whether it survives being upgraded.

The Winning Answer:
https://blog.1234n6.com/2018/07/windows-plug-and-play-cleanup.html?spref=tw

Great job Adam! Come back tomorrow for a new challenge!

Hello Reader,
       Today I have a question for you. In my work I've encountered tools that my suspects have used to clean or wipe their system. However, I'm wondering what others are out there that I haven't seen yet. So here is my list:


  • CCleaner
  • Evidence Eliminator
  • System Soap
  • PC Optimizer Pro
  • BCWipe
  • Eraser
  • Sdelete

What additional wipers or anti forensics tools have you come across? Let me know in the comments below or in a tweet/LinkedIn comment.

Thanks!

Hello Reader,
           One of the problems we are having recently in Windows 10 forensics is that what would previously have been identified as a major service pack version or a new version of Windows is now being marked as a feature release. These releases are changing the behaviors we rely on in forensics, and we are going to have to start referring not just to Windows 10 but to the build of Windows 10. This isn't going to stop in the near future, as Microsoft says that they plan to just iterate Windows 10 for the foreseeable future.

If you look at some of Adam Harrison's recent blogs you'll notice he has multiple major versions of Windows 10 running within different VMs. I think this kind of setup will be necessary going forward, and we are going to have to do more regression testing of artifacts both old and new to understand the new normal.

I'll be following this up with what the major releases are so we can start building a common vernacular for describing Windows 10. For now just be aware that just because it's Windows 10 does not mean that any previous Windows 10 research still applies without testing.

Hello Reader,
       I had stopped thinking about the Windows 10 notifications database since I last saw Yogesh Khatri's blog post about it here. I was reviewing a file list produced by an opposing party in a litigation we are working on and suddenly saw a directory full of notification images and got curious again.

Since Yogesh first blogged about it the location of the Notification data has changed and it is now located here:
\Users\\AppData\Local\Microsoft\Windows\Notifications

Pictures pushed to the system and displayed in start menu tiles or notifications are stored here:
\Users\\AppData\Local\Microsoft\Windows\Notifications\wpnidm

And the database is now a SQLite database named wpndatabase.db, which you can open with any SQLite tool. I am using Navicat for SQLite because it's one of my favorites.

When I opened the database I went looking to see which table contained the data I would think is interesting, and found a table named Notification; here is the schema:


There are three fields here you should pay attention to. The first is the HandlerID, which will tell you which program created the notification; you find the associated name in the NotificationHandler table.


The second field is the Payload field; this is the actual contents of the notification. I was looking through here to see if there was something interesting and found all the notifications that Outlook had been popping up as I was getting new emails. Here is an example:



Placeholder image
Caesars Total Rewards
Win big in August with the play by TR app! Download now!
<http://click.email.caesars-marketing.com/open.aspx?>
Download and log in to be rewarded.         View this email with images. <http://view.email.caesar...

Within the text tags you can see the contents of the new mail notification I received from Outlook.

The last fields to look at are ExpiryTime and ArrivalTime, which record when the notification was received (ArrivalTime) and when it will be deleted from the database (ExpiryTime). These are stored in decimal, but if you convert them to hex you can convert them back to a readable time using the Windows FileTime BigEndian option in DCode.


So there you go: we can recover the sender, subject and first lines of an email from the notification database even if the email has been otherwise purged from the system. I am going to look further into this to see if there are any other notifications of interest.
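As an added example (not from the post), a Python sketch of the lookup described above: it joins Notification to NotificationHandler to resolve the HandlerID, converts ArrivalTime and ExpiryTime from their decimal FILETIME values, and pulls the text nodes out of the Payload XML. The database is an in-memory stand-in built with only the columns named in the post; the join column names RecordId and PrimaryId on NotificationHandler, and the sample handler name and toast payload, are assumptions constructed for the example.

```python
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime.
    The database stores the 64-bit tick count as a plain decimal integer; a zero
    or missing value means the field was never set."""
    if ft is None or ft <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def payload_text(payload):
    """Return the <text> nodes of a toast payload; fall back to the raw string when
    the payload is not well-formed XML so nothing is silently dropped."""
    if payload is None:
        return []
    if isinstance(payload, bytes):
        payload = payload.decode("utf-8", errors="replace")
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return [payload.strip()]
    return [(t.text or "").strip() for t in root.iter("text") if (t.text or "").strip()]


def extract_notifications(conn):
    """Resolve each notification's handler and decode its times and payload text.
    Column names follow the post; the join on HandlerId = RecordId is assumed."""
    sql = """
        SELECT n.Id, h.PrimaryId, n.Payload, n.ArrivalTime, n.ExpiryTime
        FROM Notification n
        LEFT JOIN NotificationHandler h ON h.RecordId = n.HandlerId
        ORDER BY n.ArrivalTime
    """
    rows = []
    for nid, handler, payload, arrival, expiry in conn.execute(sql):
        rows.append({
            "id": nid,
            "handler": handler,              # None when the handler row is gone
            "text": payload_text(payload),
            "arrival": filetime_to_datetime(arrival),
            "expiry": filetime_to_datetime(expiry),
        })
    return rows


def build_sample_db():
    """Constructed in-memory stand-in for wpndatabase.db with only the columns
    discussed in the post (not a real schema dump)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE NotificationHandler (RecordId INTEGER PRIMARY KEY, PrimaryId TEXT);
        CREATE TABLE Notification (Id INTEGER PRIMARY KEY, HandlerId INTEGER,
            Payload BLOB, ArrivalTime INTEGER, ExpiryTime INTEGER);
    """)
    conn.execute("INSERT INTO NotificationHandler VALUES (7, 'Microsoft.Office.OUTLOOK.EXE.15')")
    # Constructed new-mail toast: sender, subject and first line live in <text> nodes
    toast = (b'<toast launch="mail"><visual><binding template="ToastGeneric">'
             b'<text>Example Sender</text><text>Quarterly numbers</text>'
             b'<text>Please review the attached figures before Friday.</text>'
             b'</binding></visual></toast>')
    arrival = 131800176000000000          # FILETIME for 2018-08-29 12:00:00 UTC
    day = 24 * 3600 * 10_000_000          # one day in 100-ns ticks
    conn.execute("INSERT INTO Notification VALUES (1, 7, ?, ?, ?)",
                 (toast, arrival, arrival + day))
    # Orphaned handler id and a non-XML payload: the decoder must cope with both
    conn.execute("INSERT INTO Notification VALUES (2, 99, ?, ?, ?)",
                 (b"not xml at all", arrival + 60 * 10_000_000, 0))
    conn.commit()
    return conn
```

Run `extract_notifications(sqlite3.connect("wpndatabase.db"))` against a copy of the real file to get the same dicts; the purged-email case in the post is the first row here.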
