Daily Blog #513: Solution Saturday 10/20/18 - Windows Server 2008+ Challenge Winning Answer

Windows Server 2008+ Challenge Winning Answer by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
      While this weeks winning answer did not directly answer the challenge asked it is the most complete and fills in some much needed knowledge. Congratulations to returning Sunday funday champion Adam Harrison for this weeks answer.

The Challenge:
What artifacts of execution exist on a Windows Server 2008+ that do not exist on Windows 7+? In other words name any forensic artifacts that would show a program executed on a windows server os that you wouldn't find on a windows desktop os!

The winning answer:
Adam Harrison

In response to this weeks challenge I undertook to documents as many artifacts as I could think of/search out which evidence program execution, and to determine which Windows operating systems these artifacts are availablefor.

To be up front, I did not identify any which were explicitly available in Windows Server 2008+ but not in the Desktop counterparts. With that said the following artifacts are, in my opinion and experience more commonly available within Windows Server:

  • Event ID 4688 - Requires enabling and in my experience I have seen it more commonly enabled on Servers than Desktops.
  • IDS - Host based IDS running on notable servers

Other artifacts considered and detailed in the table and post below include:
  • Prefetch
  • ShimCache
  • MUICache
  • Amcache
  • RecentFileCache.bcf
  • Microsoft-Windows-TaskScheduler (200/201)
  • LEGACY_* Registry Keys
  • Microsoft-Windows-Application-Experience Program-Inventory
  • Microsoft-Windows-Application-Experience Program-Telemetry
  • BAM
  • SRUM
  • ActivitiesCache.db
  • Security Log (592/4688)
  • System Log (7035)
  • UserAssist
  • RecentApps
  • JumpLists
  • RunMRU
  • AppCompatFlags Registry Keys

In many instances these are more common to be found/enabled on a Windows Desktop rather than Server, as opposed to the other way around.

The fuller description of all the execution indicators I was able to think of and find, and details as to which OS versions they exist for is laid out in the following blog post:

The key spreadsheet documenting the artifact availability is available here:

It is my intention to keep the spreadsheet updated and and feedback, additions or corrections are gratefully received.

Post a Comment