November 2018


Hello Reader,
         We had a Forensic Lunch today! It was just Matt and me, as all of our scheduled guests had to reschedule, but we made the most of our time. Thanks to those of you who tuned in live, and expect Forensic Lunch to return in December on:


December 7th, 2018 at Noon CST
December 14th, 2018 at Noon CST

Matt and I talked about:

I'm behind on podcast uploads again; I'll get that fixed.

You can watch the video here:

Hello Reader,
       Tonight we tested out Maxim Suhanov's YARP library and the script he provided to extract and decompress the LZNT1-compressed data in the CIT\System key we talked about last night.

Here is what we learned:

  • YARP is a great Python registry library; clearly I'm just scratching the surface of what it can do
  • LZNT1 requires a minimum chunk size equal to the cluster size of the NTFS drive to decompress data
  • The CIT\System key on my test system had two values to be decompressed
  • The first value appears to contain system executables
  • The second value appears to contain user executables
  • There is some overlap between the CIT\System key and the recentfilecache.bcf
  • The CIT\System key refers to the recentfilecache.bcf file
  • The CIT\System key contained calls to rundll with parameters
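As an added example (not Maxim Suhanov's script and not yarp's own code), here is a minimal LZNT1 decompressor for the chunked format named above. It assumes the raw LZNT1 stream has already been pulled out of the registry value with a hive parser such as yarp; the sample stream at the bottom is constructed.

```python
import struct

# Added example: minimal LZNT1 decompressor for bytes pulled out of a registry
# value (e.g. the compressed CIT\System values). Reading the value bytes out of
# the hive (with yarp or another parser) is assumed to happen before this.
CHUNK_SIGNATURE = 3  # bits 12-14 of every LZNT1 chunk header


def _decompress_chunk(chunk):
    """Expand one compressed chunk: flag byte, then up to 8 literal/match tokens."""
    out, pos = bytearray(), 0
    while pos < len(chunk):
        flags, pos = chunk[pos], pos + 1
        for bit in range(8):
            if pos >= len(chunk):
                break
            if not (flags >> bit) & 1:  # literal byte
                out.append(chunk[pos])
                pos += 1
                continue
            # Match token: the displacement/length bit split widens with how much
            # of the chunk has been output so far (same rule as the NTFS driver).
            token = struct.unpack_from("<H", chunk, pos)[0]
            pos += 2
            len_mask, disp_shift, i = 0xFFF, 12, len(out) - 1
            while i >= 0x10:
                len_mask, disp_shift, i = len_mask >> 1, disp_shift - 1, i >> 1
            length, displacement = (token & len_mask) + 3, (token >> disp_shift) + 1
            if displacement > len(out):
                raise ValueError("match points before the start of the chunk")
            for _ in range(length):  # byte-wise copy so overlapping matches work
                out.append(out[-displacement])
    return bytes(out)


def lznt1_decompress(data):
    """Walk the chunk headers of an LZNT1 stream and return the decompressed bytes."""
    out, pos = bytearray(), 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:  # an all-zero header ends the stream
            break
        if (header >> 12) & 7 != CHUNK_SIGNATURE:
            raise ValueError("bad LZNT1 chunk signature at offset %d" % (pos - 2))
        size = (header & 0xFFF) + 1
        chunk, pos = data[pos:pos + size], pos + size
        out += _decompress_chunk(chunk) if header & 0x8000 else chunk
    return bytes(out)


# Constructed stream: one compressed chunk holding literals "ABC" followed by a
# match of displacement 3, length 9, which expands to b"ABCABCABCABC".
SAMPLE = bytes.fromhex("05b0 08 41 42 43 06 20")
```

Uncompressed chunks (bit 15 of the header clear) are copied through unchanged, and a bad signature raises rather than silently producing garbage.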

You can watch the video here:

Hello Reader,
       Tonight we had a test kitchen with ups and downs as some things worked and others didn't. Here's what we learned:


  • All of the LZNT1 libraries we tried failed to decompress the binary registry entries that Maxim Suhanov found
  • YARP has support for the LZNT1 format used in the registry; I've downloaded it and we will use it tomorrow
  • The Windows 7 Amcache can be manually updated by running the scheduled task, but otherwise will not be updated until the scheduled task runs
  • The last write date of the key in the Amcache in Windows 7 has nothing to do with execution time; it's just when the scheduled task ran
  • Like Windows 10, the Windows 7 Amcache will scan any executable on the desktop and insert it into the Amcache even if it wasn't executed
More tomorrow night!

Here is the video:

Hello Reader,
       Tonight we reached another conclusion on our road to understanding the Amcache hive.
Here is what we learned:

  • As Maxim Suhanov pointed out on Twitter, on Windows 7 there is a scheduled task called 'Microsoft Compatibility Appraiser' that runs every night and updates the Amcache
  • On Windows 10 that same task exists, but the Amcache is updated after GUI executions
  • Non-executed programs in the Desktop, at least, are added when the scheduled task runs
  • If a program is modified and its hash changes, the new entry will be updated when the scheduled task runs again, not when the program is executed
  • There is a registry key in the SOFTWARE hive that Maxim found that appears to contain compressed appcompat data in Windows 7; in Windows 10 I found no entries
Tomorrow night we check what Windows 7 is doing, validating what Maxim has found and what we have found in Windows 10.

You can watch the video here:

Hello Reader,
           Tonight we continued our Shimcache testing; here is what we found out:

  • Confirmed again that shimcache will record any executable viewable within the GUI
  • Shimcache will update the record if the executable is modified and then executed
  • Amcache does not immediately update an entry if an executable is modified and executed
  • Sysmon did not get added to the Amcache even though it has some type of GUI window (a message box appears), but this was not the standard Win32 GUI message box
  • Amcache added the executable we left on the desktop on Friday but did not execute; the entry appeared at 5am UTC Saturday, and the process event log showed it was a background task manager.
  • Sysmon was installed to see if we can get more detail on the process that is updating Amcache

We are now going to let the system update the registry overnight and see what changes it makes with the executables we left on the desktop and in the downloads directory.

You can watch the video here:

Hello Reader,
         Another week of research and discovery is behind us. Let's push your own knowledge with this week's challenge!

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 11/30/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
On a Windows 7 system, how long does it take for a new GUI executable to appear in the Amcache? What can you do, if anything, to force the executable to appear in the Amcache hive?

Hello Reader,
            Tonight we had a short late-night broadcast, as I am enjoying the four-day weekend that is Thanksgiving here in the United States. However, just because it was short doesn't mean we didn't find out a lot of interesting things! Here is what we learned:

  • The desktop executable rbcmd.exe that I didn't execute but did extract was added to the Amcache 24 hours after the last video aired
  • The Amcache hive transaction logs do contain all of the most recently executed GUI executables, with a 10 second delay. For 10 seconds after execution there is a buffer, likely in memory, where the changes are pending
  • If you parse the Amcache hive without the transaction logs you will miss the most recently executed GUI programs
  • Programs run from the command line are not found in the transaction logs immediately after execution
  • Programs not executed in the GUI but executed from the command line in directories other than the desktop have not shown up in the Amcache

You can watch the video here:

Hello Reader,
         When I did the previous year of blogging, my wife suggested I post recipes, which I did on holidays. This year I did a sous vide turkey following the recipe in this video:


https://www.youtube.com/watch?v=x03Ug4biX-I

I did one thing differently, though: I cooked the turkey breasts to 145 rather than 130, and it made a huge difference. Last year I cooked it to 130 as suggested, and the meat, while safe to eat, was pink and made everyone worried, so it ended up in the broiler to bring it to temp.

145 was the perfect temp and gave a very good result; I then broiled the skin to give it the roasted appearance people expect.

Tomorrow back to the normal schedule!

Hello Reader,
         Tonight we continued looking into Amcache and Shimcache as parts of the application compatibility cache system. Here is what we learned:

  • Command line executions without GUIs are not immediately tracked in Amcache, but are in Shimcache after two days
  • Command line executions with GUIs are tracked in Amcache after a shutdown; we need to check the transaction logs next time to see if we can get them without a reboot/shutdown
  • Command line programs executed from the GUI are tracked in the Amcache
  • The process creation events I turned on in the local security policy are not catching user processes; need to check on why
  • Amcache does contain command line programs I never executed, but the dates are 3 days after the extraction

So we need to let the system keep running and see if some automatic sweep will cause the other command line executables to be tracked. 

You can watch the video here:

Hello Reader,
          Tonight we continued our journey into the shimcache and amcache. Here is what we learned:

  • The extracted executable file from the command line that was not executed was still not present in the shimcache
  • Simply viewing the directory in the GUI that the extracted but not executed executable was in was enough to get it added to the shimcache
  • No new entries from the downloads directories were present in the Amcache

Tomorrow night we will see if the Amcache needed even more time, suggesting it's a scheduled task

You can watch the video here:

Hello Reader,
     Tonight we continue to go down further into the application compatibility cache and its associated artifacts. Thanks to tonight's BFFs (Best forensic friends) Phill Moore, Jessica Hyde and Mike Cary for participating in the testing! Here is what we learned:

  • Approximately 6 hours or so after the tests were done on 11/16/18 in the prior video (https://www.hecfblog.com/2018/11/daily-blog-540-forensic-lunch-test.html) the entries we expected to show up in the Amcache were written to the registry 
  • In addition to the programs we executed being delayed in their writes, we also had more programs we extracted in the GUI but did not execute show up in Amcache
  • The timestamp of the key here did not reflect when the program executed but rather when it was added to the Amcache hive! We are setting up more testing to determine what the triggers are for Amcache updating
  • Extracting an executable from a zip file in the command line did not result in a Shimcache or Amcache entry being made, as suggested by Mike Cary on twitter. 
  • Executing an executable from the command line did get an entry in the shimcache on shutdown and reboot
  • We had an inconsistent result in the amcache on execution where once it appeared after shutdown and another time it didn't
  • We have enabled process creation event logging and the VM will run overnight to see when and what hopefully is updating the Amcache

You can watch the video here:

Hello Reader,
         We've had some great submissions the last couple of weeks and are hoping to keep that trend up this week! Following on from this week's topics, let's see how well you can work your forensic tool for registry analysis.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 11/23/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
What keys and/or files are created/modified when you:
1. First plug in a USB 3.0 drive using the storport driver
2. The last time you plug in a USB 3.0 drive using the storport driver

Hello Reader,
          This week a new champion emerges and enters the winners' circle. Congratulations to Oleg Skulkin, who grabbed a win this week with his testing! Make sure to come back tomorrow to see next week's challenge for your chance at $100!

The Challenge:
We've tested what happens for copies to NTFS drives. Now let's change it up. What changes occur to files when you copy and paste, as well as cut and paste, to a FAT32 drive?

The Winning Answer:
Oleg Skulkin

I created 6 files: 1 DOCX, 1 TXT and 1 JPG on an NTFS volume for copying, and 1 DOCX, 1 TXT and 1 JPG for cutting and pasting. I used Windows 10 both for copying and cutting, and a freshly formatted FAT32 flash drive.

I created two folders on the flash drive – “copy - paste” and “cut - paste”. I copied and pasted the first three files to “copy - paste”, and the next three files to “cut - paste”. Then I imaged the flash drive with FTK Imager (4.1.1.1) and used Autopsy (4.9.0) to examine the image.

Here are the results:


The DOCX file saved its Modified timestamp, lost time for Accessed, and its Created timestamp changed. Despite the fact I used UTC as the timezone in Autopsy, the timestamps were shown in UTC +3. 

The same results were observed for the TXT file: 


And for the JPG file:

As for cutting and pasting, the DOCX file saved its Modified and Created timestamps, but lost the time for its Accessed timestamp (again, timestamps are in UTC +3):

The same happened with the TXT file:

And with the JPG file:

Results

               Modified    Accessed    Created
Copy – paste   Unchanged   Changed     Changed
Cut – paste    Unchanged   Changed     Unchanged
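As an added example (not part of Oleg's answer), decoding the three timestamp fields of a FAT32 short directory entry shows why the Accessed value keeps only its date: the on-disk entry stores a 16-bit last-access date and no access time at all, while Created carries a 2-second time plus a 10 ms "tenths" byte and Modified only the 2-second time. The directory entry below is constructed for the example.

```python
import struct
from datetime import date, datetime, time, timedelta

# Added example: decode the three timestamps of a FAT32 short (8.3) directory
# entry. Per the FAT specification: offset 13 = creation tenths of a second,
# 14/16 = creation time/date, 18 = last-access DATE (there is no access time
# field), 22/24 = last-write time/date. Values are local time; no zone is stored.

def _fat_date(value):
    # bits 15-9: years since 1980, 8-5: month, 4-0: day
    return date(1980 + (value >> 9), (value >> 5) & 0x0F, value & 0x1F)

def _fat_time(value, tenths=0):
    # bits 15-11: hours, 10-5: minutes, 4-0: 2-second units; tenths = 0-199 x 10 ms
    return timedelta(hours=value >> 11, minutes=(value >> 5) & 0x3F,
                     seconds=(value & 0x1F) * 2 + tenths // 100,
                     milliseconds=(tenths % 100) * 10)

def decode_fat_entry(entry):
    """Return (created, accessed, modified) for a 32-byte directory entry."""
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    tenths, ctime, cdate, adate = struct.unpack_from("<BHHH", entry, 13)
    wtime, wdate = struct.unpack_from("<HH", entry, 22)
    midnight = datetime.min.time()
    created = datetime.combine(_fat_date(cdate), midnight) + _fat_time(ctime, tenths)
    accessed = _fat_date(adate)  # a date object: the time of day is never stored
    modified = datetime.combine(_fat_date(wdate), midnight) + _fat_time(wtime)
    return created, accessed, modified

def _enc_date(d):
    return ((d.year - 1980) << 9) | (d.month << 5) | d.day

def _enc_time(t):
    return (t.hour << 11) | (t.minute << 5) | (t.second // 2)

# Constructed entry for a file like the DOCX above: created 2018-11-17 14:05:33.57
# (the odd second and the 570 ms survive only through the tenths byte), last
# accessed 2018-11-18, last written 2018-11-10 09:30:02.
SAMPLE_ENTRY = bytearray(32)
SAMPLE_ENTRY[0:11] = b"REPORT  DOC"
struct.pack_into("<BHHH", SAMPLE_ENTRY, 13, 157, _enc_time(time(14, 5, 33)),
                 _enc_date(date(2018, 11, 17)), _enc_date(date(2018, 11, 18)))
struct.pack_into("<HH", SAMPLE_ENTRY, 22, _enc_time(time(9, 30, 2)),
                 _enc_date(date(2018, 11, 10)))
```

Because no time zone is recorded in the entry, a tool displays these values in whatever zone it assumes, which is why the same field can read as UTC in one viewer and UTC+3 in another.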


