Friday, November 30, 2018

Daily Blog #553: Forensic Lunch 11/30/18

Hello Reader,
         We had a forensic lunch today! It was just Matt and me, as all of our scheduled guests had to reschedule, but we made the most of our time. Thanks to those of you who tuned in live, and expect Forensic Lunch to return in December on:


December 7th, 2018 at Noon CST
December 14th, 2018 at Noon CST

Matt and I talked about:

I'm behind on podcast uploads again; I'll get that fixed.

You can watch the video here:

Thursday, November 29, 2018

Daily Blog #512: Forensic Lunch Test Kitchen 11/29/18

Hello Reader,
       Tonight we tested out Maxim Suhanov's YARP library and his provided script to extract and decompress the LZNT1 compressed keys in the CIT\System key we talked about last night.

Here is what we learned:

  • YARP is a great Python registry library; clearly I'm just scratching the surface of what it can do
  • LZNT1 requires a minimum chunk size equal to the cluster size of the NTFS drive to decompress data
  • The CIT\System key on my test system had two values to be decompressed
  • The first value appears to contain system executables
  • The second value appears to contain user executables
  • There is some overlap between the CIT\System key and the recentfilecache.bcf
  • The CIT\System key refers to the recentfilecache.bcf file
  • The CIT\System key contained calls to rundll with parameters
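To show what the LZNT1 decompression step above actually involves, here is an added reference decompressor that follows the chunk layout in MS-XCA (flag byte, literals and variable-width back-references, 2-byte chunk headers). It is example code written for this post, not code from the post, from Maxim Suhanov or from YARP; the input bytes are constructed, and it makes no claim about handling the registry-specific framing that defeated the other libraries.

```python
import struct

def _decompress_chunk(chunk: bytes) -> bytes:
    # One compressed chunk: a flag byte, then up to 8 tokens (bit set = back-reference).
    out, pos = bytearray(), 0
    while pos < len(chunk):
        flags = chunk[pos]
        pos += 1
        for bit in range(8):
            if pos >= len(chunk):
                break
            if not (flags >> bit) & 1:            # literal byte
                out.append(chunk[pos])
                pos += 1
                continue
            # Length/displacement split depends on bytes already produced (MS-XCA 2.4).
            len_mask, disp_shift, cursor = 0xFFF, 12, len(out) - 1
            while cursor >= 0x10:
                len_mask, disp_shift, cursor = len_mask >> 1, disp_shift - 1, cursor >> 1
            token = struct.unpack_from("<H", chunk, pos)[0]
            pos += 2
            length, disp = (token & len_mask) + 3, (token >> disp_shift) + 1
            if disp > len(out):
                raise ValueError("back-reference points before the chunk start")
            for _ in range(length):               # byte-wise copy so overlap works
                out.append(out[-disp])
    return bytes(out)

def lznt1_decompress(data: bytes) -> bytes:
    # Chunk header: bit 15 = compressed, bits 12-14 = signature 3, bits 0-11 = size - 1.
    out, pos = bytearray(), 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:                           # terminating header
            break
        if (header >> 12) & 0x7 != 3:
            raise ValueError("bad chunk signature at offset %d" % (pos - 2))
        size = (header & 0x0FFF) + 1              # chunk bytes following the header
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk at offset %d" % pos)
        pos += size
        out += _decompress_chunk(chunk) if header & 0x8000 else chunk
    return bytes(out)

# Constructed sample, not from a real hive: chunk 1 is compressed ("rundll32.exe " as
# literals, then a 12-byte back-reference at displacement 13), chunk 2 is stored raw.
SAMPLE = (b"\x10\xb0" + b"\x00rundll32" + b"\x20.exe " + b"\x09\xc0"
          + b"\x0b\x30" + b" shell32.dll" + b"\x00\x00")
```

`lznt1_decompress(SAMPLE)` yields `b"rundll32.exe rundll32.exe shell32.dll"`; feeding it a value that a tool rejects is a quick way to see whether the failure is in the chunk headers or inside a chunk.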

You can watch the video here:

Wednesday, November 28, 2018

Daily Blog #552: Forensic Lunch Test Kitchen 11/28/18

Hello Reader,
       Tonight we had a test kitchen with ups and downs as some things worked and others didn't. Here's what we learned:


  • All of the LZNT1 libraries we tried failed to decompress the system binary registry entries Maxim Suhanov found
  • YARP has support for the LZNT1 format used in the registry; I've downloaded it and we will use it tomorrow
  • The Windows 7 Amcache can be manually updated by running the scheduled task, but otherwise will not be updated until the scheduled task runs
  • The last write date of the key in the Amcache in Windows 7 has nothing to do with execution time; it's just when the scheduled task ran
  • Like Windows 10, the Windows 7 Amcache will scan any executable on the desktop and insert it into the Amcache even if it wasn't executed

More tomorrow night!

Here is the video:

Tuesday, November 27, 2018

Daily Blog #551: Forensic Lunch Test Kitchen 11/27/18

Hello Reader,
       Tonight we reached another conclusion on our road to understanding the Amcache hive.
Here is what we learned:

  • As Maxim Suhanov pointed out on Twitter, for Windows 7 there is a scheduled task called 'Microsoft Compatibility Appraiser' that runs every night and updates the Amcache
  • On Windows 10 that same task exists, but the Amcache is updated after GUI executions
  • Non-executed programs in the Desktop, at least, are added when the scheduled task runs
  • If a program is modified and its hash changed, the new entry will be updated when the scheduled task runs again, not when the program is executed
  • There is a registry key in the SOFTWARE hive that Maxim found that appears to contain compressed appcompat data in Windows 7; in Windows 10 I found no entries

Tomorrow night we check what Windows 7 is doing, validating what Maxim has found and what we have found in Windows 10.

You can watch the video here:

Monday, November 26, 2018

Daily Blog #550: Forensic Lunch Test Kitchen 11/26/18

Hello Reader,
           Tonight we continued our shimcache testing, and here is what we found out:

  • Confirmed again that shimcache will record any executable viewable within the GUI
  • Shimcache will update the record if the executable is modified and then executed
  • Amcache does not immediately update an entry if an executable is modified and executed
  • Sysmon did not get added to the Amcache even though it has some type of GUI window (a message box appears), but this was not the standard Win32 GUI message box
  • Amcache added the executable we left on the desktop on Friday but did not execute; the entry appeared at 5am UTC Saturday, and the process event log showed it was added by a background task manager
  • Sysmon was installed to see if we can get more detail on the process that is updating Amcache

We are now going to let the system update the registry overnight and see what changes it makes with the executables we left in the desktop and the downloads directory.

You can watch the video here:

Sunday, November 25, 2018

Daily Blog #549: Sunday Funday 11/25/18

Hello Reader,
        Another week of research and discovery is behind us. Let's push your own knowledge with this week's challenge!

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 11/30/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
On a Windows 7 system, how long does it take for a new GUI executable to appear in the Amcache? What can you do, if anything, to force the executable to appear in the Amcache hive?

Daily Blog #548: Solution Saturday 11/25/18

Hello Reader,
          Looks like the holiday week took up most people's time, as I didn't have any qualifying answers this week. Come back tomorrow for next week's challenge!

Friday, November 23, 2018

Daily Blog #547: Forensic Lunch Test Kitchen 11/23/18

Hello Reader,
            Tonight we had a short late-night broadcast, as I am enjoying the four-day weekend that is Thanksgiving here in the United States. However, just because it was short doesn't mean we didn't find out a lot of interesting things! Here is what we learned:

  • The desktop executable rbcmd.exe that I didn't execute but did extract was added to the Amcache 24 hours after the last video aired
  • The Amcache hive transaction logs do contain all of the most recently executed GUI executables, with a 10 second delay. For 10 seconds after execution there is a buffer, likely in memory, where the changes are pending
  • If you parse the Amcache hive without the transaction logs you will miss the most recently executed GUI programs
  • Programs run from the command line are not found in the transaction logs immediately after execution
  • Programs not executed in the GUI but executed from the command line in directories other than the desktop have not shown up in the Amcache

You can watch the video here:

Thursday, November 22, 2018

Daily Blog #546: Thanksgiving post 2018

Hello Reader,
         When I did the previous year of blogging my wife suggested I post recipes, which I did on holidays. This year I did a sous vide turkey following the recipe in this video:


https://www.youtube.com/watch?v=x03Ug4biX-I

I did one thing differently though: I cooked the turkey breasts to 145 rather than 130, and it made a huge difference. Last year I cooked it to 130 as suggested, and the meat, while safe to eat, was pink and made everyone worried, so it ended up in the broiler to bring it to temp.

145 was the perfect temp and led to a very good product; I then broiled the skin to give it the roasted appearance people expect.

Tomorrow back to the normal schedule!

Wednesday, November 21, 2018

Daily Blog #545: Forensic Lunch Test Kitchen 11/21/18

Hello Reader,
         Tonight we continued looking into Amcache and Shimcache as parts of the application compatibility cache system. Here is what we learned:

  • Command line executions, without GUIs, are not immediately tracked in Amcache but are in Shimcache after two days
  • Command line executions, with GUIs, are tracked in Amcache after a shutdown; need to check the transaction logs next time to see if we can get them without a reboot/shutdown
  • Command line programs executed from the GUI are tracked in the Amcache
  • The process creation events I turned on in the local security policy are not catching user processes; need to check on why
  • Amcache does contain command line programs I never executed, but the dates are 3 days after the extraction

So we need to let the system keep running and see if some automatic sweep will cause the other command line executables to be tracked. 

You can watch the video here:

Tuesday, November 20, 2018

Daily Blog #544: Forensic Lunch Test Kitchen 11/20/18

Hello Reader,
          Tonight we continued our journey into the shimcache and amcache. Here is what we learned:

  • The extracted executable file from the command line that was not executed was still not present in the shimcache
  • Simply viewing the directory in the GUI that the extracted but not executed executable was in was enough to get it added to the shimcache
  • No new entries from the downloads directories were present in the Amcache

Tomorrow night we will see if the Amcache needed even more time, suggesting it's a scheduled task.

You can watch the video here:

Monday, November 19, 2018

Daily Blog #543: Forensic Lunch Test Kitchen 11/19/18

Hello Reader,
     Tonight we continue to go further down into the application compatibility cache and its associated artifacts. Thanks to tonight's BFFs (Best Forensic Friends) Phill Moore, Jessica Hyde and Mike Cary for participating in the testing! Here is what we learned:

  • Approximately 6 hours after the tests were done on 11/16/18 in the prior video (https://www.hecfblog.com/2018/11/daily-blog-540-forensic-lunch-test.html), the entries we expected to show up in the Amcache were written to the registry
  • In addition to the programs we executed being delayed in their writes, we also had more programs that we extracted in the GUI but did not execute show up in Amcache
  • The timestamp of the key here did not reflect when the program executed but rather when it was added to the Amcache hive! We are setting up more testing to determine what the triggers are for Amcache updating
  • Extracting an executable from a zip file in the command line did not result in a Shimcache or Amcache entry being made, as suggested by Mike Cary on Twitter
  • Executing an executable from the command line did get an entry in the Shimcache on shutdown and reboot
  • We had an inconsistent result in the Amcache on execution, where once it appeared after shutdown and another time it didn't
  • We have enabled process creation event logging, and the VM will run overnight to see when and what, hopefully, is updating the Amcache

You can watch the video here:

Sunday, November 18, 2018

Daily Blog #542: Sunday Funday 11/18/18

Hello Reader,
         We've had some great submissions the last couple of weeks and I'm hoping to keep that trend up this week! Following on from this week's topics, let's see how well you can work your forensic tool for registry analysis.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 11/23/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
What keys and/or files are created/modified when you:
1. First plug in a USB 3.0 drive using the storport driver
2. Plug in a USB 3.0 drive using the storport driver for the last time

Saturday, November 17, 2018

Daily Blog #541: Solution Saturday 11/17/18

Hello Reader,
          This week a new champion emerges and enters the winners' circle. Congratulations to Oleg Skulkin, who grabbed a win this week with his testing! Make sure to come back tomorrow to see next week's challenge for your chance at $100!

The Challenge:
We've tested what happens for copies to NTFS drives. Now let's change it up. What changes occur to files when you copy and paste, as well as cut and paste, to a FAT32 drive?

The Winning Answer:
Oleg Skulkin

I created 6 files, 1 DOCX, 1 TXT, 1 JPG on an NTFS volume for copying, and 1 DOCX, 1 TXT, 1 JPG for cutting and pasting. I used Windows 10 both for copying and cutting, and a freshly formatted FAT32 flash drive.

I created two folders on the flash drive – “copy - paste” and “cut - paste”. I copied and pasted first three files to “copy - paste”, and next three files to “cut - paste”. Then I imaged the flash drive with FTK Imager (4.1.1.1) and used Autopsy (4.9.0) to examine the image.

Here are the results:


The DOCX file saved its Modified timestamp, lost time for Accessed, and its Created timestamp changed. Despite the fact that I used UTC as the timezone in Autopsy, the timestamps were shown in UTC +3.

The same results were observed for the TXT file: 


And for the JPG file:

As for cutting and pasting, the DOCX file saved its Modified and Created timestamps, but lost time for the Accessed timestamp (again, timestamps are in UTC +3):

The same happened with the TXT file:

And with the JPG file:

Results

                   Modified     Accessed     Created
  Copy – paste     Unchanged    Changed      Changed
  Cut – paste      Unchanged    Changed      Unchanged