@night 1803 access accessdata active directory admissibility ads aduc aim aix ajax alex levinson alissa torres amcache analysis anjp anssi answer key antiforensics apfs appcompat appcompatflags applocker april fools argparse arman gungor arsenal artifact extractor attachments attacker tools austin automating automation awards aws azure azuread back to basics backstage base16 best finds beta bias bitcoin bitlocker blackbag blackberry enterprise server blackhat blacklight blade blanche lagny book book review brute force bsides bulk extractor c2 carved carving case ccdc cd burning ceic cfp challenge champlain chat logs Christmas Christmas eve chrome cit client info cloud forensics command line computer forensics computername conference schedule consulting contest cool tools. tips copy and paste coreanalytics cortana court approved credentials cryptocurrency ctf cti summit cut and paste cyberbox Daily Blog dbir deep freeze defcon defender ata deviceclasses dfa dfir dfir automation dfir exposed dfir in 120 seconds dfir indepth dfir review dfir summit dfir wizard dfrws dfvfs dingo stole my baby directories directory dirty file system disablelastaccess discount download dropbox dvd burning e01 elastic search elcomsoft elevated email recovery email searching emdmgmt Encyclopedia Forensica enfuse eric huber es eshandler esxi evalexperience event log event logs evidence execution exfat ext3 ext4 extended mapi external drives f-response factory access mode false positive fat fde firefox for408 for498 for500 for526 for668 forenisc toolkit forensic 4cast forensic lunch forensic soundness forensic tips fraud free fsutil ftk ftk 2 full disk encryption future gcfe gcp github go bag golden ticket google gsuite guardduty gui hackthebox hal pomeranz hashlib hfs honeypot honeypots how does it work how i use it how to howto IE10 imaging incident response indepth information theft infosec pro guide intern internetusername Interview ios ip theft iphone ir itunes encrypted backups jailbreak jeddah jessica hyde joe sylve journals json jump lists kali kape kevin stokes kibana knowledgec korman labs lance mueller last access last logon lateral movement leanpub libtsk libvshadow linux linux forensics linux-3g live systems lnk files log analysis log2timeline login logs london love notes lznt1 mac mac_apt macmini magnet magnet user summit mari degrazia mathias fuchs md viewer memorial day memory forensics metaspike mft mftecmd mhn microsoft milestones mimikatz missing features mlocate mobile devices mojave mount mtp multiboot usb mus mus 2019 mus2019 nccdc netanalysis netbios netflow new book new years eve new years resolutions nominations nosql notifications ntfs ntfsdisablelastaccessupdate nuc nw3c objectid offensive forensics office office 2016 office 365 oleg skilkin osx outlook outlook web access owa packetsled paladin path specification pdf perl persistence pfic plists posix powerforensics powerpoint powershell prefetch psexec py2exe pyewf pyinstaller python pytsk rallysecurity raw images rdp re-c re-creation testing reader project recipes recon recursive hashing recycle bin redteam regipy registry registry explorer registry recon regripper remote research reverse engineering rhel rootless runas sample images san diego SANS sans dfir summit sarah edwards saturday Saturday reading sbe sccm scrap files search server 2008 server 2008 r2 server 2012 server 2019 setmace setupapi sha1 shadowkit shadows shell items shellbags shimcache silv3rhorn skull canyon skype slow down smb solution solution saturday sop speed sponsors sqlite srum ssd stage 1 stories storport sunday funday swgde syscache system t2 takeout telemetry temporary files test kitchen thanksgiving threat intel timeline times timestamps timestomp timezone tool tool testing training transaction logs triage triforce truecrypt tsk tun naung tutorial typed paths typedpaths uac unc understanding unicorn unified logs unread updates usb usb detective usbstor user assist userassist usnjrnl validation vhd video video blog videopost vlive vmug vmware volatility vote vss web2.0 webcast webinar webmail weekend reading what are you missing what did they take what don't we know What I wish I knew whitfield windows windows 10 windows 2008 windows 7 windows forensics windows server winfe winfe lite winscp wmi write head xboot xfs xways yarp yogesh zimmerman zone.identifier

Daily Blog #595: Solution Saturday 1/12/19

Hello Reader,
        I had two great submissions this week and one of them surprised me because it was from my own fellow g-c'er Matt Seyer. Matt won this weeks competition because he took one step farther in his testing to show not only what the new tables in the Server 2019 SRUM database meant, he also showed where to go in the registry to get the answer.

The Winning Answer:
Matt Seyer (@forensic_matt)

Sunday Funday Submission

The Challenge

Server 2019 got SRUM, what if any differences are there between SRUM on Windows 10 and SRUM on Server 2019?

Methodology

Compare the SRUM database schemas of a Windows 10 system and Server 2019. The most obvious differences should appear in the database schemas. Because the SRUM database uses the Extensible Storage Engine (ESE) format, we should work directly with the ESE database itself and not use tools that interpret its data into a different format (many tools will convert the ESE to SQLite). Because SRUM uses Extensions that are recorded in the SOFTWARE hive, the SOFTWARE hive should also be checked for differences.

Windows Versions Used

The following versions were used for generating the data in this research.
Server 2019 Version: Windows Server 2019 Standard (Desktop Experience)
Windows 10 Version: Windows 10 Enterprise

Table Differences

The following table schemas are resolved with a script (srum_schema.py) that uses pyesedb and yarp to resolve SRUM data. pyesedb allows us to work with the ESE format and yarp allows us to work with Registry and take transaction logs into account.

Base Tables

After reviewing SRUM’s base set of tables (tables not in the extensions), they appear to remain the same across Windows 10 and Server 2019.
Windows 10
Server 2019 Desktop Experience
Status
---------------------------------------
Table: MSysObjects
---------------------------------------
ObjidTable -> INTEGER_32BIT_SIGNED
Type -> INTEGER_16BIT_SIGNED
Id -> INTEGER_32BIT_SIGNED
ColtypOrPgnoFDP -> INTEGER_32BIT_SIGNED
SpaceUsage -> INTEGER_32BIT_SIGNED
Flags -> INTEGER_32BIT_SIGNED
PagesOrLocale -> INTEGER_32BIT_SIGNED
RootFlag -> BOOLEAN
RecordOffset -> INTEGER_16BIT_SIGNED
LCMapFlags -> INTEGER_32BIT_SIGNED
KeyMost -> INTEGER_16BIT_UNSIGNED
LVChunkMax -> INTEGER_32BIT_SIGNED
Name -> TEXT
Stats -> BINARY_DATA