Interesting spots to look at while doing an offline hard disk analysis

Check

No.  Artifact name               Location / remarks
 1   Registry artifacts          C:\Windows\System32\ (registry hive files)
 2   Windows event logs          C:\Windows\System32\winevt\Logs
 3   Volume shadow copies        System Volume Information folder of each partition
 4   MFT (NTFS file systems)     Boot partition of the system
 5   Browser artifacts           Contained in the browser installation folders
 6   Link files                  C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent
 7   Prefetch files              C:\Windows\Prefetch
 8   UserAssist keys             Windows registry; read more later in this document
 9   USNJRNL                     <partition>\$Extend\$UsnJrnl:$J
10   ShellBags                   C:\Users\%USERNAME%\Local Settings\Software\Microsoft\Windows\Shell
11   Taskbar jump lists          C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

To export only the interesting entries, use RegistryReport.

/users/…./*.dat

Find registry at:
/windows/system32/config/sam
/windows/system32/config/system
/windows/system32/config/software
/windows/system32/config/security

/users/…./ntuser.dat

RegRipper
https://code.google.com/p/regripper/

Sysinternals tools can also be used when the original file structure is simulated (hives mounted on an analysis system).

USB devices that have been connected
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR

Mounted devices
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPCVolume

The history of recently mapped network drives is stored in
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

The following listing shows two important autorun keys that run when the system boots:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Other malware executables target some users on the system and run when the specific user or any user logs on to the system. They can be found in the following locations:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce

Since smss.exe launches before the Windows subsystem loads, it calls the configuration subsystem to load the hives listed at
HKLM\SYSTEM\CurrentControlSet\Control\hivelist
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager

Userinit Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Notify: (Ctrl-Alt-Del)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Boot key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot

Startup keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Services:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

File Association
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_CLASSES_ROOT

Recycle bin:
$Recycle.Bin

Event logs
Windows event logs record the notifications and alerts that the computer generates as a result of user and system activity. These instances are referred to as "events" and are identified by an "event ID". Windows event logs can be viewed with the built-in application "EventViewer.exe" while the system is up and running. In an offline state or from a forensic image, these event log files can be found under "C:\Windows\System32\winevt\Logs". Log files such as SecEvent.evtx, SysEvent.evtx and AppEvent.evtx are the most commonly examined. Parsing and examining event log files reveals information about user logons and logoffs, application activity, user activity, changes made to default settings (such as date and time changes) and changes caused by malware activity, all of which is useful in an investigation.

Before Vista, the event logs were stored under %SystemRoot%\System32\config.
From Vista on, they are stored under %SystemRoot%\System32\winevt\Logs.

Check:
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security

Read: Detecting Security Incidents Using Windows Workstation Event Logs

Use:
TZWorks released evtwalk and evtx_viewer. Harlan Carvey wrote a few Perl scripts to parse event log files, and Andreas Schuster released evtx_parser.

dir c:\forensicscases\*.evtx /b /s | evtwalk -pipe > events.txt

For evtwalk, the following report categories are available:

Password changes
Clock changes or updates
User logon and logoff events
System start and stop times
User credential or permission changes
USB events

Check prefetch:
%SystemRoot%\Prefetch

Use:
NirSoft PrefetchView

Check
Win Scheduled Tasks:
C:\Windows\System32\Tasks

Check
ThumbDB
C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Explorer

Use:
https://thumbcacheviewer.github.io/

The Windows operating system creates shortcut files for recently opened files by default in the following locations:
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Office\Recent
Windows XP saves the shortcut files at the following location:
C:\Documents and Settings\%USERNAME%\Recent\

Use:
https://exiftool.org/

Check
UserAssist

Key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

This key contains two GUID subkeys (CEBFF5CD: executable file execution, F4E57C4B: shortcut file execution). Each subkey maintains a list of system objects, such as programs, shortcuts and Control Panel applets, that the user has accessed.

Registry value names under these subkeys are weakly obfuscated with the ROT-13 algorithm, which substitutes each letter with the letter 13 positions further along the alphabet (wrapping around), leaving digits and punctuation unchanged.

All values are ROT-13 Encoded, some tips:

.exe = .RKR
.lnk = .YAX
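As an added example (not code from the original notes), the following Python helper decodes UserAssist value names with ROT-13, expands the well-known-folder GUID prefix that precedes the path, and parses the binary Count value into run count, focus count, focus time and last execution time. The 16-byte (XP) and 72-byte (Windows 7 and later) Count layouts, the XP "counts start at 5" quirk and the three known-folder GUIDs are taken from the public descriptions of the format and are assumptions of this example; the calc.exe entry is constructed for the demonstration. Feed it the (name, data) pairs that an offline hive parser returns for the Count subkey.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME = 100-ns ticks since 1601-01-01 UTC
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Well-known-folder GUIDs that appear (ROT-13 encoded) at the start of
# UserAssist value names; resolving them gives a readable path prefix.
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "%SystemRoot%",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramFiles%",
}


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime (0 means 'never')."""
    if ft == 0:
        return None
    return _EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return ((dt - _EPOCH) // timedelta(microseconds=1)) * 10


def decode_userassist_name(name):
    """Value names are ROT-13: letters rotate 13 places, everything else stays.
    A leading known-folder GUID is then expanded to a readable prefix."""
    plain = codecs.decode(name, "rot_13")
    for guid, path in KNOWN_FOLDERS.items():
        if plain.upper().startswith(guid):
            plain = path + plain[len(guid):]
            break
    return plain


def parse_userassist_count(data):
    """Parse the binary data of a UserAssist\\{GUID}\\Count value.

    16 bytes : Windows XP layout (session, run count, last run FILETIME);
               XP starts counting at 5, so the real count is value - 5.
    72 bytes : Windows 7+ layout (session, run count, focus count,
               focus time in ms, ..., last run FILETIME at offset 60).
    """
    if len(data) == 16:
        session, count, last = struct.unpack_from("<IIQ", data, 0)
        return {"session": session, "run_count": max(count - 5, 0),
                "focus_count": None, "focus_time_ms": None,
                "last_run": filetime_to_datetime(last)}
    if len(data) >= 68:
        session, count, focus, focus_ms = struct.unpack_from("<IIII", data, 0)
        (last,) = struct.unpack_from("<Q", data, 60)
        return {"session": session, "run_count": count,
                "focus_count": focus, "focus_time_ms": focus_ms,
                "last_run": filetime_to_datetime(last)}
    raise ValueError("unrecognised UserAssist Count layout (%d bytes)" % len(data))


def describe(name, data):
    """Turn one raw (value name, value data) pair into an analyst-friendly record."""
    rec = parse_userassist_count(data)
    rec["program"] = decode_userassist_name(name)
    return rec


def build_sample_entry():
    """Constructed sample (not real evidence): one value as it would be stored
    under the CEBFF5CD subkey, i.e. ROT-13 of {System folder GUID}\\calc.exe."""
    name = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pnyp.rkr"
    last_run = datetime(2021, 3, 4, 12, 0, 0, tzinfo=timezone.utc)
    blob = bytearray(72)
    struct.pack_into("<IIII", blob, 0, 0, 7, 3, 45000)   # session, runs, focus, ms
    struct.pack_into("<Q", blob, 60, datetime_to_filetime(last_run))
    return name, bytes(blob)


if __name__ == "__main__":
    sample_name, sample_data = build_sample_entry()
    print(describe(sample_name, sample_data))
```

A last_run of None (FILETIME 0) together with a non-zero run count is itself worth noting in a report: it usually means the entry was carried over by a profile migration rather than executed on this installation.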

If Win10 version > 1709, check: Background Activity Moderator (BAM)

HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}

If Win10, check: RecentApps

HKCU\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps

AppID = Name of Application
LastAccessTime = Last execution time in UTC
LaunchCount = Number of times executed

Check: ShimCache

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

Use: ShimCacheParser.py, by Mandiant (https://github.com/mandiant/ShimCacheParser)

Check: Amcache

C:\Windows\AppCompat\Programs\Amcache.hve

Use: The file can be analyzed using the amcache plugin of RegRipper (https://github.com/keydet89/RegRipper2.8)

For more information about Amcache and Shimcache in forensic analysis, refer to the article "Amcache and Shimcache in forensic analysis".

Use: Prefetch files can be parsed and analyzed using tools like PECmd (https://github.com/EricZimmerman/PECmd)

Recently opened programs/files/URLs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Start>Run
The list of entries executed using the Start>Run command is maintained in this key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

By using Windows “Recent Opened Documents” Clear List feature via Control Panel>Taskbar and Start Menu, an attacker can remove the Run command history list.

In fact, executing the Clear List function removes the following registry keys and their subkeys, so check whether they still exist:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

UserAssist
UserAssist is a set of registry keys that contain information about the applications and shortcuts accessed by a particular user through the Windows GUI. The information also includes the execution count and the date of last execution, which helps in determining whether a given application has been executed by a particular user or not.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Recent URLs
HKCU\Software\Microsoft\Internet Explorer\TypedURLs

Pagefile
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

This key maintains the configuration of Windows virtual memory: the paging file (usually C:\pagefile.sys) may contain evidential information that could be removed once the suspect computer is shut down.

This key contains a registry value called ClearPagefileAtShutdown, which specifies whether Windows should clear the paging file when the computer shuts down (by default, Windows does not clear the paging file).

Windows Search
HKCU\Software\Microsoft\Search Assistant\ACMru

  • 5001: Contains list of terms used for the Internet Search Assistant
  • 5603: Contains the list of terms used for the Windows files and folders search
  • 5604: Contains list of terms used in the “word or phrase in a file” search
  • 5647: Contains list of terms used in the “for computers or people” search

Installed programs
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

  • DisplayName — program name
  • UninstallString — application Uninstall component’s file path, which indirectly refers to application installation path

Command Processor Autorun
This key contains a command that is automatically executed each time cmd.exe is run:

HKLM\SOFTWARE\Microsoft\Command Processor
HKCU\Software\Microsoft\Command Processor

Debugging

This key allows an administrator to map an executable filename to a different debugger, allowing a user to debug a program using a different program. Modifying this key requires administrative privileges.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

File extensions
These keys contain the command used to execute any file with the .exe (or .bat/.com) extension. Malware commonly modifies this value to load itself covertly.

HKCR\exefile\shell\open\command
HKEY_CLASSES_ROOT\batfile\shell\open\command
HKEY_CLASSES_ROOT\comfile\shell\open\command

Windows Protected Storage

Protected Storage is a service used by Microsoft products to provide a secure area in which to store private information.
HKCU\Software\Microsoft\Protected Storage System Provider

Registry Editor hides these registry keys from users, including administrators.

There are tools that allow an examiner to view the decrypted Protected Storage on a live system, such as Protected Storage PassView and PStoreView.

Amcache and Shimcache can provide a timeline of which programs were executed, when each was first run and when it was last modified.

On Windows 8, Amcache.hve replaces RecentFileCache.bcf and uses the Windows NT Registry File (REGF) format.

A common location for Amcache.hve is:

%SystemRoot%\AppCompat\Programs\Amcache.hve

The Amcache.hve file is also an important artifact for recording traces of anti-forensic programs, portable programs and external storage devices, and can be analyzed with the amcache plugin of RegRipper:

https://github.com/keydet89/RegRipper2.8

Shimcache

Shimcache, also known as AppCompatCache, is a component of the Application Compatibility Database, which was created by Microsoft (beginning in Windows XP) and used by the operating system to identify application compatibility issues.

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache

Shimcache can be investigated using ShimCacheParser.py, by Mandiant:
https://github.com/mandiant/ShimCacheParser

Prefetch Files
Prefetch files are created by the Windows operating system whenever an application is run from a specific location for the first time; they are used to speed up application startup. These files follow a predefined naming format: the name of the application, a hash denoting the location from which the application was run, and a ".PF" file extension. The prefetch files are stored in the "\Root\Windows\Prefetch" folder. Analysis of prefetch files reveals evidence of program execution for a particular user or from a particular location. A prefetch entry may remain even after the program has been deleted or uninstalled. Together with timeline analysis, this information helps in determining what programs have been executed on the system.
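As an added example (not from the original notes or from any of the tools named above), the following Python parses the header of an uncompressed prefetch file to recover the executable name, the path hash, the run count and the last run time(s), and checks that the on-disk file name (EXE-HASH.pf) agrees with the header. The header offsets for format versions 23 (Vista/7) and 26 (Windows 8) follow the public SCCA format description and are assumptions of this example; Windows 10 files are MAM-compressed on disk and are rejected with a message rather than parsed. The Windows 7 sample file for CALC.EXE is constructed inline.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME = 100-ns ticks since 1601-01-01 UTC
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Header layouts by format version (assumed from the public SCCA description).
# Version 30 (Windows 10+) files start with "MAM" and are XPRESS-Huffman
# compressed; they must be decompressed before this header is visible.
_LAYOUT = {
    23: {"os": "Windows Vista/7", "last_run": 0x80, "n_runs": 1, "run_count": 0x98},
    26: {"os": "Windows 8.x",     "last_run": 0x80, "n_runs": 8, "run_count": 0xD0},
}


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime (0 means 'unused')."""
    return None if ft == 0 else _EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return ((dt - _EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch(data):
    """Return the execution evidence stored in an uncompressed .pf header."""
    if data[:3] == b"MAM":
        raise ValueError("MAM-compressed (Windows 10+) prefetch: decompress first")
    if len(data) < 0x54:
        raise ValueError("too short for a prefetch header")
    version, sig, _unused, file_size = struct.unpack_from("<I4sII", data, 0)
    if sig != b"SCCA":
        raise ValueError("bad signature %r" % sig)
    layout = _LAYOUT.get(version)
    if layout is None:
        raise ValueError("unsupported prefetch version %d" % version)
    if len(data) < layout["run_count"] + 4:
        raise ValueError("truncated prefetch file")
    # Executable name: 60 bytes of UTF-16LE at 0x10, NUL terminated
    exe = data[0x10:0x10 + 60].decode("utf-16-le", "replace").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 0x4C)
    run_times = []
    for i in range(layout["n_runs"]):
        (ft,) = struct.unpack_from("<Q", data, layout["last_run"] + 8 * i)
        if ft:
            run_times.append(filetime_to_datetime(ft))
    (run_count,) = struct.unpack_from("<I", data, layout["run_count"])
    return {"version": version, "os": layout["os"], "executable": exe,
            "hash": pf_hash, "run_count": run_count, "run_times": run_times,
            "declared_size": file_size}


def filename_matches(filename, info):
    """Prefetch files are named EXE-HASH.pf; a file whose name disagrees with
    its own header has been renamed, copied from elsewhere or tampered with."""
    stem = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if not stem.lower().endswith(".pf"):
        return False
    name, sep, hexhash = stem[:-3].rpartition("-")
    if not sep:
        return False
    try:
        return (name.upper() == info["executable"].upper()
                and int(hexhash, 16) == info["hash"])
    except ValueError:
        return False


def build_sample_prefetch():
    """Constructed Windows 7 (version 23) prefetch file for CALC.EXE (not real evidence)."""
    buf = bytearray(0xF0)                       # 84-byte header + 156-byte file info
    struct.pack_into("<I4sII", buf, 0, 23, b"SCCA", 0x11, len(buf))
    exe = "CALC.EXE".encode("utf-16-le")
    buf[0x10:0x10 + len(exe)] = exe
    struct.pack_into("<I", buf, 0x4C, 0x77FDF17F)   # sample path hash
    last = datetime(2021, 3, 4, 12, 0, 0, tzinfo=timezone.utc)
    struct.pack_into("<Q", buf, 0x80, datetime_to_filetime(last))
    struct.pack_into("<I", buf, 0x98, 5)            # run count
    return bytes(buf)


if __name__ == "__main__":
    info = parse_prefetch(build_sample_prefetch())
    print(info, filename_matches("CALC.EXE-77FDF17F.pf", info))
```

Because the hash encodes the directory the program was run from, the same executable started from two locations leaves two prefetch files; comparing the header's executable name with the file name is a cheap integrity check before trusting the timestamps.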

USNJRNL
The USNJRNL (Update Sequence Number Journal), also known as the NTFS change journal, records the changes that happen to files in a Windows environment. One such journal is maintained for each NTFS volume and stored in the file "$Extend\$UsnJrnl". The $UsnJrnl file contains a wealth of information that helps a forensic examiner figure out what changes have been made on the system. $UsnJrnl analysis may reveal file or directory names, their MFT record numbers, the type of change that happened to each file, the time of the change, the reason for the change, the security ID and information about the source of the change, which helps the examiner identify the activities that have taken place with respect to the files and folders of the subject computer. The figure below shows some parsed $UsnJrnl entries.

Taskbar Jump lists
Jump lists are a taskbar feature introduced in Windows 7 that lets the user view recently accessed files by file category, and pin favourite files so that they can be accessed easily. Jump lists are stored as "*.automaticDestinations-ms" files under the user profile path "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations", and also as "*.customDestinations-ms" files in compound binary format. Jump list records help the forensic examiner identify the files and applications that have been created and accessed by the user. The figure below is an example of the jump list created for the Internet Explorer application.