interesting spots to look at while doing an offline harddisk analysis
Check
| No. | Artifacts name | location / remarks |
|---|---|---|
| 1 | Registry Artefacts | C:\Windows\System 32\Registry hive files |
| 2 | Windows event Logs | C:\Windows\System32\winevt\Logs |
| 3 | Volume shadow copies | System volume information of each partition |
| 4 | MFT in NTFS File systems | Boot partition of the system |
| 5 | Browser Artifacts | Contained in the browser installation folders |
| 6 | Link Files | C:\Users\User\AppData\Roaming\Microsoft\Windows\Recent |
| 7 | Prefetch Files | C:\Windows\Prefetch |
| 8 | User-assist keys | Windows Registry read more later in this document |
| 9 | USNJRNL | Partition\Extend\$UsnJrnl:$J |
| 10 | Shell bags | C:\User\ Local Settings\Software\Microsoft\Windows\Shell |
| 11 | Taskbar Jumplists | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Rece nt |
For just the export of interesting stuff, use the RegistryReport.
/users/…./*.dat
Find registry at:
/windows/system32/config/sam
/windows/system32/config/system
/windows/system32/config/software
/windows/system32/config/security
/users/…./ntuser.dat
RegRipper
https://code.google.com/p/regripper/
Can also use Sysinternals if simulating file structure
USB Devices been connected
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR
Mounted devices
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPCVolume
The history of recent mapped network drives is store into
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
The following listing shows two important autorun keys that run when the system boots: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKCU\Software\Microsoft\Windows\Current\VersionExplorer\MountPoints2
Other malware executables target some users on the system and run when the specific user or any user logs on to the system. They can be found in the following locations: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ru nonce HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ru n HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Once HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\ Winlogon\Userinit
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Since smss.exe launches before windows subsystem loads, it calls configuration subsystem to load the hive present at
HKLM\SYSTEM\CurrentControlSet\Control\hivelist
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager
Userinit Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Notify: (Ctrl-Alt-Del)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
boot key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot
Startup keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Services:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Services\Once
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Services
Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
File Association
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_CLASSES_ROOT
Recycle bin:
$Recycle.Bin
EvetLOGs
Windows event logs record the computers notifications and alerts that are generated as a result of user activity. These instances are referred as “events” and are identified with “event id”. Windows event logs can be viewed from in-built application known as “EventViewer.exe” when system is up and running. In an off-line state or from the forensic image these windows event log files can be located in the path “C:\Windows\System32\winevt\Logs”. Log files such as SecEvent.evtx, SysEvent.evtx, AppEvent.evtx are the most commonly examined event log files. The Parsing and examination of event log files reveals important information about user logins and log outs, application activity, user activity, changes that have been made to the default settings such as date & time changing, changes made by the malware activity etc. which would be useful in an investigation.
Before Vista, the event logs were as follows: %System root%\System32\config
After Vista, %System root%\System32\winevt\logs
Check:
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security
Read: Detecting Security Incidents Using Windows Workstation Event Logs
Use:
TZWorks released evtwalk and evtx_viewer. Harlan Carvey wrote a few Perl scripts to parse event log files, and Andreas Schuster released evtx_parser.
dir c:\forensicscases\*.evtx /b /s | evtwalk -pipe > events.txt
For evtwalk, the followingreport categories are available:
Password changes
Clock changes or updates
User logon and logoff events
System start and stop times
User credential or permission changes
USB events
check prefetch:
%SystemRoot%\Prefetch
Use:
NirSoft PrefetchView
Check
Win Scheduled Tasks:
C:\Windows\System32\Tasks
Check
ThumbDB
C:\Users\\AppData\Local\Microsoft\Windows\Explorer
Use:
https://thumbcacheviewer.github.io/
The Windows operating system creates shortcut files for the recently opened files by default in the following locations: C:\users\\AppData\Roaming\Microsoft\Windows\Recent C:\users\\AppData\Roaming\Microsoft\Office\Recent Windows XP saves the shortcut files at the following location: C:\Documents and Settings\\Recent\
Check
UserAssist
Use:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
This key contains two GUID subkeys (CEBFF5CD Executable File Execution, F4E57C4B Shortcut File Execution): each subkey maintains a list of system objects such as program, shortcut, and control panel applets that a user has accessed.
Registry values under these subkeys are weakly encrypted using ROT-13 algorithm which basically substitutes a character with another character 13 position away from it in the ASCII table.
All values are ROT-13 Encoded, some tips:
.exe = .RKR
.lnk = .YAX
If Win10 version > 1709, check: Background Activity Moderator (BAM)
HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
If Win10, check: RecentApps
HKCU\Software\Microsoft\Windows\Current Version\Search\RecentApps
AppID = Name of Application
LastAccessTime = Last execution time in UTC
LaunchCount = Number of times executed
Check: ShimCache
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Use: ShimCacheParser.py, by Mandiant (https://github.com/mandiant/ShimCacheParser)
Check: Amchache
C:\Windows\AppCompat\Programs\Amcache.hve
Use:The file can be analyzed using the amcache plugin of RegRipper (https://github.com/keydet89/RegRipper2.8)
For more information about Amcache and Shimcache in forensic analysis, please refer to this specific article: Amcache and Shimcache in forensic analysis
Use: Prefetch file can be parsed and analyzed using tools like PeCMD (https://github.com/EricZimmerman/PECmd)
Recent opened Programs/Files/URLs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Start>Run
The list of entries executed using the Start>Run command in maintained in this key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
By using Windows “Recent Opened Documents” Clear List feature via Control Panel>Taskbar and Start Menu, an attacker can remove the Run command history list.
In fact, executing the Clear List function will remove the following registry keys and their subkeys. So check if this still exists...
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU HKCU\Software\Microsoft\Internet Explorer\TypedURLs HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
UserAssist
Userassist are a set of registry keys that contain information about the applications and shortcuts accessed by particular user using windows GUI. The information also includes execution count the date of last execution which helps in determining whether a given application has been executed by a particular user of not.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Recent URLs
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
Pagefile
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
This key maintains the configuration of Windows virtual memory: the paging file (usually C:pagefile.sys) may contain evidential information that could be removed once the suspect computer is shutdown.
This key contains a registry value called ClearPagefileAtShutdown which specify whether Windows should clear off the paging file when the computer shutdowns (by default, windows will not clear the paging file).
Windows Search
HKCU\Software\Microsoft\Search Assistant\ACMru
- 5001: Contains list of terms used for the Internet Search Assistant
- 5603: Contains the list of terms used for the Windows files and folders search
- 5604: Contains list of terms used in the “word or phrase in a file” search
- 5647: Contains list of terms used in the “for computers or people” search
Installed programs
HKLM\SOFTWARE\Microsoft\Windows\Current\Version\Uninstall
- DisplayName — program name
- UninstallString — application Uninstall component’s file path, which indirectly refers to application installation path
Command Processor Autorun
This key contains command that is automatically executed each time cmd.exe is run:
HKLM\SOFTWARE\Microsoft\Command Processor
HKCU\Software\Microsoft\Command Processor
Debugging
This key allows administrator to map an executable filename to a different debugger source, allowing user to debug a program using a different program. Modification to this key requires administrative privilege.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
File extensions
This key contains instruction to execute any .exe extension file. Malware normally modifys this value to load itself covertly.
HKCR\exe\fileshell\opencommand
HKEY_CLASSES_ROOT\batfile\shell\open\command
HKEY_CLASSES_ROOT\comfile\shell\open\command
Windows Protect Storage
Protected Storage is a service used by Microsoft products to provide a secure area to store private information.
HKCU\Software\Microsoft\Protected Storage System Provider
Registry Editor hides these registry keys from users viewing, including administrator.
There are tools that allow examiner to view the decrypted Protected Storage on a live system, such as Protected Storage PassView and PStoreView.
Amcache and Shimcache can provide a timeline of which program was executed and when it was first run and last modified
On Windows 8, Amcache.hve replaces RecentFileCache.bcf and uses the Windows NT Registry File (REGF) format.
A common location for Amcache.hve is:
\%SystemRoot%\AppCompat\Programs\Amcache.hve
Amcache.hve file is also an important artifact to record the traces of anti-forensic programs, portable programs, and external storage devices, and can be analyzed using amcache plugin of RegRipper:
https://github.com/keydet89/RegRipper2.8
Shimcache
Shimcache, also known as AppCompatCache, is a component of the Application Compatibility Database, which was created by Microsoft (beginning in Windows XP) and used by the operating system to identify application compatibility issues.
HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache\AppCompatCache
Shimcache can be investigated using ShimCacheParser.py, by Mandiant:
https://github.com/mandiant/ShimCacheParser
Prefetch Files
Prefetch files are created by the windows operating system whenever an application is run from a specific location for the first time. Prefetch files are used to speed up the application startup process. These files are named in a predefined format and the prefetch name consists name of the application, hash notifying the location from which the application was run, and a “.PF” file extension. The prefetch files are stored in “\Root\Windows\Prefetch” folder. Analysis of prefetch files reveals the evidence of program execution for a particular user or from a particular location. Prefetch entry may still remain event after the program has been deleted or un-installed. This information together with timeline analysis helps in determining what programs have been executed in the system.
USNJRNL
The USNJRNL (Update Sequence Number Journal) file, also known as NTFS Change Journal records all the changes that happens to a file in windows environment. One such journal file is maintained each NTFS volume and stored in the file “$Extend\$UsnJrnl”. The $UsnJrnl file contains a wealth of information that is useful for a forensic examiner in figuring out what changes have been made in the system. The $UsnJrnl analysis may reveal information about File or directory names, their MFT record numbers, type of change that happened to the files, time of change, reason for change, Security ID and information about the source of such change which would help the examiner to identify the activities that have taken place with respect to the files and folder of the subject computer system. Below figure shows some $UsnJrnl entries that were parsed.
Taskbar Jump lists
Jumplists are one of the task bar features introduced from windows 7 that helps the user to view all the recently accessed files based on the file category. It also allows the user to pin their favorite files so that they can be easily accessed. Jumplists are present in “*.automaticDestinations-ms” format under user profile path “C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations” and also as “*.customDestination-ms” filesin compound binary format. The jumplist records help the forensic examiner in identifying the files/applications that have been created and accessed by the user. Below figure is an example for the jumplist created for internet explorer application.