Windows Forensics Investigation

During this Practical Windows Forensics course, I conducted an in-depth forensic analysis of a Windows 10 system using a template provided by Blue Cape Security, LLC. Through this hands-on investigation, I systematically examined various Windows artifacts, gaining skills in extracting and interpreting evidence crucial for understanding user behavior, system changes, and potential security events.

First, I documented system information, capturing essential details like Windows version, network settings, and the specific system shutdown time. I also analyzed user accounts, identifying active users, recent login activity, and account group memberships. This step provided a baseline for understanding which users had access and what privileges they held.

In examining user behavior, I reviewed several key artifacts, including UserAssist entries, Shellbags, and RecentDocs, to determine which applications and files had been accessed, and to map out the user’s activity on the system. I also performed a detailed NTFS file system analysis to track specific files, such as "ART-attack.ps1" and "deleteme_T1551.004," documenting their metadata, timestamps, and file paths. Through this process, I recognized signs of timestomping and file deletions, which could indicate malicious activity.

Execution artifacts provided further insights, as I analyzed Prefetch files, BAM, AppCompatCache, and AmCache records to create a timeline of executable files run on the system. This helped in identifying suspicious executables such as powershell.exe, cmd.exe, and AtomicService.exe, which were potentially used for unauthorized actions. I also investigated persistence mechanisms, including Auto-Run keys, the Startup folder, Windows services, and scheduled tasks, to understand how malicious scripts and services were configured to run at system startup.

In the Windows Event Log analysis, I reviewed logs to identify security-related events, such as successful logons, process creations, and registry modifications, which could reveal unauthorized access or configurations. Lastly, I performed memory analysis using Volatility3 to examine volatile data, including memory dumps, and identified suspicious processes and registry keys associated with potentially malicious activities.

Overall, this course taught me critical forensic techniques for investigating Windows systems, enhanced my ability to identify and analyze digital artifacts, and improved my understanding of detecting unauthorized actions through a methodical approach.

Disclaimer: This template has been provided by Blue Cape Security, LLC through the Practical Windows Forensic (PWF) course. The purpose is to guide the student through the course and the process of performing digital forensic analysis of various Windows artifacts. It does not represent an actual template of a forensic report.

System Information

Computername: DESKTOP-K4L3CTS

Registry: HKLM\System\CurrentControlSet\Control\Computername\

Windows Version:

Registry: HKLM\Software\Microsoft\Windows NT\Currentversion\

ProductName Windows 10 Enterprise Evaluation

ReleaseID 2009

BuildLab 19041.vb_release.191206-1406

BuildLabEx 19041.1.amd64fre.vb_release.191206-1406

CompositionEditionID EnterpriseEval

RegisteredOrganization

RegisteredOwner IEUser

UBR 1288

InstallDate 2024-11-02 15:23:55Z

InstallTime 2024-11-02 15:23:55Z

UBR 1288

Timezone:

Registry: HKLM\System\CurrentControlSet\Control\TimeZoneInformation\

Pacific Standard Time

Network Information:

Registry: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{interface-name}

DhcpIPAddress 10.0.2.15

DhcpSubnetMask 255.255.255.0

DhcpServer 10.0.2.2

DhcpNameServer 10.5.45.1

DhcpDefaultGateway 10.0.2.2

DhcpSubnetMaskOpt 255.255.255.0

Shutdown time:

Registry: HKLM\System\ControlSet001\Control\Windows\ShutdownTime

ShutdownTime : 2024-11-02 22:22:26Z

Defender settings:

Registry: HKLM\Software\Microsoft\Windows Defender\

Key path: Microsoft\Windows Defender\Real-Time Protection

LastWrite Time: 2024-11-02 21:00:23Z

DisableRealtimeMonitoring value = 1

Users, Groups and User Profiles

Active accounts during the attack time frame?

Username : IEUser [1001]

SID : S-1-5-21-2972595161-3998504575-2729729522-1001

Full Name :

User Comment :

Account Type :

Account Created : Sat Nov 2 15:30:14 2024 Z

Security Questions :

Question 1 : What’s the name of the city where you were born?

Answer 1 : yhjkkj

Question 2 : What was your childhood nickname?

Answer 2 : jjujjj

Question 3 : What’s the name of the city where your parents met?

Answer 3 : u5u6ujj

Name :

Last Login Date : Sat Nov 2 20:56:07 2024 Z

Pwd Reset Date : Sat Nov 2 15:30:15 2024 Z

Pwd Fail Date : Never

Login Count : 5

--> Password does not expire

--> Password not required

--> Normal user account

Which account(s) were created?

Username : art-test [1002]

Account Created : Sat Nov 2 21:27:41 2024 Z

Which accounts are Administrator group members?

IEUser [1001]

art-test [1002]

Which users have profiles?

Path : C:\Users\IEUser

SID : S-1-5-21-2972595161-3998504575-2729729522-1001

LastWrite : 2024-11-02 22:21:57Z

User Behavior

UserAssist: Applications opened

RecentDocs: Files and folders opened

Shellbags: Locations browsed by the user

Open / Save MRU: Files that were opened

Last-Visited MRU: Applications used to open files

UserAssist:

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

• {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} - A list of applications, files, links, and other objects that have been accessed.

• {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} - Lists the shortcut links used to start programs
  

2024-11-02 21:24:02Z

{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe (1)

2024-11-02 21:11:27Z

Microsoft.Windows.Explorer (8)

2024-11-02 20:59:49Z

Value names with no time stamps:

UEME_CTLCUACount:ctor

MSEdge

Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy!App

D:\VBoxWindowsAdditions-amd64.exe

{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe

Microsoft.Windows.Search_cw5n1h2txyewy!CortanaUI

Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy!App

Microsoft.Windows.ControlPanel

{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe

Recent Docs:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

n/a

ShellBags:

NTUSER.DAT:

HKCU\Software\Microsoft\Windows\Shell\BagMRU

HKCU\Software\Microsoft\Windows\Shell\Bags

USRCLASS.DAT:

Local Settings\Software\Microsoft\Windows\Shell\BagMRU

\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

MRU Resource

2024-11-02 21:17:26 My Network Places\VBOXSVR [Desktop\3\0\]

2024-11-02 21:17:26 My Network Places\VBOXSVR\\\Vboxsvr\d_drive [Desktop\3\0\0\]

2024-11-02 21:18:56 PWF-main (1)\PWF-main\Install-Sysmon [Desktop\4\0\0\]

2024-11-02 21:23:49 PWF-main (1)\PWF-main\AtomicRedTeam [Desktop\4\0\1\]

NTFS - File System Analysis

Which files are located in My Computer\CLSID_Desktop\PWF-main\PWF-main\AtomicRedTeam?

File Name

• ART-attack-cleanup.ps1

• ART-attack.ps1

• PWF_Analysis-MITRE.png

• PWF_Analysis-MITRE.svg
  

What is the MFT Entry Number for the file "ART-attack.ps1"?

Entry Number

• 103823
  

Standard Information

Created On: 2024-02-29 04:33:58.0000000

Modified On: 2024-02-29 04:33:58.0000000

Record Modified On: 2024-11-02 21:24:02.7348659

Last Accessed On: 2024-11-02 21:25:11.6144837

File Name

Created On: 2024-11-02 21:18:45.8011104

Modified On: 2024-11-02 21:18:45.8011104

Record Modified On: 2024-11-02 21:18:45.8011104

Last Accessed On: 2024-11-02 21:18:45.8011104

What are the MACB timestamps for "ART-attack.ps1"?

Modified m... 2024-02-29 04:33:58.0000000

Accessed .a.. 2024-11-02 21:25:11.6144837

Changed ($MFT) ..c. 2024-11-02 21:24:02.7348659

Birth (Creation) ...b 2024-02-29 04:33:58.0000000

Was "ART-attack.ps1" timestomped?

Yes

When was the file "deleteme_T1551.004" created and deleted?

2024-11-02 21:28:38 - created

2024-11-02 21:28:48 - deleted

What was the Entry number for "deleteme_T1551.004" and does it still exist in the MFT?

Overwritten

107713

Execution Artifacts

Background Activity Moderator (BAM)

Registry: HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings

Which executables (.exe files) did the BAM record for the IEUser (RID 1000) incl. their last execution date and time?

2024-11-02 15:31:14Z - \Device\HarddiskVolume2\Windows\explorer.exe

Application Compatibility Cache ("AppCompatCache") / Shimcache

Registry: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

Determine the cache entry position for:

AtomicService.exe: 7

mavinject.exe: 6

AmCache

Registry: C:\Windows\AppCompat\Programs\Amcache.hve

What SHA-1 hash did Amcache record for AtomicService.exe?

n/a

Prefetch

Path: C:\Windows\Prefetch\*.pf

Use the Prefetch-Timeline output to produce a timeline of suspicious execution events in the Eric Zimmerman Timeline Explorer:

POWERSHELL.exe

cmd.exe

NET.exe

REG.exe

SCHTASKS.exe

SC.exe

ATOMICSERVICE.EXE

MAVINJECT.exe

NOTEPAD.exe

Shortcut (LNK) Files

Path: C:\users\<username>\AppData\Roaming\Microsoft\Windows\Recent

Path: C:\users\<username>\AppData\Roaming\Microsoft\Office\Recent

Persistence Mechanisms

Auto-Run Keys

Registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

What is the full path of the AtomicService.exe that was added to the run keys?

C:\Path\AtomicRedTeam.exe

Startup Folder

Paths:

C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

What is the name of the suspicious script in the StartUp folder?

batstartup.bat

Windows Services

Registry: HKLM\SYSTEM\CurrentControlSet\Services

When was the suspicious atomic service installed?

2024-11-02 21:28:02Z

Scheduled Tasks

Registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree

Path:

C:\Windows\System32\Tasks

Which tasks were created by the IEUser and what's the creation time?

T1053_005_OnLogon

LastWrite: 2024-11-02 21:28:00Z

Id: {0809C40C-9E86-4CF4-B178-7D2458F0B0F0}

Task Reg Time: 2024-11-02 21:28:00Z

T1053_005_OnStartup

LastWrite: 2024-11-02 21:28:00Z

Id: {C7858901-2004-4549-90A8-EE52F1D3E344}

Task Reg Time: 2024-11-02 21:28:00Z

How many times did they execute?

They execute every time the system starts up

Windows Event Log Analysis

Path: C:\Windows\System32\winevt\logs

Source Event IDs Description

Microsoft-Windows-Windows Defender 5000 Defender enabled

5001 Defender disabled

System 7045 A new service was installed

Security 4624 An account was successfully logged on

Windows PowerShell 400 Engine state is changed from None to Available

Microsoft-Windows-Sysmon 1 Process creation

3 Network connection

11 File create

12, 13 Registry events

22 DNS query

Memory Analysis

with Volatility3

Important memory related artifacts:

Memory (volatile data)

hiberfil.sys

pagefile.sys

swapfile.sys

PID of suspicious processes?

powershell.exe 5848

notepad.exe 1180

AtomicService.exe 4760

Suspicious registry key in HKCU?

iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART

using volatility: vol -f win10-memory.raw windows.registry.printkey --offset 0xe50309e04000 --key AtomicRedTeam