Tuesday, August 16, 2022

Windows Forensic:Registry Recon

Features
  • Efficient harvesting of Registry data from entire disk images

  • Resurrection of Registries long since forgotten

  • Access to enormous amounts of deleted Registry data

  • Unique keys and values shown by default in historical fashion

  • Seamless access to all instances of keys and values

  • Windows restore point and Volume Shadow Copy support

  • Ability to view keys (and their values) at particular points in time

  • Automatic decoding of particularly interesting Registry keys


To solve the Windows Forensics challenges, we used the following resources:

Registry Recon supports adding forensic images in EnCase (E01) and raw (dd) formats, VHD disk images, physically mounted slave drives, and the contents of directories as evidence.

1. Add Evidence

2. Add Evidence > Mount option

3. Adding Evidence > Add

4. Add Evidence > Enter Evidence Name

5. Adding Evidence > Importing system hives from active Windows installs.

6. Adding Evidence > Importing complete.

Process


7. #Windows-1 Hostname? (DESKTOP-0J3S8C2)

Open the SYSTEM hive in Registry Recon and navigate to the SYSTEM\ControlSet001\Control\ComputerName\ComputerName registry key. Note the data value of ComputerName.

8. #Windows-2 Time zone (UTC)

Still using Registry Recon and the SYSTEM hive, navigate to the SYSTEM\ControlSet001\Control\TimeZoneInformation registry key. Note the data value of TimeZoneKeyName.


9. #Windows-3 Build number (19042)

In Registry Recon, navigate to the SOFTWARE\Microsoft\Windows NT\CurrentVersion registry key. Note the data value of CurrentBuildNumber.

10. #Windows-4 Product name

Following the same steps as the previous challenge, the product name is listed under the same registry key (the ProductName value).

11. #Windows-5 SID (John Doe)

You can determine a user's SID by looking at the ProfileImagePath value under each S-1-5-21-prefixed SID listed beneath:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Select each SID under this key in turn and look at its ProfileImagePath; the last component of that path is the user's name.

12. #Windows-6 TypedURLs (http://go.microsoft.com)

The last URL entered is a bit different. In our case the browser used is Internet Explorer, whose typed URLs are kept in the user hive; other browsers usually keep their data elsewhere on the drive. The path to the key is NTUSER.DAT\SOFTWARE\Microsoft\Internet Explorer\TypedURLs, and the value we are looking for is the first one, named url1. The answer is http://go.microsoft.com.

13. #Windows-7 Recently accessed docs folder (HACKPLANET)

The value data is stored as a hexadecimal byte string, so we used CyberChef to convert it back into its raw value.
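As an added example (not part of the original write-up), the decoding that CyberChef does here can be scripted. The RecentDocs values under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs (and its Folder subkey) are binary: a UTF-16LE, null-terminated name followed by a shell item, while the MRUListEx value lists the numbered value names as 32-bit little-endian integers in most-recent-first order, terminated by 0xFFFFFFFF. The sample value data below is constructed for the example; only the folder name HACKPLANET comes from the challenge.

```python
import struct
from typing import Dict, List


def decode_recentdocs_value(hex_bytes: str) -> str:
    """Return the document/folder name stored at the front of a RecentDocs value.

    The value data is a UTF-16LE name terminated by a 0x0000 code unit, followed
    by a shell item that is not needed for the name. Input is the hex string as
    copied from the registry viewer (spaces allowed).
    """
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    # Scan on 2-byte boundaries: the terminator must be aligned to a code unit,
    # otherwise the zero high byte of one character plus the next byte could be
    # misread as an end marker.
    for offset in range(0, len(raw) - 1, 2):
        if raw[offset] == 0 and raw[offset + 1] == 0:
            return raw[:offset].decode("utf-16-le")
    # No terminator found: decode what is there rather than fail outright.
    return raw[: len(raw) // 2 * 2].decode("utf-16-le", errors="replace")


def parse_mrulistex(hex_bytes: str) -> List[int]:
    """Return value indices in most-recently-used-first order.

    MRUListEx is an array of little-endian DWORDs ending with 0xFFFFFFFF.
    """
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    order: List[int] = []
    for (index,) in struct.iter_unpack("<I", raw[: len(raw) // 4 * 4]):
        if index == 0xFFFFFFFF:
            break
        order.append(index)
    return order


def recent_docs_in_order(values: Dict[str, str]) -> List[str]:
    """Combine MRUListEx with the numbered values to list names, newest first."""
    names: List[str] = []
    for index in parse_mrulistex(values["MRUListEx"]):
        data = values.get(str(index))
        if data is not None:  # tolerate a dangling index with no value
            names.append(decode_recentdocs_value(data))
    return names


def _make_value(name: str) -> str:
    """Build constructed sample value data: name + terminator + dummy shell item."""
    shell_item = b"\x14\x00" + b"\x32" + b"\x00" * 17 + b"\x00\x00"  # constructed filler
    return (name.encode("utf-16-le") + b"\x00\x00" + shell_item).hex()


# Constructed sample: value 1 was used most recently, then value 0.
SAMPLE_RECENTDOCS = {
    "MRUListEx": "01000000 00000000 ffffffff",
    "0": _make_value("HACKPLANET"),  # the folder name from the challenge
    "1": _make_value("notes.txt"),
}

if __name__ == "__main__":
    for name in recent_docs_in_order(SAMPLE_RECENTDOCS):
        print(name)
```

Reading MRUListEx first matters: the numbered values are reused in place when the list is updated, so value "0" is not necessarily the oldest or the newest entry.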


14. #Windows-8 Run (OneDrive.exe)

The key takeaway from the description is "finding a software that runs when the system is restarted".

So we open the SOFTWARE hive from Windows\System32\config\ and navigate to Microsoft\Windows\CurrentVersion\Run, where each value holds the command executed at startup.


Problems found

  • The program cannot decode values automatically yet; we had to copy the value out of the Registry and decode it with other tools.
  • It supports forensic images in EnCase (E01) and raw (dd) formats, VHD disk images, physically mounted slave drives, and the contents of directories as evidence, but it does not support *.L01 or *.AD files.


Introducing Registry Recon



Refer: Registry Recon

How to Find a User's Security Identifier (SID) in Windows



#WINDOWSFORENSIC #COMPUTERFORENSICS #DFIR #FORENSICS #DIGITALFORENSICS #COMPUTERFORENSIC #INVESTIGATION #CYBERCRIME #FRAUD #หลักสูตรการพิสูจน์หลักฐานทางดิจิทัล


Note: The content on this site is provided for informational and educational purposes only.

* If any information is in error, we apologize; please notify the ADMIN so it can be corrected.
Thank you.

Saturday, August 13, 2022

AmcacheParser Forensic tools


The Amcache.hve file is a registry file that stores the information of executed applications.

A common location for Amcache.hve is:
%SystemRoot%\AppCompat\Programs\Amcache.hve

Export > Amcache.hve

Loading an Amcache.hve hive from a Windows 10 machine into Registry Explorer, we can see the following layout:

Registry Explorer > Open Amcache.hve

AmcacheParser searches and sorts out cache information from Windows' Amcache.hve registry hive (a file that stores information about recently run applications/programs). It lets users differentiate between file entries and program entries when searching and exporting information.

Run AmcacheParser against the exported hive and write the results as CSV:

#.\AmcacheParser.exe -f "I:\Export\Amcache.hve" --csv I:\Export

The export produces CSV files, including a 20220727154302_Amcache_UnassociatedFileEntries.csv entry; each row includes the file's Full Path.
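As an added example, not part of the post or of AmcacheParser itself, the UnassociatedFileEntries CSV can be triaged with a short script instead of being read by eye. The column names SHA1, FullPath, Name, FileKeyLastWriteTimestamp and IsOsComponent are assumed to match AmcacheParser's headers (check them against the header line of your own export), and the three rows below are constructed sample data, not output from the challenge image.

```python
import csv
import io
from datetime import datetime
from typing import Dict, List

# Constructed sample rows in the shape of AmcacheParser's
# *_Amcache_UnassociatedFileEntries.csv (column names are an assumption).
SAMPLE_CSV = """\
ApplicationName,FileKeyLastWriteTimestamp,SHA1,IsOsComponent,FullPath,Name
Unassociated,2022-07-27 15:43:02,0000da39a3ee5e6b4b0d3255bfef95601890afd80709,True,c:\\windows\\system32\\notepad.exe,notepad.exe
Unassociated,2022-07-26 09:12:55,3f786850e387550fdab836ed7e6dc881de23001b,False,c:\\users\\john\\appdata\\local\\temp\\update.exe,update.exe
Unassociated,2022-07-25 18:30:10,89e6c98d92887913cadf06b2adb97f26cde4849b,False,c:\\program files\\vendor\\tool.exe,tool.exe
"""

# Amcache only hashes the first 31,457,280 bytes of a file, so a whole-file
# SHA1 of a larger binary will not match the recorded value.
AMCACHE_HASH_LIMIT = 31_457_280

# Locations where a dropped or user-staged executable typically lands; used to
# prioritise review, not as proof of anything on its own.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\downloads\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
)


def normalize_sha1(value: str) -> str:
    """Amcache stores the hash as four zero characters + 40 hex digits; strip the padding.

    Works whether the export kept the padding (44 chars) or already removed it (40).
    """
    value = value.strip().lower()
    if len(value) == 44 and value.startswith("0000"):
        return value[4:]
    return value


def load_entries(csv_text: str) -> List[Dict[str, object]]:
    """Parse the CSV text into dicts with a real datetime and a normalized hash."""
    entries: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        entries.append({
            "path": row["FullPath"],
            "name": row["Name"],
            "sha1": normalize_sha1(row["SHA1"]),
            "is_os_component": row["IsOsComponent"].strip().lower() == "true",
            # Timestamp format assumed to be AmcacheParser's default "yyyy-MM-dd HH:mm:ss".
            "last_write": datetime.strptime(row["FileKeyLastWriteTimestamp"], "%Y-%m-%d %H:%M:%S"),
        })
    return entries


def flag_user_writable(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return non-OS entries whose path sits in a user-writable staging location, newest first."""
    hits = [
        e for e in entries
        if not e["is_os_component"]
        and any(marker in str(e["path"]).lower() for marker in USER_WRITABLE_MARKERS)
    ]
    return sorted(hits, key=lambda e: e["last_write"], reverse=True)


def lookup_by_hash(entries: List[Dict[str, object]], sha1: str) -> List[Dict[str, object]]:
    """Find entries matching a known SHA1 (e.g. from an allowlist or blocklist)."""
    wanted = normalize_sha1(sha1)
    return [e for e in entries if e["sha1"] == wanted]


if __name__ == "__main__":
    parsed = load_entries(SAMPLE_CSV)
    for entry in flag_user_writable(parsed):
        print(entry["last_write"], entry["sha1"], entry["path"])
```

The FileKeyLastWriteTimestamp is the registry key's last-write time, which approximates when the entry was recorded, not when the file was executed; treat it as a "seen by" bound and corroborate with other artifacts.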




Refer:

amcache-still-rules-everything-around

EricZimmerman

Amcache and Shimcache in forensic analysis




Friday, August 12, 2022

DIGITAL FORENSICS:Booting a forensics image on a Virtual Machine



Starting with V9 of OSForensics, booting a forensic image of a system disk as a virtual machine has never been easier.

When performing forensic investigation on an image of a target system drive, it is often necessary to recreate and examine the live environment of the system to acquire all relevant data during the investigation. By running the image as a live system, the investigator can perform a live forensic analysis of the image, allowing for the potential discovery of additional forensic artifacts that may not have been previously uncovered from a traditional static analysis. Finally, because the system is running in a protected virtual environment created from the forensic image file, there is no risk of compromising the target system.



To access this feature from the Start screen, simply click the Boot Virtual Machine icon or module button as shown above.

Users simply need to point OSF to the forensic image file of the target O/S drive, review a few other options and features and click the ‘Boot VM’ button.



Steps

  1. Select image file.
  2. Choose OS if image is of a multi-boot system.
  3. Choose VirtualBox or VMware Workstation. (Must be pre-installed)
  4. Review technical specifications.
  5. Attach any additional disk images.
  6. Choose or review VM options and User account to boot.
  7. Click "Boot VM"

After clicking 'Boot VM', the real-time log will begin recording all of the processes taking place behind the scenes. Once completed, your VM software will launch and the selected user account will boot…

Analyzing the Live System

Once the boot process is complete, you may begin analyzing and searching through the live system. In addition to being able to review the Desktop layout, the Recycle Bin, and proprietary files in their native application, this also provides a great visual aid for screenshotting evidence to present to a client or in court when necessary.

Screenshots allow you to capture evidence files and artifacts just as they may have appeared through the eyes of the user. Some examples include…

  • Jumplists (recent webpages, Word docs, etc.)
  • Autorun Apps.
  • Previous custom desktop backgrounds
  • Settings for certain applications (e.g., CCleaner)
  • Search term history from P2P and other applications

Autorun Apps

A VHD File

Network Drive


Booting a forensic image in VirtualBox with FTK Imager


Forensic Image Virtual Boot:Learn how to create a Virtual Machine from a Forensic Disk Image



Credit:osforensics


#WindowsForensic #computerforensic #ComputerForensics #dfir #forensics
#digitalforensics #investigation #cybercrime #fraud


Tuesday, August 2, 2022

Digital Forensics:The Memory Process File System (MemProcFS)




The Memory Process File System (MemProcFS) is an easy and convenient way of viewing physical memory as files in a virtual file system.

It is a tool that helps with memory analysis: it can pull data out of memory for analysis in a simple way, without complicated command-line arguments!

Install

Windows

Download or clone the Memory Process File System github repository. Pre-built binaries are found in the files folder.


Please download and install the latest version of Dokany at: https://github.com/dokan-dev/dokany/releases/latest It is recommended to download and install the DokanSetup_redist version.

Mounting the file system requires the Dokany file system library to be installed.

#H:\MemProcFS\MemProcFS_files_and_binaries_v4.9.3-win_x64-20220718>MemProcFS.exe -device "H:\18 Computer Forensics\CTF\incident-response-challenge.com\Easy - Is that you\Easy - Volatility Find Evil - Is that you\Challenge\memdump.mem" -forensic 1
Python support requires Python 3.6 or later. The user may specify the path to the Python installation with the command line parameter -pythonhome, alternatively download Python 3.7 – Windows x86-64 embeddable zip file and unzip its contents into the files/python folder when using Python modules in the file system.

Mount

Memdump.mem

#M:\sys\proc\Proc.txt

#M:\Registry

ComputerName
#M:\Registry\HKLM\SYSTEM\ControlSet001\Control\ComputerName\ComputerName

ProductName
#M:\Registry\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName.txt

Windows install date
#M:\Registry\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate.txt

ShutdownTime
#M:\Registry\HKLM\SYSTEM\ControlSet001\Control\Windows\ShutdownTime.txt
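As an added example, not part of the post or of MemProcFS, the two timestamp values listed above are not human-readable as stored: InstallDate is a REG_DWORD holding seconds since the Unix epoch, and ShutdownTime is an 8-byte REG_BINARY Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), both little-endian. The script below decodes either from raw bytes or from a hex string copied out of the viewer; the sample bytes are constructed, not taken from the challenge memory dump.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Union

# FILETIME counts 100 ns ticks from 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Seconds between the FILETIME epoch and the Unix epoch (1970-01-01 UTC).
EPOCH_DIFF_SECONDS = 11_644_473_600


def _as_bytes(data: Union[bytes, str]) -> bytes:
    """Accept raw bytes or a hex string (spaces allowed) as copied from the viewer."""
    if isinstance(data, str):
        return bytes.fromhex(data.replace(" ", ""))
    return bytes(data)


def filetime_to_datetime(data: Union[bytes, str]) -> datetime:
    """Decode an 8-byte little-endian FILETIME such as ShutdownTime."""
    raw = _as_bytes(data)
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be 8 bytes, got {len(raw)}")
    (ticks,) = struct.unpack("<Q", raw)
    # Integer division: timedelta has microsecond resolution, FILETIME has 100 ns.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def installdate_to_datetime(data: Union[bytes, str]) -> datetime:
    """Decode the 4-byte little-endian REG_DWORD InstallDate (Unix seconds, UTC)."""
    raw = _as_bytes(data)
    if len(raw) != 4:
        raise ValueError(f"InstallDate must be 4 bytes, got {len(raw)}")
    (seconds,) = struct.unpack("<I", raw)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def unix_to_filetime(seconds: int) -> int:
    """Inverse helper: convert Unix seconds to FILETIME ticks (useful for cross-checking)."""
    return (seconds + EPOCH_DIFF_SECONDS) * 10_000_000


# Constructed samples: 2022-07-18 00:00:00 UTC as a FILETIME,
# and 2021-01-01 00:00:00 UTC as an InstallDate.
SAMPLE_SHUTDOWN_TIME = struct.pack("<Q", 133_025_760_000_000_000)
SAMPLE_INSTALL_DATE = struct.pack("<I", 1_609_459_200)

if __name__ == "__main__":
    print("ShutdownTime:", filetime_to_datetime(SAMPLE_SHUTDOWN_TIME).isoformat())
    print("InstallDate :", installdate_to_datetime(SAMPLE_INSTALL_DATE).isoformat())
```

Both results are in UTC; convert with the TimeZoneKeyName found earlier in the same hives only when presenting local times, and keep the UTC value in the notes so the timeline stays consistent with other UTC-stamped artifacts.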


#M:\name\spoolsv.exe-1228\memmap\vad.txt
#M:\name\spoolsv.exe-1228\modules\advapi32.dll\fullname.txt


#M:\forensic\ntfs\ntfs_files.txt

timeline_process
#M:\forensic\timeline\timeline_process.txt

YouTube Credit : 13Cubed


Credit:  ufrisk 



Read more: Memory Forensics
             

