Forensic Investigation on Windows Machines

December 30, 2013 by Ryan Mazerik

Digital forensics is the process of identifying and collecting digital evidence from any medium, while preserving its integrity for examination and reporting. It can be defined as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.

Two basic types of data are collected in computer forensics: persistent data and volatile data. Persistent data is stored on a local hard drive and is preserved when the computer is turned off. Volatile data is stored in primary memory and is lost when the computer loses power or is turned off; it resides in registers, cache and random access memory (RAM).

Phases of digital forensics

Fig: Phases of digital forensics

Incident Response and Identification

Initially, a forensic investigation is carried out to understand the nature of the case. Then, one needs to identify potential sources of relevant data, and a data collection plan must be established in order to ensure the privacy of the data.

An adequate asset document should be maintained to identify all physical assets under the control of each employee. Likewise, documentation should identify all company network and server resources accessible by each employee, and all available historical data maintained by the company.

Preservation and Collection

Data must be preserved in order to prevent its destruction. That can be done by coordinating the process with the relevant authorities of the pertinent institutions. Collected sources of data are handled in a forensically sound manner, and a report should be created detailing the collected information.

Images of physical disks, RAID volumes, and physical memory are collected and a proper chain of custody of the collected data must be maintained and documented on a standardized form. Forensic acquisitions and media used to store digital evidence are documented as well.

Processing and Analysis

A detailed analysis of the data is done in order to determine facts in the case and the beneficiaries of the act are discovered. The analysis must be capable of identifying deleted files and recovering them. It should be also able to analyze Windows and Linux artifacts.

Reporting

A report of the findings is created that contains the evidence and recommended remedial actions. In this phase, the analysis should be confirmed by using multiple tools and by testing assumptions. The report must be cross-checked for technical faults, and its accuracy must be maintained.

Windows registry forensics

What is the Windows Registry?

The Windows Registry is the central hierarchical database that Microsoft Windows uses to store the information needed to configure the system for multiple users, applications and devices. The Registry debuted in Windows 95 and has been used in every Windows OS since. It replaces the configuration files used in MS-DOS, such as config.sys and autoexec.bat, and the text-based initialization (.ini) files used in DOS-based Windows versions. The Registry is used by the kernel, user interfaces, device drivers, services and other applications.

Structure of the Windows Registry

The Windows Registry is presented as one unified tree, although it is made up of five main hierarchical folders. These five parent folders are called hives, and their names begin with HKEY (Handle to a Key). Each hive is composed of keys, which contain values and subkeys. Values are named items that hold specific settings pertaining to the OS or to the applications that depend on them. In Windows Explorer terms, keys correspond to folders, subkeys to subfolders and values to files.

Root Key Functions

HKEY_CLASSES_ROOT (HKCR)

It contains the file-association information that makes the correct program open a file when it's executed in Windows Explorer. It also contains information about shortcuts, drag-and-drop rules and user interfaces. The key maps to the following path: HKLM\Software\Classes

HKEY_CURRENT_USER (HKCU)

It contains configuration information for the user account that's currently logged into the system. The data pertains to screen colors, Control Panel settings and user folders. Aliases for user-specific branches can be found under the following main key: HKEY_USERS.

HKEY_LOCAL_MACHINE (HKLM)

It contains machine hardware information that the OS runs on. It includes a list of drives mounted to the system and generic configurations of installed hardware and applications.

HKEY_USERS (HKU)

It contains configuration information of complete user profiles on the system, which pertain to application configurations, and visual settings.

HKEY_CURRENT_CONFIG (HKCC)

This root key stores information about the system's current configuration. It maps to the following path: HKLM\Config\profile

Registry Forensics

Registry keys carry a value called the LastWrite time, which is closely analogous to a file's last-modification time. The value is stored in a FILETIME structure and records the last modification of the Registry key. The LastWrite time is updated when a registry key is created, accessed, modified or deleted. Unfortunately, a LastWrite time exists only for registry keys, not for individual registry values. The LastWrite time of a key allows a forensic analyst to infer the approximate date and time at which an event occurred.
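Because LastWrite times are stored as FILETIME structures, an analyst working from an exported hive usually has to convert raw 64-bit tick counts into readable timestamps before building a timeline. The following Python is an added example (not code from the article) that performs the conversion in both directions and filters a set of keys against a case time window; the key paths and tick values in SAMPLE_LASTWRITE are constructed for illustration, with the first one being the well-known FILETIME value of the Unix epoch.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10


def filetime_to_datetime(filetime):
    """Convert an unsigned 64-bit FILETIME tick count to an aware UTC datetime."""
    if not 0 <= filetime <= 0xFFFFFFFFFFFFFFFF:
        raise ValueError("FILETIME must fit in an unsigned 64-bit integer")
    # Python datetimes stop at microseconds, so the 100 ns digit is dropped.
    # Tick counts that land past year 9999 raise OverflowError from datetime itself.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // TICKS_PER_MICROSECOND)


def filetime_bytes_to_datetime(raw):
    """Decode the 8 little-endian bytes of a FILETIME as stored in a hive or REG_BINARY value."""
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    (filetime,) = struct.unpack("<Q", raw)
    return filetime_to_datetime(filetime)


def datetime_to_filetime(dt):
    """Inverse conversion; useful for turning a case time window into raw tick bounds."""
    if dt.tzinfo is None:
        raise ValueError("use an aware datetime so the UTC offset is explicit")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * TICKS_PER_MICROSECOND


def keys_written_between(lastwrite_by_key, start, end):
    """Return key paths whose LastWrite time falls inside [start, end] (aware datetimes)."""
    lo, hi = datetime_to_filetime(start), datetime_to_filetime(end)
    return sorted(path for path, ft in lastwrite_by_key.items() if lo <= ft <= hi)


# Constructed sample: two key paths with LastWrite tick counts. The first value is the
# Unix epoch (1970-01-01 00:00:00 UTC) expressed as FILETIME; the second is one day later.
SAMPLE_LASTWRITE = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": 116444736000000000,
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU":
        116444736000000000 + 86400 * 10_000_000,
}

if __name__ == "__main__":
    for path, ft in SAMPLE_LASTWRITE.items():
        print(f"{filetime_to_datetime(ft).isoformat()}  {path}")
```

Keeping every timestamp as an aware UTC datetime avoids the classic timeline error of mixing the examiner's local time with the evidence's UTC values; convert to the subject's time zone only when presenting results.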

Autorun Locations

Autorun locations are Registry keys that launch programs or applications during the boot process. If a computer is suspected to have been involved in a system intrusion case, autorun locations should be looked at. If the user denies their involvement, then it's possible their system was compromised and used to initiate the attack. In a case like that, autorun locations could prove that the system had a Trojan backdoor installed, leaving it vulnerable for an attacker to use at their discretion.

Common autorun locations are listed below:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

(ProfilePath)\Start Menu\Programs\Startup
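When an analyst receives a regedit export (a .reg file) of a suspect system rather than live access, the autorun review above can be done offline. The following Python is an added example, not code from the article: it parses the .reg text format (key headers in square brackets, quoted string values, the @ default value and dword: values) and lists every entry that sits under one of the registry autorun keys named above (the Startup folder is a file-system location, so it is not covered). The export in SAMPLE_EXPORT is constructed for illustration; real .reg files are UTF-16LE on disk, so decode them before calling the parser.

```python
# Hive abbreviations used in the article, mapped to the long names regedit writes in exports.
HIVE_LONG_NAMES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKU": "HKEY_USERS",
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKCC": "HKEY_CURRENT_CONFIG",
}

# Registry autorun keys listed in the article.
AUTORUN_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
]


def normalize_key(path):
    """Expand the hive abbreviation and lower-case the path so exports compare reliably."""
    hive, sep, rest = path.partition("\\")
    hive = HIVE_LONG_NAMES.get(hive.upper(), hive.upper())
    return (hive + sep + rest).lower()


def parse_reg_export(text):
    """Parse decoded .reg text into {key_path: {value_name: data}}.

    Handles [Key] headers, "Name"="string", @="string" (the default value, reported as
    "(Default)") and dword:XXXXXXXX. Other data types (hex:, hex(2):, ...) are kept as
    the raw text so nothing is silently dropped.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, sep, data = line.partition("=")
        if not sep:
            continue
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            # regedit escapes backslashes and double quotes inside string data.
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif data.startswith("dword:"):
            data = int(data[len("dword:"):], 16)
        keys[current][name] = data
    return keys


def find_autorun_entries(text):
    """Return (autorun key, value name, command) for every value under a known autorun key."""
    wanted = {normalize_key(k): k for k in AUTORUN_KEYS}
    found = []
    for key, values in parse_reg_export(text).items():
        short = wanted.get(normalize_key(key))
        if short is None:
            continue
        for name, data in values.items():
            found.append((short, name, data))
    return found


# Constructed sample export. The "updater" entry launching from C:\Users\Public is the kind
# of entry an examiner would flag for follow-up; the RunMRU key is included to show that
# non-autorun keys are parsed but not reported.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"updater"="C:\\Users\\Public\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
@="C:\\Temp\\cleanup.bat"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="cmd\\1"
'''

if __name__ == "__main__":
    for key, name, command in find_autorun_entries(SAMPLE_EXPORT):
        print(f"{key}\n    {name} = {command}")
```

Each reported entry should then be checked against the LastWrite time of its key and the binary it points to; an autorun value whose key was last written around the time of the suspected intrusion is exactly the kind of corroboration the article describes.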

MRU lists

MRU (Most Recently Used) lists contain entries made due to specific actions performed by a user. There are numerous MRU lists located throughout various Registry keys. The Registry maintains those lists of items in case the user returns to them in the future.

An example of an MRU list in the Windows Registry is the RunMRU key. When a user types a command into the "Run" box via the Start menu, an entry is added to that Registry key. Its location is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The chronological order of applications executed via "Run" can be determined by looking at the data column of the "MRUList" value. The letter "a" represents the first command typed in the "Run" box, and the letter "g" represents the last command typed in the "Run" box.

Fig: RunMRU key
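Reading the RunMRU key by hand is error-prone because the letters are assigned in creation order while the recency order lives in the MRUList string (most recently used letter first), and each lettered value carries a trailing "\1" marker. The following Python is an added example, not code from the article, that turns an exported RunMRU key into a most-recent-first list and reports lettered values that MRUList no longer references. SAMPLE_RUNMRU is constructed for illustration.

```python
def order_run_mru(values):
    """Return (ordered, orphans) for a RunMRU key given as {value_name: data}.

    ordered: [(letter, command), ...] in most-recent-first order, taken from MRUList.
    orphans: single-letter value names that exist in the key but not in MRUList; they
             are still evidence of a command having been typed, just without a known rank.
    The trailing "\\1" that Windows appends to each RunMRU command is removed.
    """
    mru_list = values.get("MRUList", "")
    ordered = []
    for letter in mru_list:
        command = values.get(letter)
        if command is None:
            # MRUList references a value that is missing: deleted entry or damaged key.
            continue
        if command.endswith("\\1"):
            command = command[:-2]
        ordered.append((letter, command))
    orphans = sorted(name for name in values if len(name) == 1 and name not in mru_list)
    return ordered, orphans


def first_and_last_typed(values):
    """Use the article's letter rule: the earliest letter is the first command ever typed,
    while the head of MRUList is the command most recently run."""
    ordered, _ = order_run_mru(values)
    if not ordered:
        return None, None
    first_created = min(ordered, key=lambda item: item[0])[1]
    most_recent = ordered[0][1]
    return first_created, most_recent


# Constructed sample of a RunMRU key. "e" exists but is absent from MRUList.
SAMPLE_RUNMRU = {
    "a": "cmd\\1",
    "b": "regedit\\1",
    "c": "\\\\fileserver\\share\\1",
    "d": "notepad\\1",
    "e": "calc\\1",
    "MRUList": "cadb",
}

if __name__ == "__main__":
    ordered, orphans = order_run_mru(SAMPLE_RUNMRU)
    for rank, (letter, command) in enumerate(ordered, start=1):
        print(f"{rank}. [{letter}] {command}")
    print("not in MRUList:", orphans)
```

Because the key has a single LastWrite time, only the head of MRUList can be tied to that timestamp; the remaining entries give relative order, not absolute times.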

Wireless Networks

A network or hotspot connection to a computer is identified by its SSID. On Windows XP, an SSID is logged as a preferred network connection and can be found in the Registry under the HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces key. That key has multiple subkeys, each of which should contain the values "ActiveSettings" and "Static#0000". There are further values that begin with "Static#" and are sequentially numbered. The binary data of the "Static#" values holds the network SSIDs of all the wireless access points the system has connected to, which can be seen by right-clicking a value and selecting "Modify".

Fig: Wireless Networks Registry view

UserAssist

The UserAssist key, at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist, contains two or more subkeys which have long hexadecimal names that appear as globally unique identifiers (GUIDs).

Each subkey records values that pertain to specific objects the user has accessed on the system, such as Control Panel applets, shortcut files, and programs. With the UserAssist key, a forensic examiner can acquire a better understanding of what types of files or applications have been accessed on a particular system. The entries aren't definitive, because they can't be associated with specific dates and times, but they may still indicate a user's specific actions.

Fig: UserAssist Key

LAN computers

The Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions contains information on computers connected on a LAN. The ComputerDescriptions key is useful in determining whether or not a user was connected to certain computers or belonged to a specific LAN.

USB devices

Any time a device is connected to the Universal Serial Bus (USB), its drivers are queried and the device's information is stored in the Registry. The first important key is HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR. That key stores the product and device ID values of any USB device that has ever been connected to the system.

Under each device there is a Device ID, assigned uniquely by the device's manufacturer, so a USB device can be identified specifically by that Device ID.

Fig: USB devices registry key
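The USBSTOR key names encode the device class, vendor, product and revision, and the subkey below each is the instance ID that the article calls the Device ID. The following Python is an added example, not code from the article, that parses exported USBSTOR key paths into those fields and applies one caveat every examiner should check: when the second character of the instance ID is an ampersand, Windows generated the ID locally because the device reported no serial number, so that ID cannot be used to match the device against another machine. The paths in SAMPLE_USBSTOR_PATHS, including the vendor and product strings, are constructed for illustration.

```python
import re

# Device key layout: "<class>&Ven_<vendor>&Prod_<product>&Rev_<revision>".
DEVICE_KEY_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$"
)


def parse_usbstor_path(path):
    """Parse 'HKLM\\SYSTEM\\ControlSet00x\\Enum\\USBSTOR\\<device key>\\<instance id>'."""
    parts = path.split("\\")
    upper = [p.upper() for p in parts]
    if "USBSTOR" not in upper:
        raise ValueError(f"not a USBSTOR path: {path}")
    idx = upper.index("USBSTOR")
    tail = parts[idx + 1:]
    if len(tail) < 2:
        raise ValueError("expected a device key and an instance id below USBSTOR")
    device_key, instance_id = tail[0], tail[1]
    match = DEVICE_KEY_RE.match(device_key)
    if not match:
        raise ValueError(f"unrecognised USBSTOR device key: {device_key}")

    # A '&' as the second character means Windows synthesised the instance ID because the
    # device supplied no serial; such IDs are machine-specific and not a device fingerprint.
    generated = len(instance_id) > 1 and instance_id[1] == "&"
    # Real serials carry a trailing "&<n>" instance suffix that is not part of the serial.
    serial = None if generated else instance_id.rsplit("&", 1)[0]

    return {
        "control_set": parts[idx - 2] if idx >= 2 else None,
        "device_type": match.group("type"),
        "vendor": match.group("vendor").replace("_", " ").strip(),
        "product": match.group("product").replace("_", " ").strip(),
        "revision": match.group("rev"),
        "instance_id": instance_id,
        "serial": serial,
        "serial_is_unique": not generated,
    }


def unique_devices(paths):
    """Collapse the same device seen in several control sets into one record per
    (vendor, product, instance id)."""
    seen = {}
    for path in paths:
        info = parse_usbstor_path(path)
        key = (info["vendor"], info["product"], info["instance_id"])
        seen.setdefault(key, info)
    return list(seen.values())


# Constructed sample paths: one device with a vendor-supplied serial, present in two control
# sets, and one device whose instance ID was generated by Windows.
SAMPLE_USBSTOR_PATHS = [
    r"HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26\4C530001230404111334&0",
    r"HKLM\SYSTEM\ControlSet002\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26\4C530001230404111334&0",
    r"HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1d2c3b4a&0",
]

if __name__ == "__main__":
    for dev in unique_devices(SAMPLE_USBSTOR_PATHS):
        tag = "serial" if dev["serial_is_unique"] else "GENERATED id, not unique"
        print(f"{dev['vendor']} {dev['product']} rev {dev['revision']}: {dev['instance_id']} ({tag})")
```

Pairing the instance ID with the LastWrite time of its subkey, as described under Registry Forensics above, gives an approximate last-connection time for each device.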

Internet Explorer

Internet Explorer stores its data under the HKCU\Software\Microsoft\Internet Explorer key. HKCU\Software\Microsoft\Internet Explorer\Main is one of three subkeys and stores the user's Internet Explorer settings, such as search bars, the start page and form settings. The second subkey is HKCU\Software\Microsoft\Internet Explorer\TypedURLs, which contains the browsing history of that user.

Fig: TypedURLs key

The third subkey is HKCU\Software\Microsoft\Internet Explorer\Download Directory, which contains the last directory used to store a file downloaded with Internet Explorer.

Free tools for digital forensics

SANS SIFT

The SIFT Workstation is a VMware appliance, pre-configured with the necessary tools to perform detailed digital forensic examinations in a variety of settings. It's compatible with the Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats. It has tools such as log2timeline for generating a timeline from system logs, Scalpel for data file carving, and Rifiuti for examining the Recycle Bin.

ProDiscover Basic

ProDiscover Basic is a simple digital forensic investigation tool that provides imaging, analysis and reporting of evidence found on drives.

The Sleuth Kit

The Sleuth Kit is an open source digital forensics toolkit that can be used to perform in-depth analysis of various file systems. Autopsy is a GUI for The Sleuth Kit. It comes with features like Timeline Analysis, Hash Filtering, File System Analysis and Keyword Searching out of the box, with the ability to add other modules for extended functionality.

FTK Imager

FTK Imager is a data preview and imaging tool that facilitates the examination of files and folders on local hard drives, network drives and CDs/DVDs, and reviews the contents of forensic images or memory dumps. FTK Imager can also create SHA1 or MD5 hashes of files, export files and folders from forensic images for review, recover files that were deleted from the Recycle Bin, and mount forensic images so their contents can be viewed in Windows Explorer.

Mandiant RedLine

RedLine offers the ability to perform memory and file analysis of specific hosts. It collects information about running processes and drivers from memory, and gathers file system metadata, registry data, event logs, network information, services, tasks, and browsing history to help build an overall threat assessment profile.

Major players in digital forensics

EnCase

EnCase is a suite of digital forensics products by Guidance Software. The software comes in several forms designed for forensic, cyber security and e-discovery use.

FTK

Forensic Toolkit, or FTK, is a computer forensics program made by AccessData. FTK is a court-accepted digital investigations platform built for speed, stability and ease of use. It provides comprehensive processing and indexing up front, thus providing faster filtering and search capabilities.

Ryan Mazerik

Ryan has over 10 years of experience in information security, specifically in penetration testing and vulnerability assessment. He used to train and mentor consultants in these offerings to expand security delivery capabilities. He has a strong passion for researching security vulnerabilities and for giving sessions on information security concepts.