Actionable DFIR: High Level System Analysis To Get Answers Fast

This document discusses digital forensics and incident response (DFIR) techniques for analyzing a Windows system to understand how an attack occurred. It outlines common categories of artifacts left behind, such as account usage, browser activity, files downloaded and executed. The document describes where to find these artifacts in the system's files, registry, and logs. It also discusses the cyber kill chain model and MITRE ATT&CK framework for understanding common attack techniques and what forensic evidence to look for.

Uploaded by Chad Graham

High Level System Analysis To Get Answers Fast*
*For Windows… and not Memory Forensics
Actionable DFIR

Author: Chad Graham
E-mail: Chad@cg-isecurity.com
@CG-iSecurity
https://www.linkedin.com/in/chadgraham1224
What will we talk about?
• DFIR Intro – What is it?
• Kill Chain / MITRE ATT&CK
• Categories of Artifacts – Account Usage, Browser Usage, File Download, File/Folder Opening, Program Execution, Deleted Files, USB Devices, Services & Tasks, PowerShell
• Timelines – $MFT, PLASO/Super TimeLine
• Hints, Tips & Tricks
DFIR Intro – What is DFIR?
• DFIR stands for Digital Forensics and Incident Response.
• Understanding how an attack took place by piecing together the artifacts left behind on the system like a puzzle. Sometimes there are too many pieces, sometimes a few of the pieces are missing.
Good luck!
Cyber Kill Chain / MITRE ATT&CK
• To understand what we are looking for on a system, it helps to understand how attacks work. The Kill Chain names the phases of an intrusion; ATT&CK lists the techniques seen in each phase, which tells you which artifacts to pull and in what order.
• https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
• https://attack.mitre.org/
Categories of Artifacts
• Account Usage – Successful/Failed Logons, Logon Types, RDP Usage
• Browser Usage – History, Cookies, Cache, Flash & Super Cookies
• File Download – Open/Save MRU, Browser Artifacts, Downloads
• File/Folder Opening – Open/Save MRU, Recent Files, Shell Bags, LNK Files, Jump Lists, Prefetch
• Program Execution – UserAssist, Last-Visited MRU, Run MRU, AppCompatCache, Amcache, Jump Lists, Prefetch
• Deleted Files – Recycle.bin
• USB Devices – USBStor, PnP Events, LNK Files
• Services & Tasks – Service Events, Scheduled Tasks events, .job Files
• Evidence of PowerShell Code Execution

So, where do we find all of this stuff?
• In order to examine these artifacts, we need to gather some items from the system:
• Event Logs Folder – C:\Windows\System32\winevt\Logs (*.evtx)
• Registry Hives – SYSTEM, SECURITY, SOFTWARE, SAM (in C:\Windows\System32\config), plus the per-user NTUSER.DAT (profile root) and USRCLASS.DAT (AppData\Local\Microsoft\Windows)
• Amcache.hve File – C:\Windows\AppCompat\Programs
• Prefetch Folder – C:\Windows\Prefetch
• %UserProfile%\AppData Folders
• SetupAPI.dev.log File – C:\Windows\inf
• $Recycle.bin Folder – root of each volume
• $MFT File – root of each NTFS volume; it needs a raw/forensic copy, Explorer and Copy-Item cannot read it
• C:\Windows\System32\Tasks Folder
• On a live system the hives, event logs and Amcache.hve are locked by the OS, so either image the disk or export them with reg save / wevtutil epl or a raw-copy tool.
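The list above as a collection script, added here as an example and not part of the original deck: it copies every artifact named on this slide out of a mounted, read-only image of the Windows volume into a case folder and writes a SHA-256 manifest of what was taken. The drive letter `E:\` and the output folder are assumptions.

```powershell
# Added example, not from the deck: copy the artifacts listed on this slide out of a
# mounted, read-only image of the Windows volume and hash everything collected.
$ImageRoot = 'E:\'                       # mounted evidence volume (assumed)
$OutDir    = 'C:\Cases\CASE001\collect'  # case output folder (assumed)

# Volume-level artifacts, relative to the root of the Windows volume
$volumeItems = @(
    'Windows\System32\winevt\Logs',            # event log folder (*.evtx)
    'Windows\System32\config\SYSTEM',
    'Windows\System32\config\SECURITY',
    'Windows\System32\config\SOFTWARE',
    'Windows\System32\config\SAM',
    'Windows\AppCompat\Programs\Amcache.hve',
    'Windows\Prefetch',
    'Windows\inf\setupapi.dev.log',
    'Windows\System32\Tasks',
    '$Recycle.Bin'
)
# Per-user artifacts, relative to each profile folder under Users\
$userItems = @(
    'NTUSER.DAT',
    'AppData\Local\Microsoft\Windows\UsrClass.dat',
    'AppData'
)

function Copy-Artifact {
    param([string]$Source, [string]$Destination)
    # -LiteralPath so names such as $Recycle.Bin are not treated as wildcards
    if (-not (Test-Path -LiteralPath $Source)) {
        Write-Warning "missing: $Source"
        return
    }
    New-Item -ItemType Directory -Path (Split-Path -Parent $Destination) -Force | Out-Null
    Copy-Item -LiteralPath $Source -Destination $Destination -Recurse -Force -ErrorAction SilentlyContinue
}

foreach ($item in $volumeItems) {
    Copy-Artifact -Source (Join-Path $ImageRoot $item) -Destination (Join-Path $OutDir $item)
}

# One set of user artifacts per profile; -Force so hidden profile folders are included
foreach ($userDir in Get-ChildItem -LiteralPath (Join-Path $ImageRoot 'Users') -Directory -Force) {
    foreach ($item in $userItems) {
        Copy-Artifact -Source (Join-Path $userDir.FullName $item) `
                      -Destination (Join-Path $OutDir ('Users\' + $userDir.Name + '\' + $item))
    }
}

# Hash manifest: records what was collected and lets you prove it has not changed since
Get-ChildItem -LiteralPath $OutDir -Recurse -File -Force |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
```

The $MFT is deliberately absent: it is not reachable through the file system API, so it has to come from the raw volume with a forensic parser or imager. Against a live machine instead of an image the hives, event logs and Amcache.hve are locked, so swap the copies for reg save and wevtutil epl exports, or use a tool that reads the raw disk.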
Who's been logging in, or at least trying to?
• SECURITY Event Log!
• Successful Logon –
• 4624 = An account was successfully logged on
• 4672 = Special privileges assigned to new logon (an admin-level logon; pair it with the 4624 written just before it for the same account)
• 4648 = Logon attempted using explicit credentials (RunAs, or a tool passing a different user's credentials to another host)
• Failed Logon –
• 4625 = An account failed to log on (the Status/SubStatus fields say why: bad password, unknown user, disabled or expired account…)
• Logon Types (the LogonType field in 4624/4625) –
• Type 2 – Interactive / Console (hands on keyboard in front of the screen)
• Type 3 – Network logon (connections from remote computers: SMB shares, admin$, WMI, PsExec; very noisy)
• Type 7 – Unlock of a locked session
• Type 10 – Remote Interactive logon (Remote Desktop)
• Type 11 – Cached Interactive (console logon with cached domain credentials, no DC reachable)
• Caveat: these events land on the machine where the logon happened, not on the attacker's box; a failed RDP logon under NLA shows up as Type 3 rather than Type 10; and machine accounts (names ending in $) generate most of the volume, so filter them out first.
Remote Desktop Connections
• Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational – Event ID 1149 (user authentication succeeded: user, domain and source IP; with NLA it means the credentials were accepted, not that a desktop session necessarily followed)
• Microsoft-Windows-TerminalServices-LocalSessionManager/Operational – Event IDs 21 (session logon succeeded), 24 (session disconnected), 25 (session reconnected), each with the source address
• Correlate with SECURITY 4624 Type 10 at the same time to confirm the session
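The logon and RDP slides above as one triage script, added here as an example and not part of the original deck. It reads the exported Security.evtx and the two TerminalServices logs from the case folder (the path is an assumption), decodes the EventData fields, drops machine and service accounts, and prints the three tables an analyst usually wants first: failed logons by account and source, hands-on-keyboard logons, and RDP connections with their source IPs.

```powershell
# Added example, not from the deck: summarize logon activity from an exported
# Security.evtx and the two TerminalServices logs. $LogDir is an assumption.
$LogDir = 'C:\Cases\CASE001\collect\Windows\System32\winevt\Logs'

$LogonType = @{
    '2' = 'Interactive (console)'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'
    '7' = 'Unlock'; '8' = 'NetworkCleartext'; '9' = 'NewCredentials (RunAs /netonly)'
    '10' = 'RemoteInteractive (RDP)'; '11' = 'CachedInteractive'
}

function Get-EventData {
    # Flatten <EventData><Data Name="X">value</Data> into a hashtable keyed by Name
    param($Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Read-Evtx {
    param([string]$File, [int[]]$Id)
    $p = Join-Path $LogDir $File
    if (-not (Test-Path -LiteralPath $p)) { return @() }
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no events"
    Get-WinEvent -FilterHashtable @{ Path = $p; Id = $Id } -ErrorAction SilentlyContinue
}

$rows = foreach ($e in Read-Evtx 'Security.evtx' @(4624, 4625, 4648, 4672)) {
    $d = Get-EventData $e
    # 4672 names the logon's subject; 4624/4625/4648 name the target account
    if ($e.Id -eq 4672) { $acct = "$($d.SubjectDomainName)\$($d.SubjectUserName)" }
    else                { $acct = "$($d.TargetDomainName)\$($d.TargetUserName)" }
    if ($d.IpAddress -and $d.IpAddress -ne '-') { $src = $d.IpAddress } else { $src = $d.WorkstationName }
    $type = ''; if ($d.LogonType) { $type = $LogonType[$d.LogonType] }
    $detail = ''
    if ($e.Id -eq 4625) { $detail = "SubStatus=$($d.SubStatus)" }   # 0xC000006A bad password, 0xC0000064 no such user
    if ($e.Id -eq 4648) { $detail = "-> $($d.TargetServerName)" }   # where the explicit credentials were used
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Account = $acct; Type = $type; Source = $src; Detail = $detail }
}

# Drop machine accounts (name ends in $) and the built-in identities that generate most of the volume
$human = $rows | Where-Object {
    $_.Account -notmatch '\$$' -and $_.Account -notmatch '\\(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|ANONYMOUS LOGON)$'
}

"== Failed logons by account, source and reason (brute force / spraying shows up here) =="
$human | Where-Object Id -eq 4625 | Group-Object Account, Source, Detail |
    Sort-Object Count -Descending | Select-Object Count, Name -First 20 | Format-Table -AutoSize

"== Hands-on-keyboard logons (console, unlock, cached, RDP), oldest first =="
$human | Where-Object { $_.Id -eq 4624 -and $_.Type -match 'Interactive|Unlock' } |
    Sort-Object Time | Format-Table Time, Account, Type, Source -AutoSize

"== Admin-level logons (4672): pair each with the 4624 logged just before it for the same account =="
$human | Where-Object Id -eq 4672 | Group-Object Account | Select-Object Count, Name | Format-Table -AutoSize

# RDP: 1149 (RemoteConnectionManager) = credentials accepted at the network/NLA stage;
# 21 / 25 (LocalSessionManager) = a desktop session actually logged on / reconnected.
$rcm = foreach ($e in Read-Evtx 'Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx' @(1149)) {
    $u = ([xml]$e.ToXml()).Event.UserData.EventXML   # this provider uses Param1..Param3, not <Data Name=...>
    [pscustomobject]@{ Time = $e.TimeCreated; Id = 1149; User = "$($u.Param2)\$($u.Param1)"; Source = $u.Param3 }
}
$lsm = foreach ($e in Read-Evtx 'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx' @(21, 25)) {
    $u = ([xml]$e.ToXml()).Event.UserData.EventXML
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; User = $u.User; Source = $u.Address }
}
"== RDP connections (1149 auth, 21 logon, 25 reconnect) =="
@($rcm) + @($lsm) | Sort-Object Time | Format-Table -AutoSize
```

Get-WinEvent with a Path filter reads the exported .evtx directly, so this runs on the analyst's workstation, not the victim. The XML route (ToXml) is used on purpose: the rendered Message text needs the provider's message DLLs, which an exported log from another machine may not have, while the EventData fields are always present.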
Browser Usage
• History
• IE10, 11, Edge (legacy) – %UserProfile%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
• Firefox – %UserProfile%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\places.sqlite
• Chrome – %UserProfile%\AppData\Local\Google\Chrome\User Data\Default\History
• Cookies
• IE11 – %UserProfile%\AppData\Local\Microsoft\Windows\INetCookies
• Edge (legacy) – %UserProfile%\AppData\Local\Packages\Microsoft.microsoftedge_<AppID>\AC\MicrosoftEdge\Cookies
• Firefox – %UserProfile%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\cookies.sqlite
• Chrome – %UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Cookies (HTML5 local storage sits next to it in Default\Local Storage\)
• Cache
• IE11 – %UserProfile%\AppData\Local\Microsoft\Windows\INetCache\IE
• Edge (legacy) – %UserProfile%\AppData\Local\Packages\Microsoft.microsoftedge_<AppID>\AC\MicrosoftEdge\Cache
• Firefox – %UserProfile%\AppData\Local\Mozilla\Firefox\Profiles\<randomtext>.default\Cache (cache2 in current versions)
• Chrome – %UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Cache
• Flash & Super Cookies
• Local Shared Objects (LSOs) or Flash Cookies are stored when a visited website uses Flash. These cookies do not expire and rarely get cleared.
• %APPDATA%\Macromedia\Flash Player\#SharedObjects\<randomprofileid>
• Notes: "Edge" above is the original EdgeHTML Edge; Chromium-based Edge uses the Chrome layout under %UserProfile%\AppData\Local\Microsoft\Edge\User Data\Default. The WebCacheV*.dat ESE database is usually left in a dirty state when taken from a live system and needs recovery with esentutl before it will parse. The SQLite files carry their own timestamp formats (Chrome: microseconds since 1601, Firefox: microseconds since 1970), not Windows FILETIMEs.
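The path list above turned into an inventory, added here as an example and not part of the original deck: for each profile under Users\ on a mounted image it resolves the wildcards (<randomtext>.default, <AppID>, Chrome profile folders), reports which browser artifacts exist and when each was last written, and supplies the two timestamp conversions needed once you open the SQLite files. The drive letter is an assumption; the two sample timestamp values at the end are constructed.

```powershell
# Added example, not from the deck: inventory browser artifacts per user profile on a
# mounted image and convert the timestamp formats found inside them. $ImageRoot is assumed.
$ImageRoot = 'E:\'

# Relative to the profile root; * stands in for <randomtext>.default, <AppID> and Chrome profile names
$Artifacts = @(
    @{ Browser = 'IE/Edge(legacy)'; Kind = 'History'; Path = 'AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat' }
    @{ Browser = 'IE11';            Kind = 'Cookies'; Path = 'AppData\Local\Microsoft\Windows\INetCookies' }
    @{ Browser = 'IE11';            Kind = 'Cache';   Path = 'AppData\Local\Microsoft\Windows\INetCache\IE' }
    @{ Browser = 'Edge(legacy)';    Kind = 'Cookies'; Path = 'AppData\Local\Packages\Microsoft.MicrosoftEdge_*\AC\MicrosoftEdge\Cookies' }
    @{ Browser = 'Edge(legacy)';    Kind = 'Cache';   Path = 'AppData\Local\Packages\Microsoft.MicrosoftEdge_*\AC\MicrosoftEdge\Cache' }
    @{ Browser = 'Edge(Chromium)';  Kind = 'History'; Path = 'AppData\Local\Microsoft\Edge\User Data\*\History' }
    @{ Browser = 'Firefox';         Kind = 'History'; Path = 'AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite' }
    @{ Browser = 'Firefox';         Kind = 'Cookies'; Path = 'AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite' }
    @{ Browser = 'Firefox';         Kind = 'Cache';   Path = 'AppData\Local\Mozilla\Firefox\Profiles\*\cache2' }
    @{ Browser = 'Chrome';          Kind = 'History'; Path = 'AppData\Local\Google\Chrome\User Data\*\History' }
    @{ Browser = 'Chrome';          Kind = 'Cookies'; Path = 'AppData\Local\Google\Chrome\User Data\*\Cookies' }
    @{ Browser = 'Chrome';          Kind = 'Cookies'; Path = 'AppData\Local\Google\Chrome\User Data\*\Network\Cookies' }
    @{ Browser = 'Chrome';          Kind = 'Cache';   Path = 'AppData\Local\Google\Chrome\User Data\*\Cache' }
    @{ Browser = 'Flash LSO';       Kind = 'Cookies'; Path = 'AppData\Roaming\Macromedia\Flash Player\#SharedObjects\*' }
)

$found = foreach ($userDir in Get-ChildItem -LiteralPath (Join-Path $ImageRoot 'Users') -Directory -Force) {
    foreach ($a in $Artifacts) {
        # Get-Item (not Get-ChildItem) so a matching folder is reported as itself, not expanded into its contents
        foreach ($hit in Get-Item -Path (Join-Path $userDir.FullName $a.Path) -Force -ErrorAction SilentlyContinue) {
            [pscustomobject]@{
                User     = $userDir.Name
                Browser  = $a.Browser
                Kind     = $a.Kind
                Path     = $hit.FullName
                Modified = $hit.LastWriteTimeUtc   # last write to the artifact, not the last time the user browsed
            }
        }
    }
}
$found | Sort-Object User, Browser, Kind | Format-Table -AutoSize

function ConvertFrom-ChromeTime {
    # Chrome/WebKit time: microseconds since 1601-01-01 UTC (visits.visit_time, downloads.start_time)
    param([long]$Microseconds)
    [datetime]::new(1601, 1, 1, 0, 0, 0, [DateTimeKind]::Utc).AddTicks($Microseconds * 10)
}
function ConvertFrom-FirefoxTime {
    # Firefox PRTime: microseconds since 1970-01-01 UTC (moz_places.last_visit_date, moz_cookies.creationTime)
    param([long]$Microseconds)
    [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc).AddTicks($Microseconds * 10)
}
# Constructed sample values, the kind of number you will see in those columns
ConvertFrom-ChromeTime  13200000000000000
ConvertFrom-FirefoxTime 1556000000000000
```

Reading the SQLite databases themselves needs a SQLite driver, which PowerShell does not ship with; copy the files out first, since a running browser keeps them locked and their journal/WAL files must travel with them.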
Open/Save Most Recently Used History
• Open/Save MRU (Most Recently Used) – files opened or saved through the common Windows Open/Save dialog, tracked per file extension
• NTUSER.DAT Registry Hive
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU (Windows 7 and later; OpenSaveMRU on XP)

File Download – Downloads
• IE10-11 – %UserProfile%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
• Firefox – %UserProfile%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\downloads.sqlite (older versions; current versions keep downloads in places.sqlite, moz_annos table)
• Chrome – the downloads table in %UserProfile%\AppData\Local\Google\Chrome\User Data\Default\History
• Also check the user's Downloads folder and the Zone.Identifier alternate data stream (Mark of the Web) on any file of interest: it records that the file came from the internet and, on Windows 10, the source URL
File and/or Folder Opening
• Open/Save MRU (see above)
• Recent Files
• NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
• Shell Bags – every folder the user browsed in Explorer, including folders on removable media and network shares that are no longer attached
• Explorer Access
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
• Desktop Access
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
• LNK Files – Windows creates a shortcut for each file a user opens; it stores the target's path, size, MAC times and the volume serial number, and survives after the target is deleted
• %UserProfile%\AppData\Roaming\Microsoft\Windows\Recent
• %UserProfile%\AppData\Roaming\Microsoft\Office\Recent
• Jump Lists – per-application recent item lists, named by AppID
• %UserProfile%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
• %UserProfile%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
• Prefetch – one EXENAME-HASH.pf file per executable, listing the files and directories it touched in its first seconds
• C:\Windows\Prefetch
Program Execution
• UserAssist – programs launched through the GUI, with run count and last run time; value names are ROT13-encoded
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
• Last-Visited MRU / Run MRU – applications that used the Open/Save dialog, and commands typed into Start > Run
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
• AppCompatCache (ShimCache) – executables the OS has seen; each entry holds the path, size and the file's last modified time, not an execution time, and the cache is only written to the hive at shutdown. On Windows 10 presence alone does not prove execution.
• SYSTEM Registry Hive
SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
• Amcache – path, SHA-1 and compile time of executables
• C:\Windows\AppCompat\Programs\Amcache.hve
• Jump Lists
• Prefetch – run count and (Windows 8 and later) the last eight run times; off by default on Windows Server
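UserAssist decoded, added here as an example and not part of the original deck. The value names are ROT13 and the binary data (72 bytes on Windows 7 and later) holds the run count at offset 4 and the last execution FILETIME at offset 60; this script walks the {GUID}\Count keys, decodes both, and lists programs by last run. It reads the live HKCU hive for simplicity; the reg load step in the comment, and the case path in it, are assumptions for working from an offline NTUSER.DAT.

```powershell
# Added example, not from the deck: decode UserAssist run counts and last-run times.
# Live hive shown. For an offline NTUSER.DAT from the image, load it first (assumed path):
#   reg load HKU\case E:\Users\<name>\NTUSER.DAT
# and point $Base at Registry::HKEY_USERS\case\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
$Base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'

function ConvertFrom-Rot13 {
    param([string]$Text)
    $chars = foreach ($c in $Text.ToCharArray()) {
        $i = [int]$c
        if     ($i -ge 65 -and $i -le 90)  { [char](65 + (($i - 65 + 13) % 26)) }   # A-Z
        elseif ($i -ge 97 -and $i -le 122) { [char](97 + (($i - 97 + 13) % 26)) }   # a-z
        else                               { $c }                                    # digits, {GUID}, \ and . pass through
    }
    -join $chars
}

function Get-UserAssist {
    param([string]$UserAssistKey)
    # Value data layout (Windows 7+, 72 bytes): run count DWORD at 4, focus count at 8,
    # focus time (ms) at 12, last execution FILETIME at 60.
    foreach ($guidKey in Get-ChildItem -Path $UserAssistKey -ErrorAction SilentlyContinue) {
        $count = $guidKey.OpenSubKey('Count')
        if (-not $count) { continue }
        foreach ($name in $count.GetValueNames()) {
            $data = $count.GetValue($name)
            if ($data -isnot [byte[]] -or $data.Length -lt 68) { continue }   # skips UEME_CTLSESSION and short entries
            $runs = [BitConverter]::ToUInt32($data, 4)
            $ft   = [BitConverter]::ToInt64($data, 60)
            $last = $null
            if ($ft -gt 0) { $last = [datetime]::FromFileTimeUtc($ft) }
            [pscustomobject]@{
                Guid     = $guidKey.PSChildName   # {CEBFF5CD-...} = executables, {F4E57C4B-...} = shortcuts (.lnk)
                Program  = ConvertFrom-Rot13 $name  # known-folder GUIDs stay in the decoded path, e.g. {7C5A40EF-...}\...
                RunCount = $runs
                LastRun  = $last
            }
        }
    }
}

Get-UserAssist -UserAssistKey $Base |
    Where-Object { $_.LastRun } |
    Sort-Object LastRun -Descending |
    Format-Table LastRun, RunCount, Program -AutoSize
```

Only programs started through Explorer (double-click, Start menu, shortcuts) appear here; anything launched from a console, a service or a scheduled task will not, which is exactly why Prefetch, Amcache and the event logs are checked alongside it.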
Deleted Files
• $Recycle.bin folder
• %ROOT%\$Recycle.bin\<user SID>\ – one subfolder per user, so each deletion is attributable to an account
• $I<random> files hold the original path, size and deletion time; the matching $R<random> files hold the content
USB Devices
• USBStor
SYSTEM\CurrentControlSet\Enum\USBSTOR – vendor, product, revision and serial number of every USB storage device ever connected (if the second character of the serial is &, Windows generated it because the device has none)
SYSTEM\CurrentControlSet\Enum\USB – VID/PID of all USB devices, not just storage
SOFTWARE\Microsoft\Windows Portable Devices\Devices and SYSTEM\MountedDevices tie the device to its volume name and drive letter
• PnP Events
• SYSTEM Event Log
• Event ID 20001 – Plug and Play driver install attempted (first connection of the device)
• SECURITY Event ID 6416 – a new external device was recognized (needs Plug and Play auditing enabled)
• setupapi.dev.log – first install time of the device, recorded in the machine's local time
• LNK Files – shortcuts whose target sits on the device record its volume serial and the files that were opened from it
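The USB slide as code, added here as an example and not part of the original deck: one function pulls the first-connection time of each USBSTOR device out of setupapi.dev.log, the other enumerates the USBSTOR key for device identity and friendly name. The log excerpt embedded below is constructed for this snippet (a real log lives at Windows\inf\setupapi.dev.log); the registry function reads the live SYSTEM hive, and the reg load path in its comment is an assumption.

```powershell
# Added example, not from the deck: reconstruct USB storage history from setupapi.dev.log
# (first-connect time) and the USBSTOR registry key (device identity).

# Constructed sample of setupapi.dev.log. Each driver install is a block whose header names
# the device instance and whose next line carries the local-time timestamp.
$SetupApiSample = @'
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230627104455&0]
>>>  Section start 2019/05/20 09:14:31.457
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2019/05/20 09:14:33.102
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00#4C530001230627104455&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}]
>>>  Section start 2019/05/20 09:14:33.250
<<<  Section end 2019/05/20 09:14:33.910
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0019E06B2F3CBE2128D0128A&0]
>>>  Section start 2019/06/02 22:41:08.003
<<<  Section end 2019/06/02 22:41:09.788
'@

function Get-UsbFirstInstall {
    param([string[]]$Lines)
    # Pair each USBSTOR device-install header with the "Section start" line that follows it
    $pending = $null
    foreach ($line in $Lines) {
        if ($line -match '^>>>\s+\[Device Install \(Hardware initiated\) - USBSTOR\\(?<id>[^\]]+)\]') {
            $pending = $Matches.id
        }
        elseif ($pending -and $line -match '^>>>\s+Section start (?<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})') {
            $device, $serial = $pending -split '\\', 2
            [pscustomobject]@{
                FirstInstall = [datetime]::ParseExact($Matches.ts, 'yyyy/MM/dd HH:mm:ss.fff',
                                                      [Globalization.CultureInfo]::InvariantCulture)   # local time, not UTC
                Device       = $device                       # Disk&Ven_...&Prod_...&Rev_...
                Serial       = $serial -replace '&0$', ''    # strip the instance suffix Windows appends
            }
            $pending = $null
        }
    }
}

function Get-UsbStorDevices {
    # Live SYSTEM hive; for an offline hive, reg load it and pass the mounted path as -Root (assumed)
    param([string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR')
    foreach ($dev in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        foreach ($inst in Get-ChildItem -Path $dev.PSPath) {
            $p = Get-ItemProperty -Path $inst.PSPath
            [pscustomobject]@{
                Device       = $dev.PSChildName
                Serial       = $inst.PSChildName -replace '&0$', ''
                # second character & means Windows generated the id because the device has no serial
                Generated    = ($inst.PSChildName.Length -gt 1 -and $inst.PSChildName[1] -eq '&')
                FriendlyName = $p.FriendlyName
                # Last arrival/removal times live under Properties\{83da6326-...}\0066 and 0067, a key
                # only SYSTEM can read by default, so they are left out here
            }
        }
    }
}

Get-UsbFirstInstall -Lines ($SetupApiSample -split "`r?`n") | Format-Table -AutoSize
Get-UsbStorDevices | Format-Table -AutoSize
```

Join the two outputs on the serial number: setupapi.dev.log gives the first time the stick was ever seen, the registry gives what it was, and the LNK files and shell bags show what was opened from it.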
Services & Tasks
• Services
• Event Logs
SYSTEM Event Log – Event IDs 7034 (service crashed), 7035 (start/stop control sent), 7036 (entered running/stopped state), 7040 (start type changed), 7045 (a new service was installed: name, image path, start type and account)
SECURITY Event Log – Event ID 4697 (service installed; needs the matching audit policy)
• Registry
SYSTEM\CurrentControlSet\Services – ImagePath (and Parameters\ServiceDll for svchost-hosted services), Start type, ObjectName (the account it runs as)
• Scheduled Tasks
• Event Logs
SECURITY Event Log – Event IDs 4698 (task created), 4699 (deleted), 4700/4701 (enabled/disabled), 4702 (updated)
Microsoft-Windows-TaskScheduler/Operational – 106 (task registered), 140 (updated), 141 (deleted), 200/201 (action started/completed)
• Task .xml Config Files – author, creation date, account, run level and the full command line
%ROOT%\Windows\System32\Tasks
• .job Files – %ROOT%\Windows\Tasks, for tasks created through the legacy at.exe / Task Scheduler 1.0 interface
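A persistence triage over the three sources on this slide, added here as an example and not part of the original deck: it parses every task XML under the Tasks folder for its command line, account and run level, lists service ImagePath/ServiceDll values from the Services key, flags anything matching a list of patterns that are rarely legitimate, and pulls 7045 service-install events from the exported System.evtx. The case paths are assumptions, and the services function reads the live hive unless pointed at a loaded offline one.

```powershell
# Added example, not from the deck: triage scheduled tasks, service definitions and
# service-install events for persistence. Paths are assumptions.
$TasksDir  = 'C:\Cases\CASE001\collect\Windows\System32\Tasks'
$SystemLog = 'C:\Cases\CASE001\collect\Windows\System32\winevt\Logs\System.evtx'

function Get-TaskSummary {
    param([string]$Dir)
    # Task files are UTF-16 XML with no extension, in folders that mirror the Task Scheduler tree.
    # PowerShell's XML adapter ignores the task namespace, so plain dotted access works.
    foreach ($f in Get-ChildItem -LiteralPath $Dir -Recurse -File) {
        try { $x = [xml](Get-Content -LiteralPath $f.FullName -Raw) } catch { continue }
        $t = $x.Task
        foreach ($exec in $t.Actions.Exec) {
            [pscustomobject]@{
                Task      = $f.FullName.Substring($Dir.Length)
                Author    = $t.RegistrationInfo.Author
                Created   = $t.RegistrationInfo.Date
                RunAs     = $t.Principals.Principal.UserId
                RunLevel  = $t.Principals.Principal.RunLevel   # HighestAvailable = runs elevated
                Hidden    = $t.Settings.Hidden
                Command   = $exec.Command
                Arguments = $exec.Arguments
            }
        }
    }
}

# Rarely legitimate in a task or service: script hosts, LOLBins, temp/profile paths, encoded PowerShell
$Suspicious = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|\\Temp\\|\\AppData\\|\\Users\\Public\\|-enc|FromBase64'

$tasks = Get-TaskSummary -Dir $TasksDir
"== Scheduled tasks worth a look =="
$tasks | Where-Object { ("$($_.Command) $($_.Arguments)" -match $Suspicious) -or $_.Hidden -eq 'true' } |
    Format-Table Created, Task, RunAs, RunLevel, Command, Arguments -AutoSize -Wrap

function Get-ServiceImages {
    # Live hive shown; for an offline SYSTEM hive, reg load it and pass the mounted path as -Root (assumed)
    param([string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services')
    foreach ($svc in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $svc.PSPath
        if (-not $p.ImagePath) { continue }
        [pscustomobject]@{
            Name       = $svc.PSChildName
            Start      = $p.Start              # 2 = auto, 3 = manual, 4 = disabled
            Account    = $p.ObjectName
            ImagePath  = $p.ImagePath
            # svchost-hosted services keep the real code in Parameters\ServiceDll
            ServiceDll = (Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        }
    }
}
"== Services worth a look =="
Get-ServiceImages | Where-Object { $_.ImagePath -match $Suspicious -or $_.ServiceDll -match $Suspicious } |
    Format-Table -AutoSize -Wrap

# 7045 = "A service was installed in the system": who installed what, and what it runs
if (Test-Path -LiteralPath $SystemLog) {
    "== Service installs (7045) =="
    Get-WinEvent -FilterHashtable @{ Path = $SystemLog; Id = 7045 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Service = ($d | Where-Object Name -eq 'ServiceName').'#text'
                Image   = ($d | Where-Object Name -eq 'ImagePath').'#text'
                Account = ($d | Where-Object Name -eq 'AccountName').'#text'
            }
        } | Sort-Object Time | Format-Table -AutoSize -Wrap
}
```

The pattern list is a starting point, not a verdict: a 7045 for a service whose ImagePath is a randomly named executable in %SystemRoot% is the classic PsExec/remote-service-execution trace, and the task creation date in RegistrationInfo is attacker-controllable, so confirm it against the 4698 / 106 events.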


Evidence of PowerShell Code Execution
• Event Logs
• Microsoft-Windows-PowerShell/Operational
Event ID 4104 – Script Block Logging: the code that actually ran, one event per block; long scripts are split across several events that share a ScriptBlockId. Obfuscated code is logged again as each layer is decoded and invoked, so the de-obfuscated layers are in here too. Even with script block logging turned off, PowerShell 5 writes blocks that match its built-in suspicious-content list at Warning level.
Event ID 4103 – Module Logging: pipeline execution details, including parameter values
Event IDs 4105/4106 – script block execution start/stop (noisy, rarely useful on their own)
• Windows PowerShell (the classic log) – Event IDs 400/403 (engine start/stop, with the host application and its command line) and 800 (pipeline execution)
• Console history – %UserProfile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt holds commands typed interactively (Windows 10 / PowerShell 5 and later)
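Working the 4104 events, added here as an example and not part of the original deck: the script reads an exported PowerShell operational log (the path is an assumption), stitches multi-part script blocks back together in MessageNumber order, lists the blocks PowerShell itself flagged at Warning level, and decodes any -EncodedCommand payloads it finds in the block text.

```powershell
# Added example, not from the deck: reassemble 4104 script blocks from an exported
# PowerShell operational log, flag the suspicious ones and decode -EncodedCommand payloads.
$PsLog = 'C:\Cases\CASE001\collect\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx'

function Get-ScriptBlocks {
    param([string]$Evtx)
    $events = Get-WinEvent -FilterHashtable @{ Path = $Evtx; Id = 4104 } -ErrorAction SilentlyContinue
    $parts = foreach ($e in $events) {
        $d = @{}
        foreach ($x in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Level  = [int]$e.Level          # 3 = Warning (suspicious-content heuristic fired), 5 = Verbose (normal logging)
            Id     = $d.ScriptBlockId
            Number = [int]$d.MessageNumber
            Total  = [int]$d.MessageTotal
            Path   = $d.Path                # empty for code typed, piped in, or run through IEX
            Text   = $d.ScriptBlockText
        }
    }
    # A long script is logged as MessageTotal parts sharing one ScriptBlockId; stitch them in order
    foreach ($g in $parts | Group-Object Id) {
        $ordered = @($g.Group | Sort-Object Number)
        [pscustomobject]@{
            Time     = $ordered[0].Time
            Level    = $ordered[0].Level
            Id       = $g.Name
            Complete = ($ordered.Count -eq $ordered[0].Total)   # false if log rollover lost some parts
            Path     = $ordered[0].Path
            Text     = -join $ordered.Text
        }
    }
}

function Expand-EncodedCommand {
    # -EncodedCommand (also -enc, -ec, -e) takes base64 of UTF-16LE; decode each one found in the text
    param([string]$Text)
    foreach ($m in [regex]::Matches($Text, '(?i)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{20,})')) {
        try { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value)) } catch { }
    }
}

$blocks = Get-ScriptBlocks -Evtx $PsLog

"== Script blocks PowerShell itself flagged as suspicious =="
$blocks | Where-Object Level -eq 3 | Sort-Object Time | Format-List Time, Path, Complete, Text

"== Encoded commands, decoded =="
foreach ($b in $blocks) {
    foreach ($decoded in Expand-EncodedCommand $b.Text) {
        [pscustomobject]@{ Time = $b.Time; ScriptBlockId = $b.Id; Decoded = $decoded }
    }
}
```

Decoding one layer is usually not the end: the decoded command often is itself an Invoke-Expression of another encoded or compressed string, and that inner code shows up as its own 4104 event a few milliseconds later, which is why sorting the flagged blocks by time reads like the attacker's script unwrapping itself.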
Cool Example of Obfuscated Code
• This was found during an incident that was investigated this year. This is one of hundreds of script blocks that ran on several machines we investigated.
TIMELINES!
• $MFT Timeline – quick, and shows file activity on disk (parse the $MFT into a CSV with a tool such as MFTECmd and sort by timestamp; compare the $STANDARD_INFORMATION and $FILE_NAME times of a file to spot timestomping)
• Super TimeLine – long process, but shows all activity on a computer system, not just what happened on disk (with plaso, log2timeline.py builds the storage file from the image and psort.py narrows it to the time window of interest and writes the CSV)
Hints, Tips and Tricks
