DFIR

The document discusses the significance of Windows artifacts in investigating cybercrimes, detailing how these digital traces can provide crucial evidence of user activities and system events. It outlines various forensic artifacts such as the Windows Registry, Prefetch files, and Event Logs, explaining their roles in reconstructing timelines and understanding cybercriminal actions. The presentation emphasizes the importance of these artifacts in uncovering digital evidence and aiding forensic investigations.

Uploaded by try.parthjethva

Unveiling Digital Evidence: Investigating Cybercrimes through Windows Artifacts

By
Dr. Akash Thakar (C|EH, C|HFI, CEI)
Assistant Professor
Rashtriya Raksha University
akash.thakar@rru.ac.in
INTRODUCTION

Cybercrimes have become increasingly prevalent in today's digital age. These crimes encompass a wide range of malicious activities, including hacking, data breaches, identity theft, and more. The investigation of such crimes relies heavily on digital evidence, which can provide insights into the actions of cybercriminals. In this presentation, we will explore how Windows artifacts play a pivotal role in uncovering digital evidence and shed light on cybercrime investigations.

UNDERSTANDING WINDOWS ARTIFACTS

Windows artifacts refer to traces of user activities and system events that are left behind on a Windows operating system. These artifacts can be found in various locations within the system, such as the registry, event logs, and user profiles. They serve as a digital footprint, documenting actions like application usage, file access, logins, and more.

ROLE OF WINDOWS ARTIFACTS IN INVESTIGATION

Windows artifacts are invaluable in cybercrime investigations because they provide a timeline of events. By analyzing these artifacts, investigators can reconstruct the sequence of actions taken by the cybercriminal. This chronological view is crucial for understanding the progression of the crime, identifying entry points, and linking activities to specific individuals.

FORENSIC ARTIFACTS OF THE WINDOWS OPERATING SYSTEM
• Registry
• Prefetch
• Shellbags
• Volume Shadow Copy
• USB devices
• LNK files
• Jump lists
• Timestamp Analysis
• $MFT (Master File Table)
• Amcache
• Shimcache
• Windows Event Logs
WINDOWS REGISTRY
• The registry, or Windows registry, is a database of information, settings, options, and other values for the software and hardware installed on all versions of Microsoft Windows operating systems.

Registry root keys (hive names)

• When you first open the Windows Registry Editor, it displays the root keys that contain all registry values. Below is a brief description of each of the most common root keys and the values contained in each of them.

WINDOWS REGISTRY
Root Key – Description
• HKCR (HKEY_CLASSES_ROOT) – Describes file types, file extensions, and OLE (Object Linking and Embedding) information.
• HKCU (HKEY_CURRENT_USER) – Contains the user who is currently logged into Windows and their settings.
• HKLM (HKEY_LOCAL_MACHINE) – Contains computer-specific information about the hardware installed, software settings, and other information. This information is used for all users who log on to that computer. This key, and its subkeys, is one of the most frequently viewed and edited areas of the registry.
• HKU (HKEY_USERS) – Contains information about all the users who log on to the computer, including both generic and user-specific information.
• HKCC (HKEY_CURRENT_CONFIG) – The details about the current configuration of the hardware attached to the computer.
WINDOWS REGISTRY
• The registry is a giant database that contains information regarding operating system functions. It also stores programs and their settings.

• The registry itself is found in “c:\windows\system32\config”.

• DEFAULT, SAM, SECURITY, SOFTWARE and SYSTEM are the most common and important registry hives. All of these hives are found in the same location, “c:\windows\system32\config”. Windows also stores an automatic backup of these hives in the RegBack folder. In regedit, you will find these hives under HKLM (HKEY_LOCAL_MACHINE).

• In every user profile there is a file named “NTUSER.DAT”, which becomes HKCU (HKEY_CURRENT_USER) in the registry. It is located at C:\users\username\NTUSER.DAT (Note: you have to untick “Hide protected operating system files” in the folder view options to see it).
WINDOWS REGISTRY
• HKCU (ntuser.dat)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
  \RecentDocs – shows the most recently opened documents
  \RunMRU – shows the MRU (Most Recently Used) Run commands
  \TypedPaths – shows what was typed into the Explorer address bar
  \UserAssist – shows which programs were executed, how many times, and by which user

• “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
  The above key lists the startup programs that run when the computer boots up. They can also be seen in Task Manager.

• “HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR”

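As an added worked example (not part of the slides and not code from any tool named here), the Python below decodes UserAssist entries the way a registry parser does: each value name is the ROT13-encoded path of the executed program, often prefixed with a known-folder GUID, and on Windows 7 and later the 72-byte value stores the run count at offset 4, the focus count and focus time after it, and the last-execution FILETIME at offset 60. The registry values are constructed inside the script to mirror what a Count subkey holds; the known-folder table is the small subset the example needs.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Known-folder GUIDs that UserAssist substitutes for common path prefixes
# (subset sufficient for this example).
KNOWN_FOLDERS = {
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "%ProgramFiles(x86)%",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramFiles%",
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "%SystemRoot%",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means 'never'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist_name(rot13_name):
    """Undo the ROT13 obfuscation and expand a leading known-folder GUID."""
    name = codecs.decode(rot13_name, "rot13")
    for guid, folder in KNOWN_FOLDERS.items():
        if name.upper().startswith(guid):
            return folder + name[len(guid):]
    return name


def parse_userassist_value(raw):
    """Windows 7+ UserAssist value layout (72 bytes):
    offset 4: run count, 8: focus count, 12: focus time (ms), 60: last run FILETIME."""
    if len(raw) < 68:
        raise ValueError("UserAssist value too short for the Windows 7+ layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", raw, 4)
    last_run = struct.unpack_from("<Q", raw, 60)[0]
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_run": filetime_to_datetime(last_run),
    }


def parse_userassist_key(values):
    """values: {rot13 value name: raw bytes}, as read from one of the
    UserAssist\\{GUID}\\Count subkeys. Returns program entries newest-first."""
    entries = []
    for rot13_name, raw in values.items():
        path = decode_userassist_name(rot13_name)
        if path.startswith("UEME_"):
            continue  # housekeeping entries (e.g. UEME_CTLSESSION), not program runs
        entry = parse_userassist_value(raw)
        entry["path"] = path
        entries.append(entry)
    entries.sort(key=lambda e: e["last_run"] or FILETIME_EPOCH, reverse=True)
    return entries


# --- constructed sample data standing in for the contents of a Count subkey ---
def _make_value(run_count, focus_count, focus_ms, last_run):
    raw = bytearray(72)
    struct.pack_into("<III", raw, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", raw, 60, datetime_to_filetime(last_run) if last_run else 0)
    return bytes(raw)


SAMPLE_VALUES = {
    codecs.encode("{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Mozilla Firefox\\firefox.exe", "rot13"):
        _make_value(7, 3, 125_000, datetime(2023, 9, 14, 10, 15, 30, tzinfo=timezone.utc)),
    codecs.encode("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe", "rot13"):
        _make_value(2, 1, 4_000, datetime(2023, 9, 13, 22, 41, 9, tzinfo=timezone.utc)),
    codecs.encode("UEME_CTLSESSION", "rot13"): _make_value(0, 0, 0, None),
}

if __name__ == "__main__":
    for e in parse_userassist_key(SAMPLE_VALUES):
        print(f'{e["last_run"]}  runs={e["run_count"]:<3} {e["path"]}')
```

On a live system the same `values` dictionary comes from the Count subkeys under the UserAssist key in NTUSER.DAT; the decoded run count and last-run time are the two fields most often placed on an investigation timeline.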
PREFETCH
• Each time you run an application on your system, the Windows operating system creates a Prefetch file containing information about the files loaded by the application. The information in the Prefetch file is used to optimize the loading time of the application the next time you run it.

• Tool used for analysis: WinPrefetchView by NirSoft
SHELLBAGS
• Shellbags analysis is done with automated tools like ShellBags Explorer. Shellbags store data about the folder paths that were opened on the computer. In forensics this is important for identifying directories that are no longer available anywhere on the computer: the Shellbags show that at some point in time the directory existed on the computer, possibly on an external drive.

• Tool used for analysis: ShellBags Explorer
VOLUME SHADOW COPY
• Windows has included the Volume Shadow Copy Service in its releases since Windows XP.

• Volume Shadow Copy is a service that either manually or automatically creates backup copies of disk volumes. These backups are automatically created when Windows performs either a scheduled backup or a system restore point. This happens before Windows Updates are installed, or when Windows determines that it is time to create a new system restore point.

• Windows Shadow Volumes are important to digital forensics because they can provide additional data that otherwise would not be available. They can allow a forensic investigator to recover deleted files, and to learn what was taking place on a system before he/she began the investigation.

• Tool used for analysis: ShadowCopyView
USB DEVICES

LNK FILES
• The Windows Shortcut file has the extension .lnk. It is basically a metadata file, specific to the Microsoft Windows platform, that is interpreted by the Windows Shell.
• Details that can be found in LNK files are as follows:
  • Original path of the target file
  • Timestamps of the target file and of the link file (MAC)
  • Size of the target file
  • Attributes associated with the target file (read-only, hidden, system etc.)
  • System name, volume name, volume serial number and sometimes the MAC address of the system on which the link file is present
  • Whether the file resource is local or located on a remote system
• LNK files can be found at this path: “C:\Users\Akash\AppData\Roaming\Microsoft\Windows\Recent” (it shows recent items)

• LNK Explorer (LECmd.exe) is a command-line utility written by Eric Zimmerman used for parsing LNK files. To process a whole directory (-d), use this command: “LECmd.exe -d C:\users\Akash\AppData\Roaming\Microsoft\Windows\Recent -q --csv .\”
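The following Python parser is an added example (not from the slides and not LECmd's code) that reads the fields listed above directly from the .lnk structure: the ShellLinkHeader carries the target's creation, access and write FILETIMEs, its size and attributes, and the LinkInfo block carries the drive type, volume serial number, volume label and local base path, with its flags telling whether the target was local or on a remote share. The sample shortcut is constructed inside the script (path, label and serial number are made up); the TrackerDataBlock that holds the machine name and MAC address is not parsed here.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# ShellLinkHeader CLSID {00021401-0000-0000-C000-000000000046} in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_FMT = "<I16sIIQQQIIIHHII"            # 76-byte ShellLinkHeader
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x1, 0x2
FILE_ATTRIBUTES = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}
DRIVE_TYPES = {0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def _cstring(data, offset):
    end = data.index(b"\x00", offset)
    return data[offset:end].decode("cp1252")


def parse_lnk(data):
    """Parse the ShellLinkHeader and LinkInfo of a .lnk file (ExtraData blocks not handled)."""
    (hdr_size, clsid, flags, attrs, created, accessed, written,
     size, _icon, _show_cmd, _hotkey, *_reserved) = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    result = {
        "target_created": filetime_to_datetime(created),
        "target_accessed": filetime_to_datetime(accessed),
        "target_written": filetime_to_datetime(written),
        "target_size": size,
        "target_attributes": sorted(n for bit, n in FILE_ATTRIBUTES.items() if attrs & bit),
    }
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:            # skip the shell item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        (li_size, _li_hdr_size, li_flags, vol_off, base_off,
         _net_off, suffix_off) = struct.unpack_from("<7I", data, pos)
        result["target_is_local"] = bool(li_flags & 0x1)   # VolumeIDAndLocalBasePath
        result["target_is_remote"] = bool(li_flags & 0x2)  # CommonNetworkRelativeLink
        if li_flags & 0x1:
            vol = pos + vol_off
            _vol_size, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
            result["drive_type"] = DRIVE_TYPES.get(drive_type, str(drive_type))
            result["volume_serial"] = f"{serial:08X}"
            result["volume_label"] = _cstring(data, vol + label_off)
            result["target_path"] = _cstring(data, pos + base_off) + _cstring(data, pos + suffix_off)
        pos += li_size
    return result


def build_sample_lnk(target_path, label, serial, size, created, written, accessed, attrs=0x20):
    """Construct a minimal .lnk (header + LinkInfo) for a local target; sample data only."""
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, HAS_LINK_INFO, attrs,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(written), size, 0, 1, 0, 0, 0, 0)
    label_b = label.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label_b), 3, serial, 16) + label_b  # DRIVE_FIXED
    base_path = target_path.encode("cp1252") + b"\x00"
    suffix = b"\x00"
    vol_off = 28                                   # LinkInfoHeaderSize without unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    li_size = suffix_off + len(suffix)
    link_info = struct.pack("<7I", li_size, 28, 0x1, vol_off, base_off, 0, suffix_off)
    return header + link_info + volume_id + base_path + suffix


SAMPLE_LNK = build_sample_lnk(
    target_path=r"C:\Users\analyst\Documents\quarterly-report.docx",
    label="OSDisk", serial=0x1A2B3C4D, size=20480,
    created=datetime(2023, 5, 1, 9, 30, 0, tzinfo=timezone.utc),
    written=datetime(2023, 5, 3, 17, 12, 45, tzinfo=timezone.utc),
    accessed=datetime(2023, 5, 4, 8, 1, 2, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:18} {value}")
```

The volume serial number is what ties a shortcut to a specific drive: a .lnk whose serial does not match any volume on the imaged system points at media that was once attached, much as the slide describes for Shellbags.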
JUMP LISTS
• Jump Lists are a Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions. Whenever you right-click on the icon of a program shown in the taskbar, you will find its jump list.

• It will show you the recently opened files and the common tasks associated with that program.

• Jump lists will be found at this path: “C:\Users\Akash\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations” (the AutomaticDestinations folder is not visible in Windows Explorer; it can be reached from cmd).

• With jump list analysis you can get information like what was recently opened in the respective application. For example, which files have been opened in VLC media player can be found out using its jump list.

• JumpList Explorer is the tool used to parse these jump list files. This tool is available in both GUI and CLI versions. To use the CLI version, follow this command: “JLECmd.exe -f C:\Users\Akash\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\faef7def55a1d4b.automaticDestinations-ms (path of the file) --csv .\”

• Another tool, JumpListsView from NirSoft, can be used to see the jump list data.
Timestamp Analysis
• NTFS is the only file system that stores a record of the birth or creation time of a file. In Linux there is no birth or creation time; there C stands for a change in the metadata, not in the content.
• The timestamps of a file are stored in the $MFT file of the NTFS file system.
• In $MFT the timestamps are stored in the following manner:
  o M – Modified
  o A – Accessed
  o C – Creation (B)
  o E – Entry Date
• In $MFT, the timestamps of a file are stored in two different attributes. Whatever we see in the properties of a file in Windows Explorer or in CMD comes from $STANDARD_INFORMATION ($SI); another copy of the timestamps is stored under $FILE_NAME ($FN). $FN can only be modified by the Windows kernel.
• Timestomp.exe is a common anti-forensic tool for changing timestamps; it can give any timestamp to any file. The common thing in all such anti-forensic tools is that they change the entry in the $SI attribute.
• We can look at the prefetch files to see whether timestomp has been used. If you find such activity, you can use a tool (e.g. NirSoft WinPrefetchView) to parse that prefetch file to learn the run count and last run date of timestomp.
$MFT
• The master file table (MFT) is a database in which information about every file and directory on an NT File System (NTFS) volume is stored.

• Detailed information about a file or directory, such as the type, size, date/time of creation, date/time of most recent modification and author identity, is either stored in MFT entries or in space external to the MFT but described by the MFT entries.

• Tools used for analysis: MFT2CSV, MFTExplorer

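As an added example for the Timestamp Analysis and $MFT slides above (not code from the slides, MFT2CSV or MFTExplorer), the Python below parses the two timestamp-bearing attribute bodies of an MFT record, $STANDARD_INFORMATION and $FILE_NAME, and applies the two checks that follow from the slides: $SI values with no sub-second fraction, and $SI values that predate the kernel-maintained $FN copy. The attribute bodies are constructed inside the script (file name, record numbers and times are made up); a real investigation reads them from an exported $MFT.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TS_FIELDS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_standard_information(body):
    """$STANDARD_INFORMATION (type 0x10) body: four FILETIMEs at offset 0."""
    return dict(zip(TS_FIELDS, struct.unpack_from("<4Q", body, 0)))


def parse_file_name(body):
    """$FILE_NAME (type 0x30) body: parent reference, four FILETIMEs, sizes,
    flags, then the UTF-16LE name preceded by its length and namespace."""
    parent_ref = struct.unpack_from("<Q", body, 0)[0]
    ts = dict(zip(TS_FIELDS, struct.unpack_from("<4Q", body, 8)))
    name_len, namespace = struct.unpack_from("<BB", body, 64)
    ts["name"] = body[66:66 + 2 * name_len].decode("utf-16-le")
    ts["parent_record"] = parent_ref & 0xFFFFFFFFFFFF   # low 48 bits = MFT record number
    ts["namespace"] = namespace
    return ts


def detect_timestomping(si, fn):
    """Heuristics that follow from the slide: tools like timestomp rewrite $SI
    only, usually at whole-second granularity, while $FN is kernel-controlled."""
    findings = []
    for field in TS_FIELDS:
        if si[field] % 10_000_000 == 0:
            # genuine NTFS timestamps almost always carry a non-zero 100 ns fraction;
            # files copied from FAT volumes (2 s granularity) are a known benign cause
            findings.append(f"$SI {field} has zero sub-second precision")
        if si[field] < fn[field]:
            # $FN is copied from $SI at creation/rename, so $SI predating $FN is anomalous
            findings.append(f"$SI {field} ({filetime_to_datetime(si[field]).isoformat()}) "
                            f"predates $FN {field} ({filetime_to_datetime(fn[field]).isoformat()})")
    return findings


# --- constructed attribute bodies standing in for a real $MFT record ---
def build_si(ts):
    return struct.pack("<4Q", *(ts[f] for f in TS_FIELDS)) + bytes(40)   # pad remaining $SI fields


def build_fn(ts, name, parent_record=5):
    head = struct.pack("<Q4QQQIIBB", parent_record | (1 << 48), *(ts[f] for f in TS_FIELDS),
                       4096, 3270, 0x20, 0, len(name), 1)       # sizes, flags, reparse, len, ns
    return head + name.encode("utf-16-le")


_real = datetime(2023, 3, 10, 14, 22, 5, 123456, tzinfo=timezone.utc)   # made-up creation time
FN_TS = {f: datetime_to_filetime(_real) for f in TS_FIELDS}
# untouched file: $SI moved forward by later edits, still carrying sub-second fractions
SI_CLEAN = {
    "created": FN_TS["created"],
    "modified": datetime_to_filetime(_real + timedelta(days=2, seconds=31, microseconds=8877)),
    "mft_modified": datetime_to_filetime(_real + timedelta(days=2, seconds=31, microseconds=8877)),
    "accessed": datetime_to_filetime(_real + timedelta(days=3, microseconds=42)),
}
# stomped file: all four $SI values rewritten to an older, whole-second time
_stomped = datetime_to_filetime(datetime(2019, 1, 1, tzinfo=timezone.utc))
SI_STOMPED = {f: _stomped for f in TS_FIELDS}


def analyze(si_body, fn_body):
    return detect_timestomping(parse_standard_information(si_body), parse_file_name(fn_body))


if __name__ == "__main__":
    fn_body = build_fn(FN_TS, "quarterly-report.docx")
    for label, si in (("clean", SI_CLEAN), ("stomped", SI_STOMPED)):
        print(label, analyze(build_si(si), fn_body) or ["no indicators"])
```

Both checks are indicators, not proof: a legitimate rename updates $FN from $SI, and second-granularity timestamps do occur on files copied from FAT media, which is why the slide pairs the $MFT comparison with a search of the prefetch files for the tool itself.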
Figures: Original vs. Manipulated timestamps
Amcache
• Amcache and Shimcache can provide a timeline of which program was executed, and when it was first run and last modified.

• The Amcache.hve file is a registry hive file that stores information about executed applications.

• A common location for Amcache.hve is: %SystemRoot%\AppCompat\Programs\Amcache.hve

• Amcache.hve records the recent processes that were run and lists the paths of the files that were executed, which can then be used to find the executed program.

• It also records the program's SHA1, so it can be researched in databases like VirusTotal for easy identification.

• AmcacheParser.exe is a command-line tool to analyze the Amcache.hve file. To use this tool follow this command: “AmcacheParser.exe --csv .\ -f C:\Windows\appcompat\Programs\Amcache.hve”
Shimcache
• Shimcache, also known as AppCompatCache, is a component of the Application Compatibility Database, which was created by Microsoft (beginning in Windows XP) and is used by the operating system to identify application compatibility issues.

• AppCompatCache (also known as Shimcache) can be found at this location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility

• AppCompatCacheParser.exe is the command-line tool used to parse the AppCompatCache (Shimcache) artifact. The command to use AppCompatCacheParser.exe is “AppCompatCacheParser.exe --csv .\”. This registry key is only updated when the computer is shut down.

• In Volatility there is a plugin for parsing the Shimcache. To use it follow this command: “volatility -f memorydump.mem --profile=win10x64_12345 shimcachemem --output=csv --output-file=./shimcache.csv”
WINDOWS EVENT LOGS
▪ The logging mechanism built into Windows systems
▪ Logs from the operating system
▪ Logs from applications on the system
▪ Useful for troubleshooting problems
▪ Also useful for detecting security issues

▪ Errors
▪ Warnings
▪ Informational messages

MAJOR LOGS
▪ Application log
▪ Information about applications
▪ System
▪ System component events
▪ Driver issues, hardware issues…
▪ Security
▪ Resource use
▪ Logins/logoffs
▪ File access
▪ You will also find a lot under Applications and Services Logs

STRUCTURE OF A WINDOWS EVENT LOG
▪ Event Viewer

▪ Log Name
  ▪ Application, System, Security, etc.

▪ Event ID
  ▪ Unique number corresponding with the specific log type

▪ Log Level
  ▪ Information, Warning, Error

▪ Message
  ▪ This will vary quite a bit based on the content of the message

EVENT IDS OF INTEREST
Event ID – Description
▪ 4624 An account was successfully logged on. (See Logon Type Codes)
▪ 4625 An account failed to log on.
▪ 4634 An account was logged off.
▪ 4647 User initiated logoff. (In place of 4634 for Interactive and RemoteInteractive logons)
▪ 4648 A logon was attempted using explicit credentials. (RunAs)
▪ 4672 Special privileges assigned to new logon. (Admin login)
▪ 4776 The domain controller attempted to validate the credentials for an account. (DC)
▪ 4768 A Kerberos authentication ticket (TGT) was requested.
▪ 4769 A Kerberos service ticket was requested.
▪ 4771 Kerberos pre-authentication failed.
▪ 4720 A user account was created.
▪ 4722 A user account was enabled.
▪ 4688 A new process has been created. (If audited; some Windows processes logged by default)
▪ 4698 A scheduled task was created. (If audited)
▪ 4798 A user's local group membership was enumerated.
▪ 4799 A security-enabled local group membership was enumerated.
▪ 5140 A network share object was accessed.
▪ 5145 A network share object was checked to see whether client can be granted desired access.
▪ 1102 The audit log was cleared. (Security)
LOGON TYPE CODES
Type – Description
▪ 2 Console
▪ 3 Network
▪ 4 Batch (Scheduled Tasks)
▪ 5 Windows Services
▪ 7 Screen Lock/Unlock
▪ 8 Network (Cleartext Logon)
▪ 9 Alternate Credentials Specified (RunAs)
▪ 10 Remote Interactive (RDP)
▪ 11 Cached Credentials (e.g., Offline DC)
▪ 12 Cached Remote Interactive (RDP, similar to Type 10)
▪ 13 Cached Unlock (Similar to Type 7)

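An added example (not from the slides) showing how the Event IDs and logon type codes above are used in practice: a small Python triage that flattens Security events from their XML form, then flags an account that logs on (4624) after repeated failures (4625) from the same source, Type 10 RDP logons, and clearing of the audit log (1102). The events are constructed inside the script in the Event Viewer XML layout; account names and addresses are made up, and the failure threshold is a parameter to tune for the environment.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Logon type codes as listed on the slide
LOGON_TYPES = {
    2: "Console", 3: "Network", 4: "Batch (Scheduled Tasks)", 5: "Windows Services",
    7: "Screen Lock/Unlock", 8: "Network (Cleartext Logon)",
    9: "Alternate Credentials Specified (RunAs)", 10: "Remote Interactive (RDP)",
    11: "Cached Credentials", 12: "Cached Remote Interactive", 13: "Cached Unlock",
}


def parse_event(xml_text):
    """Flatten one Windows event (the XML shown in Event Viewer's Details view)
    into a dict: System fields plus every EventData/UserData value."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{{{NS}}}System")
    ev = {
        "event_id": int(system.find(f"{{{NS}}}EventID").text),
        "channel": system.find(f"{{{NS}}}Channel").text,
        "time": datetime.fromisoformat(
            system.find(f"{{{NS}}}TimeCreated").get("SystemTime").replace("Z", "+00:00")),
    }
    for d in root.iter(f"{{{NS}}}Data"):            # EventData/Data Name="..."
        ev[d.get("Name")] = d.text
    user_data = root.find(f"{{{NS}}}UserData")      # e.g. 1102 LogFileCleared
    if user_data is not None:
        for node in user_data.iter():
            if len(node) == 0 and node.text:
                ev[node.tag.split("}")[-1]] = node.text
    return ev


def triage(events, fail_threshold=3):
    """Walk the events in time order and raise the indicators the slides list:
    failures followed by a success, RDP logons, and audit-log clearing."""
    findings = []
    failures = defaultdict(int)                     # (account, source ip) -> 4625 count
    for e in sorted(events, key=lambda ev: ev["time"]):
        key = (e.get("TargetUserName"), e.get("IpAddress"))
        if e["event_id"] == 4625:
            failures[key] += 1
        elif e["event_id"] == 4624:
            logon_type = int(e.get("LogonType", 0))
            if failures[key] >= fail_threshold:
                findings.append(("password_guessing",
                                 f"{key[0]} logged on from {key[1]} after {failures[key]} failures"))
            if logon_type == 10:
                findings.append(("rdp_logon", f"{key[0]} from {key[1]} ({LOGON_TYPES[logon_type]})"))
        elif e["event_id"] == 1102:
            findings.append(("audit_cleared",
                             f"Security log cleared by {e.get('SubjectUserName')} at {e['time'].isoformat()}"))
    return findings


# --- constructed sample events in Windows event XML shape (names/addresses made up) ---
def _event(event_id, time, data=None, user_data=""):
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in (data or {}).items())
    return (f'<Event xmlns="{NS}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Channel>Security</Channel></System>'
            f'<EventData>{fields}</EventData>{user_data}</Event>')


_guess = {"TargetUserName": "jsmith", "IpAddress": "10.0.0.55", "LogonType": "10"}
SAMPLE_EVENTS = [
    _event(4625, "2023-09-14T08:00:01.000Z", _guess),
    _event(4625, "2023-09-14T08:00:03.000Z", _guess),
    _event(4625, "2023-09-14T08:00:05.000Z", _guess),
    _event(4624, "2023-09-14T08:00:09.000Z", _guess),
    _event(4624, "2023-09-14T08:05:00.000Z",
           {"TargetUserName": "svc_backup", "IpAddress": "-", "LogonType": "5"}),
    _event(1102, "2023-09-14T08:10:00.000Z", user_data=(
        '<UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">'
        '<SubjectUserName>jsmith</SubjectUserName><SubjectDomainName>CORP</SubjectDomainName>'
        '</LogFileCleared></UserData>')),
]


def run_sample():
    return triage([parse_event(x) for x in SAMPLE_EVENTS])


if __name__ == "__main__":
    for kind, detail in run_sample():
        print(f"{kind:18} {detail}")
```

The same `parse_event` works on the XML that `Get-WinEvent` or Event Viewer exports, so the triage can be pointed at a saved .evtx export once the constructed list is replaced with real records.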
MICROSOFT-WINDOWS-TASK SCHEDULER / OPERATIONAL

Event ID – Description
▪ 106 The user x registered the Task Scheduler task y. (New Scheduled Task)
▪ 141 User x deleted Task Scheduler task y.
▪ 100 Task Scheduler started the x instance of the y task for user z.
▪ 102 Task Scheduler successfully finished the x instance of the y task for user z.

MICROSOFT-WINDOWS-TASK SCHEDULER / OPERATIONAL
Event ID – Description
▪ 1116 The antimalware platform detected malware or other potentially unwanted software.
▪ 1117 The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
MICROSOFT-WINDOWS-TERMINAL SERVICES LOCAL SESSION MANAGER / OPERATIONAL
Event ID – Description
▪ 21 Remote Desktop Services: Session logon succeeded:
▪ 22 Remote Desktop Services: Shell start notification received:
▪ 23 Remote Desktop Services: Session logoff succeeded:
▪ 24 Remote Desktop Services: Session has been disconnected:
▪ 25 Remote Desktop Services: Session reconnection succeeded:

MICROSOFT-WINDOWS-REMOTE CONNECTION MANAGER / OPERATIONAL
Event ID – Description
▪ 1149* Remote Desktop Services: User authentication succeeded:
*This is BEFORE user authentication and does NOT indicate successful authentication; only a successful NETWORK connection.

SOME MORE EVENT LOGS OF INTEREST
▪ 4688/592 (Security) – New process executed
  ▪ Malware or malicious software running, or a malicious actor running things
  ▪ Not every new process is bad!!
  ▪ Nmap.exe, ssh.exe, psexec.exe, psexecsvc.exe, ping.exe, powershell.exe, etc.

▪ 4624/528/540 (Security) – Account logged in
  ▪ Attacker logged in
  ▪ But not all logins are attackers!
  ▪ 4625 – Failed logon attempt

▪ 5140/560 (Security) – A share was accessed
  ▪ Accessing another computer
  ▪ Lateral movement

SOME MORE EVENT LOGS OF INTEREST

▪ 5156 (Security) – Windows Firewall network connection by process
  ▪ See a process making a connection
  ▪ Command and control maybe?

▪ 7045/601 (System) – New service installed
  ▪ New services generally should only be installed during patches and new software installation
  ▪ Change management procedures – helps anomalies stand out

▪ 4663/567 (Security) – File and Registry auditing
  ▪ Modifications to the system
  ▪ Files added
  ▪ Must enable file auditing

SOME ADDITIONAL LOGS
▪ 4720 (Security) – A user account was created
  ▪ Attackers could create themselves an account as a backdoor
  ▪ Should be fairly easy to deconflict with the admin team
▪ 4732/4728 (Security) – A member was added to a group
  ▪ Attackers could add their account to a higher privileged group
  ▪ Should be fairly easy to deconflict with the admin team

SYSMON
▪ Monitors and logs system activities to the Windows Event Log
▪ Free!
▪ A part of the Sysinternals Suite
▪ Created by Mark Russinovich
▪ Windows service and driver

▪ Monitoring + logging only – no analysis
  ▪ Up to you + another tool to do that

SYSMON EVENT IDS
▪ 1 – Process creation
▪ 2 – A process changed a file creation time
▪ 3 – Network connection
▪ 4 – Sysmon service state changed (sysmon was started or stopped)
▪ 5 – Process terminated
▪ 6 – Driver loaded
▪ 7 – Image loaded (module is loaded in a process)
▪ 11 – FileCreate
▪ 12 – Registry Event (Create and Delete)
Full list here: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

INSTALLING SYSMON
▪ Default settings…
  ▪ process images hashed with sha1 and no network monitoring
  ▪ Will for sure want to modify this

▪ Sysmon.exe -accepteula -i
  ▪ Must install as an admin, since you are installing a service

DEFAULT CONFIGURATION
▪ Sysmon.exe -c
  ▪ Gets the current configuration
  ▪ Not a whole lot there…

FILTERING
▪ We can configure Sysmon to
  ▪ Only show us certain events (include)
  ▪ Filter out certain events (exclude)
▪ Do I care to see every smss.exe event?
  ▪ Is it malicious?
  ▪ Probably not…
  ▪ But make sure you only filter out the OFFICIAL path/executable!
  ▪ Session Manager Subsystem – it’s normal.
▪ XML configuration file
  ▪ Include events that match…
  ▪ Exclude events that match…

SAMPLE CONFIGURATION FILE
▪ Network
  ▪ Only connections on ports 80 and 443 not from Internet Explorer

▪ Drivers
  ▪ Exclude “Microsoft”
  ▪ Exclude “windows”
▪ No process termination events

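To make the include/exclude semantics of the two slides above concrete, here is an added example (not a configuration from the slides or from the Sysmon project) that writes the sample policy as a Sysmon XML configuration and evaluates constructed events against a simplified Python model of Sysmon's rule matching: an include block passes only matching events (an empty include block passes none, which is how process-termination events are switched off), and any exclude match drops the event. The matcher covers the common rule conditions only and is not Sysmon's own code; event types the configuration does not mention are passed through unchanged.

```python
import xml.etree.ElementTree as ET

# Constructed Sysmon configuration following the slide: web ports only, not from
# Internet Explorer; exclude Microsoft/Windows drivers; no process-termination events.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="web ports" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort condition="is">80</DestinationPort>
        <DestinationPort condition="is">443</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="browser noise" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Image condition="end with">\\iexplore.exe</Image>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="signed drivers" groupRelation="or">
      <DriverLoad onmatch="exclude">
        <Signature condition="contains">Microsoft</Signature>
        <Signature condition="contains">Windows</Signature>
      </DriverLoad>
    </RuleGroup>
    <RuleGroup name="no process terminate" groupRelation="or">
      <ProcessTerminate onmatch="include"/>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""


def condition_matches(condition, rule_value, field_value):
    """Subset of Sysmon's rule conditions; matching is case-insensitive as in Sysmon."""
    actual, wanted = field_value.lower(), rule_value.lower()
    if condition == "is":
        return actual == wanted
    if condition == "is not":
        return actual != wanted
    if condition == "contains":
        return wanted in actual
    if condition == "excludes":
        return wanted not in actual
    if condition == "begin with":
        return actual.startswith(wanted)
    if condition == "end with":
        return actual.endswith(wanted)
    if condition == "image":                      # full path or bare file name
        return actual == wanted or actual.endswith("\\" + wanted)
    raise ValueError(f"condition not modelled: {condition}")


def load_filters(config_xml):
    """event type -> {'include': [rules] or None, 'exclude': [rules]};
    a rule is (field, condition, value). Rules inside a block are OR'ed."""
    filters = {}
    for node in ET.fromstring(config_xml).find("EventFiltering").iter():
        onmatch = node.get("onmatch")
        if onmatch not in ("include", "exclude"):
            continue                              # RuleGroup wrappers and the rule leaves
        entry = filters.setdefault(node.tag, {"include": None, "exclude": []})
        rules = [(r.tag, r.get("condition", "is"), (r.text or "").strip()) for r in node]
        if onmatch == "include":
            entry["include"] = (entry["include"] or []) + rules
        else:
            entry["exclude"].extend(rules)
    return filters


def is_logged(filters, event_type, event):
    """Model of the decision: an include block (even an empty one) only passes
    matching events; any exclude match drops the event and takes precedence."""
    spec = filters.get(event_type)
    if spec is None:
        return True                               # not in the config: left to Sysmon's defaults

    def hit(rules):
        return any(condition_matches(c, v, event.get(field, "")) for field, c, v in rules)

    if spec["include"] is not None and not hit(spec["include"]):
        return False
    return not hit(spec["exclude"])


FILTERS = load_filters(SAMPLE_CONFIG)

# constructed events: (Sysmon event type, fields as they appear in the event)
SAMPLE_EVENTS = [
    ("NetworkConnect", {"Image": r"C:\Windows\System32\curl.exe", "DestinationPort": "443"}),
    ("NetworkConnect", {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe", "DestinationPort": "443"}),
    ("NetworkConnect", {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "DestinationPort": "4444"}),
    ("DriverLoad", {"Signature": "Microsoft Windows"}),
    ("DriverLoad", {"Signature": "Contoso Ltd"}),
    ("ProcessTerminate", {"Image": r"C:\Windows\System32\notepad.exe"}),
    ("ProcessCreate", {"Image": r"C:\Windows\System32\cmd.exe"}),
]


def evaluate(events=SAMPLE_EVENTS, filters=FILTERS):
    return [is_logged(filters, etype, fields) for etype, fields in events]


if __name__ == "__main__":
    for (etype, fields), logged in zip(SAMPLE_EVENTS, evaluate()):
        print(f"{'LOG ' if logged else 'DROP'} {etype:16} {fields}")
```

The third event shows the cost of an include-only network rule: a connection to port 4444 is never written, which is exactly the trade-off the next slides warn about when they say not to exclude things that could be malicious.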
FILTERING DOESN’T SOUND FUN…
▪ How about a place to start?!?

▪ SwiftOnSecurity Sysmon Configuration
  ▪ https://github.com/SwiftOnSecurity/sysmon-config
  ▪ A good baseline to begin from
  ▪ 800+ lines
  ▪ It’s long
  ▪ But it’s good
  ▪ Tweak for your own organization

TWEAKING THE CONFIG
▪ Logging EVERYTHING will get noisy
  ▪ Think tons of events on thousands of computers in a large organization
  ▪ Too much data to deal with
▪ Don’t want to exclude things that could be malicious
▪ Please – read through the sample config if you start there
  ▪ Make sure you understand what you’re doing
  ▪ Make sure you agree with what it’s doing
▪ Put it in play and see what happens
  ▪ Some legitimate process making tons of logs on your network? Exclude it.
  ▪ Afraid you’re not getting a full enough picture of something? Include it.

CONCLUSION
Windows artifacts play a crucial role in unveiling digital evidence in cybercrime investigations. Their ability to provide a clear timeline of events and user actions aids in understanding the nature of cybercrimes and identifying the responsible parties. As the digital landscape continues to evolve, embracing new challenges and technologies is essential for effective cybercrime investigation.

ANY QUESTIONS???
