Eric Zimmerman's tools (Eric Zimmerman's GitHub)
When logs or files are deleted we can try to get them back with Autopsy or EaseUS Data Recovery.
EZViewer.exe = is a tool developed by SANS Institute that allows users to view various file formats, including .doc, .docx, .xls, .xlsx, .txt, .log, .rtf, .htm, .html, .mht, .csv, and .pdf. It's designed as a standalone, zero-dependency viewer, making it useful for forensic analysis and quick file inspections.
All .csv files created by the commands below can be opened with EZViewer.
MFTECmd.exe = used to explore $MFT files. It is available in both command line and GUI versions.
$Boot = system file in NTFS that contains the essential boot sector information: the volume's size, cluster size, and the location of the Master File Table (MFT).
EXP: MFTECmd.exe -f <path-to-$MFT-file> --csv "c:\<user>\Desktop\Output"
Windows Prefetch files = When a program is run in Windows, it stores its information for future use. This stored information is used to load the program quickly in case of frequent use.
LOC: C:\Windows\Prefetch With extension of .pf
EXP: PECmd.exe -f <path-to-Prefetch-files> --csv <path-to-save-csv> = Run Prefetch Parser on a file and save the results in a CSV
EXP: PECmd.exe -d <path-to-Prefetch-files> --csv <path-to-save-csv> = Parsing a whole directory
ActivitiesCache.db = Windows 10 stores recently used applications and files in an SQLite database called the Windows 10 Timeline. This data can be a source of information about the last executed programs. It contains the application that was executed and the focus time of the application.
LOC: C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\{randomfolder}\ActivitiesCache.db With extension of .db
EXP: WxTCmd.exe -f <path-to-ActivitiesCache.db> --csv <path-to-save-csv>
Windows Jump Lists = Windows uses jump lists to help users go directly to their recently used files from the taskbar. We can view jump lists by right-clicking an application's icon in the taskbar, which shows the recently opened files for that application.
LOC: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations With extension of .automaticDestinations-ms
EXP: JLECmd.exe -f <path-to-jumplist-file> --csv <path-to-save-csv> = JLECmd, not WxTCmd, is the jump list parser
There is also a GUI version, JumpListExplorer.exe, which loads and reads .automaticDestinations-ms files.
Shortcut Files = Windows creates a shortcut file for each file opened either locally or remotely. The shortcut files contain information about the first and last opened times of the file and the path of the opened file, along with some other data.
LOC: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\ With extension of .lnk
LOC: C:\Users\<username>\AppData\Roaming\Microsoft\Office\Recent\
EXP: LECmd.exe -f <path-to-lnk-file> --csv <path-to-save-csv> = parse a single .lnk file
EXP: LECmd.exe -d <path-to-lnk-directory> --csv <path-to-save-csv> = parse every .lnk file in a directory with -d
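The "first and last opened" times the note above refers to are the .lnk file's own filesystem timestamps (created = first open, modified = last open); the link file additionally embeds the target's creation, access and write times in its fixed header. The following is an added example, not code from the page or from Eric Zimmerman's tools: it parses that 76-byte ShellLinkHeader (MS-SHLLINK) from a constructed sample, so it runs offline and shows what LECmd recovers from the header. The sample header bytes and the timestamps in it are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader (MS-SHLLINK 2.1): fixed 76-byte header at the start of every .lnk file
LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk (little-endian fields)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means 'not set'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def parse_lnk_header(data):
    """Parse the fixed header; raises ValueError if the magic does not match."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("shorter than a ShellLinkHeader")
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file (bad HeaderSize or LinkCLSID)")
    # LinkFlags(4) FileAttributes(4) CreationTime(8) AccessTime(8) WriteTime(8) FileSize(4) at offset 20
    flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from("<IIQQQI", data, 20)
    return {
        "flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
        "file_attributes": attrs,
        "creation_time": filetime_to_datetime(ctime),  # target file's creation time
        "access_time": filetime_to_datetime(atime),    # target file's last access time
        "write_time": filetime_to_datetime(wtime),     # target file's last write time
        "file_size": fsize,                            # low 32 bits of the target size
    }


def parse_lnk_file(path):
    with open(path, "rb") as fh:
        return parse_lnk_header(fh.read(LNK_HEADER_SIZE))


def build_sample_lnk():
    """Constructed header (not from a real system) used to exercise the parser."""
    ctime = datetime_to_filetime(datetime(2023, 1, 15, 10, 30, tzinfo=timezone.utc))
    wtime = datetime_to_filetime(datetime(2023, 3, 2, 8, 5, tzinfo=timezone.utc))
    header = struct.pack("<I16sIIQQQI", LNK_HEADER_SIZE, LNK_CLSID,
                         0x80 | 0x02,   # IsUnicode | HasLinkInfo
                         0x20,          # FILE_ATTRIBUTE_ARCHIVE
                         ctime, 0, wtime, 4096)  # AccessTime left at 0 = not set
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1, Reserved2, Reserved3
    header += struct.pack("<IIHHII", 0, 1, 0, 0, 0, 0)
    return header


if __name__ == "__main__":
    for key, val in parse_lnk_header(build_sample_lnk()).items():
        print(f"{key:16} {val}")
```

A zero FILETIME is reported as None rather than as 1601-01-01, which is how an unset access time should be read on a real link file.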
IE/Edge history = An interesting thing about the IE/Edge browsing history is that it also includes files opened on the system, whether or not those files were opened using the browser. Hence, the IE/Edge history is a valuable source of information on files opened on a system.
LOC: C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat With extension of .dat
Local files appear in the IE/Edge history with the file:///* prefix. Though several tools can be used to analyze WebCache data, we will use Autopsy:
Select 'Logical Files' as the data source.
It will then ask for the path containing the files you want analyzed. You can provide the path to the triage folder, EXP: target\C
When Autopsy asks which ingest modules to run on the data, check the box in front of 'Recent Activity' and uncheck everything else.
Local files accessed can then be viewed under the 'Web History' option in the left panel.
When a WebCache.dat entry is selected, the 'Data Artifacts' tab in the bottom panel displays information about the file accessed.
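The command-line steps above (MFTECmd, PECmd, WxTCmd, LECmd, plus JLECmd for jump lists) are usually run as a batch over a triage copy of the system drive such as the target\C folder mentioned for Autopsy. The following is an added example, not code from the page or from Eric Zimmerman's project: it globs the artifact locations listed in these notes under a triage root, builds one command per artifact that is actually present, and can run them. The tools directory, output directory and the sample triage layout are assumptions; the sample files it creates are empty stand-ins, not evidence.

```python
import subprocess
import tempfile
from pathlib import Path

# Hypothetical layout: tools_dir holds the EZ tool executables, triage_root is a copy of the
# system drive (e.g. target\C from a KAPE collection). Globs are relative to the triage root.
ARTIFACTS = [
    # (tool, flag, glob relative to the triage root, output subfolder)
    ("MFTECmd.exe", "-f", "$MFT", "mft"),
    ("PECmd.exe",   "-d", "Windows/Prefetch", "prefetch"),
    ("WxTCmd.exe",  "-f", "Users/*/AppData/Local/ConnectedDevicesPlatform/*/ActivitiesCache.db", "timeline"),
    ("JLECmd.exe",  "-d", "Users/*/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations", "jumplists"),
    ("LECmd.exe",   "-d", "Users/*/AppData/Roaming/Microsoft/Windows/Recent", "lnk"),
]


def plan_commands(triage_root, tools_dir, out_dir):
    """Return one argv list per artifact that actually exists in the triage copy."""
    root = Path(triage_root)
    commands = []
    for exe, flag, pattern, sub in ARTIFACTS:
        for hit in sorted(root.glob(pattern)):
            # -d expects a directory and -f a single file; skip anything that does not match
            if hit.is_dir() != (flag == "-d"):
                continue
            commands.append([str(Path(tools_dir) / exe), flag, str(hit),
                             "--csv", str(Path(out_dir) / sub)])
    return commands


def run_commands(commands, dry_run=True):
    """Print and (unless dry_run) execute each command; returns {command line: return code}."""
    results = {}
    for argv in commands:
        line = " ".join(argv)
        print(line)
        results[line] = None if dry_run else subprocess.run(argv).returncode
    return results


def make_sample_triage():
    """Constructed, empty stand-ins for the artifact paths above (not real evidence)."""
    base = Path(tempfile.mkdtemp(prefix="triage_"))
    user = base / "Users" / "analyst"
    cdp = user / "AppData" / "Local" / "ConnectedDevicesPlatform" / "L.analyst"
    recent = user / "AppData" / "Roaming" / "Microsoft" / "Windows" / "Recent"
    for d in (base / "Windows" / "Prefetch", cdp, recent / "AutomaticDestinations"):
        d.mkdir(parents=True)
    (base / "$MFT").write_bytes(b"")
    (base / "Windows" / "Prefetch" / "CMD.EXE-ABCDEF12.pf").write_bytes(b"")
    (cdp / "ActivitiesCache.db").write_bytes(b"")
    (recent / "notes.txt.lnk").write_bytes(b"")
    return str(base)


if __name__ == "__main__":
    # Dry run against the constructed layout; point triage_root at a real triage copy to use it
    run_commands(plan_commands(make_sample_triage(), r"C:\Tools", r"C:\Output"))
```

Running every artifact from one script keeps the --csv output folders consistent, which matters later when the CSVs are loaded side by side in EZViewer or Timeline Explorer.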
HKEY_CURRENT_USER = Contains the root of the configuration information for the user who is currently logged on. The user's folders, screen colors, and Control Panel settings are stored here. This information is associated with the user's profile. This key is sometimes abbreviated as HKCU.
HKEY_USERS = Contains all the actively loaded user profiles on the computer. HKEY_CURRENT_USER is a subkey of HKEY_USERS. HKEY_USERS is sometimes abbreviated as HKU.
HKEY_LOCAL_MACHINE = Contains configuration information particular to the computer (for any user). This key is sometimes abbreviated as HKLM.
HKEY_CLASSES_ROOT = Stores information about registered applications, file associations, and COM objects. It helps Windows determine which programs should be used to open specific file types and how different components interact with each other. For example, when you double-click a .txt file, Windows checks the entries in HKEY_CLASSES_ROOT to see which application is associated with .txt files—usually Notepad or another text editor.
HKEY_CURRENT_CONFIG = Contains information about the hardware profile that is used by the local computer at system startup.
Data acquisition is a recommended part of forensics: imaging the system, or making a copy of the required data, is the correct way to obtain data to perform analysis on.
The registry hives in %WINDIR%\System32\Config cannot simply be copied, because they are restricted files, so we need to use tools:
KAPE: is a live data acquisition and analysis tool which can be used to acquire registry data
Autopsy: gives you the option to acquire data from both live systems or from a disk image
FTK Imager: is similar to Autopsy and allows you to extract files from a disk image or a live system by mounting the said disk image or drive in FTK Imager
Now for Reading The Hives:
Registry Explorer: It can load multiple hives simultaneously and add data from transaction logs into the hive to make a cleaner hive with more up-to-date data. It also has a handy 'Bookmarks' option containing forensically important registry keys often sought by forensic investigators.
RegRipper is a utility that takes a registry hive as input and outputs a report that extracts data from some of the forensically important keys and values in that hive. The output report is in a text file and shows all the results in sequential order.
Registry access using regedit.exe: if you only have access to a disk image, you must know where the registry hives are located on the disk.
LOC: C:\Windows\System32\Config
Hives :
DEFAULT (mounted on HKEY_USERS\DEFAULT)
SAM (mounted on HKEY_LOCAL_MACHINE\SAM)
SECURITY (mounted on HKEY_LOCAL_MACHINE\Security)
SOFTWARE (mounted on HKEY_LOCAL_MACHINE\Software)
SYSTEM (mounted on HKEY_LOCAL_MACHINE\System)
Two other hives containing user information can be found in
LOC: C:\Users\<username>\
Hives :
NTUSER.DAT (mounted on HKEY_CURRENT_USER when a user logs in)
USRCLASS.DAT (mounted on HKEY_CURRENT_USER\Software\CLASSES)
The USRCLASS.DAT hive is at LOC: C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat
There is another very important hive called the AmCache hive. Windows creates this hive to save information on programs that were recently run on the system.
LOC: C:\Windows\AppCompat\Programs\Amcache.hve
Another main source of forensic data are the registry transaction logs and backups. Transaction logs can be considered the journal of changes to a registry hive: Windows often uses transaction logs when writing data to registry hives, so they often hold the latest changes to the registry that haven't made their way into the hive itself. The .LOG files are in the same directory as the hive and have the same name as the hive, EXP: SAM.hve = SAM.LOG1, SAM.LOG2
Registry backups are the opposite of transaction logs: they are backups of the registry hives located in the C:\Windows\System32\Config directory.
These hives are copied to the C:\Windows\System32\Config\RegBack directory every ten days.
A good place to look if you suspect that some registry keys might have been deleted/modified recently.
Control Set
The hives containing the machine's configuration data used for controlling system startup are called Control Sets. There are typically two, ControlSet001 and ControlSet002, in the SYSTEM hive. In most cases (but not always), ControlSet001 points to the Control Set the machine booted with, and ControlSet002 is the last known good configuration. While the machine is live, Windows creates a volatile Control Set called CurrentControlSet (HKLM\SYSTEM\CurrentControlSet). For the most accurate system information, this is the key we refer to. We can find out which Control Set is being used as the CurrentControlSet by looking at the following registry key:
Select: Computer\HKEY_LOCAL_MACHINE\SYSTEM\Select
The last known good configuration can be found using the following registry value: SYSTEM\Select\LastKnownGood
ControlSet001: Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001
ControlSet002: Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002
System Info
OS Version: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Computer Name: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Time Zone: SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Network Interfaces and Past Networks: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Each Interface is represented with a unique identifier (GUID) subkey, which contains values relating to the interface’s TCP/IP configuration. This key will provide us with information like IP addresses, DHCP IP address and Subnet Mask, DNS Servers, and more. This information is significant because it helps you make sure that you are performing forensics on the machine that you are supposed to perform it on.
The past networks a given machine was connected to can be found in the following locations:
Unmanaged: SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
Managed: SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
Autostart Programs (Autoruns)
The following registry keys include information about programs or commands that run when a user logs on.
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Services
The DWORD value for the Start key in this location determines how the service starts:
0x00000002 (2) → Automatic
0x00000003 (3) → Manual
0x00000004 (4) → Disabled
Services: SYSTEM\CurrentControlSet\Services\
SAM hive and user information
The SAM hive contains user account information, login information, and group information. The information contained here includes the relative identifier (RID) of the user, number of times the user logged in, last login time, last failed login, last password change, password expiry, password policy and password hint, and any groups that the user is a part of.
SAM: SAM\Domains\Account\Users
Windows maintains a list of recently opened files for each user. As we might have seen when using Windows Explorer, it shows us a list of recently used files. This information is stored in the NTUSER hive.
There are different keys for file extensions, such as .pdf, .jpg, .doc, etc. These keys provide information about the last used files of a specific extension. So if we are looking specifically for the last used PDF files,
we can look at the following registry key: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pdf
ShellBags: information about how the Windows 'shell' displays folders is stored and can identify the Most Recently Used files and folders. Since this setting is different for each user, it is located in the user hives. We can find this information in the following locations:
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
Registry Explorer doesn't give us much information about ShellBags. However, another tool from Eric Zimmerman's tools called the ShellBag Explorer shows us the information in an easy-to-use format. We just have to point to the hive file we have extracted, and it parses the data and shows us the results.
When we open or save a file, a dialog box appears asking where to save the file or open it from. You may have noticed that once we open/save a file at a specific location, Windows remembers that location. This means we can find recently used files if we get our hands on this information. We can find it in the following locations:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Another way to identify a user's recent activity is by looking at the paths typed in the Windows Explorer address bar or searches performed using the following registry keys, respectively.
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
UserAssist
Windows keeps track of applications launched by the user using Windows Explorer for statistical purposes in the User Assist registry keys. These keys contain information about the programs launched, the time of their launch, and the number of times they were executed. However, programs that were run using the command line can't be found in the User Assist keys.
UserAssist: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
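Under each Count key the value names are ROT13-obfuscated program paths and the value data is a small binary record holding the run count, focus statistics and the last-run FILETIME. The following is an added example, not from the page or from Registry Explorer: it decodes a value name and parses the Windows 7 and later 72-byte Count layout (run count at offset 4, focus count at 8, focus time at 12, last-run FILETIME at 60), then orders entries by last run. The sample name/data pairs are constructed; on a real system the raw pairs would come from the Count key of the {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} (executables) and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} (shortcuts) subkeys, GUIDs that are well known but not stated on this page.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means never run."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_userassist_name(value_name):
    """Value names under ...\\UserAssist\\{GUID}\\Count are ROT13; the known-folder
    GUID prefix (e.g. System32) is rotated along with the rest of the path."""
    return codecs.decode(value_name, "rot_13")


def parse_userassist_count(value_data):
    """Windows 7+ Count value (72 bytes): session(4) run_count(4) focus_count(4)
    focus_time_ms(4) ... last_run FILETIME at offset 60."""
    if len(value_data) < 68:
        raise ValueError("Count value too short for the Windows 7+ layout")
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", value_data, 0)
    (last_run,) = struct.unpack_from("<Q", value_data, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run),
    }


def parse_userassist_entries(entries):
    """entries: iterable of (raw value name, raw value data) read from a Count key.
    Returns decoded records, most recently run first."""
    out = []
    for name, data in entries:
        rec = parse_userassist_count(data)
        rec["program"] = decode_userassist_name(name)
        out.append(rec)
    return sorted(out, key=lambda r: r["last_run"] or FILETIME_EPOCH, reverse=True)


def build_sample_entries():
    """Constructed (name, data) pairs, not from a real hive. The GUID is the System32
    known-folder id {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7} in its ROT13 form."""
    def count(run, focus, focus_ms, dt):
        ft = 0 if dt is None else int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10
        return (struct.pack("<IIII", 0, run, focus, focus_ms) + b"\x00" * 44
                + struct.pack("<Q", ft) + b"\x00" * 4)
    return [
        (r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr",
         count(7, 3, 45000, datetime(2024, 2, 1, 9, 12, tzinfo=timezone.utc))),
        (r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfcnvag.rkr",
         count(1, 1, 2000, None)),  # last_run of 0: counted but no timestamp recorded
    ]


if __name__ == "__main__":
    for rec in parse_userassist_entries(build_sample_entries()):
        print(rec["last_run"], rec["run_count"], rec["program"])
```

Entries with a zero last-run FILETIME are kept (the run count is still evidence) but sorted last, so a report never shows 1601-01-01 as an execution time.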
ShimCache
ShimCache is a mechanism used to keep track of application compatibility with the OS and tracks all applications launched on the machine. Its main purpose in Windows is to ensure backward compatibility of applications. It is also called Application Compatibility Cache (AppCompatCache). ShimCache stores file name, file size, and last modified time of the executables.
Registry Explorer doesn't parse ShimCache data into a human-readable format, so we use another tool, AppCompatCache Parser, also part of Eric Zimmerman's tools. It takes the SYSTEM hive as input, parses the data, and outputs a CSV.
ShimCache: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
AppCompatCache Parser: AppCompatCacheParser.exe --csv <path to save output> -f <path to SYSTEM hive for data parsing> -c <control set to parse>
AmCache
The AmCache hive is an artifact related to ShimCache. This performs a similar function to ShimCache, and stores additional data related to program executions. This data includes execution path, installation, execution and deletion times, and SHA1 hashes of the executed programs.
AmCache: C:\Windows\appcompat\Programs\Amcache.hve
Information about the last executed programs at: Amcache.hve\Root\File\{Volume GUID}\
BAM/DAM
Background Activity Monitor, or BAM, keeps tabs on the activity of background applications. Similarly, Desktop Activity Moderator, or DAM, is a part of Microsoft Windows that optimizes the power consumption of the device. Both are part of the Modern Standby system in Microsoft Windows.
SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}
Device identification
The following locations keep track of USB keys plugged into a system. These locations store the vendor id, product id, and version of the USB device plugged in and can be used to identify unique devices. These locations also store the time the devices were plugged into the system.
SYSTEM\CurrentControlSet\Enum\USBSTOR
SYSTEM\CurrentControlSet\Enum\USB
Similarly, the following registry key tracks the first time the device was connected, the last time it was connected and the last time the device was removed from the system.
SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\####
In this key, #### is replaced by one of the following property indexes to get the required information:
0064 → First connection time
0066 → Last connection time
0067 → Last removal time
USB device Volume Name
The device name of the connected drive. We can compare the GUID seen in this registry key with the Disk ID seen in the keys mentioned under device identification to correlate the names with unique devices.
Devices: SOFTWARE\Microsoft\Windows Portable Devices\Devices
When any new device is attached to a system, information related to the setup of that device is stored in the setupapi.dev.log .
LOC: C:\Windows\inf\setupapi.dev.log
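setupapi.dev.log is plain text, so the first install of a USB storage device (and its vendor, product and serial, which line up with the USBSTOR key names above) can be pulled out without a registry parser. The following is an added example, not from the page or from any of the tools it lists: it walks the "Device Install (Hardware initiated)" sections of the log, records their start/end timestamps and exit status, and extracts the USBSTOR identifiers. The sample log is constructed to mirror the section layout; note that setupapi.dev.log timestamps are in the machine's local time, not UTC, so they need the Time Zone key above before being correlated with FILETIMEs from the registry.

```python
import re
from datetime import datetime

# Constructed sample modelled on the section layout of setupapi.dev.log; not a real log
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5591\4C530001234567890123]
>>>  Section start 2021/05/04 10:15:32.123
      cmd: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
<<<  Section end 2021/05/04 10:15:32.900
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0]
>>>  Section start 2021/05/04 10:15:33.010
      cmd: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
<<<  Section end 2021/05/04 10:15:34.220
<<<  [Exit status: SUCCESS]
"""

SECTION_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<devid>.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
END_RE = re.compile(r"^<<<\s+Section end (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
STATUS_RE = re.compile(r"^<<<\s+\[Exit status: (?P<status>[A-Z_]+)\]")
# USBSTOR device instance path: Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<instance>
USBSTOR_RE = re.compile(
    r"USBSTOR\\Disk&Ven_(?P<vendor>[^&]+)&Prod_(?P<product>[^&]+)&Rev_(?P<rev>[^\\]+)\\(?P<serial>[^&\\]+)")


def _ts(text):
    # Timestamps in setupapi.dev.log are the machine's local time, not UTC
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S.%f")


def parse_setupapi_log(text):
    """Return one record per hardware-initiated device install section."""
    records, current = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = {"device_id": m.group("devid"), "start": None, "end": None, "status": None}
            continue
        if current is None:
            continue  # lines outside a device install section are not of interest here
        if (m := START_RE.match(line)):
            current["start"] = _ts(m.group("ts"))
        elif (m := END_RE.match(line)):
            current["end"] = _ts(m.group("ts"))
        elif (m := STATUS_RE.match(line)):
            current["status"] = m.group("status")
            records.append(current)
            current = None
    return records


def usb_storage_installs(records):
    """Pull vendor/product/revision/serial out of USBSTOR install records."""
    out = []
    for rec in records:
        m = USBSTOR_RE.search(rec["device_id"])
        if not m:
            continue
        out.append({**m.groupdict(), "first_install": rec["start"], "status": rec["status"]})
    return out


def parse_setupapi_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_setupapi_log(fh.read())


if __name__ == "__main__":
    for dev in usb_storage_installs(parse_setupapi_log(SAMPLE_LOG)):
        print(dev["first_install"], dev["vendor"], dev["product"], dev["serial"], dev["status"])
```

The serial captured here is the same string that forms the USBSerial# part of the USBSTOR registry path, which is how the install time in the log is tied to the 0064/0066/0067 property timestamps in the hive.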