
Forensicating Windows Artifacts: Investigation Without Event Logs!

BSides London · 2019 · 18:23 · 5.1K views · Published 2019-06
Category: Technical
Team: Blue
Style: Talk
About this talk
When dealing with security incidents, hackers tend to wipe their digital footprints to avoid being detected. Normally they want to wipe the event logs, so that it is hard for incident responders and forensicators to work out exactly what they did on the compromised machine. As a security professional working an investigation like this, what would you do once the event logs are gone? That is where Windows artifacts come in: they let us investigate and reconstruct what happened before and after the Windows machine was compromised. In this talk I'm going to show the importance of Windows artifacts such as prefetch files, registry keys, link (LNK) files, browser artifacts, shellbags, etc. I will also show the tools I've been using to get the most out of them during a forensic investigation. This lesson is especially important to people working in a SOC environment, incident responders, and digital forensics investigators.
Transcript [en]

So hi, my name is Franzen Cruz. I came from the Philippines and I'll be discussing forensicating Windows artifacts: investigation without event logs. Starting with my profile: I have around seven years of working experience. I came from the Philippines and I'm now working in Qatar, in the Middle East, as a senior security analyst, and I'm part of a nation-state team. I'm also a core member of a cyber security training center in the Philippines, a former college instructor, and I have some alphabets after my name that sometimes don't make sense. So we're going to discuss some Windows artifacts that are important from a forensics perspective. It's not everything that I've put here,

because there are also some files that have forensic value that I didn't include because I have limited time, like UserAssist, the Recycle Bin, et cetera. I just picked the ones I've been using most when investigating and analyzing cases or incidents: the LNK files, prefetch, thumbcache, shellbags and registry keys. So it's not just for the blue teamers out there; it is also essential for the pen testers, because they normally just delete the Windows event logs that we all know about. The fact is, there's more to life than Windows event logs, so we can also

perform timeline analysis and compile reports without using the Windows event logs, just using the Windows artifacts. So, have you ever felt like, in the morning, sitting down in the SOC room with a cup of coffee, and there's a Windows machine that you need to forensicate and there are no event logs there? That's like the best feeling ever, right? So if you're a professional hacker, you're probably trying to get the next big case, and one thing you can do is just remove everything, remove the artifacts that are there, to become

more stealthy. In the physical world it's like the CCTV camera footage, some hairs, footprints, blood, whatever; in the digital world it all boils down to the logs themselves. Windows is really a fan of logs: it keeps generating different logs, even for PowerShell and different applications, especially in Windows 8 and above. So it's kind of mind-blowing for the SOC analyst to analyze every log that is there; it's going to be a big case. So yeah, Windows artifacts. Let's just start with the LNK files. These are more of a shortcut thing, and basically we use them to get their metadata,

because there can be a lot of forensic value in it. For example, say a USB or a network share has been removed from the machine but you need to know whether those files existed in that environment or on that Windows machine; you can just get that from the LNK files. Their location is %UserProfile%\AppData\Roaming\Microsoft\Windows\Recent, so you can just get those LNK files and then get the metadata out of them using some tools that I'll be showing you later. It's not hands-on, because I have limited time, so I just took some screenshots and made use of

them. I tried getting some screenshots on my machine, so as you can see I just do a dir in the Windows environment and get everything here. Some of the files here were already deleted on my machine, but the LNK files are still there, so the forensic value of LNK files is really great. One of the tools that I've been using is from Eric Zimmerman; if you're a forensics guy or you're in the security world you probably know who Eric Zimmerman is. He created a lot of tools, mainly for forensics. I'll give a quick rundown of this tool, and as you can see in

the arguments there, there's this --csv, so you can just export the result to CSV, and the output will be the file name. As you can see, there are a lot of timestamps there that could be essential or very beneficial for the forensic analysis: the target created time and so on. I've highlighted some of the suspicious things. We can say, if I am just a marketing guy who isn't really into tech, why would I need to have exploitation stuff in there? Why would I need to have downloaded files like APT40, really? So

it's kind of interesting stuff there, right? The next one is the prefetch files. Probably most of you know this thing: Windows creates these files when you're running an application, so there is a cache of it, and the second time that you run that application it will be smoother and faster every time you load it. You can check the prefetch files at this location, and we can also use this when investigating something. For example, if a file or application has already been deleted, we can use the prefetch files as evidence that this malicious

executable or binary has been run on that machine, even if it was deleted. I use WinPrefetchView as a tool; you can just google it, and there's also a tool from Eric Zimmerman for viewing prefetch files. I cited a few examples here which are kind of interesting. Let's say that I'm a marketing guy: why do I need BitTorrent or FTK Imager there, even if I deleted it? It looks kind of interesting to me. That exe is RegRipper, which can be used to extract the account management and some hives; Wireshark, why do I need Wireshark? WinHex, or IDA Pro. So it could be really beneficial and

very helpful if we're conducting investigations and stuff. Thumbcache: there's a funny thing about the thumbcache. When I did some CTF way back from some online resources, there was an easy-level challenge in the forensics category and I kept banging my head for like an hour, I guess. I couldn't find the flag, and then I found out that it's all in the thumbcache.db, so I just needed to use a tool and it was just there; you just have to use that tool. If you look at the thumbcache.db you're kind of familiar with that icon. If you try to make a

thumbnail view of different pictures in the Windows environment, it creates a file known as thumbcache.db, and then you can really extract that metadata even if those pictures have been deleted from your machine. So it can be used by law enforcement, incident responders and forensicators, especially if you're working on a child pornography case: if that guy says that he doesn't have any child pornography pictures on his machine, but you see that there's a thumbcache.db there, you can eventually prove that there are some suspicious photos there. It's not really the big picture, it's just a thumbnail view, but it could be great for your forensic report. So

yeah, it's all created here at this location. I put those locations here because I think it would be helpful for us on the blue team side, SOC, forensics or incident responders, to make use of these locations. I've got an example here; you probably know this logo: this is the Tor Browser. I used Thumbcache Viewer on my machine, and then Wireshark. In the first part of my talk I said let's assume that I'm a marketing guy, so we can ask why the hell this marketing guy has the Tor Browser on his machine, or even Wireshark. You can

just prove that by getting the thumbnail view off his machine. Then shellbags. I've watched a lot of talks about shellbags; it's a really complicated artifact that you can really use for your report or if you're investigating something. For example, if you're accessing different files or network shares via Windows Explorer, or even a USB, or if you change some controls in Control Panel, you can probably track that using the shellbags. You can use a tool by, of course, Eric Zimmerman as well; there's a very good tool for shellbags so that you can track down those activities, which I will show

you later. This is one example of that. From the desktop, the user tried to access files in the Downloads folder, the internals suite, and somehow debug; and there's a fake point folder there which, even if it was deleted, if you try to extract UsrClass.dat and load it into ShellBags Explorer you can still see: there's a fake point folder there. So you can make evidence out of it and make context out of it. You can also see here that the user tried to configure Windows Firewall, Power Options and System Recovery. If you're a marketing guy, why would you

just tweak those configurations or options on your machine? Probably something is going on there. All right, so jump lists: technically it's just like the Frequent feature. If you notice, in the Windows environment there's a Frequent feature, so if you use some applications, the ones you currently or mostly use recently, you can find them on the Frequent or the Recent tab in the Windows environment. There are also files generated for that, which you can look for at this file location. So if you're investigating an image or a machine you can track down which applications are

commonly run by a user, or by your suspect, by using the jump list artifacts. Every jump list or every application has its own application ID. There are too many to mention, but I just have the browser applications here. It looks like an MD5 hash but it's not. If you want to have the full list you can just go to this link and try to figure out the application IDs depending on the application. All right, so I tried to get the jump lists on my machine as well by just doing a dir, and it looks like this one. Then I used JumpList Explorer, again by Eric Zimmerman, who is a great guy.

In this part I tried to extract more of them. It makes more sense doing this, because if a marketing guy tried to explore websites that deal with hacking stuff, then you may find out, okay, he tried to go to metasploit.com or even kali.org. For what, if you're a marketing guy? Are you going to put it on your machine and mess around with it? So it makes a lot of sense to make this evidence as well in your report. Windows registry: we're all familiar with the Windows registry, and it's kind of mind-blowing that there's a lot of information we can get from the Windows registry. There

are different hives there. HKCR is mainly used for configuration information on the application side. HKCU is actually the profile of the user currently logged on. HKLM is more of the software as well as the hardware part, so you can get a lot of information there. Then HKU contains information about all the loaded users on that machine, and the last one, HKCC, contains a lot of information about the hardware during startup. So basically a lot of information is there, and it is one of the favorite artifacts of a forensicator, a must-have. These are the forensic values of it: that's like

what I've discussed, and the mounted devices can also be tracked down, so for every USB device, or even network shares, you can also check that using Registry Explorer, or you can just check the registry. I've cited some of my favorite keys in Registry Explorer, or rather the registry keys. Let me just try to look at this one, particularly the Run key: you can check which applications have been run during startup; TypedURLs, what are the URLs that have been typed by the user; all installed programs, as well as the mounted devices. Next is RunOnce: there's a lot of malware that keeps

hiding in RunOnce so that it runs even after a reboot. Also services here, and some last-user-login information, and that wraps up my presentation. Any questions? Don't bother with the image. Any questions, comments, thoughts?

Great presentation. I was quite interested in a tool, something to show the hidden streams; do you have one? Sorry, what was that again? Hidden streams. Streams? I didn't put that one in, but I watched some videos of that. I'm not particularly sure about the tool they've been using to just get the streams, but I believe that on the GitHub profile of Eric it's all there, but it's command line, not GUI, to detect those streams on that machine. So I can take a note and get back to you with the specific name of that tool. Does anyone have an idea of a tool that

would show hidden streams? Sysinternals streams? In the terminal, it doesn't show. Okay, other questions? It's always great when you can turn to the audience and say, does anyone know of a tool that does this, and not only are there three of them but people will argue about whether or not it works, it works right, it doesn't work well, etcetera, etcetera. It's all good; you can tell the system is evolving. Other questions, comments, thoughts, ideas? Okay, one in the back. Like I said, I'm going to get my steps in, and I know you couldn't read the slides from back here; quit complaining. Oh good, hi. If Eric Zimmerman gave up tomorrow, what toolset

would you use? It could be a lot of thought, as Eric Zimmerman made my life very easy, but for me my favorite one would be Registry Explorer. That helps me a lot during my day-to-day investigations, and there are a couple of others that I didn't mention, but he's really great. Other questions, comments, thoughts? Once, twice, three times. Thank you very much.
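An added example, not part of the talk and not one of the tools it mentions: a minimal Python parser for the fixed 76-byte ShellLinkHeader of a .lnk file (layout per Microsoft's MS-SHLLINK), which carries the target's creation, access and write FILETIMEs, size and attributes that the speaker reads out of the CSV export. The sample header it parses is constructed inline, since the page ships no LNK file; `build_header`, `SAMPLE` and the flag names are this example's own.

```python
"""Parse the ShellLinkHeader (first 76 bytes) of a Windows .lnk file, per MS-SHLLINK.
Added example; the sample header is constructed inline, not taken from a real machine.
The header keeps the target's FILETIMEs, size and attributes even after the target is gone."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
# HeaderSize, LinkCLSID, LinkFlags, FileAttributes, Creation/Access/Write FILETIME,
# FileSize, IconIndex, ShowCommand, HotKey, 10 reserved bytes = 76 bytes (0x4C)
HEADER = struct.Struct("<I16sII3QIiIH10s")

def filetime_to_dt(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    d = dt - EPOCH_1601  # integer math: floats lose ticks at this magnitude
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_header(data):
    """Return the forensically useful header fields, or raise on non-LNK data."""
    if len(data) < HEADER.size:
        raise ValueError("too short for a ShellLinkHeader")
    size, clsid, flags, attrs, ctime, atime, wtime, fsize, _, _, _, _ = HEADER.unpack_from(data)
    if size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("HeaderSize/CLSID mismatch: not a ShellLink header")
    return {"flags": [n for bit, n in LINK_FLAGS.items() if flags & bit],
            "is_directory": bool(attrs & 0x10),  # FILE_ATTRIBUTE_DIRECTORY
            "target_created": filetime_to_dt(ctime), "target_accessed": filetime_to_dt(atime),
            "target_modified": filetime_to_dt(wtime), "target_size": fsize}

def build_header(created, modified, size, flags=0x83, attrs=0x20):
    """Constructed sample header: IDList + LinkInfo + Unicode flags, ARCHIVE attribute."""
    return HEADER.pack(0x4C, LNK_CLSID.bytes_le, flags, attrs, dt_to_filetime(created),
                       dt_to_filetime(modified), dt_to_filetime(modified), size, 0, 1, 0, b"\0" * 10)

SAMPLE_CREATED = datetime(2019, 6, 1, 9, 30, tzinfo=timezone.utc)  # constructed
SAMPLE = build_header(SAMPLE_CREATED, SAMPLE_CREATED + timedelta(days=3), 1337)

if __name__ == "__main__":
    for key, value in parse_header(SAMPLE).items():
        print(f"{key}: {value}")
```

On a real shortcut, read the first 76 bytes from the Recent folder path the talk gives and pass them to `parse_header`; the target path itself lives in the LinkInfo structure that follows the header and is not parsed here.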