
Okay, the microphone is working. Hi everyone, my name is Mariusz Litwin. For several years I've been dealing with a topic that is relatively niche in security, namely investigative informatics. Today I came here to tell you a little about it, and also to confirm a few theses. The first thesis is relatively simple: I wanted to prove that I would be able to show a presentation from Linux. So far so good. I give you my thumbs up.

The second one is a bit more controversial. I assume that, due to the connotations of the word "investigative", you treat me as your opponent. What I want to prove today is that it is not so. Investigative informatics does not deal with following you, violating your privacy, or anything like that; we just try to help. And we try to help in such a way that we can't blame anyone. This thesis also has a hidden thesis: that the mechanisms we find in different systems, especially today in Windows, and especially in Windows 10, are not there to track us. And I think this is a rather controversial thesis. And of course, here is the star thesis, because it is a philosophical discussion whether they are there to track us or not. From my perspective, the hype that Windows 10 is tracking us, that Microsoft is tracking every move we make, often based on what I was just talking about, is exaggerated. Of course, with the right level of paranoia, everything is tracking. But in this case, I will try to show you, on many examples, that the elements I use in my work as an investigative informatician, the traces I am looking for, are not the effect of some villain sitting in Microsoft headquarters wondering how to make our lives more difficult, how to take away more and more of our privacy, how to get into our lives with a pair of boots and look down on us. They are just the effect of certain mechanisms that work for our benefit but leave traces in a natural way. Seeking these traces is investigative informatics. Of course, there is probably some beautiful dictionary definition. I will not force myself into any exaggeration.

And to get on with proving the thesis, something unusual: I think the notification mechanism in the system has been around for a relatively short time. But you probably noticed that it is getting more and more common. Each page, especially news sites, wants to communicate with us in real time, show us what's new on the page, allow us to track articles that may interest us. Hence, such windows are becoming more and more popular. What was interesting for me when I first read about it on the W3C site is the fact that this prompt will only pop up once. You probably noticed that, right? Websites try to make fools of us and first send their own prompt, like: "Hey, listen, maybe you can add me to these notifications?" And this prompt, since they generate it themselves with the help of their script, can torment us for weeks, years, even until the end of the world. But the one coming from the browser will only pop up once. And now, that's cool, right? It's like it's taking care of our well-being while we sit at the computer, so that we're not bombarded with this information. And does it track us? Because generally, as soon as we click "block", "accept", anything, a new file will appear on our disk. I mean, let me back up: this file is already there. In the context of Chrome, this file is already there. This is a very large JSON; the line numbers show it a bit, because I copied it from my computer. And among other things, for example, I have information about how many visits there were to a given page. I went there twice: once to test, the second time to click "block". And now, is it good or bad? Because here is also a timestamp. It changes. So I have information, let's say, by studying such a system, by studying myself, I know that I entered this page. And this page is innocent in this case. But what if it was, I don't know, if I have a computer in my hands, and I have information that it was used in Kali Linux. Kali Linux is a bad example because there are no such prompts there. But I'm getting to a summary, which says that most of the things we do on the computer leave a mark. Most of the functionalities we use leave a mark. What's more, these are not always our conscious actions. In the context of Windows, there are mechanisms that happen in the background to make our lives easier. But I will get to that in a moment.

As a matter of principle, I will not reinvent the wheel today. And I will not pretend that I have acquired all this knowledge through long-term meditation and research of Windows 10 systems. The truth is that this information is on the Internet. Considering how niche investigative informatics is, I encourage you to check out the SANS website. In this case, I have linked a specific poster; there are thousands of such posters. The SANS website has a lot of information about what I will talk about today and much more. This is one of the organizations that I think are leading in the field of digital forensics and incident response, as they announce here. I'm not connected to SANS in any way, except that I was once at their training. But it only boosted my opinion of them, so I feel it's fair to tell you about it as a valuable resource, because apart from the expensive trainings, they also share a lot of free materials from which you can learn by yourself.

So what I'm going to do today is try to decode this poster for you. Because if you open it, I don't know if anyone has had the same experience of checking this link just now, it will turn out that there is a lot of information. This is a poster that I personally have in my office on the wall, and I can see it from the door, across the room. It's huge. And it contains the same amount of information. So what I'm going to do is decode it for you and tell you what we can actually look for when we're studying a system like Windows 10.

And now, the first point, the starting point for any analysis related to investigative informatics, is something like Know Your File System.
Is this thing hidden enough? Most people here probably pay attention to how they format their pendrives, what format their hard drives are in, etc. But this is something we usually ignore. The file system is there, it works, so let's move on. When we approach this from the perspective of investigative informatics, knowledge of the mechanisms governing the specific file system we are dealing with is key. It is key because after the first, second, third case you analyze, it will turn out that it is impossible to do investigative informatics without dates. Without filtering certain actions in time, without sorting in time, there is no good analysis. And this is again a rather bold thesis. Maybe someone will prove to me that it's different. I can't analyze anything that doesn't have dates. It's nice to know that a given file was run twice, but if I don't know when, I still can't put it in the general context of the incident. So I prefer to know something about these dates.

Depending on the actions we perform on a given file system, and such tables can be made for other file systems and I guarantee you that they will differ, these dates change in a more or less predictable way. NTFS is a very special example here because it stores two collections of timestamps. It's not like there's only one collection of dates connected to a given file. "Creation", "last written"... I've got a headache. Let me move on. "File access" is not true. "Modified" is written. "Access". Yes, MAC time. So, access is a myth. Speaking of NTFS, Microsoft has definitely given up on updating Last Access in a predictable way. If I open a Word document, not on this computer but on the computer I have in my backpack with Windows, it will not update Last Access at all. It's a bit sad, but we have to live with it. Regardless of that, these three dates change in different ways depending on what actions we perform. Here, where we have white fields, we see that something has changed. Where we have black fields, everything remained the same.

And now, the File Access example is for show, as I said, because there is a star: the last access will not change when we get to the file. But copying is a good example. Because it changes everything, except for Modified. Which leads us to the fact that we have two copies of the same file with completely different dates, except for Last Modified. Last Modified was transferred in the copy operation. And now, if we don't know about it, we can't understand what action was behind this file. Imagine a situation where I created a file two hours ago, when I got up from bed, making coffee, and started writing down ideas for what I'm going to say today. And then I came here to you, so I copied it to my pendrive. And when I look at the pendrive, it turns out that Last Modified is two hours earlier than Created. It's wrong, isn't it? If I don't understand why it happened, I can't understand what this file is about: where did it come from, where is it going, etc.

The situation is complicated by the fact that, as I said, NTFS retains two collections of dates. It complicates it, and not only because, for example, I saw cases of this mythical anti-forensics. I don't know if you've encountered this term. I think it's a bit of a myth. As I mentioned at the beginning, each action leaves a trace, so anti-forensics as such... Oops, sorry. So it's impossible to use Linux. Anti-forensics also leaves such traces. Regardless of that, I've seen actions where someone tried to hide malware among system files, but so that it wouldn't show up, so that it wouldn't be the only file created yesterday. For example, the only DLL in C:\Windows which has a creation date of yesterday at 12:00, while all the others have the installation date or the date imposed by Microsoft. So that it does not stand out, these entries were modified. As you probably expect, everything about a file, or an entry on the disk, can be changed; it's nothing new. And this timestamp was changed. It's a pity, it complicates my analysis, I have to find this malware in another way.
Well, it's not true. Because it still pops up. It pops up because someone hasn't changed the second stream of data. This means that the file has two radically different dates. And it's easy to catch. Regardless, once we know this file system, within our timeline built only from files we can set up various other actions. I don't know if I mentioned at the beginning that if someone has any questions, they should ask them right away. I quickly forget what I said. So if I start complicating something, please interrupt me. Regardless of this... Sorry. Regardless of this, once we have this timeline, we can enrich it in billions of ways.

What will be interesting for most of you, probably, in the context of response to a security incident, is the start of a given piece of software. Usually, when we analyze an incident, we want to know when it happened, when the user started the malware, when an exploit was started, when someone did something with PowerShell. This leads us to the fact that the category of Program Execution, and the category of System Artifacts that are included in the Program Execution area, is particularly interesting, which is why the first slide is here. And here we have the meat. I promised Windows 10, so I'll start with the meat that is most promising for me. I haven't had a chance to look at it yet, but it looks promising. I think it's the Creators Update. Microsoft has announced... I'm sorry, I think I'm getting sick. Microsoft has announced that a new function will be created in Windows. That Windows will be able to check the history of the system in terms of actions, just like we check browsing history in a web browser. Great, isn't it? I don't see it being used in my daily work, filling out Excel, sending e-mails, etc. But if someone tells me that I can extract such information from the computer of the person I'm investigating, I'm more than happy with it. What is it all about? In this Windows 10 Timeline all the program runs, opened files, folders, etc. should be saved. What's cool about usability is that you can restore everything. I can open a GIMP window with the same image I edited a week ago.

So I have a question. Will this thing be huge? In this case? It's clean. How often is it known? I don't know yet. But I'd like to know. If you want to talk about it, I'll write down this type of topic and maybe I'll come back to you by e-mail or on some instant messenger. On the other hand, is your browsing history in the browser huge? I mean, I sometimes clean it, so I don't know, but... I couldn't hear you. I clean it when it's closed. Oh, so you see. So I have a similar problem, maybe not exactly the same, but a similar problem: I'm not able to assess whether it's a lot or a little. I think that, by analogy, it will be something we can agree on, considering that after the initial drop in the size of hard drives that we had with the introduction of SSDs, for me it was a leap from analyzing computers that have a 2 TB drive to computers that suddenly have 128 GB. Again, great, because I have less work and I process faster. After this initial decline, we have an increase again. Even when I bought a used computer, I got it with a 256 GB SSD. If I devote 5 GB to the history of my system, is it a problem?
Most users will not notice it anyway. But this is just one example. And such examples can be multiplied. I'll skip through this poster a bit. My favourite in the field of program execution is Prefetch. Prefetch is so cool that it was introduced in XP in a rather complex way. Someone at Microsoft noticed that programs tend to take long to start. I mean, generally, it's not big news for you that programs can take long to start. It will load a file, it will generate something in memory, it will take time. Microsoft decided to cache the part of the program that loads at the beginning; it will run faster, everyone will be satisfied. It comes with one more thing: it leaves a trace. It leaves a trace in the form of a prefetch file. It is a binary format; fortunately, it was reversed. I say fortunately, because it is a treasure trove of knowledge about program execution in the system. If you want to know when CMD was launched for the last time, you can look there. These files are located, not a very obvious name, in C:\Windows\Prefetch. When you parse them, you can determine when this file was launched for the last time, and in Windows 10, to add a nice pivot, the last 10 days of launches. What's more, we could try to say that this partial memory could be analyzed. I don't know why, because these are static parts which should be loaded with each program run, so there probably won't be anything wrong with it. But if it's malicious software, then the question for the reversers in the room is whether such a part of memory would be interesting for you. If so, keep an eye out.

Regardless, these are examples of phenomena. Another example I like to look at is RecentApps. This is a perfect example of the thesis I wanted to present to you. Have you ever wondered how it is that when you click the Start menu, now unfortunately not in Windows 10, but we used to have a list of: "Hey, hey, hey, have you recently used Internet Explorer, Excel and Outlook?" And: "Hey, I've recently used Internet Explorer, Outlook and Excel." Perfectly on point. Interesting how it knows that. The system analyzes in the background... I'm sorry for these switches, I'll try to jump between the slides faster, maybe it'll be better then. The system analyzes what was actually running in the meantime. And puts such a list in the system registry. Generally, the system registry, as soon as you run the analysis, is your beloved Windows element. It turns out that in the registry, apart from the information about what drivers are installed or what software is installed, which can also be valuable information, there are a myriad of different options that can be analyzed. There is one disadvantage of the registry: sometimes there are no timestamps.

Isn't it? Isn't it the effect that all these logs make the Windows system so swollen? After installation, there is freshness at the beginning, it is running beautifully, and after half a year we have to reinstall it? I am not a programmer, so it is difficult to answer whether this is the reason. But generally, the more garbage in the registry, the more things are in memory, the more things the system has to check on a regular basis. The registry is a kind of crystallization axis of Windows. Most of the things that happen are in the registry. Because of that, there are two key points in the life of each registry. It is logging in, when the registry is read into memory, assembled from different files in different areas of the hard drive, and shutting down the system, when all our actions return to the disk. This is a simplified example, because not all registry hives are saved in this cycle, but the most important one for us, i.e. the one about user actions, NTUSER.DAT, located in the user's profile, will be read at the beginning and saved at the end. This has an interesting consequence, which I will talk about in a moment. So, answering the question, the more you allow the registry to swell, the worse. Because it is in memory, it is constantly queried. But most of these lists are not ever-growing lists. In XP, it was probably 12 entries. Now there is no such list in Windows 10, but the mechanism has remained. Nothing has changed there, probably, when it comes to the amount.

I mentioned that sometimes there are no timestamps in the registry. Then the topic of MRU appears: Most Recently Used. In this case, we usually have only one timestamp, saying when this particular fragment of the registry was last modified, and then all elements on the list are numbered. For example, Outlook 1, Excel 7, Paint 5. Based on this list, we can determine, approximately, that since Outlook was in first place, it was opened at the time of the last modification of this registry key. One certain date. The others? Probably earlier.

What is also interesting in Windows 10, and what can be useful in a trial, or in security, in a SOC, I don't remember which update they introduced it with, but before Windows Timeline. It means System Resource Usage Monitor. I'm not wrong, I didn't want to use the abbreviation because it looks a bit offensive. Regardless of that, this is another knowledge mine. In this database, I don't want to use the abbreviation, there is information about what network connections have been established, how many bytes were sent, how many packets. This is a very complex topic, because in the end we can run the Task Manager and see all this information nicely visualized. But ultimately, in such dead-box forensics, when we get a computer, a lot can be read from this database. For example, I'll get to Wi-Fi on another occasion, but to sell it to you a little, think about it, how to say it: how much information about location is in the Wi-Fi networks you connected to?

To speed up a bit, what you may be interested in, what you see here, is the core of such investigative work for, let's say, courts. This is the core of fraud investigation. I heard the name File Use and Knowledge. SANS uses Deleted Files and File Knowledge, no difference for me. There are many places in the system that record what files were opened, what files were on the disk, etc. What I find particularly interesting is the fact that in the history of Internet Explorer you can find information about which paths were visited. If you're not Linux users or Apple users, when was the last time you turned on Internet Explorer to clean up your browser history? To be honest, I don't remember when I turned it on. I work on Windows, apart from this computer. And there's information that I was in the location C:\users\mariusz\documents\tojazabijałem.docx
If we are looking for this type of information, it is great for us that Microsoft decided to hide it in Internet Explorer. But it is not the only place where it is worth looking for it. After all, Internet Explorer can be uninstalled in Windows 10. The same thing happens with Edge. I haven't tried to uninstall Edge, but I think Edge is not enough.

Agreed. If we block the service, then the information I mentioned will probably be lost with the service. Thanks. And the dead service is also a trace. An interesting fact that came up during the discussion. What's more interesting, we discussed last visit. It's strange that there's no second favourite artifact here. Never mind. What's cool is that xpeg keeps the information you entered into the search field. If you called up a string, there was a search field. If you entered something there, it was saved. Cool, not cool, I like it. For example, if someone was looking for the file tojazabijałem.docx. Moving on.

ThumbsDB. I think everyone has already met ThumbsDB. Due to the way galleries work in Windows, various information about these galleries is stored somewhere in the system: thumbnails, metadata information, etc. In particular, such information can be found in ThumbsDB. So what if we are looking for a specific photo? We have a collection of photos, but we wonder if it is a complete collection. It's hard to answer, because we would have to have a time machine, go back three hours and check if the folder looked the same. Our time machine will be ThumbsDB, because there will probably be information that a given file was in this folder and then disappeared.

Recycle Bin. I think there are no people here who are unaware that a simple delete on a file does not delete anything, it only transfers it from one folder to another. But I can guarantee you that there are a myriad of people who think that if they click on something and click delete, it's gone. And then they are surprised that they have such a big bin and very little space on the disk. This is related to one advantage. Well, when you open the Recycle Bin, let's say low-level, with some special tool, let's not kid ourselves, here, since I already mentioned tools, the easiest to get is Autopsy, it's open source, so when we open the Recycle Bin in Autopsy, it turns out that every item in the Recycle Bin has two entries. The first one is data. It starts with an exclamation mark, and then there is an identifier common to both. In one there is the data that has been deleted, the specific file, and in the other there is the metadata of this file. So even if someone deleted it and thinks it's been removed, we have all the information from the file system stored there. Plus, we have additional information from the file system about when it got to the Recycle Bin. It builds a nice timeline when we wonder if any data was destroyed, if something was deleted, etc.

File download is a rather interesting category. Everyone expects that these lists, like "last week you downloaded three free Linux distributions to your Downloads folder", have to be somewhere. And it is independent of the browser, which proves my thesis. Even browsers that promise us that they take care of our privacy, etc., Mozilla etc., have to keep the data somewhere. And they keep it on the disk. What is especially cool in the context of these browser-based artifacts is that they are stored in SQLite. So you don't need any specific knowledge. You need an open-source SQLite tool and to be able to write simple queries. For example, SELECT * FROM DOWNLOADS. And that's it. Timestamps, information from where, to where and how they were downloaded.

What is interesting in the context of file download is the Zone Identifier category. It is not interesting because it is a very valuable source of knowledge. Zone Identifier is a file that has one variable inside, which can take four values. It tells you where this file came from. If the browser has ever touched it, it tells you where this file came from. If it's zero, it's from Trusted, which is mostly from the intranet. If it's three, it's from the Internet. If it's four, it's from Untrusted, which is from the bad Internet. I don't know if you've ever configured Internet Explorer that deeply. It has four security zones that can be set. They then have a reflection in the Zone Identifier. Why is the Zone Identifier interesting? What do we get from this information? There is no URL. The only goal behind this mechanism is to prompt you when you open an executable that you downloaded from the Internet; you probably noticed that Windows tells you: "Hey, this file comes from the Internet. It can be bad. Do you want to run it for sure? Yes." I mean, except that it should be the default, because most users react very optimistically to all buttons. This does not carry any information. What is interesting in the context of this specific artifact is how it is stored.

And now a bit of archaeology. NTFS is generally a very interesting file system. Very interesting because it has a myriad of functionalities which Microsoft never implemented in Windows. I mean, implemented and never showed them to us. And Zone Identifier shows us one of them, i.e. Alternate Data Streams. Alternate Data Streams, as far as I know, were created to imitate the additional features of Apple system files, because they have something like Extended Attributes. For those times, let's call it that. NTFS didn't have it directly, so they added these alternate data streams, and this is more or less something in the style of a file linked to a file. And now, Internet Explorer, I mean Windows Explorer, will not show us such an alternate data stream. It is connected to the file, but there is no chance to see it. And now, why does an alternate data stream exist? I already mentioned extended attributes. I don't know if you noticed, when you copy a photo from your camera to a computer with Windows for the first time, at the beginning they have icons like any other image, and then it starts generating thumbnails. These thumbnails are usually saved in the alternate data stream. The third example is malware hiding. It was very, very popular some time ago. Antivirus authors have already paid attention to it. At least I haven't seen any malware hiding in alternate data streams lately. Especially when someone knows about it, it's very visible. The majority of forensic software will just extract these alternate data streams, you can filter them all and see: "Oh, hey, there's another binary here." Because Microsoft finally took pity on us, from Windows Vista these alternate data streams are still not visible in Explorer, but you can look at them in the command line. It's a switch to dir, I always confuse slash with backslash, but I think slash r, and then alternate data streams will also show up; you can see if something is not connected there. Go to your Downloads folder, enter dir /r and you will see how many alternate data streams there can be in the form of zone identifiers. But Zone.Identifier has an advantage: if it is connected to a file, it follows it. So if we copy it from Downloads to the desktop, from the desktop somewhere else, this file is still attached. So, basically, we know that this file has been downloaded from the Internet. It's useful sometimes.

What's interesting is that I don't think that Time Zone is in the area of network activity.
Maybe it's in the physical location area, where it's definitely located. It is key information in every analysis. Because I never paid attention to time zones. I decided I live in Poland, it will never bother me that I'm in Central European Time, until I started doing this type of analysis. It turns out that not everyone lives in Poland, and not everyone is in CET. Therefore, the information about what time zone was set on a given system can be key in the analysis. What I recommend to you, and this is from the bottom of my heart, is for any analysis that you want to do which should be timelined, which you want to filter by dates, which you want to think about in the course of time: spend those extra two minutes and change all the dates to UTC. Shift them back an hour or two from our CET or CEST, depending on whether we have summer time or not. Add a few hours if you have data from the US, but damn, have it in one timezone. Without it, you will start to get such nonsense from these analyses that it will not fit in your head. And this is also very important in terms of working with someone from another timezone. Because if I open a ticket for him in the future, saying something is not working here... Hence the timezone. I'm aware of it, but I still think it's a physical location.

And now we're moving on to my example, which I announced a little earlier, which is network history. And now, information about which Wi-Fi networks the user was connected to, and when, is that interesting or not? But it is interesting for me because I have a nice example from my work. Of course, I can't tell you too much about who and what I was doing, but in this particular case, it is more or less about the fact that we had a user who was suspected of deleting data on the same day when we were doing our work. He was on a business trip, so it was hard to catch him on the spot, it was hard to take this laptop from him. There was a suspicion that due to the surrounding circumstances, i.e. we took the computers from his friends, they could call him because their phones were private, we had a suspicion that something could have happened there. Of course, soon after we got the computer, it turned out that half of the disk was wiped, CCleaner was installed, and we thought: "Great!" But what we managed to pull out, which was very interesting for us, was something that allowed us to counter what he said about his business trip. He said something like this: "I was in Poznań and as soon as I heard that I had to bring my computer, I finished talking to a client, or I finished meeting my friends, or I drank coffee, and I got in the car and came to you, this is my computer." Well, when we looked at network locations, it turned out that the last network that this computer connected to was, I don't know, company, company, zoo, Wi-Fi. It's not particularly surprising, assuming that he worked for this company. What was surprising was that this connection took place between when he said "Hey, hey, I'm on my way" and when he brought us the computer. What did it eventually lead to? It turned out, well, as I mentioned, he had a lot of colleagues in the company, someone could call him, not only call, but also help him delete data. The working theory is that this specific user drank coffee, got into a car and came to Warsaw.
But the first place he went to was the company's office. A friend from IT was waiting for him there and said: "Look, they're digging something up there. Let's look at your computer. What would you like to remove here?" They removed it, launched CCleaner, and brought the computer to us. It was trivial, but useful. Now, back to my example, the fact that I connected to the Premium 100 network before the presentation.

Can't I just format the computer, replace the disks, and install a new system? Don't you think it would be too much? You wouldn't find anything, and would it have to provide proof? Can't we reinstall the system? I wanted to ask about BitLocker. For example, if you had just put BitLocker or something else on your system, like TrueCrypt, and you encrypted the disk. I mean, if they came and said: "Hey, something just popped up, some current, I clicked, it started, and since then I've encrypted the disk, I don't know the password." That's the scenario, right? The password can be forgotten, nobody here... It's not like there's nothing you have to give a password for. You can forget it at any time. It's different in different countries. In Poland, you don't have to remember passwords. That's why it's worth forgetting them.

As a matter of principle... I assume that the approach of most people who want to hide something is the assumption that on the other side there is a bigger or smaller scumbag. Even the smallest bungler, responding to your question, will notice that the system has been reinstalled. Now you need a smaller bungler, a better analyst, to notice that something was wiped. Of course, it's not difficult, let's not kid ourselves. What if I have an encrypted disk and I don't want to give the password? I wanted to answer this second, so as not to leave unanswered questions. An encrypted disk, in principle, I won't surprise you, but no one has broken AES yet. If we don't have a key that would unlock it, we probably won't get to this disk. I have a question. Has anyone tried to make a disk cipher with a ransomware interface? So the services come in, take your disk, I mean, they take your computer, they turn it on, and it says that it's ransomware, pay this much in bitcoin and then we decrypt it, and you actually know this key. A switch, I mean, security. I mean, a dead man's switch, I know what you're getting at. A dead man's switch with a built-in lawyer. I haven't encountered anything like that, but for example, the interesting thing is that I don't know if you remember NotPetya, Pirazoko last year, Ukrainian companies, encrypted and so on. What's interesting in this story, and I see that I have to speed up slowly, so I'll try to answer quickly, what is interesting in this story is that at some point the representative of the Treasury Office in Ukraine said: "You know what, we understand how much impact it has on your work that you have disks encrypted by NotPetya, so we will postpone the tax settlement period for a few months, until you get your IT systems running again." And you know what happened? People started to get infected with NotPetya to file tax declarations later. And to finish the BitLocker topic, as a rule, BitLocker has a lot of built-in mechanisms that protect you from forgetting a password. For example, when you BitLock a disk, it tells you: "Here is your recovery key. I'll display it to you once and only once, and you have to hide it in a safe place." You know what I did? I saved it on a pendrive, then
I lost it, usually. But in corporate systems, the recovery key is immediately transferred to the Active Directory. If it is configured like this, it immediately goes to the Active Directory. For example, there were situations where I received a computer I open it, I see BitLocker, oops, I go back to the client and say "Hey, listen, BitLocker" He says "Listen, we'll call Rysiek from IT and he'll give you all the keys" Yes, going back, a bit faster, cookies, everyone expects that cookies are tracking him This is a very bad case, in a moment I'll tell you about a special case of cookies EventLock will be here in various contexts Windows Event Log is the best system
log I've analyzed and the worst one. It has the advantage that it has all the timestamps, which is not obvious for Syslog in Linux. For some reason, we don't need a year there, for example. So sometimes events happen that are which, when sorted, are all from April, but one is from April 2017, the other is from April 2018. How to solve it? Diabli knows. I try to find, for example, a pro tip, that I usually try to find the last synchronization with MTP, and somehow arrange it accordingly. That's why it's the best, and why it's the worst? Reading these events and remembering which code is which and what can actually be found in it is some kind of a joke. It's a drama, it's a joke. Moving from XP
to higher systems, event codes have changed. Previously there were three digital ones, now there are four digital ones. Not all have their own equivalents. So if someone has learned then, let them learn again. There is a lot of information in there, and it's worth taking it into account in your analyses. There are tools that work well with CSVs, etc. - I'll tell you more about that at the end. System Resource User Monitor returns, browser search term - sometimes what we type at the top is removed. File Folder Opening - let's skip it, because it's the same thing. Office stores the recent file. It's a curiosity, it does it separately. And here are my favorites, so I should
go back to them. What's cool is ShellBucks. ShellBucks is an interesting example of a mechanism that works for our profit. ShellBucks works in such a way that, I don't know if you noticed, when you open a specific catalog, it usually appears in the same area of the screen as it was before. ShellBucks takes care of that. What's cool is that it does it every time we change the catalog. So, I open my computer, a shellback appears in the system. I open C, a new shellback appears in the system. C, Windows, a new shellback opens, which allows us to rebuild the paths that used to be on the system. There is a problem with timestamps, but besides that, it's a great place worth looking at and few people know about
it. The links, and specifically the jump lists, The shortcuts in the Windows system are nice, there is a lot of information, for example a copy of all metadata related to the dates of a given file. What is perhaps more interesting is the jump list. The jump lists are related to the functionality that when you have Excel on the start bar, or on the task bar, If you click on this arrow, you can see the last Excel spreadsheets I've edited. It's saved in jump lists. There are all the dates. Fun fact: Microsoft has become a bit lazy and decided not to invent a new format for jump lists. Let's make one that we have. So they used shortcut files. Jump list is a shortcut file on steroids
with all the consequences. And with one particularly funny one. All the dates that the system copies from the file system to the jump list at the very beginning, will never change. Which leads to very funny timelines sometimes. But it's worth knowing about it, because it used to bother me a lot in analysis. Prefetch, Office and Docs. Aha! What's even cooler in jump lists is that if I opened the txt file with notepad, and then notepad++, and then something else, there will be three jump lists connected to all three applications and a completely different collection of data. So you can browse the history of files if you are very undecided about which tools you want to use. Account usage - here we will have a lot to
do with event log, 4624, 4634 - these are event IDs that are always worth remembering, because it is logging and logging out. There are more event IDs like this, I will not discuss them all in order. What is interesting is the consequences of this mechanism of operating on the registry, which I mentioned earlier. If we wonder when the user logged out the last time, it will probably be the last written data of the NTUserData file, i.e. the register branch that is responsible for setting a specific user. If we wonder when the user was created, it will probably be the file created NTUserData. These are two quick dates that can be drawn in a few minutes, and
sometimes they can be very colorful on the timeline. There are a myriad of logins. Remote logging through RDEP is completely different from logging on a computer. Unlocking is another type of logging. Unlocking a computer, as I'm unlocking it here, is also logging according to the system, but just a different type. There are a lot of examples like this. In fact, most of what you will see is a network, batch, Windows service for services, credentials used to unlock, network logon sending credentials, and RDEP. In such AD corporates you will often see cached, because this is a case when you could not reach out to the AD. How to study RDEP? In the sense of Remote Desktop Protocol? It is probably worth looking
at event logs. The same is true for services, they are also turned on and off in the storm accompaniment. event storm, authentication, success/fail locks, I've already mentioned that. OK, to speed things up. What I'd like you to take away from this slide is the fact that when it comes to USBs, connected devices, there are billions of places where you can find this information. When we take it to the store, it turns out that we have quite detailed information about whether a given user used external memory. What's more, we can try to add a letter to the external memory and then, by looking at all the artifacts from the "file use and knowledge" category, we can determine whether there were any files that interested
us and whether they were opened from this pendrive. One of my favorite and surprisingly often appearing scenarios is when someone says: "Me? I didn't take any data!" No, I gave the computer to IT and then I stopped using it. It turns out that very often in these cases we see that the pendrive was connected before the computer was given away, or the camera to avoid the LPG, then something was copied, but we don't see it because it's not in the artifacts, unless Windows Timeline will help us someday. And then someone said: "Damn, did I copy what I wanted and double-click what was on the external device?" As I said before, it displays information in jump lists or in recent
docs. You can multiply examples. What I'm going to do is... It's great to see that it didn't copy the data. Okay, it turns out that the computer wants to prove that it can't... Okay, sorry. Browser... This is the interesting cookie I was going to talk about. Google Analytics... Damn, this is the one that follows us. I've been playing with marketing lately, trying to figure out what it's all about. I'm starting to like Google Analytics, but not as a cookie receiver. What's interesting about them is that it's not like Google Analytics sets one cookie for us. In most cases, it sets three. I will look at the list: UTMA, UTMB, UTMZ. Each of them contains a lot of
information about how many times we visited a given showcase. Or how much time we spent in a given showcase. In the context of later analysis, these Google Analytics Cookies are Very cool. Okay, I'm finishing this poster. But not to leave you in such a situation that "Jesus, there was a lot of it, I didn't remember anything", I would also like to mention something about tools that automate all this, collect it, allow themselves to somehow handle it. I'm putting Axiom here out of a chronicler's obligation, but it's not a free tool. I just think it's very good. They will notice that there is no n-case, because I don't consider it n-case, even though it is considered the best on the
market. With this short introduction commercial tools disappear, all the rest are free. PLASO is a great tool for creating timelines, which I already mentioned. When we want to analyze something, it is usually worth to pass this image through PLASO, just to have such a golden source of information. PLASO is open source, it is very often updated by various analysts around the world, so there are very often things that appear before they get to commercial solutions. On the other hand, it is open source, so sometimes there are things that are not in commercial solutions, you probably expect that. Regripper is a Swiss Army Knife for parsing a registry. If you want to pull anything from a registry, don't bother with it manually. Open Regripper and it
will produce a medium-readable but very informative report that will be everything about everything. I already mentioned Autopsy. Autopsy is a cover for an old Linux tool called DeathLootKit. DestludeKit has been with us since the 90s. It is a great open source tool for digital forensics. It is worth noting that there are often exotic things there. For example, XFS analysis. I don't know if I would be tempted to launch Axiom on it. I might not even understand it. And DestludeKit usually boasts because it is Linux itself, so XFS is not a novelty for it. Sift is not really a tool, it's a virtual tool, a Kali for forensics, issued by Sansa. Skadi is a collection of tools. I don't know
if you noticed, but lately, if something is from the security area, then there must be Elasticsearch. Skadi is an Elasticsearch for digital forensics. It's a collection of tools that is not really digital forensics, but a bit of trial. It's a central VM that has Elasticsearch and Timesketch. Timesketch is a very good tool for building timelines, plus it cuts most of the formats and files that we can encounter, for example, PLASO timelines. but also SCADI allows to receive reports from agents installed in various areas of the organization. So if we want to do a quick research, we send it to a computer where we want to check one exec with the SCADI address and soon we have something to analyze in SCADI. I hope I made myself in
time. There should also be questions, but we have only half a minute for them. I will answer the quick question and the rest in the backstage. I mean, I have already taken over the microphone, so unfortunately, a quick question is rather not. For sure, Mariusz, you will catch up in the backstage, you will probably not let him go. You will be at dinner, so there will be a chance for you a little more. Here you go, diploma. Thank you very much. Thank you very much.
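As an added example tied to the account-usage part of the talk (4624/4634 and the logon types listed there), not code from the speaker: pairing logons with logoffs by Logon ID and labelling each session with its logon type. The event dictionaries and their field names are a constructed stand-in for parsed Security-log records, and the sample data is invented.

```python
from datetime import datetime

# EventID 4624 LogonType values (Windows Security log), labelled with the categories the talk lists.
LOGON_TYPES = {
    2: "Interactive (console)",
    3: "Network (e.g. SMB share access)",
    4: "Batch (scheduled task)",
    5: "Service",
    7: "Unlock (workstation unlock)",
    8: "NetworkCleartext",
    9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (RDP)",
    11: "CachedInteractive (AD unreachable, cached creds)",
}

# Constructed sample events (not real log data): only the fields this example needs.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2018-04-10T08:01:12", "LogonId": "0x3e7a1", "LogonType": 2, "User": "jkowalski"},
    {"EventID": 4624, "Time": "2018-04-10T08:20:05", "LogonId": "0x4102c", "LogonType": 3, "User": "svc_backup"},
    {"EventID": 4634, "Time": "2018-04-10T08:20:07", "LogonId": "0x4102c"},
    {"EventID": 4624, "Time": "2018-04-10T12:30:00", "LogonId": "0x5a3f0", "LogonType": 7, "User": "jkowalski"},
    {"EventID": 4624, "Time": "2018-04-10T21:45:33", "LogonId": "0x6bb19", "LogonType": 10, "User": "jkowalski"},
    {"EventID": 4634, "Time": "2018-04-10T22:10:01", "LogonId": "0x6bb19"},
    {"EventID": 4634, "Time": "2018-04-10T23:59:59", "LogonId": "0x3e7a1"},
]

def _session(start, end_time):
    """Build one timeline row from a 4624 event and the time of its 4634 (or None if still open)."""
    t0 = datetime.fromisoformat(start["Time"])
    t1 = datetime.fromisoformat(end_time) if end_time else None
    return {"user": start["User"], "logon_id": start["LogonId"],
            "type": LOGON_TYPES.get(start["LogonType"], f"Unknown ({start['LogonType']})"),
            "start": t0, "end": t1,
            "duration_min": round((t1 - t0).total_seconds() / 60, 1) if t1 else None}

def build_sessions(events):
    """Pair each 4624 with the 4634 carrying the same LogonId; a logon whose logoff is
    missing (user still logged on, or the log rolled over) is returned as an open session."""
    open_logons, sessions = {}, []
    for ev in sorted(events, key=lambda e: e["Time"]):  # ISO-8601 strings sort chronologically
        if ev["EventID"] == 4624:
            open_logons[ev["LogonId"]] = ev
        elif ev["EventID"] == 4634 and ev["LogonId"] in open_logons:
            sessions.append(_session(open_logons.pop(ev["LogonId"]), ev["Time"]))
    sessions.extend(_session(ev, None) for ev in open_logons.values())
    return sorted(sessions, key=lambda s: s["start"])

if __name__ == "__main__":
    for s in build_sessions(SAMPLE_EVENTS):
        print(s["start"], s["user"], s["type"], s["end"] or "still open", s["duration_min"])
```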
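As an added example for the Google Analytics cookies the talk mentions (__utma, __utmb, __utmz), not code from the speaker: decoding the visit counts and epoch timestamps those cookies carry, which is what makes them useful on a timeline. The cookie values below are constructed, and the field layout follows the classic (ga.js) cookie format.

```python
from datetime import datetime, timezone

def _utc(ts):
    """Google Analytics stores Unix epoch seconds; render them as UTC datetimes."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc)

def parse_utma(value):
    """__utma: domainhash.visitorid.firstvisit.previousvisit.currentvisit.visitcount"""
    h, vid, first, prev, cur, count = value.split(".")
    return {"domain_hash": h, "visitor_id": vid, "first_visit": _utc(first),
            "previous_visit": _utc(prev), "current_visit": _utc(cur), "visit_count": int(count)}

def parse_utmb(value):
    """__utmb: domainhash.pageviews.outboundclicks.sessionstart"""
    h, pages, _clicks, start = value.split(".")
    return {"domain_hash": h, "pageviews": int(pages), "session_start": _utc(start)}

def parse_utmz(value):
    """__utmz: domainhash.timestamp.sessions.campaigns.utmcsr=..|utmccn=..|utmcmd=..
    The campaign part may itself contain dots (a referrer domain), hence maxsplit=4."""
    h, ts, sessions, campaigns, campaign = value.split(".", 4)
    fields = dict(kv.split("=", 1) for kv in campaign.split("|") if "=" in kv)
    return {"domain_hash": h, "set_at": _utc(ts), "sessions": int(sessions),
            "campaign_count": int(campaigns), "source": fields.get("utmcsr"),
            "medium": fields.get("utmcmd"), "campaign": fields.get("utmccn"), "term": fields.get("utmctr")}

PARSERS = {"__utma": parse_utma, "__utmb": parse_utmb, "__utmz": parse_utmz}

def parse_ga_cookies(cookie_string):
    """Pick the three GA cookies out of a 'name=value; name=value' string and decode them."""
    decoded = {}
    for item in cookie_string.split(";"):
        name, _, value = item.strip().partition("=")
        if name in PARSERS:
            decoded[name] = PARSERS[name](value)
    return decoded

# Constructed sample values (not taken from a real browser profile).
SAMPLE_COOKIES = ("__utma=173272373.1234567890.1520000000.1523000000.1523600000.7; "
                  "__utmb=173272373.3.10.1523600000; "
                  "__utmz=173272373.1523600000.7.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not provided)")

if __name__ == "__main__":
    for name, info in parse_ga_cookies(SAMPLE_COOKIES).items():
        print(name, info)
```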