Stacking - outlier analysis based on frequency: count how often an artefact (e.g. an autorun entry) occurs across the fleet and look at the rarest ones first.
File Systems
FAT12, FAT32, exFAT (also called FAT64), NTFS, ReFS.
Logical backup - copies files only; it does not capture slack space, unallocated (free) space or deleted files. Imaging - bit-by-bit copy of the whole medium, including slack and unallocated space. It should not be taken from a live system: the data keeps changing underneath the copy, so image the powered-off disk through a write blocker.
Write Block
Windows software write blocker. This can be done manually by changing a value in the registry under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
Setting the WriteProtect DWORD under this key to 1 puts USB mass-storage devices attached afterwards into read-only mode, so nothing can be written to them. The key is usually absent on a default install and has to be created first; set the value back to 0 when the acquisition is done. Note that this only covers USB storage (not internal SATA/NVMe disks or network shares), so a hardware blocker is still preferred for evidence media.
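As an added example (not from the original notes), the same registry change done from an elevated PowerShell session, with a read-back check before any evidence media is attached. The function names are mine, and the drive letter used in the device-side check is an assumption:

```powershell
# Added example, not from the original notes. Run from an elevated PowerShell prompt.
# WriteProtect=1 under StorageDevicePolicies makes USB mass-storage devices attached
# from now on read-only; it does not protect internal disks, and it is not a
# substitute for a hardware write blocker.
$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Set-UsbWriteProtect {
    # 1 = block writes, 0 = allow writes (restore this when the acquisition is done)
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if (-not (Test-Path $PolicyKey)) {
        # The key is absent on a default install; create it first.
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name 'WriteProtect' -Value $Value -Type DWord
}

function Get-UsbWriteProtect {
    # Returns the effective value: a missing key or value means "not protected" (0).
    if (-not (Test-Path $PolicyKey)) { return 0 }
    $p = Get-ItemProperty -Path $PolicyKey -Name 'WriteProtect' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return [int]$p.WriteProtect
}

function Test-UsbWriteBlock {
    # Prove the block from the device side using a SACRIFICIAL stick, never the evidence
    # drive. $DriveLetter is an assumption; use whatever letter Windows assigns.
    param([string]$DriveLetter = 'E')
    $probe = "${DriveLetter}:\write-block-probe.txt"
    try {
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        return $false   # the write went through: NOT blocked
    } catch {
        return $true    # expected: "The media is write protected."
    }
}

# Enable, verify in the registry, and only then attach the device.
Set-UsbWriteProtect -Value 1
if ((Get-UsbWriteProtect) -ne 1) { throw 'WriteProtect is not 1; do not attach evidence media.' }
"USB WriteProtect = $(Get-UsbWriteProtect)"
# After plugging in a test stick:  Test-UsbWriteBlock -DriveLetter 'E'   # expect True
```

Change the value before the device is plugged in, test it with a throw-away stick rather than the evidence drive, and run Set-UsbWriteProtect -Value 0 afterwards so the workstation is not left in a state where every USB stick is read-only.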
Collection Checklist
The order in which the evidence is to be collected on a Windows system:
- Volatile data
- file slack. File slack refers to the unused space in a file cluster that can contain remnants of previously deleted or overwritten files. This space may contain valuable evidence of past activities.
- registry
- memory dumps
- file system
- system state backup
- internet traces
- Ensure the target media (evidence drive) is sterilised (ref. Identification/Assessment stage above).
- Turn the machine off. Pulling the plug rather than doing a clean shutdown prevents shutdown scripts from overwriting data, but it also loses volatile data, so capture memory first if it is needed.
- Attach the write blocker and the evidence drive.
- Connect the external HDD or SSD through the write blocker (if it's hardware-based).
- Boot a forensic distribution (for example, Paladin) and image the local HDD. Alternatively, boot the original OS with all remote-access and radio features (Bluetooth, AirDrop, Wi-Fi, cellular, etc.) disabled and a software write blocker enabled (if no hardware blocker is used).
BTFM
Kansa
Get-NetConnectionProfile # check the network category first: PowerShell remoting (which Kansa relies on) cannot be enabled while the profile is Public
Set-NetConnectionProfile -InterfaceIndex X -NetworkCategory Private # requires admin; X is the InterfaceIndex from the previous command
.\kansa.ps1 -Pushbin -Target localhost -Credential username -Authentication Negotiate
Note: On macOS Parallels 18 with Windows 11 running as a VM, you need to set a password for the user first so that you can provide it at the credential prompt.
Select-String "something" *.csv # search for something keyword in all csv files in the current directory
Autoruns
autorunsc.exe /accepteula -a * -c -h -s '*' -nobanner
-a * : all artefact categories (boot execute, AppInit DLLs, Explorer add-ons, sidebar gadgets, image hijacks, IE add-ons, known DLLs, logon startups, WMI, Office add-ins, print monitor DLLs, LSA security providers, autostart services and non-disabled drivers, Winlogon entries, scheduled tasks, Winsock protocol and network providers)
-c : CSV output
-h : file hashes
-s : verify digital signatures
'*' : all user profiles
Kansa
If the -Analysis option is provided when collecting data, Kansa generates analysis files once the collection from the remote hosts has finished. One of those scripts pulls the frequency of autoruns by the (ImagePath, LaunchString, MD5) tuple for entries whose publisher is not verified: Get-ASEPImagePathLaunchStringMD5UnsignedStack.ps1
https://github.com/davehull/Kansa/blob/master/Analysis/asep/Get-ASEPImagePathLaunchStringMD5UnsignedStack.ps1. Here is the most crucial part of the script, its heart:
SELECT
COUNT(ImagePath, LaunchString, MD5) as ct,
ImagePath,LaunchString,MD5,Publisher
FROM
*autorunsc.csv
WHERE
Publisher not like '(Verified)%' and (ImagePath not like 'File not found%')
GROUP BY
ImagePath, LaunchString, MD5, Publisher
ORDER BY
ct ASC
The script first checks that logparser.exe is available (Get-Command logparser.exe) and then runs the SQL statement above through LogParser: select the columns ImagePath, LaunchString, MD5 and Publisher from every CSV file whose name ends with autorunsc.csv; discard rows whose Publisher starts with (Verified) and rows whose ImagePath starts with File not found; treat (ImagePath, LaunchString, MD5) as the unique identifier, count its occurrences into the ct column, group by ImagePath, LaunchString, MD5, Publisher and sort ascending. The rarest entries, the ones most likely to be outliers, therefore come out on top.
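The same least-frequency stack, as an added example that is not Kansa's own code: it reproduces the LogParser query with Import-Csv and Group-Object so it can run on a box without logparser.exe. The column names (ImagePath, LaunchString, MD5, Publisher) follow Kansa's autorunsc output; the hosts, rows and hash values are constructed for the demo and the function names are mine:

```powershell
# Added example, not Kansa's own code: the same least-frequency stack as the LogParser
# query above, implemented with Import-Csv/Group-Object so it needs no logparser.exe.
# Column names (ImagePath, LaunchString, MD5, Publisher) follow Kansa's autorunsc output
# format; every row and hash below is constructed for the demo.
$workdir = Join-Path $env:TEMP 'asep-stack-demo'
New-Item -ItemType Directory -Path $workdir -Force | Out-Null

function New-AsepRow($ImagePath, $LaunchString, $MD5, $Publisher) {
    [pscustomobject]@{ ImagePath = $ImagePath; LaunchString = $LaunchString; MD5 = $MD5; Publisher = $Publisher }
}
$svchost = New-AsepRow 'c:\windows\system32\svchost.exe' 'svchost.exe -k netsvcs' 'a1a1' '(Verified) Microsoft Windows'
$agent   = New-AsepRow 'c:\program files\agent\agent.exe' '"c:\program files\agent\agent.exe" /svc' 'b2b2' '(Not verified) Agent Corp'
$dead    = New-AsepRow 'File not found: c:\old\gone.exe' 'c:\old\gone.exe' '' ''
$odd     = New-AsepRow 'c:\users\bob\appdata\roaming\upd.exe' '"c:\users\bob\appdata\roaming\upd.exe" /s' 'c3c3' '(Not verified)'

# Three hosts: signed svchost everywhere, an unsigned but fleet-wide agent, one dead entry
# on host1, and an unsigned entry that exists only on host3.
$hosts = @{ host1 = @($svchost, $agent, $dead); host2 = @($svchost, $agent); host3 = @($svchost, $agent, $odd) }
foreach ($h in $hosts.Keys) {
    $hosts[$h] | Export-Csv -Path (Join-Path $workdir "$h-Autorunsc.csv") -NoTypeInformation
}

function Get-UnsignedAsepStack {
    # Mirrors the query: drop Verified publishers and "File not found" paths, group on the
    # (ImagePath, LaunchString, MD5, Publisher) tuple, count, and sort rarest first.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Filter '*autorunsc.csv' -File |
        ForEach-Object { Import-Csv -Path $_.FullName } |
        Where-Object { $_.Publisher -notlike '(Verified)*' -and $_.ImagePath -notlike 'File not found*' } |
        Group-Object -Property ImagePath, LaunchString, MD5, Publisher |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                ct           = $_.Count
                ImagePath    = $first.ImagePath
                LaunchString = $first.LaunchString
                MD5          = $first.MD5
                Publisher    = $first.Publisher
            }
        } |
        Sort-Object -Property ct, ImagePath
}

# Expected order: the host3-only upd.exe (ct=1) on top, the fleet-wide agent (ct=3) below;
# svchost (Verified) and the dead entry never appear.
Get-UnsignedAsepStack -Path $workdir | Format-Table -AutoSize
```

As with the LogParser version, ct counts rows rather than hosts, so an entry that appears twice on one machine is counted twice; if your collection CSVs carry a host column (Invoke-Command output, for instance, adds PSComputerName), add it to the tuple and count distinct hosts instead.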
KAPE
Provides the ability to extract artefacts from mounted drives (be it an image, a drive reached over the network or a local drive). Here are the files/folders pulled: https://ericzimmerman.github.io/KapeDocs/#!Pages%5C2.1-Targets.md.
RAM
"…force a crash and subsequently produce a memory dump as a mechanism for collecting volatile data." (Sheward, Mike. Hands-on Incident Response and Digital Forensics, p. 165. BCS Learning & Development Limited. Kindle Edition.)
dd if=\\.\PhysicalMemory of=memory.img conv=noerror # requires elevated privileges.
This is the syntax of the forensic dd port for Windows. Note that since Windows Server 2003 SP1 and Vista user-mode access to \\.\PhysicalMemory is blocked, so on current systems this fails even when elevated; use a memory acquisition tool that ships its own kernel driver instead.