🪟 Windows Evidence Collection

Created: 12.10.2020

Stacking - outlier analysis based on frequency.

File Systems

FAT12, FAT32, FAT64 (exFAT), NTFS, ReFS.

Logical Backup - does not copy everything: slack space, free (unallocated) space and deleted files are skipped. Imaging - bit-by-bit copy of the whole drive. It should not be done on a live system!

Write Block

Windows Software Write Blocker. Basically, one can do this manually by changing a value in the registry.

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies (create the key if it does not exist), set the WriteProtect DWORD to 1; storage devices mounted after the change are set to read-only mode, preventing any data from being written to them.

Collection Checklist

The order in which the evidence is to be collected on a Windows system:

  1. Volatile data
  2. File slack. File slack is the unused space at the end of a file's last cluster; it can hold remnants of previously deleted or overwritten files and so may carry evidence of past activity.
  3. Registry
  4. Memory dumps
  5. File system
  6. System state backup
  7. Internet traces
  • Ensure the target media (evidence drive) is sterilised (ref. Identification/Assessment stage above).
  • Turn the machine off (better to unplug it, to prevent data from being overwritten).
  • Attach the write blocker and the evidence drive.
  • Connect the external HDD or SSD through the write blocker (if it is hardware-based).
  • Launch a forensic distribution (for example, Paladin) and make an image of the local HDD, or use the original OS with all remote connectivity (Bluetooth, AirDrop, WiFi, cellular etc.) disabled and a software-based write blocker on (if no hardware blocker is used).

📘 BTFM

Kansa

Get-NetConnectionProfile # check the current network profile of each interface
Set-NetConnectionProfile -InterfaceIndex X -NetworkCategory private # requires admin; WinRM (which Kansa uses) will not enable remoting while the profile is Public

.\kansa.ps1 -Pushbin -Target localhost -Credential username -Authentication Negotiate

❗️ On macOS Parallels 18 with Windows 11 running as a VM, you would need to set a password for the user first, so that it can be entered in the credential prompt.

Select-String "something" *.csv # search for something keyword in all csv files in the current directory

Autoruns

autorunsc.exe /accepteula -a * -c -h -s '*' -nobanner

  • a - all artefact types (boot execute, AppInit DLLs, Explorer add-ons, sidebar gadgets, image hijacks, IE add-ons, known DLLs, logon startups, WMI, Office add-ons, print monitor DLLs, LSA security providers, autostart services and non-disabled drivers, Winlogon entries, scheduled tasks, Winsock protocol and network providers)
  • c - CSV output
  • h - hashes
  • s - verify digital signatures
  • '*' - all user profiles

Kansa

If the -Analysis option is given when collecting data, Kansa generates analysis files after the collection from the remote hosts. This script pulls the frequency of autoruns keyed on the (ImagePath, LaunchString, MD5) tuple, restricted to entries whose publisher is not verified: Get-ASEPImagePathLaunchStringMD5UnsignedStack.ps1 (https://github.com/davehull/Kansa/blob/master/Analysis/asep/Get-ASEPImagePathLaunchStringMD5UnsignedStack.ps1). Here is the most crucial part of the script, its heart ❤️:

SELECT
    COUNT(ImagePath, LaunchString, MD5) as ct,
    ImagePath, LaunchString, MD5, Publisher
FROM
    *autorunsc.csv
WHERE
    Publisher not like '(Verified)%' and (ImagePath not like 'File not found%')
GROUP BY
    ImagePath, LaunchString, MD5, Publisher
ORDER BY
    ct ASC

The script runs this SQL statement through logparser.exe (located via Get-Command) to perform the frequency analysis.

In words: select the columns ImagePath, LaunchString, MD5 and Publisher from all CSV files whose names end with autorunsc.csv. Treat (ImagePath, LaunchString, MD5) as the identifier, discard rows whose Publisher starts with (Verified) and rows whose ImagePath starts with File not found, count the occurrences of each identifier into the ct column, group by ImagePath, LaunchString, MD5, Publisher and sort ascending, so the rarest autoruns across the fleet come first.
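The same stacking logic as an added Python example (not Kansa's own code and not the LogParser query above): it applies the query's filter, grouping and ascending sort to constructed, made-up autorunsc rows from three hosts so that the entry seen on only one host surfaces at the top.

```python
import csv
import io
from collections import Counter

# Constructed sample input (made-up values): one autorunsc CSV per host, with
# the column names the Kansa query references.
SAMPLE_FILES = {
    "HOST1-autorunsc.csv": (
        "PSComputerName,ImagePath,LaunchString,MD5,Publisher\n"
        "HOST1,c:\\windows\\system32\\svchost.exe,svchost.exe -k netsvcs,00aa,(Verified) Microsoft Windows\n"
        "HOST1,c:\\program files\\acme\\agent.exe,agent.exe /svc,11bb,(Not verified) Acme Ltd\n"
        "HOST1,File not found: c:\\temp\\gone.exe,gone.exe,,\n"
    ),
    "HOST2-autorunsc.csv": (
        "PSComputerName,ImagePath,LaunchString,MD5,Publisher\n"
        "HOST2,c:\\program files\\acme\\agent.exe,agent.exe /svc,11bb,(Not verified) Acme Ltd\n"
        "HOST2,c:\\users\\bob\\appdata\\roaming\\updater.exe,updater.exe /s,22cc,(Not verified) Unknown\n"
    ),
    "HOST3-autorunsc.csv": (
        "PSComputerName,ImagePath,LaunchString,MD5,Publisher\n"
        "HOST3,c:\\program files\\acme\\agent.exe,agent.exe /svc,11bb,(Not verified) Acme Ltd\n"
    ),
}

KEY = ("ImagePath", "LaunchString", "MD5", "Publisher")  # GROUP BY columns

def keep_row(row):
    """WHERE clause: drop verified publishers and dangling 'File not found' paths."""
    publisher = (row.get("Publisher") or "").lower()
    image_path = (row.get("ImagePath") or "").lower()
    return not publisher.startswith("(verified)") and not image_path.startswith("file not found")

def stack_unsigned(csv_files):
    """Return [(key, ct), ...] with ct ascending, so the rarest entries come first.
    ct is rows per key: the number of hosts when each host contributed one file."""
    counts = Counter()
    for name, text in csv_files.items():
        if not name.endswith("autorunsc.csv"):  # FROM *autorunsc.csv
            continue
        for row in csv.DictReader(io.StringIO(text)):
            if keep_row(row):
                counts[tuple(row[k] for k in KEY)] += 1
    # ORDER BY ct ASC; the key is a tie-break so the output order is deterministic
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))

if __name__ == "__main__":
    for key, ct in stack_unsigned(SAMPLE_FILES):
        print(ct, *key, sep="  ")
```

On the sample, the agent present on all three hosts gets ct = 3 and the updater seen on one host gets ct = 1 and is listed first.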

KAPE

Provides the ability to extract artefacts from mounted drives (be it an image, a drive over the network or a local drive). Here are the files/folders it pulls: https://ericzimmerman.github.io/KapeDocs/#!Pages%5C2.1-Targets.md.

RAM

…force a crash and subsequently produce a memory dump as a mechanism for collecting volatile data. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 165). BCS Learning & Development Limited. Kindle Edition.

dd if=\\.\PhysicalMemory of=memory.img conv=noerror # requires elevated privileges; conv=noerror keeps going past unreadable pages

Note that user-mode access to \\.\PhysicalMemory is blocked on modern Windows versions, so a memory imager with its own kernel driver is needed there.
