Plan for Windows Forensics
Done items (Udemy course watched, tools installed and used, conclusions written up) are bolded:
- Prefetch
- LNK
- Shellbag
- Memory
Useful commands
Potentially to BTFM or RTFM
net user administrator /active:yes
- activates the built-in Administrator account (alternatively: lusrmgr.msc -> enable the account).
psexec -i -s cmd.exe
- escalates to SYSTEM privileges (interactive shell running as the local SYSTEM account; needs an already elevated prompt).
pwdump7 -d <path_to_protected_file> <where_to_copy>
- copies a locked (protected) file, e.g. a registry hive, to the given location.
Services
Processes running in the background that sometimes have SYSTEM privileges. They may not even be listed in Task Manager, but the Autoruns tool will probably show them.
Types of services:
- WIN32_SHARE_PROCESS - several services run within one shared process (code in a DLL), like svchost.exe
- WIN32_OWN_PROCESS - runs as an independent process (code in an exe)
- KERNEL_DRIVER - loaded into the kernel
sc
- command for managing services on a Windows machine. Example: sc qc "VMware NAT Service" shows that service's configuration.
- the same configuration is stored in the registry under HKLM\SYSTEM\CurrentControlSet\Services\VMware... (to verify)
Networking API
| client | server |
|---|---|
| socket(family, type, protocol). Creates a socket. Returns an ID that is then passed to the other functions. | socket(family, type, protocol). Creates a socket. Returns an ID that is then passed to the other functions. |
| | bind(socket_id). Binds the socket to a specific IP+port. |
| | listen(socket_id). Converts the socket to a passive one; the kernel now accepts connections to it. |
| connect(). TCP handshake ---> | accept(socket_id). Takes the next pending connection request and returns a new socket for that connection. |
| send(). Sends data. | recv(). Receives data. |
| recv(). Receives data. | send(). Sends data. |
| close(). Closes the connection. | close(). Closes the connection. |
Artifacts list
- %SystemRoot%\NTDS\Ntds.dit and %SystemRoot%\System32\Ntds.dit on a domain controller contain lots of information (this is the Active Directory database).
- C:\Windows\System32\Config
  - SAM (local account hive)
Windows Prefetch. Can help in identifying the initial malware infector. Used to speed up the boot process and application startup: Windows records which files and code pages an application touches during its first runs and preloads them on subsequent startups, so each .pf file keeps the executable name, run count, last run time(s) and the list of files it loaded.
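Added example, not part of these notes or of any forensic tool: a parser for the uncompressed Prefetch (.pf) header used by Windows XP/7/8.1, pulling out the executable name, hash, run count, last run time(s) and the loaded-file list. Field offsets follow the public Prefetch format documentation; the sample image is constructed in the script (a fake DROPPER.EXE, not a real capture), and Windows 10 files, which are Xpress-Huffman compressed ("MAM" signature), are rejected rather than decompressed.

```python
import struct
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Per format version: (last-run-time offset, number of timestamps, run-count offset), from the
# public Prefetch format docs (assumption: the Win10 v30 variant with the count at 0xC8 is not handled).
_LAYOUT = {17: (0x78, 1, 0x90), 23: (0x80, 1, 0x98), 26: (0x80, 8, 0xD0), 30: (0x80, 8, 0xD0)}

def filetime_to_dt(ft: int) -> datetime:
    return _EPOCH + timedelta(microseconds=ft // 10)   # FILETIME = 100 ns ticks since 1601-01-01

def dt_to_filetime(dt: datetime) -> int:
    d = dt - _EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_prefetch(data: bytes) -> dict:
    """Pull the timeline-relevant fields out of an uncompressed .pf image."""
    if data[:4] == b"MAM\x04":  # Windows 10+ stores .pf files Xpress-Huffman compressed
        raise ValueError("compressed prefetch file: decompress before parsing")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA" or version not in _LAYOUT:
        raise ValueError(f"unsupported prefetch file (sig={signature!r}, version={version})")
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]  # 60-byte UTF-16 field
    (pf_hash,) = struct.unpack_from("<I", data, 0x4C)                    # the HASH in EXENAME-HASH.pf
    names_off, names_size = struct.unpack_from("<II", data, 0x64)        # filename strings section
    times_off, n_times, count_off = _LAYOUT[version]
    ticks = struct.unpack_from(f"<{n_times}Q", data, times_off)
    (run_count,) = struct.unpack_from("<I", data, count_off)
    names = data[names_off:names_off + names_size].decode("utf-16-le").split("\x00")
    return {"executable": exe_name, "hash": f"{pf_hash:08X}", "run_count": run_count,
            "last_run_times": [filetime_to_dt(t) for t in ticks if t],   # unused slots are 0
            "loaded_files": [n for n in names if n]}

def build_sample_pf() -> bytes:
    """Constructed version-23 (Win7 layout) image used as sample input; not a real capture."""
    names_b = ("\x00".join(["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
                            "\\DEVICE\\HARDDISKVOLUME1\\USERS\\BOB\\DOWNLOADS\\DROPPER.EXE"])
               + "\x00").encode("utf-16-le")
    body_off = 0x54 + 156                  # 84-byte header + 156-byte v23 file-information section
    buf = bytearray(body_off + len(names_b))
    struct.pack_into("<I4s", buf, 0, 23, b"SCCA")
    struct.pack_into("<I", buf, 0x0C, len(buf))
    buf[0x10:0x10 + 22] = "DROPPER.EXE".encode("utf-16-le")
    struct.pack_into("<I", buf, 0x4C, 0x1A2B3C4D)
    struct.pack_into("<II", buf, 0x64, body_off, len(names_b))
    struct.pack_into("<Q", buf, 0x80, dt_to_filetime(datetime(2021, 5, 4, 12, 0, tzinfo=timezone.utc)))
    struct.pack_into("<I", buf, 0x98, 7)
    buf[body_off:] = names_b
    return bytes(buf)
```

On a real Win7 image, read the .pf file in binary mode and pass its bytes to parse_prefetch(); the loaded_files list is where an unexpected DLL or a user-directory executable shows up.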
NetBIOS
File Systems
Main file systems in use are NTFS, and FAT32 for smaller partitions (32 GB max for volumes formatted by Windows).