For OneDrive the most useful artifacts are stored locally. If you get access to the account online, you may also see the deleted items and their versions. C:\Users\%Username%\AppData\Local\Microsoft\OneDrive\logs contains the folders Personal and Common. Neither has anything of particular interest, but they may be an indicator that the software was used.
⚠️ The Business version of OneDrive adds a few lines of code to the start of every document, so MD5 hashes will differ from the original file.
🦠 Malware Analysis
Reversing malware is a complex topic and is beyond the scope of this article. If you are interested in reversing techniques, refer to the Reverse section of this website. However, to reverse engineer something, one first needs to get that something. And to “catch” the malware, one needs to find it. To find it, one needs to know where to look. This article is to aid in that. I will also look into what evidence can be obtained from the malware.
System Information
Windows
Installed programs and applications
Key: Microsoft\Windows\CurrentVersion\Uninstall. There can be data for programs that no longer exist on the system. The last write time of a subkey is when the application was installed.
Key: Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore for installed Microsoft applications. Distinguishes between those installed for a specific user and those installed system-wide.
Key: Wow6432Node (SYSTEM hive root node) - programs that run in 32-bit mode. Separate sub-keys for different versions of a program.
Network Traffic
Collection
Most devices keep some logs. The ones relevant to network-related investigations are switches, routers, firewalls, IDS and IPS, web proxies, DC and authentication servers, DHCP servers and application servers.
SIEMs are log aggregators. When configured correctly, all logs and events from all systems in the enterprise flow to a centralised repository where they can then be analysed. Some SIEMs also baseline what is normal and flag what is not. However, they are quite costly 💰.
OSINT Techniques
This is all about searching for information that is publicly available.
💬 Notifications
Windows
Toast notifications on Windows 10:
C:\Users\%Username%\AppData\Local\Microsoft\Windows\Notifications contains wpndatabase.db and appdb.dat. Both can be opened with SQLite Browser.
Calendars
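As an added example (not code from the original article), this Python script shows how the Windows toast notification database wpndatabase.db described above can be queried programmatically instead of through a SQLite browser: it joins each notification to the app that raised it, converts the FILETIME timestamps, and pulls the visible text out of the toast XML payload. The Notification/NotificationHandler table and column names are assumptions about the database layout, and the in-memory sample rows are constructed.

```python
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_iso(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO-8601 string."""
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).isoformat()

def toast_text(payload):
    """Return the visible <text> lines of a toast XML payload ([] if it is not XML)."""
    try:
        root = ET.fromstring(payload)
    except (ET.ParseError, ValueError):
        return []
    return [t.text for t in root.iter("text") if t.text]

def extract_notifications(conn):
    """Join each Notification row to its handler (the sending app) and decode it."""
    sql = """SELECT h.PrimaryId, n.Type, n.ArrivalTime, n.ExpiryTime, n.Payload
             FROM Notification n JOIN NotificationHandler h ON n.HandlerId = h.RecordId
             ORDER BY n.ArrivalTime"""
    rows = []
    for app, ntype, arrived, expires, payload in conn.execute(sql):
        text = payload.decode("utf-8", "replace") if isinstance(payload, bytes) else payload
        rows.append({"app": app, "type": ntype, "arrived": filetime_to_iso(arrived),
                     "expires": filetime_to_iso(expires), "text": toast_text(text)})
    return rows

def build_sample_db():
    """Constructed in-memory stand-in for wpndatabase.db (sample data, not a real capture).
    Table/column names are assumptions; verify them against the real file first."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE NotificationHandler (RecordId INTEGER PRIMARY KEY, PrimaryId TEXT);
        CREATE TABLE Notification (Id INTEGER PRIMARY KEY, HandlerId INTEGER, Type TEXT,
                                   Payload BLOB, ArrivalTime INTEGER, ExpiryTime INTEGER);
        INSERT INTO NotificationHandler VALUES (1, 'Microsoft.Windows.Explorer');
    """)
    toast = (b"<toast><visual><binding template='ToastGeneric'>"
             b"<text>USB drive inserted</text><text>Removable Disk (E:)</text>"
             b"</binding></visual></toast>")
    # 132223104000000000 is 2020-01-01T00:00:00 UTC as a FILETIME; expiry is one hour later
    conn.execute("INSERT INTO Notification VALUES (1, 1, 'toast', ?, ?, ?)",
                 (toast, 132223104000000000, 132223140000000000))
    return conn
```

Point `sqlite3.connect()` at a copy of the real wpndatabase.db (never the live file) and call `extract_notifications()` on it to get a timeline of which app raised which toast and when.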
🗣️ Voice Assistants
Windows
Cortana is a great source of information.
C:\Users\%Username%\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\ESEDatabase_CortanaCoreInstance\CortanaCoreDb.db contains user locations, reminders etc. Use a SQLite browser to see the contents, or export to csv and work in Excel.
🛡️ Defence Mechanisms
In this section, I will collect different defence mechanisms, bypass techniques and possible artefacts to look out for.
Misc
User Statistics
This is about … .