SANS 3MinMax

Kevin Ripa 101

5 Windows Quick Win Artifacts

Registry

aka. hives: SAM,System,Software,Secrutiy,NTUser
find what: MRU Lists, System searches, Browser typed URLs, USB/Wifi connection, SSIDs, Network connections, Programs/services running at startup, etc.
https://github.com/EricZimmerman -> Registry Explorer.
C:\Windows\system32\config\SAM
popular: OpenSavePidIMRU, RecentDocs, SAM, USBSTOR, AppCompatCache, WordWheelQuery, ComputerName, TimeZoneInformation, CurrentVersion.
Regeditor shows no information of SAM hive, but Registry Explorer shows the information.
Transaction Logs: https://andreafortuna.org/2021/02/06/windows-registry-transaction-logs-in-forensic-analysis/

Jumplists

file, folder user performed historically.
{userFile}\AppData\Roaming\Microsoft\Recent Items\AutomaticDestinations
last folder above need to be input manually.
“{appID}.automaticDestinations-ms” files
jumplist explorer: “jlecmd -f {one-ms file path} “
“jlecmd -f {one-ms file path} –csv {output path}” output as csv.

“.LNK”

{userFile}\AppData\Roaming\Microsoft\Recent Items
files in above folder, are files interacted before.
when date created same as date modified, mean opened once. Otherwise, more than once.
real file has different time stamp, as file above is the shortcut`s timestamp.
when real file deleted, link file still stays.
lecmd -f {linkFilePath} --csv {outPutPath} or -d to directory.

Shellbags

open a folder again, same location, same window size.
{userFile}\AppData\Roaming\Microsoft\Windows\UsrClass.dat
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell
ZM tool: ShellBags Explorer. SBECmd.exe -l --csv {outPutPath}
eg. F: may not be the same USB device, watch meta data to check.

Prefetch

C:\Windows\Prefetch
file name eg. CONHOST.EXE-0C6456FB.pf, MSEDGEWEBVIEW2.EXE-053FE714.pf
ZM tool: pecmd -f {.pf file path}
pecmd -d C:\Windows\Prefetch\ --csv C:\Temp1 -q
WinPrefetchView, www.nirsoft.net

Bigger data

NAS: network attached storage.
RAID: Redundant Array of Independent(Inexpensive) Disks.
RAID 5: maybe the most popular one. One drive lose is acceptable. Recover takes time. Use parity.
synology, QNAP.

Online evidence

https://hunch.ly/
https://www.aircrack-ng.org/ IP not sufficient -> device

image Surface Pro

only 3 ports: Power Interface, USB 3, mini Display.
use USB 3 powered hub.
connect: USB with boot program, hard drive(get image).
UEFI screen. Boot to Paladin OS.
https://sumuri.com/paladin-manual/

log

c:\Windows\System32\winevt\Logs
gkape: https://ericzimmerman.github.io/KapeDocs/#!index.md
EZ tool: Timeline Explorer.
Event Log Explorer. (filter)
logon type: https://learn.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types
Oalerts

lies computer tolds

LNK file: ftk imager can look at master file table(MFT), and show files, which Windows may not. (same file names, but some of them deleted)

Volume Shadow Copy

system->about->system protection
svvadmin list shadows /for=E:
arsenal image mounter
ShadowExplorer

webcache

Browser->Website Data Settings->Current Location.
If you want to see it: 1. show hidden files. 2. (Not) Hide protected operating system files.

Cellphone

Do not turn off.
Different kinds.

password

https://www.grc.com/haystack.htm
cupp: wordlist builder
Password Manager: Dashlane, Lastpass, Keypass, 1Password.

data

Bit: binary digit
Byte: By eight
nibble: 4 bits, one hex.

Forensic resources

Cellebrite.com/en/home; smarterforensics.com/blog/; Mac4n6.com
Thisweekin4n6.com; Aboutdfir.com; sans.org/blog/
blog.elcomsoft.com; Thebinaryhick.blog
https://www.youtube.com/@MagnetForensics1/videos; binaryforay.blogspot.com

Kape

Kroll Artifact Parser & Extractor
target, executable, modules.
GUI version: gkape.

EZViewer

If do not know how to handle a file, it will open in hex.
right bottom, view in hex.

Incorrected conclusion.

MFT entry 2 - Deleted abc.dll -> Cluster 13.
MFT entry 3 - Exists Koala.jpg -> Cluster 13.
Then, MFT entry 3, Koala.jpg deleted, and points to Cluster 14 like abc.xlsx.
wrong conclusion may be: some one hide Koala.jpg as abc.dll in a system directory.
Because Entry and storage space have no relationship between each other.

USB

Vendor, Product Name, Version, and device S/N

Tools

Acquisition tools

Arsenal Image Mounter, FTK Imager, Magnet Acquire, gkape
USB WhiteProtectOFF/ON, Forensic Copy, Magnet RAM Capture

Forensic Suites

BlackLight, IEF - Internet Evidence Finder, IEF Report Viewer
AXIOMProcess, AXIOMExamine, Paraben P2C, Autopsy

Artifact Tools

autorunner, DCode Date, ExifTool GUI, GENA, Hexinator - HEX EDITOR
Highligher, JumpList Explorer, md5summer, PhotoRec GUI
QuickHash - FILE HASHER, ShadowExplorer, ShellBags Explorer
Skype Log View, SRUM_DUMP, Structured Storage Viewer, thumbcache_viewer
thumbs_viewer, Timeline Explorer, win prefetch view, WinHex

Browser Tools

ESEDatabase View, chrome cookies view, FOXTRON History Examiner
mozilla history view, mozilla cache view, hindsight GUI, chrome cache view
Mozilla Cookies, DB Browser for SQLite, browser add ons view
browsing history view, chrome history view, firefox downloads view
flash cookies view, GA Cookie Cruncher, NirLauncher

USB Forensics

USBDevice Forensics, USB Detective, UVCView

Event Log Tools

Event Log Explorer, EVTX_VIEW

Email Tools

NUIX, Kernel OST Viewer, Kernel Outlook PST Viewer

Registry Tools

Registry Explorer, Registry Recon, RegistryViewer
regripper, SAMInside, UserAssist

Guided Hacking

Where to Download New Malware Samples

https://abuse.ch/
https://bazaar.abuse.ch/
https://www.virustotal.com/gui/home/upload
https://www.intezer.com/
https://malpedia.caad.fkie.fraunhofer.de/
https://tria.ge/
https://www.unpac.me/#/

setup VM

https://github.com/mandiant/flare-vm common tools on Windows.
https://www.uwamp.com/en/ light weight PHP server, can change version.
https://www.telerik.com/fiddler Proxy, Find C2, script(own language) reponses.
https://github.com/mandiant/flare-fakenet-ng python script
https://github.com/a0rtega/pafish check what to patch, to make malware do not aware in VM.
https://github.com/d4rksystem/VBoxCloak After this ps script, pafish will find much less VM traits.
https://hex-rays.com/ida-free/
https://github.com/mandiant/flare-ida IDA plugins.
IDA plug: ret-sync.

syscalls

32bit: https://syscalls32.paolostivanin.com/
64bit: https://syscalls64.paolostivanin.com/

malware traffic analysis

https://www.malware-traffic-analysis.net/
infection chains
https://unit42.paloaltonetworks.com/january-wireshark-quiz/
https://unit42.paloaltonetworks.com/wireshark-workshop-videos/

YouHacker

Detect It Easy -> find library .NET
dnspy -> . NET assembly editor
https://pypi.org/project/pydumpck/

Paradies Clipper

when copy and paste BTC address, the malware will change it.
A C2 server to monitor the replacement.
user32.dll -> f: Open/Get/Set/EmptyClipboard

book: Practical Malware Analysis

types

- Backdoor, botnet, downloader, launcher, rootkit, scareware, spam, worm
- persistence mechanism: windows registry

static

hash as a fingerprint.
find strings
detect packed and obfuscated malware
linked library and functions
PE file headers: meta data about the file

Dynamic:

1. source-level, assembly-level debug.
2. kernel, user-mode debug.

Process VS Service:

- A process is an instance of a particular executable (.exe program file) running. 
- A service is a process which runs in the background and does not interact with the desktop

PE: magic number “MZ”

1. PE Header
	metadata information, pointers, and links to address sections in memory. 
2. PE Data Section
	.text stores the actual code of the program
	.data holds the initialized and defined variables
	.bss holds the uninitialized data (declared variables with no assigned values)
	.rdata contains the read-only data
	.edata: contains exportable objects and related table information
	.idata imported objects and related table information
	.reloc image relocation information
	.rsrc links external resources used by the program such as images, icons, embedded binaries, and manifest file, which has all information about program versions, authors, company, and copyright!

AV Evasion:

staged payload.
packer. Packing and Obfuscation.
Binder.
Sandbox evasion. 

Virtual memory:

page virtual memory to the disk to slove: more virtual memory than physical memory allocated.

Tools:

- PEview
- FSG packer
- UPX packer
- Dependency Walker
- Resource Hacker
	To counter: resource section contains another PE executable.
	Use:save the resource as binary data, then analyze.
		click Action>Save resource as binary file.
- downloader
	downloads additional malware
- Regshot
	take a baseline snapshot of the registry

Imports: (MSDN documentation)

- type: networking, service-manipulation, registry-manipulation.

- WS2_32.dll		-> network functionality
- wininet.dll		-> F: InternetOpen, InternetOpenURL	-> connects to Internet
	InternetReadFile, InternetCloseHandle, InternetOpenUrlA, InternetOpenA
- advapi32.dll	-> permissions

- kernel32.dll	-> F: FindFirstFile, FindNextFile	 -> filesystem(modify files)
- kernel32.dll	-> F: CreateProcess, Sleep			 -> backdoors
- kernel32.dll	-> F: CreateFile, WriteFile, WinExec -> write to disk & execute
- kernel32.dll	-> F: LoadResource, FindResource	 -> loads data from resource section 

- CreateFileA, CreateFileMappingA, and MapViewOfFile -> probably opens a file and maps it into memory.
- LoadLibrary, or GetProcAddress -> load DLL and use its function at runtime.

Exports: mostly for DLL

- ServiceMain 	-> malware needs to be installed as a service.
	svchost.exe: a shared-service process that serves as a shell for loading services from DLL files.
- rundll32: can run DLL with exports.

Use of mutex

only one copy of the program is running at a time.

Dynamic analysis…

Before run malware:

- run procmon
- start Process Explorer
- set up virtual network (including ApateDNS, Netcat, Wireshark) #### Run malware:
- In Process Explorer: 
	Handlers: may find Mutant.
	Dlls.
- procmon filter process actions:
	need to filter out a certain amount of noise.
	find if it: RegSetValue, WriteFile.
		write file to copy itself.
		modify register to run on system startup. #### Check ApateDNS
	if malware performed DNS requests. #### Check netcat
	find what the malware requested.

IDA Pro DLL

- Start from DllMain
	all code that executes from the DllEntryPoint until DllMain has likely been generated by the compiler
- CTRL-X with the cursor on gethostbyname: check cross-references.
- byte_ prefix: IDA believes a one byte variable.
- off_ prefix: a pointer variable.
- Rabit hole: IDA may fail to label function like printf, and you may lost in it.

book: Learning malware analysis

all kinds of malware: https://www.malwarebytes.com/glossary
INetSim: Internet Services Simulation Suite

Static

source

Hybrid Analysis: https://www.hybrid-analysis.com/
KernelMode.info: http://www.kernelmode.info/forum/viewforum.php?f=16VirusBay: https://beta.virusbay.io/
Contagio malware dump: http://contagiodump.blogspot.com/
AVCaesar: https://avcaesar.malware.lu/
Malwr: https://malwr.com/
VirusShare: https://virusshare.com/
theZoo: http://thezoo.morirt.com/
https://zeltser.com/malware-sample-sources/

Strings

https://github.com/mandiant/flare-floss, extract strings and decode obfuscated strings. $ ./floss test.exe

pack

$ upx -o spybot_packed.exe spybot.exe

pe structure in image.

https://github.com/corkami/pics/blob/master/binary/pe101/pe101.pdf
http://www.openrce.org/reference_library/files/reference/PE%20Format.pdf
more file stuctures in picture: https://github.com/corkami/pics/tree/master/binary

import table

can not display function loaded by: LoadLibrary() or LdrLoadDLL(), then GetProcessAdress().
Search API get info: https://learn.microsoft.com/en-us/
python to get pe information: https://github.com/erocarrera/pefile python enum_imports.py test.exe

dll export

attacker may use fake export names to mislead.

pe data sections

idata: import table, if not present, import table in rdata.
edata: export info, if not present, export info in rdata.
rdata: read only; or import and export.
data: read/write data and global var.

resource section

.rsrc
resourcehacker: http://www.angusj.com/resourcehacker/, save resource to *.bin file

pescanner

https://github.com/hiddenillusion/AnalyzePE/blob/master/pescanner.py

Fuzzy hashing

$ ssdeep -pb * check the similarity of files in pwd, -p: determine percentage similarity.
$ ssdeep -lrpa samples/
python-ssdeep, https://pypi.org/project/ssdeep/
other hash: import hash, section hash,

Yara

yara rule generator: https://www.joesandbox.com/#windows
yarGen: https://github.com/Neo23x0/yarGen
write simple rule: https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/

Dynamic

tools

inetsim, flare-fakenet-ng
Process Hacker, Process Monitor.
Noriben (put Noriben.py in same folder as Procmon.exe)

dll

rundll32
https://learn.microsoft.com/en-US/windows-server/administration/windows-commands/rundll32
whenever dll loaded, entry point function gets called.
DLLRunner, run all functions with fuzz parameters in DLL, https://github.com/Neo23x0/DLLRunner
some mal DLL may check if its running under rundll32.exe
RemoteDLL has 3 injection methods, may evade above checks.
some dll may only run when loaded as a service.

assembly

mov dword ptr [ebx], 100; 00 00 00 64
mov word ptr [ebx], 100; 00 64
mul ebx: eax * ebx -> edx:eax.
mul bx: bx * ax -> dx:ax.
div ebx: edx:eax / ebx.
movsx: move a sequence of bytes.
movsb, movsw, movsd: move esi to edi by 1/2/4 bytes.
repe/repz: move until ecx=0 or ZF = 0.
repne/repnz: move until ecx=0 or ZF = 1.
stosb/stosw/stosd: move 1/2/4 bytes from al/ax/eax to [edi]. With rep, like C memset().
lodsb/lodsw/lodsd: move 1/2/4 bytes from [esi] to al/ax/eax.
scasx: search [edi] until ecx=0 or find equal to al.
cmpsx: compare a byte in [esi] to [edi], until ecx=0 or not equal.
WOW64: a subsystem for the execution of 32-bit on 64-bit windows.
https://www.tutorialspoint.com/assembly_programming/
http://pacman128.github.io/pcasm/
https://opensecuritytraining.info/IntroX86.html
https://en.wikibooks.org/wiki/X86_Disassembly

IDA

IDA database: .id0, .id1, .nam, .id2, .til
offset keyword: indicate address of variables are used.
IDA keeps track of your navigation history

common dlls

Kernel32.dll, process, memory, hardware, and filesystem
Advapi32.dll, service and registry
Gdi32.dll, graphics
User32.dll, desktop, windows, menus, message boxes, prompts, etc.
MSVCRT.dll, C standard lib
WS2_32.dll, network
WSock32.dll, network
Wininet.dll, HTTP FTP
Urlmon.dll, wrapper around WinInet.dll
NTDLL.dll, Most of the functions in ntdll.dll areundocumented

Windows API

IDA employs a technology called Fast LibraryIdentification and Recognition Technology (FLIRT)
replace the constants with symbolic names.
CreateFileA: take ANSI string. CreateFileW: take Unicode string. as input.
RegCreateKeyEx: Ex mean update function which is incompatible with old function.

IDA python

The Beginner’s Guide to IDAPython by Alexander Hanel: https://leanpub.com/IDAPython-Book
Hex-Rays IDAPython documentation: https://www.hex-rays.com/products/ida/support/idapython_docs/
idautils.Names(),

plugins

https://github.com/onethawt/idaplugins-list
https://www.hex-rays.com/contests/
https://www.hex-rays.com/decompiler/

debugging

IDA pro commercial disassemble/debugger
x64dbg
dnSpy (debug .NET app), radare2
WinDbg, Ollydbg, Immunity Debugger, Hopper, Binary Ninja
exe executed with the privileges of the userrunning the debugger
software breakpoint: int 3 (0xCC). malware can look for 0xCC and modify it.
hardware breakpoint: maximum four, DR0-DR3.
TLS callbacks: Thread Local Storage, run mal code before main application runs.
System Breakpoint: dubugger first breaks in the system function.
64-bit code-> FASTCALL calling convention -> rcx,rdx,r8,r9,rest on stack.(pram on register and stack)
32-bit function: stack grows when arguments pushed. 64-bit function: stack allocated at beginning.
64-bit: hard to say whether it is local var or parameter, (as mov to pre-allocated stack, not push), when no API doc.
debug DLL by rundll32.exe: After oad rundell32.exe, Debug Change Command Line, add dll path parameter.
DLL already running in a process. https://securityxploded.com/remotedll.php
trace log text: https://help.x64dbg.com/en/latest/introduction/Formatting.html
trace log condition: https://help.x64dbg.com/en/latest/introduction/Expressions.html
IDAPython debugger script: https://www.hex-rays.com/products/ida/debugger/scriptable/
https://unit42.paloaltonetworks.com/using-idapython-to-make-your-life-easier-part-1/
dnspy example: https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials/

THM

room keywords

forensic, DFIR, AV, malware, reverse engineering, siem, blue.

Eric Zimmerman

DFIR: An Introduction, room

artifacts:

- pieces of information that provide evidence of human activity.
- collected from the Endpoint or Server's file system, memory, or network activity.

#### type:
	- Strings ("exec": a backdoor)
	- API calls
	- Memory dumps
	- Filesystem modifications
	- Log events
	- Running processes
	- Web requests
	- IP address string routable to Command and control server
	- IOCs can be MD5, SHA1, SHA256 hashes, IP address, C2 domain, file size, filename, file path, a registry key, etc.

#### Windows Registry
	- if only access to disk image.
		C:\Windows\System32\Config
		NTUSER.DAT, USRCLASS.DAT
		C:\Windows\AppCompat\Programs\Amcache.hve
			save information on programs that were recently run on the system
	- transaction logs
		journal of the changelog of the registry hive.
	- Registry backups
	- tools: Registry Viewer, similar to Windows Registry Editor, but on disk image.
	- Forensic use:
		Find OS version: SOFTWARE\Microsoft\Windows NT\CurrentVersion
		Computer Name, Time Zone Information, Autostart Programs.
		Network Interfaces: IP, DNS server, DHCP server, Subnet. 
		Past Networks: a given machine was connected to, write time is the connection time.
		SAM hive and user information: RID, login times, last login time, password change/policy/hint.
		NTUSER hive
			recently opened files information.
		Evidence of Execution.
			User Assist (registry keys)
			ShimCache
		External Devices, USB

#### Disk:
	- Autospy disk recovery.
		data on the disk in different unallocated clusters, which can possibly be recovered. 
		X mark indicates a deleted file.
	- Windows Prefetch files
		program information for future use.
	- Windows 10 Timeline
		a database, store recently used applications
	- Windows Jump Lists
		last executed programs and the last opened files in a system
	- setupapi.dev.log
		information related to attached devices

Linux forensic:

- Information
	/etc/os-release, /etc/passwd, /etc/shadow, /bin/bash, /etc/group, /etc/sudoers
	sudo last -f /var/log/wtmp, binary file read by last, data of logins.
	cat /var/log/auth.log
- System Configuration
	/etc/hostname, /etc/timezone, /etc/network/interfaces, /etc/resolv.conf
	/etc/bash.bashrc, /etc/profile
	netstat -natp
	ps -aux
- Persistence mechanisms: ways a program can survive after a system reboot
	Cron jobs, /etc/crontab
	Service startup, /etc/init.d
	~/.bashrc, run commands when bash shell is spawned.
- Evidence of Execution
	cat /var/log/auth.log* 
	cat ~/.bash_history, cat ~/.zsh_history
	cat ~/.viminfo, file accessed using vim
- Logs
	Syslog, Auth logs, Third-party logs

Evidence Preservation

Chain of custody

integrity of the data.

Order of volatility

preserve RAM before hard drive.

Timeline creation

puts all the activities in chronological order.

Tools:

- KAPE (Kroll Artifact Parser and Extractor)
	bypass the OS locks and copy the files
- Autopsy
	analyzes major file systems
- Volatility
	analyzing memory dumps
	python3 vol.py -f <file> windows.info
	pslist, pstree, netstat, dlllist
	compare the memory file against YARA rules
	SSDT Hooks: system Service Descriptor Table
		An adversary can hook into this table and modify pointers to point to a location the rootkit controls.
- Redline 
	IOC: Indicators of Compromise
		artifacts of the potential compromise
	collects various data for analysis 
		running processes, download histroy, services, files, registry structures, event logs,
- Velociraptor

NIST and SANS incident handling guide.

1. Preparation 2. Identification 3. Containment 4. Eradication 5. Recovery 6. Lessons Learned

BTK serial killer

he sent a floppy disk, recover a deleted word document.

KAPE, room

Bin: execute when exe not on system. mostly EZ tools.
Process VSCs: process Volume Shadow Copies.
When both Target and Module Options. Module Source is not required. Target destination is the Module source.
“_kape.cli”: batch mode commands in the same directory of Kape.
What search query was run on the system? -> registry: WordWheelQuery.
module out -> Automatic Destinations -> FileFolderAccess.

Autopsy, room

More than the room:

Global Hash Lookup Settings
Global File Extension Mismatch Identification Settings
Global Keyword Search Settings
Global Interesting Items Settings
Yara Analyser

Full excercise: https://cfreds.nist.gov/ , to download the disk image

Linux Forensics, room

system config

cat /etc/os-release
cat /etc/sudoers
sudo last -f /var/log/wtmp last logins
sudo last -f /var/log/btmp failed logins
/var/log/auth.log Authentication logs
cat /etc/hostname hostname
cat /etc/timezone timezone
cat /etc/network/interfaces network config
ip address show
netstat -natp Active network connections
ps running processes
/etc/resolv.conf DNS server

persistence

ways a program can survive after a system reboot.

cat /etc/crontab Cron jobs.
cd /etc/init.d services startup in this folder.
cat ~/.bashrc commands run after bash shell spawned.
/etc/bash.bashrc, /etc/profile. -> System-wide settings

evidence of execution

Sudo execution history: cat /var/log/auth.log* |grep -i COMMAND
Bash history: cat ~/.bash_history
Files accessed using vim: cat ~/.viminfo

Log

Syslog, cat /var/log/syslog*, check former hostname.
Auth logs, cat /var/log/auth.log*
Third-party logs, ls /var/log
/var/log/httpd, /var/log/cron, /var/log/auth.log, /var/log/secure, /var/log/kern.
/var/log/apache, /var/log/httpd.
Ways of Log Ingestion of SIEM: 1) Agent / Forwarder, 2) Syslog, 3) Manual Upload, 4) Port-Forwarding

Volatility, room

https://volatility3.readthedocs.io/en/latest/
https://github.com/volatilityfoundation/volatility3
syntax changed in volatility3 from volatility2. (python3 -> python2)
Virtual memory: VMWare - .vmem; Hyper-V - .bin; Parallels - .mem; VirtualBox - .sav file.
imageinfo: list best possible OS profiles
python3 vol.py -f dump.vmem windows.info use plugin windows.info to get information from dump.vmem.
python3 vol.py -f <file> windows.pslist listing processes. Can not see unlinked rootkits.
python3 vol.py -f <file> windows.psscan help combat evasion techniques above.
python3 vol.py -f <file> windows.pstree
python3 vol.py -f <file> windows.netstat another tool in this case may be better-> bulk_extractor.
python3 vol.py -f <file> windows.dlllist
python3 vol.py -f <file> windows.malfind attempt to identify injected processes
python3 vol.py -f <file> windows.yarascan

Hooking

one evasion technique
SSDT Hooks, IRP Hooks, IAT Hooks, EAT Hooks, Inline Hooks.
SSDT: System Service Descriptor Table. modify pointers to a location the rootkit controls.
python3 vol.py -f <file> windows.ssdt

find driver files as part of their evasion

python3 vol.py -f <file> windows.modules dump a list of loaded kernel modules
python3 vol.py -f <file> windows.driverscan identify driver files in the kernel, which “modules” may miss

dump pid 1640

python3 vol.py -f /Scenarios/Investigations/Investigation-1.vmem -o ./mydump windows.memmap.Memmap --pid 1640 --dump

resources

https://github.com/volatilityfoundation/volatility/wiki
https://eforensicsmag.com/finding-advanced-malware-using-volatility/
https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet
https://book.cyberyozh.com/counter-forensics-anti-computer-forensics/

Redline, room

FireEye tool

book.cyberyozh.com

anti-forensic

hidden OS. Different password to different file container. TrueCrypt, VeraCrypt.
DMA attack: FireWire port, cold boot attack.

13Cubed (Investigating Windows Endpoints)

https://www.13cubed.com/

Alexiou principle

What question are you trying to answer?
What data do you need to answer that question?
How do you extract that data?
What does that data tell you?

Setup

windows sandbox (ctr+R: optionalfeatures)
linux on windows (windows store)
sysinternals suite (windows store) -> RDCMan(RDP manager)
powertoys (windows store)
FTK imager.
Arsenal Recon: Arsenal Image Mounter, Hibernation Recon.
Zimmerman tools. & KAPE
NIRSOFT tools.
Other: Chainsaw, MemProcFS, PEstudio, RegRipper, TestDisk, thumbs_viewer.

Windows Event Log

file: .evt
vista introduce evtx format.
ctl+R: \windows\system32\winevt\logs
Event Viewer -> Windows Logs -> Channels: Application, Security, Setup, System, Forwarded Events.
power shell: Get-Help Get-WinEvent
Get-WinEvent -LogName Security
Ntds. dit: a database that stores Active Directory data. (hashcat: can get the credentials)
application event ID 216: move Nsds.dit database, caused by volumn shadow copy, no worry.
RDP related logs: https://ponderthebits.com/
ZMtool -> EvtxeCmd -> Maps. EvtxECmd.exe -d {logPath} --csv {outputPath}
ZMtool -> – vss options -> powerful to get data from shadow volume.
https://github.com/BeanBagKing/BaselineLogging
https://nullsec.us/windows-baseline-logging/
Sysmon: addtion to event log, not default.

Registry

https://dfir.ru/2020/10/03/exporting-registry-hives-from-a-live-system/
some may only stay in memory, others on disk as hive.
system hives: C:\Windows\System32\config, DEFAULT; SAM; SECURITY; SOFTWARE; SYSTEM.
HKEY_CURRENT_USER: NTUSR.DAT; usrClass.dat.
C:\Windows\appcompat\Programs\Amcache.hve
https://www.13cubed.com/downloads/windows_registry_cheat_sheet.pdf
keys and subkeys have last write time; but values in it do not have.
shellbag: even delete the path, shellbag still exists.
HKLM/SYSTEM/Select(current) -> check which control set is using.
https://github.com/EricZimmerman/RECmd/blob/master/BatchExamples/Kroll_Batch.reb (filter out potentially irrelevant information from the Windows Registry)
regripper: another tool

Evidence of Execution

two major type: 1. user experience. 2. backwards compatibility.

prefetch

user experience
prefetch: speed up app start up. (monitor app for around 10 seconds, to see the resources it needs.)
GUI or CMD.
C:\Windows\Prefetch
name: {appName}-{8digitsHash}.pf
different hash may means same exe name in different locations or with different parameters.
sometimes parameters in hash calculation, not always.
created time -> first execute; modified time -> last execute.
default on desktop windows, not server.
last 8 time of execution is tracked in pf file, since windows 8.
32-bit app runs on 64-bit system, not reverse. so malware authors use 32-bit. at: windows/SysWOW64. 2 CMD pf files, one 32-bit.
ZM tool: PECmd.exe
after delete binary, prefetch still exists.
anti-forensic: delete prefetch. sdelete *.pf delete all prefetch.
sdelete-hash.pf left, in PECmd.exe, in “file referenced”, we can know what it deleted.
https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete
https://www.youtube.com/watch?v=f4RAtR_3zcs

Shimcache

backwards compatibility
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
used to be evidence of execution, before windows 10, not in windows 10/newer.
the higher on the list, the more recent it shimed.
same modified time, may mean same file just with different name.(eg. find renamed malware)
files viewd in window explorer, will be in the cache. NOT only when executed.
reboot computer will refresh shimcache.
ZM: AppCompatCacheParser.exe

AmCache

https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf
C:\Windows\appcompat\Programs\Amcache.hve
contain many program metadata. linkdate(compilation date)
can not use to proof execution.
InventoryApplication, InventoryApplicationFile, InventoryDriverBinary.
ZM: AmcacheParser.exe

PCA (Program Compatibility Assistant)

very new, Windows 11 22H2
C:\Windows\appcompat\pca\PcaAppLaunchDic.txt

MUICache

HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
ApplicationCompany, FriendlyAppName. (rename exe do not change them)
no MRU list, so no timestamp info.
per user artifact for gui program.

UserAssist Registry

Run counter, Focus Count.
https://imphash.medium.com/userassist-with-a-pinch-of-salt-as-an-evidence-of-execution-4dc4e9640a77

SRUM

System Resource Utilization Monitor
C:\Windows\System32\sru\SRUDB.dat
ZM: SrumECmd.exe

persistentence

BatchExamples/RegistryASEPs.reb (Auto Start Extensibility Points)
Process: Local Security Authority Process.
https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/
ntdlutil
https://www.crowdstrike.com/cybersecurity-101/privilege-escalation
impacket below:
https://www.13cubed.com/downloads/impacket_exec_commands_cheat_sheet.pdf
https://www.13cubed.com/downloads/impacket_exec_commands_cheat_sheet_poster.pdf
MACB: Modified, Accessed, Changed ($MFT Modified), Birth (file creation time)
SumECmd.exe
User Access Logging (UAL)

13cubed videos

thumbnail forensic

tools: thumbsviewer, thumb cache.
thumbcache_xxx.db (xxx is the resolution)

malware analysis

IDA -> plugin -> OllyDumpEx
IDA -> plugin -> Scylla: IAT Autosearch

Certs

GIAC Reverse Engineering Malware (GREM)

Analyzing Malicious Office Macros
Analyzing Malicious PDFs
Analyzing Malicious RTF Files
Analyzing Obfuscated Malware
Behavioral Analysis Fundamentals
Common Malware Patterns
Core Reverse Engineering Concepts
Identifying and Bypassing Anti-Analysis Techniques
Malware Analysis Fundamentals
Malware Flow Control and Structures
Overcoming Misdirection Techniques
Reversing Functions in Assembly
Static Analysis Fundamentals
Unpacking and Debugging Packed Malware

GIAC Certified Incident Handler (GCIH)

Detecting Covert Communications
Detecting Evasive Techniques
Detecting Exploitation Tools
Drive-By Attacks
Endpoint Attack and Pivoting
Incident Response and Cyber Investigation
Memory and Malware Investigation
Network Investigations
Networked Environment Attack
Password Attacks
Post-Exploitation Attacks
Reconnaissance and Open-Source Intelligence
Scanning and Mapping
SMB Scanning
Web App Attacks

GIAC Certified Intrusion Analyst (GCIA)

Advanced IDS Concepts
Application Protocols
Concepts of TCP/IP and the Link Layer
Fragmentation
IDS Fundamentals and Network Architecture
Intrusion Detection System Rules
IP Headers
IPv6
Network Forensics and Traffic Analysis
Packet Engineering
SiLK and Other Traffic Analysis Tools
TCP
Tcpdump Filters
UDP and ICMP
Wireshark Fundamentals

GIAC Battlefield Forensics and Acquisition (GBFA)

Acquiring RAM and OS Artifacts
Acquisition Preparation
Data on Drives
Data on the Network
Dead Box Acquisition
Host Based Live Acquisition
Manual Triage
Manually Finding Data
Mobile Device Acquisition/Triage
Physical Storage Devices
Remote Acquisition
Storage Technologies
Working With Evidence Files

GIAC Certified Forensic Analyst (GCFA), aka. FOR508

Analyzing Volatile Malicious Event Artifacts
Analyzing Volatile Windows Event Artifacts
Enterprise Environment Incident Response
File System Timeline Artifact Analysis
Identification of Malicious System and User Activity
Identification of Normal System and User Activity
Introduction to File System Timeline Forensics
Introduction to Memory Forensics
NTFS Artifact Analysis
Windows Artifact Analysis