
Registry


Artifact Timeline Creation and Analysis - Tool Release: log2timeline

Using timeline analysis during investigations can be extremely useful, yet it sometimes misses important events that are stored inside files on the suspect system (log files, OS artifacts). By depending solely on a traditional filesystem timeline you may miss context that is necessary to get a complete picture of what really happened. So to get "the big picture", a complete and accurate description, we need to dig deeper and incorporate information found inside artifacts or log files into our timeline analysis. These artifacts or log files could reside on the suspect system itself or on another device, such as a firewall or a proxy (or any other device that logs information that might be relevant to the investigation).

Unfortunately there are few tools out there that can parse the various artifacts found on different operating systems and produce body files to include with the traditional filesystem analysis.

You are working for corporation X. What are you asked to find?

De-mystifying Defrag: Identifying When the Windows Defragmenter Has Been Used for Anti-Forensics (Part 2 - Vista)

In Part 1 of this post, we explored defragmenter usage in Windows XP, specifically trying to gain more information about user activity when we see the following in the Prefetch directory: Figure 1: Defrag entries shown from the C:\Windows\Prefetch directory. Vista made many file system changes, modifying some of the XP artifacts we relied upon in Part 1 and adding some artifacts that can greatly simplify our investigation. Importantly, Vista ships with a default scheduled task for a full volume defragmentation every Wednesday evening at 1am. This is in addition to the limited defrags conducted by the Prefetch / Superfetch components.

We will focus on the two primary methods by which a user can invoke the Windows Defragmenter tool:
1. Running the defragmenter from a graphical user interface (GUI)
2. Running defrag from the command line using defrag.exe

Defragmenter Artifacts in Vista - Identifying GUI Usage:
- Prefetch Entries
- UserAssist Registry Key
- File Timestamps
- Event / Scheduler Logs
- Prefetch Entries; File Timestamps

USB Key Analysis vs. USB Drive Enclosure Analysis. Computer Forensic Guide To Profiling USB Drive Enclosures on Win7, Vista, and XP

There has been much talk about USB Device Forensic Analysis.

Many assume that analyzing a USB Key will be the same as analyzing a USB Drive Enclosure (i.e. USB Key Analysis = USB Drive Enclosure Analysis). This is inaccurate. The fundamentals of examining a USB Key and a USB Drive Enclosure are similar, but each has unique properties that require a different set of guidelines to account for the differences. The fundamentals of the USB examinations are the same with a couple of key exceptions.

MBR Disk Signatures: the information that is needed is the MBR Disk Signature, a 4-byte value located in the MBR. How does this work?

Example 1: the MBR Disk Signature is found at decimal offset 440. Opening the registry key HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices, we will locate the same signature in one of the drive letters and volume GUIDs found there.

Computer Forensic Artifacts: Windows 7 Shellbags. As Windows Registry artifacts go, the "Shellbag" keys tend to be some of the more complicated artifacts we have to decipher.
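The disk-signature match described in the USB enclosure excerpt above, as an added example that is not from the original guide: read the 4-byte signature at decimal offset 440 of the enclosure's MBR and compare it against MountedDevices values. The 12-byte layout of a MountedDevices value for an MBR-partitioned volume (signature followed by the 8-byte partition start offset) is well known but not stated on the page, so it is an assumption here; the MBR and registry values are constructed sample data.

```python
import struct

MBR_SIZE = 512
DISK_SIGNATURE_OFFSET = 440   # decimal offset of the 4-byte disk signature
BOOT_SIGNATURE_OFFSET = 510   # bytes 510-511 hold 0x55AA in a valid MBR

def read_disk_signature(mbr: bytes) -> int:
    """Return the 4-byte (little-endian) disk signature at decimal offset 440."""
    if len(mbr) < MBR_SIZE:
        raise ValueError("need at least 512 bytes of sector 0")
    if mbr[BOOT_SIGNATURE_OFFSET:BOOT_SIGNATURE_OFFSET + 2] != b"\x55\xaa":
        raise ValueError("0x55AA boot signature missing; not an MBR")
    return struct.unpack_from("<I", mbr, DISK_SIGNATURE_OFFSET)[0]

def parse_mounted_devices_value(data: bytes):
    """Decode a MountedDevices value for an MBR-partitioned volume. Assumed
    layout (well known, not stated on the page): 12 bytes = 4-byte disk
    signature + 8-byte partition start offset, both little-endian."""
    if len(data) != 12:  # GPT volumes / USB device-instance strings: skip
        return None
    signature, partition_offset = struct.unpack("<IQ", data)
    return signature, partition_offset

def match_mounted_devices(mbr: bytes, mounted_devices: dict) -> list:
    """List (value name, partition offset) for every MountedDevices entry
    whose disk signature equals the one in the enclosure's MBR."""
    target = read_disk_signature(mbr)
    hits = []
    for name, data in mounted_devices.items():
        parsed = parse_mounted_devices_value(data)
        if parsed is not None and parsed[0] == target:
            hits.append((name, parsed[1]))
    return hits

# Constructed sample MBR: signature 0xA1B2C3D4 at offset 440, 0x55AA at 510
_mbr = bytearray(MBR_SIZE)
struct.pack_into("<I", _mbr, DISK_SIGNATURE_OFFSET, 0xA1B2C3D4)
_mbr[BOOT_SIGNATURE_OFFSET:BOOT_SIGNATURE_OFFSET + 2] = b"\x55\xaa"
SAMPLE_MBR = bytes(_mbr)

# Constructed MountedDevices values (names mimic HKLM\SYSTEM\MountedDevices)
SAMPLE_MOUNTED_DEVICES = {
    r"\DosDevices\C:": struct.pack("<IQ", 0x11223344, 0x100000),  # internal disk
    r"\DosDevices\F:": struct.pack("<IQ", 0xA1B2C3D4, 0x7E00),    # the enclosure
    r"\??\Volume{0f7d8c9a-1111-2222-3333-444455556666}": struct.pack("<IQ", 0xA1B2C3D4, 0x7E00),
    r"\DosDevices\E:": "_??_USBSTOR#Disk&Ven_Example&Prod_Key".encode("utf-16-le"),  # USB key, skipped
}
if __name__ == "__main__":
    for name, offset in match_mounted_devices(SAMPLE_MBR, SAMPLE_MOUNTED_DEVICES):
        print(f"{name}: signature match, partition starts at byte {offset:#x}")
```

On a real image, feed the first 512 bytes of the enclosure disk as `mbr` and export the MountedDevices values from the SYSTEM hive into the dictionary.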

But they are worth the effort, giving an excellent means to prove the existence of files and folders along with user knowledge. Shellbags can be used to answer the difficult questions of data enumeration in intrusion cases, identify the contents of long gone removable devices, and show the contents of previously mounted encrypted volumes. Information persists for deleted folders, providing an invaluable reference for items no longer part of the file system. A Brief Overview Windows uses the Shellbag keys to store user preferences for GUI folder display within Windows Explorer. Everything from visible columns to display mode (icons, details, list, etc.) to sort order are tracked.

The Shift from Windows XP: the architecture of Shellbag keys within Windows XP is well understood and has been broadly covered [1,2]. What you need to know: [1] Zhu, Gladyshev, James (2009).

36526 - Match a user profile to folders in HKEY_USERS

Summary: the instructions provided describe how to identify which folder stored in the registry under HKEY_USERS is associated with each user profile on the computer. The Security Identifier (SID) is a unique name (an alphanumeric character string) that is assigned by a Windows Domain controller during the login process and is used to identify a user. This procedure enables administrators to make modifications to specific user profiles located in HKEY_USERS, mimicking those found in HKEY_CURRENT_USER when that user is logged in.

Procedure: expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. Related Information.

The Windows Registry Files and where to find them. Forensic-analysis-windows-registry.pdf. A Windows Registry Quick Reference.pdf. Registry_examination.pdf. p26-dolan-gavitt.pdf. p69-zhu.pdf.

Registry. Sometimes during an examination, it can be important to determine what programs have been executed on a system, and more specifically, when and by which user.

Some of the artifacts on a system will provide us with indications of programs that have been executed, while others will provide information about which user launched the program, and when. As such, some of this information can be included in a timeline. Hopefully, something that will become evident throughout this post, as well as other HowTo posts, is that rather than focusing on individual artifacts, we're going to start putting various artifacts into "buckets" or categories. Okay, let's get started...

AutoStart Locations: before we begin to look at the different artifacts that can be directly tied to a user (or not), I wanted to briefly discuss autostart locations.

Scheduled Tasks can be, and are, used as an autostart location.

User: there are a number of artifacts within the user context that can indicate program execution.

Windows Registry. File Locations: the Windows Registry is stored in multiple files.

Windows NT 4: basically the following Registry hives are stored in the corresponding files:
- HKEY_USERS: \Documents and Settings\User Profile\NTUSER.DAT
- HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
- HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
- HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
- HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
- HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system

Windows 9x/ME:
- \Windows\user.dat
- \Windows\system.dat
- \Windows\profiles\user profile\user.dat

Keys: Run/RunOnce. System-wide:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Per user:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Special cases: special characters in key and value names; codepaged ASCII strings. Tools: Open Source.

Windows Registry. When first introduced with Windows 3.1, the Windows registry's primary purpose was to store configuration information for COM-based components. With the introduction of Windows 95 and Windows NT, its use was extended to tidy up the profusion of per-program INI files that had previously been used to store configuration settings for Windows programs.[1][2] It is not a requirement for a Windows application to use the Windows Registry—for example, the .NET Framework applications use XML files for configuration, while portable applications usually keep their configuration data within files in the directory/folder where the application executable resides.

Rationale: prior to the Registry, .INI files stored each program's settings in a text file, often located in a shared location that did not allow for user-specific settings in a multi-user scenario. As the registry is constructed as a database, it offers improved system integrity with features such as atomic updates.