6 DF

Operating System Forensics involves examining operating systems to gather evidence related to security incidents, focusing primarily on Windows in this document. Key topics include collecting volatile and non-volatile information, analyzing memory and registry data, and understanding user behavior through various logs and files. The document also details specific sources of evidence, tools for memory acquisition and analysis, and the significance of the Windows Registry and Event Logs in forensic investigations.

Uploaded by Mohamed Marzouq

Operating System Forensics


• OS Forensics refers to the examination of an operating system to find, collect and preserve evidence about a security incident.
• Forensics investigators must have a thorough knowledge of the various OSs, including Windows, Mac, and Linux.
• In this chapter we will focus on Windows and we will learn how to:
  • Collect volatile and non-volatile information
  • Perform Windows memory and registry analysis
  • Examine the cache, cookies, and history recorded in web browsers
  • Examine Windows files and metadata

2
Windows Forensics
What can we learn from a Windows computer?
• Application use: what applications were used, when, by whom?
• Content, file creation, modification and deletion …
• Connected devices, thumb drives, network connections …
• Online behavior: visited websites, downloaded content, emails, social media interaction …
• …

3
Some of the sources of evidence on a Windows computer
Volatile sources:

RAM data
• It is typically the first piece of evidence acquired on a compromised machine.
• Contains information about:
  • Active processes, services,
  • Command line history,
  • Encryption keys,
  • Network connections,
  • Registry data not written to disk,
  • Clipboard data,
  • …

Page (or Swap) file
• Used to store sections of memory when the RAM runs out of space.
• We can find in it information similar to that found in RAM.
• The computer may be configured to clear the page file on shutdown.
• A page file is typically present at C:\pagefile.sys.

Hibernation file
• Stores information about the system's current state, e.g. active processes, services, files downloaded by a user, files being edited, etc.
• Located at C:\hiberfil.sys.

4
Some of the sources of evidence on a Windows computer
Non-Volatile sources:

Event Logs
• Store information about system, software and user events.
• We can learn information such as:
  • Logged on users,
  • When services and applications started,
  • Modified software and user accounts,
  • Executed software,
  • Changes to system configuration.
• Located at …System32\Config

Prefetch files
• Every application has a prefetch file. It contains information about:
  • When the app was run last,
  • How many times it was executed,
  • Files and directories referenced by the application,
  • …
• We can learn the applications that have been executed recently.
• Located in %SYSTEMROOT%\Prefetch.

Windows Registry
• A database containing information about:
  • Configuration information for applications,
  • User account settings,
  • Hardware configurations.

5
Some of the sources of evidence on a Windows computer
Non-Volatile sources:

SRUM Dump
A System Resource Utilization Manager (SRUM) dump provides information about the applications that have been run on the system in the last 30 days.
%SYSTEMROOT%\System32\sru\srudb

Recycle Bin
Can be used to locate deleted files if they were not deleted permanently.

System File Log
A Windows machine stores a log of recent changes to its files and directories in a hidden system file called $UsnJrnl.

Application logs
Most of the installed applications maintain their own logs, e.g. web browser applications.

6
RAM Memory Forensics
• RAM is an important source of information for the forensic investigation; it contains traces of recent activities including:
  • Running processes (including malicious ones) and threads,
  • Network connections,
  • Running applications and malware (if any),
  • Opened files and media,
  • Encryption keys, passwords, etc.

• Memory dump is the term used to refer to the data acquired from the RAM memory.

• Memory acquisition tools: AccessData FTK Imager, Belkasoft RAM Capturer, DumpIt

• Memory analysis tools: Redline, Volatility, etc.

7
RAM Memory Forensics
Memory analysis using Redline
• We can find all the processes running when the dump was acquired.
• The connections made by processes to remote IPs and the ports used.
• In this example, the process 'rundll32.exe', PID 1896, is making a connection to remote IP address 172.20.20.21 over port 4444, which looks suspicious.

8
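The slide shows the finding by eye in Redline. The following is an added example, not part of the slides or of Redline or Volatility, that applies the same reasoning as a repeatable check over a process/connection listing of the kind these tools produce. The listing is constructed to resemble a netscan-style table and includes the rundll32.exe / 172.20.20.21:4444 row from the slide; the set of "proxy execution" binaries and the set of expected remote ports are my own starting assumptions, to be tuned per environment.

```python
"""Triage of process/network rows from a memory image (added example; not from the slides).

Two heuristics are applied to every ESTABLISHED connection:
  1. the owning process is a Windows binary that normally runs code on behalf of
     others (rundll32.exe, regsvr32.exe, ...) and should rarely own its own socket;
  2. the remote port is outside the set of ports we expect workstations to talk to.
"""
from dataclasses import dataclass

# Constructed sample, modelled on a netscan-style listing (not real captured data).
SAMPLE_NETSCAN = """\
Proto  LocalAddr           RemoteAddr          State        PID   Owner
TCPv4  10.0.0.5:49712      172.20.20.21:4444   ESTABLISHED  1896  rundll32.exe
TCPv4  10.0.0.5:49713      52.96.0.10:443      ESTABLISHED  4120  outlook.exe
TCPv4  0.0.0.0:445         0.0.0.0:0           LISTENING    4     System
TCPv4  10.0.0.5:49720      10.0.0.7:3389       ESTABLISHED  2204  mstsc.exe
TCPv4  10.0.0.5:49721      198.51.100.9:8080   ESTABLISHED  3011  regsvr32.exe
"""

# Assumption: binaries that execute code for other components and rarely need
# their own outbound connection. Extend per environment.
PROXY_EXECUTION_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Assumption: remote ports considered ordinary for a workstation in this example.
EXPECTED_REMOTE_PORTS = {53, 80, 443, 445, 3389}


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    pid: int
    owner: str


def parse_netscan(text: str) -> list[Conn]:
    """Parse whitespace-separated rows; the first line is the column header."""
    conns = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed or truncated rows
        proto, local, remote, state, pid, owner = parts
        conns.append(Conn(proto, local, remote, state, int(pid), owner))
    return conns


def remote_port(endpoint: str) -> int:
    """'172.20.20.21:4444' -> 4444 (rsplit so IPv6 literals with colons still work)."""
    return int(endpoint.rsplit(":", 1)[1])


def triage(conns: list[Conn]) -> list[tuple[int, str, str, list[str]]]:
    """Return (pid, owner, remote, reasons) for every established connection that
    trips at least one heuristic. Listening sockets are not judged."""
    findings = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        reasons = []
        if c.owner.lower() in PROXY_EXECUTION_BINARIES:
            reasons.append("proxy-execution binary owns an outbound connection")
        port = remote_port(c.remote)
        if port not in EXPECTED_REMOTE_PORTS:
            reasons.append(f"remote port {port} is not in the expected set")
        if reasons:
            findings.append((c.pid, c.owner, c.remote, reasons))
    return findings


if __name__ == "__main__":
    for pid, owner, remote, reasons in triage(parse_netscan(SAMPLE_NETSCAN)):
        print(f"PID {pid} {owner} -> {remote}: " + "; ".join(reasons))
```

On the sample, the rundll32.exe row from the slide is reported with both reasons, the regsvr32.exe row is reported as well, and Outlook on 443 and the RDP client on 3389 are left alone. The listening SMB socket owned by System is never judged, which is the point of keying on state first.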
RAM Memory Forensics
Memory analysis using Volatility
Homework for the next Lab:

• How to acquire a memory dump with DumpIt and then analyze it with Volatility:
  • https://www.youtube.com/watch?v=mHhQ63juojg

• How to analyze a memory dump with Volatility 2 and 3, along with some interesting plugins:
  • https://www.youtube.com/watch?v=EiETpyPgloQ
  • https://www.youtube.com/watch?v=g1niQ3rp3-s

9
Windows Crash Dump
• Windows stores a copy of the RAM content when it crashes (after running into a critical error); it is called the crash dump file. This feature must first be enabled.
• Analyzing the crash dump file can be very useful for identifying the bugs in a program / driver that led to the crash.
• From a forensics perspective, analyzing these dumps can sometimes help the investigator determine whether the crash happened due to an internal issue or was caused by an attacker.
• You can check the dump file using DumpChk, which is part of the Windows Debugger tool.
URL: https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/

10
Windows Registry
• Microsoft defines the registry as a central hierarchical database. It stores configuration information about all hardware devices and applications as well as user-specific settings.

• This information is organized into a number of keys and subkeys, which are similar to folders and are themselves organized into five main branches called hives, which make up the registry.

[Figure: registry hierarchy, hive → key → subkey → value]

11
Windows Registry
What can the investigator learn from the registry?
• List of user accounts,
• Installed applications and when they were used last,
• Installed hardware devices,
• Applications that start automatically when the system boots,
• USB activities,
• Network information (e.g. networks, ports, …),
• …

By analyzing this information the investigators can understand the incident and reconstruct its timeline.

12
Windows Registry
Non-volatile hives:
• HKEY_LOCAL_MACHINE: Contains configuration information for all hardware and software components of the computer.
• HKEY_USERS: Contains the details of all user accounts present on the system and their configuration settings.

Volatile hives:
• HKEY_CURRENT_USER: Contains the profile and settings information for the currently logged on user (the active user).
• HKEY_CURRENT_CONFIG: Contains real-time information about the hardware profile currently being used.
• HKEY_CLASSES_ROOT: Contains information about what applications can be used to open file extensions (e.g. .doc can be opened with Microsoft Word).

13
Windows Registry
• The information stored in the hives is spread across four files (SAM, SECURITY, SOFTWARE, SYSTEM) located in the folder %SYSTEMROOT%\System32\Config.

• There is an additional file, NTUser.dat, which is stored in the root of the user profile.

14
Windows Registry – Some interesting information
Computer Name:
Use RegEdit to access the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName

15
Windows Registry – Some interesting information
Windows information: version, number, owner, ID, installation date
Use RegEdit to access the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

16
Windows Registry – Some interesting information
Last Shutdown time and time zone:
Use RegEdit to access the key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows
Install DCode to convert the time:
https://www.digital-detective.net/dcode

17
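The value under the key above is a raw 8-byte Windows FILETIME, which is why the slide points to DCode. The following added example (mine, not from the slides or from DCode) performs that conversion offline and applies the time-zone bias so the investigator sees the shutdown in the machine's local time as well as UTC. The value names ShutdownTime (under the key on the slide) and ActiveTimeBias (under HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation) are real Windows values that the slides do not name; the 8 bytes and the bias used below are constructed for the example.

```python
"""Decode a registry ShutdownTime value (added example; not from the slides).

ShutdownTime is a REG_BINARY holding a Windows FILETIME: a little-endian
unsigned 64-bit count of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
ActiveTimeBias is a DWORD giving the minutes to ADD to local time to reach UTC;
zones east of UTC have a negative bias, which RegEdit shows as a large unsigned
number (e.g. 0xFFFFFFC4 for -60).
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: the 8 bytes as RegEdit would display them for a shutdown
# at 2023-01-01 00:00:00 UTC (hex: 00 00 C3 FD 73 1D D9 01).
SAMPLE_SHUTDOWNTIME = bytes.fromhex("0000c3fd731dd901")

# Constructed sample: ActiveTimeBias for a UTC+1 machine, stored as unsigned DWORD.
SAMPLE_ACTIVE_TIME_BIAS = 0xFFFFFFC4


def filetime_to_utc(raw: bytes) -> datetime:
    """Convert an 8-byte little-endian FILETIME to an aware UTC datetime.
    Sub-microsecond precision (the last digit of the 100 ns count) is dropped."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (intervals,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=intervals // 10)


def dword_to_signed(value: int) -> int:
    """Reinterpret a 32-bit unsigned registry DWORD as a signed integer."""
    return value - 2**32 if value >= 2**31 else value


def utc_to_local(utc: datetime, active_time_bias: int) -> datetime:
    """Apply ActiveTimeBias: local = UTC - bias minutes, returned as an aware
    datetime carrying the machine's fixed offset."""
    bias = dword_to_signed(active_time_bias)
    return utc.astimezone(timezone(timedelta(minutes=-bias)))


if __name__ == "__main__":
    utc = filetime_to_utc(SAMPLE_SHUTDOWNTIME)
    print("Last shutdown (UTC):  ", utc.isoformat())
    print("Last shutdown (local):", utc_to_local(utc, SAMPLE_ACTIVE_TIME_BIAS).isoformat())
```

Reading the bytes as big-endian, or forgetting the sign of ActiveTimeBias, are the two mistakes that silently shift a timeline; both are why the conversion is kept in two separate, individually checkable functions.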
Windows Registry – Some interesting information
Shares (shared folders on the network):
Use RegEdit to access the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares

18
Windows Registry – Some interesting information
Wireless Networks:
Use RegEdit to access the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

19
Windows Registry – Some interesting information
Autostart programs:
Use RegEdit to access the key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

20
Windows Event Logs
• The Windows OS logs information about the various actions occurring on the computer and categorizes them into:

System Log
Stores information generated by the Windows OS. We can find info such as:
• OS updates,
• OS reboots and shutdowns,
• Changes to hardware configurations,
• Services starting / stopping,
• …

Application Log
Stores information about the events generated by installed applications:
• Application installations / removals,
• App updates,
• …
Events contain information such as who initiated the action, timestamps, …

Security Log
Stores events relative to the security of the computer:
• Logon attempts,
• Resource access,
• …
Events contain information such as who initiated the action, timestamps, …

• Event logs can be very helpful in finding data related to the incident and can help investigators build a timeline analysis of events relating to it.

21
Windows Event Logs
• Examples of System Events: launch Event Viewer and search for the following events: 6013 and 4624

22
Windows Event Logs
• Examples of System Events: What is happening here?

23
Windows Event Logs
• Examples of System Events: What is happening here?

24
Windows Event Logs
Some interesting events:

• 4624 - Successful logon
• 4625 - Unsuccessful logon
• 4634 - Logon session terminated
• 4647 - Logon session terminated by the user
• 4648 - User logon was attempted by a user using different credentials
• 4672 - User logon with Admin rights
• 4720 - User account created
25
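The two slides above describe building a timeline from the Security log and list the logon-related event IDs worth knowing. The following added example (mine, not from the slides) does both over records of the kind Event Viewer exports: it orders events into a timeline using the IDs from the list, and it flags the pattern an investigator looks for first, a run of 4625 failures for one account from one source followed by a 4624 success, together with what happened in the minutes after that logon. The events are constructed for the example; field names follow the Security-log XML (TargetUserName, IpAddress, LogonType), and the threshold and window are assumptions.

```python
"""Security-log timeline and logon-pattern triage (added example; not from the slides).

Records mimic fields exported from Event Viewer. Event IDs are those listed on
the slide: 4624 success, 4625 failure, 4634/4647 logoff, 4648 explicit
credentials, 4672 admin rights, 4720 account created.
"""
from datetime import datetime, timedelta

EVENT_DESCRIPTIONS = {
    4624: "Successful logon",
    4625: "Unsuccessful logon",
    4634: "Logon session terminated",
    4647: "Logon session terminated by the user",
    4648: "Logon attempted using different credentials",
    4672: "Logon with admin rights",
    4720: "User account created",
}

# Constructed sample (not real log data): one ordinary logon, then five failures
# for jdoe from 10.0.0.50, a success, admin rights, a new account, and a logoff.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-03-01T07:55:00", "TargetUserName": "asmith", "IpAddress": "10.0.0.21", "LogonType": 2},
    *[{"EventID": 4625, "TimeCreated": f"2024-03-01T08:00:0{i}", "TargetUserName": "jdoe", "IpAddress": "10.0.0.50", "LogonType": 3}
      for i in range(1, 6)],
    {"EventID": 4624, "TimeCreated": "2024-03-01T08:00:09", "TargetUserName": "jdoe", "IpAddress": "10.0.0.50", "LogonType": 3},
    {"EventID": 4672, "TimeCreated": "2024-03-01T08:00:09", "TargetUserName": "jdoe"},
    {"EventID": 4720, "TimeCreated": "2024-03-01T08:03:00", "TargetUserName": "svc-backup", "SubjectUserName": "jdoe"},
    {"EventID": 4634, "TimeCreated": "2024-03-01T08:30:00", "TargetUserName": "jdoe"},
]


def event_time(e: dict) -> datetime:
    return datetime.fromisoformat(e["TimeCreated"])


def build_timeline(events: list[dict]) -> list[str]:
    """One line per event, in chronological order, with the slide's description."""
    lines = []
    for e in sorted(events, key=event_time):
        desc = EVENT_DESCRIPTIONS.get(e["EventID"], "other")
        lines.append(f"{e['TimeCreated']} {e['EventID']} {desc} "
                     f"user={e.get('TargetUserName', '-')} src={e.get('IpAddress', '-')}")
    return lines


def find_failed_then_success(events: list[dict], threshold: int = 5,
                             window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Flag each 4624 preceded, within `window`, by at least `threshold` 4625s for
    the same (user, source). Also report the event IDs that follow the logon
    inside the same window, since 4672 or 4720 right after it changes the picture."""
    ordered = sorted(events, key=event_time)
    findings = []
    for i, e in enumerate(ordered):
        if e["EventID"] != 4624:
            continue
        key = (e.get("TargetUserName"), e.get("IpAddress"))
        failures = [f for f in ordered[:i]
                    if f["EventID"] == 4625
                    and (f.get("TargetUserName"), f.get("IpAddress")) == key
                    and event_time(e) - event_time(f) <= window]
        if len(failures) >= threshold:
            followed_by = [x["EventID"] for x in ordered[i + 1:]
                           if event_time(x) - event_time(e) <= window]
            findings.append({"user": key[0], "source": key[1], "failures": len(failures),
                             "logon_at": e["TimeCreated"], "followed_by": followed_by})
    return findings


if __name__ == "__main__":
    print("\n".join(build_timeline(SAMPLE_EVENTS)))
    for f in find_failed_then_success(SAMPLE_EVENTS):
        print(f"{f['user']} from {f['source']}: {f['failures']} failures, then logon at "
              f"{f['logon_at']}, followed within window by {f['followed_by']}")
```

On the sample, the only finding is jdoe from 10.0.0.50: five failures, a success at 08:00:09, and 4672 plus 4720 inside the following five minutes. The logoff at 08:30 falls outside the window and is not attached to the finding, but it still appears in the timeline.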
Windows ShellBags
• Shellbags are a set of registry keys that remember the (display) size and locations of the folders and libraries that the user has accessed on the computer.
• From a forensic point of view, we can discover:
  • Folders that have been recently accessed.
  • External media (e.g. hard disks, USB disks, CD) that had been used and accessed.
  • Zip files that had been accessed.

26
Windows ShellBags – Demo
Let's see now if we can find traces of the following actions in ShellBags:

• A user has recently inserted a CD and viewed its content,
• They have also inserted two USB drives (H: and F:) and viewed their content,
• A user has created a secret folder (called Vault) and copied some pictures into it,
• The Vault folder was marked as hidden.

27
Source: https://library.mosse-institute.com/articles/2022/05/windows-shellbags-in-digital-forensics/windows-shellbags-in-digital-forensics.html#windows-shellbags-in-digital-forensics

Windows ShellBags – Demo

Shellbags can be viewed using ShellBags Viewer.

28
