System Files Tricks For Forensic Investigations and Incident Response

This document discusses the use of system files for forensic investigations and incident response using Belkasoft software. It describes how system files can contain traces of user activity even after deletion and how tools like Belkasoft can extract these artifacts. Specific artifacts that can be uncovered include Jumplists, Windows Timeline databases, registry keys related to applications, network activity, and remote connections. The document demonstrates how these artifacts can help build a timeline of activity on an infected system. It promotes the wide range of features in Belkasoft's forensic software.


System Files Tricks for Forensic Investigations and Incident Response
Yuri Gubanov, Belkasoft
00 What is Belkasoft
About Belkasoft and its customers

• Company totally devoted to digital forensics
• Started in 2007
• Offices in the USA and Europe
• Customers in 130+ countries: mostly police/LE
• More than 3000 licenses sold all over the world

https://belkasoft.com
Belkasoft US customers

Customers from other countries
What is Belkasoft Evidence Center (BEC)

• All-in-one digital forensic software from Belkasoft
• Covers five major digital forensic branches
  • Mobile Forensics
  • Computer Forensics
  • Memory Forensics
  • Remote Forensics
  • Cloud Forensics
• For corporate customers:
  • Incident Investigations

01 Today’s agenda
Today’s agenda

• Why system files analysis?
• Forensic investigation artifacts
• Incident response artifacts

02 Why system files analysis?
Why system files analysis?

• Unlike regular files (pictures, videos, app databases), system files are less known to regular users
• Some system files are not widely known even by investigators!
• Can store explicit or implicit traces of a desktop user’s actions
• Even tools like CCleaner don’t delete every system file
• Many can be carved
• Tools like Belkasoft can help

03 System files: Forensic artifacts
Forensic artifacts supported by Belkasoft

• Jumplists
• Windows 10 Timeline
• Importance of SQLite forensics
• Registry forensics
• macOS system configuration files
• Other artifacts:
  • TOAST notifications
  • Thumbnails
  • Event logs
  • Prefetch
  • Link files (LNK)
  • etc.

Jumplists and Timeline

• Jumplists
  • Introduced in Windows Vista
  • C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\*.automaticDestinations-ms
  • Whenever a file is opened in a default app, Windows remembers that
  • Stored forever, not known by a regular user
  • Can be carved if deleted
  • Cleared jumplists are pretty suspicious

Windows 10 Timeline

• Timeline
  • Introduced in the Windows 10 April 2018 Update
  • User perspective: WinKey + Tab
  • “Jumplist on steroids”
  • Stores every switch to an app along with the duration of that app usage
  • SQLite database!
  • Freelist pages and the WAL can be found in every Timeline database
  • Not yet supported by many forensic tools

Registry forensics

• Belkasoft’s Registry Viewer
  • Opens even corrupted registries
  • Carved from hard drive or RAM
• Out of the box support for 100+ forensically important keys
  • USB devices
  • Wi-Fi connections
  • Network cards
  • Windows users
  • Timezone
  • Etc.

macOS system configuration analysis with Belkasoft

• Wireless networks: com.apple.airport.preferences.plist
• Timezone: GlobalPreferences.plist
• Spotlight (links): com.apple.spotlight.Shortcuts
• Recent searches: com.apple.finder.plist
• Recent documents: com.apple.LSSharedFileList.RecentDocuments.sfl
• Recent apps: com.apple.LSSharedFileList.RecentApplications.sfl
• IP-connection preferences: preferences.plist
• Dock panel (task panel): com.apple.dock.plist
• Installed apps: InstallHistory.plist
• User geolocation: .GlobalPreferences.plist

04 System files: Incident response artifacts
Incident response artifacts supported by Belkasoft
• Registry
  • AppInit DLLs
  • Logon Scripts
  • Startup
  • Change default file association
  • Services
  • Scheduled Tasks
  • BAM/DAM
  • Remote connections (RDP, TeamViewer and others)
• Non-standard registry files
  • Syscache
  • Amcache
  • Explorer programs
• Non-registry
  • System Event Log
  • Prefetch
  • TeamViewer
  • WMI Event Subscription

Registry-based (persistence)

• AppInit DLLs (T1103)
  • Dynamic-link libraries (DLLs) specified in the AppInit_DLLs value are loaded by user32.dll into every process that loads user32.dll (nearly all Windows processes)
  • These values can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer
• Logon scripts (T1037)
  • Batch/VBScript/JScript that is executed during user login to a Windows account
• Startup (T1060, T1165 on Mac)
  • Executed during Windows startup

Registry-based (persistence), continued

• Change default app association (T1042)
  • Binding an arbitrary program to open a given type of file
• Services (T1050, T1035)
  • Filtering services by date of installation helps
• Scheduled tasks (T1053)
  • Can be scheduled even remotely!

Registry-based (execution)

• BAM (Background Activity Moderator)
  • Windows service that controls the activity of background applications
  • Windows 10 only, starting with the Fall Creators Update (version 1709)
  • Stores the full path of each executable file that was run on the system and its last execution date/time
• DAM (Desktop Activity Moderator)
  • Similar, but controls the activity of desktop applications
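The slide says what BAM records but not how to read it. The following is an added example (not Belkasoft code) that decodes constructed BAM values: it assumes the value name under the per-user BAM key is the executable path and that the first 8 bytes of the REG_BINARY data are a Windows FILETIME of the last run.

```python
"""Decode BAM execution entries into (executable path, last run time) pairs."""
import struct
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a 64-bit FILETIME to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def make_bam_blob(when: datetime) -> bytes:
    """Constructed sample value body: 8-byte FILETIME followed by 16 zero bytes."""
    micros = (when - FILETIME_EPOCH) // timedelta(microseconds=1)
    return struct.pack("<Q", micros * 10) + b"\x00" * 16


def parse_bam_values(values: dict) -> list:
    """Turn {value name: REG_BINARY data} from one per-user BAM key into
    (path, last_run_utc) tuples ordered by time. Assumed layout: value names
    starting with a backslash are executable paths and the first 8 bytes of the
    data are the FILETIME; housekeeping values (Version, SequenceNumber) and
    blobs too short to hold a FILETIME are skipped."""
    entries = []
    for name, blob in values.items():
        if not name.startswith("\\") or len(blob) < 8:
            continue
        (filetime,) = struct.unpack_from("<Q", blob, 0)
        entries.append((name, filetime_to_datetime(filetime)))
    return sorted(entries, key=lambda entry: entry[1])


SAMPLE_VALUES = {  # constructed, not taken from a real hive
    "Version": b"\x01\x00\x00\x00",
    "SequenceNumber": b"\x2a\x00\x00\x00",
    "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe":
        make_bam_blob(datetime(2019, 3, 4, 10, 15, 0, tzinfo=timezone.utc)),
    "\\Device\\HarddiskVolume2\\Users\\bob\\AppData\\Local\\Temp\\updater.exe":
        make_bam_blob(datetime(2019, 3, 4, 9, 58, 30, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for path, last_run in parse_bam_values(SAMPLE_VALUES):
        print(last_run.isoformat(), path)
```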

Registry-based (remote connections)

• Registry stores remote connection data
  • Which remote computers connected to this one
  • Which remote computers this one connected to

NTUSER.DAT -> Software\Microsoft\Terminal Server Client\Default

Non-standard registry files

• Syscache
  • Purpose not clear
  • Stores data of SRP (Software Restriction Policies) and AppLocker
• Amcache
  • Stores data about executed apps
  • https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/

WMI Event Subscription

• Fileless malware
  • https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf

Demo of building infected computer timeline

• Filtering out cookies and file access events to simplify the timeline
• Updater.exe file in WMI subscriptions
• Batch file in Startup
• Executable run from the IE temporary folder
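The demo steps above (filter noise, then spot the three indicators) as an added example, not code from the presentation or from Belkasoft. Events, category names and the path heuristics (IE cache folder names, batch files in Startup, a WMI consumer launching an executable) are assumptions constructed for illustration.

```python
"""Merge artifact events into one timeline, drop noise, flag the demo's indicators."""
from datetime import datetime, timezone

NOISE_CATEGORIES = {"cookie", "file_access"}  # dropped to simplify the timeline

# Folder names Internet Explorer uses for its cache (legacy and current).
IE_TEMP_MARKERS = ("\\temporary internet files\\", "\\inetcache\\")


def flags_for(event: dict) -> list:
    """Return the demo indicators this event matches (heuristics assumed here)."""
    category, detail = event["category"], event["detail"].lower()
    flags = []
    if category == "execution" and detail.endswith(".exe") and any(m in detail for m in IE_TEMP_MARKERS):
        flags.append("executable run from IE temporary folder")
    if category == "startup" and detail.endswith((".bat", ".cmd")):
        flags.append("batch file in Startup")
    if category == "wmi_subscription":
        flags.append("WMI event subscription consumer")
    return flags


def build_timeline(events: list) -> list:
    """Filter out noise categories, sort chronologically and attach flags."""
    kept = [e for e in events if e["category"] not in NOISE_CATEGORIES]
    kept.sort(key=lambda e: e["time"])
    return [dict(e, flags=flags_for(e)) for e in kept]


def utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


SAMPLE_EVENTS = [  # constructed, not from a real case; deliberately unsorted
    {"time": utc(2019, 3, 4, 10, 15), "source": "BAM", "category": "execution",
     "detail": "C:\\Windows\\System32\\notepad.exe"},
    {"time": utc(2019, 3, 4, 9, 55), "source": "Cookies", "category": "cookie",
     "detail": "ads.example.net"},
    {"time": utc(2019, 3, 4, 9, 57), "source": "BAM", "category": "execution",
     "detail": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\ABCD1234\\setup.exe"},
    {"time": utc(2019, 3, 4, 9, 58), "source": "MFT", "category": "file_access",
     "detail": "C:\\Users\\bob\\Documents\\report.docx"},
    {"time": utc(2019, 3, 4, 9, 59), "source": "Startup folder", "category": "startup",
     "detail": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.bat"},
    {"time": utc(2019, 3, 4, 10, 1), "source": "WMI repository", "category": "wmi_subscription",
     "detail": "CommandLineEventConsumer -> C:\\ProgramData\\Updater.exe"},
]

if __name__ == "__main__":
    for event in build_timeline(SAMPLE_EVENTS):
        print(event["time"].isoformat(), event["source"].ljust(15), event["detail"], event["flags"] or "")
```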

Is this it?

• Belkasoft has hundreds of features on top of system file forensics
  • Mobile, cloud and computer forensics
  • Communication graph with community detection
  • Photo forgery detection
  • Geodata analysis
  • Detection of faces, scanned texts and skin tone
  • OCR in 50 languages
  • Free portable cases tool to split work at no cost
  • Scripting to customize unusual tasks
  • Integration with other major forensic software
  • And many, many more…

Test it yourself

• Free trial with full features:
  • https://belkasoft.com/trial
• Academic version
  • Up to 95% discount

• Visit our booth at the end of the hall opposite the main entrance
  • Free T-shirts and baseball caps
  • Chance to win a full license of Belkasoft Evidence Center

• Add me on LinkedIn: Yuri Gubanov, first result in search

Questions? Comments?
