Monday, October 14, 2019

Windows forensics


  • Forensics Analysis of Pagefile and hibersys File in Physical Memory


Pagefile.sys:
Microsoft Windows uses a paging file, called pagefile.sys, to store frames of memory that do not currently fit into physical memory. Although Windows supports up to 16 paging files, in practice normally only one is used.

Hiberfil.sys: the hibernation file stores the contents of memory when a Microsoft Windows system enters Hibernate mode.
These files are very useful in a digital investigation because they hold memory contents that are not otherwise stored on the physical hard disk.

https://www.hackingarticles.in/forensics-analysis-of-pagefile-and-hibersys-file-in-physical-memory/


  • How to extract forensic artifacts from pagefile.sys?


Microsoft Windows uses a paging file, called pagefile.sys, to store page-size blocks of memory that do not currently fit into physical memory.
This file, stored at %SystemDrive%\pagefile.sys, is a hidden system file that is locked while Windows is running, so it cannot be opened through the normal file API by any user, including Administrator.
It is possible to read it by parsing the raw file system, or to extract it with a tool such as FTK Imager.

Analysis with YARA rules
You can scan the extracted pagefile.sys with YARA.
Scanning the pagefile is a way to find malware artifacts that are no longer present in volatile memory:
https://www.andreafortuna.org/2019/04/17/how-to-extract-forensic-artifacts-from-pagefile-sys/



  • Finding malware on memory dumps using Volatility and Yara rules


A brief and simple workflow, useful for a first high-level analysis of memory dumps when searching for the presence of generic malware.

During the first phase of a memory dump analysis, it can be useful to check the dump for artifacts related to the best-known malware families; to do that, the image should be scanned with all the rules located in the "malware" section of the repository.

The memory analysis with Volatility
Although all Volatility commands can help you find malware, there are a few designed specifically for hunting rootkits and malicious code.

One of these is the "yarascan" plugin, which can help you locate any sequence of bytes (such as assembly instructions with wildcards), regular expressions, ANSI strings, or Unicode strings in user-mode or kernel memory.
https://www.andreafortuna.org/2018/07/16/finding-malware-on-memory-dumps-using-volatility-and-yara-rules/
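The kind of pattern scan that YARA and Volatility's yarascan run over a pagefile or memory dump (ANSI strings, UTF-16LE "wide" strings, byte sequences with wildcards, regexes), as an added Python illustration that is not code from either project or from the linked articles; it serves both the pagefile section above and this one. The sample image and the pattern table are constructed, and the chunked read with overlap is there so an artifact straddling a chunk boundary is not missed.

```python
import re

# Constructed sample standing in for a raw pagefile.sys or memory dump (not real
# evidence): zero padding, an ANSI URL placed so it straddles the first 4 KiB
# boundary, a UTF-16LE ("wide") command line as Windows stores it, and a short
# byte sequence with one byte we will wildcard.
SAMPLE_IMAGE = (
    b"\x00" * 4090
    + b"http://malicious.example/dropper.exe"
    + b"\x00" * 200
    + "powershell -enc ".encode("utf-16-le")
    + b"\x00" * 100
    + b"\x55\x8b\xec\x83\xec\x10"
    + b"\x00" * 50
)

# Hypothetical pattern table, one entry per pattern kind yarascan supports.
PATTERNS = {
    "dropper_url": ("ascii", "http://malicious.example/dropper.exe"),
    "encoded_ps": ("wide", "powershell -enc"),
    "prologue": ("hex", "55 8b ec 83 ?? 10"),
}

def compile_pattern(kind, value):
    """Map a pattern kind to a compiled bytes regex: 'ascii' (ANSI string),
    'wide' (UTF-16LE string), 'hex' (byte sequence, '??' = any byte), 'regex'."""
    if kind == "ascii":
        return re.compile(re.escape(value.encode("latin-1")))
    if kind == "wide":
        return re.compile(re.escape(value.encode("utf-16-le")))
    if kind == "hex":
        toks = [b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in value.split()]
        return re.compile(b"".join(toks), re.DOTALL)
    if kind == "regex":
        return re.compile(value.encode("latin-1"), re.DOTALL)
    raise ValueError(f"unknown pattern kind {kind!r}")

def scan_image(data, patterns, chunk_size=4096, overlap=256):
    """Scan a raw image chunk by chunk, re-reading `overlap` bytes past each chunk
    so a match across a boundary is still seen (overlap >= longest pattern).
    Returns sorted, de-duplicated (absolute_offset, pattern_name) hits."""
    compiled = {name: compile_pattern(k, v) for name, (k, v) in patterns.items()}
    hits = set()
    for pos in range(0, len(data), chunk_size):
        window = data[pos:pos + chunk_size + overlap]
        for name, rx in compiled.items():
            for m in rx.finditer(window):
                hits.add((pos + m.start(), name))  # same hit from two chunks dedups
    return sorted(hits)
```

On a real image, replace SAMPLE_IMAGE with the bytes of the extracted pagefile.sys read from disk; the offsets it reports are what you would then inspect with a hex viewer.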


  • WHAT IS UNALLOCATED SPACE AND WHY DOES IT MATTER?


Just what is unallocated space, and why is it important? Data and information are located in two areas on a computer's hard drive: allocated and unallocated space. Allocated space typically contains all active system and user-generated data, including email messages, documents, photographs, log files, and database files, in an organized structure that allows for easy access and retrieval. Unallocated space is where deleted documents, file system information, and other electronic artifacts reside on the hard drive; this material can often be recovered and analyzed through a forensic investigation. Unlike allocated space, the electronic evidence in unallocated space may be overwritten (and thus lost completely) by new data as the computer continues to be used.

For example, nefariously deleted documents can be recovered using data carving tools, which reconstruct file fragments by scanning the raw bytes of the disk and reassembling them. Similarly, fragments of emails from a web-based personal email account of the departed employee to a competitor may exist in unallocated space, which would prove the theft of company trade secrets and establish the participation of the competitor in the theft.
https://insights.bit-x-bit.com/computerforensics/what-is-unallocated-space-and-why-does-it-matter/
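The header/footer carving the paragraph describes, as an added Python illustration that is not from the linked article. The sample bytes and the signature table are constructed; the carver keeps a fragment whose footer has been overwritten rather than dropping it, because partial survival is exactly the case the paragraph warns about.

```python
SECTOR = 512

# Constructed "unallocated space" sample (not real disk data): zero-filled sectors,
# one intact PDF, then a JPEG whose tail was overwritten by later writes.
SAMPLE_UNALLOCATED = (
    b"\x00" * SECTOR
    + b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
    + b"\x00" * SECTOR
    + b"\xff\xd8\xff\xe0JFIF" + b"\x11" * 300
    + b"\x00" * SECTOR
)

# Hypothetical signature table: header, footer, and the largest file we will carve.
SIGNATURES = {
    "pdf": (b"%PDF", b"%%EOF", 1 << 20),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 1 << 20),
}

def _fragment_end(data, start, limit):
    """End of a footerless fragment: the first zero-filled sector after `start`,
    otherwise `limit` (the carve size cap)."""
    z = data.find(b"\x00" * SECTOR, start, limit)
    return z if z != -1 else limit

def carve(data, signatures):
    """Header/footer carving over raw bytes. Returns (offset, type, blob, complete)
    tuples sorted by offset; a header with no footer inside its size cap yields a
    truncated fragment with complete=False instead of being dropped."""
    results = []
    for ftype, (header, footer, max_len) in signatures.items():
        pos = data.find(header)
        while pos != -1:
            limit = min(len(data), pos + max_len)
            foot = data.find(footer, pos + len(header), limit)
            if foot != -1:
                end, complete = foot + len(footer), True
            else:
                end, complete = _fragment_end(data, pos + len(header), limit), False
            results.append((pos, ftype, data[pos:end], complete))
            pos = data.find(header, end)  # resume after this file, not inside it
    return sorted(results, key=lambda r: r[0])
```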




  • Splunk App for Stream for Enhanced Operational Intelligence from Wire Data

  Custom Content Extraction Enables Efficient Real-Time Insights

  Improved Security Posture
  • Easily and selectively analyze web traffic for security risks
  • Identify data exfiltration, including PII or exposed assets
  • Prevent data loss, perform forensics and reduce troubleshooting time

  Efficient Real-Time Business Analyses
  • Real-time granular insights into key business indicators from web traffic
  • Selective on-the-fly visibility into shopping carts, user interactions, etc.

  Efficient IT Ops and Applications Visibility
  • Monitor web services performance on-the-fly for quick troubleshooting and performance analysis
  • Enable real-time custom protocol monitoring
  https://www.slideshare.net/Splunk/splunk-app-for-stream-nyc-deck


  • FOR500: Windows Forensic Analysis


FOR500.1: Windows Digital Forensics And Advanced Data Triage
Exercises
    Install the Windows SIFT Workstation and get an orientation about its operations
    Image a hard drive for evidence using a WiebeTech UltraDock Write Blocker
    Undertake advanced triage-based acquisition and imaging - rapid acquisition
    Mount acquired disk images and evidence
    Carve important files from free space
    Recover critical user data from the pagefile, hibernation file, memory images, and unallocated space
    Recover chat sessions, web-based email, social networking, and private browsing

FOR500.2: Core Windows Forensics Part I: Windows Registry Forensics And Analysis
Exercises

    Profile a computer system using evidence found in the Registry
    Conduct a detailed profile of user activity using Registry evidence
    Examine which programs a user recently executed by examining Registry-based UserAssist, AppCompatibility, Amcache, RecentApps, BAM/DAM, and others
    Determine which files a user recently opened via the RecentDocs keys in the Registry
    Examine recently opened Office 365 files and determine first/last open times
    Find folders recently accessed by a user via the Open/Save keys in the Registry

FOR500.3: Core Windows Forensics Part II: USB Devices And Shell Items
Exercises

    Track USB and BYOD devices that were connected to the system via the Registry and file system
    Determine first and last connected times of USB devices that are plugged into your system
    Determine last removal time of USB devices that are plugged into your system
    Use Shortcut (LNK) file analysis to determine first/last times a file was opened
    Use Shellbag Registry Key Analysis to determine when a folder was accessed
    Use a jump list examination to determine when files were accessed by specific programs
    Unlock BitLocker-To-Go encrypted USB devices


FOR500.4: Core Windows Forensics Part III: Email, Key Additional Artifacts, and Event Logs
Exercises

    Employ best-of-breed forensic tools to search for relevant email and file attachments in large data sets
    Analyze message headers and gauge email authenticity using SPF and DKIM
    Understand how Extended MAPI Headers can be used in an investigation
    Effectively collect evidence from Exchange and Office365
    Learn the latest on Unified Audit Logs in Office365
    Search for Webmail and Mobile Email remnants
    Understand key concepts like email object filtering, de-duplication, and message similarity
    Use forensic software to recover deleted objects from email archives
    Gain experience with a commercial email forensics and e-discovery tool
    Perform data visualization and timeline analysis
    Analyze document metadata present in email archives
    Analyze the various versions of the Windows Recycle Bin
    Analyze Windows Prefetch files to determine thousands of application execution times
    Use the System Resource Usage Monitor (SRUM) to answer questions never before available in Windows forensics
    Merge event logs and perform advanced filtering
    Profile account usage and determine logon session length
    Audit file and folder access
    Identify evidence of time manipulation on a system
    Supplement registry analysis with BYOD device auditing, including new Windows 10 events
    Analyze historical records of wireless network associations and geolocate a device

FOR500.5: Core Windows Forensics Part IV: Web Browser Forensics for Firefox, Internet Explorer, and Chrome
Exercises

    Track a suspect's activity in browser history and cache files and identify local file access
    Analyze artifacts found within the Extensible Storage Engine (ESE) database format
    Examine which files a suspect downloaded
    Determine URLs that suspects typed, clicked on, bookmarked, or merely popped up while they were browsing
    Parse automatic crash recovery files to reconstruct previous browser sessions
    Leverage Google Analytics cookies to profile user behaviors
    Learn to manually parse SQLite databases from Firefox and Chrome
    Identify anti-forensics activity and re-construct private browsing sessions
    Investigate browser auto-complete data

FOR500.1: Windows Digital Forensics And Advanced Data Triage
    Install the Windows SIFT Workstation
    Image a hard drive for evidence using a WiebeTech UltraDock Write Blocker

FOR500.2: Core Windows Forensics Part I: Windows Registry Forensics And Analysis
    Registry Explorer
    TZWork's CAFAE and YARU (Yet Another Registry Utility)

FOR500.5: Core Windows Forensics Part IV: Web Browser Forensics for Firefox, Internet Explorer, and Chrome
Tools Used

    Nirsoft Tools
    SQLite Parsers
    ESE DatabaseView
    Hindsight

https://www.sans.org/course/windows-forensic-analysis


  • Forensic Artifacts: evidences of program execution on Windows systems

Background Activity Moderator (BAM)
BAM is a Windows service that controls the activity of background applications.
https://www.andreafortuna.org/2018/05/23/forensic-artifacts-evidences-of-program-execution-on-windows-systems/


  • Personal data, also known as personal information or personally identifying information (PII)

Sensitive personal information (SPI):
any information relating to an identifiable person
https://en.wikipedia.org/wiki/Personal_data
