Windows Forensics Analysis Cheat Sheet

Jul 17, 2024

Introduction

  • Presenter's Intro: The presenter previously published an introduction to memory forensics video.

  • Follow-up: This video covers basic Windows forensic analysis techniques, i.e. the disk and registry artifacts summarized below.

  • DFIR: Digital Forensics and Incident Response.

  • Cheat Sheet: Covers a subset of the SANS FOR 500 (formerly FOR 408) Windows forensic analysis class.

  • Certifications:

    • FOR 500 prepares for the GIAC Certified Forensic Examiner (GCFE).
    • FOR 508 prepares for the GIAC Certified Forensic Analyst (GCFA).
  • Important Note: Knowing where these artifacts live and how to read them is essential for forensic investigators.

  • OS "Spying": Windows (and macOS) record user activity for their own purposes, such as performance and convenience; that data is unintentionally useful for forensic purposes.

Windows Registry Basics

Registry Location

  • The registry is a hierarchical database of configuration settings and options for the OS, applications and users.
  • The system hive files live on disk in %SystemRoot%\System32\config (normally C:\Windows\System32\config).
  • Key system hives: DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM (these back HKEY_LOCAL_MACHINE\SAM, \SECURITY, \SOFTWARE, \SYSTEM and HKEY_USERS\.DEFAULT).

User-Specific Registry Files

  • Each user's hive is stored in that user's profile as NTUSER.DAT (C:\Users\<username>\NTUSER.DAT).
  • For the logged-in user, NTUSER.DAT is mounted as HKEY_CURRENT_USER (HKCU); other loaded user hives appear under HKEY_USERS\<SID>.
  • Extract NTUSER.DAT for every user of interest, not just the currently logged-in one; most user-activity artifacts live in it.

Registry Protective Measures

  • The hive files are locked while Windows is running, so they cannot simply be copied; use a tool that reads the raw volume (e.g. FTK Imager's "Obtain Protected Files"), a Volume Shadow Copy, or an offline image.
  • Backups: Windows keeps copies of the system hives in System32\config\RegBack. Caveat: since Windows 10 1803 these backups are no longer written by default (the files are present but 0 bytes) unless the EnablePeriodicBackup value is set, so check before relying on them.

Key Registry Artifacts

  • HKLM holds machine-wide keys (backed by the system hives); HKCU holds the current user's keys (backed by NTUSER.DAT).
  • Common Paths for Analysis (all under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer):
    • RunMRU: Commands typed into the Start > Run dialog; the MRUList value gives their most-recently-used order.
    • RecentDocs: Recently opened files, grouped by extension; entries persist after the file itself is deleted, so they can show files that no longer exist.
    • TypedPaths: Paths explicitly typed into the Windows Explorer address bar.
    • UserAssist: GUI programs executed by the user with run count and last-execution time; value names are ROT13-encoded and often start with a known-folder GUID.
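As an added example (not code from the video or from SANS), the script below decodes a UserAssist value the way a forensic parser does: ROT13 the value name, resolve the leading known-folder GUID, and unpack the 72-byte Windows 7+ record for run count, focus statistics and last-execution FILETIME. The sample value is constructed here, and the GUID-to-path table assumes a default C:\ installation.

```python
"""Decode a UserAssist entry from
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{GUID}\\Count.
Value names are ROT13-encoded program paths (often starting with a known-folder
GUID) and the value data on Windows 7 and later is a 72-byte record.
The sample value below is constructed for this example."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# KNOWNFOLDERID GUIDs that commonly prefix UserAssist names, mapped to their
# default locations (assumes a default C:\ installation).
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": r"C:\Windows",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": r"C:\Program Files",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": r"C:\Program Files (x86)",
}

def filetime_to_datetime(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC; 0 means 'never'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def decode_userassist(value_name, value_data):
    """Return the decoded program path, run count, focus statistics and last run time."""
    if len(value_data) != 72:
        # XP/Vista records are 16 bytes with a different layout; not handled here.
        raise ValueError(f"expected a 72-byte Windows 7+ UserAssist record, got {len(value_data)} bytes")
    raw_name = codecs.decode(value_name, "rot13")
    name = raw_name
    for guid, folder in KNOWN_FOLDERS.items():
        if raw_name.upper().startswith(guid):
            name = folder + raw_name[len(guid):]
            break
    # Record layout (byte offsets): 0 session id, 4 run count, 8 focus count, 12 focus time (ms),
    # 16..55 ten floats (unknown), 56 unknown, 60 last execution FILETIME, 68 unknown.
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", value_data, 0)
    (last_run,) = struct.unpack_from("<Q", value_data, 60)
    return {
        "raw_name": raw_name,
        "name": name,
        "run_count": run_count,            # Win7+ stores the true count (XP started counting at 5)
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run),
    }

def _filetime(dt):
    """Inverse of filetime_to_datetime, used only to build the constructed sample below."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

# Constructed sample: ROT13 of "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe",
# run 7 times, focused 3 times for 45 s in total, last run 2024-07-17 12:00:00 UTC.
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"
SAMPLE_DATA = (struct.pack("<4I", 0, 7, 3, 45_000) + b"\x00" * 44
               + struct.pack("<Q", _filetime(datetime(2024, 7, 17, 12, 0, tzinfo=timezone.utc)))
               + b"\x00" * 4)

if __name__ == "__main__":
    entry = decode_userassist(SAMPLE_NAME, SAMPLE_DATA)
    print(f"{entry['name']}: run {entry['run_count']}x, last run {entry['last_run']}")
```

On a live system the same records can be read with `Get-ItemProperty` under the two Windows 7+ subkeys, {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} (executables) and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} (shortcuts); from an extracted NTUSER.DAT use a hive-parsing library and feed each value into `decode_userassist`.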

Shell Bags

  • Purpose: Tracks per-folder view settings (window size, sort order, icon layout), which requires Windows to record every folder the user has browsed in Explorer.
  • Location: In NTUSER.DAT under HKCU\Software\Microsoft\Windows\Shell\BagMRU and \Bags; on Windows 7 and later most entries are in USRCLASS.DAT under HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU and \Bags.
  • Tools: ShellBags Explorer (Eric Zimmerman) for analysis.
  • Forensic Usefulness: Shows previously accessed directories, including ones since deleted and folders on removable media and network shares.

User Class Data

  • User Class Hive: Holds the per-user HKCU\Software\Classes tree (file associations, COM registrations).
  • Path: %USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat
  • Purpose: Records data for processes that are not allowed to write to the standard user hive (e.g. low-integrity / protected-mode processes); on Windows 7 and later this hive also holds most of the ShellBag keys.
  • Note: FTK Imager's "Obtain Protected Files" does not capture UsrClass.dat automatically; collect it separately.

USB Device Forensics

  • Purpose: Identify USB mass-storage devices that have been connected to the system.
  • Key Paths (SYSTEM hive):
    • Live system: HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
    • Forensic image: SYSTEM\ControlSet00N\Enum\USBSTOR, where N is the Current value of the SYSTEM\Select key (CurrentControlSet is a symbolic link that only exists on a running system).
  • Tools & Techniques:
    • Subkeys give the device class ID (Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>) and, beneath it, the unique instance ID (serial number); if the second character of the instance ID is '&', the device reported no serial and Windows generated the ID, so it is not unique to one device.
    • Timestamps: the instance key's last-write time, and on Windows 7 and later the Properties\{83da6326-97a6-4088-9453-a1923f573b29} subkeys (0064 first install, 0066 last connected, 0067 last removal), give the connection history.
    • Setup API Logs (C:\Windows\INF\setupapi.dev.log on Vista and later, setupapi.log on XP) record when the device was first installed.
    • Important: Always read the correct control set; take it from the Select key's Current value rather than assuming ControlSet001.
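An added example (not from the video) of the control-set check and the USBSTOR key parsing described above. Because a hive exported from an image has no CurrentControlSet, the code resolves it from Select\Current first, then splits each class ID into vendor, product and revision and flags instance IDs that Windows generated itself. The hive here is a constructed, dictionary-shaped stand-in; with a real SYSTEM hive you would read the same keys through a registry library or, on a live box, reg.exe, and feed them to the same functions.

```python
"""Enumerate USB mass-storage devices from an offline SYSTEM hive.  A hive from a
forensic image has no CurrentControlSet link, so the control set to read is taken
from HKLM\\SYSTEM\\Select\\Current.  SAMPLE_SYSTEM_HIVE is a constructed
dictionary stand-in for this example, not data from a real system."""
import re

# Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00  ->  type / vendor / product / revision
USBSTOR_ID = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$")

def current_control_set(system_hive):
    """Resolve CurrentControlSet the way the kernel does: Select\\Current -> ControlSet00N."""
    current = system_hive["Select"]["Current"]
    name = f"ControlSet{current:03d}"
    if name not in system_hive:
        raise KeyError(f"Select\\Current points at {name}, which is missing from the hive")
    return name

def parse_usbstor(system_hive):
    """Return one record per device instance under Enum\\USBSTOR in the current control set."""
    cs = current_control_set(system_hive)
    usbstor = system_hive[cs]["Enum"].get("USBSTOR", {})
    devices = []
    for class_id, instances in usbstor.items():
        m = USBSTOR_ID.match(class_id)
        desc = m.groupdict() if m else {"type": class_id, "vendor": "", "product": "", "rev": ""}
        for instance_id, values in instances.items():
            # Windows generates the instance ID itself when the device reports no serial
            # number; such IDs have '&' as their second character and are not device-unique.
            generated = len(instance_id) > 1 and instance_id[1] == "&"
            devices.append({
                "control_set": cs,
                "device_type": desc["type"],
                "vendor": desc["vendor"].replace("_", " ").strip(),
                "product": desc["product"].replace("_", " ").strip(),
                "revision": desc["rev"],
                # The trailing "&0" is an instance suffix, not part of the serial.
                "serial": None if generated else instance_id.rsplit("&", 1)[0],
                "instance_id": instance_id,
                "windows_generated_id": generated,
                "friendly_name": values.get("FriendlyName", ""),
            })
    return devices

SAMPLE_SYSTEM_HIVE = {  # constructed sample hive
    "Select": {"Current": 1, "Default": 1, "Failed": 0, "LastKnownGood": 2},
    "ControlSet001": {"Enum": {"USBSTOR": {
        "Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00": {
            "4C530001234567890123&0": {"FriendlyName": "SanDisk Cruzer Glide USB Device"}},
        "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": {
            "7&2f4e3a1c&0": {"FriendlyName": "Generic Flash Disk USB Device"}},
    }}},
    # Stale copy: reading it blindly would miss both devices above.
    "ControlSet002": {"Enum": {"USBSTOR": {}}},
}

if __name__ == "__main__":
    for dev in parse_usbstor(SAMPLE_SYSTEM_HIVE):
        serial = dev["serial"] or f"<Windows-generated: {dev['instance_id']}>"
        print(f"{dev['vendor']} {dev['product']} rev {dev['revision']}  serial={serial}")
```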

Network Location Awareness (NLA)

  • Registry Paths (SOFTWARE hive): HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged (and \Managed for domain networks) holds one subkey per network signature with the default gateway MAC address (DefaultGatewayMac), DNS suffix, first-seen network name (FirstNetwork) and a ProfileGuid; the matching HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID} key holds the profile name, NameType, DateCreated and DateLastConnected.
  • Forensic Usage: Track which networks (SSIDs, domains, gateways) the machine has connected to and when.
  • Profile Classification: NameType 0x06 (6) = wired, 0x17 (23) = VPN/broadband, 0x47 (71) = wireless.
  • Time Data: DateCreated and DateLastConnected are 16-byte SYSTEMTIME structures (eight little-endian 16-bit fields: year, month, day-of-week, day, hour, minute, second, milliseconds) in the machine's local time; they decode into readable date/time values.
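The decoding step above, as an added example that is not part of the video: unpack the SYSTEMTIME fields, cross-check the stored day-of-week against the date (a cheap corruption test), map NameType, and join the profile with its Signatures\Unmanaged entry. The profile and signature values are constructed for this example.

```python
"""Decode a NetworkList profile from the SOFTWARE hive:
Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{GUID} (name, NameType,
DateCreated, DateLastConnected) joined with the Signatures\\Unmanaged entry that
carries the same ProfileGuid (gateway MAC, DNS suffix, first-seen network name).
The two value sets at the bottom are constructed for this example."""
import struct
from datetime import datetime

# NameType values written by Network Location Awareness.
NAME_TYPES = {0x06: "Wired", 0x17: "VPN/Broadband", 0x47: "Wireless"}

def decode_systemtime(raw):
    """SYSTEMTIME: eight little-endian uint16 fields (year, month, day-of-week, day,
    hour, minute, second, milliseconds).  NetworkList stores these in the machine's
    local time, so the result is naive; apply the system's time zone afterwards."""
    if len(raw) != 16:
        raise ValueError(f"SYSTEMTIME must be 16 bytes, got {len(raw)}")
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    dt = datetime(year, month, day, hour, minute, second, ms * 1000)
    # Consistency check: SYSTEMTIME day-of-week is 0 = Sunday, datetime.weekday() is 0 = Monday.
    if (dt.weekday() + 1) % 7 != dow:
        raise ValueError(f"day-of-week {dow} does not match {dt.date()}; value may be corrupt")
    return dt

def format_mac(raw):
    """6 raw bytes (DefaultGatewayMac) -> AA:BB:CC:DD:EE:FF."""
    return ":".join(f"{b:02X}" for b in raw)

def describe_profile(profile_guid, profile, signature):
    """Join a Profiles\\{GUID} value set with the Signatures\\Unmanaged entry that references it."""
    if signature.get("ProfileGuid") != profile_guid:
        raise ValueError("signature does not reference this profile")
    name_type = profile["NameType"]
    return {
        "profile_name": profile["ProfileName"],
        "type": NAME_TYPES.get(name_type, f"unknown (0x{name_type:02X})"),
        "created_local": decode_systemtime(profile["DateCreated"]),
        "last_connected_local": decode_systemtime(profile["DateLastConnected"]),
        "gateway_mac": format_mac(signature["DefaultGatewayMac"]),
        "first_network": signature.get("FirstNetwork", ""),
        "dns_suffix": signature.get("DnsSuffix", ""),
    }

# Constructed sample: a wireless profile created Wed 2024-07-17 09:12:30 local time.
SAMPLE_GUID = "{6F3A2C41-5D8E-4B19-9C2A-7E1F0D3B4A55}"          # key name under Profiles
SAMPLE_PROFILE = {
    "ProfileName": "CoffeeShop_Guest", "Description": "CoffeeShop_Guest", "NameType": 0x47,
    "DateCreated": struct.pack("<8H", 2024, 7, 3, 17, 9, 12, 30, 0),
    "DateLastConnected": struct.pack("<8H", 2024, 7, 3, 17, 14, 5, 47, 250),
}
SAMPLE_SIGNATURE = {                                              # Signatures\Unmanaged\<hash>
    "ProfileGuid": SAMPLE_GUID, "Description": "CoffeeShop_Guest", "Source": 8,
    "DnsSuffix": "<none>", "FirstNetwork": "CoffeeShop_Guest",
    "DefaultGatewayMac": bytes.fromhex("0013105A6B7C"),
}

if __name__ == "__main__":
    info = describe_profile(SAMPLE_GUID, SAMPLE_PROFILE, SAMPLE_SIGNATURE)
    print(f"{info['profile_name']} ({info['type']}) gateway {info['gateway_mac']}: "
          f"created {info['created_local']}, last connected {info['last_connected_local']}")
```

The day-of-week check matters because a handful of corrupt or hand-edited values will otherwise decode into plausible-looking but wrong dates; a mismatch is a signal to look at the hive's key last-write times instead.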

Link File Analysis (LNK Files)

  • Purpose: Shortcut files (*.lnk) record metadata about the file they point to and the volume and host they were created on. Windows creates them automatically when a user opens a file (in %APPDATA%\Microsoft\Windows\Recent), so they show file interactions even when the user never made a shortcut.
  • Key Details in LNK:
    • Target path, target size and the target's created/accessed/modified timestamps, volume serial number, volume label and drive type, and (in the TrackerDataBlock) the NetBIOS name and MAC address of the host on which the target's object ID was assigned.
    • The LNK files in Recent persist after the target file is deleted or the removable drive is gone, so they can prove a file once existed and where.
  • Utility: Tools such as ExifTool and lp.exe extract the metadata.
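An added example, not from the video or from any of the tools named above, showing where in the MS-SHLLINK layout those fields come from: the fixed 76-byte ShellLinkHeader (timestamps, size), the LinkInfo structure (drive type, volume serial, local path) and the TrackerDataBlock, whose second Droid GUID is a version-1 UUID that embeds the host's MAC address and a timestamp. The shortcut parsed here is constructed in memory, so the script runs offline; `parse_lnk` accepts the bytes of a real .lnk file as well.

```python
"""Parse the investigator-relevant parts of a Windows shortcut (.lnk, MS-SHLLINK):
target timestamps and size from the ShellLinkHeader, drive type, volume serial and
local path from LinkInfo, and the creating host's NetBIOS name and MAC address from
the TrackerDataBlock.  build_sample_lnk() constructs a shortcut in memory for this
example; parse_lnk() works equally on the bytes of a real .lnk file."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=UTC)     # epoch of version-1 UUID timestamps
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
TRACKER_BLOCK_SIG = 0xA0000003
DRIVE_TYPES = {2: "removable", 3: "fixed", 4: "remote", 5: "cdrom", 6: "ramdisk"}

def ticks_since(dt, epoch):
    """100-ns ticks between epoch and dt, in integer arithmetic to avoid float rounding."""
    d = dt - epoch
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def from_ticks(ticks, epoch):
    return None if ticks == 0 else epoch + timedelta(microseconds=ticks // 10)

def parse_lnk(data):
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    result = {"target_size": size,
              "target_created": from_ticks(ctime, FILETIME_EPOCH),
              "target_accessed": from_ticks(atime, FILETIME_EPOCH),
              "target_modified": from_ticks(wtime, FILETIME_EPOCH)}
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the ItemIDList (shell items not parsed here)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        info_size, _hdr_size, info_flags, vol_off, base_off = struct.unpack_from("<5I", data, pos)
        if info_flags & 0x1:                     # VolumeIDAndLocalBasePath present
            _vol_size, drive_type, serial = struct.unpack_from("<3I", data, pos + vol_off)
            result["drive_type"] = DRIVE_TYPES.get(drive_type, f"type {drive_type}")
            result["volume_serial"] = f"{serial:08X}"
            base = pos + base_off
            result["local_base_path"] = data[base:data.index(b"\x00", base)].decode("cp1252")
        pos += info_size
    for bit in STRING_DATA_FLAGS:                # StringData: 2-byte char count + chars, no terminator
        if flags & bit:
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * (2 if flags & IS_UNICODE else 1)
    while pos + 8 <= len(data):                  # ExtraData blocks; a block of size < 4 terminates
        block_size, sig = struct.unpack_from("<II", data, pos)
        if block_size < 4:
            break
        if sig == TRACKER_BLOCK_SIG:
            result["machine_id"] = data[pos + 16:pos + 32].split(b"\x00", 1)[0].decode("ascii", "replace")
            file_droid = uuid.UUID(bytes_le=data[pos + 48:pos + 64])   # second GUID of Droid
            if file_droid.version == 1:          # v1 UUID: node = MAC address, time = object-id birth
                result["mac_address"] = ":".join(f"{b:02X}" for b in file_droid.bytes[-6:])
                result["object_id_time"] = from_ticks(file_droid.time, UUID_EPOCH)
        pos += block_size
    return result

def build_sample_lnk():
    """Constructed sample: shortcut to C:\\Users\\bob\\Documents\\budget.xlsx made on WORKSTATION-07."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, HAS_LINK_INFO, 0x20,
                         ticks_since(datetime(2024, 7, 1, 9, 0, tzinfo=UTC), FILETIME_EPOCH),
                         ticks_since(datetime(2024, 7, 17, 8, 30, tzinfo=UTC), FILETIME_EPOCH),
                         ticks_since(datetime(2024, 7, 16, 17, 45, tzinfo=UTC), FILETIME_EPOCH),
                         48_213, 0, 1, 0, 0, 0, 0)
    label, path = b"OSDISK\x00", b"C:\\Users\\bob\\Documents\\budget.xlsx\x00"
    volume_id = struct.pack("<4I", 16 + len(label), 3, 0x1A2B3C4D, 16) + label
    vol_off, base_off = 28, 28 + len(volume_id)
    suffix_off = base_off + len(path)
    link_info = (struct.pack("<7I", suffix_off + 1, 28, 0x1, vol_off, base_off, 0, suffix_off)
                 + volume_id + path + b"\x00")
    t = ticks_since(datetime(2024, 7, 1, 9, 0, tzinfo=UTC), UUID_EPOCH)
    file_droid = uuid.UUID(fields=(t & 0xFFFFFFFF, (t >> 32) & 0xFFFF, (t >> 48) | 0x1000,
                                   0x9C, 0x0A, 0x001122334455))
    vol_droid = uuid.UUID("3f2504e0-4f89-41d3-9a0c-0305e82c3301")
    tracker = (struct.pack("<IIII", 0x60, TRACKER_BLOCK_SIG, 0x58, 0)
               + b"WORKSTATION-07".ljust(16, b"\x00")
               + (vol_droid.bytes_le + file_droid.bytes_le) * 2)   # Droid and DroidBirth identical
    return header + link_info + tracker + b"\x00\x00\x00\x00"       # TerminalBlock

if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key:20} {value}")
```

When Droid and DroidBirth differ, the file was moved between volumes after its object ID was first assigned; the MAC address in the tracker block is only present when the volume is NTFS and the creating host actually had a MAC-based object ID, so treat its absence as "unknown", not "no network interface".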

Prefetch & SuperFetch

  • Purpose: Prefetch speeds application start-up by recording which files and pages a program touches in its first seconds; SuperFetch (the SysMain service) builds on it to pre-load frequently used data into memory.
  • Evidence: Each .pf file shows that an application executed, with its run count, last run time(s) (the 8 most recent on Windows 8 and later) and the files and directories it referenced. Entries are system-wide (not attributable to a user) and include command-line programs, not just GUI applications.
  • Location: %SystemRoot%\Prefetch (C:\Windows\Prefetch), files named <EXENAME>-<HASH>.pf; the hash is derived from the executable's path, so the same binary run from a different location gets a different file. At most 128 files are kept on XP through Windows 7, 1024 on Windows 8 and later. SuperFetch data is in the Ag*.db files in the same folder.
  • Caveats: On Windows 10 the .pf files are compressed (they start with the MAM signature), so tools must decompress them before parsing; Prefetch is disabled by default on Windows Server.
  • Analysis Tool: WinPrefetchView from NirSoft (PECmd is another common choice).
  • Registry Control Key: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters, value EnablePrefetcher (0 = disabled, 1 = application launch, 2 = boot, 3 = both). Check it before concluding that an empty Prefetch folder means nothing was run.

Conclusion

  • Importance: Prefetch, UserAssist, the registry hives, LNK files, ShellBags and similar artifacts provide vital forensic data.
  • Tools: Validate findings with more than one tool; parsers disagree on edge cases.
  • Depth: This only scratches the surface; more detailed videos on individual artifacts are planned.

Next Steps: Subscribe, like video for more forensic analysis content.