Cybersecurity Learner
0%

Forensics Summary

Posted on In

Digital forensics

  1. Registry keys and their locations
  2. Prefetch files
    Find from C:\Windows\Prefetch
  3. Browser history - use Browsinghistoryview-x64
    Find from C:\Users%username%\AppData\Local\Microsoft\Windows\History
  4. Cache - use IECacheView
    Find from C:\Users%USER%\AppData\Local\Microsoft\Windows\WebCache
  5. Cookies - use IECookieViewer
    Find from C:\Users%username%\AppData\Roaming\Microsoft\Windows\Cookies
  6. Windows firewall logs
    Find from C:\Windows\system32\logfiles\firewall\pfirewall.log
  7. Windows event logs
    Find from C:\Windows\System32\config
  8. If you have full access to the source, the easiest way to determine when a USB was installed
    Find from C:\Windows\inf\setupapi.dev.log
  9. OS name and product ID
    Find from HKEY_LOCAL_MACHINE\TEST\Microsoft\Windows NT\CurrentVersion 14
  10. Check URLs under NTuser.dat
    under raw data\software\microsoft\typed urls
  11. SYSTEM file can show the network connection information
  12. Chrome cache - use ChromeCacheView
    Find from C:\Users%username\Desktop\Google\AppData\Local\Google\Chrome\User Data\default\Cache
  13. Chrome history - use ChromeHistoryView
    Find from C:\Users\username\Desktop\Google\AppData\Local\Google\Chrome\User Data\Default\History
    More useful tools
    Autopsy, Windows Registry Recovery, RegRipper, Technology Pathways ProDiscover Basic.

Network forensics

  1. Some useful tools
    Snort, Security onion, Pfsense, Wireshark, NetworkMiner.
  2. A useful website to practice
    Find from https://www.malware-traffic-analysis.net/training-exercises.html

Memory forensics

  1. A useful tool - Volatility
  2. Some examples:

Identify the information for the captured image

1
volatility_2.6_win64_standalone.exe -f citadeldc01.mem imageinfo

Print process list as a tree

1
volatility_2.6_win64_standalone.exe -f citadeldc01.mem --profile=Win8SP1x64 pstree

Show the running processes

1
volatility_2.6_win64_standalone.exe -f citadeldc01.mem --profile=Win8SP1x64 pslist

Print list of loaded dlls for the Pid 404 process

1
volatility_2.6_win64_standalone.exe -f citadeldc01.mem --profile=Win8SP1x64 dlllist -p 404

View active & previous network connections

1
volatility_2.6_win64_standalone.exe -f citadeldc01.mem --profile=Win8SP1x64 connections

To find hidden and injected code

1
volatility_2.6_win64_standalone.exe -f citadeldc01.mem --profile=Win8SP1x64 malfind

IE history records

1
volatility_2.6_win64_standalone.exe -f citadeldc01.mem --profile=Win8SP1x64 iehistory

Review the services list

1
volatility_2.6_win64_standalone.exe -f citadeldc01.mem --profile=Win8SP1x64 svcscan

Live response (triage)

Use LiveResponseCollection-Cedarpelta
Find from https://www.brimorlabsblog.com/2019/04/live-response-collection-cedarpelta.html