This is going to be an intro to Windows forensics. Before you start finding mistakes in this article, I think you should know that I am not that good with Windows and Active Directory. But this post will give you some idea of Windows forensics: how it works, where you look for things, what things, etc.
For demonstration purposes, I picked this Expert Witness file (E01) of a compromised Windows server from CyberDefenders. You can acquire an E01 image of a system with FTK Imager (on Windows) or ewfacquire (on Linux). You can download FTK Imager from here; ewfacquire comes in the ewf-tools package, which is in the Kali repo. You can install it with this command:
apt install ewf-tools
but I am not going to show how to create one in this article, maybe some other day.
So I have this `AD.E01` file, which I can mount with the ewfmount tool.
mkdir ewf_dir
ewfmount ./AD.E01 ./ewf_dir
and then you can mount that DOS/MBR image with the `mount` command.
mkdir mount_point
mount -o ro,loop,show_sys_files,streams_interface=windows ./ewf_dir/ewf1 mount_point/
This is an NTFS file system (used by Windows), which we just mounted on a directory of our ext4 file system (used by Linux).
So these are the files we will need while searching for answers in an investigation. We can literally find anything in here (a file that was modified after a malicious file was executed on the system, or maybe info related to system updates or some crashes).
Most of the information about a Windows system can be found in its registry hives. To enumerate them on Linux, we can use tools like `hivexsh`, `hivexget` and `hivexml`. The hives and the files they live in:
HKEY_LOCAL_MACHINE\SYSTEM : \system32\config\system
HKEY_LOCAL_MACHINE\SAM : \system32\config\sam
HKEY_LOCAL_MACHINE\SECURITY : \system32\config\security
HKEY_LOCAL_MACHINE\SOFTWARE : \system32\config\software
HKEY_USERS\UserProfile : \winnt\profiles\username
HKEY_USERS\.DEFAULT : \system32\config\default
- OS product name:
07:42:24 root@kali-lucky config → hivexget ./SOFTWARE '\Microsoft\Windows NT\CurrentVersion'
"SystemRoot"="C:\\Windows"
"BuildBranch"="rs1_release"
"BuildGUID"="ffffffff-ffff-ffff-ffff-ffffffffffff"
"BuildLab"="14393.rs1_release_inmarket.160906-1818"
"BuildLabEx"="14393.187.amd64fre.rs1_release_inmarket.160906-1818"
"CompositionEditionID"="EnterpriseS"
"CurrentBuild"="14393"
...
...
"ProductId"="00378-20000-00003-AA721"
"RegisteredOwner"="Windows User"
"RegisteredOrganization"=""
"InstallTime"=hex(11):dd,3e,32,1e,5d,dd,d7,01
- Last Logon on the system
07:56:02 root@kali-lucky config → hivexget ./SOFTWARE '\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
"ShowTabletKeyboard"=dword:00000000
"IdleTime"=dword:00000000
"LastLoggedOnUser"="CYBERDEFENDERS\\0xMohammed"
"SelectedUserSID"="S-1-5-21-3200536464-3375982059-3076520942-500"
"LastLoggedOnSAMUser"="CYBERDEFENDERS\\0xMohammed"
"LastLoggedOnUserSID"="S-1-5-21-3200536464-3375982059-3076520942-500"
"LastLoggedOnProvider"="{60B78E88-EAD8-445C-9CFD-0B87F74EA6CD}"
"NetworkStatusType"=dword:00000000
"IsFirstLogonAfterSignOut"=dword:00000000
"LastLoggedOnDisplayName"="Mohammed Hasan"
- Programs executed at logon
10:50:06 root@kali-lucky config → hivexget ./SOFTWARE '\Microsoft\Windows\CurrentVersion\Run'
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
- Drive information
10:57:43 root@kali-lucky config → hivexget ./SYSTEM '\MountedDevices'
"\\DosDevices\\C:"=hex(3):44,4d,49,4f,3a,49,44,3a,b3,05,d9,fa,35,fb,bd,4d,ab,31,a4,4f,02,28,09,d2
"\\??\\Volume{8cf4cfff-49a3-11ec-910f-806e6f6e6963}"=hex(3):5c,00,3f,00,3f,00,5c,00,53,00,43,00,53,00,49,00,23,00,43,00,64,00,52,00,6f,00,6d,00,26,00,56,00,65,00,6e,00,5f,00,4e,00,45,00,43,00,56,00,4d,00,57,00,61,00,72,00,26,00,50,00,72,00,6f,00,64,00,5f,00,56,00,4d,00,77,00,61,00,72,00,65,00,5f,00,53,00,41,00,54,00,41,00,5f,00,43,00,44,00,30,00,31,00,23,00,35,00,26,00,32,00,65,00,64,00,66,00,30,00,38,00,64,00,64,00,26,00,30,00,26,00,30,00,31,00,30,00,30,00,30,00,30,00,23,00,7b,00,35,00,33,00,66,00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00
"\\DosDevices\\D:"=hex(3):5c,00,3f,00,3f,00,5c,00,53,00,43,00,53,00,49,00,23,00,43,00,64,00,52,00,6f,00,6d,00,26,00,56,00,65,00,6e,00,5f,00,4e,00,45,00,43,00,56,00,4d,00,57,00,61,00,72,00,26,00,50,00,72,00,6f,00,64,00,5f,00,56,00,4d,00,77,00,61,00,72,00,65,00,5f,00,53,00,41,00,54,00,41,00,5f,00,43,00,44,00,30,00,30,00,23,00,35,00,26,00,32,00,65,00,64,00,66,00,30,00,38,00,64,00,64,00,26,00,30,00,26,00,30,00,30,00,30,00,30,00,30,00,30,00,23,00,7b,00,35,00,33,00,66,00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00
"\\??\\Volume{9c2214e2-4a0b-11ec-9115-000c2949dd0d}"=hex(3):5c,00,3f,00,3f,00,5c,00,53,00,43,00,53,00,49,00,23,00,43,00,64,00,52,00,6f,00,6d,00,26,00,56,00,65,00,6e,00,5f,00,4e,00,45,00,43,00,56,00,4d,00,57,00,61,00,72,00,26,00,50,00,72,00,6f,00,64,00,5f,00,56,00,4d,00,77,00,61,00,72,00,65,00,5f,00,53,00,41,00,54,00,41,00,5f,00,43,00,44,00,30,00,30,00,23,00,35,00,26,00,32,00,65,00,64,00,66,00,30,00,38,00,64,00,64,00,26,00,30,00,26,00,30,00,30,00,30,00,30,00,30,00,30,00,23,00,7b,00,35,00,33,00,66,00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00
There were some questions I couldn't solve because, as I told you, I am not that good at Windows. There was this question where I needed to find out the IP address of the machine. It could be solved by looking into `\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\` in the SYSTEM hive, but I didn't find anything there. There was no `CurrentControlSet`; instead there was `ControlSet001`, where I didn't find anything related to network adapters. (In an offline hive `CurrentControlSet` does not exist: Windows creates it at boot as a link to the `ControlSetNNN` named by the `Current` value under the `Select` key, so that is the set to look in.)
The next important thing we are going to analyze is the Mozilla Firefox browser, I mean the browser history and some related stuff. It is mostly the same on any OS; actually, it depends more on the browser. For example, if you are analyzing the Brave browser, chances are it stores its data somewhere else.
- What link did the user visit on 2021-11-22 at 19:45:55 UTC?
First of all, I need to find which user has Mozilla Firefox data. Usually, Firefox and other applications store their data in the user's AppData dir, and I guess we can find it with the `find` command on Linux.
11:14:29 root@kali-lucky mount_point → find . -name 'Mozilla'
./ProgramData/Mozilla
./Users/administrator/AppData/Local/Mozilla
./Users/administrator/AppData/LocalLow/Mozilla
./Users/administrator/AppData/Roaming/Mozilla
./Users/labib/AppData/Local/Mozilla
./Users/labib/AppData/LocalLow/Mozilla
./Users/labib/AppData/Roaming/Mozilla
./Windows/System32/Tasks/Mozilla
We can look into the labib user's AppData dir, and eventually you will come across this path:
./Users/labib/AppData/Roaming/Mozilla/Firefox/Profiles/2305bdnv.default-release/
This is the location of a Firefox browser profile for the user `labib`, and there is a file called `places.sqlite` which contains all the history. There are many forensics tools for it, and you can also do it online.
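A question like the one above (which URL was visited at a given second) can be answered straight from `places.sqlite` with the sqlite3 module. The following is an added example of mine, not code from the post or from Mozilla: visits live in `moz_historyvisits`, whose `visit_date` is PRTime (microseconds since the Unix epoch, UTC), and the URL is joined from `moz_places`. It assumes you copied `places.sqlite` out of the mounted image together with its `places.sqlite-wal` sibling, since Firefox keeps the newest visits in the write-ahead log; to run it offline it builds a constructed in-memory stand-in with made-up URLs and times, so the function and column names are mine and the URLs are not from the image.

```python
"""Query Firefox history from places.sqlite by timestamp (added example, not from the post)."""
import sqlite3
from datetime import datetime, timezone


def open_profile_db(path):
    """Open a copied places.sqlite read-only. Copy places.sqlite-wal next to it too,
    otherwise the newest visits (still in the write-ahead log) are missing."""
    return sqlite3.connect(f'file:{path}?mode=ro', uri=True)


def _parse_utc(text):
    return datetime.strptime(text, '%Y-%m-%d %H:%M:%S').replace(tzinfo=timezone.utc)


def _prtime(dt):
    """Firefox stores visit_date as PRTime: microseconds since the Unix epoch, UTC."""
    return int(dt.timestamp()) * 1_000_000


def _utc(prtime):
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc)


def history(conn):
    """All visits as (ISO timestamp, url, title), oldest first."""
    rows = conn.execute(
        'SELECT v.visit_date, p.url, p.title '
        'FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id '
        'ORDER BY v.visit_date').fetchall()
    return [(_utc(ts).isoformat(), url, title) for ts, url, title in rows]


def visits_at(conn, when_utc):
    """URLs visited in the one-second window starting at 'YYYY-MM-DD HH:MM:SS' UTC."""
    start = _prtime(_parse_utc(when_utc))
    rows = conn.execute(
        'SELECT p.url FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id '
        'WHERE v.visit_date >= ? AND v.visit_date < ? ORDER BY v.visit_date',
        (start, start + 1_000_000)).fetchall()
    return [url for (url,) in rows]


def build_sample_db():
    """Constructed in-memory stand-in for places.sqlite with only the columns the
    queries use (a real profile has many more columns and tables)."""
    conn = sqlite3.connect(':memory:')
    conn.executescript('''
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER,
                                        visit_type INTEGER);
    ''')
    # Made-up URLs and times; only the second visit falls on the 19:45:55 second.
    places = [(1, 'https://example.com/', 'Example Domain'),
              (2, 'https://example.org/files/update.zip', None),
              (3, 'https://example.net/', 'Example')]
    times = ['2021-11-22 19:44:10', '2021-11-22 19:45:55', '2021-11-22 19:45:56']
    for (pid, url, title), t in zip(places, times):
        ts = _prtime(_parse_utc(t))
        conn.execute('INSERT INTO moz_places VALUES (?,?,?,?,?)', (pid, url, title, 1, ts))
        conn.execute('INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)', (pid, 0, pid, ts, 1))
    conn.commit()
    return conn


if __name__ == '__main__':
    db = build_sample_db()            # or: open_profile_db('places.sqlite')
    for row in history(db):
        print(*row)
    print('at 19:45:55 ->', visits_at(db, '2021-11-22 19:45:55'))
```

Querying a one-second window rather than an exact equality matters because the question gives the time to the second while `visit_date` carries microseconds.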
- Mozilla Firefox extensions info
Contents of ./Users/labib/AppData/Roaming/Mozilla/Firefox/Profiles/2305bdnv.default-release/extensions.json:
{
"schemaVersion": 33,
"addons": [
{
"id": "[email protected]",
"syncGUID": "{006fb1b4-8ffc-4488-a04f-f7e469e9e2ca}",
"version": "2.0.0",
"type": "extension",
"loader": null,
"updateURL": null,
"optionsURL": null,
"optionsType": null,
"optionsBrowserStyle": true,
"aboutURL": null,
"defaultLocale": {
"name": "DoH Roll-Out",
"description": "This used to be a Mozilla add-on that supported the roll-out of DoH, but now only exists as a stub to enable migrations.",
"creator": null,
"developers": null,
"translators": null,
"contributors": null
...
...
- Saved cookies
File: Users/labib/AppData/Roaming/Mozilla/Firefox/Profiles/2305bdnv.default-release/cookies.sqlite
Now comes the part where we will be analyzing the memory dump with the very famous forensics tool Volatility. If you haven't used this tool for a while, you should know that there are two versions of it (Volatility 2 and Volatility 3); we can use either one. I had already extracted the memory dump (into AD-MEM) from the zip I downloaded, and I also have Volatility installed on my Kali Linux. You can check it out on its GitHub repo.
- Windows process list
PS D:\volatility3> python .\vol.py -f ..\AD-MEM\memory.dmp windows.pslist.PsList
Volatility 3 Framework 2.3.0
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0xba033d2ae040 119 - N/A False 2021-11-20 14:10:38.000000 N/A Disabled
292 4 smss.exe 0xba033e53e800 2 - N/A False 2021-11-20 14:10:39.000000 N/A Disabled
416 404 csrss.exe 0xba033eadb280 11 - 0 False 2021-11-20 14:11:15.000000 N/A Disabled
508 292 smss.exe 0xba033eec6080 0 - 1 False 2021-11-20 14:11:21.000000 2021-11-20 14:11:22.000000 Disabled
516 508 csrss.exe 0xba033eec0580 11 - 1 False 2021-11-20 14:11:22.000000 N/A Disabled
540 404 wininit.exe 0xba033eebf080 1 - 0 False 2021-11-20 14:11:22.000000 N/A Disabled
572 508 winlogon.exe 0xba033eefa080 2 - 1 False 2021-11-20 14:11:22.000000 N/A Disabled
664 540 services.exe 0xba033ef77080 5 - 0 False 2021-11-20 14:11:35.000000 N/A Disabled
672 540 lsass.exe 0xba033ef746c0 36 - 0 False 2021-11-20 14:11:38.000000 N/A Disabled
860 664 svchost.exe 0xba033efb4080 15 - 0 False 2021-11-20 14:12:14.000000 N/A Disabled
912 664 svchost.exe 0xba033ee9c800 8 - 0 False 2021-11-20 14:12:16.000000 N/A Disabled
1016 572 dwm.exe 0xba033f362080 14 - 1 False 2021-11-20 14:12:23.000000 N/A Disabled
356 664 svchost.exe 0xba033ee98800 41 - 0 False 2021-11-20 14:12:24.000000 N/A Disabled
512 664 svchost.exe 0xba033ee96800 14 - 0 False 2021-11-20 14:12:24.000000 N/A Disabled
796 664 svchost.exe 0xba033ee92800 15 - 0 False 2021-11-20 14:12:27.000000 N/A Disabled
848 664 svchost.exe 0xba033ee90800 31 - 0 False 2021-11-20 14:12:27.000000 N/A Disabled
1100 664 svchost.exe 0xba033ef56800 39 - 0 False 2021-11-20 14:12:34.000000 N/A Disabled
1220 664 svchost.exe 0xba033f3fa800 10 - 0 False 2021-11-20 14:12:42.000000 N/A Disabled
1228 664 svchost.exe 0xba033f3fc800 23 - 0 False 2021-11-20 14:12:42.000000 N/A Disabled
1544 664 svchost.exe 0xba033f3d3080 6 - 0 False 2021-11-20 14:13:02.000000 N/A Disabled
1832 664 spoolsv.exe 0xba033f6d6800 10 - 0 False 2021-11-20 14:13:27.000000 N/A Disabled
1884 664 svchost.exe 0xba033f7bd800 9 - 0 False 2021-11-20 14:13:32.000000 N/A Disabled
1956 664 svchost.exe 0xba033f7e76c0 8 - 0 False 2021-11-20 14:13:33.000000 N/A Disabled
1964 664 dns.exe 0xba033f79f800 21 - 0 False 2021-11-20 14:13:33.000000 N/A Disabled
2020 664 ismserv.exe 0xba033f7d7800 8 - 0 False 2021-11-20 14:13:34.000000 N/A Disabled
688 664 wlms.exe 0xba033f7a75c0 2 - 0 False 2021-11-20 14:13:35.000000 N/A Disabled
1280 664 vm3dservice.ex 0xba033f7d1800 2 - 0 False 2021-11-20 14:13:35.000000 N/A Disabled
1272 664 MsMpEng.exe 0xba033f7cb800 34 - 0 False 2021-11-20 14:13:36.000000 N/A Disabled
1540 664 dfssvc.exe 0xba033f7c9800 11 - 0 False 2021-11-20 14:13:38.000000 N/A Disabled
2184 1280 vm3dservice.ex 0xba033f6c7080 2 - 1 False 2021-11-20 14:14:03.000000 N/A Disabled
1560 664 msdtc.exe 0xba033f493080 9 - 0 False 2021-11-20 14:16:17.000000 N/A Disabled
1936 3064 MpCmdRun.exe 0xba0341950800 6 - 0 False 2021-11-20 14:16:22.000000 N/A Disabled
1456 664 Microsoft.Acti 0xba034180a540 10 - 0 False 2021-11-20 14:16:30.000000 N/A Disabled
1432 860 RuntimeBroker. 0xba033f7af680 8 - 1 False 2021-11-20 14:20:04.000000 N/A Disabled
80 356 sihost.exe 0xba0341a1b700 9 - 1 False 2021-11-20 14:20:05.000000 N/A Disabled
1976 664 svchost.exe 0xba033ff59080 8 - 1 False 2021-11-20 14:20:05.000000 N/A Disabled
2140 356 taskhostw.exe 0xba033f499800 10 - 1 False 2021-11-20 14:20:05.000000 N/A Disabled
2288 572 userinit.exe 0xba0341825340 0 - 1 False 2021-11-20 14:20:10.000000 2021-11-20 14:20:38.000000 Disabled
These are the processes that were present when the forensics expert was creating this memory dump. And sorry that I am using Windows here instead of Linux: I have some really bad problems with my Python versions on Linux, and I am lazy as hell, I don't even try to fix them. Anyway, the syntax of this tool is quite simple (I am using Volatility 3).
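Reading a pslist table by eye gets hard past a few dozen rows, so a first triage pass is to rebuild the parent/child tree and check core Windows processes against the parent they normally have (services.exe and lsass.exe under wininit.exe, svchost.exe under services.exe, dwm.exe and userinit.exe under winlogon.exe, and so on). The script below is an added example of mine, not code from the post or from the Volatility project. Its sample is a subset of the rows above plus one constructed row (PID 9999, an svchost.exe whose parent is dwm.exe) so that the rule check has something to catch; the parent rules and function names are my own. csrss.exe, wininit.exe and winlogon.exe are treated as legitimately parentless, because the per-session smss.exe that starts them exits right away.

```python
"""Parent/child sanity checks over Volatility 3 windows.pslist output
(added example, not from the post or the Volatility project)."""

# Constructed sample: rows copied from the pslist output above, plus one made-up
# row (PID 9999) whose parent is dwm.exe, which svchost.exe should never have.
SAMPLE = """\
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0xba033d2ae040 119 - N/A False 2021-11-20 14:10:38.000000 N/A Disabled
292 4 smss.exe 0xba033e53e800 2 - N/A False 2021-11-20 14:10:39.000000 N/A Disabled
416 404 csrss.exe 0xba033eadb280 11 - 0 False 2021-11-20 14:11:15.000000 N/A Disabled
508 292 smss.exe 0xba033eec6080 0 - 1 False 2021-11-20 14:11:21.000000 2021-11-20 14:11:22.000000 Disabled
516 508 csrss.exe 0xba033eec0580 11 - 1 False 2021-11-20 14:11:22.000000 N/A Disabled
540 404 wininit.exe 0xba033eebf080 1 - 0 False 2021-11-20 14:11:22.000000 N/A Disabled
572 508 winlogon.exe 0xba033eefa080 2 - 1 False 2021-11-20 14:11:22.000000 N/A Disabled
664 540 services.exe 0xba033ef77080 5 - 0 False 2021-11-20 14:11:35.000000 N/A Disabled
672 540 lsass.exe 0xba033ef746c0 36 - 0 False 2021-11-20 14:11:38.000000 N/A Disabled
860 664 svchost.exe 0xba033efb4080 15 - 0 False 2021-11-20 14:12:14.000000 N/A Disabled
1016 572 dwm.exe 0xba033f362080 14 - 1 False 2021-11-20 14:12:23.000000 N/A Disabled
356 664 svchost.exe 0xba033ee98800 41 - 0 False 2021-11-20 14:12:24.000000 N/A Disabled
1272 664 MsMpEng.exe 0xba033f7cb800 34 - 0 False 2021-11-20 14:13:36.000000 N/A Disabled
1936 3064 MpCmdRun.exe 0xba0341950800 6 - 0 False 2021-11-20 14:16:22.000000 N/A Disabled
80 356 sihost.exe 0xba0341a1b700 9 - 1 False 2021-11-20 14:20:05.000000 N/A Disabled
2140 356 taskhostw.exe 0xba033f499800 10 - 1 False 2021-11-20 14:20:05.000000 N/A Disabled
2288 572 userinit.exe 0xba0341825340 0 - 1 False 2021-11-20 14:20:10.000000 2021-11-20 14:20:38.000000 Disabled
9999 1016 svchost.exe 0xba0300000000 3 - 1 False 2021-11-20 15:00:00.000000 N/A Disabled
"""

# Parent a core process normally has (pslist truncates names to 14 characters).
EXPECTED_PARENT = {
    'smss.exe': {'System', 'smss.exe'},
    'services.exe': {'wininit.exe'},
    'lsass.exe': {'wininit.exe'},
    'svchost.exe': {'services.exe'},
    'spoolsv.exe': {'services.exe'},
    'dwm.exe': {'winlogon.exe'},
    'userinit.exe': {'winlogon.exe'},
    'sihost.exe': {'svchost.exe'},
    'taskhostw.exe': {'svchost.exe'},
}
# Started by a per-session smss.exe that exits at once, so a missing parent is normal.
EXPECTED_ORPHANS = {'csrss.exe', 'wininit.exe', 'winlogon.exe'}


def parse_pslist(text):
    """Parse the whitespace-separated pslist table into {pid: record}."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 11 or not f[0].isdigit():       # banner, progress and header lines
            continue
        exited = None if f[10] == 'N/A' else f[10] + ' ' + f[11]
        procs[int(f[0])] = {'pid': int(f[0]), 'ppid': int(f[1]), 'name': f[2],
                            'session': f[6], 'created': f[8] + ' ' + f[9], 'exited': exited}
    return procs


def analyze(procs):
    """Flag processes whose parent is gone or is not the parent Windows normally uses."""
    orphans, violations = [], []
    for p in sorted(procs.values(), key=lambda r: r['pid']):
        parent = procs.get(p['ppid'])
        if parent is None:
            if p['ppid'] != 0 and p['name'] not in EXPECTED_ORPHANS:
                orphans.append((p['pid'], p['name'], p['ppid']))
            continue
        allowed = EXPECTED_PARENT.get(p['name'])
        if allowed and parent['name'] not in allowed:
            violations.append((p['pid'], p['name'], parent['name']))
    return {'orphans': orphans, 'parent_violations': violations}


def render_tree(procs):
    """Indented process tree; processes with an unknown parent become roots."""
    children = {}
    for p in procs.values():
        children.setdefault(p['ppid'], []).append(p['pid'])
    lines = []

    def walk(pid, depth):
        p = procs[pid]
        lines.append(f"{'  ' * depth}{p['name']} [{pid}]{' (exited)' if p['exited'] else ''}")
        for c in sorted(children.get(pid, [])):
            walk(c, depth + 1)

    for root in sorted(pid for pid, p in procs.items() if p['ppid'] not in procs):
        walk(root, 0)
    return lines


if __name__ == '__main__':
    procs = parse_pslist(SAMPLE)
    print('\n'.join(render_tree(procs)))
    print(analyze(procs))
```

On the sample the only rule violation is the constructed PID 9999; the one orphan it reports is MpCmdRun.exe (PID 1936), whose parent PID 3064 is not in the list, which is a lead to follow up with the scheduled tasks on disk rather than a verdict on its own.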
- Find a malicious process
PS D:\volatility3> python .\vol.py -f ..\AD-MEM\memory.dmp windows.malfind.Malfind
Volatility 3 Framework 2.3.0
Progress: 100.00 PDB scanning finished
PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory File output Hexdump Disasm
1272 MsMpEng.exe 0x25e98930000 0x25e98a3cfff VadS PAGE_EXECUTE_READWRITE 269 1 Disabled
56 57 53 55 41 54 41 55 VWSUATAU
41 56 41 57 48 83 ec 28 AVAWH..(
4c 8d 3c 24 48 8b e9 48 L.<$H..H
8d b1 98 38 00 00 ff e2 ...8....
49 8d 67 28 41 5f 41 5e I.g(A_A^
41 5d 41 5c 5d 5b 5f 5e A]A\][_^
c3 00 00 40 00 80 00 00 ...@....
00 48 89 e9 48 b8 80 a9 .H..H...
56 57 53 55 41 54 41 55 41 56 41 57 48 83 ec 28 4c 8d 3c 24 48 8b e9 48 8d b1 98 38 00 00 ff e2 49 8d 67 28 41 5f 41 5e 41 5d 41 5c 5d 5b 5f 5e c3 00 00 40 00 80 00 00 00 48 89 e9 48 b8 80 a9
- Dump a process (its executable image, not its whole memory)
Consider a scenario where you have identified an unusual process in the process list; what you could do next is dump it to get the malicious content it is supposed to run.
PS D:\volatility3> python .\vol.py -f ..\AD-MEM\memory.dmp windows.pslist --pid 2644 --dump
Volatility 3 Framework 2.3.0
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
2644 860 ShellExperienc 0xba03418aa800 28 - 1 False 2021-11-20 14:20:18.000000 N/A pid.2644.0x7ff673c00000.dmp
And now you should have a file `pid.2644.0x7ff673c00000.dmp`. I like to do further things in Linux after getting the process dump, as I don't even know the PowerShell equivalent of the `file` command.
- Dump password hashes (registry hive)
There is a tool called `samdump2` which can dump Windows password hashes from the SAM and SYSTEM registry hives. And you may already know about pass-the-hash attacks, where you can literally pass the hash instead of the password as the authentication credential.
09:40:22 root@kali-lucky config → samdump2 ./SYSTEM ./SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
0xMohammed:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
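Before treating a dump like this as a set of credentials it is worth parsing it and checking a few things: every NT hash above is `31d6cfe0d16ae931b73c59d7e0c089c0`, which is the well-known NT hash of an empty password, and the LM field `aad3b435b51404eeaad3b435b51404ee` is the placeholder for "no LM hash stored". On a domain controller image this is not surprising, since domain accounts live in NTDS.dit rather than the local SAM. The following is an added example of mine, not code from the post or from samdump2: it parses pwdump-format lines and reports enabled accounts with a blank password, accounts that still store an LM hash, and an enabled built-in Administrator. The sample is the five lines above plus one constructed account (`svc_backup`) whose hash fields are arbitrary hex, not real hashes, so the LM check has something to trigger on.

```python
"""Triage a pwdump-style hash listing from samdump2 (added example, not from the post)."""
import re

# Well-known constants: the NT hash (MD4 of the empty UTF-16LE string) of a blank
# password, and the placeholder samdump2 prints when no LM hash is stored.
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'
NO_LM = 'aad3b435b51404eeaad3b435b51404ee'

# Constructed sample: the five lines shown above, plus one made-up account whose
# hash fields are arbitrary hex (not real hashes) to exercise the LM-hash check.
SAMPLE = """\
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
0xMohammed:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1002:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
"""

# pwdump format: [*disabled* ]user:RID:LM-hash:NT-hash:::  (the user name may be empty)
_LINE = re.compile(
    r'^(?:(\*disabled\*)\s+)?([^:]*):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$', re.I)


def parse_pwdump(text):
    """Parse each line into a dict; lines that are not pwdump records are skipped."""
    accounts = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        flag, user, rid, lm, nt = m.groups()
        accounts.append({'user': user, 'rid': int(rid), 'lm': lm.lower(),
                         'nt': nt.lower(), 'disabled': flag is not None})
    return accounts


def triage(accounts):
    """Findings for enabled accounts, as (user, rid, finding) tuples."""
    findings = []
    for a in accounts:
        if a['disabled']:
            continue                   # a disabled account cannot log on; nothing to flag
        if a['nt'] == EMPTY_NT:
            findings.append((a['user'], a['rid'], 'blank password (NT hash of empty string)'))
        if a['lm'] != NO_LM:
            findings.append((a['user'], a['rid'], 'LM hash present (legacy, weak)'))
        if a['rid'] == 500:
            findings.append((a['user'], a['rid'], 'built-in Administrator enabled'))
    return findings


if __name__ == '__main__':
    for user, rid, finding in triage(parse_pwdump(SAMPLE)):
        print(f'RID {rid:>4} {user or "<no name>":<14} {finding}')
```

The blank-password finding for RID 1001 is exactly the kind of line to question rather than use: on a domain controller the local SAM account is rarely the one that matters, and a hash equal to the empty-string constant may also mean the hive pair did not decrypt as expected.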
- Dump password hashes (lsass.dmp)
Sometimes you may not have the registry hives, as they are not accessible to users with normal privileges. If you can somehow dump the lsass process using Volatility, you can extract the hashes out of it, because it is the process in Windows that handles credentials for all authentication. But remember one thing: you will need a minidump file for that. You can create a minidump using Task Manager (GUI) or ProcDump (CLI).
After that, we will need mimikatz (on Windows) or pypykatz (on Linux) to extract the hashes. I am using pypykatz here.
11:25:32 root@kali-lucky AD-MEM → pypykatz lsa minidump ./lsass.dmp
INFO:root:Parsing file ./lsass.dmp
FILE: ======== ./lsass.dmp =======
== LogonSession ==
authentication_id 21797004 (14c988c)
session_id 0
username lucky
domainname DESKTOP-OLQLDA6
logon_server DESKTOP-OLQLDA6
logon_time 2022-07-22T05:50:40.171282+00:00
sid S-1-5-21-1623495601-4023490135-1061596140-1001
luid 21797004
== MSV ==
Username: lucky
Domain: DESKTOP-OLQLDA6
LM: NA
NT: a1d2e31c1d54fd593d35aa51c2******
SHA1: a43552ff8ac99ba0a98c171588a0559270******
DPAPI: NA
== WDIGEST [14c988c]==
username lucky
domainname DESKTOP-OLQLDA6
password None
== Kerberos ==
Username: lucky
Domain: DESKTOP-OLQLDA6
== WDIGEST [14c988c]==
username lucky
domainname DESKTOP-OLQLDA6
password None
...
...
I also wanted to explain the MFT (master file table), but I didn't find any working way to analyze it on Linux, and since all the approaches in this article are shown on Linux, I didn't think it was a good idea to include it here.