This is going to be an intro to Windows forensics. Before you find some corrections in this article, I think you should know that I am not that good with Windows and Active Directory. But this post will give you some idea of Windows forensics: how it works, where you look for things, what things, etc.

For demonstration purposes, I picked this Expert Witness Format file (E01) of a compromised Windows server from CyberDefenders. You can acquire an E01 image of a system with FTK Imager (on Windows) or ewfacquire (on Linux). FTK Imager is a free download from its vendor's site; ewfacquire comes in the ewf-tools package, which is in the Kali repositories, so you can install it with this command:

apt install ewf-tools

but I am not going to show how to create one in this article; maybe some other day.

So I have this `AD.E01` file, which I can mount with the ewfmount tool. ewfmount does not mount a file system; it exposes the raw disk image stored inside the E01 container as a single file, `ewf1`, in the directory you give it.

mkdir ewf_dir
ewfmount ./AD.E01 ./ewf_dir

and then you can mount that DOS/MBR image with the `mount` command. Keep it read-only (`ro`) so the evidence is never altered; `show_sys_files` makes the NTFS metadata files such as `$MFT` and `$LogFile` visible, and `streams_interface=windows` exposes alternate data streams as `file:stream`. If `ewf1` turns out to be a whole disk with a partition table rather than a single volume, you also need `offset=<bytes>` pointing at the start of the NTFS partition.

mkdir mount_point
mount -o ro,loop,show_sys_files,streams_interface=windows ./ewf_dir/ewf1 mount_point/

This is an NTFS file system (used by Windows) that we have just mounted, read-only, into our Linux directory tree, so the usual Linux tools can be pointed at it.
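When the image exposed by ewfmount is a whole disk rather than a single partition, the `mount` line above needs an `offset=` option. The following Python helper is an added example (not part of the original post) that reads `fdisk -l` output for the MBR ("dos") layout, picks out the NTFS partitions and builds the corrected mount command; the `fdisk` listing embedded in it is constructed for the example, and `./ewf_dir/ewf1` is the path used above.

```python
"""Added example: compute the byte offset a partition inside a raw disk image
starts at, from `fdisk -l <image>` output, and print the matching mount line.
Only the MBR ("Disklabel type: dos") table layout shown below is handled.
"""
import re

# Constructed sample of `fdisk -l ./ewf_dir/ewf1` (not from the real image): a
# small system partition followed by the NTFS volume we actually want.
SAMPLE_FDISK = """\
Disk ./ewf_dir/ewf1: 60 GiB, 64424509440 bytes, 125829120 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x1a2b3c4d

Device           Boot   Start       End   Sectors  Size Id Type
./ewf_dir/ewf1p1 *       2048   1023999   1021952  499M  7 HPFS/NTFS/exFAT
./ewf_dir/ewf1p2      1024000 125827071 124803072 59.5G  7 HPFS/NTFS/exFAT
"""

# fdisk's type name for MBR partition id 7 (NTFS/exFAT share the id).
NTFS_TYPES = ("HPFS/NTFS/exFAT",)


def parse_fdisk(text):
    """Return (sector_size, [(device, start_sector, type_name), ...])."""
    sector_size = 512
    parts = []
    in_table = False
    for line in text.splitlines():
        m = re.match(r"Units: sectors of \d+ \* \d+ = (\d+) bytes", line)
        if m:
            sector_size = int(m.group(1))
        if line.startswith("Device"):          # header of the partition table
            in_table = True
            continue
        if in_table and line.strip():
            f = line.split()
            boot = f[1] == "*"                 # the Boot column is present only for bootable entries
            start = int(f[2] if boot else f[1])
            type_name = " ".join(f[7:] if boot else f[6:])
            parts.append((f[0], start, type_name))
    return sector_size, parts


def ntfs_offsets(text):
    """(device, byte offset) for every NTFS-typed partition in the listing."""
    sector_size, parts = parse_fdisk(text)
    return [(dev, start * sector_size) for dev, start, t in parts if t in NTFS_TYPES]


def mount_command(image, offset, mount_point="mount_point/"):
    """The read-only NTFS mount line from above, with the offset filled in."""
    return ("mount -o ro,loop,offset=%d,show_sys_files,streams_interface=windows %s %s"
            % (offset, image, mount_point))


if __name__ == "__main__":
    for dev, off in ntfs_offsets(SAMPLE_FDISK):
        print(dev, "starts at byte", off)
        print(" ", mount_command("./ewf_dir/ewf1", off))
```

The offset is simply start sector times sector size; for the 59.5G partition in the sample that is 1024000 * 512 = 524288000. On a GPT disk fdisk prints a different table (no Id column), so adjust the column indices before reusing this on such an image.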

So these are the files we will be digging through while searching for answers in an investigation. Almost any activity leaves a trace somewhere on the disk: a file modified after a malicious program was executed, records of system updates, crash dumps, and so on.

Most of the information about a Windows system can be found in its registry hives, and on Linux we can read those offline with the hivex tools: `hivexsh`, `hivexget` and `hivexml`. The hive files live at these paths on the mounted volume (the `HKEY_*` names on the left are how a running Windows exposes them):

HKEY_LOCAL_MACHINE\SYSTEM   : \Windows\System32\config\SYSTEM
HKEY_LOCAL_MACHINE\SAM      : \Windows\System32\config\SAM
HKEY_LOCAL_MACHINE\SECURITY : \Windows\System32\config\SECURITY
HKEY_LOCAL_MACHINE\SOFTWARE : \Windows\System32\config\SOFTWARE
HKEY_USERS\<SID> (per user) : \Users\<username>\NTUSER.DAT (plus \Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat)
HKEY_USERS\.DEFAULT         : \Windows\System32\config\DEFAULT
  • OS product name:
07:42:24 root@kali-lucky config → hivexget ./SOFTWARE '\Microsoft\Windows NT\CurrentVersion'
"SystemRoot"="C:\\Windows"
"BuildBranch"="rs1_release"
"BuildGUID"="ffffffff-ffff-ffff-ffff-ffffffffffff"
"BuildLab"="14393.rs1_release_inmarket.160906-1818"
"BuildLabEx"="14393.187.amd64fre.rs1_release_inmarket.160906-1818"
"CompositionEditionID"="EnterpriseS"
"CurrentBuild"="14393"
...
...
,00,00
"ProductId"="00378-20000-00003-AA721"
"RegisteredOwner"="Windows User"
"RegisteredOrganization"=""
"InstallTime"=hex(11):dd,3e,32,1e,5d,dd,d7,01
  • Last Logon on the system
07:56:02 root@kali-lucky config → hivexget ./SOFTWARE '\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
"ShowTabletKeyboard"=dword:00000000
"IdleTime"=dword:00000000
"LastLoggedOnUser"="CYBERDEFENDERS\\0xMohammed"
"SelectedUserSID"="S-1-5-21-3200536464-3375982059-3076520942-500"
"LastLoggedOnSAMUser"="CYBERDEFENDERS\\0xMohammed"
"LastLoggedOnUserSID"="S-1-5-21-3200536464-3375982059-3076520942-500"
"LastLoggedOnProvider"="{60B78E88-EAD8-445C-9CFD-0B87F74EA6CD}"
"NetworkStatusType"=dword:00000000
"IsFirstLogonAfterSignOut"=dword:00000000
"LastLoggedOnDisplayName"="Mohammed Hasan"
  • Programs executed at logon (the Run key, a classic persistence location)
10:50:06 root@kali-lucky config → hivexget ./SOFTWARE '\Microsoft\Windows\CurrentVersion\Run'
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
  • Drive information (MountedDevices)
10:57:43 root@kali-lucky config → hivexget ./SYSTEM '\MountedDevices' 
"\\DosDevices\\C:"=hex(3):44,4d,49,4f,3a,49,44,3a,b3,05,d9,fa,35,fb,bd,4d,ab,31,a4,4f,02,28,09,d2
"\\??\\Volume{8cf4cfff-49a3-11ec-910f-806e6f6e6963}"=hex(3):5c,00,3f,00,3f,00,5c,00,53,00,43,00,53,00,49,00,23,00,43,00,64,00,52,00,6f,00,6d,00,26,00,56,00,65,00,6e,00,5f,00,4e,00,45,00,43,00,56,00,4d,00,57,00,61,00,72,00,26,00,50,00,72,00,6f,00,64,00,5f,00,56,00,4d,00,77,00,61,00,72,00,65,00,5f,00,53,00,41,00,54,00,41,00,5f,00,43,00,44,00,30,00,31,00,23,00,35,00,26,00,32,00,65,00,64,00,66,00,30,00,38,00,64,00,64,00,26,00,30,00,26,00,30,00,31,00,30,00,30,00,30,00,30,00,23,00,7b,00,35,00,33,00,66,00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00
"\\DosDevices\\D:"=hex(3):5c,00,3f,00,3f,00,5c,00,53,00,43,00,53,00,49,00,23,00,43,00,64,00,52,00,6f,00,6d,00,26,00,56,00,65,00,6e,00,5f,00,4e,00,45,00,43,00,56,00,4d,00,57,00,61,00,72,00,26,00,50,00,72,00,6f,00,64,00,5f,00,56,00,4d,00,77,00,61,00,72,00,65,00,5f,00,53,00,41,00,54,00,41,00,5f,00,43,00,44,00,30,00,30,00,23,00,35,00,26,00,32,00,65,00,64,00,66,00,30,00,38,00,64,00,64,00,26,00,30,00,26,00,30,00,30,00,30,00,30,00,30,00,30,00,23,00,7b,00,35,00,33,00,66,00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00
"\\??\\Volume{9c2214e2-4a0b-11ec-9115-000c2949dd0d}"=hex(3):5c,00,3f,00,3f,00,5c,00,53,00,43,00,53,00,49,00,23,00,43,00,64,00,52,00,6f,00,6d,00,26,00,56,00,65,00,6e,00,5f,00,4e,00,45,00,43,00,56,00,4d,00,57,00,61,00,72,00,26,00,50,00,72,00,6f,00,64,00,5f,00,56,00,4d,00,77,00,61,00,72,00,65,00,5f,00,53,00,41,00,54,00,41,00,5f,00,43,00,44,00,30,00,30,00,23,00,35,00,26,00,32,00,65,00,64,00,66,00,30,00,38,00,64,00,64,00,26,00,30,00,26,00,30,00,30,00,30,00,30,00,30,00,30,00,23,00,7b,00,35,00,33,00,66,00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00

There were some questions I couldn't solve because, as I told you, I am not that good at Windows. One of them asked for the IP address of the machine, which should come from `\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\` in the SYSTEM hive, but I didn't find anything there. There was no `CurrentControlSet`; instead there was `ControlSet001`, where I didn't find anything related to network adapters. (`CurrentControlSet` only exists on a running system, as a link to one of the `ControlSet00N` keys; in an offline hive, `\Select\Current` tells you which one to read, and under it each adapter has its own `Interfaces\{GUID}` subkey holding `DhcpIPAddress` or `IPAddress`.)
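hivexget prints raw encodings (`hex(11):...` for the FILETIME in `InstallTime`, `hex(3):...` UTF-16LE blobs and GUIDs in `MountedDevices`, `dword:` in `\Select`), so the listings above still need decoding. The following is an added example, not code from the original post: it parses the hivexget output format and decodes those three cases. The sample lines are copied from the output above (the D: value is shortened), the `\Select` key is constructed, and the decoding rules (FILETIME epoch, the `DMIO:ID:` tag that precedes a GPT partition GUID) are standard registry facts rather than anything hivexget itself explains.

```python
"""Added example: decode the value encodings hivexget prints."""
import re
import uuid
from datetime import datetime, timedelta, timezone

# hivexget prints REG_SZ as "name"="text", REG_DWORD as dword:XXXXXXXX, and any
# other type as hex(<REG_* type number>):aa,bb,cc,...
LINE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')

# Copied from the hivexget output above (subset of values).
SOFTWARE_CURRENTVERSION = r'''"SystemRoot"="C:\\Windows"
"CurrentBuild"="14393"
"InstallTime"=hex(11):dd,3e,32,1e,5d,dd,d7,01
'''

# Copied from the MountedDevices output above; the D: value is shortened.
MOUNTED_DEVICES = r'''"\\DosDevices\\C:"=hex(3):44,4d,49,4f,3a,49,44,3a,b3,05,d9,fa,35,fb,bd,4d,ab,31,a4,4f,02,28,09,d2
"\\DosDevices\\D:"=hex(3):5c,00,3f,00,3f,00,5c,00,53,00,43,00,53,00,49,00,23,00,43,00,64,00,52,00,6f,00,6d,00
'''

# Constructed: what `hivexget ./SYSTEM '\Select'` typically looks like.
SELECT_KEY = r'''"Current"=dword:00000001
"Default"=dword:00000001
"Failed"=dword:00000000
"LastKnownGood"=dword:00000002
'''


def unescape(s):
    """hivexget escapes backslashes and quotes in names and REG_SZ values."""
    return re.sub(r'\\(.)', r'\1', s)


def filetime_to_datetime(ft):
    """FILETIME: 100-nanosecond intervals since 1601-01-01 00:00 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def decode_binary(data):
    """REG_BINARY as used by MountedDevices: a UTF-16LE device path, or for a
    volume on a GPT disk the tag 'DMIO:ID:' followed by the 16-byte partition
    GUID (mixed-endian, hence bytes_le)."""
    if data.startswith(b"DMIO:ID:") and len(data) == 24:
        return "GPT partition {%s}" % uuid.UUID(bytes_le=data[8:])
    try:
        return data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return data.hex()


def decode_value(raw):
    if raw.startswith('"'):
        return unescape(raw[1:-1])                       # REG_SZ
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)              # REG_DWORD
    m = re.match(r"hex\((\d+)\):(.*)$", raw)
    if not m:
        return raw
    reg_type = int(m.group(1))
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if reg_type == 11:                                   # REG_QWORD; InstallTime is a FILETIME
        return filetime_to_datetime(int.from_bytes(data, "little"))
    if reg_type == 3:                                    # REG_BINARY
        return decode_binary(data)
    return data


def parse_hivexget(text):
    """Return {value name: decoded value} for one key's hivexget output."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            values[unescape(m.group("name"))] = decode_value(m.group("value"))
    return values


def current_control_set(select_text):
    """Offline hives have no CurrentControlSet (that link is made at boot);
    \\Select\\Current names the ControlSet00N the system actually ran with."""
    return "ControlSet%03d" % parse_hivexget(select_text)["Current"]


if __name__ == "__main__":
    sw = parse_hivexget(SOFTWARE_CURRENTVERSION)
    print("installed:", sw["InstallTime"].strftime("%Y-%m-%d %H:%M:%S UTC"), "build", sw["CurrentBuild"])
    for name, dev in parse_hivexget(MOUNTED_DEVICES).items():
        print(name, "->", dev)
    print("control set to read:", current_control_set(SELECT_KEY))
```

Decoded, the `InstallTime` above is 2021-11-19 15:50:03 UTC, `C:` is a volume on a GPT disk identified by its partition GUID, and the `D:` value is the `\??\SCSI#CdRom...` device path of the VMware CD-ROM.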

 

The next thing we are going to analyze is the Mozilla Firefox browser: its history and some related data. Browser artifacts look much the same on any OS; what matters more is which browser it is. If you are analyzing Brave, for example, it may store its data somewhere else.

  •  What link did the user visit on 2021-11-22 at 19:45:55 UTC?

First of all, I need to find which user has Mozilla Firefox data. Firefox, like most applications, stores its data under the user's AppData directory, and we can find it with the find command in Linux:

11:14:29 root@kali-lucky mount_point → find . -name 'Mozilla'
./ProgramData/Mozilla
./Users/administrator/AppData/Local/Mozilla
./Users/administrator/AppData/LocalLow/Mozilla
./Users/administrator/AppData/Roaming/Mozilla
./Users/labib/AppData/Local/Mozilla
./Users/labib/AppData/LocalLow/Mozilla
./Users/labib/AppData/Roaming/Mozilla
./Windows/System32/Tasks/Mozilla

We can look into the `labib` user's AppData directory, and eventually you will come across this path:

./Users/labib/AppData/Roaming/Mozilla/Firefox/Profiles/2305bdnv.default-release/

This is the Firefox profile directory for the user `labib`. The file `places.sqlite` in it contains the browsing history: the `moz_places` table holds the URLs and `moz_historyvisits` holds every visit with its timestamp, stored as microseconds since the Unix epoch (UTC). Many forensic tools parse it, and there are online viewers as well; copy the file out of the read-only mount before opening it, because SQLite wants to create journal files next to the database.

  • Mozilla Firefox extensions info

The file ./Users/labib/AppData/Roaming/Mozilla/Firefox/Profiles/2305bdnv.default-release/extensions.json lists the installed add-ons:

{
  "schemaVersion": 33,
  "addons": [
    {
      "id": "doh-rollout@mozilla.org",
      "syncGUID": "{006fb1b4-8ffc-4488-a04f-f7e469e9e2ca}",
      "version": "2.0.0",
      "type": "extension",
      "loader": null,
      "updateURL": null,
      "optionsURL": null,
      "optionsType": null,
      "optionsBrowserStyle": true,
      "aboutURL": null,
      "defaultLocale": {
        "name": "DoH Roll-Out",
        "description": "This used to be a Mozilla add-on that supported the roll-out of DoH, but now only exists as a stub to enable migrations.",
        "creator": null,
        "developers": null,
        "translators": null,
        "contributors": null
...
...

 

  • Saved cookies

The cookies are in Users/labib/AppData/Roaming/Mozilla/Firefox/Profiles/2305bdnv.default-release/cookies.sqlite, table `moz_cookies`; its `creationTime` and `lastAccessed` columns use the same microsecond timestamps as the history.
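To answer a question like "what link was visited at 19:45:55 UTC" you join the visits to their URLs and convert the microsecond timestamps. The following is an added example, not code from the original post or a Firefox tool: it builds an in-memory SQLite database with the relevant columns of `moz_places`, `moz_historyvisits` and `moz_cookies`, fills it with constructed rows (placeholder URLs, not the challenge's answer) and runs the queries you would run against the copied `places.sqlite` and `cookies.sqlite`.

```python
"""Added example: query Firefox history and cookies the way a history viewer does.
Firefox stores these timestamps as PRTime: microseconds since the Unix epoch, UTC.
"""
import sqlite3
from datetime import datetime, timezone

# Subset of the real tables' columns, enough for the queries below.
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                         visit_count INTEGER, last_visit_date INTEGER);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                place_id INTEGER, visit_date INTEGER,
                                visit_type INTEGER);
CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, host TEXT, name TEXT,
                          value TEXT, path TEXT, expiry INTEGER,
                          lastAccessed INTEGER, creationTime INTEGER,
                          isSecure INTEGER, isHttpOnly INTEGER);
"""


def parse_utc(s):
    """'YYYY-MM-DD HH:MM:SS' (UTC) -> aware datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def to_prtime(s):
    return int(parse_utc(s).timestamp()) * 1_000_000


def from_prtime(us):
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


# Constructed visits: (place id, url, visit time UTC). Placeholder URLs only.
SAMPLE_VISITS = [
    (1, "https://example.com/login", "2021-11-22 19:40:12"),
    (2, "https://example.com/files/tool.zip", "2021-11-22 19:45:55"),
    (3, "https://example.org/", "2021-11-22 20:01:03"),
]


def build_sample_db():
    """In-memory stand-in for places.sqlite + cookies.sqlite with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for place_id, url, when in SAMPLE_VISITS:
        db.execute("INSERT INTO moz_places VALUES (?,?,?,?,?)",
                   (place_id, url, None, 1, to_prtime(when)))
        db.execute("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)",
                   (place_id, 0, place_id, to_prtime(when), 1))
    # One constructed cookie, created on the first visit and touched on the second.
    db.execute("INSERT INTO moz_cookies VALUES (?,?,?,?,?,?,?,?,?,?)",
               (1, ".example.com", "session", "deadbeef", "/", 2_000_000_000,
                to_prtime("2021-11-22 19:45:55"), to_prtime("2021-11-22 19:40:12"), 1, 1))
    return db


def visits_between(db, start, end):
    """(UTC time, url) for every visit in [start, end] (second resolution), oldest first."""
    rows = db.execute(
        "SELECT v.visit_date, p.url FROM moz_historyvisits v "
        "JOIN moz_places p ON p.id = v.place_id "
        "WHERE v.visit_date BETWEEN ? AND ? ORDER BY v.visit_date",
        (to_prtime(start), to_prtime(end) + 999_999)).fetchall()
    return [(from_prtime(us), url) for us, url in rows]


def visit_at(db, when):
    """URL visited at exactly `when`, or None."""
    hits = visits_between(db, when, when)
    return hits[0][1] if hits else None


def cookies_for_host(db, host_suffix):
    rows = db.execute(
        "SELECT host, name, creationTime, lastAccessed FROM moz_cookies WHERE host LIKE ?",
        ("%" + host_suffix,)).fetchall()
    return [(h, n, from_prtime(c), from_prtime(a)) for h, n, c, a in rows]


if __name__ == "__main__":
    db = build_sample_db()
    print("visited at 19:45:55:", visit_at(db, "2021-11-22 19:45:55"))
    for t, url in visits_between(db, "2021-11-22 19:00:00", "2021-11-22 21:00:00"):
        print(t, url)
    print(cookies_for_host(db, "example.com"))
```

For the real profile, replace `sqlite3.connect(":memory:")` with the path of the copied `places.sqlite` (and open `cookies.sqlite` separately); the queries are unchanged. The `BETWEEN` with an upper bound padded by 999999 microseconds is what makes a second-resolution question match a microsecond-resolution column.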

Now comes the part where we analyze the memory dump with the well-known forensics tool Volatility. If you haven't used it for a while, you should know that there are two versions (Volatility 2 and Volatility 3); either one will do. I had already extracted the memory dump (in AD-MEM) from the zip I downloaded, and I also have Volatility installed on my Kali Linux. You can check it out on its GitHub repo.

  • Windows process list
PS D:\volatility3> python .\vol.py -f ..\AD-MEM\memory.dmp windows.pslist.PsList
Volatility 3 Framework 2.3.0
Progress:  100.00               PDB scanning finished
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output

4       0       System  0xba033d2ae040  119     -       N/A     False   2021-11-20 14:10:38.000000      N/A     Disabled
292     4       smss.exe        0xba033e53e800  2       -       N/A     False   2021-11-20 14:10:39.000000      N/A     Disabled
416     404     csrss.exe       0xba033eadb280  11      -       0       False   2021-11-20 14:11:15.000000      N/A     Disabled
508     292     smss.exe        0xba033eec6080  0       -       1       False   2021-11-20 14:11:21.000000      2021-11-20 14:11:22.000000      Disabled
516     508     csrss.exe       0xba033eec0580  11      -       1       False   2021-11-20 14:11:22.000000      N/A     Disabled
540     404     wininit.exe     0xba033eebf080  1       -       0       False   2021-11-20 14:11:22.000000      N/A     Disabled
572     508     winlogon.exe    0xba033eefa080  2       -       1       False   2021-11-20 14:11:22.000000      N/A     Disabled
664     540     services.exe    0xba033ef77080  5       -       0       False   2021-11-20 14:11:35.000000      N/A     Disabled
672     540     lsass.exe       0xba033ef746c0  36      -       0       False   2021-11-20 14:11:38.000000      N/A     Disabled
860     664     svchost.exe     0xba033efb4080  15      -       0       False   2021-11-20 14:12:14.000000      N/A     Disabled
912     664     svchost.exe     0xba033ee9c800  8       -       0       False   2021-11-20 14:12:16.000000      N/A     Disabled
1016    572     dwm.exe 0xba033f362080  14      -       1       False   2021-11-20 14:12:23.000000      N/A     Disabled
356     664     svchost.exe     0xba033ee98800  41      -       0       False   2021-11-20 14:12:24.000000      N/A     Disabled
512     664     svchost.exe     0xba033ee96800  14      -       0       False   2021-11-20 14:12:24.000000      N/A     Disabled
796     664     svchost.exe     0xba033ee92800  15      -       0       False   2021-11-20 14:12:27.000000      N/A     Disabled
848     664     svchost.exe     0xba033ee90800  31      -       0       False   2021-11-20 14:12:27.000000      N/A     Disabled
1100    664     svchost.exe     0xba033ef56800  39      -       0       False   2021-11-20 14:12:34.000000      N/A     Disabled
1220    664     svchost.exe     0xba033f3fa800  10      -       0       False   2021-11-20 14:12:42.000000      N/A     Disabled
1228    664     svchost.exe     0xba033f3fc800  23      -       0       False   2021-11-20 14:12:42.000000      N/A     Disabled
1544    664     svchost.exe     0xba033f3d3080  6       -       0       False   2021-11-20 14:13:02.000000      N/A     Disabled
1832    664     spoolsv.exe     0xba033f6d6800  10      -       0       False   2021-11-20 14:13:27.000000      N/A     Disabled
1884    664     svchost.exe     0xba033f7bd800  9       -       0       False   2021-11-20 14:13:32.000000      N/A     Disabled
1956    664     svchost.exe     0xba033f7e76c0  8       -       0       False   2021-11-20 14:13:33.000000      N/A     Disabled
1964    664     dns.exe 0xba033f79f800  21      -       0       False   2021-11-20 14:13:33.000000      N/A     Disabled
2020    664     ismserv.exe     0xba033f7d7800  8       -       0       False   2021-11-20 14:13:34.000000      N/A     Disabled
688     664     wlms.exe        0xba033f7a75c0  2       -       0       False   2021-11-20 14:13:35.000000      N/A     Disabled
1280    664     vm3dservice.ex  0xba033f7d1800  2       -       0       False   2021-11-20 14:13:35.000000      N/A     Disabled
1272    664     MsMpEng.exe     0xba033f7cb800  34      -       0       False   2021-11-20 14:13:36.000000      N/A     Disabled
1540    664     dfssvc.exe      0xba033f7c9800  11      -       0       False   2021-11-20 14:13:38.000000      N/A     Disabled
2184    1280    vm3dservice.ex  0xba033f6c7080  2       -       1       False   2021-11-20 14:14:03.000000      N/A     Disabled
1560    664     msdtc.exe       0xba033f493080  9       -       0       False   2021-11-20 14:16:17.000000      N/A     Disabled
1936    3064    MpCmdRun.exe    0xba0341950800  6       -       0       False   2021-11-20 14:16:22.000000      N/A     Disabled
1456    664     Microsoft.Acti  0xba034180a540  10      -       0       False   2021-11-20 14:16:30.000000      N/A     Disabled
1432    860     RuntimeBroker.  0xba033f7af680  8       -       1       False   2021-11-20 14:20:04.000000      N/A     Disabled
80      356     sihost.exe      0xba0341a1b700  9       -       1       False   2021-11-20 14:20:05.000000      N/A     Disabled
1976    664     svchost.exe     0xba033ff59080  8       -       1       False   2021-11-20 14:20:05.000000      N/A     Disabled
2140    356     taskhostw.exe   0xba033f499800  10      -       1       False   2021-11-20 14:20:05.000000      N/A     Disabled
2288    572     userinit.exe    0xba0341825340  0       -       1       False   2021-11-20 14:20:10.000000      2021-11-20 14:20:38.000000      Disabled

These are the processes that were present when the forensics expert created this memory dump file. And sorry that I am using Windows here instead of Linux: I have some really bad problems with my Python versions in Linux, and I am lazy as hell, I don't even try to fix it. Anyway, the syntax of this tool is quite simple. (I am using Volatility 3.)
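A process list is most useful when you compare it against what Windows normally produces: every `svchost.exe` should be a child of `services.exe`, `lsass.exe` and `services.exe` of `wininit.exe`, and there should be exactly one `lsass.exe`. The following is an added example, not part of the original post or of Volatility: it parses `windows.pslist` output and flags parent/child relationships that break those rules. The rows are copied from the listing above, plus one constructed row (PID 4242, an `svchost.exe` started by `taskhostw.exe`) that the check should catch; the expected-parent table is ordinary Windows boot knowledge.

```python
"""Added example: parent/child sanity check over Volatility 3 pslist output."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name session create_time")

# Copied from the listing above (subset), plus the constructed PID 4242 row.
PSLIST_OUTPUT = """\
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output
4       0       System  0xba033d2ae040  119     -       N/A     False   2021-11-20 14:10:38.000000      N/A     Disabled
292     4       smss.exe        0xba033e53e800  2       -       N/A     False   2021-11-20 14:10:39.000000      N/A     Disabled
416     404     csrss.exe       0xba033eadb280  11      -       0       False   2021-11-20 14:11:15.000000      N/A     Disabled
508     292     smss.exe        0xba033eec6080  0       -       1       False   2021-11-20 14:11:21.000000      2021-11-20 14:11:22.000000      Disabled
516     508     csrss.exe       0xba033eec0580  11      -       1       False   2021-11-20 14:11:22.000000      N/A     Disabled
540     404     wininit.exe     0xba033eebf080  1       -       0       False   2021-11-20 14:11:22.000000      N/A     Disabled
572     508     winlogon.exe    0xba033eefa080  2       -       1       False   2021-11-20 14:11:22.000000      N/A     Disabled
664     540     services.exe    0xba033ef77080  5       -       0       False   2021-11-20 14:11:35.000000      N/A     Disabled
672     540     lsass.exe       0xba033ef746c0  36      -       0       False   2021-11-20 14:11:38.000000      N/A     Disabled
860     664     svchost.exe     0xba033efb4080  15      -       0       False   2021-11-20 14:12:14.000000      N/A     Disabled
1016    572     dwm.exe 0xba033f362080  14      -       1       False   2021-11-20 14:12:23.000000      N/A     Disabled
356     664     svchost.exe     0xba033ee98800  41      -       0       False   2021-11-20 14:12:24.000000      N/A     Disabled
1832    664     spoolsv.exe     0xba033f6d6800  10      -       0       False   2021-11-20 14:13:27.000000      N/A     Disabled
2140    356     taskhostw.exe   0xba033f499800  10      -       1       False   2021-11-20 14:20:05.000000      N/A     Disabled
2288    572     userinit.exe    0xba0341825340  0       -       1       False   2021-11-20 14:20:10.000000      2021-11-20 14:20:38.000000      Disabled
4242    2140    svchost.exe     0xba0341ffff00  3       -       1       False   2021-11-20 14:25:00.000000      N/A     Disabled
"""

# Process name -> names its parent may have. The per-session smss.exe that
# starts csrss/wininit/winlogon exits right away (see PID 508 above), so for
# those three a parent PID that is no longer listed is normal, not suspicious.
EXPECTED_PARENT = {
    "smss.exe": {"system", "smss.exe"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "spoolsv.exe": {"services.exe"},
    "taskhostw.exe": {"svchost.exe"},
    "dwm.exe": {"winlogon.exe"},
    "userinit.exe": {"winlogon.exe"},
}
PARENT_MAY_HAVE_EXITED = {"csrss.exe", "wininit.exe", "winlogon.exe"}
SINGLETONS = ("system", "wininit.exe", "services.exe", "lsass.exe")


def parse_pslist(text):
    """Map PID -> Proc. Banner, progress and header lines have no numeric first column."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].isdigit():
            continue
        procs[int(f[0])] = Proc(int(f[0]), int(f[1]), f[2].lower(), f[6], f[8] + " " + f[9])
    return procs


def find_anomalies(procs):
    findings = []
    for p in procs.values():
        allowed = EXPECTED_PARENT.get(p.name)
        if allowed is None:
            continue
        parent = procs.get(p.ppid)
        if parent is None:
            if p.name not in PARENT_MAY_HAVE_EXITED:
                findings.append("%s (pid %d): parent pid %d is not in the list" % (p.name, p.pid, p.ppid))
        elif parent.name not in allowed:
            findings.append("%s (pid %d): parent is %s (pid %d), expected %s"
                            % (p.name, p.pid, parent.name, parent.pid, "/".join(sorted(allowed))))
    for name in SINGLETONS:                       # a second lsass.exe is a classic masquerade
        n = sum(1 for p in procs.values() if p.name == name)
        if n > 1:
            findings.append("%d copies of %s" % (n, name))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_pslist(PSLIST_OUTPUT)):
        print(finding)
```

On the real listing nothing trips these rules; only the constructed PID 4242 does. Name matching alone is weak (a lookalike such as `svch0st.exe` passes untouched), so pair this with `windows.pstree` and a check of each image path.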

  • Find a malicious process (malfind)

malfind lists memory regions that are private, writable and executable at the same time, which is how injected shellcode and reflectively loaded DLLs usually look. Treat each hit as a lead, not a verdict: some legitimate programs allocate such regions for just-in-time compiled code, and Defender's MsMpEng.exe (the only hit below) is a frequent example, so check whether the region starts with an MZ header or recognisable shellcode before calling it malicious.
PS D:\volatility3> python .\vol.py -f ..\AD-MEM\memory.dmp windows.malfind.Malfind                                                                                                                                                                                                
Volatility 3 Framework 2.3.0                                                                                                                                                                                                                                                      
Progress:  100.00               PDB scanning finished                                                                                                                                                                                                                             
PID     Process Start VPN       End VPN Tag     Protection      CommitCharge    PrivateMemory   File output     Hexdump Disasm                                                                                                                                                    
                                                                                                                                                                                                                                                                                  
1272    MsMpEng.exe     0x25e98930000   0x25e98a3cfff   VadS    PAGE_EXECUTE_READWRITE  269     1       Disabled                                                                                                                                                                  
56 57 53 55 41 54 41 55 VWSUATAU                                                                                                                                                                                                                                                  
41 56 41 57 48 83 ec 28 AVAWH..(                                                                                                                                                                                                                                                  
4c 8d 3c 24 48 8b e9 48 L.<$H..H                                                                                                                                                                                                                                                  
8d b1 98 38 00 00 ff e2 ...8....                                                                                                                                                                                                                                                  
49 8d 67 28 41 5f 41 5e I.g(A_A^                                                                                                                                                                                                                                                  
41 5d 41 5c 5d 5b 5f 5e A]A\][_^                                                                                                                                                                                                                                                  
c3 00 00 40 00 80 00 00 ...@....                                                                                                                                                                                                                                                  
00 48 89 e9 48 b8 80 a9 .H..H...        56 57 53 55 41 54 41 55 41 56 41 57 48 83 ec 28 4c 8d 3c 24 48 8b e9 48 8d b1 98 38 00 00 ff e2 49 8d 67 28 41 5f 41 5e 41 5d 41 5c 5d 5b 5f 5e c3 00 00 40 00 80 00 00 00 48 89 e9 48 b8 80 a9                                           
  • Dump a process executable (not its whole memory)

Consider a scenario where you have identified an unusual process in the process list. A natural next step is to dump its executable image out of memory to get at the code it was running:

PS D:\volatility3> python .\vol.py -f ..\AD-MEM\memory.dmp windows.pslist --pid 2644 --dump
Volatility 3 Framework 2.3.0
Progress:  100.00               PDB scanning finished
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output

2644    860     ShellExperienc  0xba03418aa800  28      -       1       False   2021-11-20 14:20:18.000000      N/A     pid.2644.0x7ff673c00000.dmp

And now you should have a file `pid.2644.0x7ff673c00000.dmp`. I like to do further things in Linux after getting the process dump, as I don't even know what the equivalent of the `file` command is in PowerShell.
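What `--dump` writes is the process's main executable as rebuilt from memory, and the hex number in the file name is the image base it was loaded at, so a quick first check is to parse the PE header and confirm the `ImageBase` field agrees with the name. The following is an added example, not from the original post or from Volatility, that does the equivalent of `file` for a PE. The bytes it parses are a constructed minimal PE32+ header standing in for the real `pid.2644.0x7ff673c00000.dmp`; the parser works on any PE file.

```python
"""Added example: sanity-check a dumped process image by reading its PE header."""
import re
import struct
from datetime import datetime, timezone

MACHINES = {0x8664: "AMD64", 0x14C: "I386", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000


def build_sample_pe(image_base=0x7FF673C00000, sections=3, timestamp=1636000000):
    """Constructed header: DOS header (e_lfanew at 0x3C), PE signature,
    IMAGE_FILE_HEADER and the start of IMAGE_OPTIONAL_HEADER64."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)
    dos += b"\0" * (0x80 - len(dos))
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, sections, timestamp, 0, 0, 240, 0x22)
    # Magic (0x20B = PE32+), linker major/minor, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode, ImageBase
    opt_hdr = struct.pack("<HBBIIIIIQ", 0x20B, 14, 0, 0x1000, 0x2000, 0, 0x1234, 0x1000, image_base)
    opt_hdr += b"\0" * (240 - len(opt_hdr))
    return dos + b"PE\0\0" + file_hdr + opt_hdr


def parse_pe_header(blob):
    """Rough equivalent of `file` for a PE: machine, sections, link time, image base."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature: this is not a PE image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    opt = e_lfanew + 24                       # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x20B:                        # PE32+: 8-byte ImageBase at offset 24
        image_base = struct.unpack_from("<Q", blob, opt + 24)[0]
    elif magic == 0x10B:                      # PE32: 4-byte ImageBase at offset 28
        image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    return {
        "machine": MACHINES.get(machine, "%#x" % machine),
        "sections": nsections,
        "link_time": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "image_base": image_base,
    }


def base_from_dump_name(name):
    """'pid.2644.0x7ff673c00000.dmp' -> 0x7ff673c00000"""
    m = re.search(r"pid\.\d+\.(0x[0-9a-f]+)\.dmp$", name, re.I)
    return int(m.group(1), 16) if m else None


def check_dump(name, blob):
    info = parse_pe_header(blob)
    info["base_matches_name"] = info["image_base"] == base_from_dump_name(name)
    return info


if __name__ == "__main__":
    for k, v in check_dump("pid.2644.0x7ff673c00000.dmp", build_sample_pe()).items():
        print("%-18s %s" % (k, hex(v) if k == "image_base" else v))
```

Bear in mind that a memory-carved PE is laid out as it was in memory (section alignment rather than file alignment, import addresses already resolved), so a mismatch between `ImageBase` and the address in the file name, or a missing MZ/PE signature, usually means the header was paged out or the dump is not what you thought it was.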

  • Dump password hashes (registry hives)

There is a tool called `samdump2` that dumps Windows password hashes from the SAM and SYSTEM registry hives (the SAM holds the hashes, encrypted with a key derived from the SYSTEM hive's boot key, which is why both files are needed). You may already know about pass-the-hash attacks, where the NT hash itself, rather than the password, is enough to authenticate. One caveat about the output below: every account shows the NT hash of an empty password (`31d6cfe0d16ae931b73c59d7e0c089c0`), which is what samdump2 prints when it cannot decrypt the hive; it does not understand the AES-encrypted SAM format that Windows 10 1607 / Server 2016 introduced, and build 14393 (this image) is exactly that generation, so the hashes here are not real. For hives like this, use Impacket's secretsdump in its local-hive mode instead.

09:40:22 root@kali-lucky config → samdump2 ./SYSTEM ./SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
0xMohammed:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
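The pwdump format samdump2 prints (`user:rid:lm:nt:::`) is the same one secretsdump and hashcat consume, and two of the hashes in it are constants you should recognise on sight. The following is an added example, not code from the original post or from samdump2: it parses that format and triages it (enabled accounts with an empty password, accounts that still have an LM hash, and the "every NT hash is the empty hash" condition that means the hive was not actually decrypted). `SAMDUMP_OUTPUT` is copied from above; `CONSTRUCTED_OUTPUT` is made up for the example using the well-known LM/NT hashes of the string "password".

```python
"""Added example: triage a pwdump-format hash list."""
from collections import namedtuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of no password (LM storage is off by default)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "Guest",
                   503: "DefaultAccount", 504: "WDAGUtilityAccount"}

Account = namedtuple("Account", "user rid lm nt disabled")

# Copied from the samdump2 output above.
SAMDUMP_OUTPUT = """\
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
0xMohammed:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

# Constructed: what a successfully decrypted SAM looks like. The non-empty
# hashes are the well-known LM and NT hashes of "password".
CONSTRUCTED_OUTPUT = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
helpdesk:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_pwdump(text):
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        disabled = line.startswith("*disabled*")       # samdump2's own prefix
        if disabled:
            line = line[len("*disabled*"):].strip()
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts.append(Account(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower(), disabled))
    return accounts


def rid_hint(rid):
    """Built-in accounts have fixed RIDs; user-created ones start at 1000."""
    return WELL_KNOWN_RIDS.get(rid, "local user account" if rid >= 1000 else "other built-in")


def triage(accounts):
    report = {"hive_decrypt_suspect": False, "enabled_empty_password": [],
              "lm_present": [], "crackable": []}
    for a in accounts:
        if a.lm != EMPTY_LM:
            report["lm_present"].append(a.user)          # LM is DES-based and trivially cracked
        if a.nt == EMPTY_NT:
            if not a.disabled:
                report["enabled_empty_password"].append(a.user)
        else:
            report["crackable"].append((a.user, a.nt))  # hashcat -m 1000, or pass-the-hash
    if accounts and all(a.nt == EMPTY_NT for a in accounts):
        report["hive_decrypt_suspect"] = True            # tool failed on the hive, not real hashes
    return report


if __name__ == "__main__":
    for label, text in (("samdump2 output", SAMDUMP_OUTPUT), ("constructed", CONSTRUCTED_OUTPUT)):
        accounts = parse_pwdump(text)
        print(label, triage(accounts))
        for a in accounts:
            print("  rid %4d %-14s %s" % (a.rid, a.user or "(no name)", rid_hint(a.rid)))
```

Run on the samdump2 output above, the report flags `hive_decrypt_suspect`, which is the cue to re-dump the hives with a tool that supports the AES SAM format before drawing any conclusion about `0xMohammed` having an empty password.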

 

  • Dump password hashes (lsass.dmp)

Sometimes you won't have the registry hives: on a live system they are locked by the kernel and readable only as SYSTEM, and the SAM only holds local accounts anyway. If you can get hold of the memory of the lsass.exe process instead, you can extract credentials from it, because lsass is the process that handles authentication and keeps the NT hashes (and sometimes Kerberos keys or even clear-text passwords) of every logged-on user, domain accounts included. One thing to remember: the tools expect a minidump of lsass, which you can create with Task Manager (GUI) or ProcDump (CLI).
After that, we need mimikatz (on Windows) or pypykatz (on Linux) to extract the hashes. I am using pypykatz here. Note that the dump below comes from a different machine than the E01 image (a workstation, as the DESKTOP-OLQLDA6 hostname shows), which is why the user and domain names differ from the ones seen so far.

11:25:32 root@kali-lucky AD-MEM → pypykatz lsa minidump ./lsass.dmp                                                                                                                                                                                                               
INFO:root:Parsing file ./lsass.dmp                                                                                                                                                                                                                                                
FILE: ======== ./lsass.dmp =======                                                                                                                                                                                                                                                
== LogonSession ==                                                                                                                                                                                                                                                                
authentication_id 21797004 (14c988c)                                                                                                                                                                                                                                              
session_id 0                                                                                                                                                                                                                                                                      
username lucky                                                                                                                                                                                                                                                                    
domainname DESKTOP-OLQLDA6
logon_server DESKTOP-OLQLDA6
logon_time 2022-07-22T05:50:40.171282+00:00
sid S-1-5-21-1623495601-4023490135-1061596140-1001
luid 21797004
        == MSV ==
                Username: lucky
                Domain: DESKTOP-OLQLDA6
                LM: NA
                NT: a1d2e31c1d54fd593d35aa51c2******
                SHA1: a43552ff8ac99ba0a98c171588a0559270******
                DPAPI: NA
        == WDIGEST [14c988c]==
                username lucky
                domainname DESKTOP-OLQLDA6
                password None
        == Kerberos ==
                Username: lucky
                Domain: DESKTOP-OLQLDA6
        == WDIGEST [14c988c]==
                username lucky
                domainname DESKTOP-OLQLDA6
                password None
...
...

 

I also wanted to explain the MFT (Master File Table), but I didn't find any working way to analyze it in Linux, and since all the approaches in this article are shown with Linux, I didn't think it was a good idea to include it here.

 
