# Post-mortem analysis

## Main objectives of the practice

- Analyze the evidence provided by different artifacts in Windows operating systems.

---

## PART A

### 1. Regarding *prefetch*

- **What are they?**
  These are files generated by Windows that contain data about executed programs.
- **What file extension do they have?**
  `.pf`
- **In which directory can they be found?**
  The default path for prefetch files is `C:\Windows\Prefetch`.
- **What forensic information do they store that may be important for an investigation?**
  They allow reconstruction of user activity, showing a chronology of executed programs and sometimes how many times they were run.

### 2. Regarding *LOGs*

- **Which ones do you think are the most important based on the content they store?**
  Application logs are the most important for forensic analysis, as they show user actions. In enterprise environments, system logs are also crucial to check for damage caused by malware.
- **Where can they be found?**
  System logs are located at `C:\Windows\System32\winevt\Logs`.
  *These logs record security events, system events, and application events.*

### 3. Regarding the hibernation file `hiberfil.sys`

- **Where can it be found?**
  The typical location is the root of the disk: `C:\`.
- **Which tool can be used to decode its contents?**
  Rekall, Volatility, or WinDbg (Microsoft Windows Debugger), among others.
- **Do you think the information it contains is important?**
  Yes, it contains a snapshot of RAM when the system enters hibernation, potentially holding sensitive user data and system state.

### 4. Regarding snapshots, restore points and/or Volume Shadow Copies Service (VSS)

- **What file system is required to use this technology?**
  NTFS
- **Is it enabled by default or does the user need to activate it?**
  It is enabled by default, but periodic snapshots are not configured automatically.
- **How often are they created?**
  They are typically created during major installations or updates.
- **Think of a couple of scenarios where they may be useful:**
  1. Recovering the system after a ransomware attack.
  2. Undoing changes caused by faulty driver updates.

### 5. Questions related to the Windows Registry

- **Research how to import and export registry keys in CLI and GUI environments:**

  a) GUI: open Regedit → select the key → File → Export / Import

  ![alt text](./images/image.png)

  b) CLI:

  ```powershell
  reg export "(Key)" C:\(Name_to_export)
  reg import C:\(Name_of_the_key_to_import)
  ```

- **List registry keys that are forensically interesting to export and analyze, explaining what information they reveal:**
  - `Run`: Programs executed at startup.
  - `RecentDocs`: Recently opened files.
  - `USBStor`: USB devices connected to the system.

### 6. Events of forensic interest

- **What types of events may be interesting to inspect from a forensic perspective? Give a couple of examples:**
  - Security events: Track user logins.
  - System events: Track software installations and failures.

### 7. Software tools

**Tools for each artifact:**

- **Prefetch:** [PECmd](https://github.com/EricZimmerman/PECmd)
- **Logs:** [Event Log Explorer](https://www.eventlogxp.com/)
- **Hibernation file:** [Volatility](https://volatilityfoundation.org/)
- **Volume Shadow Copies Service:** [ShadowExplorer](https://www.shadowexplorer.com/downloads.html)
- **System registry:** [FTK Imager](https://www.exterro.com/digital-forensics-software/ftk-imager)
- **Event management:** [Event Log Explorer](https://www.eventlogxp.com/)
- **Shortcuts & Caches and browsing history:** [Nirsoft](https://www.nirsoft.net/web_browser_tools.html)
- **Recycle Bin:** [Rifiuti](https://abelcheung.github.io/rifiuti2/)

---

## PART B

The practice consists of extracting as much evidence as possible from a Windows operating system by performing targeted searches on the different artifacts it uses.
Although in a real scenario this would be done using a system image, for this practice it is recommended, for agility, to use the operating system installed on the student's computer. In my case, I will use a Windows partition that I use for a few things, but as I don't use it a lot, some hives will not exist because I do not use Windows for daily life.

### Software to be used

- **A.** Windows 10 (32 or 64 bits)
- **B.** FTK Imager
- **C.** Arsenal Image Mounter
- **D.** Registry Explorer
- **E.** RegRipper
- **F.** WRR
- **G.** LinkParser
- **H.** JumpListExplorer
- **I.** ShellBagsExplorer
- **J.** USB Detective

### Evidence extraction

Open FTK Imager and click the image icon.

![alt text](./images/image-1.png)

*This will allow you to mount the disk image for analysis.*

Click "Logical Drive" and click on "Next".

![alt text](./images/image-2.png)

Select your disk and click "Finish".

![alt text](./images/image-3.png)

Verify that the evidence tree appears in FTK Imager.

![alt text](./images/image-4.png)

Now extract some files for analysis by navigating to `\root\Windows\System32\Config\` and clicking "Export Files...".

![alt text](./images/image-5.png)

*These are critical registry hives for forensic analysis.*

I'll save them as "windows-artifacts".

![alt text](./images/image-6.png)

Open WRR and click "File" → "Open...".

![alt text](./images/image-8.png)

Select "SOFTWARE", "SYSTEM" and "SAM" and click on "Open".

![alt text](./images/image-9.png)

*These registry hives contain software settings, system information, and user account data.*

Verify that the files were correctly loaded into WRR.

![alt text](./images/image-10.png)

Repeat the same process for `root\Windows\Users\{USER}`.

![alt text](./images/image-26.png)

Add "NTUSER.DAT" from `{USER}\` and "UsrClass.DAT" from `{USER}\AppData\Local\Microsoft\Windows\` to WRR.
![alt text](./images/image-85.png)

---

### Artifacts and paths of interest

#### System information

- **System version**
  `Software\Microsoft\Windows NT\CurrentVersion`
  *Shows OS version, build, and install info.*

  ![alt text](./images/image-11.png)

- **Machine name**
  `System\ControlSet001\Control\ComputerName\ComputerName`
  *Stores the hostname of the computer.*

  ![alt text](./images/image-13.png)

- **Time zone**
  `System\ControlSet001\Control\TimeZoneInformation`
  *Shows local time zone settings.*

  ![alt text](./images/image-12.png)

- **Last access timestamp**
  `System\ControlSet001\Control\FileSystem`

  ![alt text](./images/image-80.png)

  *Controls whether Windows updates the last access date of files and folders (value `NtfsDisableLastAccessUpdate`).*

  | Value | Actual behavior |
  |------:|-----------------|
  | **0** | Updates the last access timestamp for both files and directories (legacy behavior, lower performance). |
  | **1** | Does not update the last access timestamp for **files or directories**. |
  | **2** | **System managed** (default since Windows Vista/7). Windows decides when to update to balance compatibility and performance. |
  | **3** | Updates the last access timestamp **for directories only**, **not for files**. |

- **Shutdown time**
  `System\ControlSet001\Control\Windows`
  *Stores last shutdown or restart timestamps.*

  ![alt text](./images/image-14.png)
  ![alt text](./images/image-15.png)

#### Network

- **Network interfaces**
  `System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{GUID_INTERFACE}`
  *Stores DNS root servers and whether the computer has completed the network configuration after installation.*

  ![alt text](./images/image-16.png)
  ![alt text](./images/image-17.png)

- **Network history**
  `Software\Microsoft\Windows NT\CurrentVersion\NetworkList\`
  *Contains networks the computer connected to, including SSIDs.*

  ![alt text](./images/image-20.png)
  ![alt text](./images/image-19.png)
  ![alt text](./images/image-18.png)

  *These are the root DNS.*

  `Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache` (Not present.)
  *Cached information about networks.*

  `Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Wireless`
  *Cached information about wireless networks.*

  ![alt text](./images/image-22.png)
  ![alt text](./images/image-21.png)

- **When a network was connected**
  `Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles`
  *Shows timestamps of network connections.*

  ![alt text](./images/image-24.png)
  ![alt text](./images/image-23.png)

#### Sharing and startup

- **Shared folders**
  `System\ControlSet001\Services\LanmanServer\Shares\`
  *Lists folders shared over the network.*

  ![alt text](./images/image-25.png)

- **Startup programs**
  `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`
  *Programs set to start automatically when the user logs in.*

  ![alt text](./images/image-27.png)

  `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce`
  *Per-user programs that run once on the user's next login.*

  ![alt text](./images/image-28.png)

  `Software\Microsoft\Windows\CurrentVersion\RunOnce`
  *System-wide programs that run once at the next login for any user.*

  ![alt text](./images/image-29.png)
  `Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run`
  *Sometimes contains enforced startup items.* (Not present.)

  `Software\Microsoft\Windows\CurrentVersion\Run`
  *Programs that start automatically every time the user logs in.*

  ![alt text](./images/image-30.png)

#### User activity

- **Searches in the search bar**
  `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery`
  *Stores user search queries in Windows Explorer/Start menu.* (Not present.)

- **Typed paths in Start or Explorer**
  `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`
  *Shows file paths the user manually entered.*

  ![alt text](./images/image-31.png)

- **Recent documents**
  `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`
  *Tracks recently opened files.*

  ![alt text](./images/image-33.png)
  ![alt text](./images/image-32.png)

- **Recent Office documents**
  `NTUSER.DAT\Software\Microsoft\Office\{Version}\{Excel|Word}\UserMRU`
  *Tracks recently opened Office files.* (Not present.)

- **Reading position of last opened document**
  `NTUSER.DAT\Software\Microsoft\Office\Word\Reading Locations\Document X`
  *Stores where you left off in Word documents.* (Not present.)

- **Autosaved Office files**
  `C:\Users\{user}\AppData\Roaming\Microsoft\{Excel|Word|PowerPoint}\`
  *Temporary autosave files for Office apps.* (Not present.)

- **OpenSaveMRU**
  `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU`
  *Stores recently opened/saved files per application.*

  ![alt text](./images/image-34.png)

- **Last executed commands**
  `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`
  *Tracks commands typed in the Run dialog.*

  ![alt text](./images/image-35.png)

  `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Policies\RunMRU`
  *Same as RunMRU but enforced by policies.* (Not present.)
- **UserAssist (programs executed)**
  `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count`
  *Tracks execution counts of applications.*

  ![alt text](./images/image-36.png)

- **Taskbar-related events**
  `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage`
  *Tracks user interaction with taskbar features.*

  ![alt text](./images/image-37.png)

  `...\AppBadgeUpdated`

  ![alt text](./images/image-38.png)

  *Records when a taskbar app badge (like notifications) is updated.*

  `...\AppLaunch`

  ![alt text](./images/image-39.png)

  *Logs when a user launches an application from the taskbar.*

  `...\AppSwitched`

  ![alt text](./images/image-40.png)

  *Tracks when the user switches between apps pinned or open on the taskbar.*

  `...\ShowJumpView`

  ![alt text](./images/image-41.png)

  *Logs when the user opens a jump list (right-click menu) on a taskbar app.*

- **Recent applications**
  `Software\Microsoft\Windows\CurrentVersion\Search\RecentApps`
  *Lists recently used apps.* (Not present.)

#### Shortcuts and Jump Lists

- **Recent documents (LinkParser / LECmd)**
  `C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Recent`
  *Contains shortcut (.lnk) files of recently opened documents.*

  ![alt text](./images/image-43.png)
  ![alt text](./images/image-42.png)
  ![alt text](./images/image-44.png)

- **Jump Lists**
  `C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations`
  *Shows recent and pinned items for applications.*

  ![alt text](./images/image-45.png)
  ![alt text](./images/image-46.png)
  ![alt text](./images/image-47.png)

  `C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations`

  ![alt text](./images/image-48.png)
  ![alt text](./images/image-49.png)

#### Shellbags

![alt text](./images/image-50.png)

`USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags`
*Stores the view settings of folders (icon view, details view, window size, etc.) for individual folders.*

![alt text](./images/image-87.png)

`USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU`
*Stores the hierarchy of folders that the user has accessed, linking to the corresponding Bags entries.*

![alt text](./images/image-88.png)

`NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU`
*Another location tracking folder access and structure, used by newer versions of Windows for the MRU (Most Recently Used) folder list.*

![alt text](./images/image-89.png)

Using a tool like ShellBags Explorer, it is possible to visualize shellbags in a much easier way.

![alt text](./images/image-86.png)

#### USB and MTP devices

- **MTP devices**
  `C:\Users\{user}\AppData\Local\Temp\WPDNSE\{GUID}` (Not present.)

- **USB storage (VID / PID)**
  `SYSTEM\ControlSet001\Enum\USBSTOR`
  *Shows vendor/product IDs and device serials.*

  ![alt text](./images/image-51.png)

- **USB volume names**
  `SOFTWARE\Microsoft\Windows Portable Devices\Devices`
  *Stores friendly device names.*

  ![alt text](./images/image-52.png)

- **User who used the USB device**
  `SYSTEM\MountedDevices`
  `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2`
  *Shows which user mounted the device and the assigned drive letters.*

  ![alt text](./images/image-53.png)
  ![alt text](./images/image-54.png)

- **Logical volume serial number**
  `Software\Microsoft\Windows NT\CurrentVersion\EMDMgmt`
  *Stores volume serials for identification.*

  ![alt text](./images/image-55.png)

- **First and last connection time**
  `SYSTEM\ControlSet001\Enum\USBSTOR\{VEN_PROD_VERSION}\{USB_SERIAL}\Properties\{83da6326-97a6-4088-9453-a1923f573b29}`
  *Tracks timestamps of USB device connections.*

  ![alt text](./images/image-81.png)

  `C:\Windows\inf\setupapi.dev.log`
  *Tracks the installation and configuration of device drivers on the system.*

  ![alt text](./images/image-99.png)

  - **0064 – First connection (InstallDate)**
    Indicates the first time the USB device was installed/connected on the system.
    ![alt text](./images/image-82.png)

  - **0065 – Last connection (LastArrivalDate)**
    Indicates the most recent time the USB device was connected.

    ![alt text](./images/image-83.png)

  - **0066 – Last disconnection (LastRemovalDate)**
    Indicates the most recent time the USB device was safely removed.

    ![alt text](./images/image-84.png)

#### Databases and system artifacts

- **Cortana database**
  `C:\Users\{user}\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\ESEDatabase_CortanaCoreInstance\CortanaCoreDb.dat` (Not present.)

- **Windows notifications**
  `C:\Users\{user}\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db`
  *Tracks notifications shown to the user.*

  ![alt text](./images/image-57.png)
  ![alt text](./images/image-58.png)
  ![alt text](./images/image-59.png)
  ![alt text](./images/image-60.png)

- **Timeline**
  `C:\Users\{user}\AppData\Local\ConnectedDevicesPlatform\ActivitiesCache.db`
  *Tracks app and file activity over time.*

  ![alt text](./images/image-61.png)

- **Windows Store**
  `Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\`
  *Contains Windows Store app installation state.*

  ![alt text](./images/image-101.png)

#### Other artifacts

- **Thumbnails and Thumbcache**
  `thumbs.db`
  `C:\Users\{user}\AppData\Local\Microsoft\Windows\Explorer`
  *Stores thumbnail images of files for faster previews.*

  ![alt text](./images/image-62.png)
  ![alt text](./images/image-63.png)
  ![alt text](./images/image-64.png)
  ![alt text](./images/image-65.png)
  ![alt text](./images/image-66.png)

- **Recycle Bin**
  `C:\$Recycle.Bin`
  *Stores deleted files.*

  ![alt text](./images/image-68.png)

  Copy for analysis:

  ```powershell
  Copy-Item -Recurse -Force 'C:\$Recycle.Bin\S-1-5-21-4071608857-1089510339-248207473-1000' 'C:\RecycleBackup'
  ```

  ![alt text](./images/image-69.png)

  Export to CSV:

  ```powershell
  .\rifiuti-vista.exe -t "," -o "recycle-bin.csv" "C:\RecycleBackup"
  ```

  ![alt text](./images/image-67.png)

- **OfficeFileCache**
  `C:\Users\{user}\AppData\Local\Microsoft\Office\{Version}\OfficeFileCache` (Not present.)

- **OfficeBackstage**
  `C:\Users\{user}\AppData\Local\Microsoft\Office\16.0\BackstageInAppNavCache` (Not present.)

- **Public IP (ETLParser)**
  `C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs`

  ```powershell
  .\ETLParser.exe -c DeliveryLogs -s "C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs" -o "C:\Users\adrian\Downloads\ETLOutput"
  ```

  ![alt text](./images/image-71.png)
  ![alt text](./images/image-70.png)
  ![alt text](./images/image-72.png)

- **PowerShell command history**
  `C:\Users\{user}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`
  *Stores previously executed PowerShell commands.*

  ![alt text](./images/image-73.png)

- **Prefetch**
  `C:\Windows\Prefetch`
  *Stores data about program execution.*

  ![alt text](./images/image-74.png)
  ![alt text](./images/image-75.png)
  ![alt text](./images/image-76.png)
  ![alt text](./images/image-77.png)

- **SuperFetch**
  `C:\Windows\Prefetch\Ag*.db`
  *Caches frequently used applications to speed up loading.*
  *As I'm using an SSD, SuperFetch files are not generated.*

- **SRUM**
  `C:\Windows\System32\sru\SRUDB.dat`
  *Tracks network, CPU, and power usage.*

  ![alt text](./images/image-90.png)

- **ShimCache**
  `SYSTEM\ControlSet001\Control\Session Manager\AppCompatCache\AppCompatCache`
  *Registry-based cache listing previously executed programs, even if deleted.*

- **AmCache (AppCompatCacheParser)**
  `C:\Windows\AppCompat\Programs\Amcache.hve`
  *Stores metadata about executed programs, installation times, and file paths.*

  ![alt text](./images/image-91.png)
  ![alt text](./images/image-92.png)

- **Scheduled Tasks**
  `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree`
  *Lists tasks scheduled by the system or users.*

  ![alt text](./images/image-94.png)

- **Services**
  `SYSTEM\ControlSet001\Services`
  *Registry keys storing installed services and their configuration.*

  ![alt text](./images/image-95.png)

- **BAM (DCode)**
  *Tracks per-user application activity and resource usage.*
  `SYSTEM\ControlSet001\Services\bam\UserSettings\{SID}` (Not present.)
  `SYSTEM\ControlSet001\Services\bam\State\UserSettings\{SID}`

  ![alt text](./images/image-96.png)

- **Windows Event Logs**
  `C:\Windows\System32\winevt\Logs`
  *Stores system, security, and application events for auditing and forensic analysis.*

  ![alt text](./images/image-97.png)
  ![alt text](./images/image-98.png)
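The `$I` metadata files that rifiuti reads in the Recycle Bin step above can also be decoded by hand, which makes it clear where the original path, size and deletion time in the CSV come from. The parser below is an added example, not code from this write-up or from rifiuti; the two sample files it parses are constructed inside the block (hypothetical path, fixed timestamp) so it runs offline.

```python
r"""Added example: parse Recycle Bin $I files (C:\$Recycle.Bin\<SID>\$I......).
Each deleted file gets a $R file (the data) and a $I file (this metadata).
Sample bytes below are constructed, not taken from a real system."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    ticks, = struct.unpack("<Q", raw[:8])
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_dollar_i(data: bytes) -> dict:
    """Return the original path, size and deletion time recorded in a $I file.

    Layout: version (8 bytes), original file size (8), deletion FILETIME (8),
    then the original path as UTF-16-LE: a fixed 520-byte field in version 1
    (Vista to 8.1) or a 4-byte character count followed by the name in
    version 2 (Windows 10 and later)."""
    if len(data) < 28:
        raise ValueError("truncated $I file")
    version, size, deleted_raw = struct.unpack("<QQ8s", data[:24])
    if version == 1:
        name = data[24:544].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        nchars, = struct.unpack("<I", data[24:28])
        name = data[28:28 + 2 * nchars].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(deleted_raw), "path": name}


# --- constructed samples: 2024-01-01 00:00:00 UTC expressed as FILETIME ticks ---
SAMPLE_TICKS = 133485408000000000
SAMPLE_PATH = r"C:\Users\student\Documents\report.docx"   # hypothetical path

# Windows 10 style: character count (including the terminating NUL) + name
V2_SAMPLE = (struct.pack("<QQQI", 2, 20480, SAMPLE_TICKS, len(SAMPLE_PATH) + 1)
             + (SAMPLE_PATH + "\x00").encode("utf-16-le"))
# Vista style: fixed 520-byte NUL-padded name field (544 bytes in total)
V1_SAMPLE = (struct.pack("<QQQ", 1, 4096, SAMPLE_TICKS)
             + SAMPLE_PATH.encode("utf-16-le").ljust(520, b"\x00"))

if __name__ == "__main__":
    for sample in (V2_SAMPLE, V1_SAMPLE):
        print(parse_dollar_i(sample))
```

To use it on the exported folder from the write-up, read each file whose name starts with `$I` and pass its bytes to `parse_dollar_i`.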
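The UserAssist, USBSTOR `Properties` (0064/0065/0066) and BAM entries above are all stored as raw binary values with embedded FILETIME stamps, which is what DCode and Registry Explorer are decoding in the screenshots. The block below is an added example (not from this write-up or from those tools) that decodes each layout; it works on bytes constructed inside the block rather than on a live hive, and the program path and timestamps are made up.

```python
r"""Added example: decode three binary registry artifacts from the write-up:
UserAssist\{GUID}\Count, USBSTOR ...\Properties\{83da6326-...}\0064-0066 and
bam\State\UserSettings\{SID}.  All sample bytes are constructed."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """8-byte little-endian FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    ticks, = struct.unpack("<Q", raw[:8])
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_userassist(value_name: str, data: bytes) -> dict:
    """Windows 7+ UserAssist entry: the value name is ROT13-encoded and the data
    is 72 bytes, run count at offset 4 (DWORD), last-run FILETIME at offset 60."""
    if len(data) != 72:
        raise ValueError("expected a 72-byte Windows 7+ UserAssist value")
    run_count, = struct.unpack_from("<I", data, 4)
    last_run = data[60:68]
    return {"program": codecs.decode(value_name, "rot_13"),
            "run_count": run_count,
            # an all-zero FILETIME means the program was never run from the shell
            "last_run_utc": filetime_to_datetime(last_run) if last_run != b"\x00" * 8 else None}


USB_PROPERTY_NAMES = {"0064": "InstallDate", "0065": "LastArrivalDate",
                      "0066": "LastRemovalDate"}


def parse_usb_timestamps(properties: dict) -> dict:
    """Map the data of the 0064/0065/0066 property keys (each an 8-byte FILETIME)
    to the names the write-up uses; a key missing from the hive stays absent."""
    return {USB_PROPERTY_NAMES[k]: filetime_to_datetime(v)
            for k, v in properties.items() if k in USB_PROPERTY_NAMES}


def parse_bam_value(data: bytes) -> datetime:
    """BAM UserSettings\{SID} values are 24 bytes; the first 8 hold the FILETIME
    of the last execution of the program named by the value (rest not decoded)."""
    if len(data) < 8:
        raise ValueError("BAM value too short")
    return filetime_to_datetime(data[:8])


# --- constructed samples: 2024-01-01 00:00:00 UTC, then +1 h and +1 h 10 min ---
T0 = 133485408000000000
T1 = T0 + 3600 * 10_000_000
UA_NAME = codecs.encode(r"C:\Windows\System32\notepad.exe", "rot_13")  # hypothetical
UA_DATA = struct.pack("<II", 0, 7) + b"\x00" * 52 + struct.pack("<Q", T0) + b"\x00" * 4
USB_PROPS = {"0064": struct.pack("<Q", T0), "0065": struct.pack("<Q", T1),
             "0066": struct.pack("<Q", T1 + 600 * 10_000_000)}
BAM_DATA = struct.pack("<Q", T1) + b"\x00" * 16

if __name__ == "__main__":
    print(parse_userassist(UA_NAME, UA_DATA))
    print(parse_usb_timestamps(USB_PROPS))
    print(parse_bam_value(BAM_DATA))
```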