Saturday, August 18, 2018


Win10 Notification Database
Leave it to MS to make our jobs as DFIR analysts fun, all day, every day!  Actually, one of the things I've always found fascinating about analyzing Windows systems is that the version of Windows, more often than not, will dictate how far you're able to go with your analysis.

An interesting artifact that's available on Win10 systems is the notification database, which is where those pop up messages you receive on the desktop are stored.  Over the past couple of months, I've noticed that on my work computer, I get more of these messages, because it now ties into Outlook.  It turns out that this database is a SQLite database. Lots of folks in the community use various means to parse SQLite databases; one of the popular ways to do this is via Python, and subsequently, you can often find either samples via tutorials, or full-on scripts to parse these databases for you.

MalwareMaloney posted a very interesting article on parsing the write-ahead logging (.wal) file for the database.  Also, as David pointed out, anytime you're working with a SQLite database, you should consider taking a look at Mari's blog post on recovering deleted data.
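As an added illustration of the kind of parsing described above (this is example code written for this page, not code from the post or from any of the linked articles), here is a Python sketch that walks a notification database with the standard sqlite3 module. The table and column names (Notification, NotificationHandler, Payload, ArrivalTime, ExpiryTime), the assumption that the timestamps are 64-bit Windows FILETIME values, and the assumption that the payload is toast XML are all assumptions made for this example; the database itself is constructed in memory so the code runs offline.

```python
import sqlite3
import datetime
import xml.etree.ElementTree as ET

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + datetime.timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here only to build sample rows."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


# Constructed toast payload; the assumption is that notification payloads are XML of this shape.
SAMPLE_TOAST = (b'<toast><visual><binding template="ToastGeneric">'
                b'<text>Mail from alice@example.test</text>'
                b'<text>Quarterly report attached</text>'
                b'</binding></visual></toast>')


def build_sample_db():
    """Build an in-memory database with an ASSUMED schema (constructed sample data, not a real capture)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE NotificationHandler "
                 "(RecordId INTEGER PRIMARY KEY, PrimaryId TEXT, HandlerType TEXT)")
    conn.execute("CREATE TABLE Notification "
                 "(Id INTEGER PRIMARY KEY, HandlerId INTEGER, Type TEXT, Payload BLOB, "
                 "ArrivalTime INTEGER, ExpiryTime INTEGER)")
    conn.execute("INSERT INTO NotificationHandler VALUES (1, 'Microsoft.Office.OUTLOOK.EXE.15', 'app:desktop')")
    arrival = datetime_to_filetime(datetime.datetime(2018, 8, 18, 0, 0, tzinfo=datetime.timezone.utc))
    expiry = arrival + 7 * 24 * 3600 * 10_000_000          # one week later, in FILETIME ticks
    conn.execute("INSERT INTO Notification VALUES (?, ?, ?, ?, ?, ?)",
                 (101, 1, "toast", SAMPLE_TOAST, arrival, expiry))
    conn.commit()
    return conn


def toast_text(payload):
    """Pull the human-readable <text> elements out of a toast payload; [] if it is not XML."""
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return []
    return [t.text for t in root.iter("text") if t.text]


def dump_notifications(conn):
    """Join notifications to their handler (the app that raised them) and decode the timestamps."""
    rows = conn.execute(
        "SELECT n.Id, h.PrimaryId, n.Type, n.Payload, n.ArrivalTime, n.ExpiryTime "
        "FROM Notification n LEFT JOIN NotificationHandler h ON n.HandlerId = h.RecordId "
        "ORDER BY n.ArrivalTime")
    out = []
    for nid, handler, ntype, payload, arrival, expiry in rows:
        out.append({
            "id": nid,
            "handler": handler,
            "type": ntype,
            "arrival": filetime_to_datetime(arrival).isoformat(),
            "expiry": filetime_to_datetime(expiry).isoformat(),
            "text": toast_text(payload),
        })
    return out


if __name__ == "__main__":
    for rec in dump_notifications(build_sample_db()):
        print(rec["arrival"], rec["handler"], rec["text"])
```

To run this against a real database, replace build_sample_db() with sqlite3.connect() on a working copy of the file, and keep the -wal and -shm files next to that copy: records that exist only in the write-ahead log are not visible in the main database file, which is the point of the .wal article referenced above.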

Based on input from a user, I updated the RegRipper sizes plugin in a way that you may find useful; it now displays a brief sample of the data 'found' by the plugin (default is 48 bytes/characters).  So, instead of just finding a value of a certain size (or above) and telling you that it found it, the plugin now displays a portion of the data itself.  The method of display is based on the data type...if it's a string, it outputs a portion of the string, and if the data is binary, it outputs a hex dump of the pre-determined length.  That length, as well as the minimum data size, can be modified by opening the plugin in Notepad (or any other editor) and modifying the "$output_size" and "$min_size" values, respectively.

Here is some sample output from the plugin, run against a Software hive known to contain a malicious PowerShell script:

sizes v.20180817
(All) Scans a hive file looking for binary value data of a min size (5000)

Key  : \4MX64uqR  Value: Dp8m09KD  Size: 7056 bytes
Data Sample (first 48 bytes) : aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAA...
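To make the sampling logic concrete, here is an added Python re-implementation of what the plugin's output above reflects (this is example code for this page, not the RegRipper plugin itself, which is written in Perl). It goes one step further than the plugin: when a large string value is base64 that decodes to UTF-16LE text, as the sample above does, it also shows the decoded text so the analyst can see what they are looking at. The registry values are constructed in-line; the key and value names are the ones from the output above, the hive-walking is replaced by a plain list of (key, value name, type, data) tuples, and the heuristic for spotting UTF-16LE-in-base64 is this example's own assumption.

```python
import base64
import binascii
import re

# Standard Windows registry value type codes.
REG_SZ = 1
REG_EXPAND_SZ = 2
REG_BINARY = 3
STRING_TYPES = {REG_SZ, REG_EXPAND_SZ}


def hexdump(data, length):
    """Hex dump (offset, bytes, printable ASCII) of the first `length` bytes of `data`."""
    lines = []
    for off in range(0, min(len(data), length), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<47}  {asc}")
    return "\n".join(lines)


def string_value(data):
    """REG_SZ data is stored in the hive as UTF-16LE; decode it and drop the terminator."""
    return data.decode("utf-16-le", errors="replace").rstrip("\x00")


def data_sample(vtype, data, output_size):
    """Mirror the plugin: a string prefix for string types, a hex dump for everything else."""
    if vtype in STRING_TYPES:
        text = string_value(data)
        return text[:output_size] + ("..." if len(text) > output_size else "")
    return hexdump(data, output_size)


def decoded_preview(text, limit=64):
    """Heuristic (this example's own): if `text` is base64 whose decoded bytes look like
    UTF-16LE ASCII text (every odd byte is 0x00), return the decoded text, else None."""
    if len(text) < 16 or len(text) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", text):
        return None
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 8 or len(raw) % 2 or any(raw[1::2][:256]):
        return None
    return raw.decode("utf-16-le", errors="replace")[:limit]


def scan_values(values, min_size=5000, output_size=48):
    """Report every value whose raw data is at least `min_size` bytes, with a data sample."""
    findings = []
    for key, name, vtype, data in values:
        if len(data) < min_size:
            continue
        finding = {"key": key, "value": name, "size": len(data),
                   "sample": data_sample(vtype, data, output_size), "decoded": None}
        if vtype in STRING_TYPES:
            finding["decoded"] = decoded_preview(string_value(data))
        findings.append(finding)
    return findings


# Constructed sample data. The "script" is harmless filler; its first 18 characters match the
# decoded sample in the plugin output above, so the base64 prefix comes out identical.
SCRIPT_TEXT = "if([IntPtr]::Size -eq 8) { $a = 1 } " * 60
ENCODED = base64.b64encode(SCRIPT_TEXT.encode("utf-16-le")).decode("ascii")
SAMPLE_VALUES = [
    ("Microsoft\\Windows\\CurrentVersion\\Run", "Updater", REG_SZ,
     "C:\\placeholder\\updater.exe".encode("utf-16-le") + b"\x00\x00"),   # small: not reported
    ("4MX64uqR", "Dp8m09KD", REG_SZ, ENCODED.encode("utf-16-le") + b"\x00\x00"),
    ("Classes\\Installer\\Products\\placeholder", "Blob", REG_BINARY, bytes(range(256)) * 24),
]


if __name__ == "__main__":
    for f in scan_values(SAMPLE_VALUES):
        print(f"Key  : \\{f['key']}  Value: {f['value']}  Size: {f['size']} bytes")
        print(f"Data Sample (first 48 bytes) : {f['sample']}")
        if f["decoded"]:
            print(f"Decoded (UTF-16LE in base64) : {f['decoded']}")
        print()
```

The decoded preview is what turns "a big string value under a random-looking key" into "a PowerShell fragment under a random-looking key", which is the pivot point for the timeline and autostart searches discussed next.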

From here, I'd definitely pivot on the key name ("4MX64uqR"), looking into a timeline, as well as searching other locations in the Registry (auto start locations??) and file system for references to the name.

Interestingly enough, while working on updating this plugin, I referred back to pg 34 of Windows Registry Forensics for the table of value types.  Good thing I keep my copy handy for just this sort of emergency.  ;-)

Mari has an excellent example of how she has used this plugin in actual analysis here.

Speaking of books, Investigating Windows Systems is due out soon.  I'm really looking forward to this one, as it's a different approach altogether from my previous books.  Rather than listing the various artifacts that are available on Windows systems, folks like Phill Moore, David Cowen and Ali Al-Shemery graciously allowed me access to the images that they put together so that I could work through them.  The purpose of the book is to illustrate a way of stringing the various artifacts together into a full-blown investigation, with analysis decisions called out and discussed along the way.

What I wanted to do with the book is present something more of a "real world" analysis approach.  Some of the images came with 30 or more questions that had to be answered as part of the challenge, and in my limited experience, that seemed a bit much.

The Github repo for the book has links to the images used, and for one chapter, has the code I used to complete a task.  Over time, I may add other bits and pieces of information, as well.

My submission for OSDFCon was accepted, so I'll be at the conference to talk about RegRipper, and how you can really get the most out of it.

Here is the list of speakers at the conference...I'm thinking that my speaker bio had something to do with me being selected.  ;-)
