Friday, September 14, 2018

Random Stuff

I decided to put this post together because some things just need to persist beyond the typical Twitter life cycle.  The focus here is free and open source tools that can be used on Windows to investigate/parse/enable analysis of Windows artifacts.  It's not my intention to take anything away from current repositories of such tools, such as the DFIRTraining site, but rather to bring these tools to the forefront again.

Windows 10 Oct 2018 update includes clipboard history and cloud sync

Ryan Kovar shared this resource regarding detailed properties in O365 audit logs

Maxim tweeted (on 4 Sept, I just saw it today) that yarp-carver had been run against the image from the LoneWolf scenario and recovered a good deal of Registry data.

Here's a great explanation of ShimCache data from the folks at Mandiant.

yarp tools - be sure to follow Maxim on Twitter (ex: tweet regarding yarp-carver)

Windows 10 Timeline
Matthew Seyer wrote up a nice article over on Medium regarding a tool that he wrote to parse the Windows 10 Timeline database (SQLite format).  In that article, he also referred to Eric Zimmerman's WxTCmd tool, which can be found here.

Anytime you're working with an SQLite database, be sure to incorporate Mari's SQLite deleted data parser (blog, Github).

Paper: A Forensic Exploration of the Microsoft Windows 10 Timeline

Windows 10 Notification Database
Yogesh's post - 2016
David Cowen's post - 2018
Malware Maloney's post on parsing the .wal file - 2018

Windows Event Logs
Tools for parsing Windows Event Log (*.evtx) files:
LogParser - MS's tool
parse_evtx.exe - KasperskyLab ForensicTools (x64)
Evtx2json - includes experimental support for EVTXtract output
EVTXtract - Willi Ballenthin's Python code (presentation)
EvtxParser - Andreas Schuster's Perl code (here's some more info on getting it installed)
EventCleaner - reportedly will allow you to remove EVTX records

I blogged about accessing VSCs recently (actually, I blogged about it twice...), and I wanted to include the information in this post.

Something to be clear about...the version of Arsenal's Image Mounter tool is the one from GitHub, NOT the one discussed here. Yes, one of the issues I ran into when seeking assistance in this endeavor was that there is more than one tool with the same name, and that presented some challenges in communication.

My hope is that the version found on Github is updated to include the ability to mount raw/dd-style images via "Write-Temporary".

Here's a tweet about a presentation regarding recovering deleted VSCs using vss-carver.

DFIRTraining list of tools -

Parsing RDP Cache Files -
Link to tools at DFIRTraining site

I'm more than happy to add to this list as new things come in.


Troy Larson said...

There is no 'execution' bit or flag in an appcompatcache record entry, at least not in Vista through Windows 10. Appearance of a program in the appcompatcache does not mean that the program was executed. Simply opening a folder with executable files in it with Explorer will create entries for those executables in the appcompatcache.

There appear to be correlations between program execution and a program appearing in the cache and certain bits being set a certain way in the cache entry. These are only correlations, and other things may cause these bits to be set. (These bits actually mean something other than execution to the OS.) I would be interested in any work that has examined the strength or reliability of these correlations.

How reliable as an indicator of program execution is the appcompatcache?


Brett Shavers said...

"It's not my intention to take anything away from current repositories of such tools, such as the DFIRTraining site"

Certainly not! I believe it is very helpful when anyone blogs/posts/comments/writes/publishes anything about any DFIR software or hardware. One negative of the DFIR Training list is that it is simply a list of tools (which is also a positive, as there is a list for practically every tool category you can think of).

Your post did give me an idea to supplement talk about tools, which is that if someone does write about a tool, they submit it at the specific tool's page as a review. Just submitting the URL of the blog post about the tool would be helpful for those finding a tool and wondering what someone thought about using it.