Thursday, May 02, 2019

What's New...

Magnet Forensics Free Tools
The folks over at Magnet Forensics have several free tools available, which were discussed recently on the 13Cubed YouTube channel.

Okay, so parsers abound (more on that later), but what then? Parsing is great, but that's just the first step toward analysis, and the true value of a tool, regardless of where it comes from, is how it integrates into your analysis process.  Parsing is not analysis.

On a bit of a side note on that topic, IWS was released last fall, and I'm still somewhat curious to see how it's received by the community. In the book, I exposed my analysis process, in a manner that anyone can follow along with; with the exception of the first image (which seems to be no longer accessible), anyone can download the images, and perform their own analysis.  This is a complete departure from my previous work; in all of my previous books, I'd followed a pretty standard's an artifact, here's how to parse it, here's what it can tell you...but like other works, I'd pretty much left it to the reader to figure out how to stitch everything together into a cohesive investigation.  IWS is my first real shot at doing that, going beyond just throwing up my findings into a blog post.  Yes, I've been told, "'s good...", and "...I like it...", but like a brewer who's stepped outside their comfort zone and tried something radically different from their previous approach, I'm really curious to better understand what readers really think about the content of the book, how it impacts them, and

JumpList AppID
Not long ago, I saw a question about an Automatic JumpList application ID; the OP was asking which application the AppID referred to.  I did a quick Google search and found no reference to that specific AppID, but it did get me can someone go about determining the AppID of a JumpList, when said AppID is not publicly listed?

I came up with two means for doing so, and in hindsight, they are not mutually exclusive; that is, one supports the other.

The first method would be to parse the JumpList and get a list of files that it points to; you can get this information from both the individual LNK streams within the JumpList file, as well as the DestList stream.  From there, you could then check the Registry for file associations; that is, which application is associated with the listed file's extensions.

The second method would be to create a timeline of system activity, and include the JumpList DestList stream as a data source.  With additional information, such as UserAssist and BAM entries, RecentDocs values, Prefetch metadata, etc., you should be able to 'see' applications that were launched prior to at least some of the files in the JumpList DestList stream being accessed.

I've got a couple of upcoming presentations, the first one being at RVASec, coming up later this month. I've submitted to OSDFCon this year, as well, but that's in the fall.

A friend asked me to provide a presentation to her forensics class, which I did recently, via Zoom.  I resurrected a presentation on Registry analysis, which I thought was appropriate given the audience, and it seemed to pretty well-received.  If anything, I hope that seeds were planted.

No comments: