Little Black Book of Windows Forensic Secrets

This is a page where I post little one-off hints and tips on performing forensic analysis of Windows systems.  Expect this page to change over time as items are added, removed, or simply organized a bit better.

The Task Scheduler log file (SchedLgu.txt) can be used not only to show which scheduled tasks have run, but also when the system itself was running.
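As an added example (not code from the original page), the following parser turns a SchedLgu.txt file into a list of events and then pairs the service's own "Started at"/"Exited at" entries into intervals during which the system was running. The sample log is constructed, and the date format assumed by the strptime pattern is that of a US-English locale; real logs are written in local time in whatever format the system's locale uses.

```python
import re
from datetime import datetime

# Constructed sample in the style of SchedLgu.txt; not taken from a real system.
# Real logs are written in local time using the system's locale date format,
# so the strptime pattern below is an assumption that may need adjusting.
SAMPLE_LOG = '''"Task Scheduler Service"
 Started at 1/15/2009 8:02:10 AM
"At1.job" (cmd.exe)
    Started 1/15/2009 9:00:00 AM
"At1.job" (cmd.exe)
    Finished 1/15/2009 9:00:05 AM
    Result: The task completed with an exit code of (0).
"Task Scheduler Service"
 Exited at 1/15/2009 5:30:22 PM
"Task Scheduler Service"
 Started at 1/16/2009 7:58:03 AM
"Task Scheduler Service"
 Started at 1/17/2009 9:12:44 AM
[ ***** Most recent entry is above this line ***** ]
'''

SERVICE = 'Task Scheduler Service'
HEADER_RE = re.compile(r'^"(?P<name>[^"]+)"(?:\s+\((?P<image>[^)]+)\))?\s*$')
ACTION_RE = re.compile(r'^\s*(?P<action>Started at|Exited at|Started|Finished)\s+'
                       r'(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s*$')


def parse_schedlgu(text):
    """Return (datetime, name, image, action) tuples in file order, where
    action is 'Started', 'Exited' or 'Finished'."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = (m.group('name'), m.group('image'))
            continue
        m = ACTION_RE.match(line)
        if m and current:
            when = datetime.strptime(m.group('when'), '%m/%d/%Y %I:%M:%S %p')
            events.append((when, current[0], current[1],
                           m.group('action').replace(' at', '')))
    return events


def running_intervals(events):
    """Pair the service's own Started/Exited entries into (start, end, clean)
    tuples. end is None when the log ends with the service still running.
    A Started that follows another Started with no Exited in between means the
    service never logged an orderly exit; that interval is marked clean=False
    and its end is only an upper bound (the next start time)."""
    intervals, start = [], None
    for when, name, _, action in events:
        if name != SERVICE:
            continue
        if action == 'Started':
            if start is not None:
                intervals.append((start, when, False))
            start = when
        elif action == 'Exited' and start is not None:
            intervals.append((start, when, True))
            start = None
    if start is not None:
        intervals.append((start, None, True))
    return intervals


if __name__ == '__main__':
    for start, end, clean in running_intervals(parse_schedlgu(SAMPLE_LOG)):
        print(start, '->', end or 'still running',
              '' if clean else '(no clean exit logged)')
```

The interval marked clean=False is the one worth a second look: the service started again on 1/17 without ever logging an exit for the 1/16 session, so the system went down some time before 9:12:44 AM on 1/17 without an orderly shutdown.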

F-Response
TSK's fls can be run over F-Response using the following command line:

fls -f ntfs -m C:/ -p -r \\.\F:

RDP Notes
default.rdp: http://support.microsoft.com/kb/885187
Change RDP port number: http://support.microsoft.com/kb/306759

Files
Download Manager
%UserProfile%\Application Data\Download Manager\DownloadManagerList.dmc
 
HTML Help
%UserProfile%\Application Data\Microsoft\HTML Help\hh.dat
 
Media Player
%UserProfile%\Local Settings\Application Data\Microsoft\Media Player\LastPlayed.wpl
- last file played (XML)

Windows Media Player playlist format
http://www.wischik.com/damon/Comp/wplFormat.html

Google Toolbar URLs
%UserProfile%\Local Settings\Application Data\Google\Toolbar History\urls
the files (which have no extensions) contain URLs in Unicode

TEMP folders (user profile)
Look for executable files and Java archives (JAR files) based on file signature, not extension.
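An added example of the signature-based check described above (it is not code from the original page): files are classified by their leading bytes, an MZ header is only reported as a PE if the e_lfanew field points at a valid "PE\0\0" signature, and a ZIP archive is only reported as a JAR if it carries a manifest or class files. The sample folder is constructed inside a temporary directory, with extensions that lie in both directions.

```python
import os
import struct
import tempfile
import zipfile

PE_MAGIC = b'MZ'
ZIP_MAGIC = b'PK\x03\x04'


def classify(path):
    """Classify a file by content: 'pe', 'mz' (DOS header without a valid NT
    header), 'jar', 'zip', or None. The extension is never consulted."""
    with open(path, 'rb') as fh:
        data = fh.read(0x40)
        if data[:2] == PE_MAGIC:
            if len(data) >= 0x40:
                # e_lfanew at 0x3C gives the offset of the "PE\0\0" signature.
                fh.seek(struct.unpack_from('<I', data, 0x3C)[0])
                if fh.read(4) == b'PE\x00\x00':
                    return 'pe'
            return 'mz'
    if data[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(path) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return 'zip'   # signature present but the archive is damaged/truncated
        if any(n.upper() == 'META-INF/MANIFEST.MF' or n.endswith('.class') for n in names):
            return 'jar'
        return 'zip'
    return None


def scan_tree(root):
    """Walk root and return {relative path: kind} for every file whose content
    matches a PE or ZIP/JAR signature, whatever its extension says."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            kind = classify(full)
            if kind:
                found[os.path.relpath(full, root)] = kind
    return found


def build_sample_tree():
    """Create a constructed TEMP-like folder whose extensions are misleading."""
    root = tempfile.mkdtemp(prefix='temp_scan_')
    # Minimal MZ/PE stub: e_lfanew points to 0x40, where "PE\0\0" is placed.
    pe = (b'MZ' + b'\x00' * (0x3C - 2) + struct.pack('<I', 0x40)
          + b'PE\x00\x00' + b'\x00' * 16)
    with open(os.path.join(root, 'update.tmp'), 'wb') as fh:
        fh.write(pe)                                   # an executable hiding as .tmp
    with zipfile.ZipFile(os.path.join(root, 'report.dat'), 'w') as zf:
        zf.writestr('META-INF/MANIFEST.MF', 'Manifest-Version: 1.0\n')
        zf.writestr('Loader.class', b'\xca\xfe\xba\xbe')   # a JAR hiding as .dat
    with zipfile.ZipFile(os.path.join(root, 'photos.jpg'), 'w') as zf:
        zf.writestr('a.txt', 'plain archive, not a jar')   # a ZIP hiding as .jpg
    with open(os.path.join(root, 'setup.exe'), 'w') as fh:
        fh.write('just text wearing an .exe extension\n')  # the reverse case
    return root


if __name__ == '__main__':
    for rel, kind in sorted(scan_tree(build_sample_tree()).items()):
        print('%-12s %s' % (rel, kind))
```

Point it at a user's TEMP folder (or at the same path inside a mounted image) instead of the constructed tree; the text file named setup.exe is deliberately not reported, since the check is about content, not names.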

Timeline Data
Firefox bookmark files & IE Favorites folder - entries contain timestamps,
including when last accessed.

Registry
An interesting blog post describes how the TypedURLs key can be populated by more than just the user typing a URL into the Address Bar.

OE
HKCU\Software\Microsoft\Internet Account Manager\Accounts; 0001, 0002
 - contains info such as NNTP servers, etc., used via Outlook Express

Log files
C:\Program Files\mIRC\logs - contains log files of channels and communications

"Default User" or LocalService user account has web browsing history
Incidents (malware, compromises) many times result in someone or something obtaining System-level privileges on the system.  Often, communications off of the system occur via the WinInet APIs, which results in entries being added to the index.dat file for that user account, as well as cached files in the TIF directory (IE uses this API).  Ilomo/Clampi attempts to spread using psexec.exe, and as a result of how it is used, there are web history artifacts in the LocalService (in one case, LocalService.NT Authority) profile, which include "\\NetBIOS_name\ADMIN$\PSEXESVC.EXE".

Goodness from Rob "van" Hensing
http://blogs.technet.com/b/robert_hensing/archive/2006/11/15/ever-found-malware-hiding-in-the-all-users-profile-on-windows-ever-wonder-how-it-got-there-or-why-it-was-there.aspx
http://blogs.technet.com/b/robert_hensing/archive/2005/01/27/361800.aspx


"Default User" TIF entries/UrlMon API
http://blog.sat0ri.com/?p=218

Off-system comms
Malware will often use 'normal' means to communicate off of a system; on Windows systems, this can mean using the WinInet/URLMON APIs.  As such, one would expect (based on Robert's blog posts) to see some indication of this activity in the browser cache/index.dat; if you don't, then there may be another issue at hand: the "no-cache" tag in the HTML header.  In that case, consider checking either network data or the page file/unallocated space from the image:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
http://msdn.microsoft.com/en-us/library/ms524721%28VS.90%29.aspx
http://support.microsoft.com/kb/234067 ("pragma: no-cache")

Also, Nick's post on off-system comms:
http://blog.mandiant.com/archives/1396
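The two notes above (browsing history under a service-account profile, and WinInet/URLMON activity leaving index.dat records) both come down to reading index.dat files recovered from profiles that should not have any. The following is an added example, not code from the original page: it scans an index.dat for "URL " records using the IE5-9 "Client UrlCache MMF Ver 5.2" record layout (last-modified and last-accessed FILETIMEs at 0x08 and 0x10, URL string offset at 0x34, filename offset at 0x3C), flags files that came from LocalService/NetworkService/Default User/systemprofile paths (including renamed variants such as LocalService.NT AUTHORITY), and picks out entries that reference an ADMIN$ share. The sample file and the NetBIOS_name host are constructed.

```python
import struct
from datetime import datetime, timedelta

BLOCK = 128                       # index.dat records are allocated in 128-byte blocks
EPOCH = datetime(1601, 1, 1)      # FILETIME epoch
# Profile folders that should not normally accumulate browsing history
SERVICE_PROFILES = ('localservice', 'networkservice', 'default user', 'systemprofile')


def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    d = dt - EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def _cstring(rec, off):
    """NUL-terminated string at off within the record, '' if off is unset/out of range."""
    if not 0 < off < len(rec):
        return ''
    end = rec.find(b'\x00', off)
    return rec[off:end if end != -1 else len(rec)].decode('latin-1')


def parse_url_records(data):
    """Scan every 128-byte block for a 'URL ' record and decode it using the
    IE5-9 'Client UrlCache MMF Ver 5.2' layout. Scanning blocks rather than
    following the hash table also surfaces records that are no longer indexed."""
    records = []
    for off in range(0, len(data) - BLOCK + 1, BLOCK):
        if data[off:off + 4] != b'URL ':
            continue
        nblocks = struct.unpack_from('<I', data, off + 4)[0]
        if nblocks == 0 or off + nblocks * BLOCK > len(data):
            continue                     # truncated or bogus length; skip the block
        rec = data[off:off + nblocks * BLOCK]
        records.append({
            'offset': off,
            'modified': filetime_to_dt(struct.unpack_from('<Q', rec, 0x08)[0]),
            'accessed': filetime_to_dt(struct.unpack_from('<Q', rec, 0x10)[0]),
            'url': _cstring(rec, struct.unpack_from('<I', rec, 0x34)[0]),
            'filename': _cstring(rec, struct.unpack_from('<I', rec, 0x3C)[0]),
        })
    return records


def triage(profile_path, data):
    """Return (is_service_profile, records, admin_share_hits) for one index.dat.
    profile_path is the path the file was recovered from; the service-account
    check also matches renamed variants such as 'LocalService.NT AUTHORITY'."""
    parts = profile_path.replace('/', '\\').lower().split('\\')
    is_service = any(p.split('.')[0] in SERVICE_PROFILES for p in parts)
    records = parse_url_records(data)
    hits = [r for r in records if 'admin$' in r['url'].lower()]
    return is_service, records, hits


def build_record(url, modified, accessed, filename=''):
    """Constructed URL record in the same layout parse_url_records expects."""
    url_b = url.encode('latin-1') + b'\x00'
    fn_b = filename.encode('latin-1') + b'\x00'
    url_off = 0x68
    fn_off = url_off + len(url_b)
    nblocks = (fn_off + len(fn_b) + BLOCK - 1) // BLOCK
    rec = bytearray(nblocks * BLOCK)
    rec[0:4] = b'URL '
    struct.pack_into('<I', rec, 0x04, nblocks)
    struct.pack_into('<Q', rec, 0x08, dt_to_filetime(modified))
    struct.pack_into('<Q', rec, 0x10, dt_to_filetime(accessed))
    struct.pack_into('<I', rec, 0x34, url_off)
    struct.pack_into('<I', rec, 0x3C, fn_off if filename else 0)
    rec[url_off:url_off + len(url_b)] = url_b
    rec[fn_off:fn_off + len(fn_b)] = fn_b
    return bytes(rec)


# Constructed sample file: a header block followed by two records. NetBIOS_name
# is the placeholder used in the note above, not a real host.
SAMPLE_INDEX = (
    b'Client UrlCache MMF Ver 5.2\x00'.ljust(2 * BLOCK, b'\x00')
    + build_record(r'Visited: LocalService@file://\\NetBIOS_name\ADMIN$\PSEXESVC.EXE',
                   datetime(2009, 6, 12, 3, 14, 7), datetime(2009, 6, 12, 3, 14, 7))
    + build_record('Visited: LocalService@http://www.example.com/',
                   datetime(2009, 6, 12, 3, 15, 30), datetime(2009, 6, 12, 3, 15, 31)))
SAMPLE_PATH = r'C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat'

if __name__ == '__main__':
    is_service, recs, hits = triage(SAMPLE_PATH, SAMPLE_INDEX)
    print('service-account profile:', is_service, '| records:', len(recs), '| ADMIN$ hits:', len(hits))
    for r in recs:
        print(r['accessed'], r['url'])
```

On a real image, feed triage() each index.dat found under the profile roots (History.IE5, Temporary Internet Files\Content.IE5, Cookies) together with the path it was recovered from; any hit under a service-account profile is worth putting on the timeline, ADMIN$ references most of all.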

Event ID 552
While analyzing a Windows 2003 system, I found that Security events with ID 552 (TechNet resource) indicated the bad guy reaching out to other systems; parsing the events into a micro-timeline (generated from *just* the 552 events in the SecEvent.evt file) allowed us to compile a list of the systems reached and the accounts used.  Depending on the architecture and setup, this may also work well for investigations involving a malicious insider, lateral movement, etc.
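An added example of building that micro-timeline from 552 events (not code from the original page): each event description is parsed into its fields using the "Logon attempt using explicit credentials" layout Windows 2003 writes to the Security log, the events are sorted into a timeline, and the timeline is pivoted into a per-target-server list of the accounts used. The sample events are constructed from a template; hosts, accounts and process IDs are placeholders.

```python
import re
from collections import defaultdict

# Layout of the event 552 description as written to a Windows 2003 Security log
# (indentation collapsed). Used only to construct the sample events below.
TEMPLATE = '''Logon attempt using explicit credentials:
 Logged on user:
  User Name: {user}
  Domain: {domain}
  Logon ID: {logon_id}
  Logon GUID: -
 User whose credentials were used:
  Target User Name: {tuser}
  Target Domain: {tdomain}
  Target Logon GUID: -
 Target Server Name: {server}
 Target Server Info: {server}
 Caller Process ID: {pid}
 Source Network Address: -
 Source Port: -'''

# Constructed sample: (timestamp, description) pairs as exported from the log.
SAMPLE_EVENTS = [
    ('2009-03-02 14:05:11', TEMPLATE.format(user='SYSTEM', domain='NT AUTHORITY',
        logon_id='(0x0,0x3E7)', tuser='svc_backup', tdomain='CORP', server='FILESRV01', pid=1840)),
    ('2009-03-02 14:07:02', TEMPLATE.format(user='jdoe', domain='CORP',
        logon_id='(0x0,0x2A4C1)', tuser='helpdesk', tdomain='CORP', server='localhost', pid=2212)),
    ('2009-03-02 14:05:40', TEMPLATE.format(user='SYSTEM', domain='NT AUTHORITY',
        logon_id='(0x0,0x3E7)', tuser='svc_backup', tdomain='CORP', server='DC01', pid=1840)),
]

FIELD_RE = re.compile(r'^\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.*?)\s*$')


def parse_552(description):
    """Pull the fields an analyst pivots on out of one event description."""
    fields = {m.group('key'): m.group('val')
              for m in map(FIELD_RE.match, description.splitlines()) if m}
    return {'logged_on': '%s\\%s' % (fields.get('Domain', ''), fields.get('User Name', '')),
            'account': '%s\\%s' % (fields.get('Target Domain', ''), fields.get('Target User Name', '')),
            'server': fields.get('Target Server Name', ''),
            'pid': fields.get('Caller Process ID', ''),
            'source': fields.get('Source Network Address', '')}


def micro_timeline(events):
    """Sort (timestamp, description) pairs and return timeline rows of
    (timestamp, target server, account used, logged-on user, caller PID)."""
    rows = []
    for ts, desc in sorted(events):
        f = parse_552(desc)
        rows.append((ts, f['server'], f['account'], f['logged_on'], f['pid']))
    return rows


def pivot_summary(rows, ignore=('localhost', '')):
    """Map each remote target server to the sorted accounts used against it.
    'localhost' entries reflect credential use on the machine itself (e.g. RunAs)
    rather than a connection to another system, so they are left out by default."""
    by_server = defaultdict(set)
    for _, server, account, _, _ in rows:
        if server.lower() not in ignore:
            by_server[server].add(account)
    return {s: sorted(a) for s, a in sorted(by_server.items())}


if __name__ == '__main__':
    rows = micro_timeline(SAMPLE_EVENTS)
    for row in rows:
        print(' | '.join(str(c) for c in row))
    print(pivot_summary(rows))
```

The caller PID column is what ties the two remote entries together here: the same SYSTEM-owned process reached FILESRV01 and then DC01 with the same account thirty seconds apart, which is the pattern the note above describes.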

Event ID 20000
Testing on a Windows 7 system indicates that when the DateTime Control Panel applet is used to modify the system time, an event with ID 20000 is written to the Microsoft-Windows-DateTimeControlPanel/Operational Event Log, recording the date and time the system was changed to, and which user made the change.

Event ID 4001
Windows 7, Microsoft-Windows-GroupPolicy/Operational Event Log: look for event ID 4001 as an indication of a user logging in (initial testing, via the console).

IIV (Initial Infection Vector) Determination
JS - http://www.cs.ucsb.edu/~chris/research/doc/www10_jsand.pdf
CaffeineMonkey - http://www.secureworks.com/research/tools/caffeinemonkey.html
ExtractScript - http://blog.didierstevens.com/programs/extractscripts/

External IP Addresses
If a user is behind a router or proxy, you may be able to get the externally-facing IP address by searching the source of the user's Yahoo or GMail pages in the web browser cache.
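An added example of that search (not code from the original page): candidate IPv4 strings are pulled out of cached page text, anything that is not a valid address (version strings, octets over 255) is dropped, and the ranges that cannot be a public-facing address are filtered out so that what remains is a ranked list of candidates. The cached-page fragment is constructed and uses the RFC 5737 documentation range, which is deliberately not in the filter list so the sample does not point at a real host.

```python
import ipaddress
import os
import re
from collections import Counter

IPV4_RE = re.compile(r'(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])')

# Ranges that cannot be a user's public-facing address. The RFC 5737
# documentation ranges are deliberately not listed so the constructed sample
# below can use one without pointing at a real host.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8', '169.254.0.0/16',
    '172.16.0.0/12', '192.168.0.0/16', '224.0.0.0/4', '240.0.0.0/4')]


def public_ipv4_candidates(text):
    """Return a Counter of routable IPv4 strings found in text, skipping
    malformed octets and the non-public ranges above."""
    hits = Counter()
    for m in IPV4_RE.finditer(text):
        try:
            addr = ipaddress.ip_address(m.group(0))
        except ValueError:
            continue          # e.g. 256.1.1.1 or a dotted version string
        if any(addr in net for net in NON_PUBLIC):
            continue
        hits[str(addr)] += 1
    return hits


def scan_cache_dir(root):
    """Aggregate candidates over every file below root, reading leniently
    since cached pages may be in any encoding."""
    total = Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            with open(os.path.join(dirpath, name), 'r', encoding='utf-8', errors='ignore') as fh:
                total.update(public_ipv4_candidates(fh.read()))
    return total


# Constructed fragment in the spirit of a cached webmail page that reports the
# session's source address, plus noise that the filter should ignore.
SAMPLE_CACHED_PAGE = '''
<div class="activity">Last account activity: 2 hours ago from 203.0.113.45</div>
<span>Current session (203.0.113.45)</span>
<!-- internal proxy 192.168.1.10, build 4.12.0.388, bogus 256.1.1.1 -->
'''

if __name__ == '__main__':
    for addr, count in public_ipv4_candidates(SAMPLE_CACHED_PAGE).most_common():
        print(addr, count)
```

Run scan_cache_dir() against the Temporary Internet Files folder of the profile in question; the address that recurs across the webmail pages is the one to correlate with firewall or proxy logs, and the ranking matters because cached pages also carry ad-network and CDN addresses.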

Perfect Keylogger
http://vil.nai.com/vil/content/v_100257.htm
Some Registry artifacts for this: http://www.av-expert.in/wordpress/?p=104

EliteKeylogger
Symantec refers to it as spyware (see item #3); ThreatExpert has correlating info here and here.

Persistence and AutoStart Locations
Greg Hoglund posted about persistence in the cloud, and to be honest, the mechanisms listed could be used in any infrastructure with two or more systems on the network; they aren't unique to "the cloud".  However, he does make an excellent point: there are more ways to remain persistent on a system than are dreamt of in your philosophy.  Besides Registry locations, there are a number of mechanisms that do not rely on the Registry but can use the DLL Search Order Vulnerability, Scheduled Tasks, commonly-used files (DLLs, login scripts, spreadsheets or other infected file formats), etc.

iPhone Backup Files
Processing iPhone Backup Files - AppleExaminer; includes iTouch backups, as well.

Malware Research Resources
Lenny's page...