I decided to put this post together because some things just need to persist beyond the typical Twitter life cycle. The focus here is free and open source tools that can be used on Windows to investigate/parse/enable analysis of Windows artifacts. It's not my intention to take anything away from current repositories of such tools, such as the DFIRTraining site, but rather to bring these tools to the forefront again.
Random
Windows 10 Oct 2018 update includes clipboard history and cloud sync
Ryan Kovar shared this resource regarding detailed properties in O365 audit logs
Registry
Maxim tweeted (on 4 Sept, I just saw it today) that yarp-carver had been run against the image from the LoneWolf scenario and recovered a good deal of Registry data.
Here's a great explanation of ShimCache data from the folks at Mandiant.
yarp tools - be sure to follow Maxim on Twitter (ex: tweet regarding yarp-carver)
Windows 10 Timeline
Matthew Seyer wrote up a nice article over on Medium regarding a tool that he wrote to parse the Windows 10 Timeline database (SQLite format). In that article, he also referred to Eric Zimmerman's WxTCmd tool, which can be found here.
Anytime you're working with an SQLite database, be sure to incorporate Mari's SQLite deleted data parser (blog, Github)
Paper: A Forensic Exploration of the Microsoft Windows 10 Timeline
Windows 10 Notification Database
Yogesh's post - 2016
David Cowen's post - 2018
Malware Maloney's post on parsing the .wal file - 2018
Windows Event Logs
Tools for parsing Windows Event Log (*.evtx) files:
LogParser - MS's tool
parse_evtx.exe - KasperskyLab ForensicTools (x64)
Evtx2json - includes experimental support for EVTXtract output
EVTXtract - Willi Ballenthin's Python code (presentation)
EvtxParser - Andreas Schuster's Perl code (here's some more info on getting it installed)
EventCleaner - reportedly will allow you to remove EVTX records
VSCs
I blogged about accessing VSCs recently (actually, I blogged about it twice...), and I wanted to include the information in this post.
Something to be clear about...the version of Arsenal's Image Mounter tool is the one from GitHub, NOT the one discussed here. Yes, one of the issues I ran into when seeking assistance in this endeavor was that there is more than one tool with same name, and that presented some challenges in communication.
My hope is that the version found on Github is updated to include the ability to mount raw/dd-style images via "Write-Temporary".
Here's a tweet about a presentation regarding recovering deleted VSCs using vss-carver.
DFIRTraining list of tools -
Parsing RDP Cache Files
remotecache.py -
bmc-tools.py -
Link to tools at DFIRTraining site
I'm more than happy to add to this list as new things come in.
2 comments:
Post a Comment