Sunday, July 23, 2023

The Next Step

A lot of times, we'll run across something or read something really very profound and valuable, something that opens our eyes and makes us go, "oh, wow", and impacts us enough that it changes the way we do things. I can say that of a number of blogs posts and articles, by various authors, going back quite a few years. And then later, being able to add additional information to the original findings, information that may not have been recognized or available at the time, can really aid in our investigations.

A while back, Krz shared this blog post, detailing how default settings for Scheduled Tasks include the "stop if the computer switches to battery power" setting by default, and the impact that setting can have on a forensic investigation. For example, PCI forensic investigations require the analyst to specifically address the "window of compromise", and malware that persists via a Scheduled Task will be impacted by whether or not the system in question was running on battery power or not. Krz's previous blog post addressed using the SRUM database to determine the battery charge level, and in that post, Krz linked to a tool he'd written to extract and display that data.

I ran across something recently that I wanted to use to build on Krz's excellent work; from the Microsoft-Windows-UniversalTelemetryClient%4Operational.evtx Event Log, we see a UniversalTelemetryClient/60 event record that lets us know if the system was on battery power or not, as illustrated in figure 1:

Fig 1: UniversalTelemetryClient/60 event, on batter power 

In this particular case, I took my laptop from my office to another room, so I could attach it to the TV via an HDMI cable and watch our church service remotely. When service was complete, and I reconnected the laptop to the power cord in my office, I saw the UniversalTelemetryClient/60 record illustrated in figure 2.

Fig. 2: UniversalTelemetryClient/60 event, off batter power

From the same Windows Event Log file, UniversalTelemetryClient/55 records will let us know if the system had access to the Internet or not, further aiding us in our investigation. This information (system is on or off battery, on or off the Internet) can be extremely valuable during an investigation, particularly when incorporated into a timeline. If a system has malware that persists via a Scheduled Task using default settings, and the system if on battery power when the task was scheduled to run, then it will not run. It may also be helpful to understand when the system did and did not have an Internet connection.

No comments: