Wednesday, May 22, 2019

Windows 10 - May 2019 Update (version 1903)

Just downloaded the May 2019 Update (version 1903).

First off, I noticed that the following inbox apps:
  • 3D Viewer.
  • Calculator.
  • Calendar.
  • Groove Music.
  • Mail and Calendar.
  • Movies & TV.
  • Paint 3D.
  • Snip & Sketch.
  • Sticky Notes.
  • Voice Recorder.
  • Microsoft Solitaire Collection.
  • My Office.
  • OneNote.
  • Print 3D.
  • Skype.
  • Tips.
  • Weather.
can all now be uninstalled.

Goodbye Groove Music

Also, a newer feature that I am only now seeing in this build (it was introduced in an earlier one):

Windows Sandbox

Touted as using virtualization for kernel isolation, memory management and a virtual GPU, it is a lightweight Windows 10 VM: a stripped-down version of Windows that runs inside the host OS.

Windows Sandbox screenshot - open

Optional Windows Features dialog, where Windows Sandbox is turned on

The application executable is located at
"%windir%\system32\WindowsSandbox.exe"

I am going to try to see whether any artifacts are left behind, although I think it may be tricky because it is described as working like a kernel-based hypervisor and being isolated.

Also, this window pops up when closing. Is the content "permanently" lost?

I am curious to see whether there are remnants of the sandbox in memory, and may test that in a future blog post.

--Bryan

To download the 1903 build:
https://www.microsoft.com/en-us/software-download/windows10?ranMID=24542&ranEAID=TnL5HPStwNw&ranSiteID=TnL5HPStwNw-f4J_SoxhLxJJuz99FPlAlw&epi=TnL5HPStwNw-f4J_SoxhLxJJuz99FPlAlw&irgwc=1&OCID=AID681541_aff_7593_1243925&tduid=(ir__ke2ohvb99gkfritzkk0sohzn0m2xmeafzvvoul9e00)(7593)(1243925)(TnL5HPStwNw-f4J_SoxhLxJJuz99FPlAlw)()&irclickid=_ke2ohvb99gkfritzkk0sohzn0m2xmeafzvvoul9e00

Reference for Windows Sandbox:
https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849/page/2

Sunday, May 19, 2019

NIST data sets on Magnet AXIOM - Examine

Continued from the Magnet AXIOM Process post:
https://www.datadigitally.com/2019/05/processing-image.html

This post looks at the processed image from the NIST Computer Forensics Reference Data Sets (CFReDS) project's data leakage case, found at:
https://www.cfreds.nist.gov/data_leakage_case/data-leakage-case.html


Opening Magnet AXIOM Examine and selecting the recently processed case

Magnet Axiom Examine - Home page

Drop down for different tabs in the home menu

Artifacts tab, tree pane view, within Axiom Examine

File system tree pane view: 2 partitions, System Reserved and C

Questions
  • What are the hash values (MD5 & SHA-1) of all images?

Hash values (SHA-1) for each image segment:
cfreds_2015_data_leakage_pc.E01  72432916933F5A309A8C456B40C9601D1F8D2A4F
cfreds_2015_data_leakage_pc.E02  0CAF4261ED8432A8B3BAA019B1B28FDF96F79130
cfreds_2015_data_leakage_pc.E03  BE836C891736C4C0C2253C6803399BF0F2A599BA
cfreds_2015_data_leakage_pc.E04  9159BFFD56097495F73FBBF967B75EB288B1E3DE

  • Identify the partition information of the PC image?

  • Explain installed OS information in detail (OS name, install date, registered owner…)?

In the Artifacts tab, drilling down to Operating System Information

OS information (Windows 7 Ultimate, install date 3/22/2015, registered owner "informant")

  • What is the timezone setting?

Eastern Standard Time, gathered from the registry

  • Who was the last person to log on to the PC?
Because this is Windows 7, it is recorded in the registry at:
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\ (value: LastLoggedOnUser)

Registry key for the last logged-on user

  • What application was last installed?
Eraser has the most recent created date in Installed Programs.

  • Identify web-related history

Web-related items include artifacts from the Chrome History file and the Edge/IE WebCache file

Google search terms, web-related item

  • When was the last recorded shutdown date/time?

HKLM\SYSTEM\ControlSet###\Control\Windows (value: ShutdownTime)

Navigating to the registry key value and highlighting the hex

Decode pane showing the decoded time
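To read a ShutdownTime value without the Decode pane, here is an added Python example (not part of the original post and not AXIOM code): it converts the raw 8 bytes of the REG_BINARY FILETIME to UTC and then applies a TimeZoneInformation ActiveTimeBias. The sample bytes and the EST bias of 300 minutes are constructed for illustration, not taken from the NIST image.

```python
import struct
from datetime import datetime, timedelta, timezone

# A Windows FILETIME is an unsigned 64-bit count of 100-nanosecond intervals
# since 1601-01-01 00:00:00 UTC, stored little-endian in REG_BINARY values
# such as HKLM\SYSTEM\ControlSet###\Control\Windows\ShutdownTime.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode the 8 raw value bytes (as shown in the hex pane) to a UTC datetime."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME is 8 bytes, got {len(raw)}")
    (ticks,) = struct.unpack("<Q", raw)
    # Python datetimes carry microseconds, so the sub-microsecond digit is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> bytes:
    """Inverse: encode a datetime as the 8 little-endian bytes (for cross-checks)."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    ticks = (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def to_local(when_utc: datetime, active_time_bias_minutes: int) -> datetime:
    """Apply ActiveTimeBias (minutes, UTC = local + bias) from
    HKLM\\SYSTEM\\ControlSet###\\Control\\TimeZoneInformation; 300 = EST."""
    tz = timezone(timedelta(minutes=-active_time_bias_minutes))
    return when_utc.astimezone(tz)


# Constructed sample (not from the NIST image): hex as it would appear in the
# value's hex view, decoding to 2015-03-25 12:00:00 UTC.
SAMPLE_HEX = "00 A0 37 38 F3 66 D0 01"


def decode_sample() -> datetime:
    return filetime_to_datetime(bytes.fromhex(SAMPLE_HEX))


if __name__ == "__main__":
    utc = decode_sample()
    print("ShutdownTime (UTC):", utc.isoformat())
    print("ShutdownTime (EST, bias 300):", to_local(utc, 300).isoformat())
```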

  • What are some artifacts of recent execution?

Jump Lists sorted by most recent Last Access time

Link files showing activity on a D: drive, a share drive, and cloud drive services

In NTUSER.DAT at "Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder"

Decoded to Unicode
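As an added example (not from the original post and not AXIOM code), the following Python reproduces what the Decoded-to-Unicode view shows for the RecentDocs\Folder key: each numbered value starts with the UTF-16LE folder name ending in a double NUL, and MRUListEx gives the most-recent-first order. The three entries are constructed sample data, not values from the NIST image.

```python
import struct


def decode_recentdocs_name(raw: bytes) -> str:
    """Return the leading UTF-16LE, NUL-terminated name stored in a numbered
    RecentDocs value; the bytes after it describe the matching .lnk shortcut."""
    end = 0
    # Walk two bytes at a time until the first UTF-16 NUL code unit.
    while end + 1 < len(raw) and raw[end:end + 2] != b"\x00\x00":
        end += 2
    return raw[:end].decode("utf-16-le")


def decode_mrulistex(raw: bytes) -> list[int]:
    """MRUListEx is an array of little-endian DWORD value indices, most recently
    used first, terminated by 0xFFFFFFFF (an empty or truncated array yields [])."""
    order = []
    usable = len(raw) - len(raw) % 4  # ignore a trailing partial DWORD
    for (idx,) in struct.iter_unpack("<I", raw[:usable]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def recent_docs_in_order(values: dict[str, bytes]) -> list[str]:
    """Given a RecentDocs subkey's values ("MRUListEx", "0", "1", ...) as raw
    bytes, return the decoded names from most to least recently used."""
    order = decode_mrulistex(values["MRUListEx"])
    return [decode_recentdocs_name(values[str(i)]) for i in order if str(i) in values]


def _entry(name: str) -> bytes:
    # Constructed value layout: UTF-16LE name, double NUL, then a stand-in for
    # the shortcut-name block that follows the name in real entries.
    return name.encode("utf-16-le") + b"\x00\x00" + (name + ".lnk").encode("ascii") + b"\x00"


# Constructed sample for ...\Explorer\RecentDocs\Folder (not data from the image):
# MRUListEx says value 2 was used most recently, then 0, then 1.
SAMPLE_FOLDER_KEY = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    "0": _entry("Documents"),
    "1": _entry("New folder"),
    "2": _entry("Backup"),
}

if __name__ == "__main__":
    for rank, name in enumerate(recent_docs_in_order(SAMPLE_FOLDER_KEY), 1):
        print(rank, name)
```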

Shellbags indicating access to C:, D:, and a share drive

  • What was written on the recent sticky note?
In Windows 7 it is located here:
"\Users\informant\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt"
Tomorrow ... Everything will be OK

NIST has kindly posted the solutions for the case, which can be found at
https://www.cfreds.nist.gov/data_leakage_case/leakage-answers.pdf

It covers in more detail the data leakage involving the USB images, which I did not include, as well as email artifacts and a burnt CD.

I commend and thank NIST for making this available, and found it to be a fun resource.

--Bryan

Windows 10 Specific Registry Keys

The registry is a fascinating place. It has been described as the heart of the OS, where configurations are stored.

For reasons such as new features, user experience, and updates, Windows 10 has changed and added to the locations of some of its registry keys.

Referencing a wonderful source of registry information, the DFIR Training site's "WINDOWS FORENSICS REGISTRY LIST":
https://www.dfir.training/resources/downloads/windows-registry

A list of Windows 10-specific registry keys follows:

App Information
UsrClass.dat\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.Microsoftedge\Microsoft.MicrosoftEdge_20.10240.16384.0_neutral__8wekyb3d8bbwe\MicrosoftEdge\Capabilities\FileAssociations

App Install Date/Time
UsrClass.dat\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Families\Microsoft.Microsoftedge_8wekyb3d8bbwe\Microsoft.MicrosoftEdge_20.10240.16384.0_neutral__8wekyb3d8bbwe / InstallTime

Camera App
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg&ls=0&b=0

Common Dialog
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\.vhd

Cortana Search
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com/search?q=

Cortana Search
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.&input=2&FORM=WNSBOX&cc=US&setlang=en-US&sbts= / 0

Disk Class Filter Driver stdcfltn
SYSTEM\ControlSet001\services\stdcfltn

Edge Browser Favorites, Edge Favorites
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\ / Order

Edge History Days to Keep
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetSettings\Url History / DaysToKeep

Edge Typed URLs
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs

Edge Typed URLs Time
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsTime

Edge Typed URLs Visit Count
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsVisitCount

EFS Attribute in File Explorer Green Color
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Favorites
UsrClass.dat\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\

File Access Windows Apps
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\\PersistedStorageItemTable\ManagedByApp

History - Days to Keep
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Url History /DaysToKeep

History days to keep
UsrClass.dat\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetSettings\Url History /DaysToKeep

Identity
settings.dat\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\

Identity Live Account
NTUSER\SOFTWARE\Microsoft\15.0\Common\Identity\Identities\

IE/Edge Auto Passwd
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

If hidden from timeline view, key is present
HKCU\Software\Microsoft\Windows\CurrentVersion\ActivityDataModel\ActivityAccountFilter\

Links a ConnectedDevicePlatform PlatformDeviceId to the name, type, etc of the device
HKCU\Software\Microsoft\Windows\CurrentVersion\TaskFlow\DeviceCache

Live Account ID
NTUSER.DAT\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Identities\_LiveId

Live Account ID
NTUSER.DAT\SOFTWARE\Microsoft\IdentityCRL\UserExtendedProperties\ / cid

Live Account ID
NTUSER.DAT\SOFTWARE\Microsoft\AuthCookies\Live\Default\CAW / Id

Office Word OneDrive Synch Roaming Identities
NTUSER.DAT\Software\Microsoft\Office\\Common\Roaming\Identities\Settings\1133\\ListItems\\

OneDrive App Info
NTUSER.DAT\SOFTWARE\Microsoft\OneDrive

OneDrive User ID and Login URL
NTUSER.DAT\SOFTWARE\Microsoft\AuthCookies\Live\Default\CAW

OneDrive User ID Associated with User
NTUSER.DAT\SOFTWARE\Microsoft\IdentityCRL\UserExtendedProperties\ / cid

OneDrive User ID, Live ID
NTUSER.DAT\SOFTWARE\Microsoft\Office\\Common\Identity\Identities\_LiveId

OneNote User Information
Settings.dat\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\_LiveId

Password Face Enabled
SOFTWARE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\FaceLogon\

Photos App Associated User
Settings.dat\LocalState\OD\

Place MRU
NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\User MRU\LiveId#>\Place MRU

Reading Locations
NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\Reading Locations

Recent Docs
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.&input=

RecentApps
NTUSER.DAT\Software\Microsoft\Windows\Current Version\Search\RecentApps

RecentDocs
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

RecentDocs
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.iso

RecentDocs
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.vhd

RecentDocs for .jpg
NTUSER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg

RecentDocs for .jpg
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg&ls=0&b=0

Recycle Bin Info
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\

Regedit Last Key Saved
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

Register.com search
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts / .com

Roaming Identities (1125 PowerPoint, 1133 Word, 1141 Excel)
NTUSER.DAT\SOFTWARE\Microsoft\Office\15.0\Common\Roaming\Identities\\

Run subkey - Active
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run / OneDrive

Shared data to: e-mail
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharingMFU

Shared Photos
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharingMFU

Shared photos
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharingMFU

Sharing MFU
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\SharingMFU

Shell Bags
NTUSER.DAT\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop

Skype App Install
HKEY_CLASSES_ROOT\ActivatableClasses\Package\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c

Skype Assoc. Files 1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-skype

Skype Assoc. Files 2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.skype

Skype Assoc. Files 3
HKEY_CURRENT_USER\SOFTWARE\Classes\.skype

Skype Assoc. Files 4
HKEY_CLASSES_ROOT\.skype

Skype Install Path
HKEY_CURRENT_USER\SOFTWARE\Skype\Phone

Skype Installation
HKEY_CLASSES_ROOT\AppX(RandomValue)

Skype Language
HKEY_CURRENT_USER\SOFTWARE\Skype\Phone\UI\General

Skype Process Name
HKEY_LOCAL_MACHINE\SOFTWARE\IM Providers\Skype

Skype Update App ID
HKEY_CLASSES_ROOT\AppID\{27E6D007-EE3B-4FF7-8AE8-28EF0739124C}

Skype User List
HKEY_CURRENT_USER\SOFTWARE\Skype\Phone\Users\

Skype Version 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\(UID)\(UID)

Skype Version 2
HKEY_CLASSES_ROOT\Installer\Products\74A569CF9384AC046B81814F680F246C

TaskBar Application List
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband / FavoritesResolve

Trusted Documents
NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\Security\Trusted Documents\TrustRecords

Trusted Locations
NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\Security\Trusted Locations

TypedURLs
UsrClass.dat\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs

TypedURLs
NTUSER.DAT\SOFTWARE\Microsoft\Internet Explorer\TypedURLs

TypedURLs Hyperlink
NTUSER.DAT\SOFTWARE\Microsoft\Internet Explorer\TypedURLs

TypedURLsTime
UsrClass.dat\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs

TypedURLsTime
NTUSER.DAT\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime

TypedURLsVisitCount
UsrClass.dat\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsVisitCount


References:
Shavers, B. (2019, February 12). Windows Registry. Retrieved from https://www.dfir.training/resources/downloads/windows-registry

Registry Hives - Windows applications. Retrieved from https://docs.microsoft.com/en-us/windows/desktop/SysInfo/registry-hives

Sunday, May 12, 2019

Processing an Image with Axiom Process

Create a new case

Going to use images from NIST's Computer Forensics Reference Data Sets site:

Personal Computer (PC) – 'EnCase' Image

Download links: pc.E01, pc.E02, pc.E03, pc.E04 (total 7.28 GB compressed by EnCase)
Imaging S/W: EnCase Imager 7.10.00.103
Image format: E01 (Expert Witness Compression Format) converted from VMDK
Hash (SHA-1) per segment:
cfreds_2015_data_leakage_pc.E01  72432916933F5A309A8C456B40C9601D1F8D2A4F
cfreds_2015_data_leakage_pc.E02  0CAF4261ED8432A8B3BAA019B1B28FDF96F79130
cfreds_2015_data_leakage_pc.E03  BE836C891736C4C0C2253C6803399BF0F2A599BA
cfreds_2015_data_leakage_pc.E04  9159BFFD56097495F73FBBF967B75EB288B1E3DE

Using PowerShell to retrieve the image files from the site to the desktop. The download has to be repeated for each segment, E01 through E04, so the second command is run in a loop over the four names (the original one-off command was missing the opening quote on the destination path):
  $client = New-Object System.Net.WebClient
  foreach ($n in 1..4) {
      $client.DownloadFile("https://www.cfreds.nist.gov/data_leakage_case/images/pc/cfreds_2015_data_leakage_pc.E0$n", "C:\Users\bryan\Desktop\Data_Leakage_pc.E0$n")
  }

Open Magnet's AXIOM Process

Filling in case details

Selecting the evidence source. In this case it is a Windows computer image

Load the evidence image file

Select the image option

Evidence sources added: the sources on the disk image from which artifacts are processed.

Options for further processing. You can choose to search for keywords by artifact type.

Select Analyze. Magnet Examine will open, and a percentage circle with a time-elapsed bar will count the processing time

Processing progress percentage shown

The next post will show the examination of this evidence image, once processing is done.

Reference:
NIST. (2019). Data Leakage Case. Retrieved from https://www.cfreds.nist.gov/data_leakage_case/data-leakage-case.html