Capturing and Retrieving a Memory Image Remotely

In some instances, particularly intrusions cases or with enterprise security, it may be necessary to acquire memory from a remote system for DFIR analysis.

Many cases there are solutions for that purpose with forensics or endpoint security tools that have agents installed that allow for this.

However, came across an excellent Incident Response tricks and tools cheatsheet resource from:
"JPMinty" @ https://jpminty.github.io

Specifically at "https://jpminty.github.io/cheatsheet/DFIR/#belkasoft-live-ram-capturer"

JPMinty mentions using psexec for a live ram capture on a remote windows pc.

The command is as follows:

psexec \\remotepcname -c RamCapture64.exe "output.mem"

So I set up two Windows 10 VMs with VMWare Workstation. And wanted to simulate a remote memory capture.  
* Note this is not necessarily a forensically sound method for imaging.  Because changes will be written to the remote machine.  However if a forensic/endpoint tool fail this may be a potential backup method.  

The machine on the left is the remote PC. And the right is the forensics host to launch psexec from.

TEST 1

Launching a cmd prompt with admin privileges.  

And run the following command : 

* PsExec64.exe <RemotePC> -u for username and -p for password -c <The Memory Capture tool> <output memory dump file>

Download of psexec can be found at: 

https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

Running the PsExec with the RamCapture64.exe directly, returned an ERROR

GOT an ERROR



TEST 2

The RamCapture64.exe download unzips with some dlls and a sys file in a folder called x64.


Will use the xcopy command.
To copy the x64 folder with the RamCapture64.exe in it to the target.




But FIRST...
With the following command had to mount a share to the target drive with the following command:

The net use command with mount a share and authenticating

SECOND is using the XCOPY command to copy the memory dump tool to the target's C$ drive.

The RamCapture tool has been copied to the target.  

NEXT to initiate a remote cmd session with PsExec on the target and run the tool

Now in a remote cmd prompt

*NOTE, can skip the remote command prompt method and use psexec to just run the ".\RamCapture64.exe"

READY to run RamCapture64.exe

Memory dump completed and is located on the C:\ root of the target

While we are here let's hash the memdump.mem file.  We can use the certutil command

MD5 for memory file = b8eafad7bf112f2d565093b611a8b52b

Can exit the remote cmd session

LASTLY we can use xcopy again to bring the memdump.mem back to the Forensic host

xcopy <DESTINATION\memdump.mem> <FORENSIC HOST>

The memdump.mem file copied

The Memory Capture "memdump.mem" is now on the Forensics Host with the same MD5 hash.

This method of using xcopy and psexec is kind of the long way around.  But is not too many steps to run.

----NEXT POST----

I will be attempting to extract a pcap from the same memory dump using the bulk extractor tool.

Happy forensicating

--Bryan

Windows PowerShell Transcription Logs

How to turn on PowerShell Transcription Logging:


From the Windows Local Group Policy Editor, details of policy:
At least Microsoft Windows 7 or Windows Server 2008 family.
"This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts.
If you enable this policy setting, Windows PowerShell will enable transcripting for Windows PowerShell, the Windows PowerShell ISE, and any other applications that leverage the Windows PowerShell engine. 

By default, Windows PowerShell will record transcript output to each users' My Documents directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time started. 

Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each Windows PowerShell session.

If you disable this policy setting, transcripting of PowerShell-based applications is disabled by default, although transcripting can still be enabled through the Start-Transcript cmdlet.
        
If you use the OutputDirectory setting to enable transcript logging to a shared location, be sure to limit access to that directory to prevent users  from viewing the transcripts of other users or computers.

Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting."



1.  Windows key run --> gpedit.msc

     

2.   Navigate to: 

Computer Configuration – Administrative Templates – Windows Components –     Windows PowerShell and double-klick “Turn on PowerShell Transcription”.

Click on Enable and enter your preferred Output Directory. (include invocation headers will log the PS command start time)  

The transcript was manually picked to be at C:\PS_Transcripts.  Can output to anywhere, for instance a share server or log server.

3.  The transcript file will now be created in the selected output directory

Above is the PS transcript with the starttime, username, host, and scripts that was ran, with output

--Bryan

DFIR GEAR: Forensicate in Style

https://dfir.com/

Came across this cool site (https://dfir.com/) that has some neat shirts.
Shirts for Men, Women, and also sells posters.  That ship to the US.

My personal fav:

Kudos for the Wolverine reference

https://dfir.com/
The site has written that "All proceeds go to Girls Who Code"
https://girlswhocode.com/  
"We’re building the largest pipeline of future
female engineers in the United States."

Which looks like a awesome cause.



--Bryan

Sticky Notes Location (part 2) - restoring from Volume Shadow Copies

6/5/2019
Volume Shadow Copy (also known as Volume Snapshot Service or VSS ) is a technology included in Microsoft Windows. It allows the ability to take backup copies or snapshots of computer files or volumes whether in use or not. The process can be operated manually or automatically.

Can be used to view read only snapshot points in time.

How to turn on Volume Shadow Copies:

1. Type restore in the windows search menu
2. Select create restore point

     3.  Select Configure

4.  Turn on system protection



   5. Create is enabled as an option and name it

Success

  











CURRENT STICKY NOTE

USING VOLUME SHADOW COPIES TO VIEW RESTORED STICKY NOTES



Opening a CMD prompt with admin privileges 

Typing "vssadmin list shadows"

Using the Shadow Copy Volume field for the make link command

Typing "mklink /d outputvolume \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\"  *including the trailing back slash at the end of the Shadow Copy Volume name

mklink command /d <source><destination>

 

Linked Volume is now there

PATHING TO THE "plum.sqlite" file related to Sticky Notes


"Users\<Username>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState"

Using DB Browser to view SQLITE file
dowload from site:  https://sqlitebrowser.org/dl/

After copying the plite file to the another directory out of the mklinked directory, can open and view the deleted entry that was saved in the restored point shadow copy.

*Can also run strings on "plum.sqlite-wal" in the LocalState folder from the VS copy

strings .\plum.sqlite-wal

--Bryan

Windows 10 Sticky Notes Location

Sticky Notes

• Can be retrieved and located in a sqlite file "plum.sqlite"

File path:

%LocalAppData%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

• TESTING IT WITH A MESSAGE

• Viewing the "plum.sqlite" in a SQLite viewer

(Navicat for SQLite)

https://www.navicat.com/en/products/navicat-for-sqlite

• 

  Add caption

  
  

Notes:

• Database file is edited once a sticky note is changed.  
• And new notes are saved and old ones are not in the "plum.sqlite" file.

NEXT POST:

WILL DELETE THE MISSILE LAUNCH CODES FROM THE STICKY NOTE AND TRY AND RETRIEVE THEM FROM A VOLUME SHADOW COPY.

-STAY TUNED

BRYAN