Wednesday, May 8, 2019

Zip it Good - CLI ZIP with Powershell

Compress-Archive with PowerShell

Compress-Archive
        [-Path] <String[]>
        [-DestinationPath] <String>

Example

Compress-Archive -Path <Files to compress (comma separated)> -DestinationPath Output.Zip


Files Intended to be zipped into one folder



The above command, "Compress-Archive -Path .\* -DestinationPath '.\CLIzip.ZIP'", compresses everything in the current folder into the zip file.


The zip folder was created






Expand-Archive with PowerShell

Expand-Archive [-Path] <String> [[-DestinationPath] <String>]

Example

Expand-Archive -Path <Zippedfolder.Zip> -DestinationPath <Output Path>

Decompressing CLIzip.zip with -Force so that files already present in the destination are overwritten


Original files have been unzipped
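As an added example (not from the original post), the PowerShell below round-trips a constructed sample folder through Compress-Archive and Expand-Archive, verifies the result by hash, and then shows the defender's side: finding the same cmdlets in PowerShell script block logs (Event ID 4104). The temp paths are assumptions.

```powershell
# Added example, not from the post. Sample input is constructed under %TEMP%.
$src = Join-Path $env:TEMP 'clizip-demo'
$zip = Join-Path $env:TEMP 'CLIzip.zip'
$out = Join-Path $env:TEMP 'clizip-out'
New-Item -ItemType Directory -Path $src -Force | Out-Null
'alpha' | Set-Content (Join-Path $src 'a.txt')
'beta'  | Set-Content (Join-Path $src 'b.txt')

# Same -Path .\* style as the post; -Force overwrites an archive that already exists
Compress-Archive -Path (Join-Path $src '*') -DestinationPath $zip -Force
# -Force on Expand-Archive overwrites files already present in the destination
Expand-Archive -Path $zip -DestinationPath $out -Force

# Verify the round trip: every source file must come back byte-identical
foreach ($f in Get-ChildItem -LiteralPath $src -File) {
    $a = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $b = (Get-FileHash -LiteralPath (Join-Path $out $f.Name) -Algorithm SHA256).Hash
    '{0}: {1}' -f $f.Name, $(if ($a -eq $b) { 'match' } else { 'MISMATCH' })
}

# Defender's view: which logged script blocks on this host invoked these cmdlets?
# Needs script block logging enabled; with it on, this very script is logged too.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Compress-Archive|Expand-Archive' } |
    Select-Object TimeCreated, Id, @{ n = 'FirstLine'; e = {
        # Message starts with "Creating Scriptblock text (n of m):" and then the script text
        ($_.Message -split "`r?`n" | Select-Object -Skip 1 | Where-Object { $_.Trim() }) |
            Select-Object -First 1 } } |
    Format-Table -AutoSize -Wrap
```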


In conclusion, this may be a handy way to zip up files for sending or storage.  It is also worth recognizing the Compress-Archive and Expand-Archive PowerShell cmdlets when they show up in PS logs, since they are the commands associated with zipping and unzipping folders.

Done via command line.


--Bryan


Tuesday, May 7, 2019

Recently Opened Files and Docs




FILE PATH for RECENT DOCS:

C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Recent

or at file explorer title bar (paste this): %AppData%\Microsoft\Windows\Recent

Opens a folder of shortcut files of recently opened files.


Including .png, .txt, .pdf, and .docx files, as well as recently opened folders.
Right-click the column header to add columns.


Date modified and date created can then be viewed for each shortcut.








This location is present on Windows 7 up to Windows 10.
On Windows XP it is at "\Documents and Settings\$USER$\Recent".


A possible place to check for forensic artifacts, or for that document you had open recently and are looking for.
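As an added example (not from the original post), this PowerShell resolves the shortcut (.lnk) files in the Recent folder to the documents they point to and lists them newest first, using the date modified and date created columns mentioned above. The seven-day default window is an assumption.

```powershell
# Added example, not from the post: walk %AppData%\Microsoft\Windows\Recent
function Get-RecentItems {
    param([datetime]$Since = (Get-Date).AddDays(-7))   # assumed default window
    $recent = Join-Path $env:APPDATA 'Microsoft\Windows\Recent'
    $shell  = New-Object -ComObject WScript.Shell        # resolves .lnk targets
    Get-ChildItem -LiteralPath $recent -Filter *.lnk -File |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            [pscustomobject]@{
                LastOpened  = $_.LastWriteTime   # shortcut is rewritten when the item is re-opened
                FirstOpened = $_.CreationTime    # shortcut was created the first time it was opened
                Target      = $target
                StillExists = if ($target) { Test-Path -LiteralPath $target } else { $false }
                Shortcut    = $_.Name
            }
        } |
        Sort-Object LastOpened -Descending
}

# StillExists = False marks a document that was opened and later deleted or moved;
# the shortcut in Recent keeps recording its path and open times regardless.
Get-RecentItems | Format-Table -AutoSize
```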


--Bryan


Wednesday, May 1, 2019

AutoStart and the AutoRun tool

There are locations that can shed light on which software, tasks, or configurations are set to run every time a user logs in or when the Operating System boots up.

These locations are good to know for a few different reasons.
One is for personal settings.  Maybe we want a tool or task to run every time we start up a computer, perhaps for updates or logging information.

Secondly, the autostart locations can be used by potentially malicious programs to remain installed and/or run at startup.

Below is a list of locations that can be configured for autostart:

Autostart folder of the current user
  • shell:startup
  • %appdata%\Microsoft\Windows\Start Menu\Programs\Startup
  • C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Autostart folder of all users
  • shell:common startup
  • %programdata%\Microsoft\Windows\Start Menu\Programs\Startup
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

REGISTRY
Run keys (individual user)
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (only on 64-bit systems)
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce (runs the program/command only once, clears it as soon as it is run)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (runs the program/command only once, clears it as soon as execution completes)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Run keys (machine, all users)
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (only on 64-bit systems)
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce (runs the program/command only once, clears it as soon as it is run)
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (runs the program/command only once, clears it as soon as execution completes)
  • HKLM\System\CurrentControlSet\Services
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Other autostart keys
Active Setup has been designed to execute commands once per user during logon.
  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
Undocumented autostart feature.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
Shell related autostart entries, e.g. items displayed when you right-click on files or folders.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
  • HKLM\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers
  • HKCU\Software\Classes\Drive\ShellEx\ContextMenuHandlers
  • HKLM\Software\Wow6432Node\Classes\Drive\ShellEx\ContextMenuHandlers
  • HKLM\Software\Classes\*\ShellEx\PropertySheetHandlers
  • HKLM\Software\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers
  • HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
  • HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
  • HKLM\Software\Wow6432Node\Classes\Directory\ShellEx\ContextMenuHandlers
  • HKCU\Software\Classes\Directory\Shellex\DragDropHandlers
  • HKLM\Software\Classes\Directory\Shellex\DragDropHandlers
  • HKLM\Software\Wow6432Node\Classes\Directory\Shellex\DragDropHandlers
  • HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers
  • HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
  • HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
  • HKLM\Software\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers
  • HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
  • HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers
  • HKLM\Software\Classes\Folder\ShellEx\DragDropHandlers
  • HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
  • HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
The following keys specify drivers that get loaded during startup.
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  • HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Misc Startup keys
  • HKLM\Software\Classes\Filter
  • HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
  • HKLM\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
  • HKLM\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
  • HKLM\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
  • HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  • HKCU\Control Panel\Desktop\Scrnsave.exe
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64

TASKS
  • C:\Windows\Tasks
  • C:\Windows\System32\Tasks
Files
The following files can be used to autostart programs on Windows start:
  • c:\autoexec.bat
  • c:\config.sys
  • c:\windows\winstart.bat
  • c:\windows\wininit.ini
  • c:\windows\dosstart.bat
  • c:\windows\system.ini
  • c:\windows\win.ini
  • c:\windows\system\autoexec.nt
  • c:\windows\system\config.nt



_________________________________________________________________________________

Autoruns for Windows


The Autoruns tool is part of the Sysinternals Suite by Mark Russinovich, CTO of Microsoft and software engineer.  This tool is great for a one stop check of all the above mentioned autostart locations.

It will show what programs are configured to run during system bootup or login.  The tool also reports whether each entry is signed, which makes unsigned third-party software stand out.

Autoruns GUI


There is "badthing.exe" in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" and it is unsigned with no publisher.




In conclusion, knowing the autostart locations, or where to reference them, is valuable for answering what starts up at boot and login time.  For assistance there is the Autoruns tool, which I recommend carrying along with the rest of the Sysinternals Suite.
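As an added example (not from the original post or from Sysinternals), this PowerShell does a lightweight version of what Autoruns shows above for a subset of the locations listed: the main Run/RunOnce keys and the two Startup folders, with each target's Authenticode signature status and publisher. The two helper function names are my own.

```powershell
# Added example, not from the post: a small autostart check with signature status
$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$startupFolders = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)

# Pull the executable out of a command line such as  "C:\Tools\x.exe" /arg  or  %AppData%\x.exe /arg
function Get-ExePath([string]$Command) {
    if ($Command -match '^\s*"([^"]+)"')   { return $Matches[1] }
    if ($Command -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

# Returns e.g. "Valid CN=Microsoft Windows, ..." or "NotSigned (no publisher)"
function Get-SignatureStatus([string]$Path) {
    $p = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $p)) { return 'file not found' }
    $sig = Get-AuthenticodeSignature -LiteralPath $p
    $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no publisher)' }
    "$($sig.Status) $publisher"
}

$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $k = Get-Item -Path $key
    foreach ($name in $k.GetValueNames()) {
        $cmd = [string]$k.GetValue($name)
        [pscustomobject]@{ Location = $key; Entry = $name; Command = $cmd
                           Signature = Get-SignatureStatus (Get-ExePath $cmd) }
    }
})
# Startup folders: a .exe dropped here (like badthing.exe above) is checked directly;
# a .lnk reports on the shortcut file itself, not on its target
$entries += @(foreach ($folder in $startupFolders) {
    Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Location = $folder; Entry = $_.Name; Command = $_.FullName
                           Signature = Get-SignatureStatus $_.FullName }
    }
})
# Anything that is not validly signed sorts to the top for review
$entries | Sort-Object { $_.Signature -notlike 'Valid*' } -Descending | Format-Table -AutoSize -Wrap
```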



--Bryan









Monday, April 29, 2019

Windows 10 Timeline Feature


There is a feature in updated versions of Windows 10 called "Timeline".
What might you think a feature with this name would do?

You could say it is similar to a browser history, but a history of the user's activity across the entire computer.
MS might have dropped this one in the laps of forensicators.

Apart from websites that you visited, the Timeline shows the documents you worked with, the games you played, the images you viewed or created and recently executed applications.


Access the Timeline feature from the timeline icon on the taskbar, at the bottom left of the screen next to the Windows Start button.


"WINDOWS KEY + Tab" will also take you there.

Additional details about Timeline
Here's some additional information you need to know as you get started with Timeline on Windows 10:

  • Timeline works only on devices running the Windows 10 April 2018 Update and later.
  • Timeline is a feature that works on every version of Windows 10 that is connected using a Microsoft account.
  • Office applications will appear in your timeline, but only after the document is saved or if AutoSave is enabled.
  • You can't control which applications appear in your timeline.
  • You can't check your timeline on the web, but you can view your activities in the privacy dashboard of your Microsoft account.
  • You can't change the number of days that Timeline tracks on your devices. It's either 4 days or 30 days if the sync option is enabled.
  • Timeline is supported on a multi-monitor setup, but your timeline will only appear in the display you invoked it.


The feature can be enabled and configured in "Settings --> Privacy --> Activity History"



***FOR FORENSIC PURPOSES


This is almost like an "organization" or "productivity" feature that can also double as a built-in forensics tool for us.

TIMELINE FEATURE DATABASE FILE:
Located at:


C:\Users\<Username>\AppData\Local\ConnectedDevicesPlatform\L.<Username>\ActivitiesCache.db


This file, "ActivitiesCache.db", may be well worth parsing and capturing as a forensic artifact.



Can be viewed in FTK 




OR



Use WxTCmd, a tool by DFIR rockstar tool author Eric Zimmerman.

WxTCmd
Windows 10 Timeline database parser

https://cyberforensicator.com/2018/05/08/wxtcmd-windows-10-timeline-parser/
https://binaryforay.blogspot.com/2018/05/introducing-wxtcmd.html
https://ericzimmerman.github.io/#!index.md


1. Run the WxTCmd.exe tool against the ActivitiesCache.db file:
.\WxTCmd.exe -f C:\Users\Win10\AppData\Local\ConnectedDevicesPlatform\L.Win10\ActivitiesCache.db --csv C:\Users\Win10\Desktop\


2. Take the output csv or tsv (tab-separated) file and open it with Timeline Explorer (another of Zimmerman's finest).


Open the output .tsv file in Timeline Explorer:
File --> Open --> path to the .tsv


Timeline Explorer will show the Last Modified time, the executable that ran, and the display and content info for each activity.
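As an added example (not from the original post or from Eric Zimmerman's tools), this PowerShell collects every profile's ActivitiesCache.db into an evidence folder, records a SHA-256 for each copy, and then hands the copy to WxTCmd using the -f and --csv switches shown in step 1. The evidence path and the location of WxTCmd.exe are assumptions.

```powershell
# Added example, not from the post: collect Timeline databases before parsing them
function Collect-TimelineDb {
    param(
        [string]$EvidenceDir = 'C:\Evidence\Timeline',   # assumed destination
        [string]$WxTCmd      = '.\WxTCmd.exe'            # assumed tool location
    )
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
    # Wildcards cover every profile and the per-user L.<Username> folder
    $pattern = 'C:\Users\*\AppData\Local\ConnectedDevicesPlatform\L.*\ActivitiesCache.db'
    foreach ($db in Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue) {
        $user    = $db.FullName.Split('\')[2]            # C:\Users\<user>\...
        $userDir = Join-Path $EvidenceDir $user
        New-Item -ItemType Directory -Path $userDir -Force | Out-Null
        try {
            # SQLite may hold the newest rows in -wal/-shm sidecars; copy them alongside
            # the database, keeping their names so a parser can pair them up
            Copy-Item -Path ($db.FullName + '*') -Destination $userDir -ErrorAction Stop
        } catch {
            Write-Warning "Could not copy $($db.FullName): $_"   # e.g. locked by the live service
            continue
        }
        $copy = Join-Path $userDir $db.Name
        $hash = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
        if (Test-Path -LiteralPath $WxTCmd) {
            # Same invocation as step 1, run against the copy rather than the live file
            & $WxTCmd -f $copy --csv $userDir | Out-Null
        }
        [pscustomobject]@{ User = $user; Source = $db.FullName; LastWrite = $db.LastWriteTime
                           SHA256 = $hash; Copy = $copy }
    }
}

Collect-TimelineDb | Format-Table -AutoSize
```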




Also a possible source for recent MS Edge browser activity.





In Conclusion:

The Windows 10 Timeline feature is a good one for us forensicators to know.  The location and presence of the ActivitiesCache.db file can be well worth our while for recently used activities with timestamps, and for recent Edge browser history via the timeline feature.
Big thanks to Eric Zimmerman for the never-ending inspiration and awesome tools he provides to the community.


--Bryan



RESOURCE
Microsoft. "Get Help with Timeline." support.microsoft.com/en-us/help/4230676/windows-10-get-help-with-timeline.


Wednesday, April 24, 2019

Ways to Hash a File


So, you have begun your incident response and for documentation purposes you need to 
document the hashes of files.  Or you have imaged some media, perhaps memory. And you 
want the hashes of the image files.

In this post, I will outline a few ways to do so with some tools native to windows and some 
non-native tools.

___________________________________________________________________________
1. PowerShell (Get-FileHash)

Get-FileHash

Get-FileHash [-Path] <string[]> [-Algorithm {SHA1 | SHA256 | SHA384 | SHA512 | MACTripleDES | MD5 | RIPEMD160}]


*Note
- -Algorithm can be abbreviated to -Al
- a semicolon (;) joins two commands on one line


Example:





The above command is hashing "hash_this.txt" with the MD5 and SHA1 algorithms.
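As an added example (not from the original post), the PowerShell below turns Get-FileHash into the documentation step the introduction describes: it writes an MD5/SHA256 manifest for an evidence folder and later re-verifies it, flagging anything missing or modified. The sample folder is constructed under %TEMP% and the function names are my own.

```powershell
# Added example, not from the post: hash manifest with Get-FileHash
function New-HashManifest {
    param([string]$Folder, [string]$Manifest, [string[]]$Algorithms = @('MD5', 'SHA256'))
    Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object {
        $row = [ordered]@{ Path = $_.FullName; Length = $_.Length }
        foreach ($alg in $Algorithms) {
            # One Get-FileHash call per algorithm; values match certutil/md5sum for the same file
            $row[$alg] = (Get-FileHash -LiteralPath $_.FullName -Algorithm $alg).Hash
        }
        [pscustomobject]$row
    } | Export-Csv -LiteralPath $Manifest -NoTypeInformation
}

function Test-HashManifest {
    param([string]$Manifest, [string]$Algorithm = 'SHA256')
    foreach ($row in Import-Csv -LiteralPath $Manifest) {
        $status = if (-not (Test-Path -LiteralPath $row.Path)) { 'MISSING' }
                  elseif ((Get-FileHash -LiteralPath $row.Path -Algorithm $Algorithm).Hash -eq $row.$Algorithm) { 'OK' }
                  else { 'MODIFIED' }
        [pscustomobject]@{ Status = $status; Path = $row.Path }
    }
}

# Constructed sample evidence folder
$folder   = Join-Path $env:TEMP 'ir-evidence'
$manifest = Join-Path $env:TEMP 'ir-evidence-manifest.csv'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
'hash me' | Set-Content -LiteralPath (Join-Path $folder 'hash_this.txt')
'keep me' | Set-Content -LiteralPath (Join-Path $folder 'untouched.txt')

New-HashManifest -Folder $folder -Manifest $manifest
# Simulate tampering after the manifest was taken, then re-verify
Add-Content -LiteralPath (Join-Path $folder 'hash_this.txt') -Value 'tampered'
Test-HashManifest -Manifest $manifest | Format-Table -AutoSize
```

hash_this.txt is reported as MODIFIED and untouched.txt as OK; a file removed from the folder would show as MISSING.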









___________________________________________________________________________ 

2. Certutil (-hashfile)





The above command is hashing "hash_this.txt" with the MD5 algorithm.





Example:
Certutil -hashfile <FILENAME> <HASH ALGORITHM>


___________________________________________________________________________

3. MD5deep and SHA1deep

In your Incident Response kit, it is a good idea to have a subset of tools for
hashing.  md5deep, hashdeep, and sha1deep are some possible options for doing so.

Link to Download of MD5 deep:


Example: md5deep64.exe <FILENAME>


*Note

There are also sha1deep, sha256deep, and hashing executables for a few other algorithms
in the same download; they work the same way as md5deep.





 ___________________________________________________________________________
4.  Hashing with MacOS and Linux

For MacOS:
Opening a terminal and using the command md5, shasum, or shasum -a 256 with the path to
the file will return a file hash.

Example:
md5 <FILEPATH>
md5 -r <FILEPATH>
openssl md5 <FILEPATH>


For Linux:
Opening a terminal and using the command md5sum, sha1sum, or sha256sum with the path to
the file will return a file hash.

Example
md5sum <FILEPATH>
sha1sum <FILEPATH>
sha256sum <FILEPATH>



___________________________________________________________________________



In conclusion, these are only a few ways to hash a file.  There are several more.  

There are also some third-party options: "HashTab", which adds a tab to a file's Properties 
dialog that shows its hashes, 

as well as "Hash Generator" and NirSoft's "HashMyFiles" tool.  

And most forensics tools include a hashing feature.  

But for an on the fly way, do remember that there are some command line methods to use at 
your helm. 



--Bryan