It wasn’t that long ago that every report I read containing Windows prefetch artifacts included only the basics: executable name, first and last time executed (now eight timestamps in Win8), and number of executions. There is much more information stored in prefetch files, but until recently there were few tools to easily parse it and provide it to the examiner. Mark McKinnon wrote one of the first prefetch parsers to include full path names for additional files accessed within the first ten seconds of application launch. TZWorks’ pf tool now also provides this information. Depending on case type, this information could be overkill, but imagine a prefetch file tracking execution of a malicious binary while also identifying a related malicious DLL that was loaded, or the location of keylog output. A lot of files are accessed within the first ten seconds of execution, so you may find evidence of specific documents opened in the prefetch file for the Microsoft WinWord application or, in the case of Figure 1, files accessed within zip archives via a 7zip prefetch file.


Figure 1: Excerpt showing file access recorded inside a prefetch file (output from TZWorks pf)


With the release of Internet Explorer 10, Microsoft made a radical departure from the way previous browser artifacts were stored. The perennial Index.dat records were replaced with a centralized meta-data store for the browser using the proven “JET Blue” Extensible Storage Engine (ESE) database format. While many forensic examiners have remained blissfully unaware of the ESE format, it has been increasingly used throughout Microsoft products for Exchange, NTDS.DIT, the Windows search database, Windows Live Messenger contacts, and Internet Explorer (IE). With the introduction of an enterprise-grade database hosting network artifacts, it is now time for every Windows investigator to understand how the database works and what data they may be missing. Remember that even if a user never opens Internet Explorer, there may still be valuable records in their IE database including files opened on the local system, network shares, and removable devices. It may also hold evidence of malicious activity including HTTP connections initiated on behalf of malware or suspicious sites visited via links clicked in email clients. Internet Explorer and its supporting libraries are deeply tied to the Windows operating system and WinINet API functions often interact with IE databases. Thus IE history, and the WebCache database in particular, continues to be a rich data source during many forensic examinations.

One of the great pleasures of performing Windows forensics is there is no shortage of application execution artifacts. Application execution tells us what has run on a system and is often the pivot point that reveals important activity on the system. Why was FTP run on this workstation? Is it normal to see execution of Winsvchost.exe? Why was a privacy cleaning tool used for the first time during the system owner’s last week of work? While undoubtedly useful, our adversaries are more forensic-aware than ever and often take steps to eliminate application execution artifacts. At CrowdStrike we routinely encounter nation-state groups that attempt to delete Prefetch. Even the popular CCleaner anti-forensics tool defaults to clearing Prefetch and UserAssist data. Hence having additional sources of data can often mean the difference between an easy examination and a long, painful one.


The third release of the free CrowdResponse incident response collection tool is now available! This time around we are including plugins facilitating collection of Windows registry data. Our inspiration for this release was one of those vulnerabilities that just won’t die, Windows Sticky Keys, and we’ll show how to identify this attack while demonstrating the new additions.

New Plugins

@RegDump [-ds]

RegDump recursively extracts Windows registry key and value data.

-d  Nested output format
-s  Recursive dump
<reg key> Registry key to start dump from

Valid registry hive names are: HKLM, HKCU, HKCR, HKU, and HKAU (pseudo key representing all users)

@RegFile [-scmh]

RegFile searches for registry string values (REG_SZ and REG_EXPAND_SZ) and identifies file path data. If the file exists on disk, file information, hash, and digital signature details are recorded.

My recent webcast with Jaron Bradley was recorded and a link is available below.  If you have been looking for an excuse to get more familiar with Windows PowerShell, have a look.

What Malware?  Hunting Command Line Activity

There is a reason hackers use the command line, and it isn’t to impress you with their prowess. Throughout the history of Windows, the command line has left far fewer forensic artifacts than equivalent operations via the GUI. To make matters worse, the transition to Windows 7 and 8 has spread PowerShell throughout the enterprise. While it makes our lives easier as defenders, it does the same for our adversaries. Every time you marvel at the capabilities of PowerShell, you should fear how your adversaries may use that power against you.

In this CrowdCast we have collected tips and tricks from our incident responders describing how they are countering the command line threat. Learn to identify when it is in play, extract commands from memory and network packets, and see what is new on the horizon from Microsoft to make tracking command line activity easier.

It has been an interesting year for attacks against the Windows credential model. If you aren’t familiar with the Mimikatz “Golden Ticket” attack, it represents some of the best justification for guarding your domain administrator credentials with your life (if you really needed additional justification). CERT EU published an excellent whitepaper on strategies for mitigating this attack.


CrowdResponse is a free tool written by Robin Keir from CrowdStrike. Robin has a long history of developing excellent tools for the community including SuperScan, BinText, Fpipe, and CrowdInspect. The goal of CrowdResponse is to provide a lightweight solution for incident responders to perform signature detection and triage data collection. It supports all modern Windows platforms up to Server 2012 and is command-line based, making it easy to deploy at scale. Version 1.0 focuses on signature detection, with a powerful YARA scanning engine. It ships with a very detailed user manual, but since only a few actually read such things, I thought it would be interesting to show the tool in action.

Running YARA Scans

YARA, or Yet Another Regex Analyzer, has become one of the leading tools for describing and detecting malware. A YARA rule consists of a series of strings tied together by a Boolean condition. It facilitates searching with text, hex, Unicode, wildcards, case-insensitivity, and regular expressions. Combining these options allows construction of complicated tests to limit false positives. As an example, consider this YARA rule:


Web shells epitomize the hacking tenet of hiding in plain sight. In a previous post, we showed how a web shell could hide as a single file among thousands present on a web server and as a single line of code in an otherwise legitimate page on a site. The best web shells are not detected by anti-virus and can defeat vulnerability scanning applications using novel techniques like cookie and HTTP header authentication. Identifying the presence of a web shell can be difficult, but there are effective and repeatable ways to find them in your network. Today we will cover log review, concentrating on the following techniques:

  • SQL injection identification
  • Directory enumeration
  • Statistical web log analysis


It has been over six months since Edward Snowden’s unprecedented NSA leaks, and we are still a long way from being able to assess the damage. Worldwide trust in United States tech companies has undoubtedly been shaken. Cisco Systems blamed a ten percent revenue drop on fallout from the leaks. Microsoft is offering the ability for foreign customers to have their data stored outside of the United States. And Silicon Valley stalwarts from Apple to Google to Yahoo have spent considerable resources defending themselves as each new embarrassing revelation becomes public. The trickle-down effect of this is even touching the small niche of digital forensics. Personal privacy has been central to the Snowden debate, and users today are more educated than ever about how their information is stored and transmitted. Web services companies are taking notice, and we have already seen some very useful artifacts disappear. I expect the trend to continue and would like to share a few examples.

Google Chrome

On October 1, 2013, version 30 of Google Chrome was released. Absent in this release was one of the most unique browser artifacts available: History Index files. Prior to version 30, Chrome not only stored browser history, cache and cookies but also recorded a full text index of each visited page. Since page content can change, this was a wonderful forensic artifact for proving what existed on a given page when a user viewed it. Chrome version 30 not only stopped recording this information, it also deleted any existing History Index files from the user’s profile.


Figure 1: The Chrome c2body field previously held a full text index of visited pages.


Ouch! Security Awareness

The December 2013 issue of OUCH! is out, and I am pleased to be this month’s guest editor. The SANS Securing the Human team is impressive and it is always a pleasure to work with professionals with such diverse security backgrounds. If you aren’t familiar with OUCH!, it is a free Creative Commons resource intended to supplement user awareness training. OUCH! is translated into over 20 languages by a team of incredible volunteers. Pass it along to any loved ones getting a tablet computer this holiday season!