Windows Forensic Analysis
When doing Windows Forensic Analysis, it can be overwhelming to face the large amount of data that needs to be collected, even when you know what you are looking for. If you don't know what you are looking for, the whole process becomes twice as hard.
In this article we will discuss the following topics:
What is Windows Forensic Analysis?
Windows Forensic Analysis focuses on 2 things:
- In-depth analysis of Windows Operating System.
- Analysis of Windows System Artifacts.
Windows artifacts are the objects which hold information about the activities that are performed by the Windows user. The type of information and the location of the artifact varies from one operating system to another. Windows artifacts contain sensitive information that is collected and analyzed at the time of forensic analysis.
What are Forensic Artifacts?
Forensic artifacts are objects that have some forensic value: any object that contains data or evidence of something that has occurred, such as logs, registry hives, and many more. In this section, we will go through some of the forensic artifacts that a forensic investigator looks for while performing a forensic analysis of Windows.
1. Recycle Bin: The Windows Recycle Bin contains some great artifacts:
- The $I file contains the metadata of the deleted file. You can find this file under the path C:\$Recycle.Bin\SID*\$Ixxxxxx
- The $R file contains the contents of the deleted file. This file can be located under the path C:\$Recycle.Bin\SID*\$Rxxxxxx
- $I files can be parsed using the $I Parse tool.
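To show what the $I metadata record actually holds, here is an added example parser (not the $I Parse tool mentioned above and not code from the original article). It assumes the two documented record layouts: version 1 (Vista through 8.1) with a fixed 520-byte path field, and version 2 (Windows 10 and later) with a length-prefixed path. The sample records are constructed inline for offline testing; the file names and paths in them are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data: bytes) -> dict:
    """Parse a $I metadata record from the Recycle Bin.

    Both versions start with three little-endian 64-bit fields:
      0x00  format version (1 = Vista..8.1, 2 = Windows 10 and later)
      0x08  original file size in bytes
      0x10  deletion time as FILETIME
    Version 1 then carries a fixed 520-byte UTF-16LE path field; version 2
    carries a 32-bit character count followed by the UTF-16LE path.
    """
    if len(data) < 24:
        raise ValueError("record too short to be a $I file")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    else:
        raise ValueError(f"unsupported $I format version {version}")
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(deleted_ft),
        "original_path": path,
    }


def matching_dollar_r(dollar_i_name: str) -> str:
    """The $R file holding the content shares the random suffix of its $I file."""
    if not dollar_i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + dollar_i_name[2:]


def build_dollar_i(version: int, path: str, size: int, deleted_at: datetime) -> bytes:
    """Build a constructed $I record for testing (not real evidence)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


# Constructed samples: one Windows 10 style record and one Windows 7 style record.
DELETION_TIME = datetime(2021, 3, 4, 5, 6, 7, tzinfo=timezone.utc)
SAMPLE_V2 = build_dollar_i(2, r"C:\Users\analyst\Documents\report.docx", 12345, DELETION_TIME)
SAMPLE_V1 = build_dollar_i(1, r"C:\Users\analyst\Downloads\tool.exe", 67890, DELETION_TIME)

if __name__ == "__main__":
    for sample in (SAMPLE_V2, SAMPLE_V1):
        print(parse_dollar_i(sample))
    print(matching_dollar_r("$I3F2K9L.docx"))
```

On a real image, walk C:\$Recycle.Bin\<SID>\ and feed every $I* file to parse_dollar_i; the deletion timestamp and original path are what lets you line a deletion up with other activity on the timeline, and matching_dollar_r tells you which $R file still holds the content.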
2. Browsers: Web browsers contain a lot of information like:
3. Windows Error Reporting: This feature enables users to inform Microsoft about application faults, kernel faults, unresponsive applications, and other application-specific problems. It provides us with artifacts such as:
- Evidence of program execution, for example when a malicious program crashes while running.
- You can locate these artifacts at the following locations:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive
C:\Users\XXX\AppData\Local\Microsoft\Windows\WER\ReportArchive
C:\ProgramData\Microsoft\Windows\WER\ReportQueue
C:\Users\XXX\AppData\Local\Microsoft\Windows\WER\ReportQueue
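Each report folder under ReportArchive or ReportQueue holds a Report.wer file, a UTF-16 text file of key=value lines. The following added example (not code from the original article) extracts the execution evidence an investigator cares about: event type, event time, the crashing application's name and path, and the Sig[n]/DynamicSig[n] signature pairs. The report content is a constructed sample with a made-up path; only a handful of the real keys are included.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


# Constructed sample (not a real report). Real files use CRLF line endings and
# carry many more keys; the ones below are the ones this parser uses.
SAMPLE_REPORT_WER = "\n".join([
    "Version=1",
    "EventType=APPCRASH",
    "EventTime=132572845670000000",
    "ReportType=2",
    "Sig[0].Name=Application Name",
    "Sig[0].Value=updater.exe",
    "Sig[1].Name=Application Version",
    "Sig[1].Value=1.0.0.0",
    "Sig[3].Name=Fault Module Name",
    "Sig[3].Value=ntdll.dll",
    "DynamicSig[1].Name=OS Version",
    "DynamicSig[1].Value=10.0.19041.2.0.0.256.48",
    "AppName=updater.exe",
    "AppPath=C:\\Users\\analyst\\AppData\\Local\\Temp\\updater.exe",
]).encode("utf-16")  # "utf-16" prepends a BOM, as Windows does


def parse_report_wer(data: bytes) -> dict:
    """Summarise a Report.wer file into the fields relevant to program execution."""
    text = data.decode("utf-16")  # honours the BOM
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()

    # Re-join Sig[n].Name / Sig[n].Value (and DynamicSig[n]) into readable dicts.
    sigs, dyn = {}, {}
    for key, value in fields.items():
        m = re.fullmatch(r"(Dynamic)?Sig\[(\d+)\]\.Name", key)
        if m:
            prefix = m.group(1) or ""
            target = dyn if prefix else sigs
            target[value] = fields.get(f"{prefix}Sig[{m.group(2)}].Value")

    # EventTime is a FILETIME written as a decimal integer.
    event_time = None
    if fields.get("EventTime", "").isdigit():
        event_time = filetime_to_datetime(int(fields["EventTime"]))

    return {
        "event_type": fields.get("EventType"),
        "event_time": event_time,
        "app_name": fields.get("AppName") or sigs.get("Application Name"),
        "app_path": fields.get("AppPath"),
        "signatures": sigs,
        "dynamic_signatures": dyn,
    }


if __name__ == "__main__":
    summary = parse_report_wer(SAMPLE_REPORT_WER)
    for k, v in summary.items():
        print(f"{k}: {v}")
```

The AppPath value is the artifact worth triaging: an executable crashing out of a user's Temp or AppData directory is a common sign of something that was dropped rather than installed, and the EventTime places that execution on the timeline even if the binary itself has since been removed.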
4. Remote Desktop Protocol Cache: When using the "mstsc" client provided by Windows, RDP can be used to move laterally through the network. Cache files are created containing sections of the remote machine's screen that rarely change. These cache files can be located in the directory:
C:\Users\XXX\AppData\Local\Microsoft\Terminal Server Client\Cache
Tools like BMC-Tools can be used to extract images stored in these cache files.
5. LNK Files: .lnk files are Windows shortcut files. LNK files link or point to other files or executables for ease of access. You can find the following information in these files:
- The original path of the target file.
- Timestamps of both the target file and the .lnk file.
- File attributes like System, Hidden, etc.
- Details about the disk.
- Remote or local execution.
- MAC addresses of the machines.
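To make those fields concrete, here is an added example (not code from the original article) that parses the ShellLinkHeader and LinkInfo structures of a .lnk file: target timestamps, file attributes, target size, the local base path, the volume serial and label, and whether the target lives on a local or remote volume. It assumes the MS-SHLLINK layout, handles only the ANSI string forms (not the Unicode offsets), and does not read the TrackerDataBlock that carries the MAC address. The sample shortcut is built in memory with a made-up path and volume serial.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
FILE_ATTRIBUTES = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x10: "DIRECTORY",
                   0x20: "ARCHIVE", 0x80: "NORMAL", 0x100: "TEMPORARY",
                   0x400: "REPARSE_POINT", 0x800: "COMPRESSED", 0x4000: "ENCRYPTED"}
DRIVE_TYPES = {0: "unknown", 1: "no_root_dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def _cstring(data: bytes, offset: int) -> str:
    """Read a NUL-terminated ANSI string."""
    return data[offset:data.index(b"\x00", offset)].decode("cp1252", errors="replace")


def parse_lnk(data: bytes) -> dict:
    hsize, clsid, flags, attrs, ct, at, wt, fsize = struct.unpack_from("<I16sIIQQQI", data, 0)
    if hsize != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    info = {
        "attributes": [name for bit, name in FILE_ATTRIBUTES.items() if attrs & bit],
        "created": filetime_to_datetime(ct),    # timestamps of the *target*, copied at link time
        "accessed": filetime_to_datetime(at),
        "modified": filetime_to_datetime(wt),
        "target_size": fsize,
        "local_base_path": None, "drive_type": None,
        "volume_serial": None, "volume_label": None, "target_is_remote": False,
    }
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList if present
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        base = pos                               # LinkInfo offsets are relative to its start
        _size, _hdr, li_flags, vol_off, lbp_off, _cnrl_off, _cps_off = struct.unpack_from("<7I", data, base)
        if li_flags & 0x1:                       # VolumeIDAndLocalBasePath
            vol = base + vol_off
            _vsize, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
            info["drive_type"] = DRIVE_TYPES.get(drive_type, f"unknown({drive_type})")
            info["volume_serial"] = f"{serial:08X}"
            info["volume_label"] = _cstring(data, vol + label_off)
            info["local_base_path"] = _cstring(data, base + lbp_off)
        info["target_is_remote"] = bool(li_flags & 0x2)   # CommonNetworkRelativeLinkAndPathSuffix
    return info


def build_sample_lnk() -> bytes:
    """Construct a minimal .lnk with a LinkInfo block (test data, not a real shortcut)."""
    when = datetime_to_filetime(datetime(2020, 5, 6, 7, 8, 9, tzinfo=timezone.utc))
    accessed = datetime_to_filetime(datetime(2020, 5, 7, 0, 0, 0, tzinfo=timezone.utc))
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x22,
                         when, accessed, when, 1024, 0, 1, 0, 0, 0, 0)
    label = b"OS\x00"
    local_path = b"C:\\Users\\analyst\\Desktop\\notes.txt\x00"
    volume_id = struct.pack("<4I", 16 + len(label), 3, 0x1A2B3C4D, 16) + label
    hdr_size = 0x1C
    vol_off = hdr_size
    lbp_off = vol_off + len(volume_id)
    cps_off = lbp_off + len(local_path)
    link_info = struct.pack("<7I", cps_off + 1, hdr_size, 0x1, vol_off, lbp_off, 0, cps_off)
    return header + link_info + volume_id + local_path + b"\x00"


if __name__ == "__main__":
    for k, v in parse_lnk(build_sample_lnk()).items():
        print(f"{k}: {v}")
```

The volume serial is the detail that ties a shortcut to a specific disk: a .lnk whose serial matches no volume on the host points at media that has since been removed, which is exactly the case the "details about the disk" bullet is getting at.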
6. Jump Lists: They contain information about the recently accessed applications and files. This feature was introduced with Windows 7. Two types of Jump Lists can be created in Windows:
- AUTOMATICDESTINATIONS-MS: These jump lists are created automatically when a user opens a file or an application. They are located under the path:
- CUSTOMDESTINATIONS-MS: These jump lists are custom made and are created when a user pins a file or an application. They are located under the directory C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
7. Prefetch Files: These files contain a wealth of information like:
- Application Name.
- Application path.
- Last execution timestamp.
- Creation timestamp.
Top Open-Source Tools for Windows Forensic Analysis
In this section, we will be discussing some of the open-source tools that are available for conducting Forensic Analysis in the Windows Operating System.
1. Magnet Encrypted Disk Detector: This tool checks physical drives for encryption. It supports PGP, SafeBoot encrypted volumes, BitLocker, etc. You can download it from here.
2. Magnet RAM Capture: This tool is used to analyze the physical memory of the system. You can download it from here.
3. Wireshark: This is a network analyzer and capture tool used to see what traffic is flowing on your network. You can download it from here.
4. RAM Capture: As the name suggests, this is a free tool that is used to extract the entire contents of the volatile memory i.e. RAM. You can download it from here.
5. NMAP: This is the most popular tool for finding open ports on a target machine. Using this tool you can identify potential vulnerabilities on a target. You can download it from here.
6. Network Miner: This tool is used as a passive network sniffer to detect operating systems, ports, sessions, hostnames, etc. You can download it from here.
7. Autopsy: This is a GUI-based tool used to analyze hard disks and smartphones. You can download it from here.
8. Forensic Investigator: This is a Splunk toolkit used for HEX conversion, Base64 conversion, metascan lookups, and many other features that are essential in forensic analysis. You can download it from here.
9. HashMyFiles: This tool is used to calculate the SHA1 and MD5 hashes. It works on all the latest websites. You can download it from here.
10. Crowd Response: This tool is used to gather the system information for incident response. You can download it from here.
11. ExifTool: This tool is used to read, write, and edit metadata in a wide range of file types. You can download it from here.
12. FAW (Forensic Acquisition of Websites): This tool acquires web pages as images, HTML, and source code. It can be integrated with Wireshark. You can download it from here.
There is a large variety of forensic tools available in the market. Some are free and open-source, and some charge annual or monthly fees. You just need to identify your requirements and choose the tool that best suits them.