Disk Flashcards

Question

Finding fileless malware should start with

Answer 1

....looking for the evidence of its execution when it RUNS.

Answer 2

We can't detect the malware in memory

Answer 3

Automated enterprise wide sweeps that can be signature based should start early, and then using targeted EDR data and triage data should be spent only on narrowed hosts that are suspicious, as they are time consuming. More manual processes should be used sparingly.

Answer 4

Program execution, File opening, File knowledge, event logs, browser usage

Answer 5

Like to name it svchost, explorer.exe, win.,exe; app data folders (where outlook and explorer drop stuff) Likes to hide in temp folders, windows folders, and internet files, system volume files.... They'll often pack it, run it through python or after converting it to text, etc....obfuscating it

Answer 6

whitelisting

Answer 7

frequent compilation, packing, and armoring. It will mimic known good services and normal windows services.

Answer 8

Probably create a new service (scheduler @ cmd) replace an existing service, like the wireless zero config service register as an outrun process in memory process injection

Answer 9

Passport/phone bill (something to prove identity) | a Dun and Broadstreet rating (Level of financial standing/stability); shows that your org is a stable business.

Answer 10

Stuxnet opera browser manipulation that allowed access to private keys adobe key signing cert stolen

Answer 11

Server 2008, Drivers

Answer 12

On servers: Server 2016 Workstations: windows 10 You have to turn on executable signing!

Answer 13

For corporate, you need to have a Dun financial rating (Dun and Broadstreet) Shows you have a stable business.

Answer 14

around 3.5%; higher % for nation state attacks

Answer 15

If you revoke the signing cert (add it to the CRL) it would put a beacon on any version of that code in the wild. Makes rapid re-development/redeployment of code hard

Answer 16

You can usually ignore code signed by well known sources such as MSFT, google, apple, etc.

Answer 17

Identifying normal processes and their locations. (Lsass.exe, taskhostw.exe, winlogon) Cross check that it lives in the correct directory/location. (such as %SystemRoot%\System32\smss.exe)

Answer 18

Checks for signed code, upload to VT

Answer 19

Checks for possible obfuscation and packing of a file. File will receive a score; this score can be used to identify whether a set of files is worth investigation.

Answer 20

command line tool to scan portable executable (PE) files to identify how they were constructed. Various metadata is displayed, identifying items such as: Compile timestamp MACB timestamp File size and type of executable Target OS and whether binary is 32 or 64 bit Linker version used Entry point address and desired image base address Whether an X509 certificate was used and who the author is Whether there is a checksum present and does it match the binary Optional analysis of the PE internals to generate an abormality score which compares the internal construction to the standard operating system files. Higher scores equate to larger differences. Optional MD5 and/or SHA1 hashes of the file can be generated as part of the scan.

Answer 21

Prefetch, Shimcache, userassist registry keys, and jump lists.

Answer 22

Prefetch, Shimcache, userassist registry keys, and jump lists.

Answer 23

cmd.exe exeuction Sysinternals tools usage (psexec, procdump, psloggedon) at.exe or schtasks.exe execution (Persistence) wmic.exe, Powershell.exe, or winrm.vbs execution net.exe use, used for mapping drives or lateral movement reg.exe or sc.exe (addition of run keys or services) mount points2 registry key: records shares such as C$, Temp$, etc .job files in C:\Windows\Tasks: odd application tasks executed

Answer 24

Use of reg.exe or sc.exe

Answer 25

Sysinternals tools (psexec, procdump, psloggedon) or net.exe (network)

Answer 26

``` starting with wrong parent process image executable in wrong path misspelled processes incorrect sid (starting from wrong account) Processes with unusual boot times Unusual command line parameters packed executables ```

Answer 27

tries to compress a file; parts of the file that are obfuscated or encrypted won't compress. Finds parts of files that have high frequency letters (usually encrypted) content or high entropy. (randomly generated) You can usually compress standard EXEs very well (50%+) anything less than 10% compression represents concern.

Answer 28

fancy term for "time lining"

Answer 29

Look to see how common they are. Google/VT; put the full path into google. (If there's zero hits, or even a recommendation, it will have a hit)

Answer 30

packing. a "packed executable" is a piece of software with an unpacking program.

Answer 31

Code anomalies. Will present why it thinks the executable is weird, in the notes, and providing a rating. Compile data can be interesting....as is the CPU type. (32-bit code is unusual)

Answer 32

Syswow64, if they're standard windows processes

Answer 33

System32==

Answer 34

NTUSER and Software; executed when a user logs on

Answer 35

This key (in the Software hive) is used by Winlogon to execute explorer.exe and userinit.exe, at startup.

Answer 36

``` W-MI Event Consumers A-utostart locations A: GPO, MS-Office add-ins, BIOS. D-LL's (DLL hijacking) S-ervice creation/replacement S-ervice failure/recovery S-cheduled taskss ```

Answer 37

AEPs. Autostart Execution Points. Things that start with the O/S. Frequently abused.

Answer 38

%AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Answer 39

%AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup; shortcuts in here will link and execute to representative binaries

Answer 40

They replace unused services with malware, or modify an auto-start to include a new binary, or manipulate service recovery features (like dr. Watson)

Answer 41

They replace unused services with malware, or modify an auto-start to include a new binary, or manipulate service recovery features (like dr. Watson)

Answer 42

Putting a DLL with the same name in the directory of a core DLL, so it launches ahead of the existing DLL. Traditionally, search-order hijacking attacks utilize an executable file’s DLL search path to load spoofed DLLs through the known DLLs record.

Answer 43

Inserting a DLL into a place where it would normally exist, but doesn't. List of "known" DLLs for all the windows variants kept at KnownDLLs, and will include DLLS not found in that version. IE, for Windows 2016 R2 server, inserting a DLL that would normally be there but isn't turned on/used for that build; when windows sees that DLL exists at startup, it will launch it. Great example is replacing the FaxDLL (fxsst.dll) in the system32 folder.

Answer 44

Getting a new version of a legit-DLL loaded into the system. Part of the dynamic update features of Windows, just like a Web 2.0 AJAX style query. DLL side-loading, in contrast to search order hijacking, utilizes the WinSxSn assembly to load the malicious DLL from the SxS listing, which is located in the following registry key: %TEMP%\RarSFX%\%ALLUSERS PROFILE%\SXS\ or %TEMP%\RarSFX%\%ALLUSERS PROFILE%\WinSxS\

Answer 45

Easy means to collect and analyze services on a system. Similar to SC. Will also collect currently scheduled jobs.

Answer 46

both at.exe and schtasks.exe

Answer 47

1. Create an event filter, that "triggers" based on an event occuring (for example, run every 20 seconds) 2. Once triggered, an event *consumer* is added to the system with a script and/or executable to run (run this PS script to beacon to a backdoor) 3. Finally, tie the event and consumer together as a "binding" and enter it in the WMI repository

Answer 48

MOF file (managed object format)

Answer 49

Stuxnet A zero day (print spooler service) was exploited to deliver an EXE and an MOF file. The MOF file was auto-compiled by the system, creating a WMI event and consumer that immediately executed the malicious executable.

Answer 50

Powershell: Get-wmi-object

Answer 51

autorunsc.exe; goes through and analyzes, like sigcheck,. (doesn't do dll hijacking or service failure)

Answer 52

Something to be concerned about. IEX is the "Invoke Expression" cmdlet, which takes the argument of a script and executes it. Often used to download the malicious script, which then gets passed in to PS. Evades many A/V tools.

Answer 53

Something to be concerned about. IEX is the "Invoke Expression" cmdlet, the underlying .net command is "Net-Object.System.Net.WebClient) which takes the argument of a script and executes it. Often used to download the malicious script, which then gets passed in to PS. Evades many A/V tools.

Answer 54

A download cradle is a single line command for download and code execution. ... A download cradle can also be part of a persistence mechanism, tooling or execution at other attack stages when an attacker attempts to download capability or run fileless

Answer 55

WMI + WMIC

Answer 56

Non-interactively. (Network logons)

Answer 57

Doesn't do historical well; mostly live, in place. (The LR functionality is FE using Redline for the historical)

Answer 58

If you do, you're likely using something less secure. (PSEXEC) It's no more dangerous than RDP/RPC. Powershell remoting is MUCH more secure.

Answer 59

.NET framework objects, which mean the objects carry multiple aspects or properties of the command. (Cmdlets)

Answer 60

By encapsulating it in objects, which can be passed to other cmdlets for additional processing. One cmdlet might make an array of objects for computers, files, network objects, the next might groom out the files, next might perform actions on those files.

Answer 61

how Powershell abstracts collections of items into containers. For example, "Get-ChildItem HKLM:Software" would abstract all the registry keys in that hive to an object.

Answer 62

PSSession: ps for secure remoting

Answer 63

Invoke-Command (E I X) Sends commands without an interactive session being established.

Answer 64

It doesn't cache credentials; only vulnerability is to things like ticket attacks

Answer 65

invoke-command, then use a -scriptblock parameter, or -filpath to have it run from a local file. Doesn't need to set an array to loop through data.

Answer 66

The former uses the resources of the target to execute the commands, the latter relies on the processes/power of the invoker.

Answer 67

It caches the credentials so that it can pass them to a 3rd party/system that requires it; similar to SSO. Creds aren't cached otherwise, so Mimikatz/Incognito can't steal them.

Answer 68

Organized collection of scripts andl modules and scripts into a framework for IR purposes. Much of it PS, but can execute anything. Uses PS for remoting.

Answer 69

``` your account must have admin privs on the remote host windows remoting (WinRM) enabled. ```

Answer 70

./Modules folder

Answer 71

./Analysis All of the ways that it will crunch that data produced by the Modules in Kansa are listed in individual Analysis scripts. You can enable and disable ones you want it to run at the end of a pull, or run them ad-hoc.

Answer 72

If it's been around a long time, it's less likely to be used as C2 unless the adversary is just holding it for a long time. (Infoblox will block recently registered domains tho, so smart bad guys will hold them past that time)

Answer 73

It's the stackable feature of Kansa. If you see 30 hosts that have a specific run key, it will provide a "counter" for that occurrence across the environment. Frequency analysis scripts.

Answer 74

Put the binaries you want to run in the .\Modules\bin and when executing, push with -pushbin. Remove them after with -rmbin Must add the tool as a BINARY DEPENDENCY #BINDEP in the collector script. Even commented, it will run

Answer 75

Get-RekalPsList.ps1

Answer 76

Windows Management Instrumentation. Deeply invasive control of the underlying Windows architecture, meant for administrative tasks in a large environment

Answer 77

It exists for uses in every stage of the kill chain It's largely only in memory Windows native, minimal logging of actively evades whitelists scripts can be obfuscated when run through it encrypted runs over standard PScom/WinRM pipes

Answer 78

List user accounts, groups, netuse lists, list of fixes and patches installed, etc

Answer 79

Powershell has history and logging. WMI is often the underlying commands being run, and usually silently. There's no automatic logging for WMIC commands by default

Answer 80

Powershell Empire has multiple WMI tools for finding services running in the wrong directories or with elevated privs, that could be manipulated. Also looks for services that have a space and aren't quoted, where you could inject other services.

Answer 81

WMI Process Call Create: used by NotPetya and BadRabbit uses to execute code remotely

Answer 82

It's the valid app that calls DLLs; if you want to run a malicious DLL, you could invoke this manually to call another DLL, thus skipping some whitelist controls.

Answer 83

Creation of Event Consumer Backdoors. (Embedded in WMI database) is there an event/trigger condition (MOF file) that doesn't belong?

Answer 84

Use PowerShell or mofcomp.exe

Answer 85

Direct RCE for systems accessible via WMI Process Call Create. Also uses Remote shares accessible via NetEnum/Netadd to spread its payload

Answer 86

Enable Event logs (will fill up your logs QUICK) Sysmon has its OWN event log (better) Use PowerShell to discover suspicious events Commercial EDR tools (Carbon Block, Tanium, HX) (best)

Answer 87

Looking at: 1. event filters (Trigger) 2. EventConsumer (Script or executable to run) 3. FilterToConsumerBinding (binding, storage, persistence)

Answer 88

WMI explorer tool (wmie2) Mandiant WMI-Flare tool (Offline parsing) Mandiant PyWMIPersistenceFinder WMI forensics scripts

Answer 89

ActiveScriptEventConsumer - execute a predefined script CommandLineEventConsumer - Launch an arbitrary process (more common: launch a download cradle) Focus on consumers!

Answer 90

Think of it as text file representing the WMI definitions and instances. Used for rebuilding and recovering the WMI database. Found in WMI repository.

Answer 91

Can use it to create WMI objects from anywhere; doesn't NEED to reside in the WMI repo or even on the same computer. (-N to add remote machine names) Can use it to rebuild WMI from another machine with arbitrary events/consumers. In this scenario, the residue isn't even on disk, but in memory.

Answer 92

You can send a MOF file to the Print Spooler, which will compile it and import it into the WMI repo. (Was just a windows service, not an exploit) Anything you wrote in there was written in as an admin account to the backend.

Answer 93

mofcomp -N \\machinename\root\subscription test.mof have to delete the #PRAGMA from the first line of the file

Answer 94

No. Can write directly into it using .NET code (like PS)

Answer 95

HKLM registry, WBEM auto recover key

Answer 96

Consumer portion look for wmipvrse (especially on non-servers) Look for wmipvrse's parent process. (Should be svchost!) Look for wmipvrse spawning things like cmd/ps Active script portion Look for scrcons.exe RARELY SEEN!

Answer 97

``` Looking for WMIC call create /node: invoke-wmimethod or invoke-CimMethod (PS) wmiprvse with unusual parent wmipvrse with unusual children (like PS) scrcons.exe running PS with encoded commands ```

Answer 98

4624 (Logons) 4720 (Account Creation) 4776 (Local account authentication) 4672 (Privileged account usage)

Answer 99

Windows 8: Protected processes can only load signed code and can only be attached to other protected processes.

Answer 100

It's not on by default, and Mimikatz gets around it via a signed driver.

Answer 101

Update to restricted admin: protects any account (not just admin) during RDP sessions.

Answer 102

Credential protections, via KB2871997. (Backport to Windows 7)

Answer 103

It's hardware heavy; works with virtualized sandboxes. Has a lot of work to do for exceptions.

Answer 104

Kerberos and NTLM (for using local accounts, network logon w/SMB vs domain creds

Answer 105

an identity and an authenticator (secret)

Answer 106

cached creds for users (ie, Joe on computer a has logged in via NTLM on another box, and his creds are cached there) Helpdesk account (pushed to every box for local admin work) Administrator account (if it hasn't been randomized as part of build, with sysprep)

Answer 107

They're encrypted and salted, so have to be offline cracked, unless you're passing the hash. If you *do* crack them, you have the password, so you don't need to pass the hash.

Answer 108

Stored cached credential NTLM Hash Token Ticket

Answer 109

The threat actor has access to a box, find a LOGGED IN system user, accesses the stored credential in the form of the NTLM hash, and then accesses another machine that has that account cached; when it asks the first box for the cred, the hash is passed over. Requires a logged on user, another machine that has that same user cached, and access to the hash.

Answer 110

Starting at 8,1, any priv account is *not* allowed to do a network logon over NTLM, with the exception of the default administrator account. (Why you dont clone computers)

Answer 111

It must be for a user that is LOGGED ON, or the process is still running

Answer 112

Monitor admin accounts/boxes Stop remote interactive sessions w/Admin accounts Properly terminate RDP Windows 10 (cred guard, tspkg, domain protected users group)

Answer 113

...from LSASS to a hypervisor controlled isolated process.

Answer 114

SeImpersonate or Delegate. (or admin privileges necessary to add those permissions)

Answer 115

Delegate tokens Can be used w/PSExec to map remote admin shares

Answer 116

Impersonate tokens. (SeImpersonate)

Answer 117

Extract the token Reuse it to manage group membership or add users Escalate local privileges

Answer 118

Console logons, RDP, using "Run As" on the machine.

Answer 119

"restricted admin" prevents tokens from being available on the machine during remote admin sessions (which should be avoided, anyway) Remove delegation of high value accounts in AD Use group policy to set time values for sessions, after which it disconnects (to prevent improperly terminated RDP sessions

Answer 120

SECURITY\Cache reg key

Answer 121

caches the last 10 logon hashes. (25 for 2008+)

Answer 122

indefinitely, even after a reboot.

Answer 123

extract hashes off-line, to be cracked

Answer 124

Creates a standard admin, same RID, which can be used in credential theft/lateral movement very easily

Answer 125

Minimize amount of cached accounts | Use Protected Users group

Answer 126

0-1 (NSA) | <4 (DoD)

Answer 127

through Get-Lsasecret.ps1, can dump and decrypt the LSA secrets. These secrets, if they're privileged incorrectly, can let a service account be used to exploit escalation of privilege. (looking for overprivileged service accounts) Can be combined with ticket requests (kerberoasting); offline the ticket, crack it, and use it with the service account.

Answer 128

Nishang Powershell framework (pulling encrypted service account details from LSA) Kerberoasting to marry that account with a ticket for its use

Answer 129

dont employ services or schedule tasks requiring domain administrative trusts reduce number of services that require domain accounts Group managed services, through "Group Managed ServiceAccounts"

Answer 130

Stolen from memory | kerberos ticket w/o an expiration date, and has domain admin.

Answer 131

request tickets for service accounts: they send you the ticket for a service account, you roast it(crack it) and then reuse it

Answer 132

Expires when the krbtgt is rotated. Changing other credentials is meaningless

Answer 133

Server 2008R2 | Introduces frequent password changes and long passwords

Answer 134

If you dump a privileged ticket, you can export it from the system, dump it into Mimikatz (or other utilities) and then import it into another system, where it will be cached and available

Answer 135

ANY user can request a ticket from a DC for ANY service The ticket returned for the service has a non-salted hash for the account that runs the service. This password can be easily cracked offline

Answer 136

1. If an attacker loses access, ANY user-level access to a domain joined system will provide a mechanism to re-use the golden ticket to get priv access again using Pass the Ticket. 2. Works even if a full password reset is conducted for all enterprise accounts 3. Attack can be constructed with access to either the NTDS.dit or memory. (attacker must have Admin access on a DC to get this)

Answer 137

"Silver ticket"

Answer 138

they're excellent backdoors: auth occurs without requiring comms with the DC. Attacks a computer account password.

Answer 139

After gaining access to a DC, a tool like Mimikatz can "patch" LSASS to enable a backdoor password for any valid domain user. It's a SECONDARY password for the account; even if they change the primary, the secondary remains available.Easy and persistent backdoor for access.

Answer 140

Credential guard/Remote credential guard Long and complex passwords on service accounts Audit service accounts Regularly change the KRBTGT password (no more than yearly

Answer 141

Gains access to all the user and computer account hashes, which are encrypted. (though the encryption is easy to break) Easiest way to get to a users personal access/drives/phones/computers,

Answer 142

use Volume Shadow Copy service.

Answer 143

\Windows\NTDS ``` Can be ripped by: ntdsutil NTDSXtract ntdsdump VSSAdmin PS Metasploit ```

Answer 144

Often, using admin credentials are noisy: if you have the NTDS.dit, you can natively log in as a user and see what they see, have access to their browser, OneDrive, phone, etc. Less noisy.

Answer 145

The total number of times an application has been executed, the original path of the execution, and the last time of execution. (up to the last 8 times) telemetry for execution

Answer 146

It provides an extra bonus 9th "evidence of execution" for the application in question.

Answer 147

_.pf ON WORKSTATIONS, in Stored in \Windows\Prefetch (not a server service) Up to 128 files on

Answer 148

Meant to give a process an extra bit of juice when it executes, next time will launch quicker/more efficiently. (On old hard drives, it would co-locate executables in close digital space so the hard drive didn't have to scan to it)

Answer 149

IN windows 7, they started disabling prefetch for SSDs, but realized it was still providing efficiencies.

Answer 150

the prefetch file for sdelete has the target of what was deleted. Doesn't include registry keys, but file/filehandles.

Answer 151

If there's a huge recent amount of "living off the land" type tools, like netstat/net-use from command line, that might indicate that someone is in your space.

Answer 152

the .pf file.

Answer 153

Overwritten with the most recent runs of the file, or erased if the application hasn't been used in a long time. (After which it gets re-created for a new run, with a new timestamp)

Answer 154

that an application ATTEMPTED to execute, not that it did so successfully.

Answer 155

It changes the hash value, because it's been executed from a new location. (useful info!)

Answer 156

Pulls information on a directory or a single application for prefetch, including volume information, files and directories referenced, and all execution time info.

Answer 157

-f is for a single application, -d is a directory of applications

Answer 158

the directory path that the executable is in, and the command line options of the programs

Answer 159

it will launch a 32 bit version of the calc app. A 32 bit process can't have a 64 bit child process.

Answer 160

Because bad guys write a lot of malware in 32 bit, and a lot of child processes are launched in 32 bit as well, which is unusual for system activity

Answer 161

Trigger Action Host it runs on

Answer 162

Sdelete has a -z option, to zero-ize unallocated spac.e

Answer 163

Volume shadow copy (provided they didn't turn VS off/on again or memory (volatility can pull prefetch) pecmd can use a -vss option to also look in volume shadow copy at run

Answer 164

Designed to detect program compatability challenges. (Apps should be able to run in any version of Windows, but that's hard)

Answer 165

All the application files, AS they're run, that have been checked for compatibility/shimmed

Answer 166

the last modification time of the executable the full path of the exe (not when it was shimmed, when it was executed) Also, when explorer browses the folder with the executable, and it's shown in the gui (weird) You hav etc see it with your eyeballs

Answer 167

a *new* version of psexsvc is pushed to that machine. The NEW version gets shimmed every single time, even though it's overwriting the same file. (good to know)

Answer 168

an entry in the shimcache, because it's shimmed again

Answer 169

On shutdown. Prior to that, shimcache entries exist only in memoruy

Answer 170

a Flag in the registry flag that means that confirms the application was executed; if the flag is empty, it likely wasn't.

Answer 171

the temporal order. What executables ran in what order, starting most recently to most distant, historically.

Answer 172

Programs installed, programs executed

Answer 173

amcache.hve (registry) at C:\Windows\appcompat\programs\amcache.hve and Within that hive, a Root\File\{Volume GUID} which tells you where the executable was run from, volume wise.

Answer 174

Each key represents a numerical value, which each represents another executable. Key # is a combo of the MFT entry and a sequence number. (written in hex) Parsers can break that out.

Answer 175

a SHA-1 hash for it.

Answer 176

indicates client is receiving a remote WMI command

Answer 177

Shellbags (using shellbags explorer) and opening the userclass.dat file (found in the user's home directory) E\C\users\\AppData\Local\Microsoft\Windows\userclasss.dat

Answer 178

%systemroot%\System32\config (older) | %systemroot%\System32\winevt/logs (modern)

Answer 179

The System Event log

Answer 180

Forwarded events log

Answer 181

150+ Application, Security, System are only 3.

Answer 182

Defender Firewall Task Scheduler

Answer 183

Only system (LSASS); third party apps don't log to this log facility

Answer 184

``` Auth attenmpts User behavior/actions File/folder/share Security Settings modifications LSASS process Processes (manually?) ```

Answer 185

Logon event: user logon (where the logons are tracked at): You going through TSA and showing ticket/ID Account logon event: Authentication event (board the plane) Security checkpoints! (Where did you authenticate)

Answer 186

an account logon event, or "authentication event"

Answer 187

4624 and 4625, successful vs. failed logon

Answer 188

4648 (logon using explicit creds)

Answer 189

4672 (VIP in the room!)

Answer 190

You'll need the pairing of a Successful logon (4624) and 4672 (superuser/priv account logon)

Answer 191

They aren't reliably recorded (as 4634, logoffs) so look for 4647.

Answer 192

malicious activity is used to access a system. Backdoor, exploited service, or similar.

Answer 193

HOW the user logs into the system (IE, 7 is RDP, VNC/Console is 2, cached ares to logon is 11, etc)

Answer 194

3; network logon

Answer 195

MSFT tries to reduce the traffic to the DC and sometimes defaults to cached creds, even when the DC is online.

Answer 196

Use the Logon ID value; creates "parenthesis" on the front and back end of a session

Answer 197

interactive

Answer 198

$: Account is used when communicating with AD and accessing network resources

Answer 199

Assigned to processes or services that need network access

Answer 200

Enumerate the privileges coming with you.

Answer 201

Not just a member of an admin group, but the additional privileges assignment (as part of event id 4672) that indicates that after the logon, special creds were assigned that COULD BE IMPERSONATED IN TOKEN ATTACKS

Answer 202

4672, where things like SeTakeOwnership, SeDebug, and SeImpersonate are admin-equivalent.

Answer 203

they indicate account creation happened, which can be an easy true positive.

Answer 204

In auxiliary logs Remote Desktop-Services-RDPCoreTSZ and TerminalServices-RdpClint

Answer 205

The RDP client/server connection will document the source IP, so if you don't want it to show your actual IP, you have to chain RDP; jump from host to host.

Answer 206

Windows-TerminalServices-RDPClient\Operational one of the only places that you get discrete source logging (where did the RDP session connect to)

Answer 207

When a user is logged on locally, NTLM style, ro a workstation or group

Answer 208

The third party authorization of creds provided during that logon session. (Authentication vs logon) Checks for user credential against the DC would be an account logon type.

Answer 209

4776: Root account authenticated from workstation (account logon) 4624 Successful account logon In that logon, the type of logon is network

Answer 210

4788/4799, groups were enumerated

Answer 211

Look for the enumeration of group membership (not turned on by default)

Answer 212

Tolerant of log corruption filtering free

Answer 213

Network share event logs | 5140/5145. Have to be turned on!

Answer 214

they are often recorded on the originating system, versus the target system. (A logon attempt was made using explicit creds....or, RunAs) Occasionally recorded on both, such as when RDP connections use different crds..

Answer 215

Task Scheduler, Security, and Tasks folder (Windows\System32\Tasks Locally, remotely and in the "tasks" folder, where the registration/creation of tasks is put.

Answer 216

sc.exe /remote system name, etc | service control

Answer 217

new service installed (4697) goes in the security log

Answer 218

Mimikatz and Dandersprintz, post eternalblue

Answer 219

Event log forwarding Logging "heartbeats" log gap analysis

Answer 220

They still exist in memory Gaps in the records You need admin rights

Answer 221

Map network share (net use) | RDP

Answer 222

Jumplists (AppData\Roaming\MSFT\Windows\Recent\Automatic\Destinations) --> mstc-appid shows all the Remote Desktop times/destinations Prefetch files (on disk, not memory) Bitmap cache (RDP puzzles!) cache##.bmc, cache###.bin in user directory, terminal server client/cache

Answer 223

Event logs, Registry, and file system Looking for mstc.exe (MSFT terminal server client) execution

Answer 224

Default.rdp

Answer 225

Regripper "rdphint" RDP key found in NTUSER\Software\MSFT\Terminal Server Client\Servers

Answer 226

4624, Logon Type 10 Will also produce a 4778/4779 event, with the ip source, system name, logon user name

Answer 227

rdpclip. exe | tstheme. exe

Answer 228

any interactive login is conducted

Answer 229

net. exe net1. exe Can be found in event logs (Security, smbclient) registry (mount points, shell bags, shimcche, bam/dam, amcache) FileSystem (prefetch, user profile artifacts)

Answer 230

NTuser\Software\MSFT\Windows\CurrentVersion\Explorer\ MountPoints2

Answer 231

Because you need the privilege to be able to connect to an admin share, thus, 4672, privileged user breakdown

Answer 232

``` PsExec Windows Remote management tools PowerShell/WMIC Exploiting a vuln Application deployment software ```

Answer 233

Windows admin shares

Answer 234

The Sysinternals\PsExec\EulaAccepted key (NTUser.dat)

Answer 235

Any increase in the amount of Eula's accepted, which should always remain relatively static. (Same amount of users)

Answer 236

Being on the receiving end (destination) of a psexec connection.

Answer 237

wmiprvse.exe scrcons. exe mofcomp. exe

Answer 238

System32\wbem\repository

Answer 239

wsmprovhost.exe

Answer 240

PS 5 and beyond

Answer 241

GPO, SCCM, Cloud control panels.

Answer 242

A running diatribe of processes that were executed, and who the parent process was - includes full command line processes (both cmd and Powershell.exe)

Answer 243

HUGE amount of data, same as what's in prefetch

Answer 244

Windows event logs: adds process information section

Answer 245

turn on process tracking, with CLI auditing. Will include the full script that was executed

Answer 246

Have the malicious script call script blocks, and have the necessary evil in a file in temp or wherever

Answer 247

Powershell script block logging, Powershell remoting logging

Answer 248

downgrade Powershell to pre-PS5, where it was introduced. Downgrade attacks are very popular!

Answer 249

WinRM connections, which is the primary protocol for Powershell Remoting

Answer 250

the transcript log. Records to the users documents folder by default. Only records input/output to the PS terminal

Answer 251

Invoke-Obfuscation tool and Revoke-Obfuscation tool

Answer 252

PS saves it's history in PSReadline ConsoleHost_history.txt Stored at %AppData%\Roaming\MSFT\Windows\PowerShell\PSReadline Records last 4096 commands typed in PS console

Answer 253

Set it to disabled in PS, or just remove the PsReadline Module Do it by Set-PSReadlineOption -HistorySaveStyleSavenothing Remove-Module-Name PsReadine

Answer 254

WMI-Activity log; look for EID 5861, new permanent customers. You must be able to "whitelist" typical WMI activity in the environment

Answer 255

It doesn't track processes or command lines, without that being turned on, and then it is tracked in security logs

Answer 256

Anti-Malware Scanning Engine; something that antivirus vendors can hook into for visibility. Windows 10+

Answer 257

Zimmerman's event log extraction tool evt log explorer (command line version) evtwalk/evtxtract carving tool with Powershell, grab it remotely or locally: Get-WinEvent

Answer 258

Sysmon! Easy configuration, filtering requires a LOT of tuning.

Answer 259

Can be used to create a WMI event for persistence (Creates WMI filters)

Answer 260

Ultimate Windows Security EventID a good second option.

Answer 261

Invoke-Obfuscation and Revoke-Obfuscation

Answer 262

The "magic" option, which will try to do a first few passes on scripts to see what they're supposed to be used for/attempting to accomplish.

Answer 263

The transcript logs are trivial to manipulate on a box (unencrypted in the users documents folder) Powershell remoting limits the sharing of the logs over the network due to problems w/network authentication "double hopping" Best to have it set as an automated forwarding (UF, filebeat, etc)

Answer 264

PSReadline Console Host history. Stored in each user's profile No process tracking or script output

Answer 265

Look for New WMI Event Consumer Creation

Answer 266

Look for evil DLL extending WMI capabilities | Look for uncommon words, software terms (Eval, activexobject, .vbs or .ps1 scripts, etc)

Answer 267

Exporting tools will often partially corrupt log files | stored in binary form, so they need to be converted

Answer 268

Creates a new log output dir, Windows-Sysmon/Operational

Answer 269

F-Response

Answer 270

Triage program: Collects files, and processes the files across its program set. Fasty, flexible, collects locked system files/shadow copies.

Answer 271

the list of files for it to collect

Answer 272

``` CLI artifacts Network Activity Process tracking/tracing DLL injection Rootkit insertion ```

Answer 273

Because much of the modern attack ecology is memory resident

Answer 274

You can hide executables on disk, obfuscated, but you can't hide them from the processor. They have to be uncloaked to

Answer 275

Dump all the executables, drivers, dll's from memory analysis, and run antivirus/clamav at it. Cant hide the raw in memory!

Answer 276

Memory samples; stuff injected into processes, or obfuscated, will be easier to find in memory. (Harder on live host)

Answer 277

It's tied to specific profiles and variations of operating systems.

Answer 278

``` F-response (and SIFT) Winpmem (Velociraptor) Dumpit (CLI from USB) Belkasoft Magnetforensics ```

Answer 279

Hibernate file (hiberfi.sys) Swapfile.sys Pagefile.sys Windows Memory Dump (%WINDIR%\Memory.dmp)

Answer 280

On VMWare, you can just grab the .vmem file On Hyper-V, you have to attach a process (like Winpmem or F-response) and pull memory like you would any other running system

Answer 281

A fully compressed copy of memory (RAM) at the moment of hibernation. Some tools can uncompress it. (Volatility) Some can just process it natively.

Answer 282

Hibernating isn't a normal thing: only occurs from loss of power/power about to drain out of device or for shutdown/fastboot. When installing new files/programs (recovery functions)

Answer 283

Every new major update changes it's memory profile, for tools, making them less effective. Things like artifact formats (prefetch, shim cache) change! Also, hibernation file formats and use changes. (It's not used as frequently any more)

Answer 284

Windows 10 feature. It protects the kernel and user mode components, which often block the insertion of the driver necessary to do the memory acquisition

Answer 285

Data is zeroed after return from hibernation Hibernate files only keep smaller (and less interesting) files for Hibernate, HybridSleep. (40% of total memory space) BUT they're kept more often! Stored in case of power loss. Fast Startup mode only holds for reboots, about 20% of memory.

Answer 286

Trick question! Nowhere. It's not backed up in VSS.

Answer 287

Kernel Processor Control Region (KPCR) Kernel Debugger Data Block (KDBG) Directory Table Base (DTB)

Answer 288

Things like image location, with a file path, or a specific O/S profile (Win10, update 6, etc)

Answer 289

Volatility plugin -imageinfo

Answer 290

telling it what O/S and build number/service pack the memory sample is from

Answer 291

kdbgscan plugin

Answer 292

Pslists, pecan, filescan, and hiveliest don't return sane results or gibberish

Answer 293

imagecopy plugin

Answer 294

EPROCESS blocks, which show the file links (forward and backward) to parent and child processes

Answer 295

Name - Spelled correctly, legit process Path - Running from correct dir Parent process - what you'd expect command line - arguments and switches make sense Start time: was it started at boot, near attack? SID - do the SIDs make sense? Are system/user account SIDs launching correct processes?

Answer 296

malprocfind - automatically identify suspicious system processes processbl - compare processes and loaded DLLs with a baseline (a known good image for comparison)

Answer 297

processbl ; run against a baseline image

Answer 298

Use the psscan plugin | Rootkit detection may have crashed or not cleanly exited

Answer 299

Use PStree: see commands being sent by the parent web process.

Answer 300

It only looks at common system processes: items like cars, wnnlogon, services, lass, etc.

Answer 301

processbl servicebl driverbl Can be run to tell you what the "diff" between the image is, or, what matches. (The latter can be useful for showing the same driver, but with different paths, etc)

Answer 302

Windows Process Objects

Answer 303

Pointers to a resource Directories and Registry keys access by a process Mutex/Semaphores (access to objects) Events

Answer 304

memory sections of a process object (volatility)

Answer 305

handles (Prints the list of open handles)

Answer 306

in volatility, use dullest to display the loaded dlls and command lines

Answer 307

use dlllist to identify a specific DLL (and its base offset) and then use dlldump to extract it.

Answer 308

Give us the running user of the process, and the relative authority given to the overall process. use getsids plugin to see token info, which shows you the account Sid AND the group info

Answer 309

S-1-5-32-544

Answer 310

S-1-5-32-545 Guests: S-1-5-32-546

Answer 311

Nouns. Files, Objects, Keys, etc.

Answer 312

there's hundreds or thousands per process -t (gripping the file) can limit it to File or Registry Keys for quick wins

Answer 313

Type of process structure: it's a governor. Processes will use it often as a flag so that if you run a second copy of the process, it won't launch. (Wont need to instantiate another version of it) Malware uses it to prevent multiple infections/dos'ing yourself. Make great IoC!

Answer 314

use a mutex flag Carbon Black and Falcon, etc will look for these. When intel produces it as an IoC for malware, can load it as a yara signature

Answer 315

Make a yara signature and sweep for that flag, as it's usually a solid IoC that the malware was installed on the host

Answer 316

Scan for service records, with associated info on processes and drivers. Can look for windows services that are used as a persistence mechanism: Auto starts, etc. Can also find services that malware stopped. (Like antivirus services being stopped) the verbose option will identify the DLLs used by services.

Answer 317

Things that aren't web browsers that are connecting on 80,443,8080 Eliminate product updates. Focus especially on anything RDP or DNS to unusual names

Answer 318

Using network sockets for a process that are opened. use iexplore/edge opening sockets to a weird port

Answer 319

Look for 4444 or 5555, or straights (4567) because those tend to mean something/suspicious

Answer 320

workstations don't fully establish RPC connections to communicate natively in AD environments!

Answer 321

Evidence of port redirection. (Netcat shoveling, etc)

Answer 322

both active and terminated connections - pay attention to the process.

Answer 323

Something, on the system, that is causing the code injection. (Aircraft carrier during pearl harbor analogy; for planes to get there, they had to have been carried somewhere. Must be an aircraft carrier somewhere) spearfish code; initial access.

Answer 324

``` Camoflagues code Access memory/permissions of target system Process migration Evade A/V and Allowlisting Facilitates complex attacks (Rootkit) ```

Answer 325

Simple code injection: easy for A/V, EDR; hard for manual Complex code injection: harder for A/V/EDR find, much easier to find manually

Answer 326

Simple code injection: Writing into existing DLLs or code Reflective DLL injection: Loading code independent of host processes. (For example, meterpreter uses it's own loader) Powershell can do this, too. Process hollowing: starts a suspended service, carves out a section for new code, and then starts service. Much of the code (like DLLs, handles, etc are from original process, making it harder to see)

Answer 327

Process Hollowing

Answer 328

Simple Code injection (DLL injection) They create space in the DLL, on disk, and write in new code.

Answer 329

When it gets loaded from the volume it lives on into memory, and is checked.

Answer 330

Its easy to see DLLs that aren't loaded from file, or loaded from a standard location. DLLs loaded in unusually way are glaring beacons of weirdness. For example, DLLs loaded down from memory dont have a source file on disk!

Answer 331

ldrmodules | Malfind

Answer 332

Detect unlinked DLLs and non-memory mapped files Checks the "DLL manifest" of the PEB (Process Execution Block) and finds DLLs that were removed from the manifest, or unlinked. Look for DLLs with no "MappedPath" info

Answer 333

Finds hidden and injected code, and will dump affected memory sections

Answer 334

That it was not loaded using the Windows API, or loaded in some unusual way. (Often indicative of a DLL injection attack)

Answer 335

They will flag as "false" for InInit, because they're executable.

Answer 336

Process injection Can find duplicate examples of dlls that should only have 1 version of it, which is glaring In memory, the lack of a mapped path from where the DLL was loaded combined with it not being on the PEB (manifest) is a red alarm light

Answer 337

the memory section it's present in. (Will be mapped to the Process Execution Block, PEB, for legit DLLs)

Answer 338

When you can get arbitrary code execution (injection into a process) without using the Windows LoadLibrary code. Manage to get code into a process/DLL w/out using Windows process. Metasploit, Cobalt Strike, Pulsar, etc

Answer 339

Manual memory analysis! Because most security tools are looking at manipulation of the Windows loader API, these techniques when successful are harder to see, but glaring in manual memory review. (malfind)

Answer 340

Memory, every process, and looking in "mapped Path, page execution read/write" which is a section that and looks for anything that's marked as being executable Then, looks for a section on disk mapped to that executable.

Answer 341

reflective types of code injection techniques

Answer 342

The VAD tree MappedPath section that Malfind looks at

Answer 343

Malfind: --dump-dir=

Answer 344

the "MZ" Header is usually indicative of code. MZ is indeed the characteristic signature of a .exe file: The DOS MZ executable format is the executable file format used for .EXE files in DOS. The file can be identified by the ASCII string "MZ" (hexadecimal: 4D 5A) at the beginning of the file (the "magic number"). "MZ" are the initials of Mark Zbikowski, one of leading developers of MS-DOS.

Answer 345

Malfind only shows a preview of the first 64 bytes; can start with nonsense, then have a jump/redirect later to the code. By manipulating the file with memory reads, so that the first two bits aren't the standard MZ header, but that it jumps to it under conditions. Advanced stuff.

Answer 346

Take a piece of bread PB on bread Jelly on PB Take a piece of bread and put it on the jelly Code in assembly often has the same instruction as the one below, can see a discernible sequence.

Answer 347

USe --dump-dir options that outputs the entire contents, vs. just the 64 byte header. Can also just scan the files, or set up yara scans.

Answer 348

Hollowfind and threadmap

Answer 349

modscan: finds modules via pool tag scanning apihooks: Finds DLL function hooks psxview: finds hidden processes via cross-view tech ssd: displays system service descriptor table entries

Answer 350

Has to be signed code, so it can get into ring 0 process

Answer 351

ssdt module of volatility

Answer 352

grep out entries with ntoskrnl and wn32k, which are normal mods.

Answer 353

Hide Rootkits by removing them from the EPROCESS double linked list. (Forward link, backward link)

Answer 354

psxview; checks the splits and psscan output against what's running a thread.

Answer 355

modscan/modules plugin of volatility

Answer 356

driverbl plugin to volatility; like servicbl, lets you compare it against a known good baseline image

Answer 357

the Windows API, which can be "hooked" Find these hooks with the apihooks module of volatility

Answer 358

unlinking and identifying api hooking

Answer 359

``` dlldump moddump procdump memdump cmdscan dumpfiles filescan ```

Answer 360

memdump, or vaddump. (Will dump memory sections owned by a process to a file or group of files)

Answer 361

can do strings/unicode extraction; can pull useful commands out of the sample (using grep on the extracted filename)

Answer 362

Use cmdscan and consoles plugins, and run strings/greps against that output. (Better resideue of command_history and console_information)

Answer 363

Recall and GRR/Velociraptor (Free EDR tools)

Answer 364

bstrings - handles regex, too

Answer 365

FileSystem data Windows Artifact Data Registry keys

Answer 366

An event, malicious or otherwise, in which you can see a group of threat actor activity just by "temporal" analysis

Answer 367

Fls or MFTEcmd

Answer 368

Plaso (log2timeline) Contains filesystem artifacts, artifact timestamps, registry timestamps, and works on all O/S variants

Answer 369

m - Data content change time (modified) a - Data last access time (accessed) c - metadata change time (MFT changed) b - metadata creation time (Created)

Answer 370

The specific timestamp that was modified: Modified Accessed Changed Birthed (created)

Answer 371

a master timeline with relevant data from all the individual images

Answer 372

1. Allocated files (Normal files) 2. Deleted files (Files deleted normally, but still have structures; file path name, permissions, timestamps) 3. Unallocated inodes (Orphan files, with no structure.

Answer 373

Mactime tool (perl script)

Answer 374

Manually set the Standard Information attributes Copy the file to another folder Manually set the Standard Information attributes (some will change during the move)

Answer 375

Manually setting timestamps (using file copy operations) to change the times, cover up when it was actually done

Answer 376

The log2timeline binary, which extracts timelines pinfolds: displays storage metadata sort - sorts and processes output

Answer 377

Uses Log2Timeline, but pulls relevant forensic data from ALL the places ``` LNK Jumplists All Browsers webhistory Registry )shellbags, mountpoints. services, autoruns; terminal server. task scheduler, etc etc) Prefetch Shimcache Winfirewall and many more ```

Answer 378

everything. Cache, cookies, history, etc, from all browsers

Answer 379

mactime parser

Answer 380

``` Mount point Image Kape output directory partition etc ```

Answer 381

When it detects, it will ask if it wants to extract them in the timeline. Have to be careful, it slows down analysis a lot.

Answer 382

Can use a filter file, or just use specific parsers (just MFT, or just specific registry key, or trigger if it finds certain things)

Answer 383

Use pipe for OR, also the .+ will recurse something in the directory. Lets you set wildcards and conditions for directories. EX: /(Users|Docs and Settings)/.+/NTUSER{.}.DAT

Answer 384

Uses 99% of the standard use cases for extractions. Conditions found in cape. Looks for see idic things in memory, registry, LNK, Jump lists, prefetch, specific Event Logs, MFT entries, ec.

Answer 385

in the --parsers command line switch, do a - log timeline.py --parsers parsers "win7, -winevt"

Answer 386

pinfo.py and psort.py

Answer 387

Takes a plaso dump and tells you what's in it, and how big it is. Shows you what parsers have been run and what's inside each file, how many events

Answer 388

Shortcut files.

Answer 389

Sorted the data output from Plaso. Can use it to "date bound" the results. Can also change the output type. (CSV vs. xlsx. Can also sort it into a specific timezone, ie EST/PST

Answer 390

Mount the remote system drive Extract with log2timeline.py (with parsers we care about) Filter the timeline w/psort to the range of time you're interested in.

Answer 391

Mount the remote disk w/f-response create timeline w/ standard windows filters, with log2timeline gather the filesystem data, with MFTECmd.exe and create a body file parse the body file with the maytime parsers (log2timeline) sort the data for the date range you're interested in

Answer 392

``` Red for evidence of execution Gray for event logs of interest Yellow: web history Blue: USB usage Black for deleted items Light green: file opening dark green: folder opening ```

Answer 393

Modified, accessed, (MFT record) changed, birthed.

Answer 394

``` Timestomping File Deletion (Delete) FreeSpace Wiping Data Encryption (.rar) Fileless malware ```

Answer 395

Registry anti-forensics techniques

Answer 396

SSDs and Disks will cleanup via optimization or drive "trimming" which wipes out unallocated storage areas, which zeroize deleted files. Around weekly, or less depending on how long it's been. Expect 72 hrs.

Answer 397

outside of 72 hrs, residue will likely exist in the volume shadow if at all

Answer 398

Registry key, as a download cradle type abbreviated script

Answer 399

It's a database. It acts like a mini-file system; when the key is deleted, it will exist as unallocated space forever. It leaves permanent forensic residue, indefinitely. Anything that is a filesystem works this way, without defragging/disk cleanup.

Answer 400

When it's COMPACTED. Compaction removes deleted files, which would cover forensic residue, but create it's own record of being compacted.

Answer 401

Ineffectual. They will clean out your files, but not delete them forensically; in fact they point out specifically what was deleted

Answer 402

Use registry explorer (or regcmd, the Zimmerman tool) and search for anything that has Base64 in values above a specific length, like 400 characters; scripts are unusually large for a key.

Answer 403

Use the --vss option; looks at all 3 versions, dedups, and catalogs them.

Answer 404

the Volume Shadow copies. Usually have overlap with each other.

Answer 405

about 3-5% of the hard drive.

Answer 406

For servers, daily For workstations, 3-6 that cover about a week; triggered on installation of software, reboots, events

Answer 407

Convert to VHD for analysis use iSCSI and mount it to SIFT vshadowinfo, vshadowmount

Answer 408

SIFT; it does a better job of ignoring permissions, seeing everything. (Windows APIs respect windows permissions)

Answer 409

ewfmount to see the mount points/ vshadowmount to mount them

Answer 410

Attach the remote system drie vshadowmount /dev/sdc2 /mnt/vss Make a for loop, mount every individual VSS "drive" to a Linux file point

Answer 411

The O/S hides them. (Truly hidden) if you mount a disk imagine on Linux, it will ignore those MSFT rules and expose them.

Answer 412

You have to look at it on a non-windows (Linux) machine, mount the drive for analysis, and it's there, BUT NOT EXPOSED BY LS command?!

Answer 413

A backup copy of the MFT. Only contains the first 4 records.

Answer 414

Transactional logging file

Answer 415

Contains the volume name, NTFS version number, and a "dirty flag"

Answer 416

Contains the attribute definitons

Answer 417

Tracks allocations (in-use versus free) of each cluster in the volume

Answer 418

Something that tracks bad/defective clusters so NTFS won't use them

Answer 419

Tracks all the security information for files on the volume (Security manifest)

Answer 420

A directory containing $UsnJrnl, ObjId, $Quota, $Reparse

Answer 421

Metadata catalog; think of it as a Dewey Decimal Card Catalog. (where is book stored, when was it last checked out, etc) contains data that describes files. Pointers to data layer for files, MACB times, permissions. Everything has a numeric address.

Answer 422

Shows where stuff lives on the disk; what cluster. It's an index number. If the drive is fragmented, what fragment does the data/file live on. What's the starting number for the volume, what's the end number.

Answer 423

1024 bytes. Databases.

Answer 424

For NTFS volumes, those records get a bit flipped that it's "allocated space" and now is "unallocated space" Those entries remain until they're overwritten by new entries.

Answer 425

Files are recorded in the MFT by inode in alphabetical order, typically. Items that were added to directories like System32 (core Windows files) will show up as far outliers. (Or be grouped with the non-native programs)

Answer 426

Sequentially. Since the MFT records them contiguously into the catalog, it can be used to find values that are close to each other, representing related files or malware in two separate places.

Answer 427

creates a hash dump of a files contents, so you can view magic numbers and such "When you’re trying to make sense of a binary file format, a good hex viewer or hex editor is an invaluable tool. As shown in “Ultima 1 Reverse Engineering: Decoding Savegame Files“, a typical workflow involves viewing a hex dump of the binary data, making some small change, taking a second hex dump, and comparing the differences. If you’re lucky, you might even be able to observe patterns in the data directly."

Answer 428

the "FILE" signature: 46 49 4c 45, where the entry starts. (can see FILE0 in the readout) Can see the sequence number, node entry number.

Answer 429

$STANDARD_INFORMATION $FILE_NAME (long and/or short) $DATA

Answer 430

What type of file it is MACB times ARCANE RULES OF NTFS timestamps

Answer 431

Unicode name of the file, what folder is it found in.

Answer 432

1. Using MFTcmd and running the timestamp anomaly engine. Will find lack of sub second precision, differences in timestamps. 2. Can run a scatterplot of times things were created, inode creation time.

Answer 433

It should show you a sequence of all the binaries/dll installed at the same time (install!) and then the outliers.

Answer 434

the Data run: starting location, and length, of a data section on a cluster. Is Resident will tell you whether the data lives in a space on cluster, or (isResident) is stored on the MFT itself.

Answer 435

It's a flag marked in the MT, in the MFT, as an evidence of download. It's marked as data that was downloaded from the internet.

Answer 436

itstat Shows the SID of the file, nanosecond-accuracy MACB metadata inode number, etc.

Answer 437

Does wipe as much as you think: it overwrites the content of the file, and scramble the MFT entry. It does NOT, however, get the second language of the MFT info, which is the directory. (just the file, which shows as zzzzzzzz in the metadata, but the directory folder has the file name/MACB timestamp)

Answer 438

i30 Directory folder; shows the file data and the deleted file information. FTK imager shows this! The slack space of a directory file will contain the file name and file metadata. File system metadata is another place to look.

Answer 439

....the file name and file metadata for files in it.

Answer 440

Stored in an index called $I30

Answer 441

$I30 INDEX_ROOT: directly in the MFT INDEX_ALLOCATION: Stored as separate index chunks for large directory listings, like System32

Answer 442

It's all stored as per-record list of files, with the MACB time stamp.

Answer 443

WISP windows Slack Parser Directory file extraction timeline, with MACB values of the files.

Answer 444

the Journal; can be used to identify the prior state of files. Like VSS, it's a time machine.

Answer 445

USN System journal; can be combined with the MFT and $Logfile transactions to find files and what happened when

Answer 446

changes to the volume. $Max - pointers that tell the system where to start reading the disk $J - enteries for each file that has changed since log was started

Answer 447

MFTECmd (Zimemrman tool) ANJP (Advanced NTFS Journal Parser) jp (Journal parser)

Answer 448

ANJP (Advanced NTFS Journal Parser)

Answer 449

It automatically flags things like open outlook attachments, Skype downloads, disk wiper artifacts, etc. (The email attachment is hard to see anywhere else)

Answer 450

Volume Shadow or disk, MFTs, using ANJP to see the access to the file/action.

Answer 451

$Bitmap is scanned for a cluster to write to $MFT record created $Bitmap updated to show where clusters are allocated. $I30 of parent directory is updated. $USNJrnl updated $logfile updated with this transaction.

Answer 452

Data clusters marked as unallocated in $Bitmap, but data is intact until the cluster is reused - Slack space - MFT record flags, $LogFile/UsnJrnl still have a record - $FILE_NAME attribute is preserved until overwritten - $I30 index entry