Windows Forensics Flashcards
What is a .lnk file?
- a data object that contains information that can be used to access another data object
- shortcuts
- metadata files specifically interpreted by the Windows shell
- 0x4C (4C 00 00 00) at offset 0 within the file
What is an important note about .lnk files?
- the absolute path to the file is NOT stored in the .lnk file
Where are the most common locations to find .lnk files?
- My Recent Documents
- %USERPROFILE%\Recent
- %USERPROFILE%\Application Data\Microsoft\Office\Recent
.lnk timestamps?
- when the file is opened, the MAC timestamps of the target file are read and stored within the associated link file
- FILETIME format using 8 bytes
Tools for .lnk forensics?
- Exiftool
- Windows LNK Parsing Utility
- LECmd.exe (Eric Zimmerman)
- WinHex
Thumbnails
- when the user uses the Thumbnails or Filmstrip views in a Windows folder, a small thumbnail version of each file is created
- stored in thumbcache.db
- %USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer
Volume ShadowCopy Service
- VSS
- a set of COM APIs that implements a framework to allow volume backups to be performed while applications on a system continue to write to the volumes
- Windows service that provides snapshots for a specific point back in time
- aka restore points
Prefetch Files
- Windows cache manager (memory management system)
- tracks the first 2 minutes of the boot process and the first 10 seconds of every other application's startup
- these results are written to prefetch files
- next time a system boots or a “prefetched” application executes, the cache manager can use these prefetch files like a “cheat sheet” to speed up the loading process
Prefetch Content for Executables
- executable’s name
- absolute path to the executable
- no. of times the program ran w/in the system
- last time the application ran
- list of DLLs used by the program
Location of Prefetch Files
- %SystemRoot%\Prefetch\
- .pf extension
Prefetch Registry Keys
- settings related to prefetch files are written in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
ShimCache
- aka Application Compatibility Cache
- allows Windows to track executable files and scripts that may require special compatibility settings to properly run
- it is maintained within kernel memory
- alternative to Prefetch if disabled
- can track more items than prefetch
- amcache.hve
- %SYSTEMROOT%\AppCompat\Programs
Windows Registry
- special type of file system
- stores low-level system settings, application settings, and user preferences
- two categories:
- system registry files
- user registry files
Registry Structure
- Hives: contain keys (directories) and values
- Keys: directories
- Subkeys: no difference between key and subkey
- Values: store data (e.g. settings)
Registry Root Keys
- HKEY_CLASSES_ROOT
- HKEY_CURRENT_USER
- HKEY_LOCAL_MACHINE
- HKEY_USERS
- HKEY_CURRENT_CONFIG
Common Hive Locations
- BCD
- SYSTEM
- SAM
- SECURITY
HKLM
- HKEY_LOCAL_MACHINE
- contains system-wide configuration subkeys, as listed below:
- BCD
- HARDWARE
- SAM
- SECURITY
- SOFTWARE
- SYSTEM
BCD
- Boot configuration data replacing boot.ini
HARDWARE
- maintains description of the system’s hardware and all hardware device-to-driver mappings
SAM
- holds local account and group information
SECURITY
- stores system-wide security profiles and user-rights assignments
SOFTWARE
- stores system-wide configuration information not needed to boot the system
SYSTEM
- contains the system-wide configuration information needed to boot the system
What does a Registry Key hold?
- a signature found at offset 0x0
- last write timestamp
- major and minor revision numbers
- the root cell offset
What are the registry value types?
- REG_BINARY
- REG_DWORD
- REG_DWORD_LITTLE_ENDIAN
- REG_DWORD_BIG_ENDIAN
- REG_EXPAND_SZ
- REG_LINK
- REG_MULTI_SZ
- REG_NONE
- REG_QWORD
- REG_QWORD_LITTLE_ENDIAN
- REG_SZ
What is the best tool for Registry Analysis?
- Registry Explorer
Which registry key contains system configuration information such as device drivers and services?
- HKEY_LOCAL_MACHINE\SYSTEM
What are the most important Registry Artifacts?
- ControlSet No. (device drivers and services)
- Time Zone
- Windows Product Info
- Windows Computer Name
- Windows Services
- Windows DHCP Config
- NTFS Last Accessed
- Autoruns
- Installed Applications
- Windows Firewall
- Remote Desktop
- Network History
What Registry Key contains the Windows Product information?
- SOFTWARE\Microsoft\Windows NT\CurrentVersion
What Registry Key contains the Windows Computer Name?
- SYSTEM\ControlSet00#\Control\ComputerName\ComputerName
What Registry Key contains the Windows Services?
- SYSTEM\ControlSet00#\Services
What Registry Key contains the Autoruns?
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and \RunOnce
- HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run and \RunOnce
- could also be found under HKCU
What are important User registry artifacts?
- Windows Recycle Bin
- Last User Logged In
- User Sessions
- UAC
- User Assist Keys
- Most Recently Opened (applications and files)
Why check User Assist Keys?
- Understand the frequency of program execution
- Identify the last time a program was launched
- Which items were being launched most often
- Evidence of programs after deletion/uninstall
- How long a user has interacted with a given program
What is “Evidence of Absence”?
- when an item is frequently accessed, but is empty
- Example: the My Documents directory was accessed 333 times, but there are no files there, which means something was probably there recently and has since been deleted
What are ShellBags?
- a set of Windows Registry keys located in the NTUSER.dat and UsrClass.dat registry hives
- maintain view, icon, position, and size of folders
- can serve as a history into data that was removed from a system