Posts

Did It Execute? amcache.hve

amcache.hve? I first came across this file when looking into the AppCompatCache, as it is located in a directory which you would think stores the AppCompatCache data:

<DRIVE>\Windows\AppCompat\Programs\Amcache.hve

When researching Windows Application Compatibility, however, I found no reference to this hive. Further research indicates it is part of the Windows Application Experience and Compatibility features and replaced the RecentFileCache.bcf file from Windows 8 onwards.

Tools: https://github.com/EricZimmerman/AmcacheParser

Reference: https://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html

Did It Execute? MUI Cache (Shellbag)

What is the MUI Cache.... What are Shellbags

Have you noticed that when you open an application GUI in Windows, Windows seems to remember where the windows were? It stores a bit more than that for this purpose, all of which is useful in an investigation.

Location of Data:

Shellbags may be found in a few locations, depending on operating system version and user profile.

On a Windows XP system, shellbags may be found under:

HKEY_USERS\{USERID}\Software\Microsoft\Windows\Shell\
HKEY_USERS\{USERID}\Software\Microsoft\Windows\ShellNoRoam\

The NTUser.dat hive file persists the registry key HKEY_USERS\{USERID}\.

On a Windows 7 system, shellbags may be found under:

HKEY_USERS\{USERID}\Local Settings\Software\Microsoft\Windows\Shell\

The UsrClass.dat hive file persists the registry key HKEY_USERS\{USERID}\.

Reference: http://www.williballenthin.com/forensics/shellbags/

Did It Execute? User Assist

The User Assist functionality is that very helpful part of Windows that sticks your most used/most recently used applications in the Start menu (if there is a Start menu (Windows 8)).

Where is the data stored:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

What is the data: ROT13?

Tools and interrogating the data:

http://www.nirsoft.net/utils/userassist_view.html

References:

https://blog.didierstevens.com/programs/userassist/
http://www.nirsoft.net/utils/userassist_view.html

Windows Event Logs and Incident Investigation

I have been looking at proof of execution artifacts a lot and keep coming back to event logs. Rather than just focus on proof of execution, I want to provide a list of the useful Windows events I have come across which are of use in a forensic/incident investigation.

Tip - Windows XP events can be converted to Vista+ events by adding 4096 to the Event ID.

Locations of Logs

The default locations are as follows:

XP Era: %SystemRoot%\System32\Config\*.evt
Vista+: %SystemRoot%\System32\winevt\Logs\*.evtx

Custom Log Locations:

Log locations can be changed by the user; you can check this in the registry in the following HKLM keys:

Application Events: HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application
Hardware Events: HKLM\SYSTEM\CurrentControlSet\services\eventlog\HardwareEvents
Security Events: HKLM\SYSTEM\CurrentControlSet\services\eventlog\Security
System Events: HKLM\SYSTEM\CurrentControlSet\services\eventlog\Syst...

PowerShell FILETIME conversion

I intend to write about the uses of PowerShell in live system investigations at a later date; for now I thought it worth sharing a useful time conversion. If you come across a Windows FILETIME and would like it in a human-readable format, you can use the following via PowerShell:

    [DateTime]::FromFileTime(<FILETIME>)

The Windows FILETIME is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). The result is displayed in the local time zone of the machine running the conversion.

e.g.

    PS C:\> [DateTime]::FromFileTime(130689408926752346)
    20 February 2015 21:21:32
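The FILETIME conversion above and the ROT13 encoding noted in the User Assist post come together when a UserAssist value is read offline from an exported hive. The Python below is an added example, not code from the original posts: it decodes a constructed entry, and the binary layout it assumes (72 bytes with the run count at offset 4 and the last-run FILETIME at offset 60 on Windows 7+, 16 bytes with a counter starting at 5 on XP) comes from public write-ups of the artifact, not from this page.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime):
    """Convert 100-ns intervals since 1601-01-01 (UTC) to an aware datetime."""
    if filetime == 0:
        return None  # an all-zero FILETIME means the timestamp was never set
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def decode_userassist(value_name, data):
    """Decode one UserAssist value: ROT13 name plus binary counters."""
    name = codecs.decode(value_name, "rot_13")
    if len(data) == 72:
        # Assumed Windows 7+ layout: run count at offset 4, FILETIME at 60.
        run_count, = struct.unpack_from("<I", data, 4)
        last_run, = struct.unpack_from("<Q", data, 60)
    elif len(data) == 16:
        # Assumed Windows XP layout: counter starts at 5, FILETIME at offset 8.
        raw_count, last_run = struct.unpack_from("<IQ", data, 4)
        run_count = max(raw_count - 5, 0)
    else:
        raise ValueError(f"unexpected UserAssist data length: {len(data)}")
    return {"name": name, "run_count": run_count,
            "last_run_utc": filetime_to_utc(last_run)}


# Constructed sample entry (not taken from a real system). The FILETIME is
# the value used in the PowerShell conversion above.
SAMPLE_NAME = r"P:\Jvaqbjf\Flfgrz32\abgrcnq.rkr"
SAMPLE_DATA = (struct.pack("<IIII", 0, 7, 3, 60000) + bytes(44)
               + struct.pack("<Q", 130689408926752346) + bytes(4))

if __name__ == "__main__":
    entry = decode_userassist(SAMPLE_NAME, SAMPLE_DATA)
    print(entry["name"], entry["run_count"], entry["last_run_utc"].isoformat())
```

Unlike the PowerShell call, this always reports UTC, which avoids a time-zone shift when the analysis workstation and the examined system use different zones.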

Did It Execute? AppCompatCache

Application Compatibility (or Shim) Cache

The Application Compatibility Cache, which appears to be more commonly referred to as the ShimCache, is used by an element of Windows dedicated to, yes you guessed it, Application Compatibility.

The basic concept of this feature is this: when programs are written, they are usually compiled to work with the OS of the day. So as long as everything is as expected, the program runs, calls APIs and the OS plays nice (round pegs in round holes). As you can imagine, only a clairvoyant would know what changes will be made in the future, which makes it highly unlikely that any program can future-proof itself. The other problem is that current programs would have to be created with excess code to ensure they work on all previous versions. These both lead to the problem of the square peg and the round hole.

Microsoft solved this problem for us, as they know what an API is calling and the differences be...

Did It Execute?

I have been looking into the execution artifacts on Windows systems over the past few weeks, to see not only what artifacts a system may create which may indicate execution, but also what the original purpose of these artifacts is, to get a better understanding of why they exist in the first place and how reliable that makes them.

There are a lot of documented artifacts which are useful in forensic investigation:

- AppCompatCache (ShimCache)
- amcache
- prefetch
- MUICache
- UserAssist
- prefetch and superfetch
- IconCache
- SRUDB
- Windows Event Logs

The way I like to get to know artifacts, and the methodology for collecting and interrogating them, is through experimentation. I will look into the above and provide some future posts on what they are and how you can use them in forensic investigations.