Uploaded byMNCERT
902 views

MNSEC 2018 - Windows forensics

This document discusses forensic analysis on Windows systems. It provides an overview of important Windows artifacts for forensic investigation including the registry, event logs, file system metadata and memory analysis. Specific tools are also mentioned for acquiring disk and memory images, parsing timelines, analyzing the registry and memory, including FTK Imager, SIFT, Redline, Volatility and REGRIPPER. An example case is described where crypto-mining malware was found running on a system through analysis of process listings, file system metadata and logs.

Embed presentation

Windows Forensics G.Altangerel
What is computer forensics • Finding evidence from computer and digital storage media
Windows OS • ~90% OS market share • Juicy target of cyber attack
FORENSIC ANALYSIS ON WINDOWS
What should we know? • Operating system • File system • Important artifacts • Cyber attack methods • Basics of malware analysis
Artifacts • Registry • Event log • Volume Shadow Copies • Master File Table (MFT) • Windows Shell Bags • Prefetch file • Update Sequence Number Journal (USNJRNL)
What to do • Capture images • Create timeline • Analyze timeline • Analyze memory • Correlate finding with other sources • Prepare report
Arsenal • FTK Imager • SIFT workstation by SANS • Redline • Volatility • SIEM • IDS/IPS, Firewall, …
Capturing images • Disk & Memory (RAM) • DO NOT TURN OFF THE COMPUTER!!!
Cold boot attack
Cold boot attack
Cold boot attack
Playing with the images • High performance machine required • SIFT workstation (virtual machine) • Redline
SIFT workstation
Mounting the image #ewfmount image.E01 /mnt/ewf #mmls ewf1 DOS Partition Table Offset Sector: 0 Units are in 512-byte sectors Slot Start End Length Description 000: Meta 0000000000 0000000000 0000000001 Primary Table (#0) 001: ------- 0000000000 0000002047 0000002048 Unallocated 002: 000:000 0000002048 0000206847 0000204800 NTFS / exFAT (0x07) 003: 000:001 0000206848 0479567219 0479360372 NTFS / exFAT (0x07) 004: ------- 0479567220 0479567871 0000000652 Unallocated 005: 000:002 0479567872 0585867263 0106299392 NTFS / exFAT (0x07) 006: ------- 0585867264 0585871963 0000004700 Unallocated # mount -t ntfs-3g -o ro,loop,show_sys_files,stream_interface=windows,offset=$((206848*512)) /mnt/ewf/ewf1 /mnt/windows_mount
Creating timeline #log2timeline.py /cases/ewf.plaso /mnt/ewf/ewf1 --parsers win_gen --hashers none -- workers 15 #psort.py -o l2tcsv -w test.csv test.plaso C:>Mft2Csv.exe /MftFile:Z:$MFT /TimeZone:0.00 /OutputFormat:l2t https://github.com/jschicht/Mft2Csv
Timeline
Timeline
Timeline
Windows Registry forensics REGRIPPER is the primary weapon when it comes to registry analysis # rip.pl -l | more 1. ide v.20080418 [System] - Get IDE device info from the System hive file 2. shelloverlay v.20100308 [Software] - Gets ShellIconOverlayIdentifiers values 3. auditpol v.20151202 [Security] - Get audit policy from the Security hive file ……………………… 346. usbstor2 v.20080825 [System] - Get USBStor key info; csv output 347. cpldontload v.20100116 [NTUSER.DAT] - Gets contents of user's Control Panel don't load key
Windows Registry forensics #rip.pl -r /mnt/windows_mount/Windows/System32/config/SOFTWARE -p winver Launching winver v.20081210 winver v.20081210 (Software) Get Windows version ProductName = Windows Server 2008 R2 Enterprise CSDVersion = Service Pack 1 InstallDate = Thu Nov 29 17:52:22 2012
Windows Registry forensics # rip.pl -r /mnt/windows_mount/Windows/System32/config/SAM -f sam Parsed Plugins file. Launching samparse v.20160203 (SAM) Parse SAM file for user & group mbrshp info User Information ------------------------- Username : Administrator [500] Full Name : User Comment : Built-in account for administering the computer/domain Account Type : Default Admin User Account Created : Fri Apr 13 17:27:01 2012 Z Name : Last Login Date : Mon Aug 6 02:24:21 2018 Z Pwd Reset Date : Wed Jan 3 10:42:54 2018 Z Pwd Fail Date : Sun Aug 5 13:49:04 2018 Z Login Count : 513 --> Normal user account
Windows Registry forensics • Account profile list #rip.pl -r /mnt/windows_mount/Windows/System32/config/SOFTWARE -p profilelist • Logon timeline #rip.pl -r /mnt/windows_mount/Windows/System32/config/SOFTWARE -p winlogon_tln • Parsing event log #rip.pl -r /mnt/windows_mount/Windows/System32/config/SYSTEM -p eventlogs • Services list #rip.pl -r /mnt/windows_mount/Windows/System32/config/SYSTEM -p services • Installed application list #rip.pl -r /mnt/windows_mount/WINDOWS/system32/config/software -p uninstall
Memory forensics • Volatility and Redline
Memory forensics
Memory forensics
Memory forensics
Memory forensics
Memory forensics #volatility –f memdump.mem –profile=Win7SP1x64 plugxconfig
Memory forensics
Memory forensics
REAL LIFE EXAMPLE
Example • A host infected with crypto-mining malware
Example • Found running suspicious process called WinSCV.exe (PID:3056) • WinSCV.exe file exists in C:WindowsTemp directory and is proven malicious software. • WinSCV.exe file was created on 2018/06/02. • Putty, well known SSH client software, was being used on the system at the time.
Example • server.txt file, PE executable, was created on the system. Afterward, PSCP.exe (Putty’s Secure Copy Client) and confirm.txt files were created. • The content of the “confirm.txt” file was just “y” • After creating those files, SMSvsHOST.exe, win.exe and WinSCV.exe files were created consequently. The attacker used PSCP.exe to download other executables. •
Example • To confirm previous findings, we need to check other logs. The target host might has been exploited by EthernalBlue. • The following log confirms that the exploitation was successful. •
Example • To confirm previous findings, we need to check other logs. The target host might has been exploited by EthernalBlue. • The following log confirms that the exploitation was successful. • After exploitation, the attacker downloaded another payload.
Example • Server.txt is a UPX compressed executable file. It’s very easy to decompress UPX packed executables. The static analysis can show something helpful.
The more sources, the more accurate result you will have.

More Related Content

PPTX
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
byIgor Korkin
 
PPTX
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
byIgor Korkin
 
PDF
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
byIgor Korkin
 
PDF
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
byIgor Korkin
 
PPTX
Hypervisor-Based Active Data Protection for Integrity and Confidentiality of ...
byIgor Korkin
 
PPTX
Protected Process Light will be Protected – MemoryRanger Fills the Gap Again
byIgor Korkin
 
PPTX
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...
byIgor Korkin
 
PPTX
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
byIgor Korkin
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
byIgor Korkin
 
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
byIgor Korkin
 
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
byIgor Korkin
 
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
byIgor Korkin
 
Hypervisor-Based Active Data Protection for Integrity and Confidentiality of ...
byIgor Korkin
 
Protected Process Light will be Protected – MemoryRanger Fills the Gap Again
byIgor Korkin
 
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...
byIgor Korkin
 
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
byIgor Korkin
 

What's hot

PDF
Shusei tomonaga pac_sec_20171026
byPacSecJP
 
PPTX
Malware analysis using volatility
byYashashree Gund
 
PDF
BlueHat v18 || Massive scale usb device driver fuzz without device
byBlueHat Security Conference
 
PPTX
Applying Memory Forensics to Rootkit Detection
byIgor Korkin
 
PDF
Volatile IOCs for Fast Incident Response
byTakahiro Haruyama
 
PPTX
Catching fileless attacks
byBalaji Rajasekaran
 
PDF
Di shen pacsec_final
byPacSecJP
 
PPT
Black Energy18 - Russian botnet package analysis
byRoberto Suggi Liverani
 
PDF
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
byNoSuchCon
 
ODP
Malware analysis - What to learn from your invaders
byTazdrumm3r
 
PPT
Mac Memory Analysis with Volatility
byAndrew Case
 
PDF
Windows Memory Forensic Analysis using EnCase
byTakahiro Haruyama
 
PDF
Auditing the Opensource Kernels
bySilvio Cesare
 
PPTX
UEFI Firmware Rootkits: Myths and Reality
bySally Feller
 
PPT
Live Memory Forensics on Android devices
byNikos Gkogkos
 
PDF
Finfisher- Nguyễn Chấn Việt
bySecurity Bootcamp
 
PDF
One-Byte Modification for Breaking Memory Forensic Analysis
byTakahiro Haruyama
 
PDF
Hunting Mac Malware with Memory Forensics
byAndrew Case
 
PDF
Windows Internals: fuzzing, hijacking and weaponizing kernel objects
byNullbyte Security Conference
 
PDF
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
byenSilo
 
Shusei tomonaga pac_sec_20171026
byPacSecJP
 
Malware analysis using volatility
byYashashree Gund
 
BlueHat v18 || Massive scale usb device driver fuzz without device
byBlueHat Security Conference
 
Applying Memory Forensics to Rootkit Detection
byIgor Korkin
 
Volatile IOCs for Fast Incident Response
byTakahiro Haruyama
 
Catching fileless attacks
byBalaji Rajasekaran
 
Di shen pacsec_final
byPacSecJP
 
Black Energy18 - Russian botnet package analysis
byRoberto Suggi Liverani
 
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
byNoSuchCon
 
Malware analysis - What to learn from your invaders
byTazdrumm3r
 
Mac Memory Analysis with Volatility
byAndrew Case
 
Windows Memory Forensic Analysis using EnCase
byTakahiro Haruyama
 
Auditing the Opensource Kernels
bySilvio Cesare
 
UEFI Firmware Rootkits: Myths and Reality
bySally Feller
 
Live Memory Forensics on Android devices
byNikos Gkogkos
 
Finfisher- Nguyễn Chấn Việt
bySecurity Bootcamp
 
One-Byte Modification for Breaking Memory Forensic Analysis
byTakahiro Haruyama
 
Hunting Mac Malware with Memory Forensics
byAndrew Case
 
Windows Internals: fuzzing, hijacking and weaponizing kernel objects
byNullbyte Security Conference
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
byenSilo
 

Similar to MNSEC 2018 - Windows forensics

PDF
windows-forensics-analysis-v-1.0-4_2.pdf
byAmineBesrour
 
ODT
Operating System Forensics
byArunJS5
 
PPTX
Msra 2011 windows7 forensics-troyla
byCTIN
 
PDF
2010 2013 sandro suffert memory forensics introdutory work shop - public
bySandro Suffert
 
PDF
Disk forensics
byChiawei Wang
 
PDF
sift_cheat_sheet.pdf
byNaveenVarma Chintalapati
 
PPTX
Leveraging NTFS Timeline Forensics during the Analysis of Malware
bytmugherini
 
PDF
Memory Forensic CheatSheet - SANS Institute
byAnderson Carvalho Silva
 
PPTX
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
byJared Greenhill
 
PDF
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
bySam Bowne
 
PPTX
Disk forensics for the lazy and the smart
byJeff Beley
 
PPTX
44CON London 2015: NTFS Analysis with PowerForensics
byJared Atkinson
 
PDF
Free Computer Forensic Software's list - by Forensic Control
byraiyankhair47
 
PDF
(130105) #fitalk trends in d forensics (dec, 2012)
byINSIGHT FORENSIC
 
PDF
kbrgwillis.pdf
byKblblkb
 
PDF
Stop pulling the plug
byKamal Rathaur
 
PDF
Memory forensics cheat sheet
byMartin Cabrera
 
PPTX
Digital forensics for technology134.pptx
bytbalingit
 
PDF
Debian Linux as a Forensic Workstation
byVipin George
 
PPS
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
byClubHack
 
windows-forensics-analysis-v-1.0-4_2.pdf
byAmineBesrour
 
Operating System Forensics
byArunJS5
 
Msra 2011 windows7 forensics-troyla
byCTIN
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
bySandro Suffert
 
Disk forensics
byChiawei Wang
 
sift_cheat_sheet.pdf
byNaveenVarma Chintalapati
 
Leveraging NTFS Timeline Forensics during the Analysis of Malware
bytmugherini
 
Memory Forensic CheatSheet - SANS Institute
byAnderson Carvalho Silva
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
byJared Greenhill
 
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
bySam Bowne
 
Disk forensics for the lazy and the smart
byJeff Beley
 
44CON London 2015: NTFS Analysis with PowerForensics
byJared Atkinson
 
Free Computer Forensic Software's list - by Forensic Control
byraiyankhair47
 
(130105) #fitalk trends in d forensics (dec, 2012)
byINSIGHT FORENSIC
 
kbrgwillis.pdf
byKblblkb
 
Stop pulling the plug
byKamal Rathaur
 
Memory forensics cheat sheet
byMartin Cabrera
 
Digital forensics for technology134.pptx
bytbalingit
 
Debian Linux as a Forensic Workstation
byVipin George
 
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
byClubHack
 

More from MNCERT

PDF
MNSEC 2018 - Threat Intel Sharing from a CSIRT Standpoint
byMNCERT
 
PDF
MNSEC 2018 - Observations from the APNIC Community Honeynet Project
byMNCERT
 
PPTX
MNSEC 2018 - Active Directory - how not to
byMNCERT
 
PDF
MNSEC 2018 - Mongolian Internet Healthiness
byMNCERT
 
PPTX
MNSEC 2018 - Malware Distribution Trends, October 2018
byMNCERT
 
PDF
MNSEC 2018- FortiGuard Lab’s Threat Landscape Highlights
byMNCERT
 
PPTX
MNSEC 2018 - Evolving DDoS Threat Landscape
byMNCERT
 
PPTX
MNSEC 2018 - Linux hardening
byMNCERT
 
PPTX
MNSEC 2018 - Cryptography
byMNCERT
 
PPTX
MNSEC 2018 - MNCERT REPORT
byMNCERT
 
PPTX
MNSEC 2018 - Data center security
byMNCERT
 
PPTX
MNSEC 2018 - Information security in blockchain
byMNCERT
 
MNSEC 2018 - Threat Intel Sharing from a CSIRT Standpoint
byMNCERT
 
MNSEC 2018 - Observations from the APNIC Community Honeynet Project
byMNCERT
 
MNSEC 2018 - Active Directory - how not to
byMNCERT
 
MNSEC 2018 - Mongolian Internet Healthiness
byMNCERT
 
MNSEC 2018 - Malware Distribution Trends, October 2018
byMNCERT
 
MNSEC 2018- FortiGuard Lab’s Threat Landscape Highlights
byMNCERT
 
MNSEC 2018 - Evolving DDoS Threat Landscape
byMNCERT
 
MNSEC 2018 - Linux hardening
byMNCERT
 
MNSEC 2018 - Cryptography
byMNCERT
 
MNSEC 2018 - MNCERT REPORT
byMNCERT
 
MNSEC 2018 - Data center security
byMNCERT
 
MNSEC 2018 - Information security in blockchain
byMNCERT
 

Recently uploaded

PDF
The Future of AI-Powered Fashion Design 10 Top Generators for 2026
bymockitseo
 
PPTX
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
PDF
Chapter 1 Introduction to Computer Security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
DataLiva-LivaGRC- Business Software for Governance, Risk, and Compliance
byMustafa Kuğu
 
PPTX
Information about Trusted Platform Module(TPM)
bynewtoknow techs
 
PDF
The CISO_Transformation_Playbook From Cost Centre to Chief Trust Officer
bysajjasridhar1990
 
PPTX
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
PDF
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
PPTX
Scrape YouTube Video Data for Influencer Analytics.pptx
byWeb Data Crawler
 
PDF
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
PDF
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 
PPTX
DATALIVA-Presentation-EN_2026 Budgeting SAP Odoo ERP
byMustafa Kuğu
 
PPTX
ICT Entrepreneur Quiz for grade 7...........
bykayramos6
 
PPTX
IBM_NEXA_DAC2021 NEXA, a cloud-native platform for collaborative hardware log...
byArun Joseph
 
PPTX
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
PPTX
Sensors-and-Actuators-in-IoT-Systems.pptx
byMuhammedNihal54
 
PPTX
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
PDF
splunk-peak-threat-hunting-framework.pdf
bylobster6719
 
PPTX
Salesforce Spring 26 Release Key .pptx
byMehediHasan939830
 
PDF
Achieving Interoperability in Healthcare IT: A Strategic Guide
byHart, Inc.
 
The Future of AI-Powered Fashion Design 10 Top Generators for 2026
bymockitseo
 
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
Chapter 1 Introduction to Computer Security.pdf
byGetnet Tigabie Askale -(GM)
 
DataLiva-LivaGRC- Business Software for Governance, Risk, and Compliance
byMustafa Kuğu
 
Information about Trusted Platform Module(TPM)
bynewtoknow techs
 
The CISO_Transformation_Playbook From Cost Centre to Chief Trust Officer
bysajjasridhar1990
 
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
Scrape YouTube Video Data for Influencer Analytics.pptx
byWeb Data Crawler
 
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 
DATALIVA-Presentation-EN_2026 Budgeting SAP Odoo ERP
byMustafa Kuğu
 
ICT Entrepreneur Quiz for grade 7...........
bykayramos6
 
IBM_NEXA_DAC2021 NEXA, a cloud-native platform for collaborative hardware log...
byArun Joseph
 
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
Sensors-and-Actuators-in-IoT-Systems.pptx
byMuhammedNihal54
 
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
splunk-peak-threat-hunting-framework.pdf
bylobster6719
 
Salesforce Spring 26 Release Key .pptx
byMehediHasan939830
 
Achieving Interoperability in Healthcare IT: A Strategic Guide
byHart, Inc.
 

MNSEC 2018 - Windows forensics

  • 1.
  • 2.
    What is computerforensics • Finding evidence from computer and digital storage media
  • 3.
    Windows OS • ~90%OS market share • Juicy target of cyber attack
  • 4.
  • 5.
    What should weknow? • Operating system • File system • Important artifacts • Cyber attack methods • Basics of malware analysis
  • 6.
    Artifacts • Registry • Eventlog • Volume Shadow Copies • Master File Table (MFT) • Windows Shell Bags • Prefetch file • Update Sequence Number Journal (USNJRNL)
  • 7.
    What to do •Capture images • Create timeline • Analyze timeline • Analyze memory • Correlate finding with other sources • Prepare report
  • 8.
    Arsenal • FTK Imager •SIFT workstation by SANS • Redline • Volatility • SIEM • IDS/IPS, Firewall, …
  • 9.
    Capturing images • Disk& Memory (RAM) • DO NOT TURN OFF THE COMPUTER!!!
  • 10.
  • 11.
  • 12.
  • 13.
    Playing with theimages • High performance machine required • SIFT workstation (virtual machine) • Redline
  • 14.
  • 15.
    Mounting the image #ewfmountimage.E01 /mnt/ewf #mmls ewf1 DOS Partition Table Offset Sector: 0 Units are in 512-byte sectors Slot Start End Length Description 000: Meta 0000000000 0000000000 0000000001 Primary Table (#0) 001: ------- 0000000000 0000002047 0000002048 Unallocated 002: 000:000 0000002048 0000206847 0000204800 NTFS / exFAT (0x07) 003: 000:001 0000206848 0479567219 0479360372 NTFS / exFAT (0x07) 004: ------- 0479567220 0479567871 0000000652 Unallocated 005: 000:002 0479567872 0585867263 0106299392 NTFS / exFAT (0x07) 006: ------- 0585867264 0585871963 0000004700 Unallocated # mount -t ntfs-3g -o ro,loop,show_sys_files,stream_interface=windows,offset=$((206848*512)) /mnt/ewf/ewf1 /mnt/windows_mount
  • 16.
    Creating timeline #log2timeline.py /cases/ewf.plaso/mnt/ewf/ewf1 --parsers win_gen --hashers none -- workers 15 #psort.py -o l2tcsv -w test.csv test.plaso C:>Mft2Csv.exe /MftFile:Z:$MFT /TimeZone:0.00 /OutputFormat:l2t https://github.com/jschicht/Mft2Csv
  • 17.
  • 18.
  • 19.
  • 20.
    Windows Registry forensics REGRIPPERis the primary weapon when it comes to registry analysis # rip.pl -l | more 1. ide v.20080418 [System] - Get IDE device info from the System hive file 2. shelloverlay v.20100308 [Software] - Gets ShellIconOverlayIdentifiers values 3. auditpol v.20151202 [Security] - Get audit policy from the Security hive file ……………………… 346. usbstor2 v.20080825 [System] - Get USBStor key info; csv output 347. cpldontload v.20100116 [NTUSER.DAT] - Gets contents of user's Control Panel don't load key
  • 21.
    Windows Registry forensics #rip.pl-r /mnt/windows_mount/Windows/System32/config/SOFTWARE -p winver Launching winver v.20081210 winver v.20081210 (Software) Get Windows version ProductName = Windows Server 2008 R2 Enterprise CSDVersion = Service Pack 1 InstallDate = Thu Nov 29 17:52:22 2012
  • 22.
    Windows Registry forensics #rip.pl -r /mnt/windows_mount/Windows/System32/config/SAM -f sam Parsed Plugins file. Launching samparse v.20160203 (SAM) Parse SAM file for user & group mbrshp info User Information ------------------------- Username : Administrator [500] Full Name : User Comment : Built-in account for administering the computer/domain Account Type : Default Admin User Account Created : Fri Apr 13 17:27:01 2012 Z Name : Last Login Date : Mon Aug 6 02:24:21 2018 Z Pwd Reset Date : Wed Jan 3 10:42:54 2018 Z Pwd Fail Date : Sun Aug 5 13:49:04 2018 Z Login Count : 513 --> Normal user account
  • 23.
    Windows Registry forensics •Account profile list #rip.pl -r /mnt/windows_mount/Windows/System32/config/SOFTWARE -p profilelist • Logon timeline #rip.pl -r /mnt/windows_mount/Windows/System32/config/SOFTWARE -p winlogon_tln • Parsing event log #rip.pl -r /mnt/windows_mount/Windows/System32/config/SYSTEM -p eventlogs • Services list #rip.pl -r /mnt/windows_mount/Windows/System32/config/SYSTEM -p services • Installed application list #rip.pl -r /mnt/windows_mount/WINDOWS/system32/config/software -p uninstall
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
    Memory forensics #volatility –fmemdump.mem –profile=Win7SP1x64 plugxconfig
  • 30.
  • 31.
  • 32.
  • 33.
    Example • A hostinfected with crypto-mining malware
  • 34.
    Example • Found runningsuspicious process called WinSCV.exe (PID:3056) • WinSCV.exe file exists in C:WindowsTemp directory and is proven malicious software. • WinSCV.exe file was created on 2018/06/02. • Putty, well known SSH client software, was being used on the system at the time.
  • 35.
    Example • server.txt file,PE executable, was created on the system. Afterward, PSCP.exe (Putty’s Secure Copy Client) and confirm.txt files were created. • The content of the “confirm.txt” file was just “y” • After creating those files, SMSvsHOST.exe, win.exe and WinSCV.exe files were created consequently. The attacker used PSCP.exe to download other executables. •
  • 36.
    Example • To confirmprevious findings, we need to check other logs. The target host might has been exploited by EthernalBlue. • The following log confirms that the exploitation was successful. •
  • 37.
    Example • To confirmprevious findings, we need to check other logs. The target host might has been exploited by EthernalBlue. • The following log confirms that the exploitation was successful. • After exploitation, the attacker downloaded another payload.
  • 38.
    Example • Server.txt isa UPX compressed executable file. It’s very easy to decompress UPX packed executables. The static analysis can show something helpful.
  • 39.
    The more sources,the more accurate result you will have.