Overview

This comprehensive guide focuses on essential tools and methodologies used in Windows Digital Forensics and Incident Response (DFIR). Rather than analyzing a specific attack, we’ll explore the systematic application of forensic tools and when to leverage them effectively in an investigation.

Prerequisites

Training Resources

Required Tools

Analysis Methodology

Priority Order

  1. Windows Event Logs
  2. Windows Registry
  3. NTFS Analysis
  4. Additional Windows Artifacts

Registry Analysis

Registry Hive Locations

C:\Cases\E\Windows\System32\config
C:\Cases\E\Users\tstark\NTUSER.DAT
C:\Cases\E\Users\tstark\AppData\Local\Microsoft\Windows\UsrClass.dat

Using Registry Explorer

  1. Import Registry Hives

  2. Utilize Available Bookmarks for Common Analysis Points

RegRipper Analysis

RegRipper provides automated registry analysis capabilities. Reference: Plugin Matrix

Single Hive Analysis

# Extract Windows version information
rip.exe -r C:\Cases\Analysis\SOFTWARE -p winver

Bulk Hive Analysis

  1. Prepare Hidden Files

# View file attributes
attrib *

# Make hidden files accessible
attrib -h UsrClass.dat
attrib -h NTUSER.dat

  2. Process Multiple Hives

# Run every file in the tree through all RegRipper plugins for its hive type,
# writing one report per hive (interactive cmd.exe syntax)
for /r %i in (*) do (C:\Tools\RegRipper\rip.exe -r "%i" -a > "%i.txt")

User Account Analysis

  1. Export SAM Database using Registry Explorer

  2. Analyze with Timeline Explorer

User Behavior Analysis

UserAssist Analysis

Location: NTUSER.DAT
Purpose: Tracks recently used applications

Additional metadata in value names.
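To show what Registry Explorer is decoding in this key, here is an added example (not code from the original guide or from Registry Explorer) that ROT13-decodes a UserAssist value name and unpacks the Windows 7+ binary record; the value name and the 72-byte record are constructed sample data.

```python
"""Decode a UserAssist entry: ROT13 value name plus the Windows 7+ record.

Added example for this guide, not from the original post. SAMPLE_NAME and
SAMPLE_RECORD are constructed; offsets follow the Windows 7+ layout.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(rot13_name: str) -> str:
    """Value names are stored ROT13-encoded (GUID prefixes are rotated too)."""
    return codecs.decode(rot13_name, "rot_13")


def filetime_to_utc(filetime: int):
    """Convert a FILETIME (100 ns ticks since 1601-01-01) to a UTC datetime."""
    if filetime == 0:
        return None  # never executed / not recorded
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_userassist(name: str, data: bytes) -> dict:
    """Parse one UserAssist value (Windows 7 and later, 72-byte record).

    Offsets: 4 = run count, 8 = focus count, 12 = focus time in ms,
    60 = last-executed FILETIME. Other fields are ignored here.
    """
    if len(data) < 68:
        raise ValueError(f"record too short for Win7+ layout: {len(data)} bytes")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_exec,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": decode_name(name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_s": focus_ms / 1000,
        "last_executed": filetime_to_utc(last_exec),
    }


# Constructed sample: 7 runs, 3 focus events, 95.5 s focus, last run 2024-01-15 12:00 UTC
SAMPLE_NAME = codecs.encode(r"C:\Windows\System32\notepad.exe", "rot_13")
_rec = bytearray(72)
struct.pack_into("<III", _rec, 4, 7, 3, 95500)
struct.pack_into("<Q", _rec, 60, 133497936000000000)
SAMPLE_RECORD = bytes(_rec)

if __name__ == "__main__":
    for key, value in parse_userassist(SAMPLE_NAME, SAMPLE_RECORD).items():
        print(f"{key:>14}: {value}")
```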

Recent Documents

Location: NTUSER.DAT
Analysis Tool: Registry Explorer

ShellBags Analysis

Location: UsrClass.dat
Purpose: Track folder access history

  1. Registry Explorer View

  2. ShellBagsExplorer Analysis

NTFS Analysis

MFT Analysis

Using MFTECmd.exe:

MFTECmd.exe -f c:\cases\E\$MFT --csv C:\Cases\Analysis\NTFS\ --csvf MFT.csv

Timeline Explorer Analysis: MFT Timeline Analysis

Timestamp Analysis: MFT Timestamp Analysis

Program Execution Analysis

Background Activity Moderator (BAM)

Location: SYSTEM hive
Purpose: Track recently executed programs

Amcache Analysis

Location: Windows\AppCompat\Programs

# Parse Amcache.hve
AmcacheParser.exe -f c:\cases\e\windows\appcompat\programs\Amcache.hve --csv c:\cases\analysis\execution

Prefetch Analysis

Location: C:\Cases\E\Windows\prefetch

Single File Analysis:

pecmd.exe -f c:\cases\e\windows\prefetch\ATOMICSERVICE.EXE-59E20F94.pf

Bulk Analysis:

pecmd.exe -d c:\cases\e\windows\prefetch --csv C:\Cases\Analysis\Execution\

Persistence Analysis

Key Areas of Focus

  1. Auto-Run Keys
  2. Scheduled Tasks
  3. Services

Services Analysis

Search the RegRipper output SYSTEM.txt for “services v.” or “svc v.”

Scheduled Tasks

Location: SOFTWARE hive
Path: Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree

Autoruns Analysis

Tool: SysInternals Autoruns
Method: “Analyze Offline System”

Event Log Analysis

Resources

Analysis Process

Location: Windows\System32\winevt\Logs

  1. Import logs into Event Log Explorer

  2. Key Event IDs:

    • Service Installation (7045)
    • Logon Events (4624)
    • PowerShell Execution (400)
  3. Logon Analysis: Logon Types

  4. Sysmon Events: Sysmon Event Analysis

References