This week I talk about Amcache Forensics, a Windows artifact that collects details about programs that have been run on a given system. This evidence can support malware/ intrusion investigations, file use and knowledge exams and data spoliations inquiries.
The last talk in the Open-Source password cracking series focuses on a tool that rivals the pay tools in function and capability - Hashcat.
Last episode I talked about using Cain to attack Windows LANMAN and NTLM hashes. Next we will discuss John the Ripper, Linux password files and rainbow tables.
In the last episode I talked about PW psychology, an important part of operationalizing any PW cracking tool effectively. Face it, the math is against you so understanding a person’s probable PW patterns is important. In this episode we will talk about our first tool that can be used against a PW file. First let’s go over some general features you will likely find in a PW cracking tool.
The next mini series will focus on open source password attack tools. There are some pay options out there, however, most IR teams do not have a need for it and disk forensic teams use if infrequently. Despite this many labs want the capability so it makes sense to explore the open source options first before spending the money. My goal here is talk about these options to provide some insight and to open the series I thought I's talk about password psychology since the weakness link in any password algorithm is usually the person using it.
The $UsnJrnl is an artifact that logs certain changes to files in NTFS volumes. It is a great source of timeline information for malware\ IR investigations, time stomping concerns and anti-forensics activities (i.e. wiping) as well as an additional source of file use and knowledge evidence for disk forensics.
In this episode I talk Shimcache, otherwise known as the Application Compatibility Cache. This registry key has existed since Windows XP and tracks executable on a system, making it a great source of digital evidence for both disk forensics and incident response cases. In addition, there are freely available tools that will parse the data. It is not a difficult artifact to understand. Once an analyst spends the time learning how to pull, parse and interpret the data it is easily incorporated into an investigation and aligns well with other Windows artifacts.
In this episode I cover something I have been intending to do for some time: a Windows 10 artifacts overview. Here, I explore some key artifacts changes and what has stayed the same. Once I got into it I found there was a lot to talk about so, to start, I will discuss the topics from a high level. In future episodes I will dig in deeper to each artifact.
This episode I talk Just-Metadata, a freely available tool that gathers data about IP addresses from publicly available resources. Check out Truncer's website to learn more. I put together my quick start notes (below) for anyone interested in getting set up. This tool is very powerful and useful for Incident Response investigations, especially since you can batch upload IP addresses and quickly get useful details.
This episode I talk about PALADIN from SUMURI. PALADIN is a modified “live” Linux distribution based on Ubuntu that simplifies various forensics tasks in a forensically sound manner via the PALADIN Toolbox and used by thousands of digital forensic examiners from Law Enforcement, Military, Federal, State and Corporate agencies.
This episode covers Investigation Survival Tips.... for the new guy. Newer examiners are often thrown into a world where it is there mission to find "everything." Not on that, they are usually given inadequate investigative support to accomplish their assigned goals. I have seen this happen often so I thought I would spend an episode giving some advice on how to steer the conversation to keep expectation realistic and in-check.
In this episode I cover using Linux as a forensic platform... for the new guy. I find many examiners are very Windows-centric. There is nothing wrong with that as most tools and evidence is Windows based. However, Linux comes in handy from time to time and knowing some basic commands is always helpful.
In this episode I talk all about virtual machines; the reasons you should be using them (more), prebuilt ones that are freely available and loaded with digital forensic tools and a free virtual machine application that has the same functionality you need as the pay tools.
In this episode we wrap up the File Use & Knowledge artifacts discussed previously and talk about how they connect to help strengthen a case.
Have you ever been asked to find out what the "F" drive is? Have you ever needed to prove a USB drive was attached to a target system? Collecting and presenting this information is a core skill all computer forensic analysts need know. This episode breaks down the process of collecting and interpreting the data necessary to make the connection between USB device and Windows systems.
In this episode we examine how to use Windows Shellbag records to help prove file use and knowledge. Shellbag records are created by certain user activity and can be used to show where a user has navigated to on a computer system and when they did so. Very powerful evidence!
Windows Prefetch data is a great source of evidence to help determine file use and knowledge of applications running on the system.
Oftentimes you will be asked to find information on a target system that shows if a user accessed certain files, the last time they did and/ or how often they did. Being able to put a picture together that answers these questions can be critical and make or break the case.
Windows LINK files are a great source of information when your aim is proving file use and knowledge during a computer forensic investigation. Knowing how to interpret these files will break reliance on automated tools and give you the versatility to quickly examine - interpret - and gain investigative insight.