During a Windows Forensics engagement, I occasionally find myself forgetting essential tasks or unintentionally skipping analyzing importants artifacts. Therefore, this checklist (along with cheatsheet) could help myself (or readers) and ensure that I adhere to a systematic workflow when conducting Windows Forensics.

Typical Forensic investigation flow

If you ask me the details on the acquisition and analysis part, here it is:

1. Evidence acquisition ⇛ Disk, memory
2. Live response, scanner and live forensics ⇛ Autoruns, process hacker, THOR or Loki, Inquisitor
3. Memory forensics ⇛ MemProcFS, volatility
4. Disk Image mounting ⇛ Mounting and Triage important artifact
5. Persistence analysis ⇛ Autoruns location, registry, WMI, Scheduled Tasks
6. Malware analysis ⇛ Static and Dynamic analysis
7. Checking system information ⇛ Registry
8. Root cause analysis ⇛ Logs, web, malware, file folder activity, exploit, email, executed file
9. Lateral movement investigation ⇛ event log, executed file, registry, file system
10. Timeline analysis ⇛ MFT, Logfile, UsnJ parsing
11. File access artifacts ⇛ File sharing, MountPoints, USB
12. Recovering deleted data ⇛ Recyclebin, MFT, VSS, File carving, Keyword search (Autopsy)
13. Malware reverse engineering
14. Writing report

Tools

Acquire artifact’s Tools

Forensic analysis tools

OS / Linux Distros

1. Windows
2. SIFT Linux
3. Tsurugi Linux
4. REMnux

Acquire artifacts

1. Check disk encryption using EDD
2. Perform disk imaging using FTK Imager
3. Perform memory dump activity using Magnet RAM Capturer for example.
4. Save all files in the external harddisk
5. Optional:
   • Perform live analysis collection scanner such as Inquisitor
   • Scan the compromised using scanner such as THOR
   • Perform Registry scanner such as RegHunter
   • Perform memory scanner such as hollows_hunter or moneta
   • Perform persistent scanner such as PersistenceSniper or Trawler

KAPE cheatsheet

Basic command

# Target
.\kape.exe --tsource [DRIVE LETTER] --tdest [DESTINATION INCLUDE FOLDER NAME] --module [MODULE NAME] --gui
# Module
.\kape.exe --msource [DRIVE LETTER] --mdest [DESTINATION INCLUDE FOLDER NAME] --module [MODULE NAME] --gui

Target

KAPE target extraction

.\kape.exe --tsource E: --tdest D:\KAPE_cases\ --target KapeTriage,MessagingClients,RemoteAdmin,ServerTriage,WebBrowsers,WebServers,WSL,MemoryFiles --gui

Module: Live Response

Memory dump

.\kape.exe --msource C:\ --mdest D:\KAPE_cases\%m --module MagnetForensics_RAMCapture --gui

Live response command and scanner

.\kape.exe --msource E:\ --mdest D:\KAPE_cases\%m --module PowerShell_Get-InjectedThread,PowerShell_Get-NetworkConnection,PowerShell_Netscan,PowerShell_Signed,SIDR_WindowsIndexSearchParser,WIFIPassView,MagnetForensics_EDD,Nirsoft_BluetoothView,Nirsoft_LastActivityView,Nirsoft_OpenedFilesView,NirSoft_USBDeview,NirSoft_VideoCacheView,NirSoft_WebBrowserPassView,Nirsoft_WhatInStartup,Nirsoft_WifiHistoryView,Nirsoft_WirelessKeyView,SysInternals_Autoruns,SysInternals_Handle,SysInternals_PsFile,SysInternals_PsInfo,SysInternals_PsList,SysInternals_PsLoggedOn,SysInternals_PsService,SysInternals_PsTree,SysInternals_Tcpvcon,Powrshell_LiveResponse_SystemInfo,PowerShell_Arp_Cache_Extraction,PowerShell_Bitlocker_Key_Extraction,PowerShell_Bitlocker_Status,PowerShell_Defender_Exclusions,PowerShell_DLL_List,PowerShell_Dns_Cache,PowerShell_Local_Group_List,PowerShell_LocalAdmin,PowerShell_NamedPipes,PowerShell_NetUserAdministrators,PowerShell_Network_Configuration,PowerShell_Network_Connections_Status,PowerShell_Network_Share,PowerShell_Process_Cmdline,PowerShell_ProcessList_CimInstance,PowerShell_ProcessList_WMI,PowerShell_Services_List,PowerShell_SMBMapping,PowerShell_SMBOpenFile,PowerShell_SMBSession,PowerShell_Startup_Commands,PowerShell_User_List,PowerShell_WMIRepositoryAuditing,Windows_ARPCache,Windows_DNSCache,Windows_GpResult,Windows_IPConfig,Windows_MsInfo,Windows_nbtstat_NetBIOSCache,Windows_nbtstat_NetBIOSSessions,Windows_Net_Accounts,Windows_Net_File,Windows_Net_LocalGroup,Windows_Net_Session,Windows_Net_Share,Windows_Net_Start,Windows_Net_Use,Windows_Net_User,Windows_netsh_portproxy,Windows_NetStat,Windows_qwinsta_RDPSessions,Windows_RoutingTable,Windows_schtasks,Windows_SystemInfo,Reghunter,hasherezade_HollowsHunter --gui

.\kape.exe --msource E:\ --mdest D:\KAPE_cases\%m --module Thor-Lite_Upgrade,Thor-Lite_Scan --gui

.\kape.exe --msource E:\ --mdest D:\KAPE_cases\%m --module Loki_LiveResponse --gui

.\kape.exe --msource E:\ --mdest D:\KAPE_cases\%m --module hasherezade_HollowsHunter --gui

.\kape.exe --msource E:\ --mdest D:\KAPE_cases\%m --module MagnetForensics_RAMCapture --gui

Module: Parsing and scanning

All in one artifact parsing

Warning: Super slow!

.\kape.exe --msource E:\ --mdest D:\KAPE_cases\ --module Loki_Scan,DensityScout,BackstageParser,BitsParser,CCMRUAFinder_RecentlyUsedApps,Chainsaw,DeepblueCLI,DHParser,EvtxHussar,hasherezade_HollowsHunter,INDXRipper,LevelDBDumper,OneDriveExplorer,PowerShell_Get-ChainsawSigmaRules,TeamsParser,ThumbCacheViewer,WMI-Parser,Zircolite_Scan,Zircolite_Update,LogParser_ApacheAccessLogs,LogParser_DetailedNetworkShareAccess,LogParser_LogonLogoffEvents,LogParser_RDPUsageEvents,LogParser_SMBServerAnonymousLogons,Nirsoft_AlternateStreamView,NirSoft_BrowsingHistoryView,NirSoft_FullEventLogView_AllEventLogs,NirSoft_FullEventLogView_Application,NirSoft_FullEventLogView_PowerShell-Operational,NirSoft_FullEventLogView_PrintService-Operational,NirSoft_FullEventLogView_ScheduledTasks,NirSoft_FullEventLogView_Security,NirSoft_FullEventLogView_System,NirSoft_TurnedOnTimesView,NirSoft_WebBrowserDownloads,Nirsoft_WinLogonView,SysInternals_SigCheck,TZWorks_CAFAE_Registry_System,Events-Ripper,Hayabusa,LogParser,MFTECmd,NTFSLogTracker,RECmd_AllBatchFiles,Reghunter,RegRipper,AmcacheParser,AppCompatCacheParser,EvtxECmd,EvtxECmd_RDP,iisGeoLocate,JLECmd,LECmd,PECmd,RBCmd,RecentFileCacheParser,SBECmd,SQLECmd,SQLECmd_Hunt,SrumECmd,SumECmd,WxTCmd,Sync_EvtxECmd,Sync_KAPE,Sync_RECmd,Sync_SQLECmd,Windows_ManageBDE_BitLockerKeys,Windows_ManageBDE_BitLockerStatus --gui

Event log / log scanning and parsing

.\kape.exe --msource E:\ --mdest D:\KAPE_cases\ --module !!ToolSync,PowerShell_Get-ChainsawSigmaRule,Chainsaw,DeepblueCLI,EvtxHussar,Zircolite_Update,Zircolite_Scan,Events-Ripper,hayabusa_EventStatistics,hayabusa_OfflineEventLogs,hayabusa_OfflineLogonSummary,hayabusa_UpdateRules,EvtxECmd,EvtxECmd_RDP,LogParser,iisGeoLocate

Program Execution

.\kape.exe --msource E:\ --mdest D:\KAPE_cases\ --module CCMRUAFinder_RecentlyUsedApps,AmcacheParser,AppCompatCacheParser,PECmd,RecentFileCacheParser --gui

File folder activity

.\kape.exe --msource E:\ --mdest D:\KAPE_cases\ --module BackstageParser,OneDriveExplorer,ThumbCacheViewer,JLECmd,LECmd,RBCmd,SBECmd,WxTCmd --gui

NTFS and FileSystem parsing

.\kape.exe --msource E:\ --mdest D:\KAPE_cases\ --module !!ToolSync,INDXRipper,MFTECmd,NTFSLogTracker,RegRipper,RECmd_AllBatchFiles --gui

System activity

.\kape.exe --msource E:\ --mdest D:\KAPE_cases\ --module SRUMDump,WMI-Parser,RECmd_AllBatchFiles,SrumECmd,SumECmd --gui

Mounted image scanner

.\kape.exe --msource E:\ --mdest D:\KAPE_cases\ --module Loki_Scan --gui
.\kape.exe --msource E:\ --mdest D:\KAPE_cases\ --module DensityScout --gui

Analysis Findings

First, create a spreadsheet that will be the main documentation of your findings especially for Timeline. Include few relavant aspects in the spreadsheet such as:

1. Artifact type
2. Findings
3. Location of artifact
4. Created
5. Accessed
6. Modified
7. Notes / Payload

Live Forensics

1. Check all the results of the script collection (Inquisitor / Kansa / FastIR)

Memory analysis

1. Tool used: Volatility, MemProcFS, MemProcFS-Analyzer
2. Check network connection (netstat, netscan)
3. Check process list (pslist, pstree, psscan, cmdline)
4. Check injected process, dll injection (malfind, dlllist)
5. Dump malicious process (dumpfiles –pid PID)
6. Volatilit3 command: python3 vol.py -f <memdump> <plugin name>
7. MemProcFS command: memprocfs.exe -device D:\mem.raw -forensic 1
8. MemProcFS-Analyzer: .\MemProcFS-Analyzer.ps1

Disk analysis

Mount image

1. Perform KAPE execution on the mounted drive using “KAPE triage” module to extract important artifacts.
2. Run malware scanner on the mounted drive (Loki scanner, THOR scanner, AV scanner, Densityscout)
3. Perform data recovery on the mounted drive using Photorec
4. Check any shadow copy, view it in Shadow Explorer

Autopsy

1. Attach disk in Autopsy
2. Run ingest module “Recent activity” and “Keyword search”
3. Check Data artifacts in Autopsy, record all interesting findings
4. Check file and folder (Access time, and created time)
5. View Timeline Analysis in Autopsy
6. Search any interesting keywords

Windows event logs analysis

1. Located at C:\Windows\System32\winevt\Logs
2. Perform event log scanner
3. Manually view in Event Log Explorer

Interesting log sources

Event log scanner

Important Security Event IDs

Logon type corresponding to Succesfull (4624) or Failed logins (4625)

Other’s log important Event IDs

Event ID KB: https://system32.eventsentry.com/ and https://www.myeventlog.com/search/browse

Triage artifacts parsing and analysis

File Records

MFT Attributes:

1. $STANDARD_INFORMATION ($SI)
2. $FILE_NAME ($FN)
3. $DATA
4. $EA (Extended Attributes)

Other useful tools:

1. analyzeMFT.py: Parse $MFT files and summarize those information
2. MFTRCRD: MFT record decoder for online filesystem
3. Mft2Csv: Parse $MFT files and raw disk images. It can extract resident files from $MFT.
4. Fte: Parse MFT and INDX
5. MFTCarver: Can recover old MFT entries that are not listed in current MFT
6. Bulk Extractor: Contains scanner plug-ins for records of $MFT, $LogFile, $UsnJrnl:$J, $INDEX_ALLOCATION, and utmp structure.
7. NTFS Log Tracker: Parses $Logfile and $UsnJrnl:$J
8. USN Analytics: Parse records of $UsnJrnl that were extracted by BE
9. Indx2Csv: Parse for INDX
10. INDXParse: Parses a single $I30
11. IndxCarver: Can recover old INDX records to get information about deleted files and folders

Follow Windows Time Rules below:

Credit: SANS Windows Forensic Analysis Poster (digital-forensics.sans.org)

System and user Information (via Registry)

Application Execution

File and Folder Opening

Deleted Items and File Existence

Browser activity

Network Usage

USB Usage

AntiVirus logs

Another good reference: https://ruler-project.github.io/ruler-project/RULER/av/

Other Artifacts

Other

• Command to parse all registry in a folder using Regripper

  cd folder_containing_all_registries
  for /r %i in (*) do (C:\RegRipper3.0\rip.exe -r %i -a > %i.txt)
  

• USB usage also can be investigate using “USB Detective Community Edition”
• Nirsoft software might have a good tool for viewing your artifacts
• Reghunter command on the live system: reg_hunter --all -z --outfile reg_hunter_result.txt

Lateral Movement Detection and Investigation

Detail information refer: https://jpcertcc.github.io/ToolAnalysisResultSheet/#

Typically lateral movement will involve with (depend on the attacker TTP):

1. Credential harvesting
2. File sharing
3. Remote login
4. AD enumeration
5. Remote execution
6. Pass-the-hash/ticket
7. Privilege Escalation
8. Golden/Silver Ticket
9. User creation
10. Deleting evidence

Below list shows the sum up of the information in the above reference but focusing only on standard setting and configuration of Windows.

1. Credential harvesting

• Analysts can rely on the Prefetch, MFT, USNJartifact for standard settings on the host computer.
• Various password dump tools that utilize PowerShell can be found in:
  • Microsoft-Windows-PowerShell/Operational
  • C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

2. File sharing

Windows Admin share (net use)

Commonly for transfering their tools and malware. Or can be abuse for exfiltrate data.

3. Remote login

Attacker might utilizes the remote login feature such as RDP, VNC, external software or SSH to login remotely

RDP

Remote tools software

• Check for any installation, files of remote tools or services
• List of remote administaration tool can be refer here: https://ruler-project.github.io/ruler-project/RULER/remote/ and https://docs.google.com/spreadsheets/d/1G_pJ1H2yJeoLUnki6kibujUJ9445M_2hRTEm3kUCf0M
• Identify the software installed and running processes. Oftenly it has agent running.
• Investigate the logs.

SSH

Remote Execution

Pass-The-Hash-Ticket (WCE)

Pass-The-Hash-Ticket (Mimikatz)

PsExec

Memory analysis, find this pipe in the processes:

\\X.X.X.X\pipe\PSEXESVC-<sourcehostname>-<PID>-stdin
\\X.X.X.X\pipe\PSEXESVC-<sourcehostname>-<PID>-stdout
\\X.X.X.X\pipe\PSEXESVC-<sourcehostname>-<PID>-stderr

Remote Services

Scheduled Task

WMIC

WinRM and Powershell

SMB

DCOM

File Transfer

Impacket