Windows forensics Part 1 of 2 : A comprehensive guide to evidence collection and analysis

Larbi OUIYZME



Windows forensic investigation is a critical process for uncovering evidence and analyzing post-exploit activity on a system. This guide provides an in-depth look into the essential commands and techniques used in Windows forensics, covering network discovery, scanning, user management, system configuration, and much more. These techniques are invaluable for identifying the nature of a breach, understanding attacker behavior, and preserving crucial evidence for further analysis.

Explore the Digital Forensic Resources by Exterro (FTK Imager)

Creating a forensic disk image : Preserving evidence on Windows systems

In the initial steps of digital forensics on a Windows machine, safeguarding evidence is the top priority. The first critical task is to create a forensic image of the disk so that the original is never worked on directly. This can be done with a trusted tool such as FTK Imager, which produces a bit-for-bit copy of the drive (raw/dd or E01 format), preserving every sector, including deleted files, slack space and hidden partitions, exactly as found. The source drive should sit behind a write blocker, and the MD5/SHA-1 hashes the tool computes during acquisition must be recorded and re-verified on the copy before analysis starts; a copy whose hash does not match is not evidence. Full-disk encryption changes the order of operations: an offline image of a BitLocker-protected volume is ciphertext, so either capture the recovery key (and, if possible, a logical image of the unlocked volume) while the system is still running, or obtain the recovery password or credentials so the image can be decrypted afterwards. Once the image is created and verified, analysis proceeds on a working copy with a tool such as Autopsy, which allows detailed file-system exploration while the original disk stays untouched, maintaining the integrity of the evidence for any legal proceedings.

RAM dump analysis : Capturing volatile data for comprehensive forensics

Capturing a memory (RAM) dump is equally important, as it holds volatile data that disappears when the computer is powered off: running processes, network connections, logged-on users, decrypted content and encryption keys (including the key of a mounted BitLocker volume) that may never be written to disk. Because it is the most volatile evidence, it is captured first, before disk imaging and before the machine is rebooted or shut down. Tools like FTK Imager or Belkasoft Live RAM Capturer (a free product) acquire a memory image from the running system; the capture tool itself runs on the evidence machine and leaves a small footprint (a process, a loaded driver, the output file), which you document rather than try to avoid. Record the hash of the dump as soon as it is written. The image is then analysed with software such as Volatility or Redline, which can reveal injected code, hidden processes, malware and other activity that was occurring at the time of capture. This volatile data often holds evidence that disk analysis alone cannot uncover, making memory dumps an essential component of a thorough forensic investigation.
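The two checks the acquisition paragraphs above depend on, as an added example (this is not code from the original article or from FTK Imager): recording the BitLocker state and recovery password before the system is powered off, and verifying the hash of the finished image against the value FTK Imager reported. The paths, the file names and the placeholder hash are assumptions; the image is assumed to be a raw (dd) image written as a single file.

```powershell
# Added example, not code from the original article or from FTK Imager. Get-EncryptionState
# runs on the live suspect system before it is powered off; Test-AcquisitionHash runs on the
# examiner workstation over the finished image and memory dump.
# Assumptions: elevated Windows PowerShell 5.1 with the BitLocker module (Pro/Enterprise
# editions); the image is a raw (dd) image written as one file; the SHA-1 that FTK Imager
# printed in its acquisition summary is supplied by the examiner.
function Get-EncryptionState {
    # An offline image of a BitLocker volume is ciphertext, so record the volume state and
    # the recovery password(s) while the OS still holds the key. Treat the output as
    # sensitive case material.
    Get-BitLockerVolume | ForEach-Object {
        $rp = $_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus        # FullyDecrypted: an offline image is readable as-is
            ProtectionStatus = $_.ProtectionStatus
            EncryptionMethod = $_.EncryptionMethod
            KeyProtectors    = ($_.KeyProtector.KeyProtectorType -join ',')
            RecoveryKeyIds   = ($rp.KeyProtectorId -join ',')
            RecoveryPassword = ($rp.RecoveryPassword -join ',')
        }
    }
}

function Test-AcquisitionHash {
    param(
        [Parameter(Mandatory)] [string] $ImagePath,
        [string] $ReportedSha1,                         # from the FTK Imager summary, if there is one
        [string] $ManifestPath = (Join-Path (Split-Path -Parent $ImagePath) 'manifest.csv')
    )
    # FTK Imager hashes the data stream it read from the drive. For a raw image written as
    # one file that equals the file hash; for E01 it does not (the container adds its own
    # metadata and compression), so verify E01 images with FTK Imager's Verify Drive/Image.
    $sha1     = (Get-FileHash -LiteralPath $ImagePath -Algorithm SHA1).Hash
    $sha256   = (Get-FileHash -LiteralPath $ImagePath -Algorithm SHA256).Hash
    $verified = if ($ReportedSha1) { $sha1 -ieq $ReportedSha1.Trim() } else { $null }
    $record = [pscustomobject]@{
        File     = $ImagePath
        Bytes    = (Get-Item -LiteralPath $ImagePath).Length
        SHA1     = $sha1
        SHA256   = $sha256
        Verified = $verified                             # $null when no reference hash was given
        Examiner = "$env:USERDOMAIN\$env:USERNAME"
        TimeUtc  = (Get-Date).ToUniversalTime().ToString('o')
    }
    $record | Export-Csv -LiteralPath $ManifestPath -Append -NoTypeInformation   # chain-of-custody record
    if ($verified -eq $false) { Write-Warning "SHA1 mismatch for ${ImagePath}: this copy is not the acquired data." }
    $record
}

# Usage:
# Get-EncryptionState | Format-List                          # on the suspect system, before power-off
# Test-AcquisitionHash -ImagePath 'E:\Case001\disk.dd' -ReportedSha1 '<hash from FTK Imager summary>'
# Test-AcquisitionHash -ImagePath 'E:\Case001\memdump.mem'   # no reference hash; recorded for chain of custody
```

The manifest row is appended rather than overwritten so that every verification (and every later re-verification) stays in the case file with the examiner name and UTC time.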

1. Network Discovery and Monitoring

One of the first steps in a forensic investigation is understanding the network environment and identifying active connections and shared resources. The following commands discover visible hosts, shares and open sessions (run them from an elevated prompt; net session in particular requires one):

  • net view : Lists the computers visible in the local domain or workgroup browse list.
  • net view \\HOSTNAME /all : Retrieves the shares offered by a specific host, including the hidden ($) shares.
  • net share : Displays the shares offered by the local machine, including the administrative shares (C$, ADMIN$, IPC$).
  • net session : Lists the sessions other hosts currently have open to this machine, with the user name and client address of each.
  • wmic volume list brief : Lists the system's volumes.
  • wmic share get : Displays the local shares through WMI (the same data as net share). Note that wmic is deprecated and has been removed from recent Windows 11 builds; Get-CimInstance Win32_Share is the PowerShell equivalent.

For scanning network addresses, you can use:

  • nbtstat -A <IP_address> : Retrieves the NetBIOS name table of a host (including the logged-on user name when the host answers on UDP 137).
  • A batch ping sweep of a subnet, typed at the cmd prompt (in a .bat file write %%I instead of %I):
for /L %I in (1,1,254) do @ping -w 30 -n 1 192.168.1.%I | find "TTL=" >> output.txt

Filtering on "TTL=" rather than "Reply" matters: Windows also prints "Reply from <gateway>: Destination host unreachable" for dead addresses, so find "Reply" records false positives, whereas "TTL=" only appears on a genuine echo reply. Keep in mind that a sweep is active and noisy: it generates traffic from the host under investigation and may be logged elsewhere, so record when you ran it.

2. Wi-Fi Networks and Stored Credentials

Investigating saved Wi-Fi profiles and their corresponding passwords can reveal useful information about past connections (which networks the machine joined, and keys an attacker could have harvested):

  • netsh wlan show profiles : Lists all saved Wi-Fi profiles.
  • netsh wlan show profile <profile_name> key=clear : Reveals the saved key for a specific profile. Requires an elevated prompt; the Key Content line only appears for networks with a stored pre-shared key, not for open or enterprise (802.1X) networks.

3. Network Connections and Traffic Monitoring

For tracking network traffic and active connections, these commands are essential (the -b switch needs an elevated prompt):

  • netstat -e : Displays Ethernet statistics (bytes and packets sent and received).
  • netstat -naob : Shows all connections and listening ports in numeric form, with the owning process ID and executable name.
  • netstat -vb : Like -b, but also lists the sequence of components (DLLs) that created each connection.
  • route print : Shows the routing table, including any route an attacker added.
  • arp -a : Lists the ARP cache of the system, i.e. which neighbours the host has recently talked to.

4. Firewall Control and Management

Firewall rules show which traffic the host accepts, which is crucial for understanding an attack vector, and an attacker-added allow rule is itself evidence:

  • netsh advfirewall show allprofiles : Shows whether the firewall is on for the domain, private and public profiles, and the default inbound and outbound action of each.
  • netsh advfirewall firewall show rule name=all : Lists all firewall rules (the firewall keyword is required).

The following commands change the firewall state. They are listed so you can recognise them in an attacker's command history, not to be run on an evidence system:

  • netsh advfirewall set allprofiles state on : Enables the firewall for all profiles.
  • netsh advfirewall set allprofiles state off : Disables the firewall for all profiles.

Adding a rule that opens a port or an application looks like this :

netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80
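An added example (not code from the original article) of the check behind this section: the enabled inbound allow rules as objects, with their ports, programs and policy source, and a comparison against a baseline export so that a rule like the one above stands out. It assumes Windows 8 / Server 2012 or later (NetSecurity module) and that the baseline CSV was produced by the same function on a known-good build.

```powershell
# Added example, not code from the original article: enabled inbound allow rules as objects
# (the filtered content of "netsh advfirewall firewall show rule name=all") and a diff
# against a baseline export. Assumptions: Windows 8 / Server 2012 or later; the baseline
# CSV comes from Get-InboundAllowRules run on a known-good host of the same build.
function Get-InboundAllowRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Profile   = [string]$_.Profile
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
            Program   = $app.Program
            Store     = [string]$_.PolicyStoreSourceType   # Local rules (not GroupPolicy) are the ones to scrutinise
        }
    }
}

function Compare-FirewallBaseline([string]$BaselineCsv) {
    # Rules present on this host but absent from the baseline
    $baseline = Import-Csv -LiteralPath $BaselineCsv
    Compare-Object -ReferenceObject $baseline -DifferenceObject (Get-InboundAllowRules) `
                   -Property Name, Protocol, LocalPort, Program |
        Where-Object SideIndicator -eq '=>' |
        Select-Object Name, Protocol, LocalPort, Program
}

# Usage:
# Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction   # read-only view of profile state
# Get-InboundAllowRules | Export-Csv .\fw_baseline.csv -NoTypeInformation     # on a known-good host
# Compare-FirewallBaseline .\fw_baseline.csv                                   # on the host under investigation
```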

5. User Management

Which accounts exist, which of them are administrators, and when they were created or last used is a key area of forensic investigation. The commands below are also the ones attackers use to add a backdoor account and make it an administrator; on an evidence system you only run the read-only forms, but you need to recognise the others in shell history and in the Security log (event 4720, account created; event 4732, member added to a local group):

  • net user <username> <password> /add : Adds a new user (documented order: user name, then password, then /add).
  • net localgroup administrators <username> /add : Adds the user to the Administrators group.
  • net user <username> : Displays details about a specific user account, including last logon and password-last-set times.

Changing a password and listing all accounts :

  • net user <username> <new_password> : Changes the user's password (state-changing).
  • net user : Lists all local user accounts (net users is accepted as an alias).
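The read-only side of this section as an added example (not code from the original article): local accounts with the timestamps an investigator compares against the incident window, the members of Administrators, and the Security events that record exactly what the net user /add and net localgroup /add commands above leave behind. It assumes an elevated Windows PowerShell 5.1 prompt (LocalAccounts module) and that the User Account Management and Security Group Management audit subcategories were enabled when the events occurred; the 30-day default window is an arbitrary choice.

```powershell
# Added example, not code from the original article: local account inventory plus the
# Security events 4720 (account created) and 4732 (member added to a local group).
# Assumptions: elevated Windows PowerShell 5.1; the relevant audit subcategories were on.
function Get-LocalAccountTriage {
    param([datetime]$Since = (Get-Date).AddDays(-30))   # default window chosen for the example

    $admins   = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
    $accounts = Get-LocalUser | ForEach-Object {
        $rid = [int](($_.SID.Value -split '-')[-1])
        [pscustomobject]@{
            Name            = $_.Name
            Enabled         = $_.Enabled
            IsLocalAdmin    = ($admins -contains "$env:COMPUTERNAME\$($_.Name)")
            Rid             = $rid
            CreatedAfterOS  = ($rid -ge 1000)           # built-in accounts have RIDs below 1000
            LastLogon       = $_.LastLogon
            PasswordLastSet = $_.PasswordLastSet
            Description     = $_.Description
        }
    }

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData fields are named in the event XML, so read them by name
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $member = if ($data['MemberName'] -and $data['MemberName'] -ne '-') { $data['MemberName'] } else { $data['MemberSid'] }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Event  = if ($_.Id -eq 4720) { 'AccountCreated' } else { 'AddedToGroup' }
                Target = if ($_.Id -eq 4720) { $data['TargetUserName'] } else { $member }
                Group  = if ($_.Id -eq 4732) { $data['TargetUserName'] } else { $null }
                Actor  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }

    [pscustomobject]@{ Accounts = $accounts; AdminMembers = $admins; AccountEvents = @($events) }
}

# Usage:
# $t = Get-LocalAccountTriage -Since (Get-Date '2024-01-01')
# $t.Accounts      | Format-Table -AutoSize
# $t.AccountEvents | Format-Table -AutoSize
```

An account with a RID of 1000 or higher, no description, a recent PasswordLastSet and a matching 4720 event from an unexpected actor is the pattern the section's "add user, add to administrators" commands produce.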

6. Service Management

Analysing services helps identify malicious or misconfigured services; a service is also a common persistence mechanism, so its image path, start mode and run-as account all matter:

  • wmic service list brief | findstr "Running" : Lists all running services.
  • wmic service list config : Provides the configuration of all services, including the image path, start mode and the account each runs as.
  • sc query : Lists services without wmic, and sc qc "service_name" shows one service's configuration; use these on recent Windows 11 builds, where wmic has been removed.
  • sc stop "service_name" : Stops a service.
  • wmic service where name='service_name' call ChangeStartMode Disabled : Disables a service from starting automatically.

The last two change the system and belong to containment rather than evidence collection: stopping a malicious service may trigger a watchdog or destroy in-memory evidence, so capture memory first and document the action.

7. Scheduled Tasks and Autoruns

Scheduled tasks and startup entries are common methods used by attackers to maintain persistence on compromised systems:

  • schtasks /query /fo LIST /v : Lists scheduled tasks with their actions, triggers, author and run-as user.
  • wmic startup list full : Lists programs configured to start automatically from the Run keys and the Startup folders.

8. Registry Investigation

The Windows registry is a vital source of information for forensics, storing configuration details and potentially malicious entries:

  • reg query "HKCU\Control Panel\Desktop" : Queries a specific registry key.
  • reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections : Shows whether Remote Desktop is enabled (0 = connections allowed, 1 = denied).
  • reg query "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp : Shows whether Remote Assistance is enabled (1 = allowed).

Enabling Remote Desktop is a one-line change, so the write form is worth recognising when it appears in an attacker's command history:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

This sets fDenyTSConnections to 0 (RDP enabled); /d 1 denies connections again. Do not run it on an evidence system.
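One survey across sections 6, 7 and 8, as an added example (not code from the original article): services, scheduled tasks and Run/RunOnce keys are collected into one list of (source, name, image, command) entries, each marked with the points an analyst checks first, and the RDP and Remote Assistance flags are read alongside. It assumes an elevated Windows PowerShell 5.1 prompt on the live system or on a booted copy of the image (Get-ScheduledTask needs Windows 8 / Server 2012 or later); the "user-writable path" patterns are the author's heuristics.

```powershell
# Added example, not code from the original article. Surveys the persistence points from
# sections 6 to 8 (services, scheduled tasks, Run/RunOnce keys) together with the RDP and
# Remote Assistance registry flags, and marks the findings an analyst checks first.
# Assumptions: elevated Windows PowerShell 5.1 on the live system or a booted copy of the
# image; Get-ScheduledTask needs Windows 8 / Server 2012 or later; the path patterns below
# are heuristics chosen for this example.
function Get-PersistenceTriage {
    $userWritable = '\\Users\\', '\\Temp\\', '\\ProgramData\\', '\\Public\\'

    function Get-ImagePath([string]$cmd) {
        # First executable in a command line: a quoted path, else everything up to the first .exe
        if (-not $cmd) { return $null }
        $cmd = [Environment]::ExpandEnvironmentVariables($cmd)
        if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
        if ($cmd -match '^(.+?\.exe)') { return $Matches[1] }
        return ($cmd -split '\s+')[0]
    }

    function New-Entry([string]$Source, [string]$Name, [string]$Command, [string]$Context) {
        $img   = Get-ImagePath $Command
        $flags = @()
        if ($img -and ($userWritable | Where-Object { $img -match $_ })) { $flags += 'user-writable-path' }
        # An unquoted image path containing spaces: classic service-path hijack condition
        if ($Command -and $Command -notmatch '^"' -and ($Command -split '\.exe')[0] -match '\s') { $flags += 'unquoted-path' }
        if ($img -and -not (Test-Path -LiteralPath $img)) { $flags += 'image-missing' }
        elseif ($img -and (Get-AuthenticodeSignature -LiteralPath $img).Status -ne 'Valid') { $flags += 'unsigned' }
        [pscustomobject]@{ Source = $Source; Name = $Name; Image = $img; Command = $Command
                           Context = $Context; Flags = ($flags -join ',') }
    }

    # 6. Services: the data of "wmic service list config"
    Get-CimInstance Win32_Service | ForEach-Object {
        New-Entry 'Service' $_.Name $_.PathName "$($_.StartMode)/$($_.State) as $($_.StartName)"
    }

    # 7. Scheduled tasks: every executable action of every enabled task
    Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
        $task = $_
        $task.Actions | Where-Object { $_.Execute } | ForEach-Object {
            New-Entry 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" ("$($_.Execute) $($_.Arguments)".Trim()) $task.Principal.UserId
        }
    }

    # 8. Run/RunOnce keys (the registry side of "wmic startup list full")
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { New-Entry 'RunKey' $_.Name ([string]$_.Value) $key }
    }

    # Remote-access flags: fDenyTSConnections 0 = RDP enabled; fAllowToGetHelp 1 = Remote Assistance enabled
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -ErrorAction SilentlyContinue
    New-Entry 'Config' 'fDenyTSConnections' $null "value=$($ts.fDenyTSConnections) (0 = RDP enabled)"
    New-Entry 'Config' 'fAllowToGetHelp'    $null "value=$($ra.fAllowToGetHelp) (1 = Remote Assistance enabled)"
}

# Usage: review flagged entries first, then export everything for the case file.
# Get-PersistenceTriage | Where-Object Flags | Format-Table Source, Name, Image, Flags -AutoSize
# Get-PersistenceTriage | Export-Csv -Path .\persistence.csv -NoTypeInformation
```

Entries whose command is a host binary (rundll32.exe, regsvr32.exe, powershell.exe, mshta.exe) pass the signature check because the host is signed; for those, read the Command column, since the payload is in the arguments.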

9. Volume Shadow Copy and File System Investigation

Analysing shadow copies and file-system activity is important for recovering deleted or altered data: a shadow copy holds an earlier state of the volume, including files and registry hives that have since been modified or wiped:

  • vssadmin list shadows : Lists the shadow copies on the system with their creation time and the device object (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN) through which each can be read.
  • vssadmin list shadowstorage : Displays the shadow storage used and allowed on each volume.

An empty list on a system that should have restore points is itself a finding: attackers commonly delete shadow copies (vssadmin delete shadows /all) before encrypting or wiping files.
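The next step after listing shadow copies, as an added example (not code from the original article): enumerate them as objects, expose one through a directory symbolic link, and copy a file out of it, for instance an older copy of a registry hive. It assumes an elevated Windows PowerShell 5.1 prompt on the live system; the link name and the destination path are assumptions. Creating the link writes one directory entry on the system drive, which you record as an examiner action.

```powershell
# Added example, not code from the original article: "vssadmin list shadows" as objects, and a
# helper that exposes a shadow copy via a directory symbolic link and copies a file out of it.
# Assumptions: elevated Windows PowerShell 5.1 on the live system; the link is created on the
# system drive and removed afterwards (the link only, never the snapshot).
function Get-ShadowCopyInventory {
    $vols = @{}
    Get-CimInstance Win32_Volume | ForEach-Object { $vols[$_.DeviceID] = $_.DriveLetter }
    Get-CimInstance Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{
            Id           = $_.ID
            Volume       = $vols[$_.VolumeName]
            Created      = $_.InstallDate
            DeviceObject = $_.DeviceObject     # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    }
}

function Copy-FromShadowCopy {
    param(
        [Parameter(Mandatory)] [string] $DeviceObject,   # from Get-ShadowCopyInventory
        [Parameter(Mandatory)] [string] $RelativePath,   # e.g. 'Windows\System32\config\SYSTEM'
        [Parameter(Mandatory)] [string] $Destination     # where the copy is written, e.g. an evidence drive
    )
    # In the snapshot the hive is not locked by the OS, so a plain copy succeeds
    $link = Join-Path $env:SystemDrive ('vss_' + [guid]::NewGuid().ToString('N').Substring(0, 8))
    cmd /c mklink /d "$link" "$DeviceObject\" | Out-Null     # trailing backslash is required
    try {
        Copy-Item -LiteralPath (Join-Path $link $RelativePath) -Destination $Destination -Force
        Get-FileHash -LiteralPath $Destination -Algorithm SHA256   # record with the copy
    } finally {
        cmd /c rmdir "$link" | Out-Null                          # removes the link, not the snapshot
    }
}

# Usage:
# $shadows = Get-ShadowCopyInventory | Sort-Object Created
# $shadows | Format-Table -AutoSize
# Copy-FromShadowCopy -DeviceObject $shadows[0].DeviceObject -RelativePath 'Windows\System32\config\SYSTEM' -Destination 'E:\Case001\SYSTEM.vss'
```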

10. System and Security Configuration

Gathering system information, installed patches and the security configuration helps identify unpatched software and, just as importantly, gaps in auditing that limit what the logs can tell you:

  • systeminfo : Retrieves detailed information about the operating system, hardware, boot time and installed hotfixes.
  • wmic qfe : Lists installed patches with their install dates.
  • gpresult /r : Displays the applied Group Policy objects for the computer and the current user.

For logging and auditing purposes (both need an elevated prompt):

  • wevtutil gl Security : Shows the Security log configuration (file path, maximum size, retention), which determines how far back the log can reach.
  • auditpol /get /category:* : Retrieves the current audit policy per subcategory, which determines whether logons, process creation and account changes are being recorded at all.
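The two logging commands turned into a posture check, as an added example (not code from the original article): which of the audit subcategories an investigation relies on are set to "No Auditing", how far back the Security log reaches, whether it has been cleared (event 1102), and when the last update was installed. It assumes an elevated Windows PowerShell 5.1 prompt and an English UI (auditpol's subcategory names are localised); the list of subcategories it checks is the author's selection.

```powershell
# Added example, not code from the original article: parses "auditpol /get /category:* /r"
# (CSV report format) and reads the Security log configuration that "wevtutil gl Security"
# prints. Assumptions: elevated Windows PowerShell 5.1, English UI; the subcategory list is a
# selection made for this example.
function Get-AuditPolicyGaps {
    $needed = 'Credential Validation', 'Logon', 'Logoff', 'Special Logon', 'Process Creation',
              'User Account Management', 'Security Group Management', 'Audit Policy Change',
              'Security State Change', 'Other Object Access Events'   # scheduled-task events live here
    $rows = auditpol /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    foreach ($r in $rows) {
        if ($needed -contains $r.Subcategory) {
            [pscustomobject]@{
                Subcategory = $r.Subcategory
                Setting     = $r.'Inclusion Setting'     # Success, Failure, Success and Failure, No Auditing
                Gap         = ($r.'Inclusion Setting' -eq 'No Auditing')
            }
        }
    }
}

function Get-SecurityLogState {
    $log     = Get-WinEvent -ListLog Security
    $oldest  = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    $cleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            [pscustomobject]@{ Time = $_.TimeCreated; By = $x.Event.UserData.LogFileCleared.SubjectUserName }
        }
    $lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        LogPath       = $log.LogFilePath
        MaxSizeMB     = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        RecordCount   = $log.RecordCount
        OldestRecord  = $oldest.TimeCreated      # start of the window the log still covers
        ClearedEvents = @($cleared)              # any entry here needs an explanation
        LastHotFix    = "$($lastPatch.HotFixID) on $($lastPatch.InstalledOn)"
    }
}

# Usage:
# Get-AuditPolicyGaps | Where-Object Gap | Format-Table -AutoSize
# Get-SecurityLogState | Format-List
```

If OldestRecord is later than the suspected start of the incident, the Security log alone cannot cover it, and the small MaxSizeMB that usually explains this is itself worth noting in the report.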

11. Rebooting and Shutdown

In certain scenarios investigators need to reboot or shut down a system during the forensic process, for instance to boot a forensic live environment for offline imaging:

  • shutdown.exe /r /t 0 : Reboots immediately (without /t 0 there is a 30-second delay).

A reboot destroys everything in memory (running processes, network connections, in-memory-only malware, encryption keys), so capture RAM first; it also changes the disk, since event logs, prefetch files and registry hives are written during shutdown, so record the time of the reboot in the case notes.

12. Conclusion

Windows forensic investigation involves a combination of system commands, network discovery, user management, and system configuration analysis to thoroughly understand an incident or potential breach. The techniques outlined above provide a robust toolkit for any forensic investigator, enabling efficient evidence collection and a deep understanding of system behavior post-exploitation.

N.B. (nota bene) :

  1. Forensic professionals must continuously adapt and stay informed about new forensic techniques and tools to stay ahead of evolving cyber threats.
  2. In the next article, we will cover the PsTools Suite : Essential Sysinternals Utilities for Windows Forensics.


I'm Larbi, from Morocco. IT trainer and Chief Information Security Officer (CISO), I'm committed to share knowledge. Also, Ham Radio CN8FF passionate about RF