FOR500: Windows Forensic Analysis

Overview

The Windows Forensic Analysis course starts with an examination of digital forensics in today's interconnected environments and discusses challenges associated with mobile devices, tablets, cloud storage, and modern Windows operating systems. Hard drive and digital media sizes are increasingly difficult and time-consuming to handle appropriately in digital cases. Being able to acquire data in an efficient and forensically sound manner is crucial to every investigator today. In this course section, we review the core techniques while introducing new triage-based acquisition and extraction capabilities that will increase the speed and efficiency of the acquisition process. We demonstrate how to acquire memory, the NTFS MFT, Windows logs, Registry, and critical files in minutes instead of the hours or days currently spent on acquisition.

We also begin processing our collected evidence using stream-based and file-carving-based extraction capabilities employing both commercial and open-source tools and techniques. Students come away with the knowledge necessary to target the specific data needed to rapidly answer fundamental questions in their cases.

Exercises

• Install the Windows SIFT Workstation and get oriented with its capabilities
• Undertake advanced triage-based acquisition and imaging resulting in rapid acquisition
• Mount acquired disk images and evidence
• Carve important files from free space
• Recover critical user data from the pagefile, hibernation file, memory images, and unallocated space
• Recover chat sessions, web-based email, social networking, and private browsing artifacts
• Parse the wealth of metadata information available in the NTFS Master File Table

Topics

• Windows Operating System Components

  • Key Differences in Modern Windows Operating Systems
• Core Forensic Principles
• Analysis Focus
• Determining Your Scope
• Creating and Investigative Plan
• Live Response and Triage-Based Acquisition Techniques
• RAM Acquisition and Following the Order of Volatility
• Triage-Based Forensics and Fast Forensic Acquisition
• Encryption Detection
• Registry and Locked File Extraction
• Leveraging the Volume Shadow Service
• KAPE Triage Collection
• Windows Image Mounting and Examination
• NTFS File System Overview
• Document and File Metadata
• Volume Shadow Copies
• File and Stream Carving
• Principles of Data Carving
• Recovering File System Metadata
• File and Stream Carving Tools
• Custom Carving Signatures
• Memory, Pagefile, and Unallocated Space Analysis
• Artifact Recovery and Examination
• Chat Application Analysis
• Internet Explorer, Edge, Firefox, Chrome, and InPrivate Browser Recovery
• Email and Webmail, including Yahoo, Outlook.com, and Gmail

Overview

Our journey continues with the Windows Registry, where the digital forensic investigator will learn how to discover critical user and system information pertinent to almost any investigation. You'll learn how to navigate and analyze the Registry to obtain user profile and system data. During this course section, we will demonstrate investigative methods to prove that a specific user performed keyword searches, executed specific programs, opened and saved files, perused folders, and used removable devices.

Data is moving rapidly to the cloud, constituting a significant challenge and risk to the modern enterprise. Cloud storage applications are nearly ubiquitous on both consumer and business systems, causing interesting security and forensic challenges. In a world where some of the most important data is only present on third-party systems, how do we effectively accomplish our investigations? In this section we will dissect OneDrive and OneDrive for Business, Google Drive, Google Workspace (G Suite), Dropbox, and Box applications, deriving artifacts present in application logs and left behind on the endpoint. We'll demonstrate how to discover detailed user activity, the history of deleted files, content in the cloud, and content cached locally. Solutions to the very real challenges of forensic acquisition and proper logging are all discussed. Understanding what can be gained through analysis of these popular applications will also make investigations of less common cloud storage solutions easier.

Throughout this course section, students will use their skills in a real hands-on case, exploring and analyzing a rich set of evidence.

Exercises

• Profile a computer system using evidence found in the Windows Registry
• Conduct a detailed profile of user activity using Registry evidence
• Examine which applications a user executed by examining Registry-based UserAssist, Prefetch, Capability/AccessManager, FeatureUsage, Background Activity Monitor data, and others
• Determine which files and folders a user opened and interacted with via multiple Registry keys tracking user interactions
• Examine recently opened Microsoft 365 and SharePoint files and determine first and last open times
• Identify critical folders accessed by a user via the Common Dialog and Open/Save keys in the Registry
• Perform cloud storage forensics, recovering information on local files, cloud-only files, and deleted items available in logs, application metadata databases, and host-based artifacts.

Topics

• Registry Forensics In-Depth
• Registry Core
• Hives, Keys, and Values
• Registry Last Write Time
• MRU Lists
• Deleted Registry Key Recovery
• Identify Dirty Registry Hives and Recover Missing Data
• Rapidly Search and Timeline Multiple Registry Hives
• Profile Users and Groups
• Discover Usernames and Relevant Security Identifiers
• Last Login
• Last Failed Login
• Login Count
• Password Policy
• Local versus Domain Account Profiling
• Core System Information
• Identify the Current Control Set
• System Name and Version
• Document the System Time Zone
• Audit Installed Applications
• Wireless, Wired, VPN, and Broadband Network Auditing
• Perform Device Geolocation via Network Profiling
• Identify System Updates and Last Shutdown Time
• Registry-Based Malware Persistence Mechanisms
• Identify Webcam and Microphone Usage by Illicit Applications
• User Forensic Data
• Evidence of File Downloads
• Office and Microsoft 365 File History Analysis
• Windows 7, Windows 8/8.1, Windows 10/11 Search History
• Typed Paths and Directories
• Recent Documents
• Search for Documents with Malicious Macros Enabled
• Open Save/Run Dialog Evidence
• Application Execution History via UserAssist, Prefetch, System Resource Usage Monitor (SRUM), FeatureUsage, and BAM/DAM
• Cloud Storage Forensics
• Microsoft OneDrive
• OneDrive Files on Demand
• Microsoft OneDrive for Business
• OneDrive Unified Audit Logs
• Google Drive for Desktop
• Google Workspace (G Suite) Logging
• Google Protobuf Data Format
• Dropbox
• Dropbox Decryption
• Dropbox Logging
• Box Drive
• Synchronization and Timestamps
• Forensic Acquisition Challenges
• User Activity Enumeration
• Automating SQLite Database Parsing

Overview

Being able to show the first and last time a file or folder was opened is a critical analysis skill. Shell item analysis, including shortcut (LNK), Jump List, and ShellBag artifacts, allows investigators to quickly pinpoint the times of file and folder usage per user. The knowledge obtained by examining shell items is crucial to perform damage assessments, track user activity in intellectual property theft cases, and track where hackers spent time in the network.

Removable storage device investigations are an essential part of performing digital forensics. In this course section, students will learn how to perform in-depth USB device examinations on all modern Windows versions. You will learn how to determine when a storage device was first and last plugged in, its vendor/make/model, drive capacity, and even the unique serial number of the device used.

Exercises

• Understand the difference between mass storage class (MSC), human interface devices (HID), and media transfer protocol (MTP) devices
• Track USB devices and BYOD devices connected to the system using the Registry, event logs, and file system artifacts.
• Determine first and last connected times of USB devices
• Determine last removal time of USB devices
• Explore the new removable device auditing features introduced in Windows 8 and Windows 10
• Use shortcut (LNK) file analysis to determine first/last times a file was opened, and track files and folders present on removable media and across network shares
• Use Shell Bag Registry Key Analysis to audit accessed folders
• Use Jump List examination to determine when files were accessed by specific programs.

Topics

• Shell Item Forensics
• Shortcut Files (LNK) - Evidence of File Opening
• Windows 7-10 Jump Lists - Evidence of File Opening and Program Execution
• ShellBag Analysis - Evidence of Folder Access
• USB and BYOD Forensic Examinations
• Vendor/Make/Version
• Unique Serial Number
• Last Drive Letter
• MountPoints2 and Drive Mapping Per User (Including Mapped Shares)
• Volume Name and Serial Number
• Username that Used the USB Device
• Time of First USB Device Connection
• Time of Last USB Device Connection
• Time of Last USB Device Removal
• Drive Capacity
• Auditing BYOD Devices at Scale
• Identify Malicious HID USB Devices

Overview

Depending on the type of investigation and authorization, a wealth of evidence can be unearthed through the analysis of email files. Recovered email can bring excellent corroborating information to an investigation, and its informality often provides very incriminating evidence. Finding and collecting email is often one of our biggest challenges as it is common for users to have email existing simultaneously on their workstation, on the company email server, on a mobile device, and in multiple cloud or webmail accounts.

The Windows Search Index can index up to a million items on the file system, including file content, email, and over 600 kinds of metadata per file. It is an under-utilized resource providing profound forensic capabilities. Similarly, the System Resource Usage Monitor (SRUM), one of our most exciting digital artifacts, can help determine many important user actions, including network usage per application and historical VPN and wireless network usage. Imagine the ability to audit network usage by cloud storage and identify excessive usage by remote access tools even after execution of counter-forensic programs

Finally, Windows event log analysis has solved more cases than possibly any other type of analysis. Windows 11 now includes over 300 logs, and understanding the locations and content of the available log files is crucial to the success of any investigator. Many researchers overlook these records because they do not have adequate knowledge or tools to get the job done efficiently. This section arms investigators with the core knowledge and capability to maintain and build upon this crucial skill for many years to come.

Exercises

• Employ best-of-breed forensic tools to search for relevant email and file attachments in large data sets
• Analyze message headers and gauge email authenticity using SPF and DKIM
• Understand how Extended MAPI Headers can be used in an investigation
• Effectively collect evidence from Exchange, Microsoft 365, and Google Workspace (G Suite)
• Learn the latest on Unified Audit Logs in Microsoft 365
• Search for webmail and mobile email remnants
• Use forensic software to recover deleted objects from email archives
• Gain experience with a commercial email forensics and e-discovery suite
• Extract and review document metadata present in email archives
• Understand the tools and logs necessary to respond to business email compromise events
• Analyze the various versions of the Windows Recycle Bin
• Use the System Resource Usage Monitor (SRUM) to answer questions with data never before available in Windows forensics
• Track cloud storage usage hour by hour on a target system
• Parse the Windows Search Index and take advantage of extended metadata collection
• Merge event logs and perform advanced filtering to easily get through millions of events
• Profile account usage and determine logon session length
• Identify evidence of time manipulation on a system
• Supplement registry analysis with BYOD device auditing
• Analyze historical records of wireless network associations and geolocate a device

Topics

• Email Forensics
• Evidence of User Communication
• How Email Works
• Email Header Examination
• Email Authenticity
• Determining a Sender's Geographic Location
• Extended MAPI Headers
• Host-Based Email Forensics
• Exchange Recoverable Items
• Exchange and M365 Evidence Acquisition and Mail Export
• Exchange and M365 Compliance Search and eDiscovery
• Unified Audit Logs in Microsoft 365
• Google Workspace (G Suite) Logging
• Recovering Data from Google Workspace Users
• Web and Cloud-Based Email
• Webmail Acquisition
• Email Searching and Examination
• Mobile Email Remnants
• Business Email Compromise Investigations
• Forensicating Additional Windows OS Artifacts
• Windows Search Index Database Forensics
• Extensible Storage Engine (ESE) Database Recovery and Repair
• Windows Thumbcache Analysis
• Windows Recycle Bin Analysis (XP, Windows 7-10)
• System Resource Usage Monitor (SRUM)
• Connected Networks, Duration, and Bandwidth Usage
• Applications Run and Bytes Sent/Received Per Application
• Application Push Notifications
• Energy Usage
• Windows Event Log Analysis
• Event Logs that Matter to a Digital Forensic Investigator
• EVTX and EVT Log Files
• Track Account Usage, including RDP, Brute Force Password Attacks, and Rogue Local Account Usage
• Prove System Time Manipulation
• Track BYOD and External Devices
• Microsoft Office Alert Logging
• Geo-locate a Device via Event Logs

Overview

With the increasing use of the web and the shift toward web-based applications and cloud computing, browser forensic analysis is a critical skill. During this section, students will comprehensively explore web browser evidence created during the use of Internet Explorer, Microsoft Edge, Firefox, and Google Chrome. The hands-on skills taught here, such as SQLite and ESE database parsing, allow investigators to extend these methods to nearly any browser they encounter. Students will learn how to examine every significant artifact stored by the browser, including cookies, visit and download history, Internet cache files, browser extensions, and form data. We will show you how to find these records and identify the common mistakes investigators make when interpreting browser artifacts. You will also learn how to analyze some of the more obscure (and powerful) browser artifacts, such as session restore, HTML5 web storage, zoom levels, predictive site prefetching, and private browsing remnants. Browser synchronization is explained, providing investigative artifacts derived from other devices in use by the subject of the investigation. Finally, skills to investigate Chromium-based Electron Applications are introduced, opening capabilities to investigate hundreds of third-party Windows applications using this framework, including chat clients like Discord, Signal, Skype, Microsoft Teams, Slack, WhatsApp, Yammer, Asana, and more.

Throughout the section, students will use their skills in real hands-on cases, exploring evidence created by Chrome, Firefox, Microsoft Edge, and Internet Explorer correlated with other Windows operating system artifacts.

Exercises

• Learn to manually parse SQLite databases from Firefox, Chrome, and Microsoft Edge
• Explore the similarities and differences between Google Chrome and Microsoft Edge
• Track a suspect's activity in browser history and cache files and identify local file access
• Analyze artifacts found within the Extensible Storage Engine (ESE) database format
• Examine which files a suspect downloaded
• Determine URLs that suspects typed, clicked on, bookmarked, or were merely re-directed to while web browsing
• Parse automatic crash recovery files to reconstruct multiple previous browser sessions
• Identify anti-forensics activity and re-construct private browsing sessions
• Investigate browser auto-complete and form data, bringing the investigation closer to a "hands-on keyboard"
• Learn how each browser synchronizes data with other devices and how to leverage synchronized data to audit activity occurring on previously unknown user devices like mobile phones, tablets, and other workstations.
• Recover Microsoft Teams chats via local Electron Application databases

Topics

• Browser Forensics
  • History
  • Cache
  • Searches
  • Downloads
  • Understanding Browser Timestamps
  • Chrome
    • Chrome File Locations
    • Correlating URLs and Visits Tables for Historical Context
    • History and Page Transition Types
    • Chrome Preferences File
    • Web Data, Shortcuts, and Network Action Predictor Databases
    • Chrome Timestamps
    • Cache Examinations
    • Download History
    • Media History
    • Web Storage, IndexDB, and the HTML5 File System
    • Chrome Session Recovery
    • Chrome Profiles Feature
    • Chromium Snapshots folder
    • Identifying Cross-Device Chrome Synchronization
  • Edge
    • Chromium Edge vs. Google Chrome
    • History, Cache, Cookies, Download History, and Session Recovery
    • Microsoft Edge Collections
    • Edge Internet Explorer Mode
    • Chrome and Edge Extensions
    • Edge Artifact Synchronization and Tracking Multiple Profiles
    • Edge HTML and the Spartan.edb Database
    • Reading List, WebNotes, Top Sites, and SweptTabs
  • Internet Explorer
    • Internet Explorer Essentials and the Browser That Will Not Die
    • WebCache.dat Database Examination
    • Internet Explorer and Local File Access
  • Electron Applications and Chat Client Forensics
    • Electron Application Structure
    • Electron Chromium Cache
    • LevelDB Structure and Tools
    • Manual Parsing of LevelDB
    • Specialized LevelDB parsers
  • Firefox
    • Firefox Artifact Locations
    • SQLite Files and Firefox Quantum Updates
    • Download History
    • Firefox Cache2 Examinations
    • Detailed Visit Type Data
    • Form History
    • Session Recovery
    • Firefox Extensions
    • Firefox Cross-Device Synchronization
  • Private Browsing and Browser Artifact Recovery
    • Chrome, Edge, and Firefox Private Browsing
    • Investigating the Tor Browser
    • Identifying Selective Database Deletion
  • SQLite and ESE Database Carving and Examination of Additional Browser Artifacts
    • DOM and Web Storage Objects
    • Rebuilding Cached Web Pages
    • Browser Ancestry
    • Capturing Stored Browser Credentials

Overview

Nothing will prepare you more as an investigator than a full hands-on challenge that requires you to use the skills and knowledge presented throughout the course. With the option to work individually or in teams, students will be provided new evidence to analyze, and the exercise will step them through the entire case flow, including proper acquisition, analysis, and reporting of investigative findings. Fast forensics techniques will be used in order to rapidly profile computer usage and discover the most critical pieces of evidence to answer investigative questions.

This complex case involves an investigation into one of the most recent versions of the Windows operating system. The evidence is from real devices and provides the most realistic training opportunity currently available. Solving the case requires students to use all of the skills gained from each of the previous course sections.

The section concludes with a mock trial involving presentations of the evidence collected. The team with the best in-class presentation and documentation wins the challenge - and solves the case!

Exercises

• Full-length Windows 10 forensic challenge
• Bonus: One additional complete take home exercise to continue honing your skills!

Topics

• Digital Forensics Capstone
• Analysis
• Process and Triage a New Full Set of Evidence
• Find Critical Evidence Following the Evidence Analysis Methods Discussed Throughout the Week
• Examine Memory, Registry, Chat, Browser, Recovered Files, Synchronized Artifacts, Installed Malware, and More
• Reporting
• Build an Investigative Timeline
• Answer Critical Investigative Questions with Factual Evidence
• Practice Executive Summary and Report Generation
• Present Technical Case Findings