
Hey, I've never been so glad to have intro music. Hi everybody, thanks for coming along. I'm Anie Mone, and today we're going to be talking about Windows forensics. I'm going to cover an overview of how a forensic investigation can start out, some key areas to look at, I'll touch very briefly on anti-forensics, and then finally I'll give a couple of ideas for next steps.

First of all I've got to talk about me. I work in the Microsoft cloud SOC, so that is a group of teams that receive alerts or reports of suspicious or damaging behaviour on Azure or the other clouds, and investigate those and respond to them. I've only been in this role three months though; previously I still worked for Microsoft, but it was in product security, so it was all Defender and Sentinel and things. I have a master's in applied cyber security, which I did in 2018 at Queen's in Belfast, and this is where I first came across forensics: there was a little forensics module, and my dissertation was Android forensics related, so that was fun. More recently I passed the GCFE, which is a Windows forensics certification by SANS. Before I got here I had a whole ton of different jobs: for a while I was a teacher, I made VR games, I ran a bookstore, I had an artisan tea company, I worked for the Dyslexia Association and I was an app developer. Way back in the '90s I owned an internet cafe and did network installations, so a lot of different, varied stuff.

I'm also super keen on community stuff; I'm a massive fan of meetups. This slide says I'm currently helping, but I'm now no longer helping to run Infosec NI because I don't live there anymore. I'm still on the committee for BSides Belfast, and my new fun thing is Security Brunch, which is going to be brunch where you talk about security. What's not to love? So look out for the first one of those. I just really believe that community stuff is the bedrock of the industry in terms of accessibility for learning, developing contacts, supporting people through their security careers and as they navigate the industry, and it stops people falling through the cracks. I really believe that if you invest in the community everyone comes out much stronger.

I think it's important for this talk to say what I don't have. I don't have a job where Windows forensics is a big part of my daily work, so this talk is based on the theory I know, some amateur tinkering and what I've learned from the industry just from having a bunch of friends in it. I'm still learning, so this is the journey I'm on so far. I'm also obliged to say that although I work at Microsoft, this is not a Microsoft slide deck and it's not a Microsoft talk; these opinions are all mine. I'm not actually a private investigator either, this is just a fun slide; I can't help you catch your spouse cheating or whatever, sorry. Anyway, let's get started.

So forensics is all about recovering data from systems and investigating it to piece together what happened. That's documents, pictures, multimedia, financial files, internet browsing, email and chat, zipped or encrypted files, and also file artifacts, which are the little pieces of files or
temporary files or deleted files. With Windows forensics there are also a lot of system events and settings that your computer records in order to help improve your user experience, and those can also be used to help work out what happened.

So let's have an example. I've tried to pick a really old example because I didn't want to get into any political trouble; I don't know what it's like to live here. Anyway, in 2017, in the course of investigating another crime, police discovered that the MP Green's work machine contained a vast amount of porn. It was a big news story at the time; it's not secret or anything. He denied it, of course, and he said that he shared a password with the staff in his office, so it wasn't him, it could have been anyone. A lot of MPs at the time came out to support him, and in particular Nadine Dorries tweeted that her staff log into the computer on her desk with her login every day. In fact so many MPs said something similar that the Information Commissioner's Office got involved to investigate and remind everybody about their data handling obligations under GDPR.

But there are a couple of key statements from around that time that I want to consider. On the one hand, the editor Stephen Pollard came out to say he has no idea if Green watched porn or not, but the argument put forward by police that he is guilty just because he was logged in at the time is risible. But is that true? And I saw someone else say at the time, if a forensic examiner said it's true then it's true. But how do we know? Great question.

So Windows forensics is not a monolith; there are lots of different types of investigation that you can do. If you have detected intruders, for example, speed is important: you probably start looking at credentials and logins, and you probably don't care too much about strict preservation of evidence; the goal is to understand quickly what happened and fix it. However, if you're investigating workplace crime, so fraud or stealing company data, you're likely to involve HR or legal in that, and so some evidence preservation may be needed, and you'll focus on different logs: more activity logs, or logs tracking documents or other kinds of data access. For criminal investigations there's a need to balance speed versus evidence preservation. Is it a kidnapping, which means speed is going to be critical? Or is it a multi-year operation making a case against a drug lord, which is going to need watertight evidence? Then you'll need to focus much, much more on chain of custody, on detailed documentation and on creating an audit trail for reproducibility, and the timeline of events will be key too, so you might look more for contacts and external interactions. So again the focus is on different logs. And for private investigation, domestic cases, accident reconstruction for insurance perhaps, things where the results may not end up in court but are still used to make decisions, for that we would really like corroboration and a timeline of events, but we're probably not so concerned about speed or really strict evidence
handling.

OK, so regardless of the type of investigation we're doing, some of the first steps are the same. It is a bit tricky if there's any regulatory involvement, and I just want to remind everybody I don't do this stuff for my day job; especially for law enforcement there's lots of digital evidence preservation and chain of custody stuff that I can't fully speak to.

The first step we would like is triage. You need to prioritise what you need to collect first, and that's based not just on the type of investigation but also on the state you find the machine in, because you have some things to consider. If it's powered up and it's logged in, you can grab a bunch of detail from memory, so sometimes login credentials or chat conversations, but more importantly these days this is when you work out if there's encryption on the disk, because if there is and you turn it off you've lost everything. Other volatile data that you can grab from memory is things like current active network connections, any running apps and listening ports. Now is also the time to collect data from cloud services, if you're legally authorised to do so.

Next we want to think about image capture. We try to work out which logs we will look at first to give the greatest return on investment, because there are way too many, so often at the very start only a partial image is taken at the scene so the investigation can get started. When I say at the scene I don't necessarily mean a police crime scene; this can also be your office fraud scene, wherever the machine happens to be. There are a few different options for this. You can have a physical image, which is an exact copy of the bits on the drive, but it takes a lot longer and it costs more to store and manipulate, and if there's encryption there's a chance it's no use; however, it is the most forensically sound option. A logical image is slightly different: it is the currently accessible contents of the file system, so it's going to miss things like the operating system internals and it's going to miss any fragments or deleted files in unallocated space.

Then finally we get to processing. Ideally this is the part I would like to come in at, just to be handed an image to work on, because then you don't have to deal with all the other stressful stuff. First of all, before we do anything else, we start with a backup, and that's in case our tools accidentally make changes or we mess up. Once we've got our backup we run some tools against the image. We use the tools for speed, and also because the raw logs are mostly in unreadable formats, because they're not really for humans. So while you can do manual work on the logs it's very slow and painful, so you set your tools to work parsing the logs into a nice format that's more understandable, and it's only then that we can really start our analysis of what happened.

So what kind of things can we potentially find? There's kind of too much to cover, so I've just highlighted a few examples on each slide of the things that I thought were interesting.

OK, so the MFT is the Master File Table, and it is a database of info about every single file on the system. It keeps a log of all files that have changed on the system and what caused the change, and it is in UTC timestamps, so we love it. It records things like file size, the timestamps like we said, the permissions (so read, execute, write, modify), and then it links out to the rest of the file content on the hard drive. The timestamps mean that just with the MFT we can build a handy timeline. Now even when a file is deleted from the disk, the record is not actually deleted from the MFT; it just has a flag changed in the MFT so that the computer now knows, hey, you can use this space, but the file data is still in that spot on the hard disk, so if it hasn't been overwritten already you can grab it, or parts of it. Each file has a header which explains what type of file it is, and so the file carving tools that we use to find these look for that and can recover the file or parts of it.

The registry is a database of configuration settings for the hardware and the software and the users in the system. I like to think of it like a big sprawling city: there are lots and lots of different buildings, in this case called registry hives, and they have lots of different uses; they're certainly not all useful to visit. So it's not like when we do this work we understand the whole registry. Just like a big city, what we have is a few places that we know really well and that predictably have the things we're looking for, and there are a few key hives that have the kind of information we know we might need for an investigation. These are the SAM hive, so that has user info (oh, I've gone one slide forward): user info, ID numbers, account creation, last login times, last failed login times, and also some metadata about any cloud accounts associated. The SYSTEM hive is all operating system settings and services. The SECURITY hive is about authentication and user behaviour, file and resource access and any modification
of settings. SOFTWARE is all about application settings and product keys, and NTUSER.DAT is good because there's a separate one for every user, and it contains a lot of those user personalisation settings and logs.

And of course there are just a lot of general logs throughout the system; in fact, out of the box Windows 11 has over a hundred different types of log by default. I know that's scary, but it's not even surveillance really, it's just things that the machine does to function and settings that the operating system or the apps need in order to keep working, that we just happen to be able to use for investigations. For example, when your PC starts, a login prompt pops up for the last user to successfully log in. How does it know who the last user is? How does it know which desktop wallpaper to load for you, or which Dropbox account to connect? It's all logged somewhere. It knows who was the last one to log in because it stores the date and time information with that, and the sign-in logs also record failed logins, whether the logins were remote or at the keyboard, whether they used their Windows account, all that kind of thing.

Logs can generally be text or database, and they come in very variable formats: they can be JSON, Windows Event Log, protobuf, lots of different types. Unfortunately they also have very variable timestamps, and they're not always reliable either. They are usually storing when things are created, accessed and modified, but the timestamps can be in UTC, or they can be in system time, or epoch time, or WebKit time, so you have to be really careful with your analysis because of that. And that is because, again, these logs are not there to do forensic investigations; they're there to do whatever the machine needs done, and sometimes they only need to be in local time.

We're not going to dwell on this; this is just an example of why you don't want to do the manual work on this stuff yourself. We had this in the master's: they sent us out printouts and you had to actually go in and do it by hand, and it was miserable. This is an example of the MFT, and it is all in hexadecimal, but different parts of it show the structure of the next bit. So the bit that starts with 0x30 is always going to be the file name, so this whole section is the file name, and you can go in character by character and work out what the file name is, but using tools is better. The next bit is the ID, and you can go through all of the logs like that. Shellbags, for another example, just randomly: if you look at that as a human being it's difficult to work with and it's difficult to parse. That's why we use the tools, but it's useful to be able to see it and understand it manually if you needed to, because sometimes your tools are giving you different results and you need to go and check under the hood.

Anyway, those are the places we can find the evidence. Let's look at some of the categories of evidence we might look for. So here are just a few examples
of where you could find evidence of file usage. First we have the OpenSaveMRU. MRU stands for most recently used, and it's just a list: it lists and tracks files that have been opened or saved via a dialogue box. Like when you go to save a file and the system opens up the same location as the previous file you saved, this list is how it knows how to do that. Similarly we have the recent files list and the Office recent files MRU, so that tracks your recently opened files, and then when you go to the little dropdown menu and you see your recent files populated, this is how you can quickly reopen what you're working on, and this is where it's stored.

So when you use your computer you can open programs, you can drag their window positions around, you can maximise them and change the size, and if you close them or you shut down your machine, when you open them up again they'll pop back up in the position they were before. How does your computer remember where to put them? Well, you should know by now: of course it logs it, and one of those places is called shellbags. Shellbags stores details on the folders you've accessed on local, network or removable drives; it's per user, it has timestamps for the first and last interaction, and the shellbags entry persists even after the folder is deleted. We also have ShimCache, which is a log that helps with backwards compatibility with older versions of Windows, but it can tell us information about whether you opened a folder and viewed the files in it and whether you launched any files. So if you compare the date times with the ones from shellbags showing what windows were open at the time and what position on the screen they were in, well, now we can tell when the porn was on the screen, and if other things were on the screen at the same time, or maybe within such close timestamps that it was unlikely that the person in the chair changed. We've also got
(sorry, that's a great question; I'm pretty sure it's just the user interaction, but I wouldn't take my word for it, I can check) Thumbs.db and Thumbcache, which you may have heard of. This is the one that stores the little thumbnails of pictures and documents and folders that are used when you open stuff, or even when you just hover over things in the taskbar. You can take these and correlate them with the Windows Search database for the file name and the path and other metadata for that file. And of course we've got cloud storage: even when the files in your cloud storage are not synced locally, the metadata usually exists locally, so that's things like file names and timestamps, which can help us to build a picture of the kind of stuff you're accessing and work out if there might be items of interest stored in your Dropbox that we then need to go and get some more permission for.

So maybe after all this you think, well, I'll just keep it on a USB. Well, you'd be out of luck, because USBSTOR has a list of every USB device that's ever been plugged into your machine. When you plug a USB stick into your computer it records the make and the serial number and the date and time and some other stuff, so when someone's saying, oh, I've never seen that in my life before, that's not mine, we can probably actually tell if it's been in their computer before or not.

So anyway, how does any of this help us? First of all, it proves the user interacted with the files and folders. It gives us a timeline for those user interactions. It identifies any network or removable storage locations that we may also need to investigate. And it helps us just identify trends and the kind of things that people are doing.

For evidence of application usage: LNK files. LNK files are the little things that allow you to pin things to the taskbar or create shortcuts, but there's a log of them of course, along with date and time information about when it was created and when it was last accessed. So even if you delete the program and you delete the taskbar icon, did you remember to delete the LNK file? There are other records specific to the taskbar that include whether the app is in focus on the screen or not, so that helps to corroborate things like whether it was running in the background or whether you were really looking at it. We also have Capability Access Manager, for those times when the system pops up and asks you, do you want to let this app access your microphone or your webcam or your location, and that doesn't just store whether you've given the app permission, it also includes the start and stop times for those services. SRUM, I never know how to say this one, monitors system resource usage, so it stores 30 days of app data per app, including who the user was, the network bytes sent and received, background productivity monitor storage, details about power management, and the full path and last execution. So that's quite a lot of stuff that you can see already from somebody using apps or not. And then of course the one everybody knows about is prefetch. That preloads all the files and directories used by the app so that after the first time, all the other times you open it up it goes much, much faster to load, because it already knows what it needs to show you and can fetch it in the background. It stores the app's first execution time, so you can't say, oh, I've never opened that, and it stores the last eight executions as well and a count of how many times you've run it. These are just a few examples; there are loads more.

Now sometimes log data can be altered or deleted. We'll touch on that later, and that's why we also come back to corroborating evidence: you have to find multiple corroborating things to push past that reasonable doubt. So once again this helps us to prove the
user interaction with applications, to timeline the user interaction with applications, and to identify trends in their usage. Again, all these things have legitimate system or user functions; we're just fortunate that we can also use them for investigations.

Browser activity. OK, so obviously we all know about cookies and cache and bookmarks, but all the major browsers store data in the user profile to make browsing work better. You will maybe already have come across session restore: of course this stores a list of your past websites and the sites that referred them and your session times, so that when you close your browser accidentally you can still open it back up and have all the nice things. We also mostly know about autocomplete data; autocomplete obviously stores websites and search terms and usernames and form data. And here's a sneaky thing: if you think you'll avoid it by never using autocomplete, and you choose "don't ask again for this website" on the little popup, well, how is it going to remember not to ask you again? You've guessed it: it's going to store the website and your choice, so now there's evidence you've been there. The browser may also have a download manager in addition to the system download manager, so that's an extra place where you have to delete things if you were downloading stuff and you wanted to hide it.

So we can see all the files that were downloaded in the browser, and we can also tell where the files came from with alternate data streams. This is a little pointer in the MFT record to additional info, and the additional info can be anything, but everybody has agreed to also use them for Zone IDs. Zone IDs are used in lots and lots of places: they're used in browsers, they're used in email, Slack, Teams, and this is the thing that, when the Office doc pops up to say, hey, you downloaded this file, are you sure you want to enable editing, this is how it knows where it came from. That's an easy way then for investigators to prove where a file came from, and it also includes the URL, unless you're using private browsing. It is also supported in all the forensic tools, so you can easily find things like all the files downloaded last Wednesday. Media history is another one that surprised me: audio and video, you would expect there to be a log somewhere, and it tracks your last play time, which, fair enough, but did you also know it records your watch duration and the last video position? And then the Chrome Network Action Predictor. This one's really interesting and I really love-hate it. This is used when you're typing in your browser to search for something, and it tries to make suggestions about what sites you might like to visit as you type, and it tries to get better at it by recording, letter by letter, what you type, what sites were suggested for each letter, and then how often that's correct. That's super for Google to do some more accurate predictions, not just for you but for everybody, but it's really interesting to me how granular it is, that it's literally recording every single character. So this is a log that's going to show your typed searches. It does also mean, however, that there are suggested websites in this list that were never actually visited by the user.

So once again this is proving user interaction with the websites and the media, it is identifying frequent words and personal information, and it's identifying the source of where files come from. All scary so far.

Let's touch briefly on anti-forensics. Anti-forensics is what we call it when a person deliberately does things to try and avoid creating, or actually removes, evidence of what happened in the system. That can include things like wiping files or logs. We already know from the MFT and unallocated space that regular deletion is not going to be enough, but you can use a secure wiper like SDelete or CCleaner that does a more thorough job
of overwriting the files in the system. Timestamps are not always fully trustworthy. For example, if the modified timestamp is before the creation timestamp, that sometimes happens, but all it shows is that the file has been copied from somewhere else. But also tools like timestomp let you change file timestamps, and that can make key files appear outside of the date scope of your investigation. So you're investigating, you're setting the date range that you're looking for, but if the files have been changed to a different one you're missing them, and so you miss key data, or it casts enough doubt on the integrity that it's no longer evidence. Also changing file headers and extensions to disguise one type of file as another: if you've ever done any CTFs this is quite a common CTF thing, and often you have to open up the file and modify it or you have to change the extension. You can also add a lot of confusion just by doing things across multiple user accounts, because it makes it much harder to join up events. Or just simple things like using the private browser; it's not that it stores no data, but it stores very little data.

However, there are some mitigations for these. We might suspect deleted data whenever expected alerts or other things are conspicuously missing; so in the Sherlock Holmes story there was no incident with the dog in the night-time, and that was the clue, because it was expected to bark at strangers and it didn't. SDelete and CCleaner do rename files, but they do it in a particular pattern, and that might not show you what the files were, but it will show you that there was an intent to conceal something. We can suspect timestamp changes when things don't add up across sources, or the seconds of a file are shown as all zeros, and we can use corroborating sources to try and figure out what that used to be. For both of these problems you can also try using volume shadow copies: they're made by Windows restore points, and they are like a differential of what's on the drive and what was there before, so you can replay them in the forensic tool and view the disk contents as if it was the old version. So if you've spotted files that have been CCleaned or whatever, you can go and look at them, hopefully, in the old version, and the tools are really good, they'll also highlight the changes. You do need to take extra care with timestamp anomalies and timeline logic, but sometimes just paying extra attention helps you identify those. Always check file headers in the tool and examine suspicious file sizes, because files that are unusually big for the file type they would be, that's an indication that something funny is going on there. It's also useful to document accounts that are in scope and out of scope: clearly documenting what's available on the system, even if it's not the main focus of the investigation, makes your report clearer, but also if references to those things appear later on then it's much easier for you to widen the scope as necessary. And, oh, private browsing does leave some little traces, and this changes quite a lot, so it's really good to stay up to date and do some research if you're having to deal with private browsing
stuff. But the main thing to bear in mind, for everything, is that this is why corroboration with multiple sources is so important.

So what are the takeaways? Tools is the first one. There are so many tools, from big software suites that automate and process almost everything, cost an absolute fortune, but add so much speed and integrity to investigations that that's what big enterprises are using. But the free tools are surprisingly good, so things like KAPE, which is very powerful and customisable for processing and collecting logs, and then Eric Zimmerman's tools, which are all open source and there are so many of them, like Timeline Explorer and MFT Explorer. Actually, even some of the tooling that the DART team uses (the DART team is the Detection and Response Team in Microsoft, and they go in when someone's had a breach and try to find out what happened, and obviously it's all very mission critical, everything's on fire), the DART team actually uses tools which are built on top of some of Eric Zimmerman's tools. And excitingly, in the tools area it's quite legitimate to write your own, even if you're fairly new. Windows logs change, and new Windows apps or tools create different logs, and there are lots of niche cases as well; so for example maybe there's a new PC VR headset and you have an interest in what it's storing about the user. So you can make a big impact quite easily just by doing your own tooling.

Jobs: there are all sorts of forensics jobs, from fraud and e-discovery to incident response to law enforcement. Law enforcement can be a little hard to get into; security clearance helps a little, but there's quite a strong need for understanding procedures and evidence handling, ACPO guidelines, those kinds of things. But my recommendation is forensicfocus.com: they have tons of job listings, and it's really interesting to just browse through them. That gives you some of the language that you need to go and search other places as well.

Tons of learning as well. A couple of places you can start out if you're interested are dfir.training or the Hitchhiker's Guide to DFIR (I must put this link somewhere), which is a book that was open-sourced from the DFIR community, so that's kind of cool, and it's pay what you want as well, so you can just pay what you can afford for that one.

People: this is in no way exhaustive. I'm a big believer in learning by osmosis, by keeping the right company, so you can reach out to people or even just follow them on social media, and you start to absorb new knowledge just by listening to them talk, just by reading their posts. These particular ones are focused mostly on the UK because that's where we are.

And the mindset. The mindset is one of the most important parts. Your job isn't just to collect all the data, and it's not even just to parse it into a form that makes sense; you have to also contextualise it, you have to present what conclusions can and can't be drawn from it. So it's important to keep in mind that sometimes the evidence is going to exonerate the person you're hoping it convicts, and that winning is actually about puzzling out the truth, whatever the truth is. And of course stay curious, because that's what drives all of this.

I want to say that I think two of the key skills are, firstly, contemporaneous notes. Contemporaneous notes is when you add notes to the investigation as you go, and they're supposed, in theory, to be reproducible by the next person that comes along. I added this recently because I have now worked in a job where contemporaneous notes would be really freaking useful. There's nothing more frustrating than opening an old investigation to try and deal with an issue or a complaint with it, and the notes are incomplete in a way that means that you either can't reproduce what the investigator found, or, because logs don't hang around forever, the logs are gone and then you have no way of reproducing it. So it's really important to have good note-taking skills; that's a good way to focus. And also to be able to identify key log sources, because this is different all the time: logs change all the time, or organisations have their own proprietary logs, so if you want to do an identity investigation, having an idea in your head of the right places to look for those logs is a good thing. So that's a really fundamental thing, having an idea of what the key log sources are.

OK, thank you for your time. Any questions?
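Editor's note: three points from the talk are easier to see in code than on a hex printout: the MFT attribute whose header starts with 0x30 is $FILE_NAME, log timestamps come in several encodings (FILETIME, Unix epoch, WebKit time) that all need converting to UTC before they can be compared, and timestomped files give themselves away by all-zero sub-second fields or by $STANDARD_INFORMATION times that precede the kernel-maintained $FILE_NAME times. The following is an added example written for this page; it is not code from the talk or from any tool mentioned in it. It constructs a resident $FILE_NAME attribute from sample values (the file name, sizes and dates are made up, not taken from a real image), parses it the way the hand walk-through does, and applies those heuristics.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILE_NAME_ATTR = 0x30          # NTFS attribute type code for $FILE_NAME
TIME_KEYS = ("created", "modified", "mft_modified", "accessed")
BODY_FMT = "<QQQQQQQIIBB"      # $FILE_NAME body up to the name (0x42 bytes)
HEADER_FMT = "<IIBBHHHIHBB"    # resident attribute header (0x18 bytes)


def filetime_to_utc(ft: int) -> datetime:
    """FILETIME: 100-nanosecond ticks since 1601-01-01 UTC (what the MFT stores)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def webkit_to_utc(us: int) -> datetime:
    """WebKit/Chrome time: microseconds since 1601-01-01 UTC (same epoch, 10x coarser)."""
    return EPOCH_1601 + timedelta(microseconds=us)


def unix_to_utc(seconds: int) -> datetime:
    """Unix epoch time: seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def utc_to_filetime(dt: datetime) -> int:
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_file_name_attribute(name, created, modified, mft_modified, accessed, real_size=0):
    """Construct a resident $FILE_NAME attribute (header + body) with the given FILETIMEs."""
    encoded = name.encode("utf-16-le")
    # parent ref (5 = root directory), four timestamps, allocated size, real size,
    # flags, reparse value, name length in characters, namespace (3 = Win32 + DOS)
    body = struct.pack(BODY_FMT, 5, created, modified, mft_modified, accessed,
                       0, real_size, 0, 0, len(name), 3) + encoded
    content_offset = struct.calcsize(HEADER_FMT)
    total = content_offset + len(body)
    total += (-total) % 8                      # attribute records are 8-byte aligned
    # type, total length, non-resident flag, name length, name offset, flags,
    # attribute id, content length, content offset, indexed flag, padding
    header = struct.pack(HEADER_FMT, FILE_NAME_ATTR, total, 0, 0, 0, 0, 0,
                         len(body), content_offset, 1, 0)
    return (header + body).ljust(total, b"\x00")


def parse_file_name_attribute(raw: bytes) -> dict:
    """Walk the header to the body, as the hex slide does by hand, and decode it."""
    attr_type, _total, non_resident = struct.unpack_from("<IIB", raw, 0)
    if attr_type != FILE_NAME_ATTR:
        raise ValueError(f"attribute type 0x{attr_type:x} is not $FILE_NAME (0x30)")
    if non_resident:
        raise ValueError("$FILE_NAME is always resident")
    content_len, content_off = struct.unpack_from("<IH", raw, 0x10)
    body = raw[content_off:content_off + content_len]
    (parent_ref, created, modified, mft_modified, accessed,
     _alloc, real_size, _flags, _reparse, name_len, _ns) = struct.unpack_from(BODY_FMT, body, 0)
    name_off = struct.calcsize(BODY_FMT)
    name = body[name_off:name_off + name_len * 2].decode("utf-16-le")
    return {
        "name": name,
        "parent_record": parent_ref & 0xFFFFFFFFFFFF,   # low 48 bits = MFT record number
        "size": real_size,
        "times": dict(zip(TIME_KEYS, (created, modified, mft_modified, accessed))),
    }


def detect_timestomp(si_times: dict, fn_times: dict) -> list:
    """si_times: $STANDARD_INFORMATION FILETIMEs (what user-mode tools can rewrite);
    fn_times: $FILE_NAME FILETIMEs (kernel-maintained). Both keyed by TIME_KEYS."""
    findings = []
    for key in TIME_KEYS:
        si, fn = si_times[key], fn_times[key]
        if si % 10_000_000 == 0:   # whole seconds: the 100ns fraction was never set
            findings.append(f"{key}: $SI sub-second field is all zeros")
        if si < fn:                # $SI older than $FN: worth explaining, not proof alone
            findings.append(f"{key}: $SI {filetime_to_utc(si):%Y-%m-%d %H:%M:%S} "
                            f"precedes $FN {filetime_to_utc(fn):%Y-%m-%d %H:%M:%S}")
    if si_times["modified"] < si_times["created"]:
        findings.append("modified before created: consistent with a copy, not proof of tampering")
    return findings


def demo():
    """Constructed sample: a file really created 2023-06-14 10:22:31.1234567 UTC whose
    $STANDARD_INFORMATION times were stomped back to 2019-01-01 00:00:00."""
    real = utc_to_filetime(datetime(2023, 6, 14, 10, 22, 31, 123456, tzinfo=timezone.utc)) + 7
    fake = utc_to_filetime(datetime(2019, 1, 1, tzinfo=timezone.utc))
    raw = build_file_name_attribute("invoice.xlsx", real, real, real, real, real_size=18432)
    parsed = parse_file_name_attribute(raw)
    return parsed, detect_timestomp({k: fake for k in TIME_KEYS}, parsed["times"])


if __name__ == "__main__":
    parsed, findings = demo()
    print(parsed["name"], filetime_to_utc(parsed["times"]["created"]).isoformat())
    for finding in findings:
        print("  !", finding)
```

The sub-second check is the cheap one: anything that sets times through the usual APIs at one-second granularity leaves the 100-nanosecond fraction at zero, which real file activity almost never does. The $SI-before-$FN comparison is the stronger one, but as the talk says, it is a reason to go and corroborate (shadow copies, $LogFile, prefetch, shellbags), not a conclusion on its own.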
[Audience question: "Hey, what do you think ..."] This is the highly anticipated question about Microsoft Recall. You'll appreciate that I'm not able to give a full answer to this question, but also, genuinely, I have not been involved in the product and I haven't had my hands on the product. Setting aside my personal opinions about that kind of thing, I think that it looks like it's going to be a fantastic resource for forensicators. Yes. But maybe if I'm drunk in the bar later it'd be different. Honestly, very happy to chat later, hit me up in the bar, and you don't even need to buy me a drink, I'm not drinking. Thank you for coming and listening to me.
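Editor's note: the talk's two file-provenance points, that a downloaded file carries its origin in a Zone.Identifier alternate data stream and that a file's header can contradict the extension it was renamed to, are both checks a practitioner would script. The following is an added example written for this page, not code from the talk; it parses the INI-style text of a Zone.Identifier stream and compares a file's leading bytes against what its extension claims. The sample stream, host names and header bytes are constructed for the example, and `read_zone_identifier` assumes a Windows host where the stream is reachable as `<path>:Zone.Identifier`.

```python
import configparser
from typing import Optional

# Zone IDs written by browsers, mail clients, Teams and friends into file:Zone.Identifier
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Well-known file headers ("magic bytes"), checked against the claimed extension.
SIGNATURES = [
    (b"MZ", "exe"), (b"%PDF-", "pdf"), (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"), (b"PK\x03\x04", "zip"), (b"\x7fELF", "elf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),
]
# Extensions that legitimately share a header family.
EXTENSION_FAMILIES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip",
                      "doc": "ole", "xls": "ole", "msi": "ole", "dll": "exe", "scr": "exe", "sys": "exe"}


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style text of a Zone.Identifier alternate data stream."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(stream_text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section: not a Zone.Identifier stream")
    section = cp["ZoneTransfer"]          # option names are matched case-insensitively
    zone_id = int(section.get("ZoneId", "-1"))
    return {"zone_id": zone_id, "zone": ZONE_NAMES.get(zone_id, "unknown"),
            "referrer": section.get("ReferrerUrl"), "host": section.get("HostUrl")}


def read_zone_identifier(path: str) -> Optional[dict]:
    """Windows only: the stream is opened as '<path>:Zone.Identifier'. None means no mark."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8-sig", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except (FileNotFoundError, OSError):
        return None


def sniff_type(data: bytes) -> Optional[str]:
    """Identify a file by its header, as carving and triage tools do."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def extension_mismatch(filename: str, data: bytes) -> Optional[str]:
    """Return a finding when the header says the file is not what its extension claims."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_FAMILIES.get(ext, ext)
    actual = sniff_type(data)
    if actual is None or actual == claimed:
        return None   # unknown header, or header and extension agree
    return f"{filename}: extension says '{ext}' but the header is '{actual}'"


def triage_download(filename: str, head: bytes, zone_text: Optional[str]) -> dict:
    """Combine both checks for one file: where it came from and whether it is what it claims."""
    result = {"file": filename, "origin": None, "findings": []}
    if zone_text is not None:
        origin = parse_zone_identifier(zone_text)
        result["origin"] = origin
        if origin["zone_id"] >= 3:    # Internet or Restricted: the file was downloaded
            result["findings"].append(
                f"marked from {origin['zone']} (zone {origin['zone_id']}), host {origin['host']}")
    mismatch = extension_mismatch(filename, head)
    if mismatch:
        result["findings"].append(mismatch)
    return result


# Constructed sample data (not from a real system): a "JPEG" that is really a PE executable.
# Real streams use CRLF line endings; configparser strips either.
SAMPLE_ZONE = ("[ZoneTransfer]\n"
               "ZoneId=3\n"
               "ReferrerUrl=https://example.test/gallery/\n"
               "HostUrl=https://cdn.example.test/img/holiday.jpg\n")
SAMPLE_HEAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"

if __name__ == "__main__":
    for key, value in triage_download("holiday.jpg", SAMPLE_HEAD, SAMPLE_ZONE).items():
        print(key, value)
```

On a live Windows host the streams can be listed with `Get-Item -Path <file> -Stream *` and read with `Get-Content -Path <file> -Stream Zone.Identifier` in PowerShell (or `dir /r` in cmd); on an image, the forensic tools expose the same stream alongside the MFT record, which is what lets them answer "everything downloaded last Wednesday". Note that the mark is only as good as the application that wrote it: a file that arrived without one is not proven local, it is just unmarked, and an oversized "image" whose header says `exe` deserves a second look even when the stream is absent.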