
Hello and welcome to Overlooked Artifacts: Enhancing Windows Forensic Analysis. My name is Fernando Tomlinson, and I'll be going through this topic today.

A little bit about myself: I'm with the United States Army. I've been in the Army for 20 years now, where I'm a cyber security professional focused on defensive and offensive tactics and techniques. I'm an adjunct cyber security professor, where I teach cyber security related topics as well as programming topics. I'm a developer of various blue and red team tools, and where I can pry them out of the government's hands, if you will, I like to post those on my GitHub so I can share them with the community. There are a number of other educational cyber security related platforms that I'm the author or co-author of, and I'll talk about those a little bit later, near the end of our presentation. If you're looking to connect with me, here's my presence on the internet, if you will.

All right, so enough about me. Let's get into why you're really here, and this really sets the stage for that calling, if you will. We're going to go through a number of aspects, really looking at an artifact that, while it exists, in my opinion is certainly overlooked and not talked about enough.

That brings us to this picture of this dog, and you may be asking, okay, what's this about? Well, it's really setting the stage for when someone or something is doing wrong. In this case we have a dog trying to take some cookies off the counter. They're fresh out of the oven, and the aroma is such that the dog is willing to risk it all. The dog at the core may realize, and I'll certainly say does realize, that he or she should not be grabbing those cookies, but instead decides to do so anyway, and this is largely because the dog may feel like he or she can get away with it. We can go deeper if we want to talk about the way a dog thinks and everything else, but work with me here.

Now the same could be said for malicious actors. These actors are consistently trying to gain access to a network, on a daily basis, every second of the day, and when they gain said access they're looking to set a foothold for follow-on actions. Do they know what they're doing is wrong? Absolutely. Do they care? Absolutely not. They're looking at the prize as opposed to what's going to happen should they get caught.

Which brings us to the next part. Inevitably, when a malicious actor is doing anything on a system, much like a user with innocent intent working on a computer, there are artifacts being left, being developed on a machine, and where a malicious cyber actor can see them, they may seek to wipe or clean up those artifacts. In some cases they may not wipe or clean up those artifacts, and for them it's like, who cares? But when they do, it makes it a little bit difficult for us, the defender, to be able to illuminate and highlight such activity and the steps that they actually took. I bring that point up as we talk about this picture because in my fictitious world the dog would have snatched the whole plate of cookies, and the cookies and the plate would have smashed on the floor. The dog would be trying to clean up, and inevitably, no matter how well he or she thinks they did, they're going to leave crumbs on the floor. There might be parts of the plate, although broken up, under the cupboard, or when the plate splattered it went to a different part of the kitchen that one may not think to clean up afterwards. Nonetheless, they have cleaned up and they feel pretty good about it, or they feel that whatever is left, their owner is not going to be able to see.

That brings us again to the malicious cyber actors. No matter what they clean up, there's always an artifact that we can find, unless we just straight up destroy the machine. The real thing is that we as cyber security professionals need to be illuminated, or made aware, that an event or incident took place for us to then want to go deeper and do such analysis. When we get to that point of analysis, well, what is it that we're talking about? We're talking about actually doing forensics. When you look at a number of organizations or entities in this space, they all define forensics differently when I look at the words on a screen, but largely, when I look at the meaning or the output of how they define forensics, they're all saying the same thing. When we think of forensics, we're essentially thinking of how we are going to collect, do analysis and present our findings in such a way that paints a story or a sequence of events.

That brings us to the forensics process, and when we think about the forensics process, there are a number of them out there, but I like to look to something objective. In this case we'll use the National Institute of Standards and Technology (NIST), namely NIST 800-86, and this breaks it down into four categories: collection, examination, analysis and reporting. From the collection standpoint, we're going to look to identify any potential source of data and acquire data from those data sources. This is going to be done in such a way that is forensically sound, so if we're called upon to defend our analysis, we can certainly ensure that there are no holes in what we did for somebody to call us out on. That brings us to the examination aspect. This is where we look to not only assess but also extract the relevant pieces of information from our collected data. The data that we do analysis on may involve us trying to bypass or mitigate operating system or application features that obscure data or code from us, things like data compression, encryption or access control mechanisms.
From an analysis standpoint, this is where, at the point that we've already extracted that relevant data, we are actually doing our true analysis. Go figure, the analysis stage contains the analysis. This is where we're studying and analyzing the data to draw conclusions from it, and we want to make sure we're doing this in a methodical way so we reach an appropriate conclusion without skipping over information. This analysis should help to identify the relevant aspects of what we're charged with doing and what we're charged with answering, so our analysis should seek to answer specific questions. Often we'll be able to correlate data amongst multiple sources that we would have collected.

Finally, that brings us to the reporting aspect. This is where we get to not only report, if you will, but present the findings of our analysis. We're going to present this in such a way that it's easily digestible for the techies but also speaks in terms that leadership can understand. Now, with all that being said, we're not going to focus on all of them. For the purpose of this talk we're only going to focus on three: collection, examination and analysis, and the artifact that I'm speaking of is going to span all three.

So let's really paint the situation here. We find ourselves where a suspected intrusion has occurred. The customer, when we're called upon, lacks the event, firewall and application logs, heck, any logs at large. The IDS isn't working, and packet captures? What's a packet capture? Now, from that perspective, what have the malicious actors done? They've not only removed their malware, but they've cleaned or wiped any tracks that they are aware of that would be indicative of something or someone being there. Where does that leave us? That leaves us with the only clues we have, or whatever is not stomped on by the customer, because as you know, when things are deleted they're not actually deleted from disk right out of the gate. The pointer associated with where that data is on disk is what is actually removed, so as things are continuously being done on the disk, that information could be overwritten. This is where time is of the essence. We understand at that point, and we feel like, okay, this is going to be a long day, week, what have you, and our mood is not so good. But as true professionals, cyber security professionals, we are constantly thinking about how we can prove this, or do something outside the box, and as we understand what our goal is, we find other ways to achieve it.

And this brings us to the actual artifact itself that we're going to talk about: the System Resource Utilization Monitor. You may be asking, well, what's this System Resource Utilization Monitor? I'll refer to it as SRUM from this point forward. Essentially it is an artifact first seen in Windows 8. Yogesh Khatri is actually the one who first found it and brought it to light, so we thank him for that; his analysis and research have really set the stage for a lot of this. The actual SRUM database is part of the Diagnostic Policy Service, so if we want to stop writing to the database, we can actually affect the service, which then precludes the writing from taking place.
Now, this whole thing collects statistics on network connections, Windows applications, services and applications as a whole. This is great, because when we think about an actor being on a system, we understand that on-disk binaries are going to be executed and processes are going to be created and terminated at some point. We also recognize that an actor generally, in most cases, is not interactively on the system, so they're going to have to traverse some form of network connection, and this is where the SRUM database actually helps us as well.

Now, this whole thing is going to be stored in an Extensible Storage Engine (ESE) database sitting in System32, and historically speaking we can go back roughly 30 to 60 days within this database. There are a number of tables, and how much data the tables contain certainly varies. So on our system we're going to be in the system root, and within System32\sru we'll see the SRUM database listed as SRUDB.dat. Looking at the screenshot, we see a number of other items there as well; those are transaction logs that are associated with the database. If we want to get a copy of it on a live system, we're not going to be able to, because that database is actually locked by the operating system. Think of it kind of like registry hives: on disk they sit in System32\config, however when that system boots those hives on disk get loaded into memory. Same kind of principle here.

All right, so when we're looking at it from a GUI perspective, when we're in Task Manager and we go to the App history tab, we're seeing information that is being fed from the SRUM database. We're seeing the statistics on applications. It does this for apps and desktop applications, but by default we only see the apps. If we want to change that, we can go to Options, Show history for all processes. What can we do with this? We not only see the binary that's executing, we see how much processing time it's had, and we see the network traffic associated with it as a whole. We don't see where the binary is on disk from this view; however, if we were to right-click any of them and select Properties, we would be able to see that. In a case where you see uninstalled processes, that just indicates that the binary itself no longer exists in the place in which it executed, or it may not exist on disk at all. That's just what it tells us.

Moving on from that perspective, we start to look at how the data is collected. There are DLLs associated with the service, and when the DLLs catch and write this data, it's stored in the registry, and it gets written to the actual database once every hour or upon system shutdown. From that perspective, where in the registry is it going to be stored? We see that location there as well, and we can navigate out there and see that information.

All right, so this little chart helps to tie together a couple of things. When we go look at that registry location that was on the previous slide, we'll see the SRUM Extensions key, and under there we'll see keys named what we see there: App Timeline Provider, Windows Network Data Usage, all that good stuff. For each one we'll have a DLL that is associated with it that is being loaded and doing the capturing for each one of those extensions. When we look at the database, the database doesn't have these extensions in a nomenclature that we understand; instead it has the GUID. So I took the GUID listed in the database and married it up with the extension listed in the registry, and then in the last column, all the way to the right, I tried to put a nomenclature that was easily digestible, readable and understood by most. Now, you'll see some that are unknown, and this is largely because I don't know; documentation about this database and how it really works is scarce, so it's a continuous thing to understand and learn more about it.

The other big thing I want to highlight here is the last one, the SruDbIdMapTable. There is certain data in these tables that is essentially blobs, blobs of data that are not human readable, and you can think of the SruDbIdMapTable as a lookup table. The lookup table is going to have a subset of information that we'll then be able to make sense of, translate, and use to replace the blob with normal data. We're going to have to do that ourselves, and I'll talk about a couple of ways that we can do that, but for the purpose of this talk these are the five tables that we're going to focus on. Four of them are focused on data that we can glean, and the fifth is that lookup table that we need to be able to make sense of some of the data that we find in the database.

All right, so in that SruDbIdMapTable, again, we're going to find a blob, and the map table contains three columns, so three properties: IdType, IdIndex and IdBlob. I'll focus on
the ID type. If the type is 1, that indicates that the data in the blob column is an actual base64 encoded string, so we can make sense of it by decoding it, and that's going to be the same thing if it's 0, 1 or 2. Now, if the value of IdType is 3, then the blob on that same row is going to be a SID, and we'll be able to reverse that process to illuminate that SID. This is where the SruDbIdMapTable is hugely important, or else we're just going to have data that we can't do anything with.

So to get after this, I developed a PowerShell script to really make sense of this information for me. Highlighted, or circled, in orange is where I'm checking to see if the type equals 3, and if so, I'm going to start my conversion process to bring it back to an actual SID. You'll see in red where I'm converting the blob, where the type was 3, from hex to bytes, and then in green I'm actually converting the bytes to the raw SID. I've said before that if it's 0, 1 or 2, then it's going to be a base64 encoded string, if you will, and all we've got to do is decode that. So if it's not a 3 for IdType, it's going to be 0, 1 or 2, and then in blue is where I'm just decoding that base64 encoded string.

All right, now looking at those four tables, one of them is network connectivity. This is where we start to dive into: what does that do for me? Some of the available information in there is the application that was executed, the user ID, the network interface type, the wireless profile. Holy crap, yeah, if it was hooked up to wireless we can get the SSID, and it will be in there as well. We'll have to use the SOFTWARE hive from the registry to be able to translate that, but yes, we can get it. We can get the connection time and the total connected time for that connection. Forensically speaking, I now have the time frame associated with an application. I won't be able to get the true time, but I have a time frame. I'll be able to get the user who executed it, and a potential location of the device, specifically if I know where specific SSIDs are. Say I'm in an organization, and we for some reason have wireless in our organization and each floor has its own SSID, or it says Starbucks or something like that, off of a particular area. That just kind of helps us, or we might be able to look to something like WiGLE to help pinpoint that. The connection duration: was it short, was it a short burst, what was it? And are these connections unusual or not? Is this indicative of something that other people in our organization use, or is this a one-off? Is this something indicative of what this user, that persona, or this workstation uses, or is that a one-off?

That brings us to network data usage. From a GUI perspective, again in Task Manager, we'd be able to look at this from Performance. The big difference here is this doesn't have the connection start time or the total connected time, but it starts to give us a lot of the same data as the previous one. A big difference here is we get the bytes sent and the bytes received. Holy cow. So I may have a process, we'll call it nando.exe, and I'm thinking that it is malware that no longer exists on disk, and when I look at the bytes sent and bytes received, I'm seeing a substantial amount of bytes being sent out. That could be indicative of exfil. That's a game changer for us. We get things like the timeline, or the time frame, the application executed, just like the other one; we get a potential indication of exfil, like I just talked about, and that's a big game changer; we also get the location, or being able to kind of figure out if it's unusual from that perspective. But looking at both of those, this is data that's already being collected, and it's on by default. Whoa.

All right, so that brings us to application resource usage. This starts to get to the application, so we see the application, the user SID, how much time it's in the foreground or background, cycle time, network bytes read and written, context switches. That helps us with the time frame of the application and the user that executed it, at least the SID, and then we'll be able to take that and translate it. We could do that in the registry if it's local, or we could do that within Active Directory
if we need to go to the domain. We start to highlight again potential exfil of data based upon how much data is being written or being sent in and out. This also corresponds to Task Manager within App history as well.

And then lastly we have the application timeline. This is going to focus on a lot of the stuff that the previous one, application resource usage, focused on, but we also get the duration and the span, and we also get the total bytes associated with the connection; however, it's not broken down by read and write like the other one. This may be able to help us find things like, I don't know, crypto miners actually executing on our system, and like the other one, we'll find this in App history. So we see a hodgepodge of that information shown there for us.

So now we start to see this. What are the tools that we can use to parse this data? You have an EnScript parser that Yogesh Khatri, the person who did the initial research and found the majority of this, created, and he's got links out there; however, the links are dead, and if you want to get that EnScript parser you need to go back to the Wayback Machine to retrieve it. If we're using an EnScript parser, you guessed it, we need to be using EnCase, and this is going to work off an offline system: offline analysis. We also have Velociraptor's ESE parser. Velociraptor is an endpoint cyber security solution, open source, free in nature, that's going to allow us to do online analysis of this database. This is going to require that you're using the endpoint cyber security solution, so if your organization is not using it, I wouldn't say go get this just for that, but if you are using it, it's your lucky day. You also have srum-dump, which requires an external binary. It works off of live and offline databases, so that's good, but if you're in an organization where you have to jump through all kinds of hoops to be able to use binaries that aren't approved, or there's some type of accreditation process, that may not work for your organization. We also have SrumECmd, which is going to require an external binary as well, and it works for offline analysis. We have ESEDatabaseView, and that's going to be a portable executable requiring yet another external binary, and it's going to be offline in nature. Now, the five that I've talked about thus far are great tools, and they do exactly what's needed. Your environment would dictate which of the five, if any, you'll use.

Which brings me to my last one, Invoke-SRUMDump. Invoke-SRUMDump is something that I created, and it works on pure PowerShell. I say pure; this one has .NET in the background, but really what I'm trying to highlight is that you don't need anything additional aside from a Windows machine, which is where the SRUM database would actually be, so that's going to be Windows specific. This allows us to dump the contents of this to Excel sheets, or workbooks, so that way we can do our analysis from that. We could do it off a live or an offline machine. If we're doing it off a live machine, we're going to need admin rights; that's no different than the other tools that I talked about, they also need admin rights if we're doing it off a live machine. This is going to help us normalize and translate fields within the database with other tables, specifically that SruDbIdMapTable that I talked about, where I can certainly translate that. And guess what? If you feed it the SOFTWARE hive, it will also pull up that SSID I mentioned and put that in your output, making this a one-stop shop for you to be able to really do your analysis.
Sorry, I've got to get ahead of myself here. All right, so with that, that brings us to our data translation and interpretation. These timestamps are going to be in UTC. In UTC we're talking a 64-bit FILETIME only format, and that's one of the things that we're going to have to translate, so here are a couple of lines of code where we can translate that using PowerShell, and that's what's being done in our code there. The network interfaces aspect is going to be in such a format that we'll need to translate as well; there's some bit shifting and some ANDing that we'll have to do to make that useful. And then, guess what, the SIDs I talked about: I also have to translate those as well. So those are the big things that have to be translated and interpreted within the database for us to be able to make sense of it.

Now, if we want to copy the database, we have a couple of options. If we're doing offline analysis we don't need any special tools; we mount it using whatever forensics tool set of choice gives us access to that disk. If we're talking about online and we want to copy it, we could use something like FTK Imager, we can use Volume Shadow Copies to get it, we can download HoboCopy to our machine, we can use Robocopy, or you could do the method that I did, where I utilized PowerShell.

Now, when you're running Invoke-SRUMDump, regardless of whether you're doing live or offline, but for the purpose of this I'll say I did live, it's going to copy that SRUM database and create a folder on the user's desktop called SRUM and the date. That's fully customizable; you can have it point to a different directory if you want to, but if you don't feed it a directory, by default that's where it goes, and it copies it there. Then, as it parses the data in the database, these Excel documents are stored in that same directory.

So as I go through this, what does that look like for us? I have an example here where that data is parsed and I have a time frame associated with my analysis. Specifically, I'm looking for 1 September. On 1 September I see Netcat being executed, as we see covered in red there, and then in the next column we see the SID. Again, we don't have the actual user; we can get that information, but now we have the SID that previously was a blob of data, translated into something that we can read from a human perspective, and we can look within the registry or in AD to understand what user that is. We see a couple of other things such as the duration and the span, so that's great. But right after that I start to see stuff like whoami, tasklist, cmd, ipconfig, netsh, arp, reg. Now, I'm not saying all these commands are malicious; they have a legitimate use, they're part of the operating system, but it almost seems like Netcat happened. I want to see how much data was sent and received; I'll get to that in a second. And then we see a series of commands that could be indicative of an actual survey taking place on the machine. Okay, that's interesting.

That brings us to actual network connectivity, and when I look at network connectivity in this instance, I was unable to get the actual application and the user SID, but because I have the time frame associated with it, I can look at it from that perspective, and I see that the machine was connected to an SSID called FBI Surveillance. Now, I think somebody's trolling me here, but nonetheless I have the actual SSID. Also, in the next column after that, I see the connected time, how long it's been connected, and I see the connection start time. Okay, well, that's super helpful, because then I get to a point where I look at the actual network data, and I see Netcat actually was sending bytes over the wire. I then see the SID associated with it, again that time frame, this being written once an hour. Again, I see that it was off of the FBI Surveillance SSID, and although I've cut some of the properties, the columns, off, I at least captured the bytes sent and the bytes received. So, not a whole lot sent, not necessarily a whole lot received, but certainly it did communicate over the wire, and I am concerned with that. So now I've taken essentially data that didn't really prove anything to me, I didn't even have a good place to do analysis, and I at least have this. This is immutable at the moment, so an attacker stomping on it is not going to be so easy. But given this, and really what we can glean
from it at large, you may be thinking, well, this is the answer to all my problems, and I'm here to tell you yes, but no, it's not. I recall being on a ransomware case where we caught it left of the boom, if you will. The attacker gained access, they moved laterally all over the network, brute forcing their way around, and they laid down a number of implants. The AV product that was in this network was capturing when their implant was beaconing out and bringing down a different stage and writing it to disk. That AV product was misconfigured, so although it was captured and taken off of disk, we didn't have artifacts in the AV product to see what it was, and I didn't know what was going on at the time. However, when I looked in the SRUM database, I was able to see, holy crap, this guy downloaded a million of these things. Then we were able to dig a little bit deeper to understand that the AV product had actually done its job and it was poorly configured, so we couldn't actually see it; however, we saw everything that touched disk, and this guy was just trying his poor heart out. Now, I don't know that we would have seen it elsewhere, because of our position and when we got called in to this incident.

All right, so if you think this is the holy grail, if you will, I'm telling you it's certainly nice, but not everything. What's the bad part? Here are some limitations and concerns. The database stores up to 30 to 60 days; this isn't going to get you years back. If you think about something like SolarWinds, well, 30 to 60 days didn't do you any good, because we're talking a large scale of months. The data is written to the database every 60 minutes, or when the system is shut down, so that's a limitation. And documentation is certainly scarce; you have some research by a couple of individuals out there, but largely you're not going to find a whole lot about it.

All right, so if you're on the other side of the fence and you're like, well, hey, how do I circumvent this? I like to use the Pyramid of Pain from the opposite perspective and kind of point it like this. We've already said that there's a service associated with this, so if we disable the service, that's certainly going to be easy right off the gate for us to mitigate this. Then, going up the pyramid, we can delete the staged data in the registry; now we might have an EDR that's going to illuminate that, and to be able to delete within the registry we need to have a certain level of rights. Same thing about stopping that service: our access, and really what we have available to us, may vary and shape what we're going to be able to do. We could terminate the threads associated with this service that are running in the context of a process; that allows us to still have the process and everything running with the service, but the actual threads or handles within it would be terminated, and those are the ones that are really doing the work. So now we start to evade any EDR that may be running in this organization. And then lastly, if we're lucky enough to position ourselves in such a space, we can operate solely in memory, which kind of precludes this from being a thing at all.

All right, so where does that leave me? That leads me to future work. What is it that I want to do? I really want to get after parsing the rest of the tables and turning those unknowns into knowns. I want to add a SID lookup capability in there so I'm not just providing you the SID; instead I'm providing you the actual user as well. There are so many other tables and so much information that can be gleaned. I want to be able to translate other aspects of the database to make this something you look to first as
opposed to something you think of only when nothing else is available.

All right, so that brings me kind of to the end. However, you may have noticed that I used some PowerShell magic to get after this, and as you know, PowerShell is built in to all Windows machines and is now cross-platform and available on Mac and Linux, so this is a good time for you to learn PowerShell, because you were able to see what I was able to do with it. A couple of ways that you can do that: you can look to a site that I and some friends put together called Under the Wire. It was first developed in 2015. We have 75 interactive challenges; they're linear in nature, so you're going to do one after the other. To date, over 190,000 unique people have played Under the Wire, from 78 countries. This platform really focuses on the core aspects of learning the language. When you think you've honed your skills there, I challenge you to do PoshHunter. PoshHunter is something I developed back in 2017. This contains 90 challenges, all interactive as well, defensive and offensive focused, again blue and red team focused, and they're non-linear, so you can jump around. I'm going to give you a virtual machine and some tasks; you'll complete those tasks, you'll then submit those answers, and you'll get points. This gives you the perspective, or really puts you in the perspective, of somebody who's utilizing PowerShell offensively or somebody who's going to utilize PowerShell defensively. At any rate, you're going to walk away a better positioned individual.

With all that being said, that brings me to the end. If you're interested in a copy of this presentation, it'll be hanging out there on my website, as you see before you. If you want to get a hold of Invoke-SRUMDump, luckily the government didn't tie my hands on that, so I have that out there on my GitHub, where you can go and download it and use it to your heart's content. If you want to connect, because maybe you and I speak the same language, let's do that on Twitter; you see my handle there. With that, I appreciate everything the BSides Charlotte folks have done to put this on this year. This isn't my first year, and it certainly won't be my last. This is such a great conference, and I hope you're enjoying yourself. Thank you.
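Editor's added example for the collection step the talk describes (SRUDB.dat locked by the Diagnostic Policy Service, transaction logs beside it, the SOFTWARE hive needed for SSID translation, staged data under the SRUM Extensions registry key). This is not Invoke-SRUMDump and not code shown in the talk; of the copy options the speaker lists it takes the Volume Shadow Copy route. The output folder name, the CSV file names and the choice to hash everything are my assumptions. It must run from an elevated Windows PowerShell session, since creating a shadow copy and a directory symlink both need administrator rights.

```powershell
# Added example, not the talk's or Invoke-SRUMDump's code. Copies the locked SRUM
# database, its ESE transaction logs and the SOFTWARE hive from a live host by
# snapshotting the system volume, and records which DLL backs each SRUM extension.
# Output folder SRUM_<timestamp> on the desktop is an assumption.
#Requires -RunAsAdministrator
param(
    [string]$OutDir = (Join-Path $env:USERPROFILE ('Desktop\SRUM_{0}' -f (Get-Date -Format 'yyyyMMdd_HHmmss')))
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Data not yet flushed to SRUDB.dat is staged under this key; each subkey is the
# extension GUID and its default value is the DLL doing the capturing. Saving this
# lets you marry the GUID-named tables in the database to readable names later.
$extKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions'
Get-ChildItem -Path $extKey | ForEach-Object {
    [pscustomobject]@{ ExtensionGuid = $_.PSChildName; Dll = $_.GetValue('') }
} | Export-Csv -Path (Join-Path $OutDir 'srum_extensions.csv') -NoTypeInformation

# SRUDB.dat is held open by the service, so read it from a VSS snapshot instead
# of the live volume. Invoke-CimMethod works in both Windows PowerShell and PowerShell 7.
$created = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
    -Arguments @{ Volume = "$env:SystemDrive\"; Context = 'ClientAccessible' }
if ($created.ReturnValue -ne 0) { throw "Shadow copy creation failed, return code $($created.ReturnValue)" }
$shadow = Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object ID -eq $created.ShadowID
$device = $shadow.DeviceObject + '\'     # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\

# A directory symlink makes the snapshot reachable through ordinary file APIs.
$link = Join-Path $OutDir 'shadow'
cmd /c mklink /d "$link" "$device" | Out-Null
try {
    # Take the .log/.jrs/.chk files next to SRUDB.dat too (the transaction logs in
    # the talk's screenshot) so the database can be brought to a clean state offline.
    Copy-Item -Path (Join-Path $link 'Windows\System32\sru\*') -Destination $OutDir -Force
    # The SOFTWARE hive is what translates the wireless profile reference to an SSID.
    Copy-Item -Path (Join-Path $link 'Windows\System32\config\SOFTWARE') -Destination $OutDir -Force
    # Hash the collection so the copies can be defended later (NIST 800-86 collection step).
    Get-ChildItem -Path $OutDir -File | Get-FileHash -Algorithm SHA256 |
        Select-Object Algorithm, Hash, Path |
        Export-Csv -Path (Join-Path $OutDir 'collection_hashes.csv') -NoTypeInformation
}
finally {
    # Always remove the symlink and the snapshot; the copied files remain in $OutDir.
    cmd /c rmdir "$link" | Out-Null
    vssadmin delete shadows "/shadow=$($shadow.ID)" /quiet | Out-Null
}
Write-Output "SRUM collection written to $OutDir"
```

For an offline image none of this is needed, as the talk says: mount the disk and copy the sru folder and the SOFTWARE hive directly. The snapshot is deleted in the finally block so a failed copy does not leave shadow copies accumulating on the host.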
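Editor's added example for the translation work the talk describes: the SruDbIdMapTable lookup (IdType 3 rows are binary SIDs, the other IdType values are strings the speaker's script receives base64-encoded), the 64-bit FILETIME timestamps, the bit shifting and ANDing on the network interface value, and the SID-to-account lookup listed as future work. This is my code, not the talk's script and not Invoke-SRUMDump. The function names, the sample rows, the sample path and the sample SID are constructed for the demonstration; the interpretation that the decoded string blobs are UTF-16LE text and that the interface LUID carries the IANA ifType in its top 16 bits come from the Windows SRUM and NET_LUID layouts, not from the talk.

```powershell
# Added example; not code from the talk or from Invoke-SRUMDump. Sample rows below
# are constructed to stand in for what an ESE reader returns from SRUM tables.

function ConvertFrom-SrumFileTime {
    # SRUM timestamps are 64-bit Windows FILETIME values (100 ns ticks since 1601-01-01) in UTC.
    param([Parameter(Mandatory)][long]$FileTime)
    [DateTime]::FromFileTimeUtc($FileTime)
}

function ConvertFrom-HexString {
    # Hex text -> byte[], for readers that hand blobs back as hex rather than bytes.
    param([Parameter(Mandatory)][string]$Hex)
    $clean = $Hex -replace '[^0-9A-Fa-f]', ''
    [byte[]](0..($clean.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($clean.Substring($_ * 2, 2), 16) })
}

function ConvertFrom-SrumIdBlob {
    # One SruDbIdMapTable row -> readable value. IdType 3 is a binary SID; the other
    # types are strings. A base64 IdBlob (what the talk's script sees) is decoded to
    # bytes first; those bytes are UTF-16LE text, usually NUL-terminated.
    param(
        [Parameter(Mandatory)][int]$IdType,
        [Parameter(Mandatory)]$IdBlob      # byte[] or base64 string
    )
    $bytes = if ($IdBlob -is [byte[]]) { $IdBlob } else { [Convert]::FromBase64String([string]$IdBlob) }
    if ($IdType -eq 3) {
        return [System.Security.Principal.SecurityIdentifier]::new($bytes, 0).Value
    }
    [Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
}

function Resolve-SrumSid {
    # The SID-to-account lookup the talk lists as future work: resolves against the
    # local SAM or the joined domain, and falls back to the SID string when unknown.
    param([Parameter(Mandatory)][string]$Sid)
    try {
        [System.Security.Principal.SecurityIdentifier]::new($Sid).Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

function Get-SrumInterfaceType {
    # NET_LUID (netioapi.h) packs the IANA ifType into bits 48-63 of the 64-bit LUID;
    # shift and mask to recover it. The name table covers common ifType values only.
    param([Parameter(Mandatory)][long]$InterfaceLuid)
    $names = @{ 6 = 'Ethernet'; 23 = 'PPP'; 24 = 'Loopback'; 71 = 'IEEE 802.11 (Wi-Fi)'; 131 = 'Tunnel' }
    $type = [int](($InterfaceLuid -shr 48) -band 0xFFFF)
    if ($names.ContainsKey($type)) { "$type ($($names[$type]))" } else { "$type (unknown)" }
}

# ---- Constructed sample data (not from any real host) --------------------------
$sidHex = '01050000000000051500000057040000AE080000050D0000E9030000'   # S-1-5-21-1111-2222-3333-1001
$idMapRows = @(
    [pscustomobject]@{ IdType = 0; IdIndex = 101; IdBlob = [Text.Encoding]::Unicode.GetBytes("C:\Tools\nc.exe`0") }
    [pscustomobject]@{ IdType = 3; IdIndex = 202; IdBlob = ConvertFrom-HexString $sidHex }
)
# Build the lookup table once, then use it to replace the AppId/UserId references in data rows.
$idMap = @{}
foreach ($row in $idMapRows) { $idMap[$row.IdIndex] = ConvertFrom-SrumIdBlob -IdType $row.IdType -IdBlob $row.IdBlob }

$networkUsageRow = [pscustomobject]@{          # shape of one network data usage record
    FileTime      = 132000000000000000          # 64-bit FILETIME, UTC
    AppId         = 101
    UserId        = 202
    InterfaceLuid = (71L -shl 48) -bor (5L -shl 24)   # Wi-Fi adapter, interface index 5
    BytesSent     = 48213
    BytesRecvd    = 1560
}

# Translated row, the form you would want in the spreadsheet for the analysis step.
[pscustomobject]@{
    TimeUtc       = ConvertFrom-SrumFileTime $networkUsageRow.FileTime
    Application   = $idMap[$networkUsageRow.AppId]
    UserSid       = $idMap[$networkUsageRow.UserId]
    User          = Resolve-SrumSid $idMap[$networkUsageRow.UserId]
    InterfaceType = Get-SrumInterfaceType $networkUsageRow.InterfaceLuid
    BytesSent     = $networkUsageRow.BytesSent
    BytesReceived = $networkUsageRow.BytesRecvd
}
```

Resolve-SrumSid only succeeds for SIDs the analysis box can resolve (local accounts, or a domain it is joined to); on an analyst workstation outside the victim's domain it returns the SID unchanged, which is exactly the case where you fall back to the SAM or SOFTWARE hives or AD, as the talk says. Swap the constructed rows for the output of whatever ESE reader you use and the same functions apply to the application resource usage and application timeline tables.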