Disk overview of Artifacts

Windows Registry:
Located on disk and in memory if the system is running. Located on disk if the system is offline
EVTX Logs:
Application/Function specific
SuperTimeline CSVs:
Disk image is run through FLS or log2timeline
Memory is run through Volatility timeliner
Combined and viewed through Timeline Explorer
Memory Analysis Outputs:
Volatility and its plugins
Rekall and its plugins
Fireeyes Redline
Artifacts that give evidence of execution:
Shimcache - Windows registry
Prefetch - Windows prefetch directory
Amcache - Windows registry
Windows User Assist (GUI Execution) - Windows registry
Bam - Windows registry
File Downloads:
Open/Save MRU - Windows registry
Email Attachments - Windows user directory
Browser Artifacts - Windows user app data
Downloads - Browser DBs and folders and Downloads folder

Amcache - evidence of execution

%%Run in elevates cmd-prompt %%
AmcacheParser.exe -f “C:\Windows\appcompat\Programs\Amcache.hve” –csv c:\temp\amcache

Prefetch - evidence of execution

Copy Prefetch Files to local machine in a folder with the target’s IP

FOR /F %i in (IPs.txt) do @mkdir .%i && copy /Y \%i\c$\Windows\prefetch*.pf .%i

Shimcache - evidence of execution

%%Run in elevates cmd-prompt BUT CAN ALSO BE RUN AS USER %% AppCompatCacheParser.exe –csv c:\temp\shimcache

Windows Link Files

Officially referred to as shortcut files
A link file has is own macb timestamps, embedded in the lnk file itself are the created modified access times of the originating file itself. These are the times as they existed on the source file when the link was created. If all the timestamps are the same it indicates that the user has only interacted once. Should the user interacted with the file again the modified and access timestamps will be updated. Could be any number of accesses you will only ever no its been access twice.

• Raw linear sample (dd)
• Hibernation file (from Windows 7 and earlier
• Crash dump file
• VirtualBox ELF64 core dump
• VMware saved state and snapshot files
• EWF format (E01)
• LiME format
• Mach-O file format
• HPAK (FDPro)
• Firewire
• QEMU virtual machine dumps

Frequently used Volatility Modules

pslist: Shows the active processes.

cmdline: Reveals the command-line parameters for processes.

netscan: Checks for network links and available ports.

malfind: Looks for possible harmful code added to processes.

handles: Examines open resources.

svcscan: Displays services in Windows.

dlllist: Lists the dynamic-link libraries loaded in a process.

hivelist: Identifies registry hives stored in memory.

You can find documentation on Volatility here:

Volatility v2: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference

Volatility v3: https://volatility3.readthedocs.io/en/latest/index.html

Good practice to pipe many of the volatility plugins into a text file |tee pluginname.out

When using the tee command the system will no longer output the text in colour. To preserve colour simply install expect Then lead commands with unbuffer.

Volatility3 Windows

There is alot of crossover between Volatility2 and Volatility3. I have recently moved to using Volatility3 mainly and thus began tracking notes seperately or directly referencing differences.

python vol -f <path to memory file> windows.module.module

if you specify the plugin name as just windows it will show all additional plugins that can be run.

windows.info - shows information about the dump and the machine

windows.pslist - shows processes running in memory

command can be piped into | more for easier processing.

if you wanna see a particular process for file pipe output to | Select-String

vol.py -f “/path/to/file” -o “/path/to/dir” windows.dumpfiles ‑‑pid <PID>

Vol 3’s ‘memmap’ with –dump maps and dumps regions, useful for detailed forensics. vol.py -f “/path/to/file” -o “/path/to/dir” windows.memmap ‑‑dump ‑‑pid <PID>

Listing DLLs helps spot injected code, like malware hiding in legit processes. Unusual DLLs might point to infection.

Both versions list loaded DLLs for a PID, but Vol 3 is profile-free and faster.

Volatility 2:

vol.py -f “/path/to/file” ‑‑profile <profile> dlllist -p <PID>

Volatility 3:

vol.py -f “/path/to/file” windows.dlllist ‑‑pid <PID>

Module Breakdowns

Registry

Hive List

You’d use hive list commands to find registry hives in memory, which store system settings malware often tweaks these for persistence. This could show changes to startup keys that launch malicious software on boot.

‘hivescan‘ scans for hive structures. ‘hivelist‘ lists them with virtual and physical addresses.

Volatility 2:

vol.py -f “/path/to/file” ‑‑profile <profile> hivescan

vol.py -f “/path/to/file” ‑‑profile <profile> hivelist

Volatility 3:

vol.py -f “/path/to/file” windows.registry.hivescan The scan output highlights hive locations in memory.

vol.py -f “/path/to/file” windows.registry.hivelist This lists the registry hives with their paths and offsets for further digging.

Printkey

Printkey is used for viewing specific registry keys and values..

Without a key, it shows defaults, while -K or –key targets a certain path.

Volatility 2:

vol.py -f “/path/to/file” ‑‑profile <profile> printkey

vol.py -f “/path/to/file” ‑‑profile <profile> printkey -K “Software\Microsoft\Windows\CurrentVersion”

Volatility 3:

vol.py -f “/path/to/file” windows.registry.printkey

vol.py -f “/path/to/file” windows.registry.printkey ‑‑key “Software\Microsoft\Windows\CurrentVersion”