How can forensic investigators collect volatile and non-volatile information from Windows systems?

Prasan singh
6 min read · Aug 6, 2021

Before getting into the “how”, let us make sure we understand the “what”.

Volatile information is information that is modified or lost when a system is rebooted or shut down. It matters to investigators because it helps build a timeline of a security incident and identify the user(s) responsible. Volatile data lives in CPU registers, caches, and RAM, and it should be collected in order of volatility: the most short-lived data (registers, cache, running process state, network connections) first, and data that survives a little longer (logged-on users, command history, clipboard) after that.

Some examples of volatile information include:

System time
Logged-on user(s)
Network Information
Open files
Network Connections
Network status
Process information
Process-to-port mapping
Process memory
Mapped drives
Shares
Clipboard contents
Service/driver information
Command history

Because the tools used to collect volatile information modify memory themselves (every process you start allocates memory, opens handles and overwrites freed pages), an investigator should capture a full memory image of the target first, hash the image, and only then start extracting individual volatile artifacts. Record the time each command is run against a trusted clock, and hash every output file, so that the collection itself is documented and can be shown to be unaltered later.


Now on to the “how” of volatile information.

System Time
Capture it with the date /t and time /t commands, or with net statistics server (or net statistics workstation), whose output begins with a “Statistics since” line that also gives the approximate last boot time. Programmatically, the Win32 GetSystemTime function returns the clock as a SYSTEMTIME structure (year, month, weekday, day, hour, minute, second and millisecond) in UTC, and GetLocalTime returns the same structure in local time; the millisecond precision and the explicit UTC reference make these preferable to the shell commands. Whichever method is used, record the host clock against a trusted external clock, because every later timestamp is interpreted relative to it.
Logged-On Users
Achieved using the Sysinternals PsLoggedOn tool (users logged on locally and via resource shares) and the Sysinternals LogonSessions tool (every active logon session, its type, and, with -p, the processes running in it).
Open Files
Achieved using the net file command, which lists files on this machine that remote users have opened over SMB shares (with the user and lock count), and/or NirSoft's NetworkOpenedFiles utility, which shows the same information in a GUI.
Network Information
After gaining a foothold, an intruder usually probes for other systems on the network, and the NetBIOS name lookups made in the process are kept in the local NetBIOS name cache. The nbtstat command-line utility shows this: nbtstat -c lists the cache (NetBIOS names to IP addresses) and nbtstat -S lists the current NetBIOS sessions with their remote IP addresses. Beyond the host itself, an investigator should also check packet header information, session information, IDS/IPS, firewall, server and application logs, other protocols in use (such as secure file transfer), captured network packets, and port-scan results.
Network Connections
An investigator checks network connections to spot an attacker's live session, IRC bot command-and-control traffic, and worm propagation attempts. This can be accomplished with the netstat command: netstat -ano lists every TCP connection and listening TCP/UDP endpoint together with its state and the PID of the owning process.
Process Information
Process information lets an investigator verify whether any malicious processes are running on a system. It can be gathered with Task Manager, the tasklist command, and the Sysinternals PsList, ListDLLs and Handle utilities; the last two show the DLLs loaded into, and the handles held by, each process, which is where injected code and hidden open files tend to show up.
Process-to-Port Mapping
This is done so that an investigator can trace a suspicious port back to the process using it, and a suspicious process forward to the ports it has open. netstat -ano gives the owning PID for every connection and listening port; netstat -anob (which requires administrator rights) also prints the name of the executable.
Process Memory
Closely related to process information, a process's memory is dumped and inspected to look for injected, unpacked or otherwise suspicious code that does not appear on disk. Tools for this include Process Explorer and ProcDump (both Sysinternals) and Process Dumper.
Network Status
Investigators check the network status of a system to learn which adapters are up, what IP address, DHCP and DNS settings are in use, which wireless access point the host is attached to (so that a rogue access point can be ruled in or out), and whether any adapter has been placed in promiscuous mode, the usual sign that a sniffer is running on the host. ipconfig /all gives the adapter and address information; PromiscDetect and Promqry report adapters in promiscuous mode.
Print Spool Files
The print spooler holds each queued job in %SystemRoot%\System32\spool\PRINTERS as a spool file (.SPL, the rendered job) and a shadow file (.SHD, the job metadata: owner, printer, document name); the pair is normally deleted when the job completes but can be left behind. Attackers sometimes print sensitive documents, and the spooler service itself has been a path to privilege escalation, so an investigator will want to look over these folders. Since the spool files carry metadata, a hex editor such as Free Hex Editor, or UCCHECK, can be used to examine them for signs of foul play.
Clipboard Contents
The clipboard, as we all know, is the memory buffer that holds whatever was last copied for pasting. Its contents should be captured (for example with the PowerShell Get-Clipboard cmdlet). It is an obvious place to look, but attackers do slip up and leave passwords, commands and file paths there.
Service/Driver Information
Services and drivers start automatically when the system boots, which makes them an ideal place to plant a persistent threat, so they must be analyzed. tasklist /svc maps every running service to the process that hosts it, sc query lists all services with their states, and driverquery lists the installed drivers with their start types. Compare the lists against a known-good system rather than trusting names, since malicious services are usually named to blend in.
Command History
An investigator can list the commands typed in the current cmd.exe session with doskey /history. It only works from inside that session, and cmd.exe does not save history to disk, so it is lost once the window is closed. PowerShell, by contrast, persists its history per user in ConsoleHost_history.txt under AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine, which survives reboots and is worth collecting for every profile on the system.
Locally Shared Resources
Using the net share command an investigator can list every resource shared from the system, including the default administrative shares (C$, ADMIN$, IPC$) that attackers use for lateral movement.
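The volatile checks above, run together in one pass, as an added example that is not part of the original post. It is a PowerShell collection script; it assumes PowerShell 5.1 or later on Windows 8.1/Server 2012 R2 or newer (for Get-NetTCPConnection and the Get-Smb* cmdlets), an elevated prompt, and an output path on external media (the one below is a placeholder). It records the collector's own clock first, writes each artifact to a separate file, hashes every file into a manifest, and joins each network connection to its owning process so the process-to-port mapping comes out as one table. It deliberately assumes a memory image has already been taken:

```powershell
# Added example, not the original post's code. Assumed: PowerShell 5.1+ on
# Windows 8.1/Server 2012 R2 or newer, run elevated, output on external media.
# Acquire a memory image BEFORE running this: the script itself allocates
# memory, opens handles and spawns child processes, all of which alter evidence.
param([string]$OutDir = 'E:\case001\volatile')   # placeholder path
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$manifest = Join-Path $OutDir 'manifest.txt'
# The collector's own clock is recorded first; every later timestamp is read against it.
@(
    "collection_start_local=$((Get-Date).ToString('o'))"
    "collection_start_utc=$((Get-Date).ToUniversalTime().ToString('o'))"
    "collector=$env:USERDOMAIN\$env:USERNAME host=$env:COMPUTERNAME"
) | Set-Content -Path $manifest -Encoding UTF8

function Save-Artifact {
    param([string]$Name, [scriptblock]$Collector)
    $file = Join-Path $OutDir "$Name.txt"
    # Out-String -Width stops Format-Table from truncating long paths and command lines
    & $Collector 2>&1 | Out-String -Width 4096 | Set-Content -Path $file -Encoding UTF8
    Add-Content -Path $manifest -Value ('{0}  {1}.txt' -f (Get-FileHash -Path $file -Algorithm SHA256).Hash, $Name)
}

# System time: local time, UTC offset and last boot (what date/time and
# 'net statistics server' show), from one source and machine-readable
Save-Artifact 'system_time' {
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        LocalDateTime  = $os.LocalDateTime
        UtcOffsetMin   = $os.CurrentTimeZone
        LastBootUpTime = $os.LastBootUpTime
        Uptime         = (Get-Date) - $os.LastBootUpTime
    } | Format-List
}
# Logged-on users: interactive and RDP sessions, then every logon session
Save-Artifact 'logged_on_users' {
    query.exe user
    Get-CimInstance Win32_LogonSession |
        Select-Object LogonId, LogonType, AuthenticationPackage, StartTime | Format-Table -AutoSize
}
# Processes with parent PID, start time and full command line (more than tasklist gives)
Save-Artifact 'processes' {
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CreationDate, ExecutablePath, CommandLine |
        Sort-Object CreationDate | Format-Table -AutoSize -Wrap
}
# Process-to-port mapping: every TCP connection and UDP endpoint joined to its owner
Save-Artifact 'process_port_map' {
    $procs = @{}; Get-Process | ForEach-Object { $procs[$_.Id] = $_ }
    $rows = @(foreach ($c in Get-NetTCPConnection) {
        [pscustomobject]@{ Proto = 'TCP'; State = $c.State; Created = $c.CreationTime; PID = $c.OwningProcess
            Local = "$($c.LocalAddress):$($c.LocalPort)"; Remote = "$($c.RemoteAddress):$($c.RemotePort)"
            Process = $procs[[int]$c.OwningProcess].ProcessName; Path = $procs[[int]$c.OwningProcess].Path }
    })
    $rows += @(foreach ($u in Get-NetUDPEndpoint) {
        [pscustomobject]@{ Proto = 'UDP'; State = ''; Created = $u.CreationTime; PID = $u.OwningProcess
            Local = "$($u.LocalAddress):$($u.LocalPort)"; Remote = ''
            Process = $procs[[int]$u.OwningProcess].ProcessName; Path = $procs[[int]$u.OwningProcess].Path }
    })
    $rows | Sort-Object Proto, PID | Format-Table -AutoSize
}
Save-Artifact 'netstat_ano' { netstat.exe -ano }   # raw second source for the same facts
# Network status: addresses, DHCP/DNS, adapters in promiscuous mode (the
# condition PromiscDetect/Promqry test for), then NetBIOS name cache and sessions
Save-Artifact 'network_status' {
    ipconfig.exe /all
    Get-NetAdapter | Select-Object Name, InterfaceDescription, MacAddress, Status, PromiscuousMode |
        Format-Table -AutoSize
}
Save-Artifact 'nbtstat' { nbtstat.exe -c; nbtstat.exe -S }
# Shares, files opened over SMB by remote hosts, SMB sessions, mapped drives
Save-Artifact 'shares_and_open_files' {
    Get-SmbShare    | Format-Table Name, Path, Description -AutoSize
    Get-SmbOpenFile | Format-Table ClientComputerName, ClientUserName, Path -AutoSize
    Get-SmbSession  | Format-Table ClientComputerName, ClientUserName, NumOpens -AutoSize
    net.exe use
}
# Services and drivers: auto-start entries are the usual persistence points
Save-Artifact 'services_and_drivers' {
    Get-CimInstance Win32_Service |
        Select-Object Name, State, StartMode, ProcessId, StartName, PathName | Format-Table -AutoSize -Wrap
    Get-CimInstance Win32_SystemDriver | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize -Wrap
}
# Clipboard, then the persisted PowerShell history of every profile. doskey /history
# only covers the cmd.exe session it is typed in, so it cannot be collected from here.
Save-Artifact 'clipboard' { Get-Clipboard -Raw }
Save-Artifact 'powershell_history' {
    Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -ErrorAction SilentlyContinue |
        ForEach-Object { "### $($_.FullName)"; Get-Content -Path $_.FullName }
}
Add-Content -Path $manifest -Value "collection_end_utc=$((Get-Date).ToUniversalTime().ToString('o'))"
Write-Host "Collection written to $OutDir (manifest: $manifest)"
```

Run it from removable media (the Sysinternals tools can be kept beside it) and keep the manifest with the case notes: if a single collector file is later questioned, its hash shows whether it was altered. The raw netstat output is kept alongside the joined table so that the two independent sources can be compared.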

Non-volatile information is acquired during static (dead) data acquisition. It can be used to recover lost or deleted data, browser history, records of connected devices, and so on. Non-volatile information is not disturbed when a system is shut down or restarted. It usually resides on the hard disk; other locations include DVDs, thumb drives, smartphones, and so on. Examples include e-mail, Word documents, spreadsheets, and “deleted” files.

File Systems
Start with dir /o:d, which lists a directory sorted by last-modified date (add /t:c to sort by creation date, or /t:a for last access). From the dates an investigator can tell when the OS was installed, when service packs and patches were applied, and which sub-directories are updated automatically. Attention normally goes to the most recently changed files if the attack is believed to be recent; a dormant implant may sit much further back in the timeline, so do not stop at the top of the list. Within the file system an investigator examines four layers: file system data (boot sector and volume metadata), content data (the file bodies), metadata (MFT entries, timestamps, permissions) and application data (formats interpreted by the applications that wrote them).
ESE Database File
ESE stands for Extensible Storage Engine, Microsoft's embedded database engine, also known as JET Blue; many Microsoft products store their data in it. ESE databases can be examined with tools such as NirSoft's ESEDatabaseView. Files that are ESE databases include:
contacts.edb (Windows Live Mail contacts)
WLCalendarStore.edb (Windows Live Mail calendar)
Mail.MSMessageStore (Windows Live Mail message store)
WebCacheV01.dat / WebCacheV24.dat (Internet Explorer 10+ and legacy Edge browsing history, cookies and cache index)
Mailbox Database.edb / Public Folder Database.edb (Exchange Server)
Windows.edb (Windows Search index)
DataStore.edb (Windows Update history)
spartan.edb (legacy Microsoft Edge favourites and reading list)
Windows Search Index Analysis
The Windows Search index uses ESE for storage; its database is Windows.edb (under C:\ProgramData\Microsoft\Search\Data\Applications\Windows). Parsing it yields the names, paths, properties and partial content of everything Windows has indexed, including files that have since been deleted and files on volumes that are now damaged or encrypted and can no longer be read directly, which makes it a rich source of artifacts.
Detecting Externally Connected Devices to the System
An attacker may connect an external storage device to a system in order to stage tools on it or to steal information from it, so an investigator needs to establish which devices have been attached. NirSoft's DriveLetterView (drive letters assigned, including to devices no longer present) and Microsoft's DevCon (device enumeration) can be used, as can the registry key HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR, which keeps an entry for every USB storage device that has ever been connected, and the log %SystemRoot%\INF\setupapi.dev.log, which records when each device was first installed.
Slack Space
Slack space is the unused portion of the last cluster allocated to a file. Because a file rarely ends exactly on a cluster boundary, the remainder of that cluster is never overwritten by the file's own data and may still hold fragments of a deleted file that previously occupied the cluster (Windows zero-fills the partial sector, but the remaining sectors of the cluster are left as they were). Larger cluster sizes leave more slack per file, so the amount of slack on a volume depends on its cluster size and file count rather than on how fragmented the files are. Slack data is recovered by reading the whole last cluster from the raw volume rather than through the file system; DriveSpy is one tool for this.
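One way to turn the file-system, connected-device and slack-space checks from the sections above into repeatable PowerShell functions, as an added example rather than the post's own material. It assumes PowerShell 5.1 or later on Windows 8.1 or newer (for Get-Volume), elevated rights, and a mounted, write-blocked copy of the evidence; every path used is a placeholder. The USB history is read from the USBSTOR registry key and the setupapi.dev.log install log, and the slack calculation uses the volume's real cluster size:

```powershell
# Added example, not the original post's code. Assumed: PowerShell 5.1+ on
# Windows 8.1 or newer, elevated, run against a mounted write-blocked copy;
# all paths are placeholders.

# Recent-file timeline: what 'dir /o:d' shows, newest first, keeping both
# LastWriteTime and CreationTime. A file copied onto the disk keeps its old
# modification time, but its creation time reveals when it arrived here.
function Get-RecentFiles {
    param([string]$Root = "$env:SystemRoot\System32", [int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, Length, CreationTime, LastWriteTime, LastAccessTime
}

# USB storage history: HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR holds one key
# per vendor/product and, below it, one key per device serial number. The first
# installation time is taken from %SystemRoot%\INF\setupapi.dev.log, where the
# serial appears in a device-install header followed by a 'Section start' line.
function Get-UsbStorageHistory {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    $log  = "$env:SystemRoot\INF\setupapi.dev.log"
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $product = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $serial = $_.PSChildName
            $first  = $null
            if (Test-Path $log) {
                $hit = Select-String -Path $log -SimpleMatch -Pattern $serial -Context 0,1 |
                       Select-Object -First 1
                if ($hit -and $hit.Context.PostContext[0] -match 'Section start (\S+ \S+)') {
                    $first = $Matches[1]
                }
            }
            [pscustomobject]@{
                Product      = $product
                Serial       = $serial
                FriendlyName = (Get-ItemProperty -Path $_.PSPath).FriendlyName
                FirstInstall = $first   # $null if the log has rotated past the entry
            }
        }
    }
}

# File slack: the unused tail of a file's last cluster, computed from the real
# cluster size of the volume. NTFS files small enough to live inside their MFT
# record (roughly under 700 bytes) own no cluster at all and are skipped.
function Get-FileSlack {
    param([string]$Path, [int]$MftResidentLimit = 700)
    $drive   = (Resolve-Path $Path).Drive.Name            # local drive letter assumed
    $cluster = (Get-Volume -DriveLetter $drive).AllocationUnitSize
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt $MftResidentLimit } |
        ForEach-Object {
            $slack = ($cluster - ($_.Length % $cluster)) % $cluster
            [pscustomobject]@{
                FullName    = $_.FullName
                Length      = $_.Length
                ClusterSize = $cluster
                SlackBytes  = $slack
                SlackOffset = $_.Length    # file offset at which the slack region begins
            }
        } | Where-Object { $_.SlackBytes -gt 0 } | Sort-Object SlackBytes -Descending
}

Get-RecentFiles -Root "$env:SystemRoot\System32" -Days 3 | Format-Table -AutoSize
Get-UsbStorageHistory | Format-Table -AutoSize
Get-FileSlack -Path "$env:USERPROFILE\Documents" | Select-Object -First 10 | Format-Table -AutoSize
```

Get-FileSlack only reports how many bytes of slack each file has and where they begin; reading the slack itself requires opening the raw volume (for example \\.\C:) at the file's last cluster, which is what tools such as DriveSpy do. Compressed or sparse NTFS files report a logical length that does not match their allocation, so their figures should be treated as estimates.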
Hidden Partition Information
A hidden partition is a logical section of a disk that the operating system does not mount: it has no drive letter, carries a partition type the OS ignores, or is not listed in the partition table at all. Within a hidden partition there may be files, folders, confidential data, or system backups (OEM recovery partitions are a legitimate example). Hidden partitions can be located and examined with tools such as Find and Mount.
Windows Thumbnail Cache
Windows Vista and later store thumbnails of images and documents in thumbcache_*.db files under C:\Users\[User Profile]\AppData\Local\Microsoft\Windows\Explorer (one file per thumbnail size, for example thumbcache_256.db). Each entry holds the thumbnail image and a hash that identifies the source file; correlating that hash with the ThumbnailCacheId recorded in the Windows Search index (Windows.edb) recovers the original filename, path and timestamps. A thumbnail can therefore survive as “graphical evidence” long after the picture itself was deleted.
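Carving the thumbnails out of a thumbcache_*.db file, as an added example that is not part of the original post. The script assumes PowerShell 5.1 or later and a copy of a cache file taken from the Explorer folder named above; the paths in the usage lines are placeholders. It relies on only two stable facts about the format (every entry starts with the ASCII signature CMMM, and bytes 8 to 15 of an entry hold the entry hash), finds the JPEG, PNG or BMP inside each entry by its magic bytes, and writes each image out under its entry hash so it can later be matched against the ThumbnailCacheId values in Windows.edb:

```powershell
# Added example, not the original post's code. Assumed: PowerShell 5.1+, a copy
# of a thumbcache_*.db file, placeholder paths. The version-specific header
# fields are not parsed, so the carve works across Windows versions at the
# cost of keeping any trailing padding on each image (viewers ignore it).
function Export-ThumbcacheImages {
    param(
        [Parameter(Mandatory)][string]$CachePath,
        [Parameter(Mandatory)][string]$OutDir
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $bytes = [System.IO.File]::ReadAllBytes($CachePath)
    # Latin-1 maps each byte to exactly one char, so the fast ordinal String.IndexOf
    # doubles as a byte-pattern search instead of a slow PowerShell byte loop.
    $text   = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
    $ord    = [System.StringComparison]::Ordinal
    $magics = @(                      # checked in this order; BM alone is a weak signature
        @{ Ext = 'jpg'; Sig = -join [char[]](0xFF, 0xD8, 0xFF) },
        @{ Ext = 'png'; Sig = -join [char[]](0x89, 0x50, 0x4E, 0x47) },
        @{ Ext = 'bmp'; Sig = 'BM' }
    )
    $entries = New-Object System.Collections.Generic.List[object]
    $pos = $text.IndexOf('CMMM', 0, $ord)          # offset 0 is the file header, also CMMM
    while ($pos -ge 0) {
        $next = $text.IndexOf('CMMM', $pos + 4, $ord)
        if ($next -lt 0) { $next = $bytes.Length }
        if ($next - $pos -ge 16) {
            # Entry hash: 8 bytes little-endian at entry offset 8, printed big-endian,
            # the order thumbcache viewers conventionally display it in
            $hashBytes = $bytes[($pos + 8)..($pos + 15)]
            [array]::Reverse($hashBytes)
            $hash = ($hashBytes | ForEach-Object { $_.ToString('x2') }) -join ''
            foreach ($m in $magics) {
                $img = $text.IndexOf($m.Sig, $pos + 16, $next - $pos - 16, $ord)
                if ($img -lt 0) { continue }       # no image of this type in the entry
                $slice = New-Object byte[] ($next - $img)
                [array]::Copy($bytes, $img, $slice, 0, $slice.Length)
                $out = Join-Path $OutDir ('{0}_{1:d5}.{2}' -f $hash, $entries.Count, $m.Ext)
                [System.IO.File]::WriteAllBytes($out, $slice)
                $entries.Add([pscustomobject]@{
                    EntryOffset = $pos; EntryHash = $hash; Image = $out; ImageBytes = $slice.Length
                    Sha256 = (Get-FileHash -Path $out -Algorithm SHA256).Hash
                })
                break
            }
        }
        $pos = if ($next -lt $bytes.Length) { $next } else { -1 }
    }
    return $entries
}

$carved = Export-ThumbcacheImages -CachePath 'E:\case001\thumbcache_256.db' -OutDir 'E:\case001\thumbs'
$carved | Format-Table EntryHash, ImageBytes, Image -AutoSize
```

Work on a copy: Explorer rewrites the live cache files while the user is logged on. The SHA-256 recorded per image is of the carved bytes (image plus any trailing padding), not of the thumbnail as Windows stored it, so record the cache file's own hash as well.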
Other Non-Volatile Information
Other non-volatile information that should be examined includes the web browser cache, cookies and history, and temporary files (each user's Temp folder and C:\Windows\Temp).

In conclusion, investigators face a daunting task, but with some know-how, the ability to look up what is unknown, and an understanding of the tools needed for the job, it becomes far more attainable!
