Windows Forensics Cookbook provides recipes to overcome forensic challenges and helps you carry out effective investigations easily on a Windows platform. You will begin with a refresher on digital forensics and evidence acquisition, which will help you to understand the challenges faced while acquiring evidence from Windows systems. Next you will learn to acquire Windows memory data and analyze Windows systems with modern forensic tools. We also cover some more in-depth elements of forensic analysis, such as how to analyze data from Windows system artifacts, parse data from the most commonly-used web browsers and email services, and effectively report on digital forensic investigations.
You will see how Windows 10 is different from previous versions and how you can overcome the specific challenges it brings. Finally, you will learn to troubleshoot issues that arise while performing digital forensic investigations.
By the end of the book, you will be able to carry out forensics investigations efficiently.
Page count: 219
Year of publication: 2017
BIRMINGHAM - MUMBAI
Copyright © 2017 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: August 2017
Production reference: 1030817
Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.
ISBN 978-1-78439-049-5
www.packtpub.com
Authors
Oleg Skulkin
Scar de Courcier
Copy Editor
Juliana Nair
Reviewer
Igor Mikhaylov
Project Coordinator
Judie Jose
Acquisition Editor
Meeta Rajani
Proofreader
Safis Editing
Content Development Editor
Devika Battike
Indexer
Aishwarya Gangawane
Technical Editor
Manish Shanbhag
Graphics
Kirk D'Penha
Production Coordinator
Aparna Bhagat
Oleg Skulkin is a digital forensic enthusional (enthusiast and professional) from Sochi, Russia. Having more than 5 years of experience, he solves lots of different cases involving digital evidence for the Ministry of Internal Affairs of Russia. Also, you can find his articles both in Russian and foreign magazines. Finally, Oleg is a very active blogger, and he updates Cyber Forensicator's blog daily.
Scar de Courcier is Senior Editor at digital forensics website Forensic Focus. She also works as an independent consultant on online and offline child protection projects. In her spare time, she enjoys swimming, pretending she lives on the USS Voyager, and hanging out with her cat.
Igor Mikhaylov has been working as a forensic examiner for 20 years. During this time, he has visited a lot of seminars and training classes by top digital forensic companies (such as Guidance Software, AccessData, and Cellebrite) and forensic departments of government organizations of the Russian Federation. He has experience and skills in computer forensics, incident response, cell phone forensics, chip-off forensics, malware forensics, data recovery, digital images analysis, video forensics, and big data, etc. He has written three tutorials on cell phone forensics and incident response for Russian forensic examiners.
For support files and downloads related to your book, please visit www.PacktPub.com.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and, as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www.packtpub.com/mapt
Get the most in-demand software skills with Mapt. Mapt gives you full access to all Packt books and video courses, as well as industry-leading tools to help you plan your personal development and advance your career.
Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser
Thanks for purchasing this Packt book. At Packt, quality is at the heart of our editorial process. To help us improve, please leave us an honest review on this book's Amazon page at https://www.amazon.com/dp/1784390496/.
If you'd like to join our team of regular reviewers, you can e-mail us at [email protected]. We award our regular reviewers with free eBooks and videos in exchange for their valuable feedback. Help us be relentless in improving our products!
Preface
What this book covers
What you need for this book
Who this book is for
Sections
Getting ready
How to do it…
How it works…
There's more…
See also
Conventions
Customer support
Downloading the color images of this book
Errata
Piracy
Questions
Digital Forensics and Evidence Acquisition
Introduction
Why Windows?
Windows file system
Identifying evidence sources
Ensuring evidence is forensically sound
Writing reports
Digital forensic investigation - an international field
What can we do to make things easier for ourselves in the meantime?
Challenges of acquiring digital evidence from Windows systems
Windows Memory Acquisition and Analysis
Introduction
Windows memory acquisition with Belkasoft RAM Capturer
Getting ready
How to do it…
How it works…
See also
Windows memory acquisition with DumpIt
Getting ready
How to do it…
How it works…
See also
Windows memory image analysis with Belkasoft Evidence Center
Getting ready
How to do it...
How it works...
See also
Windows memory image analysis with Volatility
Getting ready
How to do it...
How it works...
See also
Variations in Windows versions
Getting ready
How to do it...
There is more...
Windows Drive Acquisition
Introduction
Drive acquisition in E01 format with FTK Imager
Getting ready
How to do it...
How it works...
See more
Drive acquisition in RAW format with dc3dd
Getting ready
How to do it...
How it works...
See also
Mounting forensic images with Arsenal Image Mounter
Getting ready
How to do it...
How it works...
See also
Windows File System Analysis
Introduction
NTFS Analysis with The Sleuth Kit
Getting ready
How to do it...
How it works...
See also
Undeleting files from NTFS with Autopsy
Getting ready...
How to do it...
How it works...
See also
Undeleting files from ReFS with ReclaiMe File Recovery
Getting ready
How to do it...
How it works...
See also
File carving with PhotoRec
Getting ready
How to do it...
How it works...
See more
Windows Shadow Copies Analysis
Introduction
Browsing and copying files from VSCs on a live system with ShadowCopyView
Getting ready
How to do it...
How it works...
See also
Mounting VSCs from disk images with VSSADMIN and MKLINK
Getting ready
How to do it...
How it works...
See also
Processing and analyzing VSC data with Magnet AXIOM
Getting ready
How to do it...
How it works...
See also
Windows Registry Analysis
Introduction
Extracting and viewing Windows Registry files with Magnet AXIOM
Getting ready
How to do it...
How it works...
See also
Parsing registry files with RegRipper
Getting ready
How to do it...
How it works...
See also
Recovering deleted Registry artifacts with Registry Explorer
Getting ready
How to do it...
How it works...
See also
Registry analysis with FTK Registry Viewer
Getting ready
How to do it...
How it works...
See also
Main Windows Operating System Artifacts
Introduction
Recycle Bin content analysis with EnCase Forensic
Getting ready
How to do it...
How it works...
See also
Recycle bin content analysis with Rifiuti2
Getting ready
How to do it...
How it works...
See also
Recycle bin content analysis with Magnet AXIOM
Getting ready
How to do it...
How it works...
See also
Event log analysis with FullEventLogView
Getting ready
How to do it...
How it works...
See also
Event log analysis with Magnet AXIOM
Getting ready
How to do it...
How it works...
See also
Event log recovery with EVTXtract
Getting ready
How to do it...
How it works...
See also
LNK file analysis with EnCase forensic
Getting ready
How to do it...
How it works...
See also
LNK file analysis with LECmd
Getting ready
How to do it...
How it works...
See also
LNK file analysis with Link Parser
Getting ready
How to do it...
How it works...
See also
Prefetch file analysis with Magnet AXIOM
Getting ready
How to do it...
How it works...
See also
Prefetch file parsing with PECmd
Getting ready
How to do it...
How it works...
See also
Prefetch file recovery with Windows Prefetch Carver
Getting ready
How to do it...
How it works...
See also
Web Browser Forensics
Introduction
Mozilla Firefox analysis with BlackBag's BlackLight
Getting ready
How to do it...
How it works...
See also
Google Chrome analysis with Magnet AXIOM
Getting ready
How to do it...
How it works...
See also
Microsoft Internet Explorer and Microsoft Edge analysis with Belkasoft Evidence Center
Getting ready
How to do it...
How it works...
See also
Extracting web browser data from Pagefile.sys
Getting ready
How to do it...
How it works...
See also
Email and Instant Messaging Forensics
Introduction
Outlook mailbox parsing with Intella
Getting ready
How to do it...
How it works...
See also
Thunderbird mailbox parsing with Autopsy
Getting ready
How to do it...
How it works...
See also
Webmail analysis with Magnet AXIOM
Getting ready
How to do it...
How it works...
See also
Skype forensics with Belkasoft Evidence Center
Getting ready
How to do it...
How it works...
See also
Skype forensics with SkypeLogView
Getting ready
How to do it...
How it works...
See also
Windows 10 Forensics
Introduction
Parsing Windows 10 Notifications
Getting ready
How to do it...
How it works...
See also
Cortana forensics
Getting ready
How to do it...
How it works...
See also
OneDrive forensics
Getting ready
How to do it...
How it works...
See also
Dropbox forensics
Getting ready
How to do it...
How it works...
See also
Windows 10 mail app
Getting ready
How to do it...
How it works...
Windows 10 Xbox App
Getting ready
How to do it...
How it works...
Data Visualization
Introduction
Data visualization with FTK
Getting ready
How to do it...
How it works...
Making a timeline in Autopsy
Getting ready
How to do it...
How it works...
See also
Nuix Web Review & Analytics
Getting ready
How to do it...
How it works...
See also
Troubleshooting in Windows Forensic Analysis
Introduction
Troubleshooting in commercial tools
Troubleshooting in free and open source tools
Troubleshooting when processes fail
Soundness of evidence
It wasn't me
It was a virus / I was hacked
Your process is faulty
Legal and jurisdictional challenges
False positives during data processing with digital forensics software
Taking your first steps in digital forensics
Academia
Corporate
Law enforcement
How do I get started?
Advanced further reading
Books
Websites
Twitter Accounts
Windows Forensics Cookbook covers recipes to overcome challenges and carry out effective investigations easily on a Windows platform. You will begin with a refresher of Digital Forensics and Evidence Acquisition, which will help you to understand the challenges faced while acquiring evidence from Windows systems. Next, you will learn how to acquire Windows memory and analyze Windows systems with modern forensic tools. The book will also cover more in-depth elements of forensic analysis, such as how to analyze data from Windows system artifacts, parsing data from the most commonly-used web browsers and email clients, and effective reporting in digital forensic investigations.
You will learn how Windows 10 is different from previous versions and how you can overcome the specific challenges it brings. Finally, you will learn how to troubleshoot issues that arise while performing digital forensic investigations.
By the end of the book, you will be able to carry out forensic investigations efficiently.
Chapter 1, Digital Forensics and Evidence Acquisition, will give you a brief overview of digital forensics as a science, and will cover the basics of digital evidence acquisition, examination and reporting.
Chapter 2, Windows Memory Acquisition and Analysis, will guide you through Windows memory acquisition with Belkasoft RAM Capturer and DumpIt. After that, you will learn how to analyze memory images with Belkasoft Evidence Center and Volatility.
Chapter 3, Windows Drive Acquisition, will guide you through the acquisition of the main source of Windows forensic artifacts: hard disk drives and solid-state drives. You will learn how to create forensic images with FTK Imager and dc3dd, and also how to mount them with Arsenal Image Mounter.
Chapter 4, Windows File Systems Analysis, will guide you through the analysis of the most common Windows filesystem, New Technology File System or NTFS, with The Sleuth Kit. Also, you will learn how to recover deleted files from both NTFS and its descendant, ReFS, using Autopsy, ReclaiMe Pro, and PhotoRec.
Chapter 5, Windows Shadow Copies Analysis, will show you how to browse and copy files from VSCs with ShadowCopyView. Also, you will learn how to mount these copies with VSSADMIN and MKLINK, and analyze their data with Magnet AXIOM.
Chapter 6, Windows Registry Analysis, will show you how to extract data from the Windows Registry with Magnet AXIOM and RegRipper. Also, you will learn how to recover deleted Registry artifacts with Registry Explorer.
Chapter 7, Main Windows Operating System Artifacts, will introduce you to the main Windows forensic artifacts, including the Recycle Bin items, Windows Event Logs, LNK files, and Prefetch files. You will learn how to analyze these artifacts with EnCase Forensic, Rifiuti2, Magnet AXIOM, FullEventLogView, EVTXtract, LECmd, Link Parser, PECmd, and Windows Prefetch Carver.
Chapter 8, Web Browser Forensics, will guide you through the analysis of the most popular Windows web browsers with BlackBag's BlackLight, Magnet AXIOM, and Belkasoft Evidence Center. Also, you will learn how to extract browser data from a paging file.
Chapter 9, Email and Instant Messaging Forensics, will show you how to analyze artifacts of the most popular Windows email clients, Microsoft Outlook and Mozilla Thunderbird, and of the instant messaging application Skype. Also, you will learn how to extract webmail artifacts from a forensic image.
Chapter 10, Windows 10 Forensics, will introduce you to Windows 10-specific artifacts, such as Cortana, the Mail app, the Xbox app, and notifications. You will learn where the data is stored, its format, and how to extract and analyze it.
Chapter 11, Data Visualization, will show you how to make your forensic reports even better with data visualization techniques. You will learn how to use these techniques in Forensic Toolkit (FTK), Autopsy, and Nuix.
Chapter 12, Troubleshooting in Windows Forensic Analysis, will teach you how to solve problems with your forensic software, both commercial and free/open source; show you what to do if processes fail and why it's important to analyze false positives; give you recommendations on your first steps in digital forensics; and provide a list of sources for further reading.
The following software is required for this book:
Arsenal Image Mounter
Autopsy
Belkasoft Evidence Center
Belkasoft RAM Capturer
BlackBag BlackLight
dc3dd
DumpIt
EnCase Forensic
EVTXtract
FTK
FTK Imager
FullEventLogView
Intella
LECmd
Link Parser
Magnet AXIOM
Nuix
PECmd
PhotoRec
ReclaiMe Pro
Registry Explorer
RegRipper
Rifiuti2
ShadowCopyView
SkypeLogView
The Sleuth Kit
Volatility
Windows Prefetch Carver
Most of the commercial tools from this list have trial versions available for downloading for free. Download links are provided in the chapters.
If you are a forensic analyst or incident response professional who wants to solve computer forensics investigations for the Windows platform, then this book is for you.
In this book, you will find several headings that appear frequently (Getting ready, How to do it, How it works, There's more, and See also).
To give clear instructions on how to complete a recipe, we use these sections as follows:
This section tells you what to expect in the recipe, and describes how to set up any software or any preliminary settings required for the recipe.
This section contains the steps required to follow the recipe.
This section usually consists of a detailed explanation of what happened in the previous section.
This section consists of additional information about the recipe in order to make the reader more knowledgeable about the recipe.
This section provides helpful links to other useful information for the recipe.
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text, database table names, folder names, filenames, file extensions, path names, dummy URLs, user input, and Twitter handles are shown as follows: "So in our case, it's D:\Belkasoft Memory Forensics Test."
Any command-line input or output is written as follows:
volatility_2.6_win64_standalone.exe -f X:\stuxnet.vmem --profile=WinXPSP3x86 malfind -p 868 --dump-dir X:\Stuxnet
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "The first pane displays information about detected shadow copies, including name, Explorer path, Volume path, Created Time, and so on."
Tips and tricks appear like this.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from https://www.packtpub.com/sites/default/files/downloads/WindowsForensicsCookbook_ColorImages.pdf.
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books-maybe a mistake in the text or the code-we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.
To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.
Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at [email protected] with a link to the suspected pirated material.
We appreciate your help in protecting our authors and our ability to bring you valuable content.
If you have a problem with any aspect of this book, you can contact us at [email protected], and we will do our best to address the problem.
In this chapter, we'll cover the following recipes:
Identifying evidence sources
Acquiring digital evidence
Ensuring evidence is forensically sound
Writing reports
Digital forensic investigation: an international field
Challenges of acquiring digital evidence from Windows systems
Digital forensics is an expansive term that can cover a multitude of subject areas. Broadly speaking, it refers to the investigation of crimes committed on, or with the use of, a computing device. Several years ago, this may have only been applicable to cases in which an investigator was looking at financial fraud, intellectual property theft, or similar cases where computers are, by definition, necessary in order to commit the crime.
In today's world however, the proliferation of digital devices is such that even a crime that seems to be unrelated to computing—a house burglary where jewellery is stolen, for example, or the abduction of a child walking home from school—can involve a whole host of digital evidence.
Digital evidence refers to anything relevant to an investigation that can be found on a digital device. Increasingly, digital devices can refer to almost anything around us - not only computers and phones, but also cars, televisions, refrigerators, and heating systems.
Digital forensics as a discipline does not deal solely with solving crimes. HR matters in companies, private or civil cases, as well as day-to-day data recovery, can all fall under the digital forensics bracket. It is reasonable to state, therefore, that not only is digital forensics a huge field, it is also expanding. For this reason, in this book, we have decided to focus on one particular aspect of digital forensics: the forensic analysis of Windows operating systems.
We could have chosen any number of operating systems as the subject of this book, not to mention the myriad smartphones and other connected devices that crop up in digital forensic investigations. Windows is, however, a popular choice of operating system for the average computer user, and for businesses — recent figures from NetMarketShare indicate that Windows takes up over 88% of the market. The following diagram demonstrates the market share of Windows as opposed to Mac, Linux, and other operating systems.
Regardless of whether you're working in law enforcement, in a digital forensics corporation, as an academic researcher in the field, or for yourself as a freelance investigator, the chances are that at some point you will come up against Windows systems.
Our goal in writing this book is to create a kind of cookbook, allowing you to dip in and out and use the recipes to aid in your investigations.
The range of available operating system versions and programs that are frequently run on Windows machines makes it difficult to provide a full guide. This is particularly the case when we take into consideration the recent overhaul resulting in Windows 8, Windows 8.1, and Windows 10, which refer to programs as applications and look somewhat different from earlier versions, both forensically and from a user experience point of view. To the best of our ability, we have tried throughout this book to highlight the most salient points in investigation and to discuss the broad implications of the changes in more recent versions.
Windows machines use NTFS, which used to stand for New Technology File System, although the expansion of the acronym has now become obsolete. All versions of Windows use NTFS by default.
The main thing to remember about NTFS is that everything is a file. The idea behind the filesystem's creation was that it would be easily scalable, as well as secure and reliable at all levels. This does present some unique challenges for forensic investigation and administrative usage, however: since any file can be located anywhere on the system, it can be hard to understand precisely what one is looking at when analyzing a machine.
The Master File Table (MFT) is the basis of the filesystem. In here, we find all the relevant information concerning files. It is worth noting that the first entry in the MFT is an entry that refers to the MFT itself, which can confuse people who are new to Windows filesystem analysis.
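As an added illustration of the MFT structure described above (example code written for this edit, not code from the book or from any tool it covers), the following Python parses one MFT FILE record: it verifies and undoes the update sequence "fixups", reads the record header, and walks the attributes to pull out the resident $FILE_NAME. The record it parses is a constructed sample of entry 0, the self-referencing $MFT entry the paragraph mentions; the field offsets follow the NTFS on-disk layout, while the timestamp and parent reference values are constructed. The same fields are what The Sleuth Kit's istat prints for a real image.

```python
import struct
from dataclasses import dataclass, field
from datetime import datetime, timezone

RECORD_SIZE = 1024          # MFT record size on almost every NTFS volume
SECTOR_SIZE = 512
ATTR_FILE_NAME = 0x30       # attribute type id of $FILE_NAME
ATTR_END = 0xFFFFFFFF       # end-of-attributes marker
FILETIME_EPOCH = 116444736000000000  # 100 ns ticks from 1601-01-01 to 1970-01-01


def from_filetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601) to a UTC datetime."""
    return datetime.fromtimestamp((ft - FILETIME_EPOCH) / 10_000_000, tz=timezone.utc)


def to_filetime(dt: datetime) -> int:
    return int(dt.timestamp()) * 10_000_000 + FILETIME_EPOCH


@dataclass
class FileName:
    name: str
    parent_record: int   # MFT entry number of the parent directory
    namespace: int       # 0 POSIX, 1 Win32, 2 DOS, 3 Win32 & DOS
    created: datetime


@dataclass
class MftEntry:
    record_number: int
    sequence_number: int
    link_count: int
    in_use: bool
    is_directory: bool
    base_record: int
    file_names: list = field(default_factory=list)


def apply_fixups(record: bytes) -> bytes:
    """Verify and undo the update sequence array. NTFS overwrites the last two
    bytes of every sector with the update sequence number (USN) and stores the
    original bytes in the array, so a torn or partially written record is
    detectable: a mismatch here means the record must not be trusted."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record (signature mismatch)")
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or corrupt record")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_record(raw: bytes) -> MftEntry:
    """Parse the record header and every resident $FILE_NAME attribute."""
    rec = apply_fixups(raw)
    (seq, links, attr_off, flags, _used, _alloc, base_ref,
     _next_id, _pad, rec_no) = struct.unpack_from("<HHHHIIQHHI", rec, 0x10)
    entry = MftEntry(rec_no, seq, links, bool(flags & 1), bool(flags & 2),
                     base_ref & 0xFFFFFFFFFFFF)   # low 48 bits = entry number
    off = attr_off
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END:
            break
        if alen == 0 or off + alen > len(rec):
            raise ValueError("bad attribute length")
        non_resident = rec[off + 8]
        if atype == ATTR_FILE_NAME and not non_resident:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            c = rec[off + coff:off + coff + clen]
            parent_ref = struct.unpack_from("<Q", c, 0)[0]
            created = struct.unpack_from("<Q", c, 8)[0]
            name_len, namespace = c[0x40], c[0x41]
            name = c[0x42:0x42 + 2 * name_len].decode("utf-16-le")
            entry.file_names.append(FileName(name, parent_ref & 0xFFFFFFFFFFFF,
                                             namespace, from_filetime(created)))
        off += alen
    return entry


def build_sample_record() -> bytes:
    """Constructed sample (not taken from a real volume): entry 0, named $MFT,
    with one resident $FILE_NAME whose parent is the root directory (entry 5)."""
    name = "$MFT".encode("utf-16-le")
    ts = to_filetime(datetime(2017, 8, 1, 12, 0, tzinfo=timezone.utc))
    # parent ref, 4 timestamps, allocated size, real size, flags (hidden|system), reparse
    content = struct.pack("<QQQQQQQII", 5 | (5 << 48), ts, ts, ts, ts, 0, 0, 0x06, 0)
    content += struct.pack("<BB", len(name) // 2, 3) + name
    alen = (0x18 + len(content) + 7) & ~7          # attributes are 8-byte aligned
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, alen, 0, 0, 0x18, 0, 1,
                       len(content), 0x18, 1, 0) + content
    attr = attr.ljust(alen, b"\x00")
    rec = bytearray(RECORD_SIZE)
    rec[0:0x10] = b"FILE" + struct.pack("<HHQ", 0x30, 3, 0)   # USA at 0x30, 3 words
    rec[0x10:0x30] = struct.pack("<HHHHIIQHHI", 1, 1, 0x38, 0x01,
                                 0x38 + alen + 8, RECORD_SIZE, 0, 2, 0, 0)
    rec[0x38:0x38 + alen] = attr
    rec[0x38 + alen:0x38 + alen + 4] = struct.pack("<I", ATTR_END)
    usn = b"\x01\x00"                                # write the fixups like the driver does
    rec[0x30:0x32] = usn
    for i in (1, 2):
        end = i * SECTOR_SIZE
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


if __name__ == "__main__":
    print(parse_record(build_sample_record()))
    torn = bytearray(build_sample_record())
    torn[510] ^= 0xFF                                # damage one fixup byte
    try:
        parse_record(bytes(torn))
    except ValueError as err:
        print("rejected:", err)
```

Two points carry over to real examinations: the fixup check is not optional (skipping it silently returns two corrupted bytes per sector and hides torn writes), and the 48-bit entry number plus 16-bit sequence number in every file reference is how an examiner distinguishes a deleted file's parent from a later file that reused the same MFT slot.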
