Windows Forensics: NOT A Comprehensive Guide

In the field of digital forensics, investigating Windows systems is a crucial task for uncovering evidence and analyzing potential security incidents. Windows operating systems generate various event logs and artifacts that can provide valuable insights into user activities, process execution, and system changes. In this blog post, we will explore some essential event IDs, tools, and techniques that can aid in Windows forensic investigations. This is based on my Windows Forensics cheatsheet and is by no means an exhaustive list, just things I've found very useful during incident response.

Event IDs for Investigation

4663 - Object Access

Event ID 4663 signifies an attempt to access an object on a Windows system. This event can be particularly useful in detecting file writes to disk. However, it's important to note that this event may not be enabled by default, so ensure proper configuration for effective monitoring.

4688 - Process Creation

Event ID 4688 is generated when a process is created on the system. Analyzing this event can provide valuable insights into the execution of malicious or suspicious processes. By examining process creation events, investigators can identify potentially malicious activities and track the execution flow within the system.

4697 - Service Installation

Event ID 4697 indicates the installation of a service in the system. This event can be helpful in identifying new services added to the system, which may have been used as a persistence mechanism by an attacker. By monitoring this event, forensic analysts can detect unauthorized or malicious service installations.

7045 - New Service Installation

Event ID 7045 is similar to Event ID 4697 but specifically focuses on the installation of new services in the system. By monitoring this event, investigators can identify recently installed services and scrutinize their purpose and potential impact on system security.
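The four event IDs above, pulled together into one triage script. This is an added example and not code from the original post; it assumes the corresponding audit policies are already enabled, that it runs elevated, and the "user-writable path" pattern is an assumption to tune for your own estate.

```powershell
# Added example, not part of the original post. Pulls the four event IDs discussed above from the
# live Security/System logs (run elevated). Assumes the audit policies that generate these events
# are enabled; the CommandLine field of 4688 is only filled when "Include command line in process
# creation events" is also on. Paths treated as suspicious are an assumption to tune per estate.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

# Flatten <EventData><Data Name="..."> into a hashtable so fields can be read by name.
function ConvertFrom-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $x = [xml]$Event.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}
function Get-Events($Log, $Id) {
    Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Id; StartTime = $since } -ErrorAction SilentlyContinue
}
$userWritable = '\\(Users|ProgramData|Windows\\Temp)\\'   # assumption: adjust to your environment

# 4688 (Security): process creation, with parent and command line when available
$procs = foreach ($e in Get-Events Security 4688) {
    $d = ConvertFrom-EventData $e
    [pscustomobject]@{ Time = $e.TimeCreated; User = $d.SubjectUserName; Image = $d.NewProcessName
                       Parent = $d.ParentProcessName; CommandLine = $d.CommandLine }
}
# 4697 (Security audit) and 7045 (System log, Service Control Manager) describe the same
# service installs with different field names, so normalise both into one shape
$svcs = @(foreach ($e in Get-Events Security 4697) {
    $d = ConvertFrom-EventData $e
    [pscustomobject]@{ Time = $e.TimeCreated; Id = 4697; Name = $d.ServiceName; Image = $d.ServiceFileName; Account = $d.ServiceAccount }
}) + @(foreach ($e in Get-Events System 7045) {
    $d = ConvertFrom-EventData $e
    [pscustomobject]@{ Time = $e.TimeCreated; Id = 7045; Name = $d.ServiceName; Image = $d.ImagePath; Account = $d.AccountName }
})
# 4663 (Security): object access; keep attempts whose AccessMask includes WriteData/AddFile (0x2)
$writes = foreach ($e in Get-Events Security 4663) {
    $d = ConvertFrom-EventData $e
    if (([int]$d.AccessMask) -band 0x2) {
        [pscustomobject]@{ Time = $e.TimeCreated; User = $d.SubjectUserName; Object = $d.ObjectName; Process = $d.ProcessName }
    }
}
"== 4688: processes started from user-writable paths =="
$procs | Where-Object Image -match $userWritable | Format-Table -AutoSize -Wrap
"== 4697/7045: every new service, oldest first (review each one) =="
$svcs | Sort-Object Time | Format-Table -AutoSize -Wrap
"== 4663: file writes, most recent 50 =="
$writes | Select-Object -First 50 | Format-Table -AutoSize
```

Swap the `LogName` key for `Path = 'C:\evidence\Security.evtx'` in `Get-Events` to run the same triage against exported logs from an image.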

RDP Investigation

Remote Desktop Protocol (RDP) is widely used for remote administration and troubleshooting. However, it can also be exploited by attackers to gain unauthorized access to systems. To effectively investigate RDP-related events, refer to the excellent guide published by Ponder the Bits, available at Windows RDP-Related Event Logs: Identification, Tracking, and Investigation.

PowerShell Forensics

PowerShell is a powerful scripting language available on Windows systems. It can be misused by threat actors for various malicious activities. To enhance the visibility and logging capabilities of PowerShell, consider implementing the following techniques:

Script Block Logging

Enabling script block logging records blocks of code as they are executed by the PowerShell engine. This feature captures the full contents of code executed by an attacker, including scripts and commands. Script block logging can also capture de-obfuscated code, such as commands passed with PowerShell's -EncodedCommand argument or obfuscated using XOR, Base64, ROT13, encryption, etc. Script block logging events are recorded in Event ID 4104 and can be parsed using available scripts.
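Reassembling 4104 events into complete script blocks, as an added example that is not part of the original post. It assumes script block logging is enabled and reads either the live operational log or an exported .evtx; the list of terms used to flag blocks is an assumption to extend.

```powershell
# Added example, not part of the original post: reassemble script blocks from Event ID 4104.
# A long script is logged as several 4104 events; MessageNumber/MessageTotal and ScriptBlockId
# tie the fragments together, and PowerShell raises the level to Warning (3) for blocks that
# contain terms it considers suspicious. Assumes script block logging is enabled.
param([string]$Path)   # optional exported .evtx; omit to read the live operational log
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
if ($Path) { $filter.Remove('LogName'); $filter.Path = $Path }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Property order in 4104: 0 MessageNumber, 1 MessageTotal, 2 ScriptBlockText, 3 ScriptBlockId, 4 Path
$blocks = @{}
foreach ($e in $events) {
    $p = $e.Properties
    $id = [string]$p[3].Value
    if (-not $blocks.ContainsKey($id)) {
        $blocks[$id] = @{ Time = $e.TimeCreated; Level = $e.Level; Total = [int]$p[1].Value
                          Path = [string]$p[4].Value; Parts = @{} }
    }
    $blocks[$id].Parts[[int]$p[0].Value] = [string]$p[2].Value
}
# Terms that justify reading a block in full (assumption: extend with what you see in your environment)
$hints = 'FromBase64String|-EncodedCommand|-enc |Invoke-Expression|\bIEX\b|DownloadString|Net\.WebClient|-bxor|Reflection\.Assembly'
$rows = foreach ($id in $blocks.Keys) {
    $b = $blocks[$id]
    # Fragments are keyed by MessageNumber, so sorting the keys restores the original order
    $text = ($b.Parts.Keys | Sort-Object | ForEach-Object { $b.Parts[$_] }) -join ''
    [pscustomobject]@{ Time = $b.Time; ScriptBlockId = $id; Path = $b.Path
                       Complete = ($b.Parts.Count -eq $b.Total); Warning = ($b.Level -eq 3)
                       Length = $text.Length; Flag = [bool]($text -match $hints); Text = $text }
}
$flagged = $rows | Where-Object { $_.Flag -or $_.Warning } | Sort-Object Time
$flagged | Format-Table Time, ScriptBlockId, Complete, Length, Path -AutoSize
# $flagged[n].Text holds the full block as the engine executed it, after any decoding the script did itself
```

A block with `Complete = $false` means some fragments fell outside the log's retention window, so size the operational log accordingly.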

Transcription

PowerShell transcription creates a unique record of every PowerShell session, including all input and output. Transcripts are written to text files, organized by user and session. Transcription can provide valuable information about executed commands and their outputs. However, it's important to note that transcription records only what appears in the PowerShell terminal and may not include the contents of executed scripts or output written to other destinations like the file system.

Module Logging

Module logging records pipeline execution details as PowerShell executes, including variable initialization and command invocations. This logging mechanism can capture some details missed by other PowerShell logging sources, but it may not reliably capture all executed commands. Module logging events are written to Event ID 4103 and can be leveraged to gain further insights into PowerShell activities.
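Turning on the three logging sources just described, as an added example rather than code from the original post or the FireEye article. It writes the registry values that the equivalent Group Policy settings set; the transcript output directory is an assumption.

```powershell
# Added example, not part of the original post: enable script block logging, module logging and
# transcription through the registry values Group Policy would set. Run elevated. The transcript
# directory is an assumption; put it somewhere users cannot read or delete each other's files.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = 'C:\PSTranscripts'   # assumed location

function Set-PolicyValue($Key, $Name, $Value, $Type = 'DWord') {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}
# Script block logging -> Event ID 4104 in Microsoft-Windows-PowerShell/Operational
Set-PolicyValue "$base\ScriptBlockLogging" EnableScriptBlockLogging 1
# Module logging -> Event ID 4103; a ModuleNames entry of "*" covers every module
Set-PolicyValue "$base\ModuleLogging" EnableModuleLogging 1
Set-PolicyValue "$base\ModuleLogging\ModuleNames" '*' '*' String
# Transcription -> one text file per session under $transcriptDir, with a header per command
Set-PolicyValue "$base\Transcription" EnableTranscripting 1
Set-PolicyValue "$base\Transcription" EnableInvocationHeader 1
Set-PolicyValue "$base\Transcription" OutputDirectory $transcriptDir String
New-Item -ItemType Directory -Path $transcriptDir -Force | Out-Null

# Read the values back so a misspelt key does not silently leave a source disabled
Get-ItemProperty "$base\ScriptBlockLogging", "$base\ModuleLogging", "$base\Transcription" |
    Select-Object PSChildName, EnableScriptBlockLogging, EnableModuleLogging, EnableTranscripting, OutputDirectory
```

New PowerShell sessions pick the settings up immediately; sessions that were already open keep their old logging configuration.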

For more information on PowerShell forensics and enabling the mentioned logging techniques, refer to the FireEye blog post: Greater Visibility through PowerShell Script Block Logging.

Alternate Data Streams (ADS)

Alternate Data Streams (ADS) are a feature of the NTFS file system that allows additional data to be associated with a file. ADS can be leveraged by attackers to hide malicious code or data within legitimate files. To interact with ADS, PowerShell provides useful commands. For instance, running the following command retrieves the Zone.Identifier ADS of a file:

pwsh -Command "Get-Content -Path 'C:\Path\To\File' -Stream Zone.Identifier"

To learn more about ADS and how to interact with them using PowerShell, refer to the PowerShell Cookbook recipe: Interact with Alternate Data Streams and the Malwarebytes blog post: Introduction to Alternate Data Streams.

Zone Identifiers are a specific type of ADS introduced in Windows XP SP2. They are created alongside files downloaded from the Internet or intranet and are used to identify the security zone from which a file originated. Understanding Zone Identifiers can provide insights into the trustworthiness of downloaded files. For a detailed analysis of Zone Identifiers, refer to the Cyber Forensicator article: Forensic Analysis of Zone Identifier.
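Going a step beyond the single Get-Content call above: this added example (not code from the original post or the cited recipes) walks a folder, lists every alternate stream and parses Zone.Identifier into its fields. The starting folder and the Zone.Identifier field names it reads are assumptions.

```powershell
# Added example, not part of the original post: walk a folder, list every alternate data stream and
# parse Zone.Identifier into its fields. The starting folder is an assumption. Zone.Identifier is an
# INI-style [ZoneTransfer] section carrying ZoneId and, on current Windows, ReferrerUrl/HostUrl.
param([string]$Root = "$env:USERPROFILE\Downloads")
$zoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-AdsReport([string]$Path) {
    foreach ($file in Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue) {
        # ':$DATA' is the file's main stream; everything else is an ADS
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object Stream -ne ':$DATA'
        foreach ($s in $streams) {
            $row = [ordered]@{ File = $file.FullName; Stream = $s.Stream; Bytes = $s.Length
                               ZoneId = $null; Zone = $null; HostUrl = $null; ReferrerUrl = $null }
            if ($s.Stream -eq 'Zone.Identifier') {
                $kv = @{}
                Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue |
                    ForEach-Object { if ($_ -match '^(\w+)=(.*)$') { $kv[$matches[1]] = $matches[2] } }
                if ($kv.ZoneId) { $row.ZoneId = [int]$kv.ZoneId; $row.Zone = $zoneNames[[int]$kv.ZoneId] }
                $row.HostUrl = $kv.HostUrl; $row.ReferrerUrl = $kv.ReferrerUrl
            }
            [pscustomobject]$row
        }
    }
}
$report = @(Get-AdsReport $Root)
# Streams other than Zone.Identifier, largest first: this is where hidden content would live
"== Other streams =="
$report | Where-Object Stream -ne 'Zone.Identifier' | Sort-Object Bytes -Descending | Format-Table File, Stream, Bytes -AutoSize
# Files that arrived from the Internet zone, with where they came from
"== Internet-zone downloads =="
$report | Where-Object ZoneId -eq 3 | Format-Table File, HostUrl, ReferrerUrl -AutoSize -Wrap
```

A file that should have come from a browser download but carries no Zone.Identifier at all is itself worth noting, since the stream is easily removed.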

WMI Forensics

Windows Management Instrumentation (WMI) is a powerful framework for system management and monitoring. During forensic investigations, WMI artifacts can provide valuable information about system configuration, executed queries, and potential misuse by attackers. Key areas to examine in WMI forensics include:

  • C:\WINDOWS\system32\wbem\Repository\OBJECTS.DATA
  • C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
  • MOF Files

Analyzing these artifacts can aid in reconstructing the activities performed through WMI on the system and provide insights into potential security incidents.
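Two views of the WMI artifacts listed above, as an added example that is not code from the original post: the live root\subscription namespace, and a raw string search of the OBJECTS.DATA files. The repository paths are the ones the post lists and are assumptions to adjust when working from a disk image.

```powershell
# Added example, not part of the original post. Two views of WMI persistence: the live
# root\subscription namespace, and a raw string search of the OBJECTS.DATA files listed above,
# which also works on a copy taken from a disk image (adjust the paths, they are assumptions).
# The class names are the filter/consumer types that event subscriptions are built from.
param([string[]]$RepositoryFiles = @("$env:SystemRoot\System32\wbem\Repository\OBJECTS.DATA",
                                      "$env:SystemRoot\System32\wbem\Repository\FS\OBJECTS.DATA"))

"== Live event subscriptions in root\subscription =="
$subs = foreach ($class in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
    # Querying the base __EventConsumer class also returns CommandLine/ActiveScript consumers
    Get-CimInstance -Namespace root\subscription -ClassName $class -ErrorAction SilentlyContinue |
        ForEach-Object {
            $i = $_
            $detail = if ($i.Query) { $i.Query } elseif ($i.CommandLineTemplate) { $i.CommandLineTemplate }
                      elseif ($i.ScriptText) { $i.ScriptText } else { "$($i.Filter) -> $($i.Consumer)" }
            [pscustomobject]@{ Class = $i.CimClass.CimClassName; Name = $i.Name; Detail = $detail }
        }
}
$subs | Format-Table -AutoSize -Wrap

"== Marker strings in OBJECTS.DATA (ASCII and UTF-16LE) =="
$markers = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer', '__FilterToConsumerBinding'
$latin1 = [Text.Encoding]::GetEncoding(28591)        # maps each byte to exactly one char
foreach ($file in $RepositoryFiles) {
    if (-not (Test-Path -LiteralPath $file)) { continue }
    # On a running host the WMI service may hold the file open; work from a shadow copy or image then
    try { $text = $latin1.GetString([IO.File]::ReadAllBytes($file)) }
    catch { Write-Warning "Cannot read $file ($($_.Exception.Message))"; continue }
    foreach ($m in $markers) {
        foreach ($enc in [Text.Encoding]::ASCII, [Text.Encoding]::Unicode) {
            $pattern = [regex]::Escape($latin1.GetString($enc.GetBytes($m)))
            foreach ($hit in [regex]::Matches($text, $pattern)) {
                # Keep the printable bytes after the marker: the consumer's command or script usually sits nearby
                $ctx = $text.Substring($hit.Index, [Math]::Min(240, $text.Length - $hit.Index)) -replace '[^\x20-\x7e]', ''
                [pscustomobject]@{ File = $file; Offset = ('0x{0:x}' -f $hit.Index); Marker = $m; Context = $ctx }
            }
        }
    }
}
```

Hits in OBJECTS.DATA with no matching live subscription can indicate a subscription that was created and later removed, which is exactly the gap the repository file closes.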

CrowdStrike Quarantine Location

If your organization utilizes CrowdStrike for endpoint security, it's important to know the quarantine location for potential threats. The quarantine locations for Windows and Mac hosts are as follows:

  • Windows Hosts: \Windows\System32\Drivers\CrowdStrike\Quarantine
  • Mac Hosts: /Library/Application Support/CrowdStrike/Falcon/Quarantine

During forensic investigations, examining the quarantine location can help identify previously detected threats or malicious files.

Conclusion

Windows forensics plays a vital role in investigating security incidents, identifying malicious activities, and uncovering evidence. By leveraging the event IDs, tools, and techniques outlined in this blog post, forensic analysts can enhance their ability to detect, investigate, and respond to potential threats. Stay proactive and keep your Windows systems secure!

warsang

Security funny doing cloud stuff and Game related things. Trying to learn something new every day.