Start Windows PowerShell (Run as Administrator)
Lists all the established TCP connections in the system and output to text file:
Get-NetTCPConnection -State Established >>D:\FolderName\FileName.txt
Gets IP route information from the IP routing table and output to text file:
Get-NetRoute >>D:\FolderName\FileName.txt
All the active processes output to text file:
Get-Process >>D:\FolderName\FileName.txt
Output Windows Event Log (Security Events) to Text Files:
Get-WinEvent -LogName "Security" >>D:\FolderName\FileName.txt
Outputs services configured to start automatically (StartMode = 'auto') to a text file:
Get-CimInstance win32_service -Filter "startmode = 'auto'" >>D:\FolderName\FileName.txt
File Created Time and Modified Time – Export to Text:
Get-ChildItem -Recurse C:\FolderName | Select-Object Mode,CreationTime, LastWriteTime,Length,Name >>D:\FolderName\FileName.txt
Hash entire file content inside a folder using SHA256 and export to text file:
Get-Childitem -path "D:\FolderName" -File | Get-FileHash >>D:\FolderName\FileName.txt
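The commands above each append a formatted console table to a text file with `>>`, which truncates wide columns (paths, remote addresses) to the console width. The following is an added example, not code from the original post, that collects the same artifacts into one timestamped case folder as CSV so every property survives; `Invoke-HostTriage`, the `$CaseRoot` path and the collector names are this example's own choices. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post): collect the artifacts gathered by
# the commands above into one case folder as CSV files plus a manifest.
function Invoke-HostTriage {
    param(
        [string]$CaseRoot = "D:\Cases",            # placeholder output root, change as needed
        [string]$HostName = $env:COMPUTERNAME
    )
    $stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
    $outDir = Join-Path $CaseRoot "${HostName}_$stamp"
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null

    # Each artifact is a name plus the script block that produces it, so a
    # failure in one collector does not stop the others.
    $collectors = [ordered]@{
        'tcp_established' = { Get-NetTCPConnection -State Established |
                              Select-Object LocalAddress,LocalPort,RemoteAddress,RemotePort,OwningProcess,CreationTime }
        'routes'          = { Get-NetRoute |
                              Select-Object DestinationPrefix,NextHop,InterfaceAlias,RouteMetric }
        'processes'       = { Get-Process -IncludeUserName |
                              Select-Object Id,ProcessName,Path,UserName,StartTime,CommandLine }  # CommandLine is populated on PowerShell 7+
        'autostart_svcs'  = { Get-CimInstance Win32_Service -Filter "StartMode = 'Auto'" |
                              Select-Object Name,DisplayName,State,StartName,PathName }
        'security_events' = { Get-WinEvent -LogName Security -MaxEvents 5000 |
                              Select-Object TimeCreated,Id,ProviderName,Message }
    }

    $manifest = foreach ($name in $collectors.Keys) {
        $file = Join-Path $outDir "$name.csv"
        try {
            & $collectors[$name] | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
            $status = 'ok'
        } catch {
            $status = "failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Artifact = $name; File = $file; Status = $status }
    }
    # The manifest records which collectors ran and where their output landed
    $manifest | Export-Csv -Path (Join-Path $outDir 'manifest.csv') -NoTypeInformation
    return $manifest
}

Invoke-HostTriage | Format-Table -AutoSize
```

Export-Csv keeps the full value of every selected property, and the manifest makes it obvious when a collector failed (for example Get-WinEvent without sufficient rights) instead of silently producing an empty file.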
Though the chrome:// URL list is huge, I have selected a few from the list which can be useful for incident responders to quickly gather information from the Chrome browser. (Just copy and paste the URL into the address bar.)
chrome://media-engagement
(Displays the media engagement score and thresholds for all sites opened in the browser. The score is used to determine video auto-play with sound)
chrome://indexeddb-internals
(IndexedDB information in the user profile)
chrome://media-internals
(Media information is displayed)
chrome://net-export
(Capture network activity and save it to a file on the disk)
chrome://ntp-tiles-internals
(Displays information about the tiles on the New Tab page and the Top sites functionality)
chrome://predictors
(A list of auto complete and resource prefetch predictors based on past activities)
chrome://signin-internals
(Displays information about the signed in account(s) such as last sign-in details or validity)
chrome://site-engagement
(Displays an engagement score for all sites visited in the browser)
In this example, we are tracking changes in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion".
Run PowerShell as admin and take the 1st snapshot:
dir -rec -erroraction ignore HKLM:\Software\Microsoft\Windows\CurrentVersion | % name > C:\HKLM_Snap_Before.txt
Take the 2nd snapshot:
dir -rec -erroraction ignore HKLM:\Software\Microsoft\Windows\CurrentVersion | % name > C:\HKLM_Snap_of_Date-$(get-date -f dd-MM-yyyy).txt
Compare the 1st and 2nd:
Compare-Object (Get-Content -Path C:\HKLM_Snap_Before.txt) (Get-Content -Path [Insert path and file name of 2nd Snapshot (remove square brackets too)])
Although tools are available, this simple PS script is useful during remote collection and analysis.
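The snapshots above record key names only, so a changed value under an existing key (a rewritten Run entry, for instance) is invisible to the comparison. The following added example, not part of the original post, goes one step further: each snapshot records key paths and value data, and the comparison reports added or removed keys as well as changed values. `Get-RegistrySnapshot`, `Compare-RegistrySnapshot` and the CSV path are this example's own names.

```powershell
# Added example (not from the original post): registry snapshot with values,
# and a comparison that surfaces key and value changes.
function Get-RegistrySnapshot {
    param([string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion')
    $keys = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        # One row per key, so key creation/deletion shows up even for keys without values
        [pscustomobject]@{ Key = $key.Name; Value = ''; Data = '' }
        foreach ($valueName in $key.GetValueNames()) {
            # Do not expand %VAR% so the stored string is compared, not its expansion
            $data = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
            if ($data -is [byte[]]) { $data = ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
            [pscustomobject]@{ Key = $key.Name; Value = $valueName; Data = [string]$data }
        }
    }
}

function Compare-RegistrySnapshot {
    param(
        [Parameter(Mandatory)]$Before,   # output of Get-RegistrySnapshot, or Import-Csv of a saved snapshot
        [Parameter(Mandatory)]$After
    )
    # Flatten each row to "key|value|data" so Compare-Object matches whole rows
    $toLine = { "$($_.Key)|$($_.Value)|$($_.Data)" }
    Compare-Object -ReferenceObject @($Before | ForEach-Object $toLine) -DifferenceObject @($After | ForEach-Object $toLine) |
        ForEach-Object {
            $parts  = $_.InputObject -split '\|', 3
            $change = if ($_.SideIndicator -eq '=>') { 'added/new data' } else { 'removed/old data' }
            [pscustomobject]@{ Change = $change; Key = $parts[0]; Value = $parts[1]; Data = $parts[2] }
        }
}

# Usage: take and save the first snapshot, then compare against a later one
$before = Get-RegistrySnapshot
$before | Export-Csv -Path "C:\HKLM_Snap_Before.csv" -NoTypeInformation
# ... later, after the suspected change ...
$after = Get-RegistrySnapshot
Compare-RegistrySnapshot -Before (Import-Csv "C:\HKLM_Snap_Before.csv") -After $after | Format-Table -AutoSize
```

A changed value appears as a pair of rows (the old data marked removed, the new data marked added) under the same Key and Value, which is what you want to see when an autostart entry has been repointed.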
Time Zone Information:
SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Network Interfaces and Past Networks:
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Autostart Programs:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SAM hive:
SAM\Domains\Account\Users
USB Device history:
USB device Volume Name:
SOFTWARE\Microsoft\Windows Portable Devices\Devices
Device identification (History):
SYSTEM\CurrentControlSet\Enum\USBSTOR
SYSTEM\CurrentControlSet\Enum\USB
First/Last Times:
SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\####
0064 = first connection
0066 = last connection
0067 = last removal
Bluetooth:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Devices
File / Folder Usage:
Recent Files:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Office Recent Files:
NTUSER.DAT\Software\Microsoft\Office\VERSION
NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU
ShellBags:
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
Open/Save and LastVisited Dialog MRUs:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Windows Explorer Address/Search Bars:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
Execution:
UserAssist:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
ShimCache:
SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Background Activity Moderator (BAM):
Desktop Activity Monitor (DAM) (WIN8):
SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}
Windows search index database forensics: Windows.edb is an important location in Windows to look for deleted records.
Analyse Windows.edb to parse normal records and recover deleted records.
Step 1 (stop SearchIndexer so the windows.edb file can be copied):
Run PowerShell as Administrator and run this command:
Get-Process SearchIndexer | Stop-Process
Select [A] (Yes to All) at the confirmation prompt. Note that the Windows Search service (WSearch) restarts the indexer; stopping the service instead (Stop-Service WSearch) keeps the file closed while you copy it.
Step 2:
In PowerShell, copy the windows.edb file to an external drive or other location:
copy C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb D:\FolderName
Step 3:
Download WinSearchDBAnalyzer by Jeonghyeon Kim (get the link from Google).
History of Bluetooth registry entries to investigate (MAC addresses of connected Bluetooth devices). After that, use the free utility “Dcode” to convert the Windows timestamp and check the date and time at which the Bluetooth device was connected.
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Devices”
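The Windows timestamps that Dcode decodes for this key (and for the USBSTOR Properties 0064/0066/0067 entries listed earlier) are FILETIME values: a 64-bit count of 100-nanosecond ticks since 1601-01-01 UTC. The following is an added example, not code from the original post, that does the conversion in PowerShell and applies it to the BTHPORT Devices key, where each subkey is named by the device MAC address. It assumes the `LastSeen` and `LastConnected` values are REG_QWORD FILETIMEs and `Name` is a REG_BINARY string, and skips whatever is absent; `ConvertFrom-WindowsFileTime` and `Get-BluetoothDeviceHistory` are this example's own names.

```powershell
# Added example (not from the original post): decode FILETIME values and list
# Bluetooth device history from the registry key above.
function ConvertFrom-WindowsFileTime {
    param([Parameter(Mandatory)]$Value)   # [long]/[uint64], or an 8-byte little-endian [byte[]] as stored in REG_BINARY
    if ($Value -is [byte[]]) {
        if ($Value.Length -ne 8) { return $null }
        $Value = [BitConverter]::ToInt64($Value, 0)
    }
    $ticks = [long]$Value
    if ($ticks -le 0) { return $null }    # 0 means "never"/not set
    return [DateTime]::FromFileTimeUtc($ticks)
}

function Get-BluetoothDeviceHistory {
    param([string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Devices')
    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        # Assumption: Name is stored as REG_BINARY text; fall back to a plain string
        $name = if ($props.Name -is [byte[]]) {
            [Text.Encoding]::UTF8.GetString($props.Name).TrimEnd([char]0)
        } else { [string]$props.Name }
        # The subkey name is 12 hex digits; format it as a MAC address
        $mac = ($_.PSChildName -replace '(..)(?!$)', '$1:').ToUpper()
        # Assumption: LastSeen/LastConnected are REG_QWORD FILETIMEs (absent on some devices)
        $lastSeen      = if ($null -ne $props.LastSeen)      { ConvertFrom-WindowsFileTime $props.LastSeen }      else { $null }
        $lastConnected = if ($null -ne $props.LastConnected) { ConvertFrom-WindowsFileTime $props.LastConnected } else { $null }
        [pscustomobject]@{
            MAC           = $mac
            Name          = $name
            LastSeenUtc   = $lastSeen
            LastConnUtc   = $lastConnected
        }
    }
}

# Usage: run elevated; the BTHPORT key is readable by administrators
Get-BluetoothDeviceHistory | Sort-Object LastConnUtc -Descending | Format-Table -AutoSize
```

The same `ConvertFrom-WindowsFileTime` function decodes the 8-byte REG_BINARY data under the USBSTOR `Properties\{83da6326-...}\0064`, `0066` and `0067` keys; note that those Properties keys are normally readable only in the SYSTEM context, so on a live system they are usually examined from an exported hive rather than through HKLM:.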
There are events that carry information about shell items, network shares, apps that require privileges, Run key information, etc.
When the system boots up, it appears that this file is created, and its location is:
C:\Users\<UserName>\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog.etl
You can use the Tracerpt command-line utility, which parses an ETL file's contents and saves them as a CSV or XML file that can be opened in Excel or any text editor.
Open CMD in the folder where ExplorerStartupLog.etl is copied and run this command from there:
tracerpt ExplorerStartupLog.etl -of CSV
Get the hash of all files in a folder and export it to a txt file using PowerShell. Run this script in PowerShell and remember to change the folder path.
You can change -Algorithm MD5 to any other algorithm.
————
param (
    $folders = @("C:\path\folder_name")
)
$allFiles = foreach($folder in $folders) {
    Get-Childitem -path $folder -recurse -File |
    select FullName,Name,Length |
    foreach {
        # hash each file; change -Algorithm MD5 to SHA256 etc. as needed
        $hash = Get-FileHash -Path $_.FullName -Algorithm MD5
        [PSCustomObject]@{ FullName = $_.FullName; Name = $_.Name; Length = $_.Length; Hash = $hash.Hash }
    }
}
$allFiles | Out-File "C:\path\hashes.txt" -Width 4096   # change to your output path
Filter by IP address: displays all traffic from IP, be it source or destination
ip.addr == 192.168.1.1
Filter by source address: display traffic only from IP source
ip.src == 192.168.0.1
Filter by destination: display traffic only from IP destination
ip.dst == 192.168.0.1
Filter by IP subnet: display traffic from subnet, be it source or destination
ip.addr == 192.168.0.1/24
Filter by protocol: filter traffic by protocol name
dns
http
ftp
arp
ssh
telnet
icmp
Exclude IP address: remove traffic from and to IP address
!(ip.addr == 192.168.0.1)
Display traffic between two specific subnets
ip.addr == 192.168.0.1/24 and ip.addr == 192.168.1.1/24
Display traffic between two specific workstations
ip.addr == 192.168.0.1 and ip.addr == 192.168.0.2
Filter by MAC
eth.addr == 00:50:7f:c5:b6:78
Filter TCP port
tcp.port == 80
Filter TCP port source
tcp.srcport == 80
Filter TCP port destination
tcp.dstport == 80
Find user agents
http.user_agent contains "Firefox"
Exclude Firefox and Chrome user agents
!(http.user_agent contains "Firefox") && !(http.user_agent contains "Chrome")
Filter out background traffic (ARP, ICMP, DNS)
!(arp or icmp or dns)
Filter IP address and port
tcp.port == 80 && ip.addr == 192.168.0.1
Filter all HTTP requests
http.request
Filter all HTTP requests and responses
http.request or http.response
Filter three way handshake
tcp.flags.syn == 1 or (tcp.seq == 1 and tcp.ack == 1 and tcp.len == 0 and tcp.analysis.initial_rtt)
Find files by type (regex match on frame contents)
frame matches "(attachment|tar|exe|zip|pdf)"
Find traffic based on keyword
tcp contains "facebook"
frame contains "facebook"
Detecting SYN Floods
tcp.flags.syn == 1 and tcp.flags.ack == 0
CertUtil in windows is mostly related to managing and viewing certificates, but very useful for getting hash value of any file using -hashfile subcommand.
Here’s the command. Try this out.
FOR /F %i IN ('wmic process where "ExecutablePath is not null" get ExecutablePath') DO certutil -hashfile %i SHA256 | findstr -v : >> output.txt
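Two things to know about the certutil loop above before relying on its output: `findstr -v :` also drops the "SHA256 hash of <path>:" header line, so the output file contains hashes without the paths they belong to, and the default `FOR /F` tokenizing splits executable paths at the first space. The following added example, not code from the original post, is the PowerShell equivalent that records path and hash together and notes images it could not read; `Get-RunningImageHash` and the output path are this example's own choices.

```powershell
# Added example (not from the original post): hash the image file of every
# running process, keeping path and hash together.
function Get-RunningImageHash {
    param(
        [string]$Algorithm = 'SHA256',
        [string]$OutFile                      # optional CSV output path
    )
    # Processes whose image path cannot be read (protected processes) have no Path;
    # hash each distinct image once rather than once per PID
    $paths = Get-Process -ErrorAction SilentlyContinue |
             Where-Object { $_.Path } |
             Select-Object -ExpandProperty Path -Unique
    $rows = foreach ($p in $paths) {
        try {
            $h = Get-FileHash -Path $p -Algorithm $Algorithm -ErrorAction Stop
            [pscustomobject]@{ Path = $p; Algorithm = $Algorithm; Hash = $h.Hash; Error = '' }
        } catch {
            # record the failure instead of silently skipping the image
            [pscustomobject]@{ Path = $p; Algorithm = $Algorithm; Hash = ''; Error = $_.Exception.Message }
        }
    }
    if ($OutFile) { $rows | Export-Csv -Path $OutFile -NoTypeInformation }
    return $rows
}

# Usage: run elevated so the image paths of other users' processes are visible
Get-RunningImageHash -OutFile "D:\FolderName\process_hashes.csv" | Format-Table -AutoSize
```

Rows with a non-empty Error column are worth a second look: an image that an administrator cannot open is unusual for ordinary user software.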
The Ntds.dit file is an Active Directory database that maintains information about user objects, groups, and group membership. It contains the password hashes for all domain users. All data in Active Directory is stored in the file ntds.dit (by default located in C:\Windows\NTDS) on every domain controller.
ntdsxtract is a framework to provide a solution to extract forensically important information from the main database of Microsoft Active Directory (NTDS.DIT). (Google for ntdsxtract tool)
Starting with Microsoft Windows 8, there is a new mechanism called System Resource Usage Monitor (SRUM) that allows you to track system resource utilisation over time, specifically process and network data. It continuously records process-related information such as process owner, CPU cycles spent, data bytes read/written, and network data (sent/received).
The information is stored in the \Windows\System32\sru\ directory in a file named SRUDB.DAT. The file is in the Windows ESE (Extensible Storage Engine) database format.
srum-dump is a forensics tool that converts the data in the Windows SRUM (System Resource Usage Monitor) database to an xlsx spreadsheet. Download a copy of srum-dump.exe (Google for MarkBaggett/srum-dump).