OLE structured storage, Registry as log file, 124
OpenOffice, 19, 245
for case notes, 281
OpenSaveMRU key, user hives, 150–151
OpenSavePidMRU key, user hives, 150–151
Open-source tools (general)
See also specific tools
analysis system set-up, 24
convergence, 19–20
pre-infection intelligence collection, 173–174
suggested reading, 24
timeline creation, 225–226
Operational logs
characteristics, 91
WLAN-AutoConfig example, 92f
Oracle, VirtualBox, 61
Order of volatility, definition, 11
OSession.evt, timeline creation on XP, 233–234

P

P2P, See Peer-to-peer (P2P) file sharing
PaaS, See Platform-as-a-service (PaaS)
Packed, malware detection, 193–195
Packed files
malware detection, 193–195
PEiD example, 193–194
Packet sniffers, incident response data collection, 41
Pagefile
Event Log records, 86–87, 89–90
Registry keys, 52
ParentIDPrefix value, device mapping, 126
Parse.pl script, 245
Parse::Win32Registry Perl module, 282
Parsing, 77, 79, 84–85, 95, 100, 196
Android devices, 116
Apple products, 115
application files, 111–118
AV logs, 88
Event Logs, 5, 86–87, 88, 92–93, 94
events file creation, 244b
events into timeline, 243–246
index files, 96–97
Internet history, 203
iPod Touch backups, 115
jump lists, 107–108, 109
LNK files, 106–107
Log2timeline framework, 213
malware persistence mechanism, 175–176
malware propagation mechanism, 173–174
MFT, 77
NTFS $I30 Index Attributes, 85
NTOSBOOT, 100
prefetch files, 97–98, 181, 238–239
Recycle Bin, 72–73
Registry analysis, 135, 137–138, 158, 203, 239
scheduled tasks, 102
shellbags, 154, 155
Skype logs, 113–114
timeline analysis, 213–214, 225, 247, 248–249
timeline creation, 225, 228, 230, 231–232, 234, 245
timeline creation on Windows 8, 234
timeline data volume, 243–246
virtual memory, 176
VSCs, 162–163
WFP, 196
Windows Event Logs, 236
Parsing into timeline, 243–246
Partition table
timeline creation, 228, 230, 232–233
via FTK Imager, 231f
Patent Pending, 86
Patient 0, 174
Payment card industry (PCI)
Data Security Standards (DSS), 47
incident response example, 31
timeline analysis, 219, 220
PCI, See Payment card industry (PCI)
PDE, See Physical Disk Emulator (PDE) module
PDF files, initial infection vector, 172–173
Peer review, 293–294
Peer-to-peer (P2P) file sharing
applications, 268
initial infection vector, 172
seeded sites, 207–208
PEiD tool
packed file malware detection, 193
UI example, 193f
usage tips, 194
Yara project, 194
Perl Package Manager (PPM), 232b
Perl script listing
Assoc.pl, 144–145
Bodyfile.pl, 230, 235
Devclass.pl, 136–137
Evt-parse.pl, 88, 233–234, 235
Evtrpt.pl, 87, 234, 244b
Evtxparse.pl, 236
Ftkparse.pl, 231–232
Legacy.pl, 140–141
Mbr.pl, 202, 202f
Mft.pl, 80
Mountdev.pl, 134–135, 136
Mp2.pl, 135, 137
Msis.pl, 143
Parse.pl, 244b, 245
Port_dev.pl, 137–138
Pref.pl, 98–99, 100, 238
Recbin.pl, 95
Regdiff.pl, 162b
Regtime.pl, 239–240, 248
Rip.pl, 164, 240
Tln.pl, 240, 241f, 248, 248f
Usbdevices.pl, 136
Usbstor.pl, 135, 136
Userassist2.pl, 241, 242
Userassist_tln.pl, 158b, 240
Perl scripts, 233–234, 235–236
analysis system set-up, 24
coding skills, 203
DateTime module, 232b
diff, 162b
direct artifacts, 13
Event Log file extraction, 87
Event Log file parsing, 88
Event Log records, 89–90
events file additions, 248f
events file creation, 244b
events into timeline, 244b, 245
“.exe” files, 212
file system tunneling example, 84
gmtime() function, 222
INFO2 file extraction, 95
Internet activity analysis, 205–206
jump list parsing, 109, 109
LEGACY_IMDISK LastWrite time, 140–141
Log2timeline framework, 213
MBR infectors, 201, 202, 202f
memory scraper, 176
MFT analysis, 80
module installation, 232
prefetch file parsing, 98–99
Registry analysis, 164
Registry data and TLN creation, 239–242
Software hive application analysis, 142–143, 144–145
time stomping example, 82
timeline creation, 230, 232, 238, 240, 241f, 244
timeline creation on Windows 8, 235–236
timeline creation on XP, 233–235
USB device analysis, 135, 135–136, 138
USB external drive analysis, 135
UserAssist, 158
WiFi geolocation mapping, 146b–147b, 147
Windows Event Log parsing, 95
Perl2Exe, 13
Persistence mechanism (malware), 177
as artifacts, 179
file infection, 176
file system startup locations, 177–178
malicious DLL, 177
memory scraper, 176
multiple mechanisms, 178
“nearby” systems, 178
networked environments, 178
overview, 175–179
Registry, 175–176
scheduled tasks, 177
W32/Crimea, 177
PEView tool, 208
PGPDisk volume, MountedDevices key, 130, 130f
Phishing attacks, training for, 173b
PhishMe.com, 173
Photos, 159–160
Physical Disk Emulator (PDE) module, 60
Physical memory
F-Response, 44–45, 57–58
incident preparation questions, 32
incident response, 42
Registry analysis, 120–121, 163–164
virtualization, 22
Pillion, Martin, 177–178
Pirc, John, 172
Platform-as-a-service (PaaS), 21
Plugin Browser, Registry analysis, 164, 165f
Pogue, Chris, 7
Point of contact (PoC), incident preparation, 29
Poison Ivy RAT, 197
Portable executable (PE) files
compile times, 199–200
MBR infectors, 200
packed, malware detection, 193–195
W32/Crimea, 177
PPM, See Perl Package Manager (PPM)
Prefetch files
See also Application prefetching
application file prefetching, 97
as artifacts, 181
data exfiltration, 181
file analysis, 97–100
incident response data collection, 44
indirect artifacts, 14
installed AV applications, 186
metadata, 98–99
NTOSBOOT-BOODFAAD.pf, 100
parsing, 98f
purpose, 97
Registry analysis, 203
speculation issues, 12–13
SSD drives, 98
timeline analysis, 218
timeline creation, 238–239
Vista, 100
PrefetchParameters key, 97
Previous Versions shell extension, 51, 51f
Process Monitor (ProcMon), 14
Process Registry key (XP), 5–6
ProDiscover
analysis system set-up, 24
dropdown menu example, 205f
Internet History Viewer, 205f
Jump List Viewer, 109, 110f
Mount Shadow Volume, 71f, 72f
time stamp display, 77
VSC access, 9
VSCs in acquired images, 71–73, 72f
VSCs on live systems, 56
Windows 7 .job file, 102f
ProDiscover Basic Edition (BE), 24, 66b, 68
ProDiscover Incident Response Edition (IR)
Internet activity analysis, 204
time stamp display, 77, 78f
VSCs in acquired images, 71
VSCs on live systems, 56
ProfileGuid value, NetworkList, 147
ProfileList subkey, timeline analysis, 223–224
Profiles key, NetworkList, 147
Propagation mechanism (malware)
malware artifacts, 182
malware characteristics, 174–175
ProScript, analysis system set-up, 23
Psexec.exe, interesting artifact searches, 90
PSExecSvc service, malware detection, 206
Pwdump7.exe, Registry analysis, 122
Python script listing
AnalyzeMFT.py, 80
Indxparse.py, 85
Python scripts
analysis system set-up, 24
Android device application files, 116
cache.wifi parsing, 116
coding skills, 203
NTFS $I30 Index Attributes, 85
Registry Decoder, 165
$SIA and $FNA extraction, 80, 82
Yara project, 194

Q

Questions
incident preparation, 30–33
“triage worksheet,” 31b–32b
QuickTime (Apple), 266
malware persistence mechanism, 177

R

.rar files, 277–278
RAT, See Remote administration tool (RAT)
Rcmd.exe, 90
RDP, See Remote Desktop Protocol (RDP)
ReadyBoost, 132, 138, 255–256
RecentDocs key, 104, 159, 223, 281
RecoveryStore..dat, 264
Recycle Bin, 24, 95, 95f
bypassing, 94b
file analysis, 94–97
index file, 96f
malware detection, 206–207
Vista, 96
Windows 8, 96f
Windows XP, 95
RegEdit.exe, See Registry Editor tool (RegEdit.exe)
RegIdleBackup key, 149f
as Registry information source, 162
scheduled tasks, 102, 149
values via WRR, 149f
Registry
camera image file analysis, 117
$FNA MFT record, 79
function, 120
installed AV applications, 186
as log file, 124
malware persistence mechanism, 175–176
malware write-ups, 190–192
MFT record, 77
nomenclature, 122–123
prefetch files, 97
ProDiscover Basic Edition, 24
RegEdit.exe view, 123f
RegIdleBackup task, 102
structure, 122b
task scheduling, 5
timeline analysis, 223
data sources, 215
timeline creation, 239–242
Registry analysis, 222
alternate sources, 162–164
browser analysis, 143b
current ControlSet, 126b
device mapping, 126b
DeviceClasses, 130b–131b
diff, 162b
driver events, 127b
EMDMgmt key, 138
EMDMgmt subkey values, 132f
evidence eliminators, 162b
expert tips, 222b
historical Registry data, 152b
malware detection, 203–204
memory, 163–164
MountedDevices key, 130f
overview, 119
Plugin Browser interface, 164, 165f
RegIdleBackup, 162
Registry Decoder, 165, 166f
Registry nomenclature, 122–123
Registry overview, 120
smart phones, 135
Software hive, 142–150, 142f
application analysis, 142–145
Classes subkeys, 144f
GUID key values, 149f
NetworkCards key, 148
NetworkCards12 key, 148f
NetworkList, 145–148, 147f
RegIdleBackup key values, 149f
scheduled tasks, 148–150
Tree subkeys, 149f
Unmanaged subkey values, 146f
WiFi geolocation mapping, 146b–147b
Wow6432Node key, 143f, 150b
System hive
basic considerations, 138–142
services, 139–141, 139f
testing for malware execution, 208
tools, 122, 164–166
U3-enabled devices, 125b
USB device analysis, 124–138
USB drive/disk signature, 134f
USB external drives, 134
USB subkeys, 129f
USB thumb drives, 125
USBStor and USB subkeys, 134f
USBStor device subkey properties, 127f
USBStor subkeys, 126f, 133b
user hives, 129f, 150–162
c6d3bf33.Windows.XP.Mode key, 161f
ComDlg32 subkeys, 151f
MUICache key, 157, 157f
shellbags, 152–156, 155f
tracking user activity, 154b
TypedPaths key, 161, 161f
UserAssist historical data, 160b
UserAssist subkeys, 158–159
Virtual PC key, 160–161, 161f
WordWheelQuery, 151–152, 152f
XP Mode, 159b
virtualization, 163
volume GUID, 129f
VSCs, 162–163
Wow6432Node key, 143f
Registry data, 269
Registry Decoder, 165, 166f
Registry Editor tool (RegEdit.exe), 123f, 126
Registry hive files, 266
Registry hives
file analysis example, 76
idling processes, 30
incident response data collection, 44
Root key, 15
speculation issues, 12–13
structure, 122b
suggested reading, 64
System Restore Points, 50
timeline analysis, 219–220, 242–243
timeline analysis case study, 248
Windows version comparison, 5
Registry keys (general), 271, 271–272
artifacts, 179
Carbon Black, 39
deleted keys, 138
direct artifact, 13–16
early worms, 16–17
event parsing into timeline, 246
jump lists, 104–110
malware persistence mechanism, 175–176
prefetch files, 99–100
Recycle Bin bypass, 94
Registry as log file, 124
Registry nomenclature, 123
seeded sites, 207–208
time formats, 215
timeline analysis, 217–218, 222b, 224
unique, malware, 175–176
VSCs, 52–53, 63–64
Registry values (general)
Application Event Logs, 184
artifacts, 179
Registry as log file, 124
Registry nomenclature, 123
seeded sites, 207–208
RegRipper, 203–204, 259, 263, 282
analysis system set-up, 24
events file creation, 244b
LEGACY_IMDISK LastWrite time, 140–141
photos.pl plugin, 159
Registry analysis, 121–122, 164
Registry data and TLN creation, 240
smart phone, 135
Software hive application analysis, 142–143, 144–145
timeline analysis case study, 248
timeline creation, 230
USB device analysis, 138
USB external drive analysis, 135
UserAssist subkeys, 158
VSC access automation, 70
VSCs in acquired images, 63, 162–163
WordWheelQuery, 152
XPMode, 159b
RegRipper plugins, 240, 271–272
RegRipper shellbags, 156
Remote administration tool (RAT), 197
Remote Desktop Client, jump list parsing, 109
Remote Desktop Connection, jump list information, 107
Remote Desktop Protocol (RDP), 35, 221
Remote systems
jump list files, 106–107
VSC access
basic considerations, 58b–59b
F-Response, 57
ProDiscover, 56
Removal, VHD files, 91b–92b
Reporting, 275, 284–294
recommendations, 291b
review process, 294b
Robocopy command, 63, 69–70
Root key
indirect artifact, 15
Windows services, 140
ZeroAccess, 15b
Rootkits
malware persistence mechanism, 175
MBR, 200–201
ZeroAccess, 15, 180
Rot-13 translation cipher, UserAssist subkeys, 158
Rpcall.exe, timeline analysis case study, 249
RSA, data breach, 2–3
Run key
malware artifacts, 181–182
malware persistence mechanism, 175–176
timeline analysis case study, 248
user hives, 150–151
Wow6432Node key, 150b
Russinovich, Mark, 196–197

S

Safari (Apple), malware persistence mechanism, 177
Safe Mode, malware persistence mechanism, 175–176
SAM hive
RegIdleBackup, 162
Registry analysis, 122
System Restore Points, 50
timeline analysis, 223–224
SAM Registry hive file, 282
SANS Investigative Forensic Toolkit (SIFT)
analysis system set-up, 22–25
incident response acquisition process, 43–44
Registry data and TLN creation, 239–240
usage example, 22b
VSCs in acquired images, 68b
Windows Event Log parsing, 93
Sbag.exe, 154–155, 155f, 156
Sbag64.exe, 156
Sbag.exe tool, 154–155
SchedLgU.txt, 103–104
Scheduled Task Wizard, 101–104, 101f
Scheduled tasks, 101–102, 266
AppleSoftwareUpdate task, 101f
at.exe vs. schtasks.exe, 103
file analysis, 101–104
GUID key values, 149f
.job files, 206
malware detection, 206
non-user created, 101–102
RegIdleBackup key values, 149f
SchedLgU.txt, 103–104
Software hive, 148–150
timeline analysis data sources, 215
via schtasks.exe, 103
Windows, 5, 102, 103f
Windows 7 .job file, 102f
XP Scheduled Task Wizard, 101f
Schtasks.exe, 103
Schuster, Andreas, 93, 236
Secevent.evt, XP/2003 systems, 90
Security Event Logs, 233–234
events file creation, 244b
file analysis, 87
interesting artifact searches, 90
timeline analysis, 221
timeline approaches, 213–214
timeline creation on Windows 8, 244
timeline creation on XP, 233–235
Ultimate Windows Security Event Log site, 88–89
Security hive
events file creation, 244b
RegIdleBackup, 162
timeline approaches, 213–214
Security identifier (SID)
malware detection, 206
Recycle Bin, 95
timeline analysis, 223–224
Win7 Recycle Bin, 96
Seeded sites, malware detection, 207–208
Serial number key, 128
Serial numbers, 256
Servers, auditing functionality, 37–38
Service set identifier (SSID), 146
ServiceName value, NetworkCards key, 148
Services Event Log, characteristics, 91
Setup Event Log, characteristics, 91
7Zip, 24, 142
SHA-256 algorithm, scheduled tasks, 150
ShadowExplorer v0.8, interface example, 55f
Shannon, Matthew, 44–45, 57
Shell Items, 153
Shell link files, jump lists, 106
Shellbags, 10–11, 152–156, 155f, 156
Shellbags artifacts, 257
$SIA attributes, 80
SID, See Security identifier (SID)
SIFT, See SANS Investigative Forensic Toolkit (SIFT)
Sigcheck.exe tool, 195, 195f
Signatures, 256
Silberman, Pete, 17
Skype, 63–64, 113–114, 242
Skype History Viewer, 113–114
Skype Log View, 113–114, 114f
The Sleuth Kit (TSK) tools
ASCII timelines, 212–213
Event Log records, 89–90
MBR infectors, 201
SIFT VM usage example, 22
timeline creation, 227, 228
Smart phones
image file analysis, 116–118
ubiquitousness, 1–2
USB device analysis, 135
“Snapshots”, See Volume Shadow Copy (VSC)
Sniper Forensics (Pogue), 7
Software-as-a-service (SaaS), 21
Software hive, 142f
application analysis, 142–145
Classes subkeys, 144f
GUID key values, 149f
malware artifacts, 181–182
malware persistence mechanism, 175–176
NetworkCards key, 148
NetworkCards12 key, 148f
NetworkList, 145–148, 147f
Process Registry key, 5–6
RegIdleBackup, 162
RegIdleBackup key values, 149f
Registry analysis, 142–150
Registry Decoder, 165
scheduled tasks, 148–150
smart phone, 137–138
timeline analysis, 223–224
Tree subkeys, 149f
Unmanaged subkey values, 146f
USB device analysis, 132
via WRR, 142f
WiFi geolocation mapping, 146b–147b
Wow6432Node key, 143f, 150b
Software Registry hive
prefetch files, 99–100
VSC access automation, 124
Solid-state drive (SSD), 98
Source value, timeline analysis, 222–223
Spear phishing, definition, 173–174
Speculation, analysis principles, 12
SPPClients key, 53
SQL injection attacks, 173, 213–214
SQLite databases, 111, 115
Squid, Log2timeline framework, 213
Ssdeep hash, MBR infectors, 202
$STANDARD_INFORMATION attribute ($SIA)
file system tunneling example, 84–85
file/directory records, 77
Last Access Time, 78
time stamps, 77, 78
time stomping example, 83
timeline analysis, 215, 217–218, 224
timeline creation, 227–228
timestamping manipulation, 214–215
Start value, Windows services analysis, 139–140
Startup location, malware persistence mechanism, 177–178
Stevens, Didier, 158, 172–173
Sticky Notes files, Registry as log file, 124
Strings.exe
analysis system set-up, 24–25
Event Log records, 89–90
Registry structure, 122
Structured storage, Registry as log file, 124
Stuxnet malware, 150, 195–196
SubSeven Trojan, 8
Surfacing, VHD files, 91b–92b
Suspicious processes, Carbon Black log example, 39, 39f
Sutton, Willy, 172
Svchost.exe, malware detection, 203
Symantec antivirus (AV) products, 234
AV log time formats, 216
Event Logs, 87
malware characteristics, 172–173
malware detection, 177–178
MBR infectors, 200
timeline analysis, 222–223
timeline creation on XP, 233–235
Sysevent.evt, XP/2003 systems, 90
System Event Log, 233–234
driver events, 127b
malware detection, 206
timeline creation on Windows 8, 244
timeline creation on XP, 233–235
System field, timeline analysis, 223
System hive
Bluetooth, 141
RegIdleBackup, 162
Registry analysis, 138–142, 139f
smart phones, 136, 138
time formats, 215–216
U3-enabled device analysis, 125
USB thumb drive, 131
VSC access automation, 124
System Properties dialog, 53f
System Registry hive, 203–204, 255
System Restore Points, 51, 52, 266
indirect artifacts, 15–16
Registry Decoder, 165
system files, 51b
timeline analysis case study, 250
timeline analysis via visualization, 246
timeline data volume, 243b
VSS, 52
XP functionality, 50f
XP system “noisiness,” 17–18
System time change, detecting, 264–265
System-level privileges
Internet activity analysis, 15, 204
scheduled tasks, 101–102
timeline analysis, 214–215, 223–224
SYSTEMTIME, 222
NetworkList, 147–148
Registry analysis, 222b
scheduled tasks, 102
time formats, 216

T

Tablet devices, ubiquitousness, 1–2
Task Scheduler
indirect artifacts, 15–16
SchedLgU.txt, 103–104
Software hive, 148–149
Windows 8, 102, 103f
Windows version differences, 5
TaskCache\TasksGUID key, values example, 149f
TaskCache\Tree subkeys, via WRR, 149f
TechNet blog, 204
Temp directory
malware artifacts, 181–182
malware detection, 187–188, 206–207
VSCs and Registry keys, 52
Temporal proximity
definition, 30
timeline analysis, 218
Temporary files, Registry keys, 52
Temporary Internet Files (TIF), 100, 204
Terminal Server Client key, UserAssist subkeys, 160
Terminal Services, 269
jump list files, 107
Thomassen, Jolanta, 138
Threat intelligence, 272b
ThreatExpert.com, 5–6
Tilbury, Chad, 85
Time formats, timeline analysis, 215–217, 222
Time stamps, 77, 78, 78f, 79, 81
file system tunneling example, 84
file/directory records, 77
$FNA, 79
hypothesis testing, 81
jump list files, 106
Log2timeline framework, 213
NetworkList, 147–148
ProDiscover IR, 77
$SIA, 78
timeline analysis, 218, 222–223
values from other file, 82–83
Time stomping
definition, 82
example, 82–83
Timeline (TLN) analysis
analysis system set-up, 23
approaches, 213–214
basic concepts, 217–218
benefits, 219–221
case study, 247–250
data source volume issues, 243–244
data sources, 215, 222–223
description field, 224–225
events file additions, 248f
events file creation, 244
via event parsing, 243–246
formats, 221–225
granularity issues, 222
Log2timeline framework, 213–214
non-time-stamped data sources, 242
overview, 212–225
Registry analysis, 222b
system field, 223
time formats, 215–217, 222
user field, 222–223
UserAssist data, 158b
visualization, 246–247
Timeline (TLN) creation
Event Logs, 233–235
basic considerations, 233–238
sources, 235–236
Windows 8, 235–238
Windows XP, 233–235
events file, 230
example, 228f, 229f
file system metadata, 227–233
image partition table, 231f
modular approach, 226
NTFS file times, 229–230
overview, 225–247
prefetch files, 238–239
Registry data, 239–242
Timestamping
expert tips, 215
timeline analysis data sources, 214–215
Timestomp.exe, 82, 215
TimeZoneInformation key, 222b
Tool validation myth-odology, analysis principles, 9–11
Tools, 156
Tools vs. process, analysis principles, 9
Training
incident preparation, 45–46
mock incidents, 45–46
phishing attacks, 173b
Triage checklist, 278–279
“Triage worksheet,” 18, 31b–32b
TriForce, 85–86
“Trojan Defense,” 19–20, 172, 207
Trojan downloader, 175
Trojans
persistence mechanism, 177–178
Process Registry key, 5–6
scheduled tasks, 102
TrueCrypt encrypted volumes, 257
TrueCrypt volume, MountedDevices key, 130, 130f
Trusted advisor, incident response, 42
TypedPaths key, 161, 161f
TypedURLs key, 143b, 262–263
TZWorks, 80–81, 156

U

U3-enabled devices, Registry analysis, 125
Ultimate Windows Security Event Log site, 88–89, 90
UltraEdit, 24, 245
Unallocated space
data breach example, 76
Event Log records, 86–87, 89–90
MBR infectors, 201
Registry structure, 122
Unicode format
DestList stream, 107–108
prefetch file parsing, 98–99
Recycle Bin, 96–97
Uninstall key, 142, 150b
Unique instance ID key
device mapping, 126
iPod Touch, 136
LastWrite time, 128
vs. serial number, 128
smart phone, 135–136
USB device analysis, 126, 128, 132
USB external drive analysis, 134
USB thumb drive, 131
Unix, time formats, 216
Unmanaged subkey, values, 146, 146f
Unsurfacing, VHD files, 91b–92b
Update sequence number (USN), 85–86
USB device analysis, 132–133
checklists, 125b
current ControlSet, 126b
deleted Registry keys, 138b
device mapping, 126b
DeviceClasses, 130b–131b
driver events, 127b
EMDMgmt key, 138
EMDMgmt subkey values, 132f
MountedDevices key, 130f
overview, 124–138, 135
smart phones, 135
subkeys, 131
U3-enabled devices, 126b
USB subkeys, 129f, 129f
USBStor device subkey properties, 127f
USBStor subkey LastWrite times, 133b
USBStor subkeys, 126f
volume GUID, 129f, 131
USB devices, Windows shortcuts and, 255–257
USB external drives
analysis, 134
drive/disk signature, 134f
imaging, 4
incident response, 42–43, 44
Registry analysis, 124–125, 124–138
timeline analysis, 219
timeline creation, 231
USBStor and USB subkeys, 134f
USB key, 134
USB subkeys, 129f, 134f
USB thumb drive
initial infection vector, 173
Registry analysis, 124–125, 126b, 128
time stamp testing, 81
Windows 7 Registry, 131
USBStor key
device mapping, 126b
LastWrite time, 127
OS version comparison, 5
U3-enabled device analysis, 126b
USB external drive analysis, 134
USBStor subkeys
device properties, 127f
LastWrite time, 133b
USB external drive analysis, 134f
USB thumb drive, 131
via WRR, 126f
User accessed files, 257–260
User activity tracking, expert tips, 154b
User field, timeline analysis, 223–224
User hives
c6d3bf33.Windows.XP.Mode key, 161f
ComDlg32 subkeys, 151f
menuorder, 156–157
MUICache key, 157, 157f
Photos, 159–160
Registry analysis, 150–162
shellbag, 152–156, 155f, 156
tracking user activity, 154b
TypedPaths key, 161, 161f
UserAssist historical data, 160b
UserAssist subkeys, 158–159
Virtual PC, 160–161
Virtual PC key path, 161f
WordWheelQuery, 151–152, 152f
XPMode, 159b
UserAssist data, 271–272
UserAssist entries, 257
UserAssist information, 245
UserAssist key, 63, 242–243
UserAssist subkey data, 265
UserAssist subkeys, 120, 158–159
historical data, 160b
timeline analysis, 224
timeline analysis case study, 248
user hives, 158–159
XP Mode, 159b
USRCLASS.DAT hive, 154, 159
MUICache key, 157
shellbags, 154, 155
Software hive application analysis, 145
VSCs in acquired images, 162–163
USRCLASS.DAT hive file, 257, 259
UTC format, 222
event parsing into timeline, 245
file system tunneling example, 84
iPod Touch, 136
jump list files, 106
LEGACY_IMDISK LastWrite time, 140–141
MFT record, 77
NetworkList, 147–148
timeline analysis, 216, 222
USB external drive analysis, 135
UserAssist subkeys, 158

V

VHD, See Virtual hard drive (VHD)
Vhdmount, VSCs in acquired images, 61
Vhdtool.exe, 61, 73
Virtual hard drive (VHD), 74b, 271–272
expert tips, 91b–92b
image file formats, 73
multiple AV scans, 189–192
Registry analysis, 163
VSCs in acquired images, 61–65, 61f, 62f
Windows 8, 73
Virtual machine (VM)
analysis system set-up, 22
expert tips, 91b–92b
F-Response VSC demo set-up, 57
Virtual memory, direct artifacts, 13
Virtual PC (VPC)
concealing artifacts, 20–22
key, 161f
Registry analysis, 163
user hives, 160–161
VSCs in acquired images, 61
Virtual private network (VPN), 35, 57
Virtual Server, VSCs in acquired images
VirtualBox (Oracle), 61
Virtualization
analysis concepts, 20–22
Registry analysis, 163
VirusTotal, 172–173, 202
Visualization, timeline analysis, 246–247
VMDK, See VMWare (.vmdk)
VMPlayer, 57, 65–66, 104, 104f
VMWare (.vmdk)
analysis system set-up, 24
Registry analysis, 163
VSCs in acquired images, 59–60, 65–68
VMWare Workstation, VSCs, 65, 67, 67f
Volatility Framework
hibernation files, 111
Registry analysis of memory, 163–164
Volume serial number, EMDMgmt key, 132–133
Volume shadow copies (VSCs), 257
Volume Shadow Copy Service (VSS)
implementation, 52
Registry Decoder, 165
Registry keys, 52
timeline analysis data sources, 242–243
tools vs. process, 9
Vista implementation, 51
Volume Shadow Copy (VSC)
access, 9
access automation, 68–71, 124–125
acquired images, 60, 66b, 68b
batch files, 70
Diskpart command, 64b
example, 59f
image file formats, 73
LiveView, 60b
overview, 59–73
ProDiscover, 71–73, 71f, 72f
ProDiscover BE, 66
VHD method, 61–65, 61f, 62f
VMDKs and SIFT, 68
VMWare method, 65–68, 67, 67f
analysis system set-up, 23
definition, 50–53
historical Registry data, 152b
idling processes, 30
indirect artifacts, 15–16
live systems
basic considerations, 58b–59b
F-Response, 57–59, 58f
overview, 53–59
ProDiscover, 56
MUICache key, 157
Registry Decoder, 165
as Registry information source, 162–163
Registry keys, 52–53
ShadowExplorer v0.8 interface, 55f
system files System Restore Points, 51b
timeline analysis data sources, 215, 242–243
timeline analysis via visualization, 246
UserAssist historical data, 160b
Windows 8, 73–74
WMI class, 54
XP System Restore Points, 50f
Volume Shadow Service, 52–53
VPC, See Virtual PC (VPC)
VPN, See Virtual private network (VPN)
VSC, See Volume Shadow Copy (VSC)
VSS, See Volume Shadow Copy Service (VSS)
VSS key, 52
Vssadmin command, 54–55, 56, 62, 69

W

Wallet drives, See USB external drives
Walters, Aaron, 30, 218
WAPs, See Wireless access points (WAPs)
Warden, Pete, 114
Wardriving, WiFi geolocation mapping, 146
Warez server, intrusions, 17
Warnings
Application Event Logs, 184
at.exe vs. schtasks.exe, 103
device mapping, 126b
Googled malware information, 192
jump list parser, 109b
“knowing what to look for,” 198
Last Access Time, 78b–79b
malware evolution, 180
memory scraper, 176
mixing protection mechanisms, 188
multiple persistence mechanisms, 180
Perl module installations, 232
Trojan defense, 172
USBStor subkey LastWrite time, 133b
VSCs on live systems, 58b–59b
Windows Event Log parsing, 237
WMI class, 54b
ZeroAccess, 15b
W32/Crimea, 177
Web history analysis, expert tips, 143b
Web proxy logs, 277
Web servers, 279
Web sites, initial infection vector, 173–174
Weg, Jimmy, 56, 65, 108
Wevtutil.exe, Event Log conversion, 93
WFA, See MiTeC Windows File Analyzer (WFA)
WFP, See Windows File Protection (WFP)
WiFi geolocation mapping, expert tips, 146b–147b
Window of compromise
antivirus log analysis, 112–113
compliance issues, 31b
Dr. Watson logs, 188
initial infection vector, 173
LEGACY_IMDISK LastWrite time, 140–141
timeline analysis, 219
Window Washer, 163b
Windows, 6
alternate Registry sources, 161
analysis system set-up, 22–25, 23
Apple product application files, 115
application prefetching, 181
Applications/Services logs, 91
Audit Policy settings, 38f
device mapping, 126b
driver events, 127b
Event Log conversion, 93
Event Log files, 5, 91f
Event Log metadata, 217
Event Log parsing, 237
Explorer shell searches, 5
F-Response VSC demo set-up, 57b
hibernation files, 110–111
historical Registry data, 152b
idling processes, 30
iPod Touch, 136
jump list parser, 109
jump lists, 104–110, 106, 107
Last Access Time, 78b–79b
live system VSCs, 53–54
Log Parser tool, 93
malware persistence mechanism, 177–178
MUICache key, 157
multiple AV scans, 189–192
NetworkList, 145–148, 147f
prefetch files, 97, 100
prefetch files and TLN creation, 238–239
Previous Versions shell extension, 51f
Recycle Bin, 96f
RegIdleBackup, 162
Registry, 120
Volume Shadow Copies (VSCs), 120
Registry analysis, 122
Registry as log file, 124
Registry Decoder, 165
Registry hive files, 5
Registry keys, 52
scheduled tasks, 5, 102, 148–149
shellbags, 154, 155
smart phone, 135
Software hive application analysis, 143, 145
SSD drive prefetch settings, 98
Task Scheduler applet, 103f
timeline creation, 225, 227
U3-enabled device analysis, 125
USB device analysis, 124–125, 131
USB external drive analysis, 134
user hives, 150–151
virtualization, 20–22, 163
Virtual PC, 160
VMs, 91b–92b
VSCs, 50, 162–163
VSCs in acquired images, 60, 65, 72–73
Windows Defender logs, 186
Windows Event Logs, 90
WordWheelQuery, 151
Wow6432Node key, 150b
Windows 7, 153, 264, 267, 272–273
Event Log example, 91f
shellbags artifacts, 257
USB devices, 255–256
Windows 8
Photos, 159–160
shellbags artifacts, 257
USB devices, 255–256
VSCs, 73–74
Windows 2000, 77
Event Log files, 86–94
Log Parser tool, 237
Registry, 120
Registry hive files, 5
scheduled tasks, 101
$SIA, 77
time formats, 216
timeline analysis, 222–223
timeline creation, 227
Windows 2003, 265
application prefetching, 181
Event Log files, 5, 86–87
Last Access Time, 78b–79b
Log Parser tool, 93, 237
prefetch files, 97, 100
prefetch files and TLN creation, 238
SchedLgU.txt, 103–104
scheduled tasks, 102
Security Event Logs, 88–89
timeline analysis, 222–223, 224–225
Windows Event Log, 90
Windows 2008
analysis system set-up, 23
application prefetching, 181
Event Log files, 5
Event Log parsing, 237
live system VSCs, 53–54
prefetch files, 97
prefetch files and TLN creation, 238
Registry analysis, 122
scheduled tasks, 148–149
Security Event Logs, 88–89
Windows Backup, 51
Windows Defender, 186, 189–190
Windows Event Logs, 90
characteristics, 37
conversion, 93
example, 92f
file analysis, 90–93
Logparser tool, 92–93
parsing issues, 237
Perl-based parsing, 93
size limits, 37
smart phone, 135–136
timeline analysis, 222–223
USB device analysis, 124–125
USB external drive analysis, 135
UserAssist subkeys, 160
Windows 7 example, 91f
Windows Event Viewer, 88
Windows Explorer, 269
Windows Explorer shell
malware persistence mechanism, 177
searches in XP, 5
shellbags, 152–153
time formats, 215–217
time stamps, 77
TypedPaths key, 161, 161f
UserAssist subkeys, 158
VSCs in acquired images, 61–62
VSCs on live systems, 56
Win7 Recycle Bin, 96
Windows File Protection (WFP), 190–192, 196, 197f
Windows Local Group Policy, 178
Windows Management Instrumentation (WMI), 54b, 198–199
Windows Media Player, 144
Windows NT, 196–197
Windows Registry Forensics (Carvey), 64
Windows Registry Recovery tool, 282
Windows services, 134f
direct artifact, 13–16
direct vs. indirect artifacts, 14b–15b
F-Response, 44–45
interesting artifact searches, 90
Internet activity analysis, 204
Internet history information, 14b–15b
key values via WRR, 134f
malware-created, 179–180
memory scraper, 176
OS version comparison, 6
Registry keys, 5, 52
System hive analysis, 139–141
Windows shortcuts and USB devices, 255–257
Windows systems (general), 184–185
ADS manipulation tools, 196–197
analysis system set-up, 22–25
Apple product application files, 115
application prefetching, 97
auditing functionality, 37–38
Event Log analysis, 89
event parsing into timeline, 243–244
events file creation, 244b
file format diversity, 76
file system tunneling, 84
idling processes, 30
in-depth malware detection techniques, 192–193
indirect artifacts, 14
initial infection vector, 173–174
logs and incident response, 36–41
malware persistence mechanism, 175–176
MFT records, 79
MRT, 184–185
multiple AV scans, 189–192
open source tools, 24
prefetch files, 97, 181
Registry, 120
Registry analysis checklists, 125b
Registry hive files, 5
shellbags, 152–153
Skype, 113
system “noisiness,” 17–18
timeline analysis data sources, 215, 242
timeline analysis via visualization, 246
timeline creation, 227
timeline time formats, 222
time-stamped information, 215–216
tracking user activity, 154b
version differences, 4–6
VPN incident, 35
VSC access automation, 70
ZeroAccess, 15b
Windows Updates, 17–18, 91, 199–200
Windows Vista
ADS manipulation, 196–197
analysis system set-up, 23
application prefetching, 181
device mapping, 126b
Explorer shell searches, 5
jump list files, 106–107
Last Access Time, 78b–79b
live system VSCs, 53–54
log files, 5
Log Parser tool, 93, 237
NetworkList, 145–148
prefetch files, 97, 100
prefetch files and TLN creation, 238
Recycle Bin, 96
Registry analysis, 122
Registry Decoder, 165
Registry keys, 52
scheduled tasks, 148–149
Security Event Logs, 88–89
Task Scheduler, 5
timeline creation, 225
VSCs, 50, 162–163
VSCs in acquired images, 59f, 60, 72–73
VSS functionality, 51
VSS implementation, 9
Windows Defender logs, 186
Windows Event Logs, 90
WordWheelQuery, 151
Windows XP, 22, 71, 265
analysis system set-up, 22–25, 23
Apple product application files, 115
application prefetching, 181
Carbon Black log example, 39
device mapping, 126b
Dr. Watson logs, 188
Event Log analysis, 89
Event Log conversion, 93
Event Log files, 5, 86–87, 90
Event Logs, timeline creation, 233–235
event record format, 86f
Explorer shell searches, 5
hibernation files, 110–111
idling processes, 30
Last Access Time, 78b–79b
Log Parser tool, 93, 237
malware write-ups, 190–192
prefetch files, 97, 100
prefetch files and TLN creation, 238
Process Registry key, 5–6
ProDiscover IR, 71
Recycle Bin, 95, 95f
Registry, 120
Registry Decoder, 165
SchedLgU.txt, 103–104
Scheduled Task Wizard, 101f
scheduled tasks, 102
Security Event Logs, 88–89
shellbags artifacts, 257
Skype, 113
SIFT VM, 22
system files in System Restore Points, 51
system “noisiness,” 17–18
System Restore Points, 50f
Task Scheduler, 5
time formats, 216
timeline analysis, 222–223, 224–225
timeline approaches, 213–214
timeline creation, 225
timeline data volume, 243b
user hives, 150–151
Virtual PC, 20–22
virtualization, 163
VMs, 91b–92b
VSCs, 50, 68
VSS implementation, 9, 50
Windows Defender logs, 186
Windows Event Logs, 90
Windows services, 139–140
WordWheelQuery, 151
Windows XP Mode, 160
c6d3bf33.Windows.XP.Mode key, 160, 161f
UserAssist subkeys, 159b
VM tips, 91b–92b
Virtual PC, 160
Windows XP SP3 system
file system tunneling example, 84
MRT log analysis, 184–185
time stomping example, 82–83
WinInet, 14, 204
Win32_ShadowCopy, 54
Wireless access points (WAPs), 145, 146, 147f, 223
WLAN-AutoConfig log, event example, 92f
WMI, See Windows Management Instrumentation (WMI)
Woan, Mark, 108
Word, See Microsoft Word
WordWheelQuery key, 5, 151–152, 152f
Worms, early Internet, 17–18
Wow6432Node key, 143, 143f, 150b
Write-blockers, hard drive imaging, 4
WRR, See MiTeC Windows Registry Recovery (WRR) tool
Writing, 284
case notes, 280

X

XML, See Extensible markup language (XML) format
XPMode, 159

Y

Yara project, malware detection, 194

Z

ZeroAccess rootkit, 15b, 180, 262
Zeus/ZBot, 177–178, 185