Digital Forensics

Windows Forensics

credit to: https://frsecure.com/blog/windows-forensics-execution/

  1. Files a user has recently accessed

    C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent

  2. Registry Hives

    HKCU\<User SID>\Software\Microsoft\Windows\CurrentVersion\

    • Explorer\

      • RecentDocs – Stores several keys that can be used to determine what files were accessed by an account. The MRUListEx key shows the order in which files were accessed.

      • TypedPaths – Shows items typed into the Windows Explorer bar by the user.

      • RunMRU – Records items typed into the Windows Run dialog by the user.

      • UserAssist – ROT-13 encoded names of GUI programs that have been run and the number of times each has run.

      • HKCU\SOFTWARE\Microsoft\Windows\Shell – Often referred to as Shellbags, this registry location (in NTUSER.DAT) and its counterpart in UsrClass.dat record whenever a user accesses a folder or zip file. They can be parsed manually, but a tool like ShellBags Explorer by Eric Zimmerman automates much of the work.

      • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\

        • Run\ – used by attackers for persistence
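An added example, not from the cited frsecure post, that parses two of the artifacts above offline in Python: it ROT-13 decodes a UserAssist value name and reads the run count and last-execution FILETIME from the Windows 7+ 72-byte value layout, and walks an MRUListEx value to recover the access order of RecentDocs entries. The value name and bytes below are constructed sample data, not from a real hive.

```python
"""Decode UserAssist and MRUListEx values exported from NTUSER.DAT."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_userassist(name, data):
    """Decode one value under UserAssist\\{GUID}\\Count (Windows 7+ layout)."""
    if len(data) < 68:
        raise ValueError("UserAssist value too short for the Win7+ layout")
    run_count = struct.unpack_from("<I", data, 4)[0]     # times launched
    focus_count = struct.unpack_from("<I", data, 8)[0]   # times focused
    focus_ms = struct.unpack_from("<I", data, 12)[0]     # total focus time
    last_ft = struct.unpack_from("<Q", data, 60)[0]      # last executed
    return {
        "program": codecs.decode(name, "rot_13"),        # names are ROT-13 encoded
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_executed": filetime_to_datetime(last_ft) if last_ft else None,
    }


def parse_mrulistex(data):
    """Return RecentDocs value indexes in MRU order (most recent first).
    The list is an array of DWORDs terminated by 0xFFFFFFFF."""
    order = []
    for off in range(0, len(data) - 3, 4):
        idx = struct.unpack_from("<I", data, off)[0]
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


# Constructed sample data (not taken from a real system).
SAMPLE_UA_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfrqtr.rkr"
SAMPLE_UA_TIME = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_UA_DATA = (
    struct.pack("<IIII", 0, 5, 3, 120_000)   # session, run count, focus count, focus ms
    + b"\x00" * 44                            # offsets 16..59: unused here
    + struct.pack("<Q", (SAMPLE_UA_TIME - _FILETIME_EPOCH) // timedelta(microseconds=1) * 10)
    + b"\x00" * 4                             # offsets 68..71
)
SAMPLE_MRULISTEX = struct.pack("<IIII", 2, 0, 1, 0xFFFFFFFF)

if __name__ == "__main__":
    print(parse_userassist(SAMPLE_UA_NAME, SAMPLE_UA_DATA))
    print(parse_mrulistex(SAMPLE_MRULISTEX))
```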

Free Digital Forensics Software

  1. Eric Zimmerman Tools

    https://ericzimmerman.github.io/

  2. SANS SIFT

    https://digital-forensics.sans.org/community/downloads

  3. The Sleuth Kit Autopsy

    http://www.sleuthkit.org/autopsy/

  4. Oxygen Forensic Suite - Used for mobile phones

    https://www.oxygen-forensic.com/en/

  5. FTK Imager

    http://accessdata.com/product-download/ftk-imager-version-3.4.3

  6. Volatility - Python framework for analyzing a memory dump.

    https://volatilityfoundation.org/

  7. RedLine by FireEye - used to get disk and memory capture of Windows targets

    https://fireeye.market/apps/211364

  8. Dirbuster - directory enumeration on web servers.

Blue Team/ Defender Essentials

Important Sites to Know

  1. MITRE ATT&CK - Knowledge base of adversary tactics, techniques, and procedures.

    https://attack.mitre.org/

  2. CISA - Cyber Security Advisories

    https://www.cisa.gov/news-events/cybersecurity-advisories

  3. Exploit DB - Current and old exploits

    https://www.exploit-db.com/

  4. NIST 800-53 - Security and Privacy controls for Information Systems and Organizations

    https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final

  5. CVE Details - Database of Vulnerabilities

    https://www.cvedetails.com/

  6. CSA CCM - Cloud Controls Matrix

    https://cloudsecurityalliance.org/research/cloud-controls-matrix

  7. Mobile Security Framework - Upload an APK and scan it to see if it's malicious.

    https://mobsf.live/

  8. Suricata with ELK - Used for scanning network traffic for malicious activity

    https://www.criticaldesign.net/post/how-to-setup-a-suricata-ips-elk-stack