Windows Forensic 101
FORKRIPT TALKS
Badan Siber dan Sandi Negara
22 July 2021, Jakarta, Indonesia
Digit Oktavianto
@digitoktav
https://threathunting.id
22/7/2021 https://blueteam.id/
T1033 : System Owner/User Discovery
• Infosec Consulting Manager at Mitra Integrasi Informatika
• Co-Founder BlueTeam.ID (https://blueteam.id)
• Born to be DFIR Team
• Community Lead @ Cyber Defense Community Indonesia
• Member of Indonesia Honeynet Project
• Opreker and Researcher
• {GCIH | GMON | GCFE | GICSP | CEH | CSA | ECSA | ECIH | CHFI | CTIA | ECSS} Certifications Holder
Agenda
• Windows Forensic Analysis Fundamental
• Forensic Artifacts
• Windows Process Genealogy
• Windows Registry
• Windows Artifacts
Analysis Process in Cyber Investigation
• Understanding OS, Applications, Network
• Evidence Created
• User Generated Activity
• System Activity
• Analytical Thinking
• Problem Solving Skills
• Require Analysis
• Not only doing the data extraction
• 5W, 1H
Windows Forensic Analysis Fundamental
• Proper analysis is not simply about:
  • Finding artifacts, documents, pictures, video, executable files
  • Recovering deleted data
  • Reconstructing email communication
  • Checking the entries in the Event Log
• Analysis requires an understanding of how the evidence can help the forensic investigator answer the question, and of how to correlate the data. For example:
  • Browsing history of the user and the files downloaded, from browser forensics
  • Opening the Download directory
  • Executing the file just downloaded
  • Network communication to an external domain and IP
  This is analysis: correlate the information you get with your hypotheses, and answer the question of what actually happened on that machine.
• Focus on the questions that need to be answered:
  • Building a solid timeline analysis
  • Focus on detailing the facts based on your findings
Windows Forensic Analysis Fundamental
Jakarta, Indonesia
• Memory
• Process
• Network Related Artficats
• etc
Volatile
Artifact
• Windows File System
• Windows Registry Hive
• Windows Event Log
• Prefetch
• Volume Shadow Copy
• etc
Non-Volatile
Artifacts
22/7/2021 https://blueteam.id/
Forensic Artifacts
Windows Process Genealogy (13cubed)
Windows Registry
• “Central Database Repository” of the Windows system
• The database contains most of the settings for the OS, programs, hardware, network and user accounts.
• The content gives you information such as: the profile of each user, the applications installed on the computer, what hardware exists on the system, the programs executed by each user, the browsing activity of users, the last shutdown time of the computer, etc.
Windows Registry
• C:\Windows\System32\config
Windows Registry
• HKCR - Contains information about which program opens a file when it is executed from Windows Explorer.
• HKCU - Contains the profile of the user that is currently logged on.
• HKLM - Contains system-wide hardware settings and configuration information.
• HKU - Contains all user profiles that exist on the system.
  • Also contains information about the type of hardware installed, default settings of software and desktop configurations. This information is used for all users who log on to this computer.
• HKCC - Contains information about the hardware profile used by the computer at start-up.
Windows Registry
https://www.slideshare.net/TahaYILMAZ2/windows-registry-forensics-68473349
Windows Forensic 101
• Windows Artifacts Analysis based on Evidence of:
  • Program Execution
  • Deleted File or File Knowledge
  • Network Activity / Physical Location
  • File / Folder Opening
  • Account Usage
  • External Device / USB Usage
  • Browser Usage
  • File Download
Windows Artifact – Program Execution
(NTUSER.DAT Hive, SYSTEM Hive)
• UserAssist
• Last-VisitedMRU
• RecentApps
• Shimcache
• Background / Desktop Activity Moderator (BAM / DAM)
• Amcache
• Jump Lists
• System Resource Usage Monitor (SRUM)
  • Records 30 to 60 days of historical system performance: applications run, the user account responsible for each, and bytes sent/received per application per hour.
• Prefetch
• Windows 10 Timeline (Win + TAB)
Windows Artifact – Deleted File or File Knowledge
(NTUSER.DAT Hive)
• Search - WordWheelQuery
• Last-VisitedMRU
• Thumbcache
  • Thumbnails of pictures, office documents, and folders exist in a database called the thumbcache. Each user has their own set of databases, one per thumbnail size viewed by the user (small, medium, large, and extra-large).
• Thumbs.db
  • A hidden file in each directory where images exist on the machine, storing smaller thumbnail graphics. thumbs.db catalogs the pictures in a folder and keeps a copy of the thumbnail even if the pictures were deleted.
• Windows Recycle Bin
• IE|Edge file://
Windows Artifact – Network Activity / Physical Location
• Timezone (SYSTEM Hive)
• Cookies (Browser)
• Network History (SOFTWARE Hive)
• WLAN Event Log
  • Microsoft-Windows-WLAN-AutoConfig Operational.evtx
  • 11000 – Wireless network association started
  • 8001 – Successful connection to wireless network
  • 8002 – Failed connection to wireless network
  • 8003 – Disconnect from wireless network
  • 6100 – Network diagnostics (System log)
• Browser Search Terms
• System Resource Usage Monitor (SRUM) (SOFTWARE Hive)
  • Records 30 to 60 days of historical system performance: applications run, the user account responsible for each, and bytes sent/received per application per hour.
Windows Artifact – File / Folder Opening
• Open / Save MRU
• ShellBags
• Last-Visited MRU
• Recent Files
• Shortcut (LNK) Files
• IE|Edge file://
• Jump Lists
• Prefetch
• Office Recent Files
Windows Artifact – Account Usage
• Last Login (SAM Hive)
• Last Password Change (SAM Hive)
• Logon Types
  • Successful logon: Event ID 4624 in the Windows Event Log
  • LogonType values 2 – 13 in the Windows Event Log
• RDP usage
  • Windows Event Log Security.evtx
  • Event ID 4778 – Session Connected/Reconnected
  • Event ID 4779 – Session Disconnected
• Service Events
  • Windows Event Log System.evtx and Security.evtx
  • 7034 – Service crashed unexpectedly
  • 7035 – Service sent a Start/Stop control
  • 7036 – Service started or stopped
  • 7040 – Start type changed (Boot | On Request | Disabled)
  • 7045 – A service was installed on the system (Win2008R2+)
  • 4697 – A service was installed on the system (from Security log)
• Authentication Events
  • Windows Event Log Security.evtx
  • Event ID Codes (NTLM protocol)
    • 4776: Successful/Failed account authentication
  • Event ID Codes (Kerberos protocol)
    • 4768: Ticket Granting Ticket was granted (successful logon)
    • 4769: Service Ticket requested (access to server resource)
    • 4771: Pre-authentication failed (failed logon)
• Success / Fail Logons
  • 4624 – Successful Logon
  • 4625 – Failed Logon
  • 4634 | 4647 – Successful Logoff
  • 4648 – Logon using explicit credentials (Runas)
  • 4672 – Account logon with superuser rights (Administrator)
  • 4720 – An account was created
Windows Artifact – External Device / USB Usage
• Key Identification (SYSTEM Hive)
  • SYSTEM\CurrentControlSet\Enum\USBSTOR
  • SYSTEM\CurrentControlSet\Enum\USB
• First / Last Times Connected
  • C:\Windows\inf\setupapi.dev.log
• User
  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
• PnP (Plug and Play) Events
  • System.evtx Windows Event Log
  • Event ID 20001 – Plug and Play driver install attempted
    • Timestamp, device information, device serial number, status (0 = no errors)
• Volume Serial Number
  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
• Drive Letter and Volume Name
  • Shortcut (LNK) Files
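The first-connected time comes from the driver-install sections of setupapi.dev.log. The parser below is an added example, not from the slides: it walks that log format (the Windows 7+ layout with `>>> [Device Install ...]` / `Section start` / `Section end` / `Exit status` lines is assumed) and reports the earliest install per USB serial. The log text is constructed and the serial is a placeholder.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample in the shape of C:\Windows\inf\setupapi.dev.log (Windows 7+).
# Not a real log: serials and PCI IDs are placeholders.
SAMPLE_SETUPAPI_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0000&PID_0000\PLACEHOLDERSERIAL0001]
>>>  Section start 2021/07/22 09:41:11.900
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2021/07/22 09:41:12.300
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\PLACEHOLDERSERIAL0001&0]
>>>  Section start 2021/07/22 09:41:12.345
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
     dvi: {Build Driver List} 09:41:12.400
<<<  Section end 2021/07/22 09:41:13.010
<<<  [Exit status: SUCCESS]
>>>  [Device Install (DiskInstall) - PCI\VEN_XXXX&DEV_XXXX\3&11583659&0&10]
>>>  Section start 2021/07/20 08:00:00.000
<<<  Section end 2021/07/20 08:00:01.000
<<<  [Exit status: SUCCESS]
"""

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \(([^)]*)\) - (.+)\]$")
START_RE = re.compile(r"^>>>\s+Section start (\S+ \S+)$")
END_RE = re.compile(r"^<<<\s+Section end (\S+ \S+)$")
STATUS_RE = re.compile(r"^<<<\s+\[Exit status: (\w+)\]$")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y/%m/%d %H:%M:%S.%f")


@dataclass
class DeviceInstall:
    device_id: str        # enumerator path, e.g. USBSTOR\Disk&Ven_...\<serial>&0
    install_kind: str     # text inside "Device Install (...)"
    started: datetime
    ended: Optional[datetime] = None
    status: Optional[str] = None

    @property
    def serial(self) -> str:
        # Instance ID is the last path component; USBSTOR appends "&<port>" to the serial.
        return self.device_id.rsplit("\\", 1)[-1].split("&")[0]

    @property
    def is_usb(self) -> bool:
        return self.device_id.upper().startswith(("USB\\", "USBSTOR\\"))


def parse_setupapi_log(text: str) -> list[DeviceInstall]:
    installs: list[DeviceInstall] = []
    pending: Optional[tuple[str, str]] = None  # (kind, device_id) waiting for its Section start
    for line in text.splitlines():
        if (m := HEADER_RE.match(line)):
            pending = (m.group(1), m.group(2))
        elif (m := START_RE.match(line)) and pending:
            installs.append(DeviceInstall(pending[1], pending[0], _ts(m.group(1))))
            pending = None
        elif (m := END_RE.match(line)) and installs:
            installs[-1].ended = _ts(m.group(1))
        elif (m := STATUS_RE.match(line)) and installs:
            installs[-1].status = m.group(1)
    return installs


def first_seen(installs: list[DeviceInstall]) -> dict[str, datetime]:
    """Earliest driver-install section per USB serial. The log records driver installation,
    which normally happens on the device's first connection; re-plugging a known device
    usually adds no new section, so treat this as first-connected evidence only."""
    first: dict[str, datetime] = {}
    for d in installs:
        if d.is_usb and (d.serial not in first or d.started < first[d.serial]):
            first[d.serial] = d.started
    return first


if __name__ == "__main__":
    for serial, when in first_seen(parse_setupapi_log(SAMPLE_SETUPAPI_LOG)).items():
        print(f"{serial}: first driver install {when}")
```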
Windows Artifact – Browser Usage
• History
• Cache
• Cookies
• Session Restore
• Google Analytics Cookies
Windows Artifact – File Downloaded
• Open / Save MRU
• Email Attachments
• Skype History
• Browser Artifacts
• Downloads
  • Firefox and IE have a built-in download manager that keeps a history of every file downloaded by the user. This browser artifact can provide excellent information about what sites a user has been visiting and what kinds of files they have been downloading from them.
  • Firefox (Win7/8/10): %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\downloads.sqlite
  • Internet Explorer (IE8-9): %USERPROFILE%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory
  • Internet Explorer (IE10-11): %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
• ADS Zone.Identifier
  • Starting with XP SP2, when files are downloaded from the “Internet Zone” via a browser to an NTFS volume, an alternate data stream (ADS) is added to the file. The alternate data stream is named “Zone.Identifier”.
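The Zone.Identifier stream is per-file evidence that a download came from the Internet zone. The parser below is an added example, not from the slides: the stream content is constructed, and the ReferrerUrl/HostUrl keys are the ones newer Windows builds and browsers write next to ZoneId.

```python
import os
from typing import Optional

# URL security zones that ZoneId refers to (Internet Explorer zone numbering).
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed sample of a Zone.Identifier stream for an Internet-zone download (not from a
# real system). Older streams carry only ZoneId; ReferrerUrl/HostUrl may be absent.
SAMPLE_STREAM = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                 b"ReferrerUrl=https://downloads.example.invalid/\r\n"
                 b"HostUrl=https://downloads.example.invalid/files/tool.zip\r\n")


def parse_zone_identifier(data: bytes) -> dict:
    """Parse the INI-style text of a Zone.Identifier ADS into zone id, zone name and source URLs."""
    fields: dict[str, str] = {}
    in_zone_transfer = False
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_zone_transfer = line[1:-1] == "ZoneTransfer"
        elif in_zone_transfer and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if "ZoneId" not in fields:
        raise ValueError("no [ZoneTransfer] ZoneId: not a Zone.Identifier stream")
    zone_id = int(fields["ZoneId"])
    return {"zone_id": zone_id, "zone": ZONE_NAMES.get(zone_id, "unknown"),
            "referrer": fields.get("ReferrerUrl"), "host_url": fields.get("HostUrl")}


def read_zone_identifier(path: str) -> Optional[dict]:
    """On Windows/NTFS, read <path>:Zone.Identifier; None if the file carries no such stream."""
    if os.name != "nt":
        return None  # ADS paths are only resolvable by the Windows file API
    try:
        with open(path + ":Zone.Identifier", "rb") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
```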
Critical Windows Log Review for Forensic Investigation
https://medium.com/mii-cybersec/log-analysis-for-digital-forensic-investigation-e4a00f5a5c09
Critical Windows Log Review Quick Summary
• Service Created, New Service Installed, Service Start, Service Stop: usually related to a persistence mechanism
• User Account Added, User Account Modified, Add User to Group: also related to persistence mechanisms used by an attacker
• Clear Event Log: usually related to covering tracks
• Disable Firewall, Stop Security Services (such as AV, HIPS, other endpoint protection): related to attacker activity in preparation for further movement
• Terminal Service Session: related to remote access activity by a user
• USB Log: incident cases such as data theft, fraud, etc. may need this kind of USB log to identify USB storage access on the system
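The quick summary above and the event IDs on the Account Usage slide can be turned into a first-pass triage timeline. The code below is an added example, not from the slides: it tags constructed Security/System event records with the summary's categories using the slides' event IDs plus 1102 (audit log cleared), which the slides mention only as "Clear Event Log". Field names follow a generic EVTX-to-JSON export and are assumptions.

```python
from collections import Counter
from datetime import datetime
from typing import Optional

# Event IDs from the slides, grouped by the investigative question they answer.
# 1102 (Security log cleared) is not on the slides; it is the concrete event behind
# the "Clear Event Log" item of the quick summary.
PERSISTENCE = {7045: "service installed (System log)", 4697: "service installed (Security log)",
               4720: "user account created"}
REMOTE_ACCESS = {4778: "RDP session connected/reconnected", 4779: "RDP session disconnected"}
COVER_TRACKS = {1102: "audit log cleared"}
PRIVILEGE = {4672: "logon with superuser rights", 4648: "logon with explicit credentials (runas)"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive", 12: "CachedRemoteInteractive", 13: "CachedUnlock"}


def classify(ev: dict) -> Optional[tuple[str, str]]:
    """Map one event to (category, description); None for events the review does not need."""
    eid = ev["EventID"]
    for cat, table in (("persistence", PERSISTENCE), ("remote-access", REMOTE_ACCESS),
                       ("covering-tracks", COVER_TRACKS), ("privilege", PRIVILEGE)):
        if eid in table:
            return cat, table[eid]
    if eid == 4624:
        lt = int(ev.get("LogonType", 0))
        name = LOGON_TYPES.get(lt, "unknown")
        # Type 10 (and its cached form 12) is an RDP logon, so it belongs with remote-access evidence
        return ("remote-access" if lt in (10, 12) else "logon"), f"successful logon, type {lt} ({name})"
    if eid == 4625:
        return "logon-failure", "failed logon"
    return None


def build_timeline(events: list[dict]) -> list[dict]:
    """Time-sorted rows for the reviewable events, with who/where pulled from the event data."""
    rows = []
    for ev in events:
        tag = classify(ev)
        if tag is None:
            continue
        rows.append({"time": datetime.fromisoformat(ev["TimeCreated"]), "event_id": ev["EventID"],
                     "category": tag[0], "what": tag[1],
                     "who": ev.get("TargetUserName") or ev.get("SubjectUserName") or "-",
                     "src": ev.get("IpAddress") or ev.get("ClientAddress") or "-",
                     "detail": ev.get("ServiceName") or ""})
    rows.sort(key=lambda r: r["time"])  # stable: equal timestamps keep log order
    return rows


def summarize(timeline: list[dict]) -> dict[str, int]:
    return dict(Counter(r["category"] for r in timeline))


# Constructed records resembling parsed Security.evtx / System.evtx events (not real data;
# user names, service name and address are placeholders).
SAMPLE_EVENTS = [
    {"TimeCreated": "2021-07-22T01:15:02", "EventID": 4624, "TargetUserName": "alice", "LogonType": 2},
    {"TimeCreated": "2021-07-22T02:03:10", "EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.25"},
    {"TimeCreated": "2021-07-22T02:03:12", "EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.25"},
    {"TimeCreated": "2021-07-22T02:03:20", "EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 10, "IpAddress": "10.0.0.25"},
    {"TimeCreated": "2021-07-22T02:03:21", "EventID": 4778, "TargetUserName": "svc_backup", "ClientAddress": "10.0.0.25"},
    {"TimeCreated": "2021-07-22T02:05:40", "EventID": 7045, "ServiceName": "PLACEHOLDER_SVC"},
    {"TimeCreated": "2021-07-22T02:03:21", "EventID": 4672, "SubjectUserName": "svc_backup"},
    {"TimeCreated": "2021-07-22T02:06:05", "EventID": 4720, "TargetUserName": "helpdesk2", "SubjectUserName": "svc_backup"},
    {"TimeCreated": "2021-07-22T02:07:00", "EventID": 7036, "ServiceName": "PLACEHOLDER_SVC"},
    {"TimeCreated": "2021-07-22T02:09:30", "EventID": 1102, "SubjectUserName": "svc_backup"},
    {"TimeCreated": "2021-07-22T02:10:00", "EventID": 4779, "TargetUserName": "svc_backup", "ClientAddress": "10.0.0.25"},
]

if __name__ == "__main__":
    for r in build_timeline(SAMPLE_EVENTS):
        print(f"{r['time']}  {r['event_id']:>5}  {r['category']:<16} {r['who']:<11} {r['src']:<10} {r['what']} {r['detail']}")
    print(summarize(build_timeline(SAMPLE_EVENTS)))
```

Reading the sorted output top to bottom gives the sequence the summary slide describes: failed logons, an RDP logon from the same address, superuser rights, a new service and account (persistence), then the audit log cleared (covering tracks).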
Windows Event Log for Forensic Investigation Reference
• https://www.malwarearchaeology.com/cheat-sheets/
The URL above provides detailed information about the intricacies of logging on the Windows platform and is a very valuable source. The author also includes a mapping between Windows logs and the MITRE ATT&CK framework, which catalogues the TTPs (Tactics, Techniques and Procedures) of threat actors. This makes it easier for investigators to understand the patterns threat actors commonly use, and which log source / log location can serve as a reference when analyzing those TTPs.
• https://www.ultimatewindowssecurity.com/
The website above is one of the author's reference sources for Windows Event IDs. As we all know, there are a lot of Windows Event IDs and event types, so if you have difficulty memorizing them, or forget Event IDs that do not commonly appear in the Windows Event Viewer, you can use that website as a reference. It lets you learn about each Windows Event ID in more detail and also provides a cheat sheet of the Windows Event IDs that often correlate with threat actor activity / security incidents.
• https://www.jpcert.or.jp/english/pub/sr/ir_research.html
The URL above is research from the JPCERT team (Japan Computer Emergency Response Team) on detecting lateral movement by threat actors using event logs. The research published by JPCERT is very interesting, especially its focus on the tools and TTPs used by threat actors when conducting lateral movement.
JPCERT Tools: LogonTracer
• https://github.com/JPCERTCC/LogonTracer
Windows Forensic Tools
• Evidence Acquisition
  • FTK Imager
  • Belkasoft RAM Capturer
  • KAPE
  • Brimorlabs
  • Comae
• Evidence Analysis
  • Arsenal Image Mounter
  • Autopsy / The Sleuth Kit
  • Eric Zimmerman Tools FTW!!! https://ericzimmerman.github.io
  • Sysinternals Tools
  • Plaso (Log2Timeline)
  • OSForensics (Commercial)
  • Volatility
  • Wireshark
  • Event Log Explorer
  • Nirsoft Tools https://www.nirsoft.net/
  • Didier Stevens’ Tools https://blog.didierstevens.com/my-software/
• All useful tools are in the SANS SIFT Workstation VM!
Reference
• 13Cubed Video Series on YouTube (https://www.youtube.com/channel/UCy8ntxFEudOCRZYT1f7ya9Q)
• Professor Ali Hadi https://www.ashemery.com/
• DFIR Diva https://dfirdiva.com/
• https://thisweekin4n6.com
THANK YOU
Q & A
