The Windows Subsystem for Linux (WSL) is a great feature introduced in Windows 10.
It is a compatibility layer for running Linux binary executables natively on Windows 10, and it allows the use of a fairly real Linux installation without a virtual machine.
The Windows registry contains information that is helpful during a forensic analysis.
The Windows registry is an excellent source of evidential data, and knowing what information could possibly exist in the registry, and where it is located, is critical during the forensic analysis process.
This key maintains a list of recently opened or saved files via Windows Explorer-style dialog boxes (Open/Save dialog box).
For instance, files (e.g. .txt, .pdf, .htm, .jpg) that were recently opened or saved from within a web browser are maintained.
Documents that are opened or saved via Microsoft Office programs are not maintained.
Whenever a new entry is added to the OpenSaveMRU key, a registry value is created or updated in
This key correlates to the previous OpenSaveMRU key to provide extra information: each binary registry value under this key contains a recently used program executable filename, and the folder path of a file to which the program has been used to open or save it.
The list of files recently opened directly from Windows Explorer is stored in
This key contains a listing of the 25 most recent URLs (or file paths) typed into the Internet Explorer (IE) or Windows Explorer address bar: the key will only show links that were fully typed, automatically completed while typing, or selected from the list of stored URLs in the IE address bar.
Websites accessed via IE Favorites are not recorded, and if the user clears the URL history using Clear History in the IE Internet Options menu, this key will be completely removed.
This key maintains the configuration of Windows virtual memory: the paging file (usually C:\pagefile.sys) may contain evidential information that could be removed once the suspect computer is shut down.
This key contains a registry value called ClearPagefileAtShutdown which specifies whether Windows should clear the paging file when the computer shuts down (by default, Windows will not clear the paging file).
During a forensic analysis you should check this value before shutting down a suspect computer!
This key contains the recent search terms entered using the default Windows search.
There may be up to four subkeys:
5001: Contains the list of terms used for the Internet Search Assistant
5603: Contains the list of terms used for the Windows files and folders search
5604: Contains the list of terms used in the “word or phrase in a file” search
5647: Contains the list of terms used in the “for computers or people” search
Each program listed in Control Panel > Add/Remove Programs corresponds to one subkey of this key:
which is located under the respective device GUID subkey and in the binary registry value named Data.
This key is a point of interest during a forensic analysis: the key records shares on remote systems such as C$, Temp$, etc.
The existence of ProcDump indicates the dumping of credentials from the lsass.exe address space. Sc.exe indicates the addition of persistence such as Run keys or services. The presence of .rar files may indicate data exfiltration.
The history of recently mapped network drives is stored in
This first key usually contains the paths of programs or components that are automatically run during system startup without requiring user interaction: malware usually leaves traces in this key in order to persist across reboots.
RunOnce and RunOnceEx (only Win98/Me)
These keys identify programs that run only once, at startup, and can be assigned to a specific user account or to the machine:
Modification to this key requires administrative privilege.
This feature could be exploited to launch a completely different program under the cover of the initial program.
This key contains the instructions used to execute any file with the .exe extension:
Normally, this key contains one default value with the data "%1" %*, but if the value's data is changed to something like somefilename.exe "%1" %*, the investigator should suspect that some other hidden program is invoked automatically whenever the actual .exe file is executed.
Malware normally modifies this value to load itself covertly.
This technique applies to other similar keys, including:
A technique used by malware authors to evade defenses and the detection and analysis of malicious process execution.
Process hollowing is a technique used by malware in which a legitimate process is loaded on the system solely to act as a container for hostile code.
How does it work?
At launch, the legitimate process is created in a suspended state and the process’s memory is replaced with the code of a second program so that the second program runs instead of the original program.
The advantage is that this helps the process hide amongst normal processes better: Windows and process monitoring tools believe the original process is running, whereas the actual program running is different.
Detecting hollowed processes with Volatility
One common technique for detecting hollowed processes is by scanning allocated memory for segments that have the RWX protection setting.
If the attacker forgot to fix the memory protection flags with VirtualProtectEx, we can find it easily.
A Volatility plugin called ‘malfind.py’ does this as part of its scanning; however, careful malware authors can easily avoid this by correcting the protection settings after they are done writing to memory.
But, using Volatility without any plugins, we can dump processes to files and compare them with each other or with their original file on the filesystem.
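The two detection ideas above, as an added example that is not Volatility's own code: a malfind-style scan over a constructed VAD table (flagging private RWX regions, and also PE headers in private memory for the case where the protection flags were fixed afterwards), plus a page-by-page comparison of a dumped process image against its on-disk file. The VAD entries and byte strings are constructed sample data, and the dict field names are assumptions of this example.

```python
PAGE = 0x1000  # x86 page size used for the dump comparison

def find_suspicious_regions(vads):
    """Return (start, reason) for regions a malfind-style scan would flag.
    vads: dicts with start, protection, private (True for private VadS
    allocations, False for file-backed image mappings) and head (first bytes).
    """
    hits = []
    for v in vads:
        if not v["private"]:
            continue  # file-backed image mappings are expected to be executable
        rwx = "EXECUTE_READWRITE" in v["protection"]
        has_mz = v["head"][:2] == b"MZ"
        if rwx and has_mz:
            hits.append((v["start"], "PE image in private RWX memory"))
        elif rwx:
            hits.append((v["start"], "private RWX region"))
        elif has_mz and "EXECUTE" in v["protection"]:
            # Protection was corrected after writing (the VirtualProtectEx case
            # in the text): malfind misses it, but a PE header in private,
            # executable memory is still anomalous for a normal process.
            hits.append((v["start"], "PE image in private memory, protection fixed"))
    return hits

def differing_pages(dumped, on_disk, page=PAGE):
    """Compare a dumped process image with its on-disk file page by page and
    return the offsets of pages whose contents differ; a page present in only
    one of the two inputs counts as differing."""
    length = max(len(dumped), len(on_disk))
    return [off for off in range(0, length, page)
            if dumped[off:off + page] != on_disk[off:off + page]]

# Constructed sample VAD table (not taken from a real memory image)
SAMPLE_VADS = [
    {"start": 0x400000, "protection": "PAGE_EXECUTE_WRITECOPY", "private": False, "head": b"MZ\x90\x00"},
    {"start": 0x1E0000, "protection": "PAGE_EXECUTE_READWRITE", "private": True, "head": b"MZ\x90\x00"},
    {"start": 0x2A0000, "protection": "PAGE_EXECUTE_READWRITE", "private": True, "head": b"\x55\x8b\xec"},
    {"start": 0x300000, "protection": "PAGE_READWRITE", "private": True, "head": b"\x00\x00\x00\x00"},
    {"start": 0x3B0000, "protection": "PAGE_EXECUTE_READ", "private": True, "head": b"MZ\x90\x00"},
]

if __name__ == "__main__":
    for start, reason in find_suspicious_regions(SAMPLE_VADS):
        print(f"{start:#010x}: {reason}")
    # constructed dump vs. disk image: the second page was overwritten in memory
    dumped = b"A" * PAGE + b"X" * PAGE + b"B" * PAGE
    on_disk = b"A" * (2 * PAGE) + b"B" * PAGE
    print("differing pages:", [hex(o) for o in differing_pages(dumped, on_disk)])
```

Real dumps differ from the on-disk file in relocated and import-patched pages as well, so the differing offsets are a starting point for manual review rather than a verdict on their own.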
Mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software from operating properly.
So efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.
Get-ForensicVolumeBootRecord — gets the VolumeBootRecord from the first sector of the volume (parses $Boot)
Get-ForensicVolumeInformation — gets the $Volume file’s $VOLUME_INFORMATION attribute
Get-ForensicVolumeName — gets the $Volume file’s $VOLUME_NAME attribute
Get-ForensicFileSlack — gets the specified volume’s slack space
Get-ForensicMftSlack — gets the Master File Table (MFT) slack space for the specified volume
Get-ForensicUnallocatedSpace — gets the unallocated space on the specified partition/volume (parses $Bitmap)
Get-AlternateDataStream — gets the NTFS Alternate Data Streams on the specified volume
Get-ForensicEventLog — gets the events in an event log or in all event logs
Get-ForensicExplorerTypedPath — gets the file paths that have been typed into the Windows Explorer application
Get-ForensicNetworkList — gets a list of networks that the system has previously been connected to
Get-ForensicOfficeFileMru — gets files that have been recently opened in Microsoft Office
Get-ForensicOfficeOutlookCatalog — gets Outlook .pst file paths
Get-ForensicOfficePlaceMru — gets directories that have recently been opened in Microsoft Office
Get-ForensicOfficeTrustRecord — gets files that have been explicitly trusted within Microsoft Office
Get-ForensicPrefetch — gets Windows Prefetch artifacts by parsing the file’s binary structure
Get-ForensicRunKey — gets the persistence mechanism stored in registry run keys
Get-ForensicRunMostRecentlyUsed — gets the commands that were issued by the user to the run dialog
Get-ForensicScheduledJob — gets Scheduled Jobs (at jobs) by parsing the file’s binary structures
Get-ForensicShellLink — gets ShellLink (.lnk) artifacts by parsing the file’s binary structure
Get-ForensicSid — gets the machine Security Identifier from the SAM hive
Get-ForensicTimezone — gets the system’s timezone based on the registry setting
Get-ForensicTypedUrl — gets the Universal Resource Locators (URL) that have been typed into Internet Explorer
Get-ForensicUserAssist — gets the UserAssist entries from the specified volume
Get-ForensicWindowsSearchHistory — gets the terms that have been searched for using the Windows Search feature
Application Compatibility Cache
Get-ForensicAmcache — gets previously run commands from the Amcache.hve registry hive
Get-ForensicRecentFileCache — gets previously run commands from the RecentFileCache.bcf file
Get-ForensicShimcache — gets previously run commands from the AppCompatCache (AppCompatibility on XP) registry key
Get-ForensicRegistryKey — gets the keys of the specified registry hive
Get-ForensicRegistryValue — gets the values of the specified registry key
ConvertTo-ForensicTimeline — converts an object to a ForensicTimeline object
Get-ForensicTimeline — creates a forensic timeline
Copy-ForensicFile — creates a copy of a file from its raw bytes on disk
Get-ForensicChildItem — returns a directory’s contents by parsing the MFT structures
Get-ForensicContent — gets the content of a file from its raw bytes on disk
Invoke-ForensicDD — provides a bit for bit copy of a specified device
Download the correct release from GitHub (PowerForensicsv2 is the PowerShell v2 compliant version of PowerForensics).
Unzip the module into a directory in the PSModulePath (like C:\Program Files\WindowsPowerShell\Modules) and import it with Import-Module PowerForensics. For more information about PSModulePath check out this article.