Practical Windows Forensics

Provided by Blue Cape Security, LLC

<p align="center"> <img src="https://github.com/bluecapesecurity/bluecapesecurity/blob/main/BCS_banner.png" /> </p> <div align="center">

A quick DIY approach for performing a digital forensic analysis on a Windows 10 system

</div>

Links:

Steps TLDR:

Prerequisites:

Investigation Roadmap


Attack Scenario

The attack simulation script in this repo can be used to create a realistic compromise scenario on a Windows system. It leverages selected Atomic Red Team tests that simulate commonly observed techniques in real-world attacks. The script PWF/AtomicRedTeam/ART-attack.ps1 first installs Invoke-AtomicRedTeam and then executes a number of techniques. The techniques executed in this script are highlighted in the MITRE ATT&CK framework below.

Attack Script

Preparation

1 Prepare Target System

1.1) Download, install and configure a free Windows 10 Enterprise Evaluation VM from the Microsoft Evaluation Center

1.2) Execute the attack script on the target system

2 Disk and Memory - Data Acquisition

2.1) Pause (in VirtualBox) or Suspend (in VMWare) the VM and take a snapshot

2.2) Take an image of the VM memory

VMWare memory acquisition

VirtualBox memory acquisition

2.3) Take an image of the VM disk

VMWare disk image acquisition

VirtualBox disk image acquisition

2.4) Validate integrity of memory and disk images by creating SHA1 hashes and saving them in a text file along with the images.

Windows: Open PowerShell and navigate to the folder. Obtain hashes by executing: `Get-FileHash -Algorithm SHA1 <file>`

Mac/Linux: Open a terminal and navigate to the folder. Obtain hashes by executing: `shasum <file>`
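Step 2.4 as a script: the following is an added example, not code from the PWF repository. It computes the SHA1 of every evidence file in a folder, writes the hashes to `hashes.txt` beside the images, and re-verifies that manifest later so an altered or missing image is reported instead of silently analysed. It assumes a POSIX shell with either `sha1sum` (coreutils) or `shasum` (Perl) on the PATH; the file names `memory.raw` and `disk.vmdk` in the demo are constructed stand-ins for the real captures. On Windows the same manifest can be produced with `Get-FileHash -Algorithm SHA1` as shown above.

```shell
#!/bin/sh
# Added example, not code from the PWF repository: hash evidence images into a
# manifest next to them (step 2.4) and verify the manifest again later.
# Assumes sha1sum (coreutils) or shasum (Perl) is on the PATH.

# Print the SHA1 of one file, using whichever tool is available.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# Write hashes.txt inside the evidence folder, one "<sha1>  <filename>" line
# per file (the manifest itself is skipped). Prints the manifest path.
make_manifest() {
    dir="$1"
    manifest="$dir/hashes.txt"
    : > "$manifest"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ "$f" = "$manifest" ] && continue
        printf '%s  %s\n' "$(sha1_of "$f")" "$(basename "$f")" >> "$manifest"
    done
    echo "$manifest"
}

# Re-hash every file named in hashes.txt and compare. Returns 0 only when
# every file still matches; a missing or altered image returns 1.
verify_manifest() {
    dir="$1"
    manifest="$dir/hashes.txt"
    status=0
    while read -r expected name; do
        if [ -f "$dir/$name" ]; then
            actual=$(sha1_of "$dir/$name")
        else
            actual="(missing)"
        fi
        if [ "$actual" = "$expected" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name (expected $expected, got $actual)"
            status=1
        fi
    done < "$manifest"
    return $status
}

# Demo on constructed stand-in files (real images would be the memory and disk
# captures from steps 2.2 and 2.3).
demo_dir=$(mktemp -d)
printf 'constructed stand-in for a memory image\n' > "$demo_dir/memory.raw"
printf 'constructed stand-in for a disk image\n'   > "$demo_dir/disk.vmdk"
make_manifest "$demo_dir"
cat "$demo_dir/hashes.txt"
verify_manifest "$demo_dir"            # both lines report OK
printf 'x' >> "$demo_dir/disk.vmdk"    # simulate an altered image
verify_manifest "$demo_dir" || echo "integrity check failed as expected"
rm -rf "$demo_dir"
```

Keep `hashes.txt` with the images and re-run `verify_manifest` on the forensic workstation after copying the evidence over; a mismatch at that point means the copy, not the analysis, is the problem.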

Forensic Analysis

3 Set up Your Forensic Workstation

3.1) Set up a forensic VM as outlined in the following link: https://bluecapesecurity.com/build-your-forensic-workstation/

4 Forensic memory and disk analysis

With the forensic workstation installed and the evidence acquired, we can now begin with the analysis of the memory and disk images. Some of the forensic artifacts that we want to investigate are:

Happy forensicating!

Copyright © 2022 BlueCapeSecurity Cyber Security Skills Training & Career Coaching

Disclaimer: The material is for educational purposes only! I do not assume and hereby disclaim any liability to any party for any errors, disruptions, damages, or other negative consequences resulting from applying the information that I share.