32 posts in 'SECURITY/Forensic'

  1. [Resource] Linux forensics cheat sheet
  2. [Tool] Automated registry analysis tool
  3. [Resource] Win10 ActivitiesCache.db, AMCACHE
  4. [Resource] Linux ProcDump
  5. [Resource] Windows artifacts
  6. [Resource] Live Response: Collecting Volatile Data
  7. [Resource] Forensic practice images
  8. [Resource] Analysis using sysmon
  9. [Tool] Android Forensic Tools - Andriller
  10. [Tool] Hidviz

[Resource] Linux forensics cheat sheet


[Tool] Automated registry analysis tool


[Resource] Win10 ActivitiesCache.db, AMCACHE



[Resource] Linux ProcDump


[Resource] Windows artifacts


This week I have been working a case where I was required to identify users on a Windows Server 2003 system who had knowledge of, or had run, a particular unauthorised executable. As such, I found myself wracking my brain for all the user attributable artifacts which evidence program execution (on an OS I hadn't analysed for a short while).

Furthermore, David Cowen in his recent Sunday Funday Challenge over at HECFBlog had posed a similar question regarding evidence of execution. With that as my motivation, I set about to document different artifacts which can be used to evidence program execution (both user attributable and otherwise) as available in various different versions of Windows.

I should highlight up front that some really fantastic blog posts from Harlan Carvey, Andrea Fortuna, Corey Harrell and Mary Singh gave me a significant leg up. This isn't my first time reading any of those posts and I'm sure it won't be my last. A myriad of other posts assisted in confirming details of specific artifacts and I have referenced those below. The main focus of this post, and particularly the associated table of artifacts, is to serve as a reference and reminder of what evidence sources may be available on a particular system during analysis.

On to the main event. The table below details some of the artifacts which evidence program execution and whether they are available for different versions of the Windows Operating System.


Cells in Green are where the artifact is available by default. Note that some artifacts may not be available despite a Green cell (e.g. instances where prefetch is disabled due to an SSD).

Cells in Yellow indicate that the artifact is associated with a feature that is disabled by default but that may be enabled by an administrator (e.g. Prefetch on a Windows Server OS) or added through the application of a patch or update (e.g. the introduction of BAM to Windows 10 in 1709+ or the back-porting of Amcache to Windows 7 in the optional update KB2952664+).

Cells in Red indicate that the artifact is not available in that version of the OS.

Cells in Grey (containing "TBC") indicate that I'm not 100% sure at the time of writing whether the artifact is present in a particular OS version, that I have more work to do, and that it would be great if you could let me know if you already know the answer!

It is my hope that this table will be helpful to others. It will be updated and certainly at this stage it may be subject to errors as I am reliant upon research and memory of artifacts without having the opportunity to double check each entry through testing. Feedback, both in the form of suggested additions and any required corrections is very much appreciated and encouraged.

Summary of Artifacts

What follows below is brief details on the availability of these artifacts, some useful resources for additional information and tools for parsing them. It is not my intention to go into detail as to the functioning of the artifacts as this is generally already well covered within the references.


Prefetch has historically been the go-to indication of process execution. If enabled, it can provide a wealth of useful data in an investigation or incident response. However, since Windows 7, systems with an SSD installed as the OS volume have had prefetch disabled by default during installation. With that said, I have seen plenty of systems with SSDs which have still had prefetch enabled (particularly in businesses which push a standard image), so it is always worth checking for. Windows Server installations also have Prefetch disabled by default, but the same applies.

The following registry key can be used to determine if it is enabled:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher
0 = Disabled
1 = Only Application launch prefetching enabled
2 = Only Boot prefetching enabled
3 = Both Application launch and Boot prefetching enabled



It should be noted that the presence of an entry for an executable within the ShimCache doesn't always mean it was executed, as merely navigating to it can cause it to be listed. Additionally, Windows XP ShimCache is limited to 96 entries; all versions since then retain up to 1024 entries.

ShimCache has one further notable drawback. The information is retained in memory and is only written to the registry when the system is shut down. Data can be retrieved from a memory image if one is available.



Programs executed via Explorer result in MUICache entries being created within the NTUSER.DAT of the user responsible.


Amcache / RecentFileCache.bcf

Amcache.hve within Windows 8+ and RecentFileCache.bcf within Windows 7 are two distinct artifacts which are used by the same mechanism in Windows to track application compatibility issues with different executables. As such it can be used to determine when executables were first run.


Microsoft-Windows-TaskScheduler (200/201)

The Microsoft-Windows-TaskScheduler log file (specifically events 200 and 201) can evidence the starting and stopping of an executable which is being run as a scheduled task.


LEGACY_* Registry Keys

Applicable to Windows XP/Server 2003 only, this artifact is located in the System Registry Hive. These keys can evidence the running of executables which are installed as a service.


Microsoft-Windows-Application-Experience Program-Inventory / Telemetry

Both of these system logs are related to the Application Experience and Compatibility features implemented in modern versions of Windows.

At the time of testing I find none of my desktop systems have the Inventory log populated, while the Telemetry log seems to contain useful information. I have however seen various discussion online indicating that the Inventory log is populated in Windows 10. It is likely that my disabling of all tracking and reporting functions on my personal systems and VMs may be the cause... more testing required.


Background Activity Monitor (BAM)

The Background Activity Monitor (BAM) and (DAM) registry keys reside within the SYSTEM registry hive; however, because entries are recorded under the SID of the associated user, the artifact is user attributable. The keys detail the path of executable files that have been executed and the last execution date/time.

It was introduced to Windows 10 in 1709 (Fall Creators update).


System Resource Usage Monitor (SRUM)

Introduced in Windows 8, this Windows feature maintains a record of all sorts of interesting information concerning applications and can be used to determine when applications were running.



In the Windows 10 1803 (April 2018) Update, Microsoft introduced the Timeline feature, and all forensicators did rejoice. This artifact is a goldmine for user activity analysis and the associated data is stored within an ActivitiesCache.db located within each user's profile.


Security Log (592/4688)

Event IDs 592 (Windows XP/2003) and 4688 (everything since) are recorded within the Security log on process creation, but only if Audit Process Creation is enabled.


System Log (7035)

Event ID 7035 within the System event log is recorded by the Service Control Manager when a Service starts or stops. As such it can be an indication of execution if the associated process is registered as a service.



Within each user's NTUSER.DAT the UserAssist key tracks execution of GUI applications.



The RecentApps key is located in the NTUSER.DAT associated with each user and contains a record of their... Recent Applications. The presence of keys associated with a particular executable evidence the fact that this user ran the executable.



Implemented in Windows 7, Jumplists are a mechanism by which Windows records and presents recent documents and applications to users. Located within individual users' profiles, the presence of references to executable(s) within 'Recent\AutomaticDestinations' can be used to evidence the fact that they were run by the user.



The RunMRU is a list of all commands typed into the Run box on the Start menu and is recorded within the NTUSER.DAT associated with each user. Commands referencing executables can be used to determine if, how and when the executable was run and which user account was associated with running it.


AppCompatFlags Registry Keys



Various Anti-Virus, Intrusion Detection and Endpoint Detection and Response (EDR) solutions may provide evidence of program execution. It is recommended to identify and analyse any associated logs and note that some logging may be centralised.

Repeating the appeal earlier in this post, feedback, suggested additions and corrections are very welcome!

[Resource] Live Response: Collecting Volatile Data


[Resource] Forensic practice images


Other posts in the 'SECURITY > Forensic' category

[Resource] Windows artifacts  (0) 2018.10.27
[Resource] Live Response: Collecting Volatile Data  (0) 2018.08.15
[Resource] Forensic practice images  (0) 2018.03.08
[Resource] Analysis using sysmon  (0) 2017.10.11
[Tool] Android Forensic Tools - Andriller  (0) 2017.06.16
[Tool] Hidviz  (0) 2017.05.08

[Resource] Analysis using sysmon


[Tool] Android Forensic Tools - Andriller


Andriller is a software utility with a collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices. It has other features, such as powerful Lockscreen cracking for Pattern, PIN code, or Password; custom decoders for Apps data from Android (and some Apple iOS) databases for decoding communications. Extraction and decoders produce reports in HTML and Excel (.xlsx) formats.

Basic Setup

Andriller is a cross-platform application for Microsoft Windows and Ubuntu Linux. The Windows lightweight setup installer only requires Microsoft Visual C++ 2010 Redistributable Package (x86) installed, USB drivers for your Android device, and a web browser for viewing results. Ubuntu version needs the "android-tools-adb" package installed. Simple.


  • Automated data extraction and decoding
  • Data extraction of non-rooted devices by Android Backup (Android versions 4.x)
  • Data extraction with root permissions: root ADB daemon, CWM recovery mode, or SU binary (Superuser/SuperSU)
  • Data parsing and decoding for Folder structure, Tarball files (from nanddroid backups), and Android Backup ('backup.ab' files)
  • Selection of individual database decoders for Android and Apple
  • Decryption of encrypted WhatsApp archived databases (msgstore.db.crypt to *.crypt12)
  • Lockscreen cracking for Pattern, PIN, Password
  • Unpacking the Android backup files
  • Screen captures of device display

Database Decoders

This feature allows importing individual App database files for automated parsing of the data. There are decoders mainly for Android and some for Apple iOS Apps. Once successfully decoded, reports will be shown in your web browser. Databases can be exported from mainstream forensic tools, such as XRY, UFED Cellebrite, Oxygen Forensic, and imported into Andriller for individual decoding. The output from Andriller offers cleaner output data.

For a full list of supported databases see the bottom of this page, or see the decoders section.

Data Extraction from Androids

Connect an Android device by a USB cable, have USB Debugging enabled; make sure the device drivers are installed.

First, select the [Output] directory where you wish extraction data to be saved to. Second, click [Check] to see if Andriller detected your connected device. You may wish Andriller to open the Report on the extraction's completion, or to ignore root permissions (which would extract by the Android Backup method for Androids 4.x). To begin an extraction, hit the [Go!] button to commence data extraction. Andriller should run, download any data, and decode it all at once.

Note 1: Android version 4.2.2+ requires the PC to be authorised by accepting its RSA fingerprint on the device. Please do so, and tick the box to remember it for the future.

Note 2: Devices with the Superuser or SuperSU App require root access to be authorised from an unlocked screen. Please grant permissions if requested.

Data Parsing

Folder Structure
This will parse folder structures from Android filesystems and will produce Andriller style reports. These could be exports of filesystem from raw image files, or from 'adb pull /data' extractions, or unpacked '.tar' files content.

Tarball Files
This will parse and decode nanddroid backup files such as 'data.tar' (including concatenated files), and will produce Andriller style reports. Nanddroid tarball backups are usually produced by custom recoveries, such as ClockWorkMod and TWRP.

Android Backup Files
This will parse and decode 'backup.ab' files, and will produce Andriller style reports.


After the data extraction finishes, all data is saved in a folder in the directory specified before extraction. The main index file of the extraction is REPORT.html. It will contain the summary of the device examined, and will list any data extracted. From there, you can navigate to other data extracted, like SMS or Contacts. An Excel REPORT.xlsx is also simultaneously produced, which contains all data in one file.

There will also be the following files and folders, which may be of interest:

db/ - folder where downloaded databases are extracted to
__backup__/ - folder where decoded databases are backed up before decoding
db/md5sums.txt - file containing MD5 hashes of the databases after they were downloaded, but before the content was decoded
log-errors.txt - text file containing a log of any downloading or decoding failures or errors
backup.ab - if a backup method was used, the full backup file will also be stored in the directory
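The md5sums.txt in db/ is what lets an examiner prove the downloaded databases were not altered between acquisition and decoding. The following is an added example (not Andriller's own code) that re-hashes each listed file and reports intact, altered, missing and unlisted databases; it assumes md5sum-style lines (`<hex digest>  <filename>`), which is a guess at the file's layout, and builds a constructed sample db/ folder to run against.

```python
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse md5sum-style lines '<32 hex chars>  <filename>' into {filename: digest}.
    Assumption: Andriller's md5sums.txt uses this layout; adjust if it differs."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # md5sum marks binary-mode entries with '*'
        if len(digest) != 32 or not all(c in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"malformed md5sums line: {line!r}")
        expected[name] = digest.lower()
    return expected


def md5_of_file(path, chunk=1 << 16):
    """Stream the file through MD5 so large databases do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_db_folder(db_dir):
    """Recompute the MD5 of every listed database and classify the result.
    Returns {"ok": [...], "mismatch": [...], "missing": [...], "unlisted": [...]}."""
    with open(os.path.join(db_dir, "md5sums.txt"), encoding="utf-8") as f:
        expected = parse_md5sums(f.read())
    result = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, digest in sorted(expected.items()):
        path = os.path.join(db_dir, name)
        if not os.path.isfile(path):
            result["missing"].append(name)
        elif md5_of_file(path) == digest:
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    # Files present in db/ but absent from md5sums.txt cannot be vouched for either
    for name in sorted(os.listdir(db_dir)):
        if name != "md5sums.txt" and name not in expected and os.path.isfile(os.path.join(db_dir, name)):
            result["unlisted"].append(name)
    return result


def build_sample_db_dir():
    """Constructed sample: a db/ folder with one intact, one altered and one missing database."""
    db_dir = tempfile.mkdtemp(prefix="andriller_db_")
    intact = b"SQLite format 3\x00" + b"intact-contacts"
    original = b"SQLite format 3\x00" + b"original-sms"
    with open(os.path.join(db_dir, "contacts2.db"), "wb") as f:
        f.write(intact)
    with open(os.path.join(db_dir, "mmssms.db"), "wb") as f:
        f.write(original + b"-modified")  # altered after the hash list was written
    lines = [
        f"{hashlib.md5(intact).hexdigest()}  contacts2.db",
        f"{hashlib.md5(original).hexdigest()}  mmssms.db",
        f"{hashlib.md5(b'never-downloaded').hexdigest()}  calllog.db",  # listed but absent
    ]
    with open(os.path.join(db_dir, "md5sums.txt"), "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    return db_dir


if __name__ == "__main__":
    print(verify_db_folder(build_sample_db_dir()))
```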

Lockscreens Bypass

Andriller has the means of decoding pattern locks, and cracking PIN codes and Passwords.

Pattern, PIN and Password Cracking
These features require a little more processing power, so they are best performed locally on your own machine. The methods are explained below.

Get Salt from...
Salt is an integer value which is required for cracking the passwords. Salt can be a positive as well as a negative integer. The salt value can be obtained by parsing the settings.db or locksettings.db files; when successfully fetched, the Salt value will be printed into the main terminal window.

Gesture Pattern Decoding

To decode a Pattern lock, click [Browse] and select the gesture.key file located at /data/system/gesture.key on your Android device.

Else, just submit the gesture pattern hash (hexadecimal string of the gesture.key file), and click [Decode].

When decoded, the pattern will be shown as a sequence list. When the Pattern field is filled, click [Draw] and the pattern is displayed in a visualised form.

Right-click on the drawn pattern to save it as a PostScript file.

Tip: if you wish to draw a pattern but don't have a gesture hash key or value, you can double-click on the disabled Pattern field, this will re-enable the field for editing. Enter the pattern in a form of a list, and click [Draw]. The pattern will be drawn, which can be saved as a file.

Lockscreen PIN code cracking

  1. Select start and max value of the PIN code. By default, the max value is set to 9999, increase if required.
  2. Enter the value of password.key file
  3. Enter the salt value as an integer.
  4. Press Start for cracking to begin

Once Start is clicked, a percentage progress will be displayed.

You can pause and resume cracking at any time. Last tried PIN will be shown just to let you know how far you've gone.

Also includes Samsung cracking, which uses a different type of password hashing than other Android vendors.

Lockscreen Password cracking

  1. Click Browse and select a word list file (recommended word list files to download from here)
  2. Enter the value of password.key file
  3. Enter the salt value as an integer.
  4. Press Start for cracking to begin

Once Start is clicked, tried password will be displayed while cracking.

You can pause and resume cracking at any time, just like with PIN cracking.

Also includes Samsung cracking, which uses a different type of password hashing than other Android vendors.

Lockscreen Password brute force

  1. Select the maximum length of a password
  2. Select characters believed to have been used in the password. Select combinations of lower/upper case characters, digits, or custom characters.
  3. Enter the value of password.key file
  4. Enter the salt value as an integer.
  5. Press Start for cracking to begin

This cracking method cannot be paused/resumed like with other methods.

Decrypt Encrypted Databases

Andriller supports decryption of encrypted WhatsApp databases:


Plain Crypt (msgstore.db.crypt)

The encrypted database is automatically decrypted into an SQLite3 database. Browse and select the encrypted file, Andriller will decode to a new file in the same directory.

msgstore.db.crypt ==> msgstore.db

Crypt5 (msgstore.db.crypt5)

To successfully decrypt this type of database, an email address is required, which is synchronised with the Android device. Browse and select the encrypted file, you will be prompted to enter the email address. Once successful, it will decode to a new file in the same directory.

msgstore.db.crypt5 ==> msgstore.db

Crypt7,Crypt8 (msgstore.db.crypt7/msgstore.db.crypt8)

To successfully decrypt this type of database, an encryption key file is required from one of the following locations:
'/data/data/com.whatsapp/files/key'  <-- absolute path
'apps/com.whatsapp/f/key'  <-- from Android backup
This file should be automatically extracted during a normal Andriller extraction (root and AB), and saved in the 'db' folder of the extraction.

Browse and select the encrypted file, you will be prompted to browse and select the key file next. Once successful, it will decode to a new file in the same directory.

msgstore.db.crypt7 ==> msgstore.db


Decode & Merge Multiple Databases


This utility will decode multiple Facebook databases and produce combined messages on one report (without duplicates). This is useful if attempting to combine "threads_db2" databases from com.facebook.katana and com.facebook.orca applications directories.


This utility will decode multiple WhatsApp databases and produce combined messages on one report (without duplicates). Use recovered (from /data/data/com.whatsapp) and decrypted backup databases (such as decrypted msgstore.db.crypt8 from /sdcard/WhatsApp/Databases).



Andriller has a feature to unpack Android backup files from Android versions 4.x and above. 


Converts backup.ab file to Tarball.

backup.ab ==> backup.ab.tar

AB to folder

Converts and extracts backup.ab to a folder.

backup.ab ==> backup.ab_extracted/
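The 'AB to Tarball' step above relies on the Android backup container being a short text header (magic line, format version, compression flag, encryption algorithm) followed by a zlib-compressed tar. As an added example, not Andriller's own code, the converter below strips that header, inflates the payload and lists the tar members; it handles only unencrypted backups (encryption field "none") and constructs its own sample .ab inline, so the package name and files inside it are made up.

```python
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP"


def ab_to_tar(ab_bytes):
    """Return (format_version, raw_tar_bytes) for an unencrypted .ab file.
    Header lines: magic, version, compression flag (0/1), encryption ('none' or 'AES-256').
    Encrypted backups need the user's backup password, so they are rejected here."""
    lines = ab_bytes.split(b"\n", 4)  # at most 4 splits: header fields + binary payload
    if len(lines) < 5 or lines[0] != AB_MAGIC:
        raise ValueError("not an Android backup file")
    version = int(lines[1])
    compressed = lines[2] == b"1"
    encryption = lines[3].decode("ascii")
    payload = lines[4]
    if encryption != "none":
        raise ValueError(f"encrypted backup ({encryption}); password-based decryption not handled")
    if compressed:
        payload = zlib.decompress(payload)
    return version, payload


def convert_ab_file(path):
    """Mirror of 'backup.ab ==> backup.ab.tar': write the tar next to the source file."""
    with open(path, "rb") as f:
        _, tar_bytes = ab_to_tar(f.read())
    out = path + ".tar"
    with open(out, "wb") as f:
        f.write(tar_bytes)
    return out


def list_backup_contents(ab_bytes):
    """Return the file names inside the backup's tar, in archive order."""
    _, tar_bytes = ab_to_tar(ab_bytes)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return [m.name for m in tar.getmembers()]


def build_sample_ab(compressed=True):
    """Constructed sample .ab: a tiny tar laid out like an app backup (apps/<pkg>/...)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [
            ("apps/com.example.notes/_manifest", b"com.example.notes\n1\n"),
            ("apps/com.example.notes/db/notes.db", b"SQLite format 3\x00" + b"\x00" * 32),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    tar_bytes = buf.getvalue()
    body = zlib.compress(tar_bytes) if compressed else tar_bytes
    header = b"\n".join([AB_MAGIC, b"1", b"1" if compressed else b"0", b"none"]) + b"\n"
    return header + body


if __name__ == "__main__":
    print(list_backup_contents(build_sample_ab()))
```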

Screen Capture

New Feature for Andriller - take screen captures.

  • Supports Android devices version 4.x and above.
  • Screen captures are saved at same resolution that the device display supports.
  • Generate a report from taken screen captures.
  • Add notes to taken captures.

Configurations (Preferences)

Configuration preferences are located at File > Configurations

  • Default Output path - this is the location where Andriller defaults its OUTPUT location for extractions and database decoding.
  • Cracking update rate - for Lockscreen cracking, the Andriller window will update the progress after every this many passwords tried. The lower the number, the slower cracking performance will be. For Samsung-type cracking the rate will be lower by a factor of 1000 due to the more complex password encoding used.
  • Offline mode - for every time Andriller starts it checks for the latest version. This step can be skipped by setting Andriller offline. This may speed up application's startup.
  • Window size - this sets the Andriller log window to "Small" (12 lines) or "Regular" (20 lines). Smaller window sizes are a better fit on Netbooks and lower-resolution monitors.
  • Auto save log - when an extraction is complete, the items in the log will be automatically saved in the output folder under name "andriller.log".

[Tool] Hidviz


Hidviz is a GUI application for in-depth analysis of USB HID class devices. The two main use cases of this application are reverse-engineering existing devices and developing new USB HID devices.

USB HID class consists of many possible devices, e.g. mice, keyboards, joysticks and gamepads. But that's not all! There are more exotic HID devices, e.g. weather stations, medical equipment (thermometers, blood pressure monitors) or even simulation devices (think of flight sticks!).

Other posts in the 'SECURITY > Forensic' category

[Resource] Analysis using sysmon  (0) 2017.10.11
[Tool] Android Forensic Tools - Andriller  (0) 2017.06.16
[Tool] Hidviz  (0) 2017.05.08
[Resource] sysmon windows event collection  (0) 2017.03.16
[Tool] Acquiring sensitive Chrome data using PowerShell  (0) 2017.03.15
[Tool] Time decoder  (0) 2016.03.21