- Easy way to prove that a file was downloaded by a web browser, having only $UsnJrnl logs. By Krzysztof Gajewski. In this article, I show how you can determine whether a file was downloaded by a web browser (Chrome, Opera, Firefox, etc.) without browser history or any other browser or network logs. It may be especially handy when you are investigating a case in which your suspect was using the …
- Stripped off ADS (Zone.Identifier) for files downloaded in incognito/private mode. By Krzysztof Gajewski. Recently, people in our industry (DFIR) got excited because web browsers started recording the URLs used to download files in the Zone.Identifier ADS, along with ZoneId=3 (MOTW). The Zone.Identifier feature was first introduced in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 (source: https://www.digital-detective.net/forensic-analysis-of-zone-identifier-stream/). And indeed, it’s a very nice new (actually it …
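As an added example (not code from the post above), the following PowerShell snippet reads the Zone.Identifier stream of every file under a folder and reports the ZoneId and the download URLs a browser stored there; files that have no stream at all are listed too, since that is exactly what you would expect for downloads made in private/incognito mode. The folder path and the property names (ZoneId, ReferrerUrl, HostUrl) are assumptions based on the standard [ZoneTransfer] layout of the stream.

```powershell
# Added example: inventory Zone.Identifier (MOTW) streams for files under a folder.
# Assumes the standard [ZoneTransfer] INI layout with ZoneId / ReferrerUrl / HostUrl keys.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumption: folder to examine
)

function Get-ZoneIdentifier {
    param([Parameter(Mandatory)][string]$File)

    $result = [ordered]@{
        File        = $File
        HasAds      = $false
        ZoneId      = $null
        ReferrerUrl = $null
        HostUrl     = $null
    }

    # Get-Item -Stream fails with ItemNotFound when the stream is absent,
    # which is the interesting case for private-mode downloads.
    $stream = Get-Item -LiteralPath $File -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($stream) {
        $result.HasAds = $true
        Get-Content -LiteralPath $File -Stream Zone.Identifier | ForEach-Object {
            # Each line is Key=Value; keep only the keys we care about.
            if ($_ -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') {
                $result[$Matches[1]] = $Matches[2].Trim()
            }
        }
    }
    [pscustomobject]$result
}

Get-ChildItem -LiteralPath $Path -File -Recurse |
    ForEach-Object { Get-ZoneIdentifier -File $_.FullName } |
    Sort-Object HasAds, File |
    Format-Table -AutoSize
```

Run it from an elevated or normal PowerShell session on the live system or on a mounted image; a ZoneId of 3 marks the Internet zone, and a populated HostUrl is the browser-supplied download URL. Entries with HasAds = False are candidates for private-mode downloads, copies from removable media, or files whose stream was deliberately removed.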
- How long was the malicious PowerShell script active on the compromised machine? By Krzysztof Gajewski. After a long break, I am here again, and this time I will show you very handy PowerShell logs that will help you understand how long a malicious PowerShell script was active on the infected device. The logs I am talking about can be found in the log file named Windows PowerShell.evtx. Probably you have seen …
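As an added example (my own code, not the method the post goes on to describe), the snippet below pairs PowerShell engine lifecycle events from the Windows PowerShell log to estimate how long each PowerShell host ran. It assumes the standard engine events, ID 400 (engine state changed to Available) and ID 403 (engine state changed to Stopped), whose message text carries a HostId and HostApplication field; the optional exported .evtx path is an assumption for offline analysis.

```powershell
# Added example: estimate PowerShell host lifetimes from the "Windows PowerShell" log.
# Assumes engine events 400 (Available) and 403 (Stopped) with HostId= / HostApplication=
# lines in the message body. Pass -LogPath to read an exported .evtx instead of the live log.
param([string]$LogPath)

$filter = @{ Id = 400, 403 }
if ($LogPath) { $filter.Path = $LogPath } else { $filter.LogName = 'Windows PowerShell' }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
    $hostId  = if ($_.Message -match 'HostId=([0-9a-fA-F-]+)')  { $Matches[1] } else { $null }
    $hostApp = if ($_.Message -match 'HostApplication=(.+)')     { $Matches[1].Trim() } else { $null }
    [pscustomobject]@{
        Time            = $_.TimeCreated
        Id              = $_.Id
        HostId          = $hostId
        HostApplication = $hostApp
    }
}

# One HostId corresponds to one host process (console, ISE, a script run via powershell.exe ...).
$events | Where-Object HostId | Group-Object HostId | ForEach-Object {
    $start = ($_.Group | Where-Object Id -eq 400 | Sort-Object Time | Select-Object -First 1).Time
    $stop  = ($_.Group | Where-Object Id -eq 403 | Sort-Object Time | Select-Object -Last  1).Time
    [pscustomobject]@{
        HostId          = $_.Name
        HostApplication = ($_.Group | Where-Object HostApplication | Select-Object -First 1).HostApplication
        Started         = $start
        Stopped         = $stop
        # Null duration means no matching stop event: the host was still running when
        # the log was collected, the process was killed, or the log has been truncated.
        Duration        = if ($start -and $stop) { $stop - $start } else { $null }
    }
} | Sort-Object Started | Format-Table -AutoSize
```

The HostApplication column shows the full command line that started the engine, which is where an encoded or downloaded script usually reveals itself; a missing 403 for a suspicious HostId is itself a finding, not an error.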
- Artifacts that you have never analyzed before… namely ETL files. By Krzysztof Gajewski. This article is, for me, like the cherry on top. I spent a lot of time checking how power history and power supply details can be used by a DFIR analyst, and finally I found another source of useful information. Multiple times (during investigations that I was conducting), I encountered (either in $MFT or in $UsnJrnl) …
- Let me show you how to bite AutoIt scripts! By Krzysztof Gajewski. At the beginning of this week, someone reached out to me asking if I could help him analyze a sample. I found out that the sample he asked me to review was created using AutoIt, so I thought this was a great moment to write an article explaining what AutoIt is and how you …
- The way to run the RunOnce key without any logons/reboots. By Krzysztof Gajewski. Today I will share something that I discovered some time ago. It is not something that will revolutionize your investigations, but it can sometimes help you understand what happened on the system you are investigating. What is more, it may be treated as a curiosity (personally, I really like such things). So what am …
- Why do the battery use and the battery level matter during the investigation? By Krzysztof Gajewski. My post today is a continuation of my recent article, which you can find here. In the previous article, I shared a .NET tool that parses a SRUM database and extracts the battery information (battery level and timestamps). The output is saved to a CSV file, a timeline in TLN format. …
- Quick analysis of the Internet Download Manager history using RegRipper plugins. By Krzysztof Gajewski. During my recent tests, I had an occasion to play with the IDM tool (Internet Download Manager), which can be downloaded from this website. As part of my tests, I reviewed the registry keys and values created by this tool and found out that it keeps a history of downloaded files. Simply put, in NTUSER.DAT …
- Battery charge level and its importance in forensic investigations. By Krzysztof Gajewski. A few days ago, my brother Krystian Gajewski called me saying that his laptop’s battery seemed to be broken and did not charge anymore. He also told me that he had used a Windows utility called powercfg.exe to get a report for the battery, and based on that information he figured out when the battery stopped working (that …
- Can Windows Update fool you during the investigation? By Krzysztof Gajewski. Yes… it can. Recently, I observed that major Windows updates modify or simply delete some forensic artifacts that DFIR analysts use on a regular basis. Based on my tests, Windows Update can:
  - delete Windows Event Logs
  - delete Prefetch files
  - modify the LastWrite time of NTUSER.DAT hives
  - clear information from setupapi.dev.log
  - and maybe even more …