In this chapter, the following recipes will be covered:
- Parsing prefetch files
- A series of fortunate events
- Indexing internet history
- Shadow of a former self
- Dissecting the SRUM database
Microsoft Windows is one of the most common operating systems found on machines during forensic analysis. This has led to a large effort in the community over the past two decades to develop, share, and document artifacts deposited by this operating system for use in forensic casework.
In this chapter, we continue to look at various Windows artifacts and how to process them using Python. We will leverage the framework we developed in Chapter 8, Working with Forensic Evidence Container Recipes to process these artifacts directly from forensic acquisitions. We'll use various libyal libraries to handle the underlying processing of various files, including pyevt, pyevtx, pymsiecf, pyvshadow, and pyesedb. We'll also explore how to process prefetch files using struct and a file format table of offsets and data types of interest. Here's what we'll learn...
Recipe Difficulty: Medium
Python Version: 2.7
Operating System: Linux
Prefetch files are a common artifact to rely on for information about application execution. While they may not always be present, they are undoubtedly worth reviewing in scenarios where they exist. Recall that prefetching can be enabled to various degrees or disabled based upon the value of the PrefetchParameters subkey in the SYSTEM hive. This recipe searches for files with the prefetch extension (.pf) and processes them for valuable application information. We will only demonstrate this process for Windows XP prefetch files; however, be aware that the underlying process we use is similar to other iterations of Windows.
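The struct-plus-offset-table approach described above, as an added example that is not the book's recipe code: a small table of Windows XP (format version 17) prefetch header fields drives `struct.unpack_from`, and a constructed header (not a real .pf file) exercises the parser, including the signature and version check that rejects files from other Windows versions.

```python
import struct
from datetime import datetime, timedelta

# Offsets and struct formats for the Windows XP (version 17) prefetch header.
# Table assumed from the publicly documented SCCA format; the "unknown"
# regions between these fields are skipped.
XP_HEADER_FIELDS = {
    "version":       (0x00, "<I"),
    "signature":     (0x04, "4s"),
    "file_size":     (0x0C, "<I"),
    "exe_name":      (0x10, "60s"),   # UTF-16LE, NUL terminated
    "prefetch_hash": (0x4C, "<I"),
    "last_run":      (0x78, "<Q"),    # FILETIME (100 ns ticks since 1601)
    "run_count":     (0x90, "<I"),
}
XP_HEADER_SIZE = 0x9C

def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME to a naive UTC datetime."""
    return datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)

def parse_xp_prefetch(data):
    """Return a dict of header fields from a version 17 prefetch buffer."""
    if len(data) < XP_HEADER_SIZE:
        raise ValueError("buffer too short for a version 17 prefetch header")
    fields = {}
    for name, (offset, fmt) in XP_HEADER_FIELDS.items():
        fields[name] = struct.unpack_from(fmt, data, offset)[0]
    # Reject anything that is not an XP-format prefetch file.
    if fields["signature"] != b"SCCA" or fields["version"] != 17:
        raise ValueError("not a Windows XP (version 17) prefetch file")
    exe = fields["exe_name"].decode("utf-16-le")
    fields["exe_name"] = exe.split("\x00", 1)[0]
    fields["prefetch_hash"] = "%08X" % fields["prefetch_hash"]
    fields["last_run"] = filetime_to_datetime(fields["last_run"])
    return fields

def build_sample_header():
    """Constructed sample header (not a real prefetch file) for testing."""
    buf = bytearray(XP_HEADER_SIZE)
    struct.pack_into("<I", buf, 0x00, 17)
    struct.pack_into("4s", buf, 0x04, b"SCCA")
    struct.pack_into("<I", buf, 0x0C, XP_HEADER_SIZE)
    struct.pack_into("60s", buf, 0x10, "CMD.EXE".encode("utf-16-le"))
    struct.pack_into("<I", buf, 0x4C, 0x087A0A4B)
    delta = datetime(2010, 5, 4, 12, 0, 0) - datetime(1601, 1, 1)
    struct.pack_into("<Q", buf, 0x78, (delta.days * 86400 + delta.seconds) * 10000000)
    struct.pack_into("<I", buf, 0x90, 42)
    return bytes(buf)
```

On a real image, `data` would be the first 0x9C bytes read from each `.pf` file found via the pytsk3 file-system walk from Chapter 8.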
Recipe Difficulty: Hard
Python Version: 2.7
Operating System: Linux
Event logs, if configured appropriately, contain a wealth of information useful in any cyber investigation. These logs retain historical user activity information, such as logons, RDP access, Microsoft Office file access, system changes, and application-specific events. In this recipe, we use the pyevt and pyevtx libraries to process both legacy and current Windows event log formats.
This recipe requires the installation of five third-party modules to function: pytsk3, pyewf, pyevt, pyevtx, and unicodecsv. Refer to Chapter 8, Working with Forensic Evidence Container Recipes for a detailed explanation of installing...
Recipe Difficulty: Medium
Python Version: 2.7
Operating System: Linux
Internet history can be invaluable during an investigation. These records can give insight into a user's thought process and provide context around other user activity occurring on the system. Microsoft has been persistent in getting users to use Internet Explorer as their browser of choice. As a result, it is not uncommon to see internet history information present in index.dat files used by Internet Explorer. In this recipe, we scour the evidence file for these index.dat files and attempt to process them using pymsiecf.
This recipe requires the installation of four third-party modules to function: pytsk3,...
Recipe Difficulty: Hard
Python Version: 2.7
Operating System: Linux
Volume shadow copies can contain data from files that are no longer present on the active system. This can give an examiner some historical information about how the system changed over time and what files used to exist on the computer. In this recipe, we will use the pyvshadow library to enumerate and access any volume shadow copies present in the forensic image.
This recipe requires the installation of five third-party modules to function: pytsk3, pyewf, pyvshadow, unicodecsv, and vss. Refer to Chapter 8, Working with Forensic Evidence Container Recipes for a detailed explanation on installing the pytsk3 and pyewf...
Recipe Difficulty: Hard
Python Version: 2.7
Operating System: Linux
With each major release of a popular operating system, everyone in the cyber community gets excited (or worried) about the potential new artifacts and changes to existing artifacts. With the advent of Windows 10, we saw a few changes (such as the MAM compression of prefetch files) and new artifacts as well. One of these artifacts is the System Resource Usage Monitor (SRUM), which can retain execution and network activity for applications. This includes information such as when a connection was established by a given application and how many bytes were sent and received by this application. Obviously, this can be very useful in a number of different scenarios. Imagine having this information on hand with a disgruntled employee who uploads many gigabytes of data on their last day using...