
Windows System Forensics

Module 1: Windows Forensics Foundations

• Learning Objectives
– Learning to pay attention to detail
– Understanding the adversary
– Understanding the Cyber Kill Chain
Attention to Detail

• Digital forensics requires attention to detail first and foremost. All other skills depend on this:
– You can’t recognize the difference between normal and not normal if you are not sufficiently attentive.
– Your adversary is counting on you overlooking the details of their activities.
– Your adversary is expecting you to look past them at least once.
– And that is usually enough for you to ignore them, or lose sight of them.
Three Key Attentive Skills

• The three key areas of this skill for a forensic analyst are:
– Observational skills
o Situational awareness
– Active listening skills
o Paying attention to others
– Analytical skills
o Applying good reasoning and judgement
Observational Skills

• You need to be mindful of your surroundings at all times.
– What are you seeing?
– Why are you seeing what you are seeing?
• Mindfulness is critical to observation.
– Are you looking at the right thing?
– Or is there something adjacent that is more important?
• Key areas for practice:
– Look for details around you. Try it now! What can you notice that you hadn’t thought to observe?
– When working through a problem take notes! Write things down so you don’t forget them.
– Be in the moment, here and now.
Active Listening Skills

• Forensic science isn’t purely technical. Layers 8 & 9 drive it all.
• Before you engage in the bits and bytes there will be initial discussions with people who know more about the situation than you do.
– You need to not only hear what they are saying, but try to understand the concerns they don’t have words for.
– Chances are they are very stressed out by something they don’t understand.
• You need to try to understand what they don’t.
– Active listening builds on observation.
– Non-verbal cues are important too.
Analytical Skills

• Analytical thinking builds on observation and listening.
• It requires that you:
– Identify what’s most likely to be most important.
– Gather further information about the thing you’ve identified.
o Correlate events if possible
o Investigate if causality can be determined
– Be willing to abandon any hypotheses that don’t work out.
Understanding the Adversary: The Cyber Kill Chain and TTPs
Understanding the Adversary

• Your adversary is not malware.
• Your adversary is a human.
• Humans work from personal motivation.
• To understand your adversary you need to figure out:
– What they want
– How they plan to get it
– What they’re doing towards their ends
• You also have to keep in mind that humans make mistakes!
– You already know one mistake they’ve made…
The Cyber Kill Chain
Reconnaissance

• Largely based on open-source intelligence (OSINT).
• If done well, it doesn’t involve meaningful interaction with the actual target.
– Light web browsing for obvious leads
– Heavy interrogation elsewhere
– Email harvesting
– Social media interrogation
• Can’t usually be detected initially
• Can potentially be inferred later in the campaign
Weaponization

• May require some interaction with the target
– Active rather than passive reconnaissance
– Port probing for target verification
• Could involve novel exploit development
• Coupling exploit with payload
• Also not a detectable phase, though inferences might be made later.
Delivery

• First detectable phase, though almost always missed initially
• Typically chosen to be as covert as possible
– Spear phishing
– Bulk phishing too
– Watering hole
– USBs still
– Frontal assault
Exploitation

• Earliest likely detectable phase
• Commonly a 2nd stage execution
– Particularly if the delivery is via a buffer overflow
• Contains the functionality to continue the campaign
• Escalation is the goal
Installation

• Escalation to gain privilege
• Should be noisy enough to be noticed
– Requires both system and network instrumentation
– Requires active monitoring
• Achieving the necessary persistence
– Surviving the reboot at a minimum
– Requires active system modification
• Always results in behavioral change
Command & Control (C2)

• Necessary to maintain ownership of new asset
• Two main forms:
– Outbound persistent connections
– Outbound beaconing
• Both are entirely detectable
• Must be “north/south” (crossing a perimeter)
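Beaconing is detectable because the implant keeps a clock and a person browsing does not. The following is an added example, not part of the original slides: it reads a constructed log of outbound connections (timestamp, host, destination; the format, the sample values and the thresholds are assumptions) and flags flows whose inter-arrival times are nearly constant.

```python
"""Beaconing detector over constructed outbound-connection records.

Added example; not from the original course material. Input is assumed to be
one "timestamp host destination" record per line, as a firewall or proxy
export might provide. Regular intervals to one destination suggest C2 beaconing.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: HOST-A beacons to 203.0.113.10 roughly every 60 s,
# HOST-B makes irregular, human-looking connections to 198.51.100.7.
SAMPLE_LOG = """\
2024-03-01T10:00:00 HOST-A 203.0.113.10
2024-03-01T10:01:01 HOST-A 203.0.113.10
2024-03-01T10:02:00 HOST-A 203.0.113.10
2024-03-01T10:02:59 HOST-A 203.0.113.10
2024-03-01T10:04:00 HOST-A 203.0.113.10
2024-03-01T10:05:01 HOST-A 203.0.113.10
2024-03-01T10:00:05 HOST-B 198.51.100.7
2024-03-01T10:00:09 HOST-B 198.51.100.7
2024-03-01T10:03:40 HOST-B 198.51.100.7
2024-03-01T10:11:02 HOST-B 198.51.100.7
2024-03-01T10:11:03 HOST-B 198.51.100.7
2024-03-01T10:25:30 HOST-B 198.51.100.7
"""

def parse_log(text):
    """Group connection timestamps by (host, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst = line.split()
        flows[(host, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(flows, min_events=5, max_jitter=0.2):
    """Return (host, dst, mean_interval_s) for flows whose inter-arrival
    times are regular: coefficient of variation below max_jitter."""
    hits = []
    for (host, dst), times in flows.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits.append((host, dst, round(avg, 1)))
    return hits
```

Real implants add jitter to defeat exactly this check, so the threshold is a tuning knob, not a constant; pair the interval test with destination reputation and per-host baselines.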
Actions on Objectives

• Very likely “east/west” (lateral movement)
• Much less likely to traverse instrumentation in most organizations
• Still very detectable based on behavioral changes
• Adversary likely has “hands on keyboard” access at this point
Tactics, Techniques, and Procedures

• Note that neither “T” is for “tools”.
– “Script kiddies” (s’kidiots) may be bound by particular tools or exploits.
– More dangerous adversaries are tool agnostic.
– Consequently tool-based detection tends to fail most often.
• Behavior-based detection can be a huge win.
– We will revisit network-based behavioral detection
– We will focus on log analysis (EVTX)
Module Quiz
