Channel: Hacking Exposed Computer Forensics Blog

Daily Blog #581: Forensic Lunch Test Kitchen 12/28/18 Syscache Applocker and Server 2012

Hello Reader,
         Tonight we booted up a Server 2012 VM, which is in line with Windows 8.1, looking to see if we could find a Syscache hive with and without AppLocker configured. So far no such luck, but we will keep trying.

If you want to watch the video you can do so here:


Daily Blog #582: Solution Saturday 12/29/18

Hello Reader,
         Well, no winner this week; I may have pushed a bit far in a holiday week. Tomorrow is the first contest of the new year and we will all have a fresh start.

The Challenge:
On Server 2008 R2, how would the following be seen in the Syscache and what was logged:
1. PowerShell Empire agent
2. Meterpreter
3. Mimikatz

The winning answer:
None! I'll make sure to cover this in the test kitchen.

Daily Blog #583: Sunday Funday 12/30/18

Hello Reader,
      This will be the first Sunday Funday for 2019, since by the time the submissions are received and judged the winner will be announced in 2019. Let's see what your system monitoring/debugging skills are like.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 1/4/19 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
What processes update the Syscache.hve file on Windows Server 2008 R2?

Daily Blog #584: New Years Eve 2018

Hello Reader,
      I'm writing this in 2019 as we had way too much fun on New Year's Eve. I haven't gotten to bed yet, so I think this still counts as a daily blog. Tomorrow I'll post my hopes for the new year of DFIR work, but in this post I just want to say thank you.

Thank you to all of you who read this.
Thank you to all of you who watch the forensic lunch.
Thank you to all of you who watch the test kitchen.
Thank you to all of you who stop by and just say hi.

Without you I would just be talking to myself and likely nowhere near as productive in my research as I have been in 2018. So I'm looking forward to next year and, with your help, making 2019 an even better year.

So Happy New Year, Reader; I wish all the best for you and your families in the coming year.

Daily Blog #585: Happy new year 2019

Hello Reader,
        New Year's Eve was great and New Year's Day proved to be full of family activities, so I missed a day of blogging. I hope you enjoyed your holiday as well, if you had one, and let's talk DFIR New Year's resolutions.

Here are mine:

  • To continue daily blogging throughout 2019
  • To build out the test kitchen to include all major Windows versions
  • To find a way to engage more of you in the test kitchen
  • To join the #DFIRFit movement
  • To really focus on those community events that make a difference
  • To make a calendar for a year of Forensic Lunches and schedule guests so you can watch the ones you want
  • To work with Devon Ackerman to get more of my content categorized into Aboutdfir.com
  • To push out some new projects with Matt Seyer
  • To build even more elaborate DFIR CTFs for all of you to play
  • To boldly go... where many other investigators have gone by continuing to validate and expand artifacts
  • To find a way to get OSX on to the test kitchen
  • To figure out how to reach more people in the DFIR community
  • To keep up with the podcast version of the Forensic Lunch

What are yours?

Daily Blog #586: Forensic Lunch Test Kitchen Server 2019 Shimcache Srum Syscache

Hello Reader,
      Tonight we extended our search to see if the Syscache hive came back to life by looking into Windows Server 2019. Here is what we learned:

  • No Syscache hive by default in Server 2019
  • There is a SRUM database by default in Server 2019
  • There is an Amcache hive by default in Server 2019
  • There is still no Prefetch in Server 2019
  • Shimcache showed an interesting behavior that we need to regression test on earlier versions of Windows: executables viewed in the Explorer GUI only got entered into the Shimcache when they were viewable and/or highlighted in the GUI window
  • Executables not yet scrolled into view in the GUI window were not present in the Shimcache
You can watch the video here:

Daily Blog #587: Forensic Lunch Test Kitchen 1/4/19 Server 2019 Amcache

Hello Reader,
     Tonight we continued our exploration of Server 2019 with a look into how Amcache is behaving on it.

Here is what we learned:

  • Amcache is still scanning the desktop for executables and adding them to the Amcache when the Application Experience scheduled task runs, even if the executable was never run
  • Like Server 2008 R2, Amcache is including the contents of the Desktop directory for both executions and executables
  • Server 2019 appears to be storing command line executions! This is a very different behavior than we've seen before and requires more testing
You can watch the video here:

Daily Blog #588: Solution Saturday 1/5/19

Hello Reader,
       Sometimes you have a winning entry that exceeds all of your expectations. This week is that week for me. Maxim Suhanov has come through with some pretty thorough testing to show what processes write to the Syscache hive and what DLLs reference it. This is great work and I look forward to trying out the application registry monitoring method he found.

The Challenge:
What processes update the Syscache.hve file on Windows Server 2008 R2?

The Winning Answer:

Daily Blog #589: Sunday Funday 1/6/19

Hello Reader,
         We had some great submissions last week and hopefully this will be the trend for the new year. Let's keep the pace with this week's challenge.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 1/11/19 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
Server 2019 got SRUM, what if any differences are there between SRUM on Windows 10 and SRUM on Server 2019?

Daily Blog #590: No Country for Old Unicorns

Hello Reader,
      Well, the need to resurrect unicorns in Office 365 appears to finally be coming to an end. According to the latest Office 365 updated feature notes, the default mailbox auditing permissions we all hoped for are finally rolling out to everyone. This means that in

TL;DR: Office 365, starting 2/1/19 (that's from the action required date on the notice), will start logging all individual mailbox actions for access of mail items as MailItemsAccessed records, but not into the Unified Audit Log at this time. The MessageBind action is going away. I just checked my own Office 365 deployment and the feature hasn't rolled out to me yet; once it does I'll post about it here and talk about how to pull the data.

From the Updated Feature message:

"To ensure that you have access to critical audit data to investigate security incidents in your organization, we’re making some updates to Exchange mailbox auditing. After this change takes place, Exchange Online will audit mail reads/accesses by default for owners, admins and delegates under the MailItemsAccessed action.
  This message is associated with Microsoft 365 Roadmap ID: 32224.
How does this affect me?
The MailItemsAccessed action offers comprehensive forensic coverage of mailbox accesses, including sync operations. In February 2019, audit logs will start generating MailItemsAccessed audit records to log user access of mail items. If you are on the default configuration, the MailItemsAccessed action will be added to Get-mailbox configurations, under the fields AuditAdmin, AuditDelegate and AuditOwner. Once the feature is rolled out to you, you will see the MailItemsAccessed action added and start to audit reads. This new MailItemsAccessed action is going to replace the MessageBind action; MessageBind will no longer be a valid action to configure, instead an error message will suggest turning on the MailItemsAccessed action. This change will not remove the MessageBind action from mailboxes which have already added it to their configurations. Initially, these audit records will not flow into the Unified Audit Log and will only be available from the Mailbox Audit Log. We’ll begin rolling this change out in early February, 2019. If you are on the default audit configuration, you will see the MailItemsAccessed action added once the feature is rolled out to you and you start to audit reads.
What do I need to do to prepare for this change?
There is no action you need to take to derive the security benefits of having mail read audit data. The MailItemsAccessed action will be updated in your Get-Mailbox action audit configurations automatically under AuditAdmin, AuditDelegate and AuditOwner. If you have set these configurations before, you will need to update them now to audit the two new mailbox actions. Please click Additional Information for details on how to do this. If you do not want to audit these new actions in your mailboxes and you do not want your mailbox action audit configurations to change in the future as we continue to update the defaults, you can set AuditAdmin, AuditDelegate and AuditOwner to your desired configuration. Even if your desired configuration is exactly the same as the current default configuration, so long as you set the AuditAdmin, AuditDelegate and AuditOwner configurations on your mailbox, you will preclude yourself from further updates to these audit configurations. Please click Additional Information for details on how to do this. If your organization has turned off mailbox auditing, then you will not audit mail read actions."

Daily Blog #591: SANS Jeddah March 2019

Hello Reader,
            Are you in the Middle East? If so, I'm coming to Jeddah, Saudi Arabia for the first time to teach SANS FOR500 Windows Forensics:
https://www.sans.org/event/jeddah-march-2019/course/windows-forensic-analysis

If you like any of the things I write about or show here on the blog, you will love this 6-day class as we go deep into Windows Forensics from Windows Vista through Windows 10, along with some discussion of Windows Server.

When I teach FOR500 I fill the day with practical demonstrations of how and why things work so you can understand the scope of any artifact, its limitations and how you can rely on it.

Since my last time in the Middle East I've learned even more about Windows artifacts, and I hope you will come out to spend a week with me, go in-depth into Windows Forensics and learn how to solve the toughest cases. We will go beyond the book and into the state of the art of what's possible today.

Daily Blog #592: Syscache and SHA 16bit hashes

Hello Reader,
          Tonight I'm applying my Syscache research in some casework, and while testing things out I realized something that I don't think was properly documented before. The Syscache SHA-1 hashes appear to be base16 encoded, not base32. So before you begin looking for that malicious executable, make sure you've generated the correct form of the hash!

Daily Blog #593: Forensic Lunch Test Kitchen 1/10/19 Windows 10 Userassist

Hello Reader,
         Tonight I changed the course of our testing with a slight detour, ok maybe a hard right, over to Windows 10, because I remembered an artifact that has been bugging me. The UserAssist artifact, a friend of mine since 2002 (I wrote about it in 2004 in the first Hacking Exposed Computer Forensics), seems to have had a change in behavior starting in Windows 8. Suddenly we had values showing up in UserAssist with a run count of 0 and no last execution time. So to remedy this I decided to start some testing, and here is what we learned:

  • Running a Modern app will update the run count and the execution time
  • Running a desktop app will update the run count and the execution time
  • The focus count is still unreliable
  • The focus time is still unreliable
  • Rebooting does not zero out the values in the UserAssist keys
  • Some entries, specifically under the UserAssist CEBFF GUID, appear not to get updated the way other versions of the same program do (Process Hacker in this example)
  • Some things don't get updated run counts or execution times; so far Microsoft Edge and Cortana appear to behave that way
More testing is needed so we can determine what is affecting the expected behavior.

You can watch the video here:

Daily Blog #594: Forensic Lunch Test Kitchen 1/11/19 Server 2008 R2 Syscache Mimikatz

Hello Reader,
  Tonight, on request from a viewer, we are looking to see what Mimikatz leaves behind in the Syscache hive on Windows Server 2008 R2.

Here is what we learned:

  • The Syscache hive did not appear to log the 64-bit Mimikatz executable from the first execution
  • It did log the 32-bit Mimikatz executable on first execution
  • It did log the 64-bit Mimikatz executable on the desktop
  • It did not appear to log the 64-bit Mimikatz executable in the Documents directory
  • The SHA-1 hashes, in their base16 form, were correctly searched on VirusTotal, identifying Mimikatz

We are going to leave the VM running over the weekend to see if the other 64-bit executables show up; see you next week. In the meantime, come back tomorrow to see this week's Sunday Funday winner, with the new contest posted this Sunday.
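Blog #592 above notes that the Syscache SHA-1 values are base16 (hex), and the test above relied on searching that form. As an added example (not code from the blog or from any tool it mentions), this Python helper produces both encodings for a file, normalizes whichever form a hive value is in back to hex, and checks it against a file; the sample bytes are constructed.

```python
import base64
import hashlib
import re

# Constructed sample input: stand-in bytes for an executable found on disk.
SAMPLE_FILE = b"constructed sample executable bytes"

HEX_SHA1 = re.compile(r"^[0-9a-fA-F]{40}$")   # base16: 40 hex characters
B32_SHA1 = re.compile(r"^[A-Z2-7]{32}$")      # base32: 32 characters, no padding


def sha1_forms(data: bytes) -> dict:
    """Return the SHA-1 digest of data in both encodings an analyst might meet.

    base16 (hex) is the form the Syscache hive appears to use and the form hash
    lookup services expect; base32 is the form that makes lookups miss when it
    is mistaken for the hive's encoding.
    """
    digest = hashlib.sha1(data).digest()
    return {
        "base16": digest.hex(),
        "base32": base64.b32encode(digest).decode("ascii"),
    }


def normalize_sha1(value: str) -> str:
    """Convert a SHA-1 string in either base16 or base32 to lower-case base16.

    Raises ValueError when the string is neither, so a malformed or truncated
    hive value is noticed instead of silently never matching anything.
    """
    v = value.strip()
    if HEX_SHA1.match(v):
        return v.lower()
    if B32_SHA1.match(v.upper()):
        return base64.b32decode(v.upper()).hex()
    raise ValueError(f"not a base16 or base32 SHA-1: {value!r}")


def hive_hash_matches_file(hive_value: str, file_bytes: bytes) -> bool:
    """True when the hash recorded in the hive is the SHA-1 of file_bytes."""
    return normalize_sha1(hive_value) == hashlib.sha1(file_bytes).hexdigest()


if __name__ == "__main__":
    forms = sha1_forms(SAMPLE_FILE)
    print("base16 (search this form):", forms["base16"])
    print("base32 (will not match):  ", forms["base32"])
    print("hive value matches file:", hive_hash_matches_file(forms["base16"], SAMPLE_FILE))
```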

You can watch the video here:

Daily Blog #595: Solution Saturday 1/12/19

Hello Reader,
        I had two great submissions this week, and one of them surprised me because it was from my own fellow G-C'er Matt Seyer. Matt won this week's competition because he took one step farther in his testing to show not only what the new tables in the Server 2019 SRUM database meant, but also where to go in the registry to get the answer.
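The winning answer below works by diffing the table schemas exported from each system's SRUM ESE database and tying each extension GUID back to its registration in the SOFTWARE hive. As an added illustration of that comparison (not Matt's srum_schema.py, and not using pyesedb or yarp), this Python takes hand-constructed schema sets drawn from the tables listed in his answer and emits the same kind of per-table status he reports.

```python
from typing import Dict, List, Tuple

Schema = Dict[str, str]  # column name -> ESE column type, in column order

# Constructed sample: a subset of the schemas from the winning answer, keyed by
# table name. Extension tables are named by their provider GUID.
_COMMON = {"AutoIncId": "INTEGER_32BIT_SIGNED", "TimeStamp": "DATE_TIME",
           "AppId": "INTEGER_32BIT_SIGNED", "UserId": "INTEGER_32BIT_SIGNED"}

WIN10_TABLES: Dict[str, Schema] = {
    "SruDbIdMapTable": {"IdType": "INTEGER_8BIT_UNSIGNED",
                        "IdIndex": "INTEGER_32BIT_SIGNED",
                        "IdBlob": "LARGE_BINARY_DATA"},
    # Windows Network Data Usage Monitor (nduprov.dll)
    "{973F5D5C-1D90-4944-BE8E-24B94231A174}": {
        **_COMMON, "InterfaceLuid": "INTEGER_64BIT_SIGNED",
        "L2ProfileId": "INTEGER_32BIT_SIGNED", "L2ProfileFlags": "INTEGER_32BIT_SIGNED",
        "BytesSent": "INTEGER_64BIT_SIGNED", "BytesRecvd": "INTEGER_64BIT_SIGNED"},
    # Windows Network Connectivity Usage Monitor (ncuprov.dll)
    "{DD6636C4-8929-4683-974E-22C046A43763}": {
        **_COMMON, "InterfaceLuid": "INTEGER_64BIT_SIGNED",
        "L2ProfileId": "INTEGER_32BIT_SIGNED", "ConnectedTime": "INTEGER_32BIT_SIGNED",
        "ConnectStartTime": "INTEGER_64BIT_SIGNED", "L2ProfileFlags": "INTEGER_32BIT_SIGNED"},
}

SERVER2019_TABLES: Dict[str, Schema] = {
    "SruDbIdMapTable": dict(WIN10_TABLES["SruDbIdMapTable"]),
    "{DD6636C4-8929-4683-974E-22C046A43763}":
        dict(WIN10_TABLES["{DD6636C4-8929-4683-974E-22C046A43763}"]),
    # SDP Cpu Provider (sdprov.dll), new on Server 2019
    "{DC3D3B50-BB90-5066-FA4E-A5F90DD8B677}": {**_COMMON, "ProcessorTime": "INTEGER_64BIT_SIGNED"},
}

# Constructed sample of the extension registrations read from each SOFTWARE hive
# under Microsoft\Windows NT\CurrentVersion\SRUM\Extensions\{GUID}: the key's
# default value is the provider name and DllName is the provider DLL.
WIN10_EXTENSIONS: Dict[str, Tuple[str, str]] = {
    "{973F5D5C-1D90-4944-BE8E-24B94231A174}":
        ("Windows Network Data Usage Monitor", r"%SystemRoot%\System32\nduprov.dll"),
    "{DD6636C4-8929-4683-974E-22C046A43763}":
        ("Windows Network Connectivity Usage Monitor", r"%SystemRoot%\System32\ncuprov.dll"),
}
SERVER2019_EXTENSIONS: Dict[str, Tuple[str, str]] = {
    "{DD6636C4-8929-4683-974E-22C046A43763}":
        ("Windows Network Connectivity Usage Monitor", r"%SystemRoot%\System32\ncuprov.dll"),
    "{DC3D3B50-BB90-5066-FA4E-A5F90DD8B677}":
        ("SDP Cpu Provider", r"%SystemRoot%\System32\sdprov.dll"),
}


def compare_schemas(a: Dict[str, Schema], b: Dict[str, Schema]) -> Dict[str, str]:
    """Classify every table seen on either system.

    Column order is compared as well as names and types, so a reordered or
    retyped column is reported rather than hidden behind a set comparison.
    """
    status: Dict[str, str] = {}
    for table in sorted(set(a) | set(b)):
        if table not in b:
            status[table] = "only_in_a"
        elif table not in a:
            status[table] = "only_in_b"
        elif list(a[table].items()) == list(b[table].items()):
            status[table] = "match"
        else:
            added = [c for c in b[table] if c not in a[table]]
            removed = [c for c in a[table] if c not in b[table]]
            retyped = [c for c in a[table] if c in b[table] and a[table][c] != b[table][c]]
            status[table] = f"differs: added={added} removed={removed} retyped={retyped}"
    return status


def label(table: str, *registries: Dict[str, Tuple[str, str]]) -> str:
    """Resolve an extension GUID to its provider name and DLL where registered."""
    for reg in registries:
        if table in reg:
            name, dll = reg[table]
            return f"{table} [{name}] ({dll})"
    return table  # base table, or an extension table with no registration found


def report(a, b, ext_a, ext_b, name_a="Windows 10", name_b="Server 2019") -> List[str]:
    """Render the comparison using the same wording as the winning answer."""
    wording = {"match": "Both table schemas match.",
               "only_in_a": f"Does not exist on {name_b}",
               "only_in_b": f"Does not exist on {name_a}"}
    return [f"{label(t, ext_a, ext_b)}: {wording.get(s, s)}"
            for t, s in compare_schemas(a, b).items()]


if __name__ == "__main__":
    for line in report(WIN10_TABLES, SERVER2019_TABLES, WIN10_EXTENSIONS, SERVER2019_EXTENSIONS):
        print(line)
```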

The Winning Answer:
Matt Seyer (@forensic_matt)

Sunday Funday Submission

The Challenge

Server 2019 got SRUM, what if any differences are there between SRUM on Windows 10 and SRUM on Server 2019?

Methodology

Compare the SRUM database schemas of a Windows 10 system and Server 2019. The most obvious differences should appear in the database schemas. Because the SRUM database uses the Extensible Storage Engine (ESE) format, we should work directly with the ESE database itself and not use tools that interpret its data into a different format (many tools will convert the ESE to SQLite). Because SRUM uses Extensions that are recorded in the SOFTWARE hive, the SOFTWARE hive should also be checked for differences.

Windows Versions Used

The following versions were used for generating the data in this research.
Server 2019 Version: Windows Server 2019 Standard (Desktop Experience)
Windows 10 Version: Windows 10 Enterprise

Table Differences

The following table schemas are resolved with a script (srum_schema.py) that uses pyesedb and yarp to resolve SRUM data. pyesedb allows us to work with the ESE format and yarp allows us to work with Registry and take transaction logs into account.

Base Tables

After reviewing SRUM’s base set of tables (tables not in the extensions), they appear to remain the same across Windows 10 and Server 2019.
Columns: Windows 10 | Server 2019 Desktop Experience | Status (flattened below as the Windows 10 schema, then the Server 2019 schema, then the status)
---------------------------------------
Table: MSysObjects
---------------------------------------
ObjidTable -> INTEGER_32BIT_SIGNED
Type -> INTEGER_16BIT_SIGNED
Id -> INTEGER_32BIT_SIGNED
ColtypOrPgnoFDP -> INTEGER_32BIT_SIGNED
SpaceUsage -> INTEGER_32BIT_SIGNED
Flags -> INTEGER_32BIT_SIGNED
PagesOrLocale -> INTEGER_32BIT_SIGNED
RootFlag -> BOOLEAN
RecordOffset -> INTEGER_16BIT_SIGNED
LCMapFlags -> INTEGER_32BIT_SIGNED
KeyMost -> INTEGER_16BIT_UNSIGNED
LVChunkMax -> INTEGER_32BIT_SIGNED
Name -> TEXT
Stats -> BINARY_DATA
TemplateTable -> TEXT
DefaultValue -> BINARY_DATA
KeyFldIDs -> BINARY_DATA
VarSegMac -> BINARY_DATA
ConditionalColumns -> BINARY_DATA
TupleLimits -> BINARY_DATA
Version -> BINARY_DATA
SortID -> BINARY_DATA
CallbackData -> LARGE_BINARY_DATA
CallbackDependencies -> LARGE_BINARY_DATA
SeparateLV -> LARGE_BINARY_DATA
SpaceHints -> LARGE_BINARY_DATA
SpaceDeferredLVHints -> LARGE_BINARY_DATA
LocaleName -> LARGE_BINARY_DATA
---------------------------------------
Table: MSysObjects
---------------------------------------
ObjidTable -> INTEGER_32BIT_SIGNED
Type -> INTEGER_16BIT_SIGNED
Id -> INTEGER_32BIT_SIGNED
ColtypOrPgnoFDP -> INTEGER_32BIT_SIGNED
SpaceUsage -> INTEGER_32BIT_SIGNED
Flags -> INTEGER_32BIT_SIGNED
PagesOrLocale -> INTEGER_32BIT_SIGNED
RootFlag -> BOOLEAN
RecordOffset -> INTEGER_16BIT_SIGNED
LCMapFlags -> INTEGER_32BIT_SIGNED
KeyMost -> INTEGER_16BIT_UNSIGNED
LVChunkMax -> INTEGER_32BIT_SIGNED
Name -> TEXT
Stats -> BINARY_DATA
TemplateTable -> TEXT
DefaultValue -> BINARY_DATA
KeyFldIDs -> BINARY_DATA
VarSegMac -> BINARY_DATA
ConditionalColumns -> BINARY_DATA
TupleLimits -> BINARY_DATA
Version -> BINARY_DATA
SortID -> BINARY_DATA
CallbackData -> LARGE_BINARY_DATA
CallbackDependencies -> LARGE_BINARY_DATA
SeparateLV -> LARGE_BINARY_DATA
SpaceHints -> LARGE_BINARY_DATA
SpaceDeferredLVHints -> LARGE_BINARY_DATA
LocaleName -> LARGE_BINARY_DATA
Both table schemas match.
---------------------------------------
Table: MSysObjectsShadow
---------------------------------------
ObjidTable -> INTEGER_32BIT_SIGNED
Type -> INTEGER_16BIT_SIGNED
Id -> INTEGER_32BIT_SIGNED
ColtypOrPgnoFDP -> INTEGER_32BIT_SIGNED
SpaceUsage -> INTEGER_32BIT_SIGNED
Flags -> INTEGER_32BIT_SIGNED
PagesOrLocale -> INTEGER_32BIT_SIGNED
RootFlag -> BOOLEAN
RecordOffset -> INTEGER_16BIT_SIGNED
LCMapFlags -> INTEGER_32BIT_SIGNED
KeyMost -> INTEGER_16BIT_UNSIGNED
LVChunkMax -> INTEGER_32BIT_SIGNED
Name -> TEXT
Stats -> BINARY_DATA
TemplateTable -> TEXT
DefaultValue -> BINARY_DATA
KeyFldIDs -> BINARY_DATA
VarSegMac -> BINARY_DATA
ConditionalColumns -> BINARY_DATA
TupleLimits -> BINARY_DATA
Version -> BINARY_DATA
SortID -> BINARY_DATA
CallbackData -> LARGE_BINARY_DATA
CallbackDependencies -> LARGE_BINARY_DATA
SeparateLV -> LARGE_BINARY_DATA
SpaceHints -> LARGE_BINARY_DATA
SpaceDeferredLVHints -> LARGE_BINARY_DATA
LocaleName -> LARGE_BINARY_DATA
---------------------------------------
Table: MSysObjectsShadow
---------------------------------------
ObjidTable -> INTEGER_32BIT_SIGNED
Type -> INTEGER_16BIT_SIGNED
Id -> INTEGER_32BIT_SIGNED
ColtypOrPgnoFDP -> INTEGER_32BIT_SIGNED
SpaceUsage -> INTEGER_32BIT_SIGNED
Flags -> INTEGER_32BIT_SIGNED
PagesOrLocale -> INTEGER_32BIT_SIGNED
RootFlag -> BOOLEAN
RecordOffset -> INTEGER_16BIT_SIGNED
LCMapFlags -> INTEGER_32BIT_SIGNED
KeyMost -> INTEGER_16BIT_UNSIGNED
LVChunkMax -> INTEGER_32BIT_SIGNED
Name -> TEXT
Stats -> BINARY_DATA
TemplateTable -> TEXT
DefaultValue -> BINARY_DATA
KeyFldIDs -> BINARY_DATA
VarSegMac -> BINARY_DATA
ConditionalColumns -> BINARY_DATA
TupleLimits -> BINARY_DATA
Version -> BINARY_DATA
SortID -> BINARY_DATA
CallbackData -> LARGE_BINARY_DATA
CallbackDependencies -> LARGE_BINARY_DATA
SeparateLV -> LARGE_BINARY_DATA
SpaceHints -> LARGE_BINARY_DATA
SpaceDeferredLVHints -> LARGE_BINARY_DATA
LocaleName -> LARGE_BINARY_DATA
Both table schemas match.
---------------------------------------
Table: MSysObjids
---------------------------------------
objid -> INTEGER_32BIT_SIGNED
objidTable -> INTEGER_32BIT_SIGNED
type -> INTEGER_16BIT_SIGNED
---------------------------------------
Table: MSysObjids
---------------------------------------
objid -> INTEGER_32BIT_SIGNED
objidTable -> INTEGER_32BIT_SIGNED
type -> INTEGER_16BIT_SIGNED
Both table schemas match.
---------------------------------------
Table: MSysLocales
---------------------------------------
Type -> INTEGER_8BIT_UNSIGNED
iValue -> INTEGER_32BIT_SIGNED
Key -> BINARY_DATA
---------------------------------------
Table: MSysLocales
---------------------------------------
Type -> INTEGER_8BIT_UNSIGNED
iValue -> INTEGER_32BIT_SIGNED
Key -> BINARY_DATA
Both table schemas match.
---------------------------------------
Table: SruDbIdMapTable
---------------------------------------
IdType -> INTEGER_8BIT_UNSIGNED
IdIndex -> INTEGER_32BIT_SIGNED
IdBlob -> LARGE_BINARY_DATA
---------------------------------------
Table: SruDbIdMapTable
---------------------------------------
IdType -> INTEGER_8BIT_UNSIGNED
IdIndex -> INTEGER_32BIT_SIGNED
IdBlob -> LARGE_BINARY_DATA
Both table schemas match.
---------------------------------------
Table: SruDbCheckpointTable
---------------------------------------
ProviderId -> GUID
CheckpointId -> INTEGER_32BIT_SIGNED
NextIncId -> INTEGER_32BIT_SIGNED
SeqNumber -> BINARY_DATA
RecordSet -> LARGE_BINARY_DATA
---------------------------------------
Table: SruDbCheckpointTable
---------------------------------------
ProviderId -> GUID
CheckpointId -> INTEGER_32BIT_SIGNED
NextIncId -> INTEGER_32BIT_SIGNED
SeqNumber -> BINARY_DATA
RecordSet -> LARGE_BINARY_DATA
Both table schemas match.

Extended Tables

The differences between Windows 10 and Server 2019 start appearing when looking at the “Extension” tables. See the section Resolving Extended GUIDs for more information on registered Extensions and their enumeration. It would appear that DLLs register the Extension and thus it is expected to see differences of these tables between systems depending on services or application that exist. That being said, let’s look at some common tables.
Columns: Windows 10 | Server 2019 Desktop Experience | Notes (flattened below as the Windows 10 schema, then the Server 2019 schema where present, then the notes)
---------------------------------------
Table: {973F5D5C-1D90-4944-BE8E-24B94231A174}
[Windows Network Data Usage Monitor]
-- Extension Key Values from SOFTWARE hive --
: Windows Network Data Usage Monitor
DllName: %SystemRoot%\System32\nduprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
InterfaceLuid -> INTEGER_64BIT_SIGNED
L2ProfileId -> INTEGER_32BIT_SIGNED
L2ProfileFlags -> INTEGER_32BIT_SIGNED
BytesSent -> INTEGER_64BIT_SIGNED
BytesRecvd -> INTEGER_64BIT_SIGNED

This is where things get interesting. The “Windows Network Data Usage Monitor” table does not seem to exist on my Server 2019 Standard fresh install. This has been a very useful table and is used by SrumMonkey to generate meaningful network data reports.

Upon examining Server 2019’s Windows\System32 folder, no ‘nduprov.dll’ exists.

Though Server 2019’s table “{EEE2F477-0659-5C47-EF03-6D6BEFD441B3}” (SDP Network Provider) appears to be somewhat of a replacement for network byte usage. [Further down in table]
---------------------------------------
Table: {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89} [Application Resource Usage Provider]
-- Extension Key Values from SOFTWARE hive --
: Application Resource Usage Provider
DllName: %SystemRoot%\System32\appsruprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
ForegroundCycleTime -> INTEGER_64BIT_SIGNED
BackgroundCycleTime -> INTEGER_64BIT_SIGNED
FaceTime -> INTEGER_64BIT_SIGNED
ForegroundContextSwitches -> INTEGER_32BIT_SIGNED
BackgroundContextSwitches -> INTEGER_32BIT_SIGNED
ForegroundBytesRead -> INTEGER_64BIT_SIGNED
ForegroundBytesWritten -> INTEGER_64BIT_SIGNED
ForegroundNumReadOperations -> INTEGER_32BIT_SIGNED
ForegroundNumWriteOperations -> INTEGER_32BIT_SIGNED
ForegroundNumberOfFlushes -> INTEGER_32BIT_SIGNED
BackgroundBytesRead -> INTEGER_64BIT_SIGNED
BackgroundBytesWritten -> INTEGER_64BIT_SIGNED
BackgroundNumReadOperations -> INTEGER_32BIT_SIGNED
BackgroundNumWriteOperations -> INTEGER_32BIT_SIGNED
BackgroundNumberOfFlushes -> INTEGER_32BIT_SIGNED
---------------------------------------
Table: {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89} [Application Resource Usage Provider]
-- Extension Key Values from SOFTWARE hive --
: Application Resource Usage Provider
DllName: %SystemRoot%\System32\appsruprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
ForegroundCycleTime -> INTEGER_64BIT_SIGNED
BackgroundCycleTime -> INTEGER_64BIT_SIGNED
FaceTime -> INTEGER_64BIT_SIGNED
ForegroundContextSwitches -> INTEGER_32BIT_SIGNED
BackgroundContextSwitches -> INTEGER_32BIT_SIGNED
ForegroundBytesRead -> INTEGER_64BIT_SIGNED
ForegroundBytesWritten -> INTEGER_64BIT_SIGNED
ForegroundNumReadOperations -> INTEGER_32BIT_SIGNED
ForegroundNumWriteOperations -> INTEGER_32BIT_SIGNED
ForegroundNumberOfFlushes -> INTEGER_32BIT_SIGNED
BackgroundBytesRead -> INTEGER_64BIT_SIGNED
BackgroundBytesWritten -> INTEGER_64BIT_SIGNED
BackgroundNumReadOperations -> INTEGER_32BIT_SIGNED
BackgroundNumWriteOperations -> INTEGER_32BIT_SIGNED
BackgroundNumberOfFlushes -> INTEGER_32BIT_SIGNED
This table is utilized by appsruprov.dll (Application Resource Usage Provider) and its schema remains unchanged on Server 2019 Standard. This is a common table to utilize for most tools including SrumMonkey.
---------------------------------------
Table: {DA73FB89-2BEA-4DDC-86B8-6E048C6DA477}
[Energy Estimation Provider]
-- Extension Key Values from SOFTWARE hive --
: Energy Estimation Provider
CapabilityFlags: 506
DllName: %SystemRoot%\System32\eeprov.dll
Tier2MaxEntries: 168
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
BinaryData -> BINARY_DATA

Does not exist on Server 2019
---------------------------------------
Table: {DD6636C4-8929-4683-974E-22C046A43763}
[Windows Network Connectivity Usage Monitor]
-- Extension Key Values from SOFTWARE hive --
: Windows Network Connectivity Usage Monitor
DllName: %SystemRoot%\System32\ncuprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
InterfaceLuid -> INTEGER_64BIT_SIGNED
L2ProfileId -> INTEGER_32BIT_SIGNED
ConnectedTime -> INTEGER_32BIT_SIGNED
ConnectStartTime -> INTEGER_64BIT_SIGNED
L2ProfileFlags -> INTEGER_32BIT_SIGNED
---------------------------------------
Table: {DD6636C4-8929-4683-974E-22C046A43763}
[Windows Network Connectivity Usage Monitor]
-- Extension Key Values from SOFTWARE hive --
: Windows Network Connectivity Usage Monitor
DllName: %SystemRoot%\System32\ncuprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
InterfaceLuid -> INTEGER_64BIT_SIGNED
L2ProfileId -> INTEGER_32BIT_SIGNED
ConnectedTime -> INTEGER_32BIT_SIGNED
ConnectStartTime -> INTEGER_64BIT_SIGNED
L2ProfileFlags -> INTEGER_32BIT_SIGNED
Both table schemas match.
---------------------------------------
Table: {D10CA2FE-6FCF-4F6D-848E-B2E99266FA86}
[WPN SRUM Provider]
-- Extension Key Values from SOFTWARE hive --
: WPN SRUM Provider
DllName: %SystemRoot%\System32\wpnsruprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
NotificationType -> INTEGER_32BIT_SIGNED
PayloadSize -> INTEGER_32BIT_SIGNED
NetworkType -> INTEGER_32BIT_SIGNED

Does not exist on Server 2019
---------------------------------------
Table: {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}
[Energy Usage Provider]
-- Extension Key Values from SOFTWARE hive --
: Energy Usage Provider
CapabilityFlags: 25
DllName: %SystemRoot%\System32\energyprov.dll
LastLongTermUpdate: 131898800885695180
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
EventTimestamp -> INTEGER_64BIT_SIGNED
StateTransition -> INTEGER_32BIT_SIGNED
DesignedCapacity -> INTEGER_32BIT_SIGNED
FullChargedCapacity -> INTEGER_32BIT_SIGNED
ChargeLevel -> INTEGER_32BIT_SIGNED
CycleCount -> INTEGER_32BIT_SIGNED
ConfigurationHash -> INTEGER_64BIT_SIGNED

Does not exist on Server 2019
---------------------------------------
Table: {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}LT
[Energy Usage Provider]
-- Extension Key Values from SOFTWARE hive --
: Energy Usage Provider
CapabilityFlags: 25
DllName: %SystemRoot%\System32\energyprov.dll
LastLongTermUpdate: 131898800885695180
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
ActiveAcTime -> INTEGER_32BIT_SIGNED
CsAcTime -> INTEGER_32BIT_SIGNED
ActiveDcTime -> INTEGER_32BIT_SIGNED
CsDcTime -> INTEGER_32BIT_SIGNED
ActiveDischargeTime -> INTEGER_32BIT_SIGNED
CsDischargeTime -> INTEGER_32BIT_SIGNED
ActiveEnergy -> INTEGER_32BIT_SIGNED
CsEnergy -> INTEGER_32BIT_SIGNED
DesignedCapacity -> INTEGER_32BIT_SIGNED
FullChargedCapacity -> INTEGER_32BIT_SIGNED
CycleCount -> INTEGER_32BIT_SIGNED
ConfigurationHash -> INTEGER_64BIT_SIGNED

Does not exist on Server 2019
---------------------------------------
Table: {5C8CF1C7-7257-4F13-B223-970EF5939312}
[App Timeline Provider]
-- Extension Key Values from SOFTWARE hive --
: App Timeline Provider
CapabilityFlags: 250
DllName: %SystemRoot%\System32\eeprov.dll
Tier2MaxEntries: 168
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
Flags -> INTEGER_32BIT_SIGNED
EndTime -> INTEGER_64BIT_SIGNED
DurationMS -> INTEGER_32BIT_SIGNED
SpanMS -> INTEGER_32BIT_SIGNED
TimelineEnd -> INTEGER_32BIT_SIGNED
InFocusTimeline -> INTEGER_64BIT_SIGNED
UserInputTimeline -> INTEGER_64BIT_SIGNED
CompRenderedTimeline -> INTEGER_64BIT_SIGNED
CompDirtiedTimeline -> INTEGER_64BIT_SIGNED
CompPropagatedTimeline -> INTEGER_64BIT_SIGNED
AudioInTimeline -> INTEGER_64BIT_SIGNED
AudioOutTimeline -> INTEGER_64BIT_SIGNED
CpuTimeline -> INTEGER_64BIT_SIGNED
DiskTimeline -> INTEGER_64BIT_SIGNED
NetworkTimeline -> INTEGER_64BIT_SIGNED
MBBTimeline -> INTEGER_64BIT_SIGNED
InFocusS -> INTEGER_32BIT_SIGNED
PSMForegroundS -> INTEGER_32BIT_SIGNED
UserInputS -> INTEGER_32BIT_SIGNED
CompRenderedS -> INTEGER_32BIT_SIGNED
CompDirtiedS -> INTEGER_32BIT_SIGNED
CompPropagatedS -> INTEGER_32BIT_SIGNED
AudioInS -> INTEGER_32BIT_SIGNED
AudioOutS -> INTEGER_32BIT_SIGNED
Cycles -> INTEGER_64BIT_SIGNED
CyclesBreakdown -> INTEGER_64BIT_SIGNED
CyclesAttr -> INTEGER_64BIT_SIGNED
CyclesAttrBreakdown -> INTEGER_64BIT_SIGNED
CyclesWOB -> INTEGER_64BIT_SIGNED
CyclesWOBBreakdown -> INTEGER_64BIT_SIGNED
DiskRaw -> INTEGER_64BIT_SIGNED
NetworkTailRaw -> INTEGER_64BIT_SIGNED
NetworkBytesRaw -> INTEGER_64BIT_SIGNED
MBBTailRaw -> INTEGER_64BIT_SIGNED
MBBBytesRaw -> INTEGER_64BIT_SIGNED
DisplayRequiredS -> INTEGER_32BIT_SIGNED
DisplayRequiredTimeline -> INTEGER_64BIT_SIGNED
KeyboardInputTimeline -> INTEGER_64BIT_SIGNED
KeyboardInputS -> INTEGER_32BIT_SIGNED
MouseInputS -> INTEGER_32BIT_SIGNED

Does not exist on Server 2019
---------------------------------------
Table: {7ACBBAA3-D029-4BE4-9A7A-0885927F1D8F}
[vfuprov]
-- Extension Key Values from SOFTWARE hive --
: vfuprov
DllName: %SystemRoot%\System32\vfuprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
Flags -> INTEGER_32BIT_SIGNED
StartTime -> INTEGER_64BIT_SIGNED
EndTime -> INTEGER_64BIT_SIGNED
Usage -> BINARY_DATA

Does not exist on Server 2019

---------------------------------------
Table: {17F4D97B-F26A-5E79-3A82-90040A47D13D}
[SDP Volume Provider]
-- Extension Key Values from SOFTWARE hive --
: SDP Volume Provider
CapabilityFlags: 0
DllName: %SystemRoot%\System32\sdprov.dll
Tier2MaxEntries: 9000
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
Total -> INTEGER_64BIT_SIGNED
Used -> INTEGER_64BIT_SIGNED
Does not exist on Windows 10

---------------------------------------
Table: {841A7317-3805-518B-C2EA-AD224CB4AF84}
[SDP Physical Disk Provider]
-- Extension Key Values from SOFTWARE hive --
: SDP Physical Disk Provider
CapabilityFlags: 0
DllName: %SystemRoot%\System32\sdprov.dll
Tier2MaxEntries: 9000
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
SizeInBytes -> INTEGER_64BIT_SIGNED
Does not exist on Windows 10

---------------------------------------
Table: {DC3D3B50-BB90-5066-FA4E-A5F90DD8B677}
[SDP Cpu Provider]
-- Extension Key Values from SOFTWARE hive --
: SDP Cpu Provider
CapabilityFlags: 0
DllName: %SystemRoot%\System32\sdprov.dll
Tier2MaxEntries: 9000
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
ProcessorTime -> INTEGER_64BIT_SIGNED
Does not exist on Windows 10

---------------------------------------
Table: {EEE2F477-0659-5C47-EF03-6D6BEFD441B3}
[SDP Network Provider]
-- Extension Key Values from SOFTWARE hive --
: SDP Network Provider
CapabilityFlags: 0
DllName: %SystemRoot%\System32\sdprov.dll
Tier2MaxEntries: 9000
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
BytesInBound -> INTEGER_64BIT_SIGNED
BytesOutBound -> INTEGER_64BIT_SIGNED
BytesTotal -> INTEGER_64BIT_SIGNED
Does not exist on Windows 10

This looks like a replacement for the Windows 10 “Windows Network Data Usage Monitor” table; that being said, it lacks interface IDs.


Resolving Extended GUIDs

As with Windows 10, Server 2019 maintains the SRUM extended GUIDs and format under the SOFTWARE registry key `Microsoft\Windows NT\CurrentVersion\SRUM\Extensions`. This key has multiple sub-keys which are the GUIDs. For each GUID key, the default value is the descriptor of the GUID. See below for example:
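As an added example (not from the original post), here is a small Python parser for the table-dump layout used above; it turns each `Table: {GUID}` block into a record and resolves a table GUID to the descriptor and DllName that its Extensions subkey holds. The sample dump is constructed from two of the providers listed above, with their column lists shortened.

```python
import re
# Constructed sample in the same layout as the dump above (two providers, columns abbreviated).
SAMPLE_DUMP = r"""
---------------------------------------
Table: {DC3D3B50-BB90-5066-FA4E-A5F90DD8B677}
[SDP Cpu Provider]
-- Extension Key Values from SOFTWARE hive --
: SDP Cpu Provider
DllName: %SystemRoot%\System32\sdprov.dll
---------------------------------------
ProcessorTime -> INTEGER_64BIT_SIGNED
Does not exist on Windows 10
---------------------------------------
Table: {7ACBBAA3-D029-4BE4-9A7A-0885927F1D8F}
[vfuprov]
-- Extension Key Values from SOFTWARE hive --
: vfuprov
DllName: %SystemRoot%\System32\vfuprov.dll
---------------------------------------
Usage -> BINARY_DATA
Does not exist on Server 2019
"""

def parse_dump(text):
    """One dict per 'Table: {GUID}' block: guid, name, extension values, columns, missing_on."""
    tables, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"Table: (\{[0-9A-F-]+\})$", line, re.I)
        if m:
            cur = dict(guid=m.group(1).upper(), name="", extension={}, columns={}, missing_on=[])
            tables.append(cur)
        elif cur is None or not line or line.startswith("--"):
            continue                           # separators and the hive banner carry no data
        elif line.startswith("[") and line.endswith("]"):
            cur["name"] = line[1:-1]
        elif " -> " in line:                   # column name -> ESE column type
            col, typ = line.split(" -> ", 1)
            cur["columns"][col] = typ
        elif line.startswith("Does not exist on "):
            cur["missing_on"].append(line[len("Does not exist on "):])
        elif ":" in line:                      # ": vfuprov" is the subkey's (default) value
            key, val = line.split(":", 1)
            cur["extension"][key.strip()] = val.strip()
    return tables

def resolve_guid(tables, guid):
    """Resolve a SRUM table GUID to (descriptor, DllName), as the Extensions subkey would."""
    t = next((t for t in tables if t["guid"] == guid.upper()), None)
    return None if t is None else (t["extension"].get("", t["name"]), t["extension"].get("DllName"))
```

Feeding the full dump from this post into `parse_dump` gives a per-OS inventory of provider tables via the `missing_on` field, which is handy when diffing SRUM schemas between Windows 10 and Server 2019 images.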


Daily Blog #596: Sunday Funday 1/13/19

Hello Reader,
          We've had back-to-back great answers in this new year, which I hope is just setting the trend for the rest of 2019. We've bounced around a couple of topics, but let's see if you can finish one out for all of us.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 1/18/19 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed; please email them to dcowen@g-cpartners.com. Please state in your email whether you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
In Windows 10, what behavior appears to determine whether a program will show up in the UserAssist entries with a run count of 0 versus actually tracking a run count and last execution date?

Daily Blog #597: Tool Spotlight MD Viewer

Hello Reader,
          I was out late helping a friend, so rather than a test kitchen tonight I'm going to do a tool highlight. David Dym, our colleague at G-C Partners, LLC, has written a number of tools we use, such as:

  • ShadowKit
  • MetaDiver
  • SqliteDiver

Now he's come out with a new tool, MDViewer (Meta Diver Viewer).

MDViewer lets you quickly view all of the metadata of a file. It is built on top of Apache Tika, and you can drag and drop files onto it to view not only metadata but also hex/strings and more.

You can grab a copy here:

https://www.easymetadata.com/2019/01/mdviewer-1-0-initial-release/

Daily Blog #598: Forensic Lunch Test Kitchen 1/15/19 Syscache Mimikatz Server 2008 R2

Hello Reader,
       Tonight we returned to the test kitchen to try to solve the mystery of the multiple mimikatz executables now showing up in the Syscache.

Tonight we learned:

  • Syscache does not appear to duplicate entries by hash
  • We got some entries to appear without a hash
  • We are giving the VM enough time to run its background processes to get the Syscache fully written to, with a new test tomorrow night
  • The last write time does not appear to be updated when the program is executed again
  • 64-bit and 32-bit executables are being recorded

You can watch the video here:

Daily Blog #599: Forensic Lunch Test Kitchen 1/16/19 Syscache Server 2008 R2 Mimikatz

Hello Reader,
   Tonight we just had a short testing session (8 minutes of actual testing) where we checked in on last night's test. Here is what we learned:

  • The time delay did not affect our results
  • A shutdown/power on did not add any new entries
  • The Registry Explorer and hasher entries still had no hash
  • We still saw no entries for the other mimikatz executables

On the next broadcast we will be testing the same behavior in Windows 7, and parsing the whole MFT and Syscache rather than individual records to make sure we aren't missing anything.

You can watch the video here:

Daily Blog #600: Windows 10 Search Artifacts are going to change again

Hello Reader,
            I saw this article over on The Verge:
https://www.theverge.com/2019/1/16/18185490/microsoft-cortana-windows-10-search-changes

In this article they describe how Cortana is going to be separated from the search function. Currently we find the Windows 10 search artifacts in the NTUSER hive under `\Software\Microsoft\Windows\CurrentVersion\Search`. So keep an eye out for this change, as we expect changes in how this data is stored and possibly new entries for Cortana.

This is interesting since Cortana has been rapidly changing artifact-wise, and a return to more locally stored Cortana artifacts would be welcome.