0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity

Merge pull request #482 from TalebQasem/patch-37 

Update README.md
This commit is contained in:
Carlos Polop 2022-09-18 11:19:42 +02:00 committed by GitHub
parent e2e2d58eee f7cd25bb45
commit 8c2ef25e2f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 82 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

161
forensics/basic-forensic-methodology/windows-forensics/README.md
View File

@ -20,31 +20,31 @@
In the path `\Users\<username>\AppData\Local\Microsoft\Windows\Notifications` you can find the database `appdb.dat` (before Windows anniversary) or `wpndatabase.db` (after Windows Anniversary).
Inside this SQLite database you can find the `Notification` table with all the notifications (in xml format) that may contain interesting data.
Inside this SQLite database, you can find the `Notification` table with all the notifications (in XML format) that may contain interesting data.
### Timeline
Timeline is a Windows characteristic that provides **chronological history** of web pages visited, edited documents, executed applications...\
The database resides in the path `\Users\<username>\AppData\Local\ConnectedDevicesPlatform\<id>\ActivitiesCache.db`\
This database can be open with a SQLite tool or with the tool [**WxTCmd**](https://github.com/EricZimmerman/WxTCmd) **which generates 2 files that can be opened with the tool** [**TimeLine Explorer**](https://ericzimmerman.github.io/#!index.md).
Timeline is a Windows characteristic that provides **chronological history** of web pages visited, edited documents, and executed applications.
### ADS/Alternate Data Streams
The database resides in the path `\Users\<username>\AppData\Local\ConnectedDevicesPlatform\<id>\ActivitiesCache.db`\. This database can be opened with an SQLite tool or with the tool [**WxTCmd**](https://github.com/EricZimmerman/WxTCmd) **which generates 2 files that can be opened with the tool** [**TimeLine Explorer**](https://ericzimmerman.github.io/#!index.md).
Files downloaded may contain the **ADS Zone.Identifier** indicating **how** was **downloaded** (from the intranet, Internet...) and some software (like browser) usually put even **more** **information** like the **URL** from where the file was downloaded.
### ADS (Alternate Data Streams)
Files downloaded may contain the **ADS Zone.Identifier** indicating **how** it was **downloaded** from the intranet, internet, etc. Some software (like browsers) usually put even **more** **information** like the **URL** from where the file was downloaded.
## **File Backups**
### Recycle Bin
In Vista/Win7/Win8/Win10 the **Reciclye Bin** can be found in the folder **`$Recycle.bin`** in the root of the drive (`C:\$Reciycle.bin`).\
When a file is deleted in this folder are created 2 files:
In Vista/Win7/Win8/Win10 the **Recycle Bin** can be found in the folder **`$Recycle.bin`** in the root of the drive (`C:\$Reciycle.bin`).\
When a file is deleted in this folder 2 specific files are created:
* `$I{id}`: File information (date of when it was deleted}
* `$R{id}`: Content of the file
![](<../../../.gitbook/assets/image (486).png>)
Having these files you can sue the tool [**Rifiuti**](https://github.com/abelcheung/rifiuti2) to get the original address of the deleted files and the date it was deleted (use `rifiuti-vista.exe` for Vista Win10).
Having these files you can use the tool [**Rifiuti**](https://github.com/abelcheung/rifiuti2) to get the original address of the deleted files and the date it was deleted (use `rifiuti-vista.exe` for Vista Win10).
```
.\rifiuti-vista.exe C:\Users\student\Desktop\Recycle
@ -54,8 +54,9 @@ Having these files you can sue the tool [**Rifiuti**](https://github.com/abelche
### Volume Shadow Copies
Shadow Copy is a technology included in Microsoft Windows that can create **backup copies** or snapshots of computer files or volumes, even when they are in use.\
These backups are usually located in the `\System Volume Information` from the roof of the file system and the name is composed by **UIDs** as in the following image:
Shadow Copy is a technology included in Microsoft Windows that can create **backup copies** or snapshots of computer files or volumes, even when they are in use.
These backups are usually located in the `\System Volume Information` from the root of the file system and the name is composed of **UIDs** shown in the following image:
![](<../../../.gitbook/assets/image (520).png>)
@ -71,7 +72,7 @@ The registry `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS` also con
### Office AutoSaved Files
You can find the office autosaved files in : `C:\Usuarios\\AppData\Roaming\Microsoft{Excel|Word|Powerpoint}\`
You can find the office autosaved files in: `C:\Usuarios\\AppData\Roaming\Microsoft{Excel|Word|Powerpoint}\`
## Shell Items
@ -84,37 +85,45 @@ Windows **automatically** **creates** these **shortcuts** when the user **open,
* Win7-Win10: `C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\`
* Office: `C:\Users\\AppData\Roaming\Microsoft\Office\Recent\`
When a folder is created, a link to the folder, to the parent folder and to the grandparent folder is also created.
When a folder is created, a link to the folder, to the parent folder, and the grandparent folder is also created.
These automatically created link files **contain information about the origin** like if it's a **file** **or** a **folder**, **MAC** **times** of that file, **volume informatio**n of where is the file stored and **folder of the target file**.\
This information can be useful to recover those files in case they were removed.
These automatically created link files **contain information about the origin** like if it's a **file** **or** a **folder**, **MAC** **times** of that file, **volume information** of where is the file stored and **folder of the target file**. This information can be useful to recover those files in case they were removed.
Also, the **date created of the link** file is the first **time** the original file was **first** **used** and the **date** **modified** of the link file is the **last** **time** the origin file was used.
To inspect these files you can use [**LinkParser**](http://4discovery.com/our-tools/).
In this tools you will find 2 set of timestamps: **FileModifiedDate**, **FileAccessDate** and **FileCreationDate**, and **LinkModifiedDate**, **LinkAccessDate** and **LinkCreationDate**. The first set of timestamp references the **timestamps of the link file itself**. The second set references the **timestamps of the linked file**.
In this tools you will find **2 sets** of timestamps:
You can get the same information running the Windows cli tool: [**LECmd.exe**](https://github.com/EricZimmerman/LECmd)
- **First Set:**
1. FileModifiedDate
2. FileAccessDate
3. FileCreationDate
- **Second Set:**
1. LinkModifiedDate
2. LinkAccessDate
3. LinkCreationDate.
The first set of timestamp references the **timestamps of the file itself**. The second set references the **timestamps of the linked file**.
You can get the same information running the Windows CLI tool: [**LECmd.exe**](https://github.com/EricZimmerman/LECmd)
```
LECmd.exe -d C:\Users\student\Desktop\LNKs --csv C:\Users\student\Desktop\LNKs
```
In this case the information is going to be saved inside a CSV file.
In this case, the information is going to be saved inside a CSV file.
### Jumplists
These are the recent files that are indicated per application. It's the list of **recent files used by an application** that you can access on each application.
These are the recent files that are indicated per application. It's the list of **recent files used by an application** that you can access on each application. They can be created **automatically or be custom**.
They can be created **automatically or be custom**.
The **jumplists** created automatically are stored in `C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\`.\
The jumplists are named following the format `{id}.autmaticDestinations-ms` where the initial ID is the ID of the application.
The **jumplists** created automatically are stored in `C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\`. The jumplists are named following the format `{id}.autmaticDestinations-ms` where the initial ID is the ID of the application.
The custom jumplists are stored in `C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\CustomDestination\` and they are created by the application usually because something **important** has happened with the file (maybe marked as favorite)
The **created time** of any jumplist indicates the **first time the file was accessed** and the **modified time the last time**.
The **created time** of any jumplist indicates the **the first time the file was accessed** and the **modified time the last time**.
You can inspect the jumplists using [**JumplistExplorer**](https://ericzimmerman.github.io/#!index.md).
@ -142,7 +151,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
### Registry Information
[Check this page to learn](interesting-windows-registry-keys.md#usb-information) which registry keys contains interesting information about USB connected devices.
[Check this page to learn](interesting-windows-registry-keys.md#usb-information) which registry keys contain interesting information about USB connected devices.
### setupapi
@ -158,19 +167,19 @@ Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about whe
### Plug and Play Cleanup
The 'Plug and Play Cleanup' scheduled task is responsible for **clearing** legacy versions of drivers. It would appear (based upon reports online) that it also picks up **drivers which have not been used in 30 days**, despite its description stating that "the most current version of each driver package will be kept". As such, **removable devices which have not been connected for 30 days may have their drivers removed**.\
The 'Plug and Play Cleanup' scheduled task is responsible for **clearing** legacy versions of drivers. It would appear (based upon reports online) that it also picks up **drivers which have not been used in 30 days**, despite its description stating that "the most current version of each driver package will be kept". As such, **removable devices which have not been connected for 30 days may have their drivers removed**.
The scheduled task itself is located at C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Plug and Play Cleanup, and its content is displayed below:
![](https://2.bp.blogspot.com/-wqYubtuR\_W8/W19bV5S9XyI/AAAAAAAANhU/OHsBDEvjqmg9ayzdNwJ4y2DKZnhCdwSMgCLcBGAs/s1600/xml.png)
The task references 'pnpclean.dll' which is responsible for performing the cleanup activity additionally we see that the UseUnifiedSchedulingEngine field is set to TRUE which specifies that the generic task scheduling engine is used to manage the task. The Period and Deadline values of 'P1M' and 'P2M' within MaintenanceSettings instruct Task Scheduler to execute the task once every month during regular Automatic maintenance and if it fails for 2 consecutive months, to start attempting the task during.\
**This section was copied from** [**here**](https://blog.1234n6.com/2018/07/windows-plug-and-play-cleanup.html)**.**
The task references 'pnpclean.dll' which is responsible for performing the cleanup activity additionally we see that the UseUnifiedSchedulingEngine field is set to TRUE which specifies that the generic task scheduling engine is used to manage the task. The Period and Deadline values of 'P1M' and 'P2M' within MaintenanceSettings instruct Task Scheduler to execute the task once every month during regular Automatic maintenance and if it fails for 2 consecutive months, to start attempting the task during the emergency Automatic maintenance. **This section was copied from** [**here**](https://blog.1234n6.com/2018/07/windows-plug-and-play-cleanup.html)**.**
## Emails
The emails contains **2 interesting parts: The headers and the content** of the email. In the **headers** you can find information like:
Emails contain **2 interesting parts: The headers and the content** of the email. In the **headers** you can find information like:
* **Who** send the emails (email address, IP, mail servers that has redirected the email)
* **Who** sent the emails (email address, IP, mail servers that have redirected the email)
* **When** was the email sent
Also, inside the `References` and `In-Reply-To` headers you can find the ID of the messages:
@ -179,7 +188,7 @@ Also, inside the `References` and `In-Reply-To` headers you can find the ID of t
### Windows Mail App
This application saves the emails in HTML or text. You can find the emails inside subfolders inside `\Users\<username>\AppData\Local\Comms\Unistore\data\3\`. The emails are saved with `.dat` extension.
This application saves emails in HTML or text. You can find the emails inside subfolders inside `\Users\<username>\AppData\Local\Comms\Unistore\data\3\`. The emails are saved with the `.dat` extension.
The **metadata** of the emails and the **contacts** can be found inside the **EDB database**: `\Users\<username>\AppData\Local\Comms\UnistoreDB\store.vol`
@ -190,16 +199,16 @@ The **metadata** of the emails and the **contacts** can be found inside the **ED
When Exchange servers or Outlook clients are used there are going to be some MAPI headers:
* `Mapi-Client-Submit-Time`: Time of the system when the email was sent
* `Mapi-Conversation-Index`: Number of children message of the thread and timestamp of each message of the thread
* `Mapi-Conversation-Index`: Number of children messages of the thread and timestamp of each message of the thread
* `Mapi-Entry-ID`: Message identifier.
* `Mappi-Message-Flags` and `Pr_last_Verb-Executed`: Information about the MAPI client (message read? no read? responded? redirected? out of the office?)
In the Microsoft Outlook client all the sent and received messages, contacts and calendar data is stored in a PST file in:
In the Microsoft Outlook client, all the sent/received messages, contacts data, and calendar data are stored in a PST file in:
* `%USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook` (WinXP)
* `%USERPROFILE%\AppData\Local\Microsoft\Outlook`
The registry path `HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows Messagin Subsystem\Profiles\Outlook` indicates the file that is being used.
The registry path `HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook` indicates the file that is being used.
You can open the PST file using the tool [**Kernel PST Viewer**](https://www.nucleustechnologies.com/es/visor-de-pst.html).
@ -207,9 +216,7 @@ You can open the PST file using the tool [**Kernel PST Viewer**](https://www.nuc
### Outlook OST
When Microsoft Outlook is configured **using** **IMAP** or using an **Exchange** server, it generates a **OST** file that stores almost the same info as the PST file. It keeps the file synchronized with the server for the l**ast 12 months**, with a **max file-size of 50GB** and in the **same folder as the PST** file is saved.
You can inspect this file using [**Kernel OST viewer**](https://www.nucleustechnologies.com/ost-viewer.html).
When Microsoft Outlook is configured **using** **IMAP** or using an **Exchange** server, it generates an **OST** file that stores almost the same info as the PST file. It keeps the file synchronized with the server for the **last 12 months**, with a **max file-size of 50GB** and in the **same folder as the PST** file is saved. You can inspect this file using [**Kernel OST viewer**](https://www.nucleustechnologies.com/ost-viewer.html).
### Recovering Attachments
@ -224,14 +231,13 @@ You may be able to find them in the folder:
## Thumbnails
When a user access a folder and organised it using thumbnails, then a `thumbs.db` file is created. This db **stores the thumbnails of the images** of the folder even if they are deleted.\
in winXP and WIn8-8.1 this file is created automatically. In Win7/Win10, it's created automatically if it's accessed via an UNC path (\IP\folder...).
When a user accesses a folder and organised it using thumbnails, then a `thumbs.db` file is created. This db **stores the thumbnails of the images** of the folder even if they are deleted. In WinXP and Win 8-8.1 this file is created automatically. In Win7/Win10, it's created automatically if it's accessed via a UNC path (\IP\folder...).
It is possible to read this file with the tool [**Thumbsviewer**](https://thumbsviewer.github.io).
### Thumbcache
Beginning with Windows Vista, **thumbnail previews are stored in a centralized location on the system**. This provides the system with access to images independent of their location, and addresses issues with the locality of Thumbs.db files. The cache is stored at **`%userprofile%\AppData\Local\Microsoft\Windows\Explorer`** as a number of files with the label **thumbcache\_xxx.db** (numbered by size); as well as an index used to find thumbnails in each sized database.
Beginning with Windows Vista, **thumbnail previews are stored in a centralized location on the system**. This provides the system with access to images independent of their location and addresses issues with the locality of Thumbs.db files. The cache is stored at **`%userprofile%\AppData\Local\Microsoft\Windows\Explorer`** as several files with the label **thumbcache\_xxx.db** (numbered by size); as well as an index used to find thumbnails in each sized database.
* Thumbcache\_32.db -> small
* Thumbcache\_96.db -> medium
@ -253,21 +259,22 @@ The files containing the registry are located in:
* %windir%\System32\Config\*_DEFAULT\*_: `HKEY_LOCAL_MACHINE`
* %UserProfile%{User}\*_NTUSER.DAT\*_: `HKEY_CURRENT_USER`
From Windows Vista and Windows 2008 Server upwards there are some backups of the `HKEY_LOCAL_MACHINE` registry files in **`%Windir%\System32\Config\RegBack\`**.\
From Windows Vista and Windows 2008 Server upwards there are some backups of the `HKEY_LOCAL_MACHINE` registry files in **`%Windir%\System32\Config\RegBack\`**.
Also from these versions, the registry file **`%UserProfile%\{User}\AppData\Local\Microsoft\Windows\USERCLASS.DAT`** is created saving information about program executions.
### Tools
Some tools are useful to analyzed the registry files:
Some tools are useful to analyze the registry files:
* **Registry Editor**: It's installed in Windows. It's a GUI to navigate through the Windows registry of the current session.
* [**Registry Explorer**](https://ericzimmerman.github.io/#!index.md): It allows to load the registry file and navigate through them with a GUI. It also contains Bookmarks highlighting keys with interesting information.
* [**Registry Explorer**](https://ericzimmerman.github.io/#!index.md): It allows you to load the registry file and navigate through them with a GUI. It also contains Bookmarks highlighting keys with interesting information.
* [**RegRipper**](https://github.com/keydet89/RegRipper3.0): Again, it has a GUI that allows to navigate through the loaded registry and also contains plugins that highlight interesting information inside the loaded registry.
* [**Windows Registry Recovery**](https://www.mitec.cz/wrr.html): Another GUI application capable of extracting the important information from the registry loaded.
### Recovering Deleted Element
When a key is deleted it's marked as such but until the space it's occupying is needed it won't be removed. Therefore, using tools like **Registry Explorer** it's possible to recover these deleted keys.
When a key is deleted it's marked as such, but until the space it's occupying is needed it won't be removed. Therefore, using tools like **Registry Explorer** it's possible to recover these deleted keys.
### Last Write Time
@ -275,8 +282,9 @@ Each Key-Value contains a **timestamp** indicating the last time it was modified
### SAM
The file/hive **SAM** contains the **users, groups and users passwords** hashes of the system.\
In `SAM\Domains\Account\Users` you can obtain the username, the RID, last logon, last failed logon, login counter, password policy and when the account was created. In order to get the **hashes** you also **need** the file/hive **SYSTEM**.
The file/hive **SAM** contains the **users, groups and users passwords** hashes of the system.
In `SAM\Domains\Account\Users` you can obtain the username, the RID, last login, last failed logon, login counter, password policy and when the account was created. To get the **hashes** you also **need** the file/hive **SYSTEM**.
### Interesting entries in the Windows Registry
@ -288,29 +296,27 @@ In `SAM\Domains\Account\Users` you can obtain the username, the RID, last logon,
### Basic Windows Processes
in the following page you can learn about the basic Windows processes to detect suspicious behaviours:
On the following page you can learn about the basic Windows processes to detect suspicious behaviours:
{% content-ref url="windows-processes.md" %}
[windows-processes.md](windows-processes.md)
{% endcontent-ref %}
### Windows RecentAPPs
### Windows Recent APPs
Inside the registry `NTUSER.DAT` in the path `Software\Microsoft\Current Version\Search\RecentApps` you can subkeys with information about the **application executed**, **last time** it was executed, and **number of times** it was launched.
### BAM
### BAM (Background Activity Moderator)
You can open the `SYSTEM` file with a registry editor and inside the path `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}` you can find the information about the **applications executed by each user** (note the `{SID}` in the path) and at **what time** they were executed (the time is inside the Data value of the registry).
### Windows Prefetch
Prefetching is a technique that allows a computer to silently **fetch the necessary resources needed to display content** that a user **might access in the near future** so resources can be accessed in less time.
Prefetching is a technique that allows a computer to silently **fetch the necessary resources needed to display content** that a user **might access in the near future** so resources can be accessed quicker.
Windows prefetch consist on creating **caches of the executed programs** in order to be able to load them faster. These caches as created as `.pf` files inside the path: `C:\Windows\Prefetch`.\
there is a limit of 128 files in XP/VISTA/WIN7 and 1024 files in Win8/Win10.
Windows prefetch consists of creating **caches of the executed programs** to be able to load them faster. These caches as created as `.pf` files inside the path: `C:\Windows\Prefetch`. There is a limit of 128 files in XP/VISTA/WIN7 and 1024 files in Win8/Win10.
The file name is created as `{program_name}-{hash}.pf` (the hash is based on the path and arguments of the executable). In W10 these files are compressed.\
Note that the sole presence of the file indicates that **the program was executed** at some point.
The file name is created as `{program_name}-{hash}.pf` (the hash is based on the path and arguments of the executable). In W10 these files are compressed. Do note that the sole presence of the file indicates that **the program was executed** at some point.
The file `C:\Windows\Prefetch\Layout.ini` contains the **names of the folders of the files that are prefetched**. This file contains **information about the number of the executions**, **dates** of the execution and **files** **open** by the program.
@ -333,9 +339,9 @@ You can access this information using the tool [**CrowdResponse**](https://www.c
### SRUM
**System Resource Usage Monitor** (SRUM) **monitors** the **resources** **consumed** **by a process**. It appeared in W8 and it stores the data en an ESE database located in `C:\Windows\System32\sru\SRUDB.dat`.
**System Resource Usage Monitor** (SRUM) **monitors** the **resources** **consumed** **by a process**. It appeared in W8 and it stores the data in an ESE database located in `C:\Windows\System32\sru\SRUDB.dat`.
It gives the information:
It gives the following information:
* AppID and Path
* User that executed the process
@ -345,7 +351,7 @@ It gives the information:
* Connection duration
* Process duration
This information is updated every 60mins.
This information is updated every 60 mins.
You can obtain the date from this file using the tool [**srum\_dump**](https://github.com/MarkBaggett/srum-dump).
@ -362,7 +368,7 @@ The cache stores various file metadata depending on the operating system, such a
* File Full Path
* File Size
* **$Standard\_Information** (SI) Last Modified time
* Shimcache Last Updated time
* ShimCache Last Updated time
* Process Execution Flag
This information can be found in the registry in:
@ -381,7 +387,7 @@ You can use the tool [**AppCompatCacheParser**](https://github.com/EricZimmerman
The **Amcache.hve** file is a registry file that stores the information of executed applications. It's located in `C:\Windows\AppCompat\Programas\Amcache.hve`
**Amcache.hve** records the recent processes that were run and lists the path of the files thats executed which can then be used to find the executed program. It also record the SHA1 of the program.
**Amcache.hve** records the recent processes that were run and list the path of the files that are executed which can then be used to find the executed program. It also records the SHA1 of the program.
You can parse this information with the tool [**Amcacheparser**](https://github.com/EricZimmerman/AmcacheParser)
@ -389,7 +395,7 @@ You can parse this information with the tool [**Amcacheparser**](https://github.
AmcacheParser.exe -f C:\Users\student\Desktop\Amcache.hve --csv C:\Users\student\Desktop\srum
```
The most interesting CVS file generated if the `Amcache_Unassociated file entries`.
The most interesting CVS file generated is the `Amcache_Unassociated file entries`.
### RecentFileCache
@ -410,14 +416,14 @@ You can find them in the registry under `SYSTEM\ControlSet001\Services`. You can
The installed applications can be found in `\ProgramData\Microsoft\Windows\AppRepository\`\
This repository has a **log** with **each application installed** in the system inside the database **`StateRepository-Machine.srd`**.
Inside the Application table of this database it's possible to find the columns: "Application ID", "PackageNumber", and "Display Name". This columns have information about pre-installed and installed applications and it can be found if some applications were uninstalled because the IDs of installed applications should be sequential.
Inside the Application table of this database, it's possible to find the columns: "Application ID", "PackageNumber", and "Display Name". These columns have information about pre-installed and installed applications and it can be found if some applications were uninstalled because the IDs of installed applications should be sequential.
It's also possible to **find installed application** inside the registry path: `Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\`\
And **uninstalled** **applications** in: `Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deleted\`
## Windows Events
Information that appears inside Windows events:
Information that appears inside Windows events are:
* What happened
* Timestamp (UTC + 0)
@ -425,9 +431,8 @@ Information that appears inside Windows events:
* Hosts involved (hostname, IP)
* Assets accessed (files, folder, printer, services)
The logs are located in `C:\Windows\System32\config` before Windows Vista and in `C:\Windows\System32\winevt\Logs` after Windows Vista.
Before Windows Vista the event logs were in binary format and after it, they are in **XML format** and use the **.evtx** extension.
The logs are located in `C:\Windows\System32\config` before Windows Vista and in `C:\Windows\System32\winevt\Logs` after Windows Vista.
Before Windows Vista, the event logs were in binary format and after it, they are in **XML format** and use the **.evtx** extension.
The location of the event files can be found in the SYSTEM registry in **`HKLM\SYSTEM\CurrentControlSet\services\EventLog\{Application|System|Security}`**
@ -435,26 +440,25 @@ They can be visualized from the Windows Event Viewer (**`eventvwr.msc`**) or wit
### Security
These event register the accesses and give information about the security configuration.\
they can be found in `C:\Windows\System32\winevt\Security.evtx`.
This registers the access events and gives information about the security configuration which can be found in `C:\Windows\System32\winevt\Security.evtx`.
The **max size** of the event file is configurable, and it will start overwriting old events when the maximum size is reached.
Events that are registered:
Events that are registered as:
* Login/Logoff
* Actions of the user
* Access to files, folders and shared assets
* Modification of the security configuration
Events related to the user authentication:
Events related to user authentication:
| EventID | Description |
| --------- | ---------------------------- |
| 4624 | Successful authentication |
| 4625 | Authentication error |
| 4634/4647 | log off |
| 4672 | Logon with admin permissions |
| 4672 | Login with admin permissions |
Inside the EventID 4634/4647 there are interesting sub-types:
@ -464,33 +468,32 @@ Inside the EventID 4634/4647 there are interesting sub-types:
* **5 (service)**: Service started by the Service Control Manager
* **6 (proxy):** Proxy Login
* **7 (Unlock)**: Screen unblocked using password
* **8 (network cleartext)**: User authenticated sendin clear text passwords. This event use to come from the IIS
* **9 (new credentials)**: It's generated when the command `RunAs` is used or the user access to a network service with different credentials.
* **8 (network cleartext)**: User authenticated sending clear text passwords. This event used to come from the IIS
* **9 (new credentials)**: It's generated when the command `RunAs` is used or the user access a network service with different credentials.
* **10 (remote interactive)**: Authentication via Terminal Services or RDP
* **11 (cache interactive)**: Access using the last cached credentials because it wasn't possible to contact the domain controller
* **12 (cache remote interactive)**: Login remotely with cached credentials (a combination of 10 and 11).
* **13 (cached unlock)**: Unlock a locked machine with cached credentials.
In this post you can find how to mimic all these types of login and in which of them you will be able to dump credentials from memory: [https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them](https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them)
In this post, you can find how to mimic all these types of login and in which of them you will be able to dump credentials from memory: [https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them](https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them)
The Status and sub status information of the event s can indicate more details about the causes of the event. For example take a look to the following Status and Sub Status Codes of the Event ID 4625:
The Status and sub status information of the events can indicate more details about the causes of the event. For example, take a look at the following Status and Sub Status Codes of the Event ID 4625:
![](<../../../.gitbook/assets/image (455).png>)
### Recovering Windows Events
It's highly recommended to turn off the suspicious PC by **unplugging it** to maximize the probabilities of recovering the Windows Events. In case they were deleted, a tool that can be useful to try to recover them is [**Bulk\_extractor**](../partitions-file-systems-carving/file-data-carving-recovery-tools.md#bulk-extractor) indicating the **evtx** extension.
It's highly recommended to turn off the suspicious PC by **unplugging it** to maximize the probability of recovering the Windows Events. In case they were deleted, a tool that can be useful to try and recover them is [**Bulk\_extractor**](../partitions-file-systems-carving/file-data-carving-recovery-tools.md#bulk-extractor) indicating the **evtx** extension.
## Identifying Common Attacks with Windows Events
### Brute-Force Attack
### Brute Force Attack
A brute-force attack can be easily identifiable because **several EventIDs 4625 will appear**. **If** the attack was **successful**, after the EventIDs 4625, **an EventID 4624 will appear**.
A brute force attack can be easily identifiable because **several EventIDs 4625 will appear**. If the attack was **successful**, after the EventIDs 4625, **an EventID 4624 will appear**.
### Time Change
This is awful for the forensics team as all the timestamps will be modified.\
This event is recorded by the EventID 4616 inside the Security Event log.
This is awful for the forensics team as all the timestamps will be modified. This event is recorded by the EventID 4616 inside the Security Event log.
### USB devices