The Forensic World of Windows 10 Updates

Transcription

1 The Forensic World of Windows 10 Updates Alissa

2 IT security professionals can quickly become extinct if they don t continually update their skills as new technologies emerge SANS Cybersecurity Professional Trends Survey

3 Forensics & Windows 10 Updates Highlights Evolution of Windows 10 Process Hierarchy Changes Windows Artifact Changes Memory Structure Obfuscation Memory Management Changes

4 Desktop Market Share - Oct 2018 Windows Versions (% of Desktop Share) Windows XP 5% Windows 8.1 6% Windows 8 1% Windows 7 Windows 7 48% Windows 10 Windows 8.1 Windows 10 40% Windows XP Windows 8 Oct 2018 netmarketshare.com

5 Windows 10 Features (by Update) Initial Release Start Menu (again ) Cortana Personal Assistant Notifications Center Microsoft Edge Browser More Authentication Options Distribution Updating Methods (Peer-to-Peer) Secure Kernel Later Versions (*Note: MS has stated WinVersion will not increment from Win10) Windows Subsystem for Linux - WSL (Creator s Update - Redstone 2) Dictation, Sets, Nearby Sharing (April 2018 Update - Redstone 4) Timeline (April 2018 Update - Redstone 4) Continuum for Phones WindowsInk Clipboard History (Oct 2018)

6 Windows 10 Versions (by Update) Windows 10 Version History -

7 Baselining Windows 10 Processes 7

8 Advantages of Baselining: Know Normal, Find Evil Efficient Hunting and Faster Detection Identifies Anomalous network/host/account activity Document Baseline Configurations > SAVE $$ Zero to Hero Faster Better informed external IR support Faster response/remediation Decreased cost of engagement

9 Windows 10 Processes Know Normal, Find Evil

10 Windows 10 Processes Know Normal, Find Evil BUILD 14393

11 Windows 10 Processes Know Normal, Find Evil BUILD 17134

12 Windows 10 Processes Memory Compression Store Process (as of 17063) Memory Compression Process Parent Process: Number of Instances: Start Time: Description: SYSTEM One Upon boot A minimal process whose address space is used to hold compressed pages

13 Windows 10 Processes Registry Process Registry Process Parent Process: Number of Instances: Start Time: Description: SYSTEM One Upon boot A minimal process whose address space is used to hold data on behalf of the kernel and optimize memory management for registry

14 Changes in Process Hierarchy Know Normal, Find Evil Secure Kernel - analogous to System process Memory Compression - minimal process Skydrive.exe = OneDrive.exe lsm.exe no longer in the process list LSAiso.exe (virtualized process containing credentials with use of Credential Guard) Cortana processes - remindersserver.exe, remindersapp++ taskhost.exe (win7) -> taskhostex.exe (Win8) -> taskhostw.exe (Win10)

15 Which Version of Windows?

16 Process Hierarchy In Review cmd.exe & conhost.exe (Vista & Win7)

17 New Process Hierarchy cmd.exe & conhost.exe (as of Win8) powershell.exe & conhost.exe (as of Win8)

18 Edge Browser Hierarchy $ vol.py -f win10_cmd.dmp --profile=win10x64 pstree Edge Browser launched by svchost.exe All Edge processes run in user session

19 Edge Browser Hierarchy

20 Edge Related Processes Process browser_broker.exe Microsoft_Edge.exe Description A special broker process that brokers access to various resources that the sandbox processes cannot access directly UWP app browser Runtime_Broker.exe A generic broker process that brokers access to various resources for all UWP apps ApplicationFrameworkHost.exe A process that handles UI windows creation for all UWP apps Smartscreen.exe Windows Defender anti-phishing, anti-malware browser feature (unified as of 1703) 20

21 Core Artifacts Shift in Windows 10 21

22 Interpretation of OS Install Date HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate Install Date used to be a cornerstone of forensic investigations. Meaning has shift as Windows 10 updates, when installed, are changing InstallTime value

23 Evidence of Execution Key Forensic Artifacts Win10 Prefetch Stored using LZXPRESS Huffman stream compression Joachim Metz libscca project

24 AppCompatCache (Creator Edition- Redstone 2) Registry values that reveal Evidence of Execution, huge win for malware investigations Creater Edition changed the signature for the beginning of the Shimcache entries and the offset where the entries begin Posed a challenge to AppCompatCache parsing tools

25 XBOX integrations Unified Core & App Platform Xbox, Win10, Windows Phone, Windows on Devices have all been merged into one kernel Rekall s svcscan output

26 Windows 10 Memory Management 26

27 Data Compression in RAM Memory Management Changes Compression of infrequently used data stored in RAM Reduces the # of Reads/Writes Reduces Use of Memory by Apps

28 Fast Startup Upon Shutdown: Users are logged out Applications are closed Kernel memory (loaded drivers, etc) written to the hiberfil.sys Data is loaded back into RAM at boot

29 Windows 10 Pagefile Features Data is compressed prior to being written to the pagefile Faster to Write/Read from Hard Disk Encryption of Pagefile Pages written out to disk only 50% as often as previous versions of the OS

30 Memory Structure Obfuscation Windows 8+ (x64) Encrypted KDBG

31 Memory Structure Obfuscation Win8+(x64) Encrypted KDBG

32 Memory Structure Obfuscation Win10 kernel object header typeindex field Win10 has 48 Types of Kernel Objects

33 Memory Structure Obfuscation Win10 typeindex field Object Header s TypeIndex field Win10 uses address of object header and XORs with TypeIndex & nt!obheadercookie Changes how plugins like handles & object_tree identify kernel object type

34 Additional Windows 10 Artifacts 34

35 All Installed Apps Database StateRepository-Machine.srd SQLite DB Tracker for installation of system s Windows Store Apps (default and user installed) Located here: C:\ProgramData\Microsoft\Windows\AppRepository\

36 Background Activity Moderator (BAM) SYSTEM\CurrentControlSet\Services\bam\UserSettings Windows service that controls activity of background applications (Fall Creators Update)

37 RecentApps NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps Execution tracker of Applications by App GUID, includes run count & last run time AppID = Name of Application LastAccessTime = Last Execution Time in UTC File GUID Subkeys contain up to 10 files accessed by application screenshot from

38 Clipboard History (Oct 18) C:\Users\<userprofile>\AppData\Local\Microsoft\Windows\clipboard If enabled, allows user to save multiple items (including images) to clipboard Clipboard cleared upon logout, unless items are pinned Supports the syncing of clipboard history across Windows devices screenshot from

39 MACB time/date behaviors Based on research performed by O.Skulkin & I. Mikhaylov, NTFS time/date update behaviors have changed When a file is modified, the $SI & $FN time/date stamps update in Windows 10 (instead of just $SI as in previous Win versions) When a file is copied, both the $SI File Modified & Metadata Modified is preserved from the original

40 Windows Timeline Feature Analysis 40

41 Timeline (April 2018 Update - Redstone 4) Organizational productivity User Experience focused tool Allows easy access to Recent Docs, webpages from the last weeks/months Added as a feature of Task View Options can be set here: Settings>Privacy>Activity Database lives at this location: C:\Users\<profile>\AppData\Local\ConnectedDevicesPlatform\L.<profile>\ActivitiesCache.db

42 Timeline (April 2018 Update - Redstone 4) Windows Search Service must be enabled

43 Timeline (April 2018 Update - Redstone 4) Parsing ActivitiesCache.db Parse the ActivitiesCache.db with Eric Zimmerman s WxTCmd

44 Timeline (April 2018 Update - Redstone 4) Parsing ActivitiesCache.db Parse the ActivitiesCache.db with Eric Zimmerman s WxTCmd (Activities Table)

45 Does Clearing Activity History Clear the.db? Even after clearing Activity history via Settings, ActivitiesCache.db remains populated. 45

46