Digital Forensics – Triage

Triage

The term “triage” originally comes from the medical field and describes the classification of patients when resources are limited, so that the available care is allocated with the least possible harm to each individual patient.

In digital forensics the term keeps this sense of selection, and that is exactly what a “triage collection” does: only the most relevant artifacts are secured for the forensic examination, which saves resources and allows the analysis to start quickly. This enables a timely initial assessment of the security incident.

Relevant artifacts for a forensic analysis

To perform a forensic triage, relevant artifacts must be collected and secured.

Artifacts collected in this phase depend on the software used, the operating system, and the type of incident. In this article, we will look at artifacts that should always be collected during an incident on a Windows-based system to get the best possible picture of what happened.

Attackers and malicious software often use the Windows registry as a persistence mechanism or as a storage location for payloads. Windows keeps its configuration data there, comparable to the /etc directory on Linux-based operating systems. The registry is not a single file but consists of several files, so-called hives, which are spread over the system. The most important system hives are located in the following directory:

C:\Windows\System32\Config

Here the following files are of particular interest:

– DEFAULT

– SAM

– SECURITY

– SOFTWARE

– SYSTEM

– COMPONENTS

– if applicable, the transaction logs belonging to each hive (extensions .LOG, .LOG1 and .LOG2), which hold changes that have not yet been written to the hive file

Another hive in the Windows registry is the Amcache. It belongs to the application compatibility infrastructure (AppCompat), with which Microsoft keeps older applications running on newer Windows versions, for example when a program is set to run in “Windows 7 mode”. From a forensic perspective, its value lies in the inventory of executables and installed programs it keeps: the full path of the file, a SHA1 hash (calculated over at most the first 31 MB of the file) and timestamps from which the first appearance, installation and removal of a program can be dated.

Closely related is the Shimcache (AppCompatCache), which is stored in the SYSTEM hive and is therefore secured together with the hives listed above. On Windows 10 and later, an entry in either cache does not by itself prove that the file was executed; both record files the compatibility layer has seen, so execution should be confirmed with other artifacts such as Prefetch or event logs.

The Amcache hive and its transaction logs are located at:

C:\Windows\AppCompat\Programs\Amcache.hve

C:\Windows\AppCompat\Programs\Amcache.hve.log*

Once a meaningful audit policy has been rolled out on the systems, the Windows event logs reveal a great deal of valuable information. Therefore, the individual event log files, which are available in EVTX format for current Windows versions, should also be backed up. By analyzing them, temporal sequences and user actions can be correlated with other artifacts. The event log files are located in the following directory:

C:\Windows\System32\winevt\logs

The following files are especially important here:

– System.evtx

– Application.evtx

– Security.evtx

The other files in this folder should be secured as well. Persistence and lateral movement frequently leave traces in channels such as Microsoft-Windows-TaskScheduler, Microsoft-Windows-PowerShell, Microsoft-Windows-TerminalServices-* or, if deployed, Sysmon, and because each log has a size limit, older entries are overwritten once it is reached.
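The following script is an added example and is not code from the original article or from SECUINFRA. It shows a first-pass query over event logs that were copied out as described above, reading the exported EVTX files with Get-WinEvent rather than the live system. The directory and output path, the choice of log files and the list of event IDs are assumptions of the example; the IDs are standard Windows audit events, not taken from the article.

```powershell
<#
  Added example; not code from the original article or from SECUINFRA.
  First-pass review of exported event logs with Get-WinEvent. Assumption (not
  in the article): the EVTX files were copied to $LogDir by a triage collection
  and are read from there rather than from the live system.
#>
param(
    [string]$LogDir = 'E:\triage\Windows\System32\winevt\Logs',
    [string]$Output = 'E:\triage\event_timeline.csv'
)

# Event IDs usually read first when assessing a compromise (assumed selection):
# Security.evtx: 1102 audit log cleared, 4624 logon (LogonType 3 = network,
#   10 = RDP), 4625 failed logon, 4672 privileged logon, 4688 process creation,
#   4698 scheduled task created, 4720 account created, 4732 member added to a
#   local group. 4688 and 4698 only exist if the corresponding audit policy
#   (process creation, other object access) is enabled.
# System.evtx: 7045 new service installed, 104 log cleared.
# TaskScheduler operational log (if enabled on the host): 106 task registered.
$Queries = @(
    @{ File = 'Security.evtx'; Id = 1102, 4624, 4625, 4672, 4688, 4698, 4720, 4732 },
    @{ File = 'System.evtx';   Id = 7045, 104 },
    @{ File = 'Microsoft-Windows-TaskScheduler%4Operational.evtx'; Id = 106 }
)

$events = foreach ($q in $Queries) {
    $path = Join-Path $LogDir $q.File
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "not collected: $($q.File)"
        continue
    }
    # -FilterHashtable with Path reads the exported file directly. The error
    # action silences the "No events were found" error for IDs absent from a file.
    Get-WinEvent -FilterHashtable @{ Path = $path; Id = $q.Id } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeUtc  = $_.TimeCreated.ToUniversalTime()
                Log      = $q.File
                Id       = $_.Id
                Provider = $_.ProviderName
                # Message is empty if the provider's message DLL is missing on the
                # analysis machine; the raw values are still in $_.Properties.
                Summary  = ($_.Message -split "`r?`n")[0]
            }
        }
}

$events | Sort-Object TimeUtc | Export-Csv -NoTypeInformation -Path $Output
Write-Host ("{0} events written to {1}" -f @($events).Count, $Output)
```

The resulting CSV is a single time-ordered view across log files, which is what makes it possible to correlate logon events, process creation, service installation and task registration with the file system artifacts described in the following sections.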

Another valuable artifact on Windows systems using the NTFS file system is the Master File Table (MFT). It is an index holding the metadata (names, timestamps, sizes, attributes) and the on-disk locations of every file and directory on the volume. The entries of deleted files remain in the MFT until they are reused, so analysis of the MFT can show which files existed on the system at an earlier time; if their data clusters have not been overwritten, the contents can be recovered, either directly via the entry's data runs or by so-called file carving, and made available for analysis.

The MFT sits at the root of every NTFS volume; for the system volume this is:

C:\$MFT

The NTFS journals on the same volume, $LogFile and the change journal $Extend\$UsnJrnl (alternate data stream $J), record recent file system operations and should be secured together with the MFT.

Scheduled tasks are often used by attackers for persistence or for delayed execution of malicious code. A task fires whenever its stored trigger condition is met (at logon, at a fixed time, on a specific event, and so on) and can therefore re-infect a system even after the malicious files themselves have been removed.

Task definitions are stored as XML files (and, in the legacy format, as .job files) at the following locations; the registry additionally keeps a copy of the task metadata in the SOFTWARE hive under Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache:

C:\Windows\Tasks\

C:\Windows\System32\Tasks\

To speed up the start of a program, Windows uses prefetch files. When an application is executed for the first time, Windows creates a prefetch file named after the executable and a hash of its path (e.g. NAME.EXE-HASH.pf). It contains, among other things, a run counter, the name of the executable, the timestamps of the last executions (up to eight on Windows 8 and later) and the files and directories the application touched when starting, from which the path it was executed from can be derived. Two caveats: the Prefetch folder holds a limited number of entries (1024 since Windows 8, 128 before), and prefetching is disabled by default on Windows Server editions.

Prefetch files are located in the directory:

C:\Windows\Prefetch

Windows Error Reporting (WER) is a service that has been available since Windows XP. When a program crashes, it creates entries in the Windows event log as well as .wer report files intended for troubleshooting. The report files contain the names and versions of the faulting process and module together with the exception or error codes. These are valuable for the analysis if, for example, malware fails during execution, an exploit attempt crashes its target process, or a payload causes services or programs to crash.

The WER files are located on the file system in the following folder (reports from the user context additionally under C:\Users\<Username>\AppData\Local\Microsoft\Windows\WER\):

C:\ProgramData\Microsoft\Windows\WER\

In addition to these deep system artifacts, there are plain file system locations that attackers typically use to stage tools and payloads, because they are writable without elevated privileges. The typical ones are:

– C:\Windows\Temp\

– C:\Users\

– C:\Users\<Username>\AppData\

Within each profile, the user's own registry hive C:\Users\<Username>\NTUSER.DAT (and UsrClass.dat under AppData\Local\Microsoft\Windows\) is also worth securing, since per-user persistence such as Run keys is stored there rather than in the system hives.

In addition to these artifacts, which are found statically on the file system, there is volatile data that is lost as soon as the system reboots. If the system has not been restarted yet, a memory image (RAM dump) can contain a great deal of important information, for example running processes, loaded modules and existing network connections. If possible, it should be created first, before the disk artifacts are collected, since every action on the live system changes memory contents.

If the affected system is part of a virtualized infrastructure, a snapshot of the virtual machine (disk and memory state) can be taken via the hypervisor instead, which simplifies the entire acquisition considerably, although the storage requirement is significantly higher than for a triage collection.
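The script below is an added example and is not code from the original article or from SECUINFRA. It turns the artifact list above into one collection run: it snapshots the system volume with the Volume Shadow Copy Service so that files the operating system keeps open (registry hives, event logs) can be copied consistently, copies the artifacts out of the snapshot, and records a SHA256 manifest. The destination drive, the link name and the exact artifact patterns are assumptions of the example; the volatile part only records processes and TCP connections, since a full memory image requires a dedicated acquisition tool.

```powershell
#Requires -RunAsAdministrator
<#
  Added example; not code from the original article or from SECUINFRA.
  Minimal triage collector: creates a Volume Shadow Copy (VSS) snapshot of the
  system volume, exposes it through a directory symbolic link, copies the
  artifacts discussed in the article out of the snapshot and writes a SHA256
  manifest. Assumptions (not stated in the article): Windows PowerShell 5.1,
  elevated session, and a destination on a different volume (e.g. a USB drive)
  so that the collection does not overwrite evidence on the system volume.
#>
param(
    [string]$Volume      = 'C:\',
    [string]$Destination = 'E:\triage'
)

# Artifact paths relative to the volume root (wildcards allowed).
$Artifacts = @(
    'Windows\System32\config\SAM',
    'Windows\System32\config\SECURITY',
    'Windows\System32\config\SYSTEM',
    'Windows\System32\config\SOFTWARE',
    'Windows\System32\config\DEFAULT',
    'Windows\System32\config\COMPONENTS',
    'Windows\System32\config\*.LOG*',                      # registry transaction logs
    'Windows\AppCompat\Programs\Amcache.hve*',
    'Windows\System32\winevt\Logs\*.evtx',
    'Windows\System32\Tasks\*',                           # XML task definitions
    'Windows\Tasks\*.job',                                # legacy task format
    'Windows\Prefetch\*.pf',
    'ProgramData\Microsoft\Windows\WER\*',
    'Users\*\AppData\Local\Microsoft\Windows\WER\*',
    'Users\*\NTUSER.DAT',                                 # per-user registry hives
    'Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat',
    '$MFT',                                               # NTFS metadata, see note below
    '$LogFile'
)

New-Item -ItemType Directory -Path $Destination -Force | Out-Null
$manifest = New-Object System.Collections.Generic.List[string]
$manifest.Add("# host=$env:COMPUTERNAME volume=$Volume collected=$((Get-Date).ToUniversalTime().ToString('u'))")

# 1. Snapshot the volume. Everything below reads from the snapshot, so files
#    the OS keeps open (hives, event logs) are copied in a consistent state.
$result = ([wmiclass]'root\cimv2:Win32_ShadowCopy').Create($Volume, 'ClientAccessible')
if ($result.ReturnValue -ne 0) { throw "VSS snapshot failed, return code $($result.ReturnValue)" }
$shadow = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }

# 2. Expose the snapshot device as a directory; mklink needs the trailing backslash.
$link = Join-Path $Destination 'shadow_link'
cmd /c mklink /d "$link" "$($shadow.DeviceObject)\" | Out-Null

try {
    foreach ($pattern in $Artifacts) {
        $items = Get-ChildItem -Path (Join-Path $link $pattern) -Force -File -Recurse -ErrorAction SilentlyContinue
        if (-not $items) {
            # NTFS does not hand out normal file handles for its own metadata files
            # ($MFT, $LogFile), and that also applies to the snapshot; collecting them
            # needs a tool that reads the raw volume. Record the gap instead of failing.
            $manifest.Add("MISSING   $pattern")
            continue
        }
        foreach ($item in $items) {
            $rel  = $item.FullName.Substring($link.Length).TrimStart('\')
            $dest = Join-Path $Destination $rel
            New-Item -ItemType Directory -Path (Split-Path -Parent $dest) -Force | Out-Null
            try {
                Copy-Item -LiteralPath $item.FullName -Destination $dest -Force -ErrorAction Stop
                $hash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
                $manifest.Add("$hash  $rel")
            } catch {
                $manifest.Add("FAILED    $rel  $($_.Exception.Message)")
            }
        }
    }

    # 3. Volatile data that a file copy cannot capture. A full memory image needs a
    #    dedicated acquisition tool and is not shown here; this only records the
    #    process list and TCP connections of the live system.
    Get-Process -IncludeUserName | Select-Object Id, ProcessName, Path, StartTime, UserName |
        Export-Csv -NoTypeInformation -Path (Join-Path $Destination 'processes.csv')
    Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
        Export-Csv -NoTypeInformation -Path (Join-Path $Destination 'tcp_connections.csv')
}
finally {
    # 4. Tear down: rmdir removes only the link, then the snapshot is released.
    cmd /c rmdir "$link" | Out-Null
    $shadow.Delete()
    $manifest | Set-Content -Path (Join-Path $Destination 'manifest.sha256')
}
```

The manifest serves two purposes: the hashes document the integrity of what was collected, and the MISSING and FAILED lines make explicit which artifacts (typically $MFT and $LogFile) still have to be obtained with a raw NTFS reader before the picture is complete.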

Conclusion

Not all artifacts have been covered in detail in this article. The goal of triaging a system is to be able to make a timely statement about the degree of compromise.

In general, a process should be prepared for the emergency case that secures at least the artifacts presented here and makes them available for analysis. This speeds up the analysis and the recovery phase that follows it.

Some of the artifacts listed (the registry hives, event logs in use and the NTFS metadata) are locked by the operating system and cannot be copied manually via Explorer; they have to be collected from a Volume Shadow Copy or with tools that read the NTFS volume directly. As a service provider, SECUINFRA can provide full support in the creation of suitable incident response processes and the required technology, in addition to the analysis and management of the incident.


SECUINFRA Falcon Team • Author

Digital Forensics & Incident Response experts

Besides the work carried out on customer engagements, the Falcon team is responsible for the operation, further development and research of various projects and topics in the DF/IR area.
