
Search Results
- USB MSC Device Forensics: A Quick Guide for Windows
Hey there, tech detectives! If you're digging into USB devices on Windows 7 to 10, here's a handy guide to help you gather all the important details. Let's get started!
1. Vendor, Product, Version
Path: SYSTEM\CurrentControlSet\Enum\USBSTOR
Vendor: / Product: / Version:
2. USB Unique Serial Number ID
Path: SYSTEM\CurrentControlSet\Enum\USB
USB Unique Serial Number ID:
3. Vendor-ID (VID) and Product-ID (PID)
Path: SYSTEM\CurrentControlSet\Enum\USB --> Perform search for USB S/N
VID: / PID:
4. Volume GUIDs
Path: SYSTEM\MountedDevices --> Search serial number in drive letter
Volume GUID:
5. Drive Letter
Path: SYSTEM\MountedDevices --> Search for Volume GUID in drive letter
Or NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs --> Perform search for volume name
Or perform shortcut (LNK) file analysis --> Perform search for volume name
Drive Letter:
6. Volume Name
Path: SOFTWARE\Microsoft\Windows Portable Devices\Devices --> Search USB serial number and match with volume name
Volume Name: / Drive Letter (Vista only):
7. Volume Serial Number
Path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt --> Search volume name/serial number. Convert the serial number to its hex value for link (LNK) analysis.
Volume Serial Number (hex):
8. User of USB Device
Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 --> Search for GUID
User:
9. First Time Device Connected
Path: C:\Windows\inf\setupapi.dev.log --> Search unique serial number
Time/Timezone:
Or SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USB iSerial #\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 --> Value = Windows 64-bit hex timestamp (decode with DCodeDate)
10. Last Time Device Connected
Path: SYSTEM\CurrentControlSet\Enum\USB\VID_XXXX&PID_YYYY --> Search serial number
Time/Timezone:
Or NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID} --> Perform search for device {GUID}
Time/Timezone:
Or SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USB iSerial #\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 --> Value = Windows 64-bit hex timestamp (decode with DCodeDate)
11. Time Device Removed
Path: SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USB iSerial #\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 --> Value = Windows 64-bit hex timestamp (decode with DCodeDate)
Tips for Timestamps: For Windows 64-bit hex value timestamps, use DCodeDate to decode them.
There you go! Keep this guide handy, and you'll be a USB forensics whiz in no time. Happy investigating! Akash Patel
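The parsing steps the guide walks through (USBSTOR key names, instance serials, the 64-bit Properties timestamps, the EMDMgmt decimal volume serial, and the setupapi.dev.log install section) as an added example; this is not code from the original post, and every device name, serial, key and log line in it is constructed for illustration rather than taken from a real system.

```python
# Added example (not from the original post): parse the artifacts the guide walks
# through from constructed sample data. Device names, serials, timestamps and the
# setupapi.dev.log excerpt below are all made up for illustration.
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_usbstor_key(device_key: str) -> dict:
    """Split a USBSTOR device key like 'Disk&Ven_X&Prod_Y&Rev_Z' (step 1)."""
    fields = {"vendor": "", "product": "", "version": ""}
    for part in device_key.split("&"):
        if part.startswith("Ven_"):
            fields["vendor"] = part[4:]
        elif part.startswith("Prod_"):
            fields["product"] = part[5:]
        elif part.startswith("Rev_"):
            fields["version"] = part[4:]
    return fields


def parse_instance_id(instance_id: str) -> dict:
    """Serial number from the instance sub-key (step 2). A '&' as the second
    character means Windows generated the id because the device has no serial."""
    serial = instance_id.split("&")[0]
    return {"serial": serial, "unique": len(instance_id) > 1 and instance_id[1] != "&"}


def filetime_to_utc(raw: bytes) -> datetime:
    """Decode the 8-byte little-endian FILETIME stored under the Properties
    {83da6326-...} key as 0064 / 0066 / 0067 (steps 9-11)."""
    ticks = int.from_bytes(raw, "little")  # 100 ns intervals since 1601-01-01
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def volume_serial_hex(emdmgmt_key: str) -> str:
    """EMDMgmt key names end in '<VolumeName>_<decimal serial>' (step 7);
    return the serial as 8 upper-case hex digits for LNK link analysis."""
    decimal = emdmgmt_key.rsplit("_", 1)[1]
    return f"{int(decimal):08X}"


def first_connect_from_setupapi(log_text: str, serial: str):
    """First 'Section start' timestamp after the device's install header (step 9).
    setupapi.dev.log records local time with no timezone, so the result is naive."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(">>>  [Device Install") and serial in line:
            for nxt in lines[i + 1:i + 4]:
                m = re.search(r"Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})", nxt)
                if m:
                    return datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
    return None


# Constructed sample artifacts (not from a real system)
SAMPLE_DEVICE_KEY = "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00"
SAMPLE_INSTANCE_ID = "4C530001234567890123&0"
SAMPLE_PROPS = {"0064": (133549722000000000).to_bytes(8, "little")}  # 2024-03-15 10:30:00 UTC
SAMPLE_EMDMGMT_KEY = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00#4C530001234567890123&0"
                      "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}EVIDENCE_2384407098")
SAMPLE_SETUPAPI = """>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\\4C530001234567890123&0]
>>>  Section start 2024/03/15 10:29:58.123
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
"""

if __name__ == "__main__":
    print(parse_usbstor_key(SAMPLE_DEVICE_KEY), parse_instance_id(SAMPLE_INSTANCE_ID))
    print("first connect (FILETIME 0064):", filetime_to_utc(SAMPLE_PROPS["0064"]).isoformat())
    print("volume serial (hex):", volume_serial_hex(SAMPLE_EMDMGMT_KEY))
    print("setupapi first install (local):", first_connect_from_setupapi(SAMPLE_SETUPAPI, "4C530001234567890123"))
```

On a live Windows host the same values would be read with the winreg module from the hives listed above; the functions here only take the decoded strings and bytes so they also work against values exported from a mounted image.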
- Windows Common Artifacts Paths for Forensics
In the realm of digital forensics, collecting and analyzing artifacts from various system paths is crucial for uncovering valuable information. Here is a PDF with a comprehensive list of paths where key artifacts can be collected from Windows systems. These artifacts can provide insights into user activities, system events, and potential security incidents. Click Me for file: These paths and artifacts are critical for digital forensics professionals when investigating user activities, system events, and potential security incidents on Windows systems. By collecting and analyzing data from these locations, investigators can uncover a wealth of information to support their investigations. Akash Patel
- Enterprise-Wide Incident Response: Leveraging Logs and Data for Effective Threat Detection
In the realm of cybersecurity, incident response (IR) is a critical function that helps organizations detect, mitigate, and recover from security incidents. A robust incident response strategy requires access to various logs and data sources, which provide insights into potentially malicious activities.
Key Logs for Incident Response
When responding to an incident, one of the first steps is to gather logs for egress connections. These logs are vital because they serve as filter points for all traffic leaving the environment, helping to identify command and control (C2) points and compromised internal systems. The primary sources of egress connection logs include:
Firewall Logs: These logs capture all outbound connections, providing a comprehensive view of egress traffic. Firewalls are configured to monitor and control the flow of network traffic based on predetermined security rules.
DNS Logs: DNS logs are powerful tools for detecting malicious traffic. They can reveal domains and IP addresses associated with known malware and botnets. Comparing DNS logs with known bad domain lists can quickly highlight potential threats.
Web-Filtering Device Logs: Web proxies and content filters restrict access to objectionable content and can detect malicious outbound traffic. These logs help identify access to known bad domains and suspiciously long URLs used by malware for C2 or payload delivery.
The Power of DNS Data
DNS data can be instrumental in detecting malicious activities within an environment. Traditional antivirus solutions may fail to detect certain well-known malicious programs, but DNS logs can still reveal their presence. Here are some reasons why DNS data is so valuable:
Static Domains: Many botnets and C2 channels use relatively static domains, making it easier to track them through DNS logs.
Comparison with Blacklists: Tools like dns-blacklists.py allow responders to compare DNS server caches with lists of known malicious IPs and domains, such as those provided by Malware Domain List. This helps quickly identify compromised systems.
Utilizing Web Proxy Content Filters
Most enterprises deploy web proxy content filters to manage and restrict employee access to various websites. These devices are not only useful for enforcing internet usage policies but also serve as potent tools during incident response. Here's how:
Identifying Known Bad Actors: Web proxy logs can be checked against updated blacklists to identify access to known malicious IPs and domains.
Analyzing URL Lengths: Malware often uses long, encoded URLs for C2 communication or payload delivery. While legitimate sites also use long URLs, combining this indicator with other signs of compromise can be effective.
Reviewing User Agent Strings: Anomalies in user agent strings, such as outdated versions or unexpected operating systems, can indicate the presence of malware.
Detecting Beaconing Activity
Modern malware often uses intermittent beaconing to communicate with C2 servers, rather than maintaining a persistent connection. Detecting this type of activity requires analyzing connection logs from egress firewalls that perform Network Address Translation (NAT). Regular or irregular intervals in outbound connections can indicate beaconing behavior.
Pulling Data from Multiple Systems
In an enterprise environment, gathering data from multiple systems simultaneously is crucial for a comprehensive incident response. The Windows Management Instrumentation Command-line (WMIC) tool can be used to collect software inventory across multiple systems efficiently. Here's an example command:
C:\> wmic /node:@systems.txt product get name, version, vendor /format:csv > SoftwareInventory.txt
This command retrieves the software inventory from all systems listed in systems.txt, providing a detailed overview of installed software, which is essential for identifying vulnerable or unauthorized applications.
Conclusion
Effective incident response relies on leveraging various data sources to detect and mitigate threats. By utilizing firewall logs, DNS logs, and web-filtering device logs, responders can gain critical insights into malicious activities. Akash Patel
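The two detections described above, beacon-interval analysis over NAT firewall connection logs and DNS-log comparison against a blocklist, as an added example that is not part of the original post. The log line format, the internal hosts, the destinations, the domains and the blocklist entries are all constructed for illustration; a real deployment would feed it the firewall's and resolver's own export format and a maintained blocklist.

```python
# Added example (not from the original post): beacon-interval analysis over
# constructed egress firewall log lines, plus a DNS-log check against a blocklist.
# Log format, hosts, domains and the blocklist are all made up for illustration.
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed NAT firewall "allow" records: time, internal source, destination, port.
# 10.0.5.21 talks to the same host every ~5 minutes; 10.0.5.33 is irregular.
FIREWALL_LOG = """\
2024-03-15T10:00:03 ALLOW src=10.0.5.21 dst=203.0.113.77 dport=443
2024-03-15T10:00:41 ALLOW src=10.0.5.33 dst=198.51.100.10 dport=443
2024-03-15T10:05:04 ALLOW src=10.0.5.21 dst=203.0.113.77 dport=443
2024-03-15T10:07:19 ALLOW src=10.0.5.33 dst=198.51.100.10 dport=443
2024-03-15T10:10:02 ALLOW src=10.0.5.21 dst=203.0.113.77 dport=443
2024-03-15T10:15:05 ALLOW src=10.0.5.21 dst=203.0.113.77 dport=443
2024-03-15T10:20:03 ALLOW src=10.0.5.21 dst=203.0.113.77 dport=443
2024-03-15T10:31:50 ALLOW src=10.0.5.33 dst=198.51.100.10 dport=443
"""
LINE_RE = re.compile(r"^(\S+) ALLOW src=(\S+) dst=(\S+) dport=(\d+)$")


def find_beacons(log_text, min_connections=4, max_jitter=0.05):
    """Group outbound connections by (src, dst, dport) and flag flows whose
    inter-connection intervals are nearly constant (coefficient of variation
    at or below max_jitter). Returns {(src, dst, dport): mean_interval_seconds}."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts, src, dst, dport = m.groups()
        times[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    beacons = {}
    for flow, stamps in times.items():
        if len(stamps) < min_connections:
            continue  # too few observations to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_jitter:
            beacons[flow] = round(mean)
    return beacons


# Constructed DNS query log and a constructed blocklist (not a real feed)
DNS_LOG = """\
2024-03-15T10:00:02 client=10.0.5.21 query=update.example-cdn.net A
2024-03-15T10:00:40 client=10.0.5.33 query=mail.example.org A
2024-03-15T10:05:03 client=10.0.5.21 query=update.example-cdn.net A
"""
BLOCKLIST = {"example-cdn.net"}
DNS_RE = re.compile(r"^(\S+) client=(\S+) query=(\S+) \S+$")


def match_blocklist(dns_text, blocklist):
    """Return {client: set(names)} for queries whose name, or any parent
    domain of it, appears in the blocklist."""
    hits = defaultdict(set)
    for line in dns_text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        _, client, name = m.groups()
        labels = name.lower().rstrip(".").split(".")
        if any(".".join(labels[i:]) in blocklist for i in range(len(labels))):
            hits[client].add(name)
    return dict(hits)


if __name__ == "__main__":
    print("beacon candidates:", find_beacons(FIREWALL_LOG))
    print("blocklist hits:", match_blocklist(DNS_LOG, BLOCKLIST))
```

Here the 10.0.5.21 flow is flagged with a 300-second interval while 10.0.5.33 is not (too few, irregular connections), and the same host's DNS queries match the blocklisted parent domain, which is the corroboration across log sources the post recommends.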
- Effective Incident Response: Containment and Eradication
In the realm of cybersecurity, responding to incidents promptly and effectively is crucial. This detailed guide covers best practices in incident response, focusing on identification, containment, and eradication.
Failure to Take Complete Notes: The most common error incident handlers make is failing to take comprehensive notes. Detailed documentation is essential for understanding the incident and for legal purposes.
Forensic Imaging
Critical Importance: A good forensic image is crucial. Without it, you risk the data's integrity and admissibility in court.
System Backups: Often, systems haven't been backed up in years, making forensic imaging vital for preserving irreplaceable data.
Tools: Use tools like dd for bit-by-bit imaging on UNIX and Windows. Tools like Google Rekall and the Volatility Framework are excellent for memory analysis.
Cryptographic Hashes: These validate that the evidence remains unchanged since collection.
Write Blockers
Usage: Prevent write operations to disks, preserving the state of evidence. Available in hardware and software forms.
Practicality: Not always feasible, especially for live systems.
Drive Duplicators
Advantages: Faster imaging and on-the-fly hash calculation. Ideal for frequent imaging tasks.
Disk Size Consideration
Storage Needs: The storage drive should be at least 10% larger than the original to account for file system overhead and metadata.
Short-term Containment
Goals: Stop Attack Progress: Prevent further damage without altering the impacted system. Keep Drive Image Intact: Until a backup is made.
Methods:
Network Isolation: Disconnect network access or power to the impacted system.
Switch Port Isolation: Control switch infrastructure to isolate the impacted machine.
VLAN Isolation: Place the system on an isolated VLAN for continued communication without infection spread.
DNS Alteration (important and useful method): Redirect Traffic: Change DNS records to point to a secure machine, mitigating attacks based on IP address.
Long-term Containment
Actions:
Patching: Apply patches to the system and neighboring systems.
Intrusion Prevention: Insert an IPS or in-line Snort/Suricata.
Routing Changes: Null routing and firewall rules.
Account Management: Remove attacker accounts and shut down backdoors.
Eradication
Preparation: Temporary Solutions: Implement solutions to maintain production while preparing for eradication.
Eradication Protection Techniques:
Firewall/Router Filters: Apply appropriate filters.
System Relocation (very useful): Move the system to a new name/IP address.
DNS Changes (very useful): Change DNS names to avoid further attacks.
Vulnerability Analysis
System and Network Analysis: Perform detailed vulnerability assessments.
Port Scanning: Use tools like Nmap for network scanning.
Vulnerability Scanners: Tools like Nessus, OpenVAS, Rapid7 NeXpose, and Qualys help identify vulnerabilities.
Attack Patterns: Multiple Machines: Attackers often exploit multiple machines using the same methods. Search for related vulnerabilities across the environment.
Conclusion
Effective incident response involves strategic containment and thorough eradication. By adhering to these best practices, organizations can significantly enhance their resilience against cyber threats and ensure a swift recovery from incidents. Akash Patel
- NirSoft Network Usage View (NUV): Streamlining SRUM Analysis
The landscape of digital forensics is ever-changing, with tools and techniques continually evolving to meet the demands of modern investigations. One such recent addition to the arsenal of SRUM analysis tools is NirSoft's Network Usage View (NUV). Link: https://www.nirsoft.net/utils/network_usage_view.html
Introduction to NUV
NUV, like many of NirSoft's offerings, is both free and user-friendly, designed to assist investigators in their triage efforts. Upon launching the tool, it defaults to displaying the host system's information. However, it is versatile enough to be pointed at a mounted image for deeper analysis.
Loading SRUM Data with NUV
To load SRUM data from a specific image, such as the Donald Blake image, follow these steps:
Access Advanced Options: From the menu bar, select "Options" and then choose "Advanced Options."
Select External SRUMDB.dat: Under the "Load network usage data from:" dropdown menu, choose "External SRUMDB.dat database."
Navigate to SRUM Database: Click the "..." button and browse to the location of the SRUM database on the mounted image.
Analyzing SRUM Data with NUV
Once the target SRUM database is loaded, NUV provides a snapshot of applications running each hour, the user responsible for each application, and the inbound and outbound network traffic per application, per hour. This data can be invaluable for understanding user activity and network behavior.
What's Missing in NUV?
While NUV offers a comprehensive view of network usage data, one notable omission is the network name to which the system was connected at a given time. However, this gap can easily be filled with additional tools; my preference is ESEDatabaseView, and I have written a blog post on it. Link below: https://www.cyberengage.org/post/examining-srum-with-esedatabaseview
Conclusion
NUV by NirSoft is a valuable addition to the toolkit of digital forensic analysts, streamlining SRUM analysis and providing quick access to essential network usage data. While it may not offer a complete picture on its own, when combined with other tools and techniques, it becomes a powerful asset in the quest for digital evidence. Akash Patel
- SRUM: The Digital Detective in Windows
In today's digital age, the significance of digital evidence in criminal investigations cannot be overstated. As technology evolves, so do the methods employed by criminals to cover their tracks. Enter the System Resource Usage Monitor (SRUM), a powerful tool that has become a game-changer in digital forensic investigations.
Real-world Applications of SRUM
Corporate Espionage Investigations: Imagine a scenario where a corporate system is compromised. SRUM data can be instrumental in identifying applications covertly exfiltrating sensitive data to competitors or foreign entities, providing invaluable leads to investigators.
Insider Threats: In cases involving employee misconduct, SRUM can document suspicious activities such as large-scale data transfers from the corporate network to personal devices. This data can pinpoint when and where data was accessed, aiding in establishing a timeline of events.
Refuting Baseless Claims: SRUM has also proven its worth in the courtroom. In one case, SRUM data conclusively refuted claims that evidence had been planted on a seized computer, demonstrating that no unauthorized access had occurred post-seizure.
Understanding SRUM
What is SRUM? SRUM is an integral part of the Windows Diagnostic Policy Service (DPS), tracking various system performance metrics. Introduced with Windows 8, SRUM is enabled by default across all Windows versions, including Enterprise.
Accessing and Managing SRUM Data
Task Manager Insights: Users can get a glimpse of SRUM data through the Task Manager's "App history" and "Details" tabs, showcasing performance statistics and approximately 30 days of historical data. However, a mere click on "Delete usage history" doesn't erase SRUM data immediately, requiring further investigation into data retention and purging policies.
Data Retention: While SRUM retains data for approximately 30 days, additional testing reveals that extended periods of system inactivity can lead to purging of older data. It's not uncommon to find up to 60 days of historical performance data in SRUM, making it a valuable resource for investigators.
Key Takeaways
SRUM offers a treasure trove of information to digital forensic analysts, including:
Applications running at specific times
User accounts associated with each application
Network bandwidth usage per application
Network connections, including dates, times, and connected networks
Final Thoughts
SRUM has revolutionized the way digital forensic investigations are conducted, offering a deeper insight into user activities and system performance. As technology continues to evolve, so will the tools and methods employed by both investigators and criminals. However, with tools like SRUM in their arsenal, investigators are better equipped than ever to uncover the truth and bring justice to those who seek to undermine it. Akash Patel
- My First Day at Ankura: A New Chapter Begins
Today marks the beginning of an exciting new chapter in my professional journey as I join Ankura as a Cybersecurity Incident Response Associate. The start of a new job is always an important milestone. I am eager to contribute to the success of Ankura and to work with my new colleagues to achieve our common goals. This is just the beginning, and I look forward to sharing more about my experiences and learnings in the coming months. Thank you for being part of my journey, and stay tuned for more updates as I navigate this new and exciting chapter! Akash Patel
- Blog Post: Ensuring System Security Post-Attack – Comprehensive Remediation Steps
In today's digital landscape, cyberattacks are an ever-present threat. It's essential to have a robust remediation plan to ensure attackers are eradicated and system integrity is restored. Recently, I developed a comprehensive set of remediation steps for various operating systems, including Windows, Linux, and macOS. These steps are designed to help you recover from an attack and strengthen your defenses against future threats. By following these detailed steps, you can effectively remove attackers from your systems, restore security, and mitigate the risk of future incidents. Thoroughness and vigilance are key to a successful incident response and recovery. For more detailed steps, please refer to the comprehensive guide I created: Download the Full Remediation Guide. I appreciate your feedback and any additional recommendations you may have to enhance these remediation steps. Together, we can ensure robust security and integrity for our systems. Akash Patel
- Incident Handlers Checklist and Personalize Windows investigation Cheat Sheet
In previous blogs, I've delved into the intricacies of incident response, providing comprehensive information and theories. However, theory without practical implementation often leaves one questioning where to start. That's why I've put together something to bridge this gap: a set of checklists and cheat sheets designed to aid incident response professionals, attached below.
The Incident Response Checklist. Understanding the right questions to ask during an incident is crucial. For this reason, an incident response checklist is attached below. This checklist covers an array of critical questions tailored to incident scenarios. You can find the detailed checklist by clicking the link below, and also in the 'Key Notes' tab on my blog. It's even available in the 'Resume' section for quick access. Here's the link to access it: For Checklist Click Me
Windows Investigation Cheat Sheet. I've also developed a Windows investigation cheat sheet that simplifies endpoint analysis. This cheat sheet is a handy resource that assists in navigating endpoint-related scenarios. You can find the cheat sheet by clicking the link below, and also in the 'Key Notes' tab on my blog. It's even available in the 'Resume' section for quick access. Here's the link to access it: For CheatSheet Click me
By combining these resources, I believe that a blend of theory and practical tools is key to effective incident response. Thank you for your continued engagement. Feel free to explore the resources, and I hope they prove valuable in your incident response endeavors. Thank you, Akash Patel
- Theoretical Important notes for Memory Acquisition and Disk Encryption
Introduction: In the world of digital forensics, thorough memory acquisition and disk encryption detection are essential steps in uncovering valuable evidence. This guide walks you through the process of memory acquisition, the tools used, and the importance of considering disk encryption before proceeding with forensic analysis.
Step 1: Memory Acquisition
For Live Systems: Use tools like FTK Imager or USB tools such as Magnet RAM Capture, Belkasoft Live RAM Capturer, or DumpIt.
For Dead Systems: Capture hiberfil.sys (containing compressed RAM) and pagefile.sys, as well as MEMORY.DMP if available.
Tools like KAPE and Redline can assist in memory acquisition, while WinPMEM and Volatility are invaluable for memory analysis.
Step 2: Checking for Disk Encryption
Consider Encryption: Assess the possibility of disk encryption before shutting down or removing a hard drive.
Use Encrypted Disk Detector (EDD): Scan local physical drives for encryption signatures, including TrueCrypt, PGP, BitLocker, and more. https://www.magnetforensics.com/resources/encrypted-disk-detector/
EDD Functionality: EDD provides information about accessible encrypted volumes, aiding decision-making in incident response scenarios. Note: EDD does not scan for files within encrypted containers; its focus is on detecting mounted encrypted volumes.
Incident Response Use: EDD helps quickly identify encrypted volumes without intrusive actions, guiding the need for live acquisition.
EULA Acceptance: Users may need to accept an End User License Agreement (EULA) when using EDD; bypass this prompt by creating a shortcut with the "/accepteula" switch.
Step 3: Image RAM and Create Triage Image
Use FTK Imager to capture memory and create a triage image for initial analysis.
Step 4: Capture Essential Forensic Data
Collect critical artifacts such as $MFT, $LogFile, registry hives (SAM, SYSTEM, SOFTWARE, DEFAULT, NTUSER.DAT, UsrClass.dat), event logs (*.evtx), log files, .lnk files, .pf files, pagefile.sys, hiberfil.sys, RECENT folder contents, and the user's APPDATA folder. (I have already created a complete guide to the collection of artifacts; please check it out under the Resume tab on my website.)
Conclusion: Memory acquisition and disk encryption detection are fundamental steps in Windows forensics, enabling investigators to uncover valuable evidence and insights. Akash Patel
- Unveiling Threats: Exploring Active Directory Replication from Non Machine Account + Mimikatz DC Sync.”
Today, I'm excited to share a fascinating blog post written by one of my dearest friends, Jaye V from ConnectWise. In this insightful piece, Jaye delves into the intricate world of cybersecurity, focusing on the elusive threat of "Active Directory Replication from Non Machine Account + Mimikatz DC Sync." Link: https://medium.com/syntheticvoid-security/how-to-not-overlook-important-windows-event-ids-during-threat-anlaysis-and-learning-about-mimikatz-cef23e251553 LinkedIn Profile: https://www.linkedin.com/in/jaye-v-2a11191b9/ The Revelation: Jaye's blog sheds light on a sophisticated cyber threat that often goes undetected amidst the vast expanse of Active Directory operations. By dissecting the nuances of "Active Directory Replication from Non Machine Account + Mimikatz DC Sync," Jaye unveils the hidden dangers lurking within our network infrastructure. Join the Conversation: I urge you all to dive into Jaye's insightful blog post and join the conversation surrounding Active Directory security. By sharing our experiences and insights, we can collectively enhance our cybersecurity posture and stay ahead of emerging threats. Don't miss out on this enlightening read! Akash Patel
- Saying Goodbye: Reflecting on My Journey with ConnectWise
As I sit down to write this blog post, my heart is filled with a mix of emotions. Today marks the end of an incredible chapter in my life as I bid farewell to ConnectWise. Reflecting on my time here, I am overwhelmed with gratitude for the opportunities, challenges, and memories that have shaped me into the professional I am today. Throughout my journey, I've had the privilege of working alongside some of the brightest minds in the industry. From brainstorming sessions to late-night incident handling, each moment has been a testament to the power of teamwork and camaraderie. I want to take this opportunity to express my heartfelt appreciation to Akshay Khade, Niraj kushwaha, Omkar Kadam, Shruti Jadhav, Jaye V, Benjamin Hafner, Kartik thever, Ramansh Sharma, Komal Patil, DIPTI PARVE, Devyani Itware, Sharvari Ghadi, Mihir Sukhatankar, and the list goes on... for their unwavering support, guidance, and friendship. As I embark on a new chapter in my career, I carry with me the lessons learned and the memories shared during my time at ConnectWise. While I may be leaving this chapter behind, I am excited about the opportunities that lie ahead and the chance to continue learning and growing in new ways. To my ConnectWise family, thank you for everything. Your passion, dedication, and commitment to excellence have left a lasting impression on me, and I will always cherish the memories we've created together. Though my journey with ConnectWise may be coming to an end, I am confident that our paths will cross again. Until then, I wish you all continued success, happiness, and fulfillment in your endeavors. https://www.linkedin.com/in/akash-patel-097610202/ Akash Patel