Finding Insider Threats: Digging Deeper

Join the forum discussion here.

View the webinar on YouTube here.

Read a full transcript of the webinar here.
Julie: Hi everyone. Thanks for joining today’s webinar, Finding Insider Threats: Digging Deeper. My name is Julie O’Shea and I’m Product Marketing Manager here at Black Bag.

Before we get started, there are a few notes we’d like to review. We are recording this webinar, so we’ll share an on-demand version once the webinar is complete. If you have any questions, please submit them in the Questions window, and we will answer them throughout or in our Q&A at the end of the webinar.

I’m excited to introduce our speakers today, Dr Vico Marizale and Matt McFadden. Dr Vico Marizale is our Senior Digital Forensic Researcher here at BlackBag, where he is responsible for R&D and supporting all of our software offerings. He holds a PhD in Digital Forensics, and over the years has done forensics and general cybersecurity work, in open-source tools, and delivered presentations and trainings at numerous venues across the US and internationally.

Matt McFadden is the Director of Training here at BlackBag. After 17 years in law enforcement, Matt honorably retired as a police sergeant from the Clovis police department in California. For 13 years, Matt conducted digital forensic investigations and supervised their department’s high-technology crime team. He has provided expert testimony in state and federal courts for digital evidence examined in child exploitation, murder cases, fraud, and other crimes. Matt holds several industry-recognized certifications in digit forensics and incident response.

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

Thanks for joining us today, Matt and Vico. Matt, if you’re ready, I will hand the reins over to you to get started.

Matt: Yeah. Thank you, Julie, and thanks, everyone for attending. We’re excited about today’s webinar. We’re going to move ahead here.

A lot of things are going on in our industry, and one of them that’s going on in that our forensic tools are making our analysis easier for us. As examiners, this is great, we love it. But there is a warning here – who’s in charge? Is it the software or is it the human? It’s kind of going to be both, with what we do, but the tools are making for an easier analysis. Now, it’s not going to happen all the time, but this has potential to put us in a point where we go, “Nah, I don’t need to know that, because the tool’s doing it for me.” And this can follow into something where it leads us to feel that we don’t have to understand it. And we really have to step back and look at this, to go, “Is our tool helping our analysis or is it replacing our need to know?” And it should not be replacing our need to know, because if we’re allowing ourselves to have a lesser understanding, we’re not going to have those skills that we need to investigate.

And we’re going to review some scenarios here, but it’s linking things together, and piecing it together, to actually dig deeper than the findings. We don’t want the tool to provide us something and say, “Well, that’s it. I can’t go beyond this.” This investigator skill makes all the difference in your cases, and we’re going to cover this as we proceed. We’re going to cover just about two to three minutes of file system basics here, we’re going to move into a couple of investigative scenarios, and then Vico’s going to take us on an even deeper dive into some really cool additional artefacts and newer ones out there.

Reviewing our file systems – these are the base of what everything stands on. This … it tracks many required things in the computers we use. It tracks administrative information, such as names, dates, times, and where this stuff starts, where is our data. We have items that track the allocation of these storage blocks or allocation blocks or clusters, and it stores which ones are not being tracked or used. The last thing it does is: is our file all together, are these allocation blocks all stacked together, are contiguous, are they broken up? And does that need to be tracked as well.

So, just moving through the three Windows-based file systems that we come across a lot: FAT32 is one of them that’s still out there. It stores its admin information in the directory entry, it’s a 32-byte directory entry, and we get the filename there, we get dates, created, last accessed and modified, and then we get where the allocation block or the first one starts, and then it’s tracked from there. In the file allocation table, what we call the FAT … or in FAT32, we get FAT1 and FAT2, the backup of it … but this file allocation table, it’s going to track our cluster allocation of where this stuff is, and are these blocks available to use or not use. The file fragmentation is also tracked. It’ll point us, whether to consecutive clusters or if they’re broken up all over the place.

The other one out there is ExFAT. ExFAT uses, instead of one 32-byte directory entry, it uses three primary ones. There’s a bunch of secondaries – I think it can support up to like 19 – but we get three with each file that we see. The first one out there is a file directory entry. That little type code is the hex value 85 that we see on disk, but inside the file directory entry, we get our dates and times, in MS-DOS Date/Time format, it’s where this information is stored.

The second primary directory entry is called the Stream Extension directory entry. Again, the type code – in there, the big thing we get is the first cluster or starting cluster, and we also get a marker for is it tracking any fragmentation. In ExFAT, if it’s not fragmented, it doesn’t really see a need to track it, because it’s going to say, “Here is where it starts, and just track on down to cluster that are all online with each other or contiguous.”

The third is the filename directory entry, and this one’s pretty simple. The filename directory entry stores our filename. You see it in the graphic here, this is where it holds. So, as far as our cluster allocation, it’s similar to the FAT a little bit. We get a file allocation table one that you see here, where my cursor is, with the FAT1. We don’t have a backup FAT inside FAT32. But in as far as tracking which clusters are used or not, we have something called ALLOC_BITMAP.

Now, the last file system. I told you this would be short, the file system reviews. We get NTFS. And we’re going to cover this one … and the reason why I’m covering this is it’s going to come into play in our investigation here. In NTFS, each record, file [filters], they all have a base MFT record. They have one. It can overflow with these attributes into another one, but each one has a base MFT record. So, if I create a file, it may get record number … these records are numbered. It may get record number, say, 100. And it’ll give a sequence number, saying, “Hey, your record #100, you got sequence ID1,” or sequence #1. Now, if I delete this file, this MFT record space becomes available, it can be reused, and a new record is entered, but it still is record #100, but it’ll say “Not sequence #1, your record #100, sequence #2.” And it’s going to escalate up. And this comes into play in our investigation scenario here.

You see across the graphic here, you see how we have an MFT record header, we have a … the sequence number is there. We get … the file system ID is there. We get all kinds of good information. Standard information attribute, filename attribute, we get dates and times. Obviously, the filename attribute … we might have, we could have two, it’s going to have the filename. And then, in our data attribute, we get where the data is stored. Is it inside this record or outside the record? Is it resident, non-resident? If it’s non-resident, it points us out to the start cluster and where those clusters are.

The last thing here is just a quick snapshot. This is a screenshot of Blacklight and this is me clicking on a record or a file, and then I click the Record tab, and you can see Blacklight is really going to parse out the data structure here, automatically is going to overlay a template, and I have my data structure on the right.

So, let’s start our investigative scenario now. Our investigation – this is a scenario in our upcoming Windows class that’s going to be released soon. We’ve got a guy working for a government agency, he’s working in a secure building. And he goes over to his colleague’s desk, just to see if he wants to go to lunch, and his colleague has a laptop open. The laptop shouldn’t be in this facility. He closes the laptop real quick and says, “Hey, I got to go to lunch,” and he takes off really fast. His buddy is like, “This is weird.” So he reports it, finds out the laptop shouldn’t be in this building, and we end up starting an investigation as to what’s going on with this guy that scurried out the door to lunch, is there something suspicious here? So, we’ve pulled his desktop and we’re now analyzing it.

Now, we’re not going to throw you into Shell Bags without a quick explanation, like what are they? And here’s where they’re stored, we’ve got the path here, it’s under the user profile … oops, get my cursor gone there. We have a user profile, app data local, Microsoft, Windows, and USRClass.dat. The USRClass.dat is registry, it’s where Microsoft lately has been putting a lot of data in. And in the USRClass.dat, burrow on down, and you get into the [sub-keys] of BagMRU and Bags.

BagMRU is up on the upper left graphic here on the screen, and what we see is you see the 01, you have the computer number of 10, but then 2, 3, and then, below that, in each of the numbers, you see like a subfolder of 0, 1, 2, 3, 4, 5, and in those you would see a 0, 1, 2, whatever. This is kind of a representation of the folder structure. Now, Shell Bags is … shell represents like the window, and then bag is what we call a node slot or it’s … think of a bag … it’s a bag that holds the shell or window information. And each of them has and points to its settings. So, you see here on the 0, 1, 2, 3, 4, 5 that we see the payload and outgoing and mimi and BitComet. Those are folders, and those folders are all in this #3 folder over on the left, and we’d have to click in there to find out what it is.

Now, the MRUListEx is most recently used, it’s a list, and across the green line here, you see the 03, and 05, and 04 that I’ve marked out in the black little rectangle highlights. That’s the number for the window above, of the most recently used, like #3, indicates that the outgoing was the most recently opened folder, and so on.

The last item is the node slot. You see the node slot up at the top, and you see node slot data 7. Inside that … basically, that decodes to the bag, and here’s where our bags are stored. So, we would go for this folder #3, we’d go over and look at the node slot 7, and we get a lot of things, of how was this window … what are the settings? What was the icon size? How was it sorted? Maybe where was it at? All the settings for the window.

Looking at it, we’re going to go look, and we’re going to see how it parses it inside of Blacklight here. I’m under System, ShellBags, and I’ve got a bunch of folders. And in your case investigation, you’re just going to start navigating around and look. And Blacklight is able to take this ShellBag information and rebuild this folder structure here for us. And I’m just scanning around, looking, and we know we got our guy who scurried out the door, and what’s going to be something that is going to indicate our interest as an investigator. Right now, the word ‘extract’ – that’s not good, right? We’re thinking, could this guy be stealing something? Extract – I don’t know, it’s not looking good right now. It’s just kind of popping up on my radar here.

So, you can see right here, here’s the bag path. We can see … remember that number structure, 03, and the structure down to where it’s stored. There’s our node slot, 81. Get dates and times associated. And then over here, we get some really good information about this folder, or the ShellBag data about the folder. It may be on disk, it may have been deleted by now. Got a little BEEF0004 signature here, and that gets some data. And if I want to look at it, I can click here, and there I see my extract, it’s really good, navigating you right to the data. And I get in to see the MFT entry number, 113218 with the sequence ID of number 5.

I’m going to go chase this down – 113218, sequence ID 5, I’m going to go see if this is still present on the drive. Of course, I’ve been doing this before. We have a bunch of … tons of filters that can help you. But I’m going to go in and get this back to where I had it, 113218, and I’m going to click Filter, and it’s going to go out and query across, and yup, there’s my extract folder, still on the file system. So, now I kind of want to look at this and see what it looks like within context to what’s on disk. I’m going to go reveal, right-click it and Reveal, and Reveal in File Browser. BlackLight’s going to prompt me here to say, “Hey, you want to go on this volume?” I’m going to say yeah.

And now I’m out there on the file system. I can see it in context. So, Extract [13:25], I’ve got some daily logs here, got a file, this is interesting. I got some satellite intel, and our guy is working for the United States Space Force, an upcoming agency that should be coming out. But if I scroll down to the zip directory here, and I’m seeing satellite intel, Exosphere, Thermosphere, I’m seeing some things, I’m really wondering why this is in a compressed archive. Like, is this normal, is this not?

You can see BlackLight does really well, and it’s parsing out, I can just go to the data structure and actually look at the structure of the zip archive too. But I’m not going to get into that at the moment. Inside of our other folder here, we find another folder, in Extract, we have some captures. And these are looking like pictures, so let’s look at these. These are kind of looking like it’s captures of like a desktop or window, somebody maybe taking screenshots or something here. This is kind of leading us to … I had some supporting slides here … but it’s kind of leading us to what’s capturing this stuff, what’s going on. So, we want to ask ourselves, what could have captured these files? What we want to do is we want to validate … we’ve got our extract folder, and we want to validate quickly that we do have the right one, remember file system ID 113218, remember our sequence number was 5, and the metadata, we can validate the number 5 there. So, we’re on the right track. But we want to get down to what is creating these capture files.

Well, a lot of us would go, okay, there’s that Windows thing, that Snipper or Snipping Tool or whatever that is, right? And sure enough, that’s a candidate. You can get your Windows going and fire up the Snipping Tool, and the standard default save is Capture with a capital C. So, that’s matching what we’re seeing here. These are PNGs, but you can easily change the file extension there. So, how comfortable are we at this point, saying Snipping Tool did this? Well, I’m not going to be too comfortable, just by a hunch. So, we need to investigate. We got to get back on our knowledge of what shows evidence of program execution?

Okay, well, BlackLight does a good job of parsing a lot of things for us. I can go under Actionable Intel and User Assist. Okay, let me click over here and talk about User Assist real quick. User Assist is stored in the NTUSER.DAT, there’s your path there. And this data is not stored plain text, it’s stored in encrypted ROT13, [right on table] 13, it’s shifting characters to the right, and it’s what we call a mono-alphabetic cypher, real simple, and BlackLight is able to decrypt this for us. I’m able to view it here, and right here under our nose is Snipping Tool. And I get it showing that it’s launched, I got the user name, USSF-JKreese, I get a count of 10, and I get a date and time here, that’s going to help me track. This is a nice piece of evidence.

By itself, it’s not a ton, but we want to lay it out related to things. So, we’re looking at a user, we’ve got a username populated here by BlackLight, but where does this come from? Well, if we look at our artefact here, BlackLight is great, because you always go down to the source, down here at the bottom, you see it’s USSF-JKreese profile, and it’s in his NTUSER.DAT. That’s where it’s pulling this user name from. So, I’m attributing this to a user. And I kind of want to lay these out against what we know already. So, let’s go [17:03] User Assist. Our date and time is there, and then we have our information from our ShellBag data, and the suspicious files that we found that are captured. So, if we track it, we end up on January 24th at 2:17 Eastern Time at 01 second. About nine seconds later, we get another folder that’s created on the file system. We get a ShellBag entry created for that folder, and then, subsequently, within the next couple, two, three minutes, these captures are created. So, we have Snipping Tool being launched, this folder being created, and now the captures are starting to take place within three minutes.

Now, the answer is how do we feel now? I’m feeling much more confident saying yeah, snipping tool is the one that was likely used to create these capture files. Now, one other question to throw at us is why is the Shell Bag … this is created two seconds later than the folder, which is on the file system. These come up in court a lot – [if you’re a lawyer], “Why is this after? Is that normal?” Well, in this case, yes, the Shell Bag data is created once the folder is open. There’s been studies showing other things that I haven’t seen any evidence of that, but when you open this folder, the Shell Bag data is going to be written, and two seconds later, it’s written to disk. So, it is in line with how the act of the folder being created and opened a couple of seconds later.

Alright, moving on to another scenario here, and still the same investigation, but we’re going to look at prefetch now. And our goal is – remember, we’re trying to move beyond our findings, not just what the tool tells us, let’s investigate this. So, prefetch – again, we’re going to throw you out and say, “Here’s prefetch. I found this in prefetch.” Well, what does it mean? And that’s the big thing that we need to grasp and understand, so we kick in our investigative skill here.

[18:56] see Windows Prefetch. The name – there’s the application name, dot exe, dash PrefetchHash – we’ll talk about that dot – pf. In the background here, you see the structure. I kind of laid it out in the grey background there. We’re not really going to get into it, but you need to know there’s a structure to it, and it’s changed – I’ll let Vico talk about that. He’s diving into some of this cool stuff.

So, out on the drive, we’re going to find a notepad, prefetch. I’m going to take you back here, and this is easy, under Actionable Intel, and Prefetch is parsed right here. I can sort by name. A lot of things might jump out at us here, right? As investigators, going, “Ooh! Ooh! Look at that!” But I’m going to scroll us down and focus us in on Notepad. Now, it’s loading all this data, and we’ll talk about what this means in a second, but I can end up getting folder paths, and I can get the name. Now, this NOTEPAD.EXE is not the name of the prefetch. The name of the prefetch is populated down here, I have NOTEPAD.EXE, and there’s my prefetch hash. This hash represents … it’s basically a hash of the device-based path, from where this application or executable was launched. So, if I launch Notepad from another location, it would have the same name except for this hash value, it would be different. And that would be an indication of: ooh, it’s been launched from somewhere else. And you may want to go and investigate that.

We found this, and we can sort through and find some files, that what does this mean? What does this mean? What do these files mean? What do these folders mean? Well, back over here again, we got to ask ourselves this question – the prefetch is basically a mechanism by which, when the application launched, Notepad, and Notepad is telling the cache manager, memory manager to say, “Hey, listen, Windows, I need this file, I need that file, you got to get all this stuff loaded up for me.” So, Windows is smart, and it’s going to take a note, and it’s going monitor, specific with applications, it’s going to monitor that application for ten seconds and go, “Hmm, what does it need here?”

And that’s what we’re seeing, is this list of data that it’s needing to pull and load into memory. So, next time Notepad launches, Windows goes, “Oh, here’s that guy Notepad. This is what he needs, because I wrote it down in my last list. Let’s get this up in memory for him.” And then Notepad is like, “Wow, Windows, you’re great! You loaded this stuff for me, I can run a lot more efficiently.”

Well, the cool side of the investigator aspect of it is we can use prefetch and look into it, and see what this application is loading as a resource. Not that it’s specifically accessed, but the last time it was launched, it needed this. So, going back and looking at it … I’m just sorting by name here. That’s jumping out at me. I got a … that reg file. Okay, I want to scan … ASECURITY, what’s that about? And then, I got a couple of text files. This could be normal or not, but we want to investigate those too. So, I’m going to start up here, and we’re going to take our investigation after this – aSecurity.reg.

First question is does it exist on the file system? So, we’re going to do that Reveal – we could – and go over, but I’m saving time with some screenshots here. And we do find it on our drive, and we find this data for it. Now, looking at this data, we need to ask ourselves, what is this? A lot of you will recognize, yeah, this is a reg file, right? It’s in the proper format of reg file, where we’re either exporting a portion of Windows registry or we have a file we’ve modified, we’re going to execute it with reg in it, and we’re going to launch it and do these changes.

If we want to check, slide down here, we look … there’s Regedit prefetch, and we can look to see did it load aSecurity.reg [22:29]? Yes, it did. Okay, so Regedit is playing with our buddy here, aSecurity.reg. So, what we have here is this in the HKEY_CURRENT_USER of the NTUSER.dat, we have Software, Microsoft, Windows, CurrentVersion, Run.

Now, again, what is this? We got to ask our selves and know this stuff. This is a very common [22:49] location. It’s one of the most common ones. So, when this user logs in, it’s going to kick their … load the registry and go, “Hey, run these things.” So, it has a couple of items called Windows Security Firewall, Windows Security, and it’s launching in those paths that you see, a file called Barrier.bat and Sentry.bat, two batch files. And even more suspicious, it’s running them silently. Hmm. What’s going on here?

Okay, well, if we hop out to the registry – we just go to System Registry in BlackLight, navigate on down to our CurrentVersion, Run, our auto-run location, sure enough, this is in the NTUser.dat. It’s been written. So, now this is … it’s loaded, ready to go. So, now we want to ask ourselves, what’s in these batch files? What are they doing? And we go out to the file system, we look at them, and here we get the context for the data inside. Now, Barrier.bat has this text, NetSh Advanced firewall set allprofiles state off. I’ve used NetSh a lot. I can’t say I’ve really used it a lot for the firewall, but this is basically a command where we’re trying to kick off all profiles, kill the firewall. Sentry.bat, it looks like it’s adding a reg entry here to the Windows Defender, under the software hive, and we’ve got a DisableAntiSpyware value being entered, with a reg dword 1, meaning yes, disable anti-spyware.

So, basically Barrier.bat trying to drop our barrier, Sentry.bat is trying to drop our sentry. Is this normal on a user’s computer? [chuckles] It’d be hard for us to find a scenario where that’s the case. So now, we’re going, “Aaah …” This is … something’s really weird, going on with this system.

We can also look to see what else is going on. We have another one called JumpList. Go out there, it’s right here amongst all your program execution artefacts. I love this. And you can go on down to Notepad. Now, if you guys remember JumpList, JumpLists are Windows 7 where you right-click on an application, it shows you your most recently run, it’s basically a collection of link files, it’s stored in pretty much the link file location. I’m going to go to Notepad, and there we have a corroborating entry showing Notepad was opening aSecurity.reg.

So, this is kind of piecing this together. If we look at all of it here, we pop up our aSecurity.reg file, with our dates. We see that the file hits the system at 9:36:32, Eastern, we see within that minute, 15 seconds later, Notepad is accessing it, and then we have it modified, likely saved to the drive. So, really telling a story here, with our investigation, about what’s going on.

Now, one more little chase here. We’re going to go after this OUT.TXT file from the prefetch. So, back [in the app] to our prefetch, we found Notepad, right, and we found aSecurity. But we also found this file here, which is the OUTGOING, and this is the folder, and then we have OUT.TXT enter here a couple of times. We have the folder paths, this is the volume, the volume [25:59] and then we have a volume serial number here. Now, this one, we likely don’t have, because this is looking like an external type drive, OUTGOING, OUT.TXT, but we’re going to investigate that a little further, and then we have this one.

So, we’re going to go chase this location, but we want to take a little note of this volume serial number, 5056a672. Put that in your short-term memory. But we’re going to go out here, we’re going to look at these locations for our OUT.TXT file. Well, we go out there, and our OUT.TXT is no longer present. It doesn’t exist in the location where the Notepad was accessing it. So, now what do we do? Where else can we look? What else can we rely on? This is where we got to use our brains and our investigative and our forensic skill to go, “Hmm. Okay, well, let’s look here.”

Walk in another evidence item: USNJRNL. USNJRNL updates sequence number journal, file system artefact, it’s going to log … it works for the file system, but it works for applications too, to note updates to the master file table records for these entries, and it’s going to log them down. So, here, what I did is went into the system’s system logs, in USNJRNL and BlackLight, I did a CTRL+F or Command+F, depending on what system you’re using, and I typed in “OUT.TXT”. It’s going to light it up yellow for me, and now I’m going, “Hmm.”

Okay, I got an out.txt entry showing me that it was on the file system, but then I got that link file too. So, what does that tell us? We track that path to the right and we see, well, it’s in, a user profile, app data, roaming, Microsoft, Windows, Recent … out.txt.lnk is telling us, yeah, the out.txt was open, a recent link file was created for it. We’re going to come back and visit that for a second. But even better, the USNJRNL is telling us a little history of the file across the file system, is that it is now named $R, random characters, dot txt. This is within the Recycle Bin – from Vista on, the Recycle Bin naming convention that happens to files. So, let’s go out there and look.

Now, back to BlackLight, Actual Intel, File Knowledge. We have our Trash Items populated for us. This is not the Recycle Bin, this is BlackLight’s parsing [that], which is nice – it’s going to decode the $I file for our related recycled file. So, we see our out.txt, we track it across, we see the original path, and then we get a deleted date and time. So, it kind of helps us piece this together here. Now, we go open up our out.txt file, because that’s big. Is this just an innocuous file or what is up with this out.txt? Does it really mean something for our case? Well, we open it up and we see this. So, now we’re going, “Oh, boy …”

You guys and gals out there that have worked incident response, any type case, and have seen this, you’re going, “Oh, boy.” This is basically a text dump of all the user profile passwords in their hashed form. This is not good. So, what now? Now what do we do? We found it – now what do we do?
Well, a lot of questions are surfacing now, because we got a lot of stuff we need to look at. What created this file? If I go to USNJRNL, I got a lot of mimi entries, mimilib, this is coming back to mimicats, which is a known credential dumping tool. But let’s track it a little bit with the timeline here, with what we know. Our out.txt on the file system, in the recycler, we got dates and times, and we have our link file right below that. And we have our USNJRNL. So, let’s track it. File gets created on a file system. 10:50:46, matches our USNJRNL. Our link file, it ends up on our file system, being opened as well.

Now, we go over here, and we look at our trash items, and we find that our out.txt ends up getting moved to the Recycle Bin at the same time and second as another application called PwDump7.exe. So, we’re going, “Aha!” Maybe PwDump is responsible – this is a known credential dumping tool, along with libeay.dll, all these items that are related to it. So, this is kind of pointing at PwDump as a player.

Now, another item here goes back to our file system. Remember our MFT record and sequence numbers. Look at the USNJRNL jump here. We have out.txt.lnk that has an MFT record with a sequence number of 7, and it changes to a new MFT record. If we go over to the right here, we see file close … or close, file delete. We see a new one being created. So, this is telling me something’s going on with this link file. Something changed. So, I’m going to go out there and look at my link files. Again, I can go to File Knowledge, and I can click on Link Files and find those, but I got a screenshot here for you, where I have out.txt.lnk targeting the out.txt file, and it’s showing it was opened on a removable drive now. There’s our 5056-A672 that we found in our prefetch, and it’s stored in an outgoing file. So, where’s our data now?

Yeah, [laughs] this isn’t looking good. It looks like Notepad looked at this in our volume from our prefetch, and now it’s been copied over to a removable device, it was looked at again, and who knows where it’s at now? So we’ve got some issues here.

We notice a couple of other things as we wrap up. We got some torrents that showed up in our Trash Items that we stumbled across. And that’s the nature of investigations, is you keep tripping on things – “Ooh, I need to go investigate that.” “Oh, I need to go investigate that too.” Well, torrents are out there, and if we go look at the torrent file real quick … you ever done this in a case where you look, and you go, “Oh man, the tool’s not working. I hit hex and I don’t see anything.” Or we look over here and we see it’s zero bytes. What’s up with that?

So, I go investigate my torrent file further, using the jump list, and I see 010Editor has accessed my torrent file. So, why would they be using a hex editor to access a torrent file? Could they have used this and deleted all my data from it? The suspect covering up their tracks. Well, that’s what happened here.

One last thing – it’s about two or three slides – is a memory dump. Just investigate and show you what BlackLight can do for you, this is a memory dump of just a [DDE] … a lot of free programs will dump out your memory from your systems there. That’s why it’s very important to collect. You see uTorrent.exe. We get the library sockets, handles, all kinds of start time, process ID, apparent process ID, path, parameters, all kinds of goodness. But focusing in on the sockets that this uTorrent process opened, I see it actually was listening out here on a port for uTorrent. This was the port that, when I set all this evidence up, that’s what I set for it to be listening for. And even better, we get handles. Handles is like a pointer to a place and object in memory or something that it’s relying upon, the process. And this process, uTorrent, bam! It’s just dropping us right in the middle of all of our satellite intel. And these were sourced to make our torrent file and were seeding these files through a torrent network.

So, just a quick recap: As you can see how all of these things, just chasing Shell Bags, chasing prefetch, you can see how it just leads and spiderwebs out to all these things we can chase.

I’m going to pause right here. Julie, I know you may jump in to see if there’s any questions. And we’re going to quickly turn over to Vico here, if there’s … see what we got.

Julie: Yeah. I wanted to ask one question that came in before we switch over to Vico. What if I don’t find any prefetch files?

Matt: Okay, prefetch is … it’s typically going to be running, you can disable it by the registry and turn it off. That’s an option. There’s research out there that I’ve heard … I had a colleague actually, who was assisting in a case that had a system of an SSD. And there was no prefetch. I’ve actually tested systems with SSDs on them, and I’ve not seen the prefetch automatically turning off, but I’ve heard talk of that. But it’s weird though – all the systems I’ve tested, and I put in an SSD in multiple ones, I’ve never seen a prefetch automatically turn off. So, I wonder if there’s a setup program with SSDs that you’d run and say, “Hey, why don’t we just turn this registry value to not do prefetch?”

Also, did the bad guy or bad girl do … in this case, did they go in to see Windows prefetch and just delete anything? That’s completely a possibility too. So, you always got to ask yourself … and it’s good knowing how it functions, so you can analyze it to go, “Is this normal or is this abnormal activity?”

But I’ll turn over to Vico here, and he’s going to give us some really good stuff and dive in even deeper with some of these artefacts and some really good new stuff here. All yours, Vico.

Vico: Thanks. Get a little set up over here … Alright. Making some progress. Alright, so Matt did a fantastic job taking us on a little tour of some artefacts that you’ve certainly seen and used before, but really kind of seeing what we can squeeze out of them information-wise. And in doing that – just to have a brief recap – he’s showed us that we have an insider doing some naughty things, doing some things that we think are suspicious and some that’s just outright bad. He’s using torrents applications to access malicious files, he’s using Notepad to access malicious files, taken screen captures, he’s exfiltrating credentials, all kinds of nasty stuff. So, what we’re going to do from here is look at some newer artefacts that you may or may not be leveraging in your cases, and even if you are, we might have some new, interesting details that you can use to, again, help you dig a little bit deeper into the artefacts and not just stare at the basics.

First is the Background Activity Moderator, or Background Activity Monitor sometimes we see it as. A process execution artefact, started in Windows 10 1709, so that’s the fall release of 2017. It exists in the system hive, the path you see up here, and also, the second path here, although the second path looks like it didn’t start being populated until 1809, so be sure that your tools are updated to see where things are. Again, it’s good to have a firm grasp of where these things should be and when.

It’s in the system hive, so it’s not really attached to a user, but they were nice enough to put the SID of the user and then the name of the application and then the date that the application was run. So, this is an artefact that you can use to add context to the things that we already seen in previous slides, from Matt.

What does it look like in the registry? In the upper left over here, you can see that we’ve selected the band user settings, and then there’s a set of SIDs for keys, and we select one of the SIDs. And then, on the right, you see the values for the key, one of which is regedit. The value … data for that key is highlighted down below, and if when we look on the data interpreter on the right, we can see that this is clearly a Windows file time, which is the execution time of the application.

BlackLight will parse this stuff out for you in a sortable, filterable kind of way. It’ll also show you the source file and all the other things, like we’ve seen with the other artefacts that are offscreen. If we blow some of this stuff up … So, on the top, we can see that the user executed BitComet, so we saw some torrent activity with uTorrent, but he also tried BitComet a little earlier in the morning. That was at 9:15 on the 25th. And then, must have been unsatisfied, and then switched over to uTorrent about 20 minutes later. Ran the installer and then ran the torrent application itself. Also of note, not highlighted in that second picture is the 010Editor probably being installed.

As we move on down, we can see another execution time for Notepad, which we know was used to do bad things. Irfan Viewer, which is an image viewer, which may be of use to us, since the user was exfiltrating pictures of satellite imagery. And then, also Snipping Tool. So, we saw that that was used, and again, this is just another set of data that you can use in your investigations to add more context.

RecentApps – another process execution artefact, but with a little bit more interesting stuff to it. Stands for Recent Applications, and it’s a really interesting name. What do we get? You get an executable idea, which we’ll see what that is, and/or the path of the executable, the last run time, and the total run count. So, this sounds a little bit like User Assist. But you can also get files that were accessed by that application, including the path, [shortened] display name, and the time that that particular file was accessed by that application.

Where is this app? It’s in the NTUser hive, so we can attach this to a user at Microsoft, Windows, CurrentVersion, Search, RecentApps, and a GUID, and then each of those GUIDs can potentially have a subkey of recent items with its own set of GUIDs, which will be the items that were accessed by that particular application.

What does it look like in the [raw] registry? You see that we’ve got, in the upper left, the Recent Apps key has a bunch of subkeys and we select one of them, and we can see an app ID of BlackLight. This is potentially from one of my research machines, launch counts. The app path is blank here, but that happens a lot of the time, for … it’s not a cause for concern. And then a last access time, where, if we select it, BlackLight will show us the actual bytes, and if we decode the bytes over on the right, we can see that again, this is the time that this particular application was executed.

If we go down a couple of entries, we see another application – this time we’re looking at VLC being run. We see that it has an app ID and an app path, and a launch count and a last accessed time, just like before. The difference here is that this particular guy has a Recent Items subkey with a [GUID] underneath it. And if we look at that guy, then we’ll see in addition to type and points, which we don’t care about for the moment, the path of the file that was accessed, a display name for the file that was accessed, and then a last accessed time. We want to make sure and not think that that might be the last accessed time for that image file. It’s really just the time that that was accessed by VLC. It’s kind of a misnomer.

So, BlackLight shows it to us just like this, again, the key path, app ID, launch count, path, the times are there too. All that sort of fun stuff, so we can see that … Microsoft Edge was used to open these things, up top. Windows Photos was used to open HEIC file. VLC was used to open a movie file. This is all interesting stuff, again, to add more context and to see more file accesses timed by application, by user.

You might have noticed that none of these particular examples for recent apps have anything to do with the scenario that Matt talked about in the first half of this talk. It’s because Recent Apps looks like it has stopped working, as of Windows 1709 or so. So, it’s good to know that if you don’t see data past a certain point, that’s not necessarily a bad thing. It’s just been turned off, but you can still see data in there from versions before that.

On that note, I want to beat on this for a little bit – especially with Windows 10 putting out new revisions about every six months or so, these applications, these artefacts are changing more and more, and changing faster and faster. So, prefetch is now compressed, which most tools will un-compress it and parse it for you just fine, but when it comes down to you wanting to go down to the bits and bytes and look and verify your results, now the file is compressed, so you’re kind of out of luck a little bit in that respect. The Amcache was introduced in Windows 8, significantly changed in Windows 10, and then the changed versions in Windows 10 was backported to Windows 7, causing dizzying issues. Even more dizzying, it’s not even related to the Windows version, it’s related to the version of the DLLs that are running on the machine. If anybody hasn’t read [43:09]’s Amcache paper, you should absolutely go read it.

ShimCache has changed over time, USB device tracking changes constantly, but some of the newer changes are that there’s a new place in the registry where device connections are stored for things that use the StorePort driver, like for larger USB devices there’s a new event log ID, 1006, that can give you device insertions and removals, and also things like the DBR and MBR of the drive that was inserted. It can have all kinds of interesting information in them.

The point of which is it’s kind of … you need to be super aware. Things are changing more rapidly and more artefacts are discovered. And having a deeper knowledge of what should be around and what shouldn’t be around. If your tool misses a thing, is it because the thing isn’t there anymore or because the tool missed the thing? It’s super important to know.

The next thing we’re going to talk about is a bit of a doozy. We’re only going to be able to get through a small bit of what this thing can do for you. It’s the Windows Activity Timeline, introduced in Windows 10. In case you don’t know what it is, at the beginning, the clip, the little icon I have the arrow pointing to on the bottom, this shows up on the desktop. It’s a timeline of what the user has been doing, so you can go back and continue something that you’d been doing. It also lets us go and look at what the user has been up to. It can be called the Activity Cache, because the file is called the activities cache. The Windows Timeline, some of the APIs refer to it as an activity feed. So, you’ll see all of these words, they all really mean the same thing.

It’s really used, for users, to make things easier to remember what they were doing previously. The background here – it also allows activities to be picked up across devices, so that you can be editing documents on one device, move somewhere else, edit it on another device pretty seamlessly. You can get between 3 and 30 days of history depending on some settings, which we’ll talk about in a minute. You may be wondering what exactly you get, what’s in there, why do we care? It can list applications that were run, and – this is kind of important and interesting – specific times and numbers of seconds when the user was actively engaged with that particular application. It can get URLs that a web browser was [touching] or files that were accessed by applications, and way more stuff that there’s just never enough time to talk about.

What OS versions? 1803 through 1903, no longer prerelease, since I spent some time this morning looking at the actual release – it is actually in the release. Just like ever other app, the format – it’s a database we’ll see, but the format changes just a little bit in every single version, just to keep us on our toes. It exists at the user, home directory, under AppData, Local, ConnectedDevicesPlatform, questionmark, ActivitiesCache.db, where the questionmark, the folder name there, changes depending on the type of user that’s logged in. So, if you log in with a local user account, that folder will be named L., like for me, L.vico. If you log in with a Microsoft ID, you’ll get this hex string that there’s a way in the registry to map it back to a string version of a Microsoft ID. Or if you’re using the Azure Activity Directory stuff, it’ll use a different folder name. So, you have to check all of these places. It is possible for the same user profile to have multiple of these things populated, so that’s something to be aware of.

File structure itself – it’s a SQLite database, it is WAL enabled, so the [write-ahead] log, if you’re using a tool to parse this, make sure that it’s parsing the log. Or if you export things and go stick it in a database tool, make sure you’re export the WAL as well.

The configuration is an issue here, and it’s a little squishy, for lack of a better word. There’s lots of different knobs to twist and turn to decide how many days of activity are going to be stored and whether it’s going to be synced across devices and a few other things. The defaults, early on, weren’t to share everything all the time. But the defaults are changing. Now, when you install Windows, the 1903 – and maybe on a previous version, but I know in 1903 – this is part of the installation process. So, it immediately asks you, “Hey, do you want to go ahead and let Microsoft sync your activity and store all this stuff?” And Yes is selected by default, so we can safely assume that users are just going to go OK. Which is good for us.

The structure of the database – there’s a handful of tables, this is probably the most important one. You can see that there are a lot of fields here, some of which we understand pretty well and some of which we don’t understand pretty well, mostly because some of them I’ve never actually seen populated. BlackLight will parse this for you again, with the same type of UI for everything else, sorting and filtering, and the source file and all the other fun stuff.

There are some important fields. This relates to activities that the user is engaged in. You have a start time and potentially an end time. You have an app ID, which is the app that generated the activity itself. An app activity ID … you’ll notice that a lot of these fields sound the same. It makes it frustrating a little bit to play with this stuff. The app activity ID is an application-specific identifier that usually relates to what the app was doing. It might have had a file open, and so you’ll have the file path in there, or it might have had a URL open, you might have that in there. Then the activity type, which is really important. An activity type of … there are more than just 5 and 6, but these are the ones we care about. Activity type 5 means the user opens an app, activity type 6 means that the user was actively engaged with the app right then. And then payload. Payload really relates mostly to how the tiles show up in the UI, but if you noticed before, the tiles in the UI can show the application name, can show a file that was opened, can show a website that was opened.

So, all of this stuff will be in there too. The Etag is also useful, because these activities in the database tables can be updated, and each time they’re updated, a global Etag thing is incremented for that activity. So, if you order by Etag, you can get an idea of how things happened in order, without having to rely on one of the many timestamps that are stored in the database.

So, how do we use this? If I want to know … like we knew the torrents applications were an interesting thing. First off, this is one row of output here – I’ve broken it up into two, so that we can kind of see it a little better. So if I want to know what torrents activity has been going on, I can look at app IDs, search for anything that has the word ‘torrent’ in it, sort this stuff by the Etag, and then start looking around. And what we see is some activity type fives and sixes.

The first row, the one that’s highlighted, we see the new torrent is running from the E drive, and then on the bottom we can see the exact time that it happened. Activity type 5 means that it was open. So, this is probably the installer for the file running. If we look at the second line, we see that now that uTorrent is running from the C drive, it’s another activity type 5, so the application has been opened. And if you look on the bottom, you can see the start time for the application. And the third line is an interesting – note that the activity type here is 6, it’s for the same application as in the previous slide, but if you look at the payload on the bottom, the type has user engaged, and it has active duration seconds, and a start time and an end time. This is telling you that this particular user who runs this database was using this particular application specifically at the start time and for 345 seconds. The next three lines are further interactions with the same program. This got me [a little excited, it was fun].

Okay, so after torrent stuff, we know that the user also used Notepad. So, we can again go look at things in the database that have a Notepad in the app ID. And again, if we sort by Etag, we’ll see a bunch of activity type 5 followed by activity type 6, over and over and over again, with start times and some end times. This particular one I have highlighted shows the payload below.

Payloads are [json blobs], so if you look at it pretty formatted down below, you’ll see that the app Notepad accessed this specific file, aSecurity.reg, which again we saw before – this is the one that inserted some malicious registry stuff on behalf of our suspect. So, you get that Notepad was used at a specific time, specifically to touch that file. And you also get some user … some interaction time after it. If you scroll through and look at the rest of these, you’ll also see that the user opened out.txt on the C drive with Notepad at 15:50:52, so just another corroborating result, that the user touched it. And just as interesting, the user opened it again after he moved it to the E drive, in the outgoing.txt folder. So, this out.txt had the password hashes in it. So, you can actually see the user opening Notepad and touching the file on the C drive, and then it having been moved to the E drive.

Snipping Tool usage – same thing. We can look for an app ID that says Snipping and see that the file is … in at least as far as the activity database is concerned, was opened once. We have one activity type 5, and then several activity type 6es – the user opened it and interacted with it several times. Unfortunately, if we look at payloads for all of these things, they look like the bottom picture, and we don’t see anything about the files that were accessed or created or touched or anything. That happens for some types of applications. It seems a little arbitrary at the moment. But we do know that this tool, by default, creates files that are called Capture and a number.

So, you can see here, if you go, instead of looking for Snipping Tool in the app ID, you can go look for Capture in the payload, and you’ll see that there are three entries that have Capture in the payload, one of them, the app display name is Photos, that’s the Windows Photos app. And accessing this file, Capture1.PNG. At the time listed on top. There are two more times these Capture files were accessed, with a different application this time around, using IrfanView. Capture2 was accessed and Capture3 was accessed. And since we have this, we know exactly what times these things were accessed, and we can go back and look … like right now, we have the activity type 5s, we can go back and find the 6es and see more interaction type things.

So, a lot of information, and it went really quickly. But kind of in summation, to wrap up, I hope we’ve stressed to you that some artefacts have been around for a while and are very well understood, and we’ve kind of got a wrap on those. And that’s great, that’s good, that we understand these things and the tools can do all the work for us, and it’s perfect. Others are either new or just complicated, and have links to many other artefacts, and just store way more information in them than most people know of or use. These things change over time, with Windows 10 they change really, really often. So, you have to constantly look. I’ll be spending a considerable amount of time looking at 1903 and trying to figure out what Microsoft changed on this.

Knowing some of these details of where these things should exist in different version or if they should exist in different versions, knowing that prefetch holds information about files that were opened, knowing that you can look at handles for a process in the memory viewer and see files that were opened, these things will aid your ability to really, really investigate. Which will help you get to [55:42] conclusions faster and hopefully with far greater confidence.

With that, I turn it back over to you, Julie.

Julie: Thanks, Vico. We’ve had a lot of great feedback and a lot of great questions come in already. People are really enjoying everything you guys have been presenting, so thank you. I’m going to go over a few questions that came in. And just so everyone knows, any that we don’t get to we will follow up with you individually.

Let’s start with: Should there always be Shell Bags on Windows systems?

Matt: I can jump in on that one. There should be. Granted, could someone go in and delete those registry data? Absolutely. But I believe it was Vista … definitely in XP, but I believe it was Vista where these started to appear. So, examining Windows 90 or ME, you’re probably not going to find it. But from Vista, XP on, you should be seeing those things. Some questions come up as far as retention of the data – I’ve not seen a real time where it times out and cleans up, but it’s something that might have to be tested further, but in all the cases I’ve looked at … you have the UsrClass.dat, the one I didn’t mention is you get also an NTUser.dat, which tends to be more system-type activity Shell Bag data, but you can find it in both locations.

Julie: Thanks, Matt. Do you get a new entry each time an executable is run or does it just update the last run time?

Vico: For which particular [57:26]? For [ban] and for recent apps, you only get the last run time. The only way you can get any kind of a history would be by looking at volume shadow copies or backups that have previous versions of those keys.

Matt: Yeah, and if that relates to prefetch, the prefetch files … to the testing I’ve done, is it’s going to update the prefetch file, so the pre … if the process is launched from the same location, that device-based path hash will remain the same, the creation date of the prefetch file will remain when it initially was launched, and it will be last updated or modified, that date will flash to show you when it was last done. So, it won’t create a new one if it’s launched from the same location.

Vico: But prefetch – correct me if I’m wrong – can hold multiple times that the program was run.

Matt: Yes. It can. The ladder … I can’t remember [where it switched], but it will … it definitely will do that, yes.

Julie: Great. That clarifies some things. Which versions of Windows support recent apps?

Vico: Early versions of Windows tend … I don’t know how early … through 1709. But it’s important to note there that I have a couple of machines that have been upgraded from before 1709 to the newest versions, and that stuff doesn’t get cleared out. So, you might have … if you’re interested in history from a year or two ago, that stuff is very likely still sitting there. If the machine has been updated, from a pre-1709 system.

Julie: Got it.

So, what kinds of activity can be synced across machines?

Vico: If you log in to … assuming syncing is turned on for the activity cache, if you log into multiple machines with the same Microsoft ID, then all of the activities that occur on each of those machines can be synced back and forth, including every application, everything that we saw. All of the application executions and file accesses. There’s even … if you turn the right know somewhere in the configuration, you can even find copy-paste data that can be synced across. You can actually open up one machine and start editing a Word document, and if everything is configured right, you can copy something from that Word document, like CTRL+C, and then go to a Word document on another machine you’re logged into, and paste that same text. That’s wicked cool.

Julie: That’s great.

How long does it take to get a working familiarity with all of these artefacts?

Matt: I can jump in that from the law enforcement side. [chuckles] It takes time. This is not a field you jump in and are instantly an expert. The tools help you, but it takes time. Year one goes by, and you’re like, “Okay, I got some stuff,” and year two and three goes by, and you go, “Woah, there’s a lot more stuff out here!”

I’m on my 19th year in this field, and my feet have still not touched the bottom of this pool. And if you think you’ve got it, there’s iOS upgrading, and Mac OS, and all kinds of devices and things changing all the time. So, the encouragement is take a look back at the road you’ve travelled, you realize, “Okay, I have picked up quite a bit.” But always be open to more stuff. And Vico, I’ll let you chime in on this one too if you want.

Vico: Yeah. If you didn’t know that you signed up for perpetual learning, like every single day, you’re in the wrong field. [laughs] I would say focus on the ones that you use, that you rely on the most often, and make sure you know those well, and then it’s a never-ending thing, to continue to have to learn new stuff.

Julie: And I know we are at the top of the hour, so finish up with one last question for you guys. Will BlackBag be offering any courses in Windows forensics coming up?

Matt: Affirmative. Keep your eyes out on our website. Probably around July. We’ve been heavy at work. Some of this stuff has been pulled right from that course. We’re focusing on very investigative-centered stuff. We’re going to give you the deep stuff, we’re going to give you the stuff you need to know, but we’re going to teach you to convert that into an investigative mindset, to find and to track the data and evidence that you need.

Julie: Excellent. Well, thank you, Matt and Vico. Thanks for walking us through how to use BlackLight to dig deeper in your investigations and how to find insider threats.

For anyone who submitted a question and we didn’t get a chance to answer it, someone will reach out, a member of our team will follow up with you individually. And also, as a reminder, we’ve had a few questions come in about this – we will be having this available on demand. So, we will send out the recording after this. If you’re interested in learning more about any of our products or services, please email the email address you see on the screen. And don’t forget to follow us on Twitter, Facebook, YouTube, and LinkedIn, and subscribe to our blog.

Thank you all again for joining, and have a great rest of your day.

End of Transcript

Leave a Comment

Latest Videos

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles