Category | XP Event ID | Win7+ Event ID | Description |
---|---|---|---|
Scheduled Tasks Log | XP: %SystemRoot%\SchedLgu.txt | Win7: %SystemRoot%\Tasks\SchedLgu.txt | Task Scheduler text log |
Scheduled Tasks | | 106 | Task Scheduled |
Scheduled Tasks | | 200 | Task Executed |
Scheduled Tasks | | 201 | Task Completed |
Scheduled Tasks | | 141 | Task Removed |
Logon Events | 528 | 4624 | Successful Logon |
Logon Events | 529 | 4625 | Failed Logon |
Logon Events | 538 | 4647 / 4634 | Successful Logoff |
Logon Events | 540 | 4624 | Successful Network Logon |
Logon Events | | 4672 | Successful Network Logon as Admin |
RDP | | 21 | RDP logon success |
RDP | | 24 | RDP user disconnected |
RDP | | 24 | RDP user reconnected |
RDP | | 1149 | RDP user authenticated |
Account Logon Events | 680 | 4776 | Successful / Failed account authentication |
Account Logon Events | 672 | 4768 | TGT was issued (successful logon) |
Account Logon Events | 675 | 4771 | Pre-authentication failed (failed logon) |
Rogue Local Account | 680 | 4776 | An account successfully authenticated |
Rogue Local Account | 540 | 4624 | Successful Network Logon immediately following |
Share | | 5140 | Share mount |
Suspicious Services | | 7034 | Service crashed unexpectedly |
Suspicious Services | | 7035 | Service sent a Start/Stop control |
Suspicious Services | | 7036 | Service started or stopped |
Suspicious Services | | 7040 | Start type changed (Boot, …) |
Clearing Event Logs | 517 | | Audit log cleared |
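A correlation check for the Rogue Local Account rows above, added here as an example and not part of the original cheat sheet: it maps the legacy XP IDs (680/540) onto their Win7+ equivalents (4776/4624) and flags accounts outside a known-account inventory whose successful credential validation is immediately followed by a type-3 network logon from the same host. The sample event records, the known-account list and the 5-second window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Legacy (XP) event IDs from the table above, mapped onto their Win7+ equivalents.
LEGACY_IDS = {680: 4776, 540: 4624}

# Constructed sample records (not real logs); "type" is the logon type of a 4624/540.
SAMPLE_EVENTS = [
    {"id": 4776, "time": "2024-01-10T09:00:00", "user": "backup_svc", "host": "WS01", "type": None},
    {"id": 4624, "time": "2024-01-10T09:00:01", "user": "backup_svc", "host": "WS01", "type": 3},
    {"id": 4776, "time": "2024-01-10T09:05:00", "user": "alice", "host": "WS02", "type": None},
    {"id": 4624, "time": "2024-01-10T09:05:01", "user": "alice", "host": "WS02", "type": 3},
    {"id": 540, "time": "2024-01-10T09:10:00", "user": "tmpadmin", "host": "WS03", "type": 3},
    {"id": 680, "time": "2024-01-10T09:11:00", "user": "tmpadmin", "host": "WS03", "type": None},
    {"id": 540, "time": "2024-01-10T09:11:02", "user": "tmpadmin", "host": "WS03", "type": 3},
    {"id": 680, "time": "2024-01-10T09:20:00", "user": "svc_old", "host": "WS04", "type": None},
    {"id": 540, "time": "2024-01-10T09:20:30", "user": "svc_old", "host": "WS04", "type": 3},
]


def normalize(event_id):
    """Return the Win7+ event ID for an XP-era ID, or the ID unchanged."""
    return LEGACY_IDS.get(event_id, event_id)


def find_rogue_local_logons(events, known_accounts, window=timedelta(seconds=5)):
    """Flag accounts absent from the known-account inventory whose successful
    credential validation (4776/680) is followed within `window` by a network
    logon (4624/540, logon type 3) from the same workstation.
    Returns (user, host, validation_time, logon_time) tuples."""
    hits = []
    ordered = sorted(events, key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
    for i, e in enumerate(ordered):
        if normalize(e["id"]) != 4776 or e["user"] in known_accounts:
            continue
        t0 = datetime.fromisoformat(e["time"])
        for f in ordered[i + 1:]:
            if datetime.fromisoformat(f["time"]) - t0 > window:
                break  # nothing "immediately following" any more
            if (normalize(f["id"]) == 4624 and f["type"] == 3
                    and f["user"] == e["user"] and f["host"] == e["host"]):
                hits.append((e["user"], e["host"], e["time"], f["time"]))
                break
    return hits


if __name__ == "__main__":
    for hit in find_rogue_local_logons(SAMPLE_EVENTS, {"alice", "bob"}):
        print("possible rogue local account:", hit)
```

The known account "alice" is skipped, and "svc_old" is not flagged because its network logon arrives 30 seconds after the credential validation, outside the window.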
Process | Image Path | Parent Process | Number of Instances | User account | Start Time | Note |
---|---|---|---|---|---|---|
System | No image path | No parent process | One | Local System | At boot time | |
smss.exe | %SystemRoot%\System32\smss.exe | System | One master instance and one child per session; the child exits once the session is created | Local System | Within seconds of boot time for the master instance | |
wininit.exe | %SystemRoot%\System32\wininit.exe | Created by an instance of smss.exe that has since exited (tools usually don't show the parent process name) | One | Local System | Within seconds of boot time | |
taskhost.exe | %SystemRoot%\System32\taskhost.exe | services.exe | One or more | Logged-on users and/or local service accounts | Within seconds of boot time | Multiple taskhost.exe processes are normal |
lsass.exe | %SystemRoot%\System32\lsass.exe | wininit.exe | One | Local System | Within seconds of boot time | |
winlogon.exe | %SystemRoot%\System32\winlogon.exe | Created by an instance of smss.exe that has since exited (tools usually don't show the parent process name) | One or more | Local System | Within seconds of boot time for the first instance | |
csrss.exe | %SystemRoot%\System32\csrss.exe | Created by an instance of smss.exe that has since exited (tools usually don't show the parent process name) | Two or more | Local System | Within seconds of boot time for the first two instances (Session 0 and 1) | cmd.exe history is stored in these processes' memory |
services.exe | %SystemRoot%\System32\services.exe | wininit.exe | One | Local System | Within seconds of boot time | |
svchost.exe | %SystemRoot%\System32\svchost.exe | services.exe | Five or more | Depends on the instance: Local System, Network Service or Local Service | Within seconds of boot time, or later for services launched after boot | On Win7+ all service binaries are signed by Microsoft |
lsm.exe | %SystemRoot%\System32\lsm.exe | wininit.exe | One | Local System | Within seconds of boot time | Handles Terminal Services, including RDP and Fast User Switching |
explorer.exe | %SystemRoot%\explorer.exe | userinit.exe, which exits (tools usually don't show the parent process name) | One per logged-on user | Logged-on user | When the owner's interactive logon session begins | |
http://digital-forensics.sans.org/media/poster_2014_find_evil.pdf
To-Do
File Download | Open/Save MRU | E-mail Attachments | Skype History | Index.dat / Places.sqlite | Downloads.sqlite |
---|---|---|---|---|---|
Description | This key tracks files that have been opened or saved within a Windows shell dialog box | E-mail attachments | Skype history | Not directly related to “File Download”. Details are stored for each local user account and include the number of times visited (frequency) | Firefox has a built-in download manager that keeps a history of every file downloaded by the user |
XP location | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU | %USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook | C:\Documents and Settings\<username>\Application Data\Skype\<skypeusername> | IE: %userprofile%\Local Settings\History\History.IE5; FF: %userprofile%\Application Data\Mozilla\Firefox\Profiles\<random text>.default\places.sqlite | %userprofile%\Application Data\Mozilla\Firefox\Profiles\<random text>.default\downloads.sqlite |
Win7 location | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU | %USERPROFILE%\AppData\Local\Microsoft\Outlook | C:\Users\<username>\AppData\Roaming\Skype\<skypeusername> | IE: %userprofile%\AppData\Local\Microsoft\Windows\History\History.IE5 and %userprofile%\AppData\Local\Microsoft\Windows\History\Low\History.IE5; FF: %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\places.sqlite | %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\downloads.sqlite |
Interpretation | The “*” subkey tracks the most recent files of any extension entered in an Open/Save dialog; the .??? subkeys (one per three-letter extension) store file info from the Open/Save dialog for that specific extension | MS Outlook data files found in these locations include OST and PST files. Also check the OLK and Content.Outlook folders, which might roam depending on the specific version of Outlook used | Each entry has a date/time value and a Skype username associated with the action | Many sites in history list the files that were opened from remote sites and downloaded to the local system. History records the access to the file on the website that was reached via a link | downloads.sqlite includes: filename, size and type; download source and referring page; file save location; application used to open the file; download start and end times |
http://digital-forensics.sans.org/media/poster_fall_2013_forensics_final.pdf
$STANDARD_INFORMATION | File Rename | Local File Move | Volume File Move | File Copy | File Access | File Modify | File Creation | File Deletion |
---|---|---|---|---|---|---|---|---|
Modified | No Change | No Change | No Change | No Change | No Change | Change | Change | No Change |
Access | No Change | No Change | Change | Change | Change (No Change on Vista/Win7) | No Change | Change | No Change |
Creation | No Change | No Change | No Change | Change | No Change | No Change | Change | No Change |
Metadata | Changed | Changed | Changed | Changed | Changed | Changed | Changed | No Change |

$FILE_NAME | File Rename | Local File Move | Volume File Move | File Copy | File Access | File Modify | File Creation | File Deletion |
---|---|---|---|---|---|---|---|---|
Modified | No Change | Change | Change | Change | No Change | No Change | Change | No Change |
Access | No Change | No Change | Change | Change | No Change | No Change | Change | No Change |
Creation | No Change | No Change | Change | Change | No Change | No Change | Change | No Change |
Metadata | No Change | Changed | Changed | Changed | No Change | No Change | Changed | No Change |
Process Monitor filters for file and registry writes:
Operation is WriteFile
Operation is RegSetValue
Details contains Desired Access: Generic Write
List processes related to port XXXX (bash, lsof)
$ for pid in $(lsof -n -P -t -i4TCP:XXXX); do ps -o pid=,user=,args= -p "$pid"; done
List processes related to port XXXX (bash, netstat)
$ for pid in $(sudo netstat -anp 2>/dev/null | awk '($4 ~ /:XXXX$/ || $5 ~ /:XXXX$/) && $NF ~ /^[0-9]+\// { split($NF, a, "/"); print a[1] }' | sort -u); do ps -o pid=,user=,args= -p "$pid"; done