Windows Triaging with Powershell — Part 2: Artifacts Collection

The current blog is in continuation of Part 1 of Windows Triaging with Powershell. Part 1 described how the Powershell functions can be used to parse the Windows Event Logs. As part of this blog post, we will explore the important artifacts present in the Windows OS, where they can be found, and how we can collect them all using Powershell.

Forensic and Incident Response teams would benefit greatly from this approach to gather artifacts as quickly as possible. “The tasks performed are based on the fact that the team found particular Windows machine in Power-On state and are able to run and perform some scripting functions on Powershell.”

For the analysis of collected artifacts, I’ll also point out some open-source tools that are easy to use and can help with the analysis of all those files.

Note: Not only Powershell, some of the CMD commands will also be used for the collection procedure. CMD commands will be called within Powershell itself.

Let’s get started.

What is Windows Management Instrumentation (WMI)?

WMI is infrastructure for Management data and operations on Windows-based OS. We can write WMI scripts or application to automate administrative tasks on remote computers as well.

We can check all the available WMI classes with Powershell using command:

Get-WmiObject -List *

List of WMI Classes Available

We’ll be using a number of WMI classes within our script. Along with WMI classes, we’ll be discussing about several built-in commands of Powershell which will help in Information gathering process.

What is RFC 3227?

In the collection procedure, I’ll be referring to RFC 3227 that defines the principles during capturing Volatile Information and in what order, the volatile information is to be captured.

You can check out the Guidelines for Evidence Collection and Archiving here:

Based on RFC 3227, the artifacts that we’ll be focusing on to collect:

  • Registers, Cache
  • Routing Table, Arp Cache, Process Table, Kernel Statistics, Memory
  • Temporary File Systems
  • Disk
  • Remote Logging and Monitoring data that is relevant to system in question
  • Physical Configuration, Network Topology
  • Archival Media

Apart from this, what all other information that is available in system for e.g. Browser History, Jump Lists, Connected USB Info, Logs etc. we’ll be looking to those artifacts as well.

What are the important Artifacts that we’ll be focusing in the Windows OS?

In this blog, tested operating system is Windows 11. With release of Windows 11, it is not much different from Windows 10 in terms of where the artifacts are located. Some of the important artifacts that this blog focus on:

  • Running Processes & Services
  • Network Related Information
  • Autostart Items
  • Thumbnails & IconCache Database
  • Hotfix or Updates Information
  • USB Logs
  • Users and groups
  • Collecting Temporary, Prefetch data
  • Jump Lists & Lnk Files
  • ShellBags Info
  • SMB Info
  • List of Installed Applications
  • Windows Defender Logs
  • Windows Notification Database
  • Windows Cortana Database

Not to worry, I’ll mention the location path for some of the above mentioned artifacts which any reader can manually check.

Getting started with Collection

Note: Advised to run the commands with Administrative privileges if possible, as that would provide more information as compared to User privileges

Running Processes and Services

Whether be Incident Response, Forensics or even Malware analysis, running Processes and Services are one of the important artifacts that any investigator would first grab the information about. Run the following command in your Powershell window:

Get-Process

Output for GetProcess

Get-Process comes with some flags as well to filter out the output based on requirement. Let’s say, if I want to look over all the processes associated with firefox, then the command would be

Get-Process -Name firefox

Output for Get-Process -Name firefox

One of the important feature that I noticed in Powershell is display of attributes. As of now, we are able to see “Handles, NPM, PM, WS, CPU, Id, ProcessName”. But there are other attributes as well that can be of use in terms of investigation and analysis. Type the following command in Powershell window and let’s look at the output

Get-Process | Select-Object * | Format-Table -AutoSize -Wrap

Output for the above command

From the output, some of the important attributes to look at would be “Priority, PagedMemorySize, PrivateMemorySize, VirtualMemorySize and TotalProcessorTime”. To make the task more easy, we can save the output in CSV with the help of the below command

Get-Process | Select-Object * | Export-Csv E:\Get-Process.csv -NoTypeInformation -Encoding UTF8 -Force

CSV file for Get-Process

The CSV can be of great use, as this provides you with list of columns for e.g., Path of the executable as well as StartTime are mentioned that are helpful in Incident Response and Malware investigation as well. Also CSV file provides you with filtering feature that would help in analysis as well.

Similarly, to get the all the information about the services, type the following command in Powershell window

Get-Service

Output for command Get-Service

We can do more filtering based on the status. Let’s say, if we want the services for which the status is Running, then our command would be:

Get-Service | Where-Object {$_.Status -eq ‘Running’}

Output for Get-Service | Where-Object {$_.Status -eq ‘Running’}

As we saved the output for Get-Process, similarly we can save the output for Get-Service in CSV format that will provide us with some more attributes related to each service

Get-Service | Select-Object * | Export-Csv E:\Medium_Part-2\Get-Service.csv -NoTypeInformation -Encoding UTF8 -Force

CSV Output for Get-Service | Select-Object *

Network Parameters

A number of modules are present within powershell for capturing different Network information.

First, I would like to mention about the all-in one tool that is Get-NetView. The tool collects a in-depth information about the system and network related information. Data that is collected via Get-NetView:

  • Environment (OS, Hardware, Domain, Hostname etc.)
  • Physical, Virtual, Container, NICs
  • Network Configuration, IP Addresses, MAC Addresses, Neighbors, Routes
  • Physical Switch Configuration, QOS policies
  • Virtual Machine Configuration
  • Virtual Switches, Bridges, NATs
  • Device Drivers
  • Performance Counters
  • Logs, Traces, etc.
  • System and Application Events

For further information about the tool, you can check out from the below provided link:

After you have installed the tool in Powershell, run the following command in Powershell window

Get-NetView -OutputDirectory

After you run the command, this would take some time to gather all the information but absolutely a worth tool for collecting information. The output you will get would be like this after the execution of the tool is completed

Powershell Output for Get-NetView
Collected artifacts inside the Output Directory by Get-NetView

Coming back to basics, there are certain commands that you may find useful for collection of network related information.

Get-NetAdapter gets the basic network adapter properties. By default only visible adapters are returned. We can pass the command with -IncludeHidden flag to display all the available Network Adapters of the system

Get-NetAdapter Output

Get-NetConnectionProfile gets connection profile associated with one or more physical network adapters. A connection profile represents a network connection.

Get-NetConnectionProfile Output

Netsh is most used command in network configuration as it display the network configuration of the system and also allows to modify the same. While netsh can also be used to display “Wi-Fi” related information from the system.

(netsh wlan show profiles) | Select-String “\:(.+)$” | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | % {(netsh wlan show profile name=”$name” key=clear)} | Select-String “Key Content\W+\:(.+)$” | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ SSID=$name;PASSWORD=$pass }} | Format-Table -AutoSize

The above command will allow to display all the connected Wi-Fi and their passwords as well.

ipconfig command which is generally used for displaying the IP address can also be used for displaying DNS information about the system with /displaydns flag.

ipconfig /displaydns

ipconfig /displaydns output in Powershell

Users & Groups Info

Get-WmiObject command is used to invoke WMI classes.

Win32_UserAccount class contains information about user account on computer system running Windows.

Get-WmiObject -Class Win32_UserAccount

Win32_UserAccount output

Other than Win32_UserAccount, Get-LocalUser & Get-LocalGroup can also be used to get the information about the active users and groups on the system.

Get-LocalUser | Select Description, Enabled, FullName, UserMayChangePassword, PasswordRequired,LastLogon,Name,SID

Output for Get-LocalUser

Get-LocalGroup | Select-Object *

Output for Get-LocalGroup

Autostart Modules

Win32_StartupCommand is a class defined in Get-WmiObject module that provides us with the information on startup applications. Write the following command in Powershell window to display the startup items

Get-WmiObject -Class Win32_StartupCommand

Output for Get-WmiObject -Class Win32_StartupCommand

With use of Select-Object piped with the above command, let’s save the output in CSV and get some more information on the startup items

Get-WmiObject -Class Win32_StartupCommand | Select-Object PSComputerName,User,__RELPATH,Command,Name | Export-Csv <Path for Csv file> -NoTypeInformation -Force -Encoding UTF8

With CMD also, we can get the autostart items by the use of following command:

wmic startup get caption,command

Thumbnails & IconCache Database

Thumbnails and IconCache store the icons that are displayed when we set the layout of the explorer to medium, large icons (Thumbnails view). Let’s look at the below screenshot of the content view inside the Explorer

Large Icons view inside Explorer Window

All the files and directories have some kind of icon related to each one of them. These are stored inside the Thumbnails & IconCache database. Likewise, if we have set this type of setting inside the Pictures folder, then content of each picture is displayed without even opening it. All this data is stored inside that database.

Default location where the Thumbnails and Iconcache database is stored inside Windows

\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Explorer

You can use ThumbsViewer to view the collected files. Link for the same is provided below:

As an investigator, we can copy all these files in a forensic manner. First create the hash for all these .db files and then recursively copy to our specified folder. The process to create hash before copying the files is provided in Part1 of the Windows Triaging with Powershell, for which the link is provided below:

After creating the hash, the output hash file would look like this:

Hash created for Thumbnails and Iconcache files

With Powershell, now we can recursively copy all the available files inside the \AppData\Local\Microsoft\Explorer folder

Get-ChildItem C:\Users\$env:USERNAME\AppData\Local\Microsoft\Windows\Explorer\ -Recurse | Copy-Item -Destination <Destination Path>

Hotfix or Updates Information

In case of Malware Analysis or Incident Response, updates information plays a key role to identify the updatedclear features if they are genuine, latest versions or any malicious update file was uploaded inside the system. To view the Hotfix information, write the following command in Powershell window

Get-HotFix

Another command to get the Windows Updates log is Get-WindowsUpdateLog. The Get-WindowsUpdateLog cmdlet merges and converts Windows Update .etl files into a single readable WindowsUpdate.log file. Write the following command the get the updates log to use desired directory

Get-WindowsUpdateLog -LogPath directory_path\Updates.log

Windows Update Log

Connected USB Information

USB logs are an important artifact as to know if any malicious incident has been performed via external device or to get a kind of sense that any sensitive file is copied to any external drive.

USB logs are maintained at Registry Location:

HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR

To get the list of connected USB devices, write the following command in the Powershell Window:

Get-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*’ | Select-Object FriendlyName,PSPath

As the timestamps are not provided with this command cause the timestamps are provided inside Windows Event Logs for each connected USB device. But after some searching I found one Powershell program that is able to do it. I’ll not be able to display the whole program, but you can check out the program from the below link:

Now, if you copy this program inside Powershell ISE and run the same, we can retrieve the timestamps of each connected USB device as displayed in the below screenshot

Collecting the Temporary Files

Temporary File is created to temporarily store information in order to free memory for other purposes. For e.g. whenever we are downloading a file from Internet, there are two options for downloading, Open As or Save As. The “Open As” downloaded files are stored in Temp folder of the system.

Following are the locations of Temp folder:

C:\Users\%USERPROFILE%\AppData\Local\Temp

C:\Windows\Temp

C:\Windows\SystemTemp

Similar to collection of Thumbnails, we can create hash of all the files present in the aforementioned directories and copy these items recursively to our specified folder. Command to perform the same is mentioned below:

Get-ChildItem -Path C:\Windows\Temp -Recurse | Copy-Item -Destination Destination_Path

Get-ChildItem -Path C:\Windows\SystemTemp -Recurse | Copy-Item -Destination Destination_Path

Get-ChildItem -Path C:\Users\$env:USERNAME\AppData\Local\Temp -Recurse | Copy-Item -Destination Destination_Path

Collecting Prefetch Files

In Forensic aspect, Prefetch files can reveal when applications were last accessed and how many times the application was run. These files can be used to extract timestamp and other resources consumed when the file executes.

Default location for the Prefetch files:

C:\Windows\Prefetch

Similar command can be used to copy all the prefetch files after hash for all the files is generated

Get-ChildItem -Path C:\Windows\Prefetch -Recurse | Copy-Item -Destination Destination_Path

To examine the files, we can use Prefetch Viewer, an open-source tool by nirsoft. Link for the same is provided below

Collecting Jump List & LNK Files

Jump Lists are simply lists of recent used files associated with program that is pinned in the taskbar or Start Menu. Often, users pin files to the taskbar for which an entry is created inside the Windows system.

Shortcut files that we seen on our Desktop, those files are often referred as Link files. In addition to these LNK files, the OS automatically creates LNK file when user open non-executable file or document. Information gathered from the LNK file:

  • Original file system path where target file is stored
  • Timestamps for both target file and LNK file
  • Size of target file
  • System Name, Volume Name, Volume Serial Number and sometimes the MAC address

Jump Lists and Lnk files can be used to analyse the recent activity of the user.

C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

We can recursively copy the items from the above mentioned location with Powershell and open the files in open-source tool “JumpListsView”. Link for the tool is provided below:

To get the .lnk files, write the below command in Powershell window

Get-WmiObject -Class Win32_ShortcutFile | Select-Object PSComputerName,Name,CreationDate,Encrypted,InstallDate,LastAccessed,Target | Format-List

Collecting ShellBags

Shellbags store user preference for GUI folder within the explorer. If ever made change to folder and returned to that folder to find new preferences intact, then Shellbags were in action.

These are can be used to reconstruct user activities, but information is available only for folders that have been opened and closed in Windows Explorer at once. We can also identify when folder was last visited or last updated.

Shellbags locations in Windows Registry:

HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

To get the values from the above mentioned Registry paths, type the following commands in the Powershell window

Get-ChildItem ‘Registry::HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\’ -Recurse > Path_for_txt.txt

For further information on Shellbags, you can check out this SANS blog:

SMB Info

Server Message Block (SMB) allows devices to perform number of functions for each other via local network. For e.g., Network can be used as a File sharing service between computers connected on a Local network.

To get the SMB Session info, write the following command in Powershell window

Get-SmbSession

To know the information on the content sharing, write any of the following command in the powershell window

Get-SmbShare

Get-WmiObject -Class Win32_ShareToDirectory

Win32_ShareToDirectory class relates a shared resource on the computer system and the directory to which it is mapped.

List of Installed Applications

To gather the list of Installed applications, there are a number of commands. But why not one command only? Everytime we install an application, that application has an entry with it’s Uninstaller that we see while removing it from the Control Panel.

But that is not the case with every application we are running inside the Windows system. Now with trend of portable applications, that do not require any installer, just plug-run terminology, those applications will not be listed inside the Control Panel.

Within the Registry, installed applications are found under the hive location

HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\

HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

Get Installed applications from the entries within Registry

Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

Get-ItemProperty -Path “HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*” | Select-Object DisplayVersion,InstallDate,InstallLocation,InstallSource,Publisher,Version,DisplayName

Powershell provides 2 functions to get Installed application. Get-AppxPackage provides list of the app packages that are installed in a user profile.

Get-AppxPackage -AllUsers | Select-Object Name,PackageFamilyName

Similarly, Get-WmiObject query “Win32_Product” provides list of installed applications.

Get-WMIObject -Query “SELECT * FROM Win32_Product” | Select-Object Name,Caption,Version | Format-List

Windows Defender Logs

I suppose that every reader must be knowing the importance of Defender logs. Any malicious file introduced in the system, is detected by Defender and the antivirus creates a log for the same. Even for Incident Response team or Forensic team, this if of great interest.

Powershell provides a number of commands if your search in the powershell window

Commands related to Defender Module

Get-MpComputerStatus gets the status of antimalware software installed on the computer.

Output for Get-MpComputerStatus

But there is one Windows Event named “Microsoft-Windows-Windows Defender/Operational” which gathers the logs of all the WinDefender events. We’ll try to parse the same and see the output using the following command

Get-WinEvent -LogName “Microsoft-Windows-Windows Defender/Operational”

Let’s try to save the logs into CSV with more attributes with the following command and observe the output

Get-WinEvent -LogName “Microsoft-Windows-Windows Defender/Operational” | Select-Object ID,Level,Task,ProviderID,ProcessId,ThreadId,MachineName,UserId,TimeCreated,ActivityId,LevelDisplayName,Message | Export-Csv Path_to_Csv -NoTypeInformation -Force -Encoding UTF8

Within the CSV file, I applied the filter on LevelDisplayName for Warnings and that provided the list of threats defender has detected on the system.

Notification Database

Notifications on Windows can hold useful data. Through these notifications we can retrieve valuable details such as the text or content of the notification that was displayed to the user, the date and time when the notification was received, notification expiration date, and other details. This feature enables investigators to track and recover events on the user device even if the source has been deleted.

Default location for the notification database file on the Windows system:

C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Notifications

Notifications Database

First, copy the Notifications folder forensically to the desired location after creation of hashes of all the files. We can use SQLite DB Browser to view the .db file. Link for SQLite DB Browser:

Under the “Notification” table, you’ll find the Notifications as shown in the below screenshot

Cortana Database Info

If any reader is using Cortana to perform some operations, than there must some database created inside your Windows system. The deafult location for Cortana Database is

\Users\%USERNAME%\AppData\Local\Packages\Microsoft.Windows.Cortana.XXXXXXXX\

The contents of the database are stored in .edb extension database file. We can copy the contents forensically to our desired location and view the contents using tool ESEDatabase Viewer by Nirsoft.

Conclusion

Collection of Window artifacts is crucial and also important if found the system in Power-On state. Due to the volatile nature of the artifacts, it is necessary to collect as much information as possible according to their volatility described by the RFC-3227.

With the advanced functions of Powershell and scripting feature, the artifacts collection task can be done in minimal time allowing the investigator to do analysis procedure at ease. Further, the use of Open-Source tools for analysis can also be done to analyse the system from different angles as well.

Last & the major part of Windows system that remains is Registry. In the next part, I’ll mention about Windows Registry, what are the important Hive locations where an investigator can find important clues, and how Powershell can be used to extract those clues.

Until then, any comments or suggestions on this would be greatly appreciated to create some new content for the readers.

--

--

--

Cyber World

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Leetcode Series. No 079: Word Search

Time scheduling to trigger Jenkins job

Then Earl spoke up…

Static and dynamic libraries ©

Best Chrome Extensions for frontend developers and web designers

Solution for “Add and Search Word — Data structure design” LeetCode question

Stream Millions of events from your client to BigQuery in a Serverless way, Part #1

Know It All About Smoke Testing

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Aditya Pratap

Aditya Pratap

Cyber World

More from Medium

Suspicious Mshta Behavior on LetsDefend

Spelunking with the fundamental concepts of Splunk

spelunking splunk threathunting

How to Build a Happy SOC — Part 1

Wazuh And MISP Integration