As i’m sure i’ve mentioned before, event logs are a great source of evidence when performing incident response. In particular, lateral movement can be one of the hardest things to identify when investigating network based intrusions.
Event ID 1024 in log file Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx is an event that can sometimes be overlooked and it relates specifically to ActiveX controls in remote desktop.
In built ActiveX controls allow an administrator to configure the RDP user experience by providing scriptable interfaces and can allow embedding RDP ActiveX control in web pages and configuring URL security zones, as a couple of examples.
Event ID 1024 which contains the following message:
“RDP ClientActiveX is trying to connect to the server (IP.ADDRESS OR HOSTNAME)”
Whether IP or hostname display here, will depend on what is entered in “Computer” files in the GUI for remote desktop.
This event ID appears (in testing) to be generated when a user initiates an RDP connection using the RDP client MSTSC.exe in Windows by pressing ‘connect’.
The great thing is, event 1024 entries will be created whether a session is connects or not.
This means while an attacker may not have successfully connected via RDP to another computer, we may still see evidence of their attempts. This log may also persist longer than other logs too, where a Security log may only cover a days worth of activity, you may find months worth of evidence in this log.
When paired with 4648 Security events and other remote computer RDP logs, this can show both attempted or successful connection and authentication to a remote (target) computer.
FTK Imager is renowned the world over as the go-to forensic imaging tool. While working in law enforcement I was always obsessed with ensuring I had captured the ‘golden forensic image’ which for obvious reasons, is still ideal and gives you all that unallocated spacey goodness.
But…
Modern day forensics and IR require answers. Quick!
As we all know, things have moved on quite rapidly from grabbing an image of a dead box and leaving it processing in your tool of choice over the weekend. This is mainly due to the issue that most units have; backlogs, lack of time and urgency to produce results. Whether it’s management in Law Enforcement looking for the silver bullet ‘Find Evidence’ button in Axiom (no digs at Magnet but please put that back in :)) or the large corporations incident responder needing to analyse hundreds of endpoints for one specific artefact.
Now, I’m not saying FTK Imager is about to answer either of those questions for you but there are some handy functions which I had never used until recently.
Custom content images in FTK Imager allow the analyst to add an evidence item and build a logical image (AD1… sorry XWF users) containing only files of their choosing.
This can be handy for a few reasons.
Perhaps time to capture evidence is limited.
This could involve accessing a users laptop remotely while it is only attached to the network for a short time. This may not be lawfully permitted in your country.
You could have been given a computer with no PSU and need to acquire evidence from it before the battery dies (as I once had to do in the back of a $380 taxi journey).
In the law enforcement world, there are any other numbers of reasons why you may be tight on time.
You have strict instructions on what to acquire.
You might only have legal permission to or have been asked to only extract specific files types.
You are capturing evidence from a shared computer and are only allowed to extract files specific to a user account due to legal privilege.
Here are some simple ways around some of these problems using FTK Imager, presuming you are working with Windows computers or existing images.
Custom Content Image by File Type
FTK Imager allows the use of Wild Cards to filter and find specific files stored on the file system. This is a great feature if you are looking for a file by name*, extension or batch of files with similar names.
* Noting that files by name may not meet all matching files in the way that hashing will.
Wild Card Syntax:
? = Replaces any single character in the file name and extension
* = Replaces any series of characters in a file name and extension
| = Separates directories and files
Wild Card Filters:
Users|*|NTUSER.dat
Users|*|Documents|*.doc
Users|*|Downloads|Evidence ?.pdf
Windows|Prefetch|*
1: Start by browsing to your custom content item.
2: Then right-click and select add to “Custom Content Image”.
3: You can manually add custom content by selecting “New” using the wildcard option or “Edit” existing custom content.
*As far as I’m aware, there is not an option to save your custom content as a template.
(Please let me know if you do, as I currently just use a text file as a template for files of interest for varying investigation types)
Creating Content Image by User SID
As previously mentioned, your scope may be limited due to shared computer use and while this may not be of too much importance for law enforcement, files belonging to a user may be marked as privileged by civil court orders.
We can use FTK Imager to create an image of only files owned by a specific users SID, the process is just as we defined previously but upon creating the custom content image you need to select the tick box to “Filter by File Owner”.
Once you have selected this, you will be presented with the respective file owners and their SID’s on the system.
Collection for Incident Response
The last instance where these methods may be useful is if you have a handful of workstations where you need to collect some very specific files or artefacts from. I tend to use a text file as a template. Although this works, it is a bit clunky and slow.
There are a great many other commercial and open source tools which can already perform these tasks extremely well, such as f-response, X-Ways Forensic, GRR and so on. This option also doesn’t really work for incident response at scale but if you’re stuck without your commercial tools or have a very targeted approach for collections from a few computers, then this could work for you.
FTK Imager also comes in a lite flavour which doesn’t require any installation. 🙂
As you may be aware, there is already a plethora of forensic tools available for producing system timelines, all with their own capabilities and some with limitations. From Sleuth Kits FLS/Mactime, Plaso/Log2timeline, XWF, Axiom, Encase and more recently Timeliner for Volatility. I’m sure many more have performed this function to varying degrees over the years but Microsoft hasn’t been one, until now.
Last patch Tuesday, Microsoft released Windows 10 update (1803) which has brought along a number of new features including a new Timeline function, which allows users to look back in time at their previous activities.
This got me thinking.
A built-in Windows utility which shows linear recent activity (within thirty days) on a computer system and runs under user context.
Very interesting… Let’s take a look!
File Creation/Opening
First I had to find out where Windows tracks all of this activity. A simple keyword search for a sample document name ‘This is a test document.docx’ exposed the following file as a potential area of interest:
Now, SQL is not my forte so I had a pretty rudimentary poke around by parsing it out to csv to see what I could find. The database file contains a number of tables and of initial interest, I would highlight the ‘Activity’ and ‘Activity_PackageID’ tables for a first look to interrogate this file.
Windows 10 Timeline
In the ‘Activity’ table under ‘AppID’, Microsoft Word can be seen as the application used to open the file.
From the ‘Payload’ entry you can identify further display options for the Timeline entry, including ‘Word’ and the display text being the filename.
Timestamps
Other notable entries found in the Activities Cache database are the associated timestamps. For our test document mentioned above, you can see the following timestamps which are stored in Unix format within the ActivitiesCache.db file:
Last Modified: Tue, 1 May 2018 20:28:18
Expiration Time: Thu, 31 May 2018 20:28:18
Start Time: Tue, 1 May 2018 20:28:18
Last Modified on Client: Tue, 1 May 2018 20:28:18
After some testing, I identified that the expiration time is as expected, thirty days from the entry start time. The timestamps do not appear to be updated after a file is deleted although the deleted file will remain visible in the Timeline (presumably for up to thirty days or when the database is purged). Timestamps do not appear to be updated within a twenty-four hour period, after modification to files.
Program Execution
The ‘Activity_PackageID’ table contains entries for applications which include paths for executables, executable names and also the expiration time for these entries. This activity not only shows applications that were executed within the last 30 days but by backdating the expiration timestamp, you may be able to identify a time when that application was run and by which user. This can obviously be correlated with other artefacts such as prefetch.
This is just some initial testing and there is a wealth of further information in this file which will need further analysis to decode fully. It’s certainly nice to see some new functionality in Windows which not only serves a meaningful purpose for the end user but also provides examiners with another artefact showing user interaction, web browsing activity, program execution, file opening and creation.
Update:
Eric Zimmerman has written a tool now to parse this database and you can find that along with all his other amazing tools, here:
Salt Forensics 