
Windows Forensic 2 Investigation

TryHackMe | Windows Forensics 2

IMPORTANT NOTES

NTFS – Master File Table

Like the File Allocation Table, there is a Master File Table in NTFS. However, the Master File Table, or MFT, is much more extensive than the File Allocation Table. It is a structured database that tracks the objects stored in a volume. Therefore, we can say that the NTFS file system data is organized in the Master File Table. From a forensics point of view, the following are some of the critical files in the MFT:

$MFT

The $MFT is the first record in the volume. The Volume Boot Record (VBR) points to the cluster where it is located. $MFT stores information about the clusters where all other objects present on the volume are located. This file contains a directory of all the files present on the volume.

$LOGFILE

The $LOGFILE stores the transactional logging of the file system. It helps maintain the integrity of the file system in the event of a crash.

$UsnJrnl

It stands for the Update Sequence Number (USN) Journal. It is present in the $Extend record. It contains information about all the files that were changed in the file system and the reason for the change. It is also called the change journal.

MFT Explorer

MFT Explorer is one of Eric Zimmerman’s tools used to explore MFT files. It is available in both command line and GUI versions. We will be using the CLI version for this task.

1- Parse the $MFT file placed in C:\users\THM-4n6\Desktop\triage\C\ and analyze it. What is the size of the file located at .\Windows\Security\logs\SceSetupLog.etl?

49152

Parse the $MFT with the CLI version of MFT Explorer and then open the output with EZViewer.

2- What is the size of the cluster for the volume from which this triage was taken?

4096
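The $MFT section above says the VBR points to the cluster holding $MFT, and question 2 asks for the volume's cluster size. As an added example (not part of the room or this writeup), the Python below parses a constructed NTFS boot sector to derive the cluster size, the $MFT byte offset and the MFT record size; the sample values are made up and the field offsets follow the standard NTFS VBR layout.

```python
import struct

# Constructed 512-byte NTFS boot sector (VBR) for illustration only; it is
# not taken from the room's triage image. Chosen values: 512 bytes per
# sector, 8 sectors per cluster, $MFT at cluster 786432, 1024-byte records.
def build_sample_vbr() -> bytes:
    vbr = bytearray(512)
    vbr[0:3] = b"\xeb\x52\x90"                    # x86 jump to boot code
    vbr[3:11] = b"NTFS    "                       # OEM ID
    struct.pack_into("<H", vbr, 0x0B, 512)        # bytes per sector
    vbr[0x0D] = 8                                 # sectors per cluster
    vbr[0x15] = 0xF8                              # media descriptor (fixed disk)
    struct.pack_into("<Q", vbr, 0x28, 0x1DFFFFF)  # total sectors in the volume
    struct.pack_into("<Q", vbr, 0x30, 786432)     # $MFT starting cluster (LCN)
    struct.pack_into("<Q", vbr, 0x38, 2)          # $MFTMirr starting cluster
    struct.pack_into("<b", vbr, 0x40, -10)        # MFT record size: 2**10 bytes
    vbr[0x1FE:0x200] = b"\x55\xaa"                # boot sector signature
    return bytes(vbr)


def _record_size(field: int, cluster_size: int) -> int:
    # Signed field: a negative value n means 2**(-n) bytes, a positive
    # value is a count of clusters.
    return 2 ** (-field) if field < 0 else field * cluster_size


def parse_ntfs_vbr(vbr: bytes) -> dict:
    """Return the geometry a forensic parser needs before reading $MFT."""
    if len(vbr) < 512 or vbr[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    if vbr[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("missing boot sector signature")
    bytes_per_sector = struct.unpack_from("<H", vbr, 0x0B)[0]
    spc = vbr[0x0D]
    # Values >= 0x80 are an exponent encoding used for clusters larger than
    # 64 KiB (e.g. 0xF8 -> 2**8 = 256 sectors); otherwise a plain count.
    sectors_per_cluster = 2 ** (256 - spc) if spc >= 0x80 else spc
    cluster_size = bytes_per_sector * sectors_per_cluster
    mft_lcn = struct.unpack_from("<Q", vbr, 0x30)[0]
    mftmirr_lcn = struct.unpack_from("<Q", vbr, 0x38)[0]
    rec_field = struct.unpack_from("<b", vbr, 0x40)[0]
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,              # "size of the cluster"
        "mft_offset": mft_lcn * cluster_size,      # byte offset of record 0
        "mftmirr_offset": mftmirr_lcn * cluster_size,
        "mft_record_size": _record_size(rec_field, cluster_size),
    }


if __name__ == "__main__":
    for key, value in parse_ntfs_vbr(build_sample_vbr()).items():
        print(f"{key}: {value}")
```

On a real triage the same fields are read from the $Boot file (the first sector of the volume), which is how tools derive the cluster size before walking $MFT.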

3- How many times was gkape.exe executed?

2

PECmd.exe -d C:\Users\THM-4n6\Desktop\triage\C\Windows\prefetch --csv ..\ResultsEvidenceofExec

Then the results can be seen with EZViewer.

4- What is the last execution time of gkape.exe?

12/01/2021 13:04

Found in the same CSV file from before.

5- When Notepad.exe was opened on 11/30/2021 at 10:56, how long did it remain in focus?

00:00:41

WxTCmd.exe -f C:\Users\THM-4n6\Desktop\triage\C\Users\THM-4n6\AppData\Local\ConnectedDevicesPlatform\L.THM-4n6\ActivitiesCache.db --csv C:\Users\THM-4n6\Desktop\Results

Once we see the "in focus" wording, we know the question is referring to the Windows 10 Timeline database (ActivitiesCache.db). We run the command, open the CSV with EZViewer, and carefully look at the column that shows the duration, matching the row to the time given in the question.

6- What program was used to open C:\Users\THM-4n6\Desktop\KAPE\KAPE\ChangeLog.txt?

Notepad.exe

JLECmd.exe -d C:\Users\THM-4n6\Desktop\triage\C\Users\THM-4n6\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations --csv C:\Users\THM-4n6\Desktop\Results

Once I noticed the "what program was used" question, I knew I needed to get the Windows Jump Lists. Then, in the AppIDDescription column, it says Notepad 64-bit.

7- When was the folder C:\Users\THM-4n6\Desktop\regripper last opened?

12/1/2021 13:01

JLECmd.exe -d C:\Users\THM-4n6\Desktop\triage\C\Users\THM-4n6\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations --csv C:\Users\THM-4n6\Desktop\Results

Keywords: folder last opened.

8- When was the above-mentioned folder first opened?

12/1/2021 12:31

Using the same CSV file obtained from the JLECmd.exe command run previously.