Week of Data Dumps, Part 7 – registry

This one is not a surprise, I hope. Most forensic artifacts are either file- or Registry-oriented. Of course, there is the macOS / OS X world out there, and there is Linux, but in reality a lot of DFIR still lives inside the Microsoft world.

My 3R page lists a lot of interesting Windows Registry artifacts that I automagically pulled from Harlan Carvey’s regripper.

The file linked to this post shows a few more, either properly attributed… or not. After all, who has the TIME for all the analysis?!!! Still, hopefully it’s useful to some…

Week of Data Dumps, Part 6 – file names

This week is longer than I thought, so time to catch up… 🙂

This one is a mess, but sometimes a bit of a mess is not a bad thing. It is useful at least for cherry-picking breadcrumbs in vast amounts of sandbox or EDR logs…

Yes… file names… we can love them, we can hate them, but many of them are so characteristic that it really would be a mistake to ignore them. Whether they are accessed for reading, writing, locking, or anything else, we can pick up a lot of behavioral patterns from the simple fact that these files are somehow targeted by a program that touches them…

On that note… I am not aware of any EDRs collecting attempts to open non-existing files or other objects; this would be a nice detective feature to have available (I actually bet it's in place, just not available to customers). The ability to see what programs are attempting to use what objects, load non-existing libraries, create/open mutexes, semaphores, pipes, as well as 'find' and 'search' operations, etc. is something we all want to see more of.
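To make the two ideas above concrete (file names as breadcrumbs, and "what did the program look for that wasn't there"), here is an added example that is not part of the original post. It parses a handful of constructed log lines in a Procmon-style CSV layout (Time of Day, Process Name, PID, Operation, Path, Result, Detail), flags every access whose result says the object did not exist (DLL, named pipe, file, or a directory search), matches file names against a small illustrative watchlist with a loose tag for each entry, and reconstructs the trail a process followed while looking for a DLL. The sample rows, the watchlist and its tags are assumptions made for the example, not data from the post.

```python
import csv
import fnmatch
import io
import ntpath
from collections import defaultdict

# Constructed sample in a Procmon-style CSV layout
# ("Time of Day","Process Name","PID","Operation","Path","Result","Detail").
# The rows are made up for this example, not taken from any real capture.
SAMPLE_LOG = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.001","updater.exe","4120","CreateFile","C:\\Program Files\\Updater\\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.002","updater.exe","4120","CreateFile","C:\\Windows\\System32\\dwmapi.dll","SUCCESS","Desired Access: Read Data/List Directory"
"10:00:01.010","updater.exe","4120","CreateFile","\\\\.\\pipe\\agent_ctl","NAME NOT FOUND","Desired Access: Generic Read/Write"
"10:00:02.000","svc.exe","5008","CreateFile","C:\\Users\\Public\\Documents\\wallet.dat","NAME NOT FOUND","Desired Access: Generic Read"
"10:00:02.001","svc.exe","5008","CreateFile","C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data","SUCCESS","Desired Access: Generic Read"
"10:00:02.002","svc.exe","5008","QueryDirectory","C:\\Users\\alice\\Documents\\*.kdbx","NO SUCH FILE","Filter: *.kdbx"
"10:00:03.000","explorer.exe","1234","CreateFile","C:\\Users\\alice\\Documents\\report.docx","SUCCESS","Desired Access: Generic Read"
'''

# Illustrative watchlist (assumed for the example): characteristic file names,
# each with a loose tag saying why touching it is interesting. Patterns are
# fnmatch-style and compared against the lower-cased basename.
WATCHLIST = {
    "wallet.dat": "cryptocurrency wallet file",
    "login data": "Chromium saved-credential database",
    "ntds.dit": "Active Directory database",
    "*.kdbx": "KeePass database (search pattern)",
}

# Procmon result strings that mean "the object was not there".
NOT_FOUND_RESULTS = {"NAME NOT FOUND", "PATH NOT FOUND", "NO SUCH FILE"}


def parse_events(text):
    """Parse Procmon-style CSV text into a list of dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def object_kind(path):
    """Rough classification of the object a Windows path refers to."""
    low = path.lower()
    if low.startswith("\\\\.\\pipe\\"):
        return "pipe"
    if low.endswith(".dll"):
        return "dll"
    return "file"


def find_probes(events):
    """Accesses to objects that do not exist: the 'what did it look for' signal."""
    probes = []
    for ev in events:
        if ev["Result"] in NOT_FOUND_RESULTS:
            probes.append({
                "process": ev["Process Name"],
                "pid": ev["PID"],
                "operation": ev["Operation"],
                "path": ev["Path"],
                "kind": object_kind(ev["Path"]),
            })
    return probes


def match_watchlist(events, watchlist=WATCHLIST):
    """File-name breadcrumbs: any access, successful or not, to a characteristic name."""
    hits = []
    for ev in events:
        name = ntpath.basename(ev["Path"]).lower()
        for pattern, tag in watchlist.items():
            if fnmatch.fnmatchcase(name, pattern):
                hits.append((ev["Process Name"], ev["Path"], ev["Result"], tag))
    return hits


def dll_search_trails(events):
    """Per (process, DLL basename), the ordered (path, result) pairs it tried.
    A NAME NOT FOUND in the application directory followed by SUCCESS elsewhere
    shows the loader walking its search order; the miss is the part worth keeping."""
    trails = defaultdict(list)
    for ev in events:
        if ev["Operation"] == "CreateFile" and object_kind(ev["Path"]) == "dll":
            key = (ev["Process Name"], ntpath.basename(ev["Path"]).lower())
            trails[key].append((ev["Path"], ev["Result"]))
    return dict(trails)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for p in find_probes(evs):
        print(f"PROBE  {p['process']:12} {p['kind']:4} {p['operation']:14} {p['path']}")
    for proc, path, result, tag in match_watchlist(evs):
        print(f"NAME   {proc:12} {result:14} {path}  <- {tag}")
    for (proc, dll), trail in dll_search_trails(evs).items():
        steps = " -> ".join(f"{r} @ {ntpath.dirname(p)}" for p, r in trail)
        print(f"DLL    {proc:12} {dll}: {steps}")
```

Run it as-is and it prints the four probes (a DLL, a pipe, a file and a directory search that came back empty), the three watchlist hits, and the dwmapi.dll trail showing the miss in the application directory before the hit in System32. Note that `match_watchlist` deliberately ignores the result column: a failed open of wallet.dat tells you as much about intent as a successful one, which is exactly why the missing-object data would be worth having.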

Here's a relatively long list of file-related artifacts of all sorts, sometimes with some loose 'attribution'.