Digital Forensics Investigation using OS Forensics (Part1)

About OSForensics
OSForensics from PassMark Software is a digital computer forensic application which lets you extract and analyse digital evidence efficiently and with ease. It discovers, identifies and manages, i.e. uncovers, everything hidden inside your computer systems and digital storage devices.
OSForensics is a self-contained, standalone toolkit which has almost all the digital forensics capabilities, including data acquisition, extraction, analysis, email analysis, data imaging, image restoration and much more.
In this article we will cover all the major capabilities of OSForensics for digital forensics investigations.
Discovering OSForensics

To start, open OSForensics; the main OSForensics window appears.


On the left-hand side are the main options/capabilities of OSForensics, which we will be talking about in detail.
Please note that the Start option highlights the main, most widely used tools of OSF; the same options can also be accessed through the tabs on the left pane.
The first option is Manage Case:
Whatever task/operation we want to perform in OSF, it is always advisable to create a case for it. Creating a case also helps to distinguish multiple processes/operations from one another, and the case acts as a container for the work done, which is helpful for future reference.
To create a new case, click on the Create Case icon in the Start option or the New Case button in the Manage Case option and provide all the relevant details related to the case. Also note the location where we want to save the case.


Enter all the details and click on OK; we can see the case getting listed. If we are working on more than one case at a time, or have multiple cases listed in OSF, we need to select which case to work on. To do this, select the case and click on Load Case; a green check mark appears against the case which is presently loaded.
We can also delete any case or import an already created case.


For this article we will be working on the NPFJeane case, a demo case (E01 image) on which we will be doing the forensic investigation. (This will be our evidence; we can do the same with any other data or computer disk.) To add the evidence to our case, click on Add Device.


Select Image File, browse for the evidence file and click Open.


All the partitions in the acquired image will be listed. Select the partition and click OK.


The evidence will be added and its evidence name displayed. If required, we can change the display name.


Once successfully added, the evidence will be listed as shown below.
File Search
This option is used to search for a particular file name. To do so, we simply give the file name and browse for the drive, directory or any other location we need to search.



There is a Preset option we can use to select a particular file category.


We can also filter/refine the file search by changing the configuration settings; to do so, click on the Config button and change the settings as required.


Click on OK, and in the File Search window enter the filename and click on Search. Depending on the data volume the search will take a little time and will then display the results. In our search we have searched for the term “Sale”, which shows all the files that have the searched term in their name.


We can also view the found files as thumbnails


and in Timeline view. Timeline view shows a bar graph of the hits for that keyword on the basis of time and keyword count.


This ends the file search.

Create Index / Indexing
Index search is a deeper and more refined search, and is also very vital for forensic investigations.
The most intuitive method for keyword searching is to provide a single keyword and search for occurrences of that keyword within our data/evidence. The best way to achieve this is to create an index of the drive/directory within which we need to search. An index is simply a list of offsets for occurrences of the required keywords. Indexing allows us to search within the contents of many files, drives, directories or image files at once.


In OSF we can either index the predefined file types


or create a customised template.


We can select the extensions we need to search on, and skip any file or folder by specifying its name or by limiting the file size. Customize the template and click OK.


Click on Next and proceed to Step 2. Here we need to select the drive or directory we want to index, select the indexing option from the drop-down as shown below and click on OK.


The selected image, drive or folder will be listed (we can add multiple drives/directories for indexing).


Click on Next and proceed to Step 3.
Now we get a view of the drives we are indexing along with the extensions that will be indexed. If everything is as required, click “Start Indexing”; otherwise click the “Back” button to make changes.


Indexing will start; depending on the data volume it will take some time for the indexing to complete.


Initially a pre-scan is performed, and immediately after the pre-scan, indexing starts automatically.


Once indexing is complete, we get a popup with an “indexing finished” message.


We can also check the index log to see the status/result of indexing and any errors that may have occurred during indexing.



Search Index
Above we have indexed the drive for keyword searching; now we will actually search for keywords in the indexed drive/directory.
To start, click on Search Index.
We can see all the drives we have indexed in a drop-down.


We can enter the keywords we want to search one by one in the “Enter Search Word” tab, click on Search and get the result on the screen. We have searched for the keyword “Sales” inside our evidence and can see all the files containing that word.


Alternatively, we can put the keywords we want to search in a text file and upload it; this option is suitable when we want to search multiple keywords at the same time.
We have created a text file named key.txt with three keywords and saved it on the desktop.


To upload this file, click on “Use Word List File” and select the file referred to above.
We can see the results for the keywords on the screen, along with the total number of hits for each keyword in the indexed directory, under the History tab.


Double-click on a keyword in the list and all the files containing that particular keyword will be listed under the Files tab.


This ends the Indexing and search under indexing.
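As an added example (not OSForensics code), the following Python script builds the kind of keyword index described above, a map from each word to the byte offsets where it occurs in each selected file, applies a customised template (extensions to index, names to skip, a size limit), and then runs both a single-keyword search and a word-list search like key.txt, reporting the per-keyword hit count (the History tab) and the files containing each keyword (the Files tab). The evidence files, template settings and word list are constructed inline, and the index layout is an assumption that mirrors the "list of offsets" description, not OSForensics' own format.

```python
"""Build a keyword index (word -> file -> byte offsets) over selected
files and query it one keyword at a time or from a word-list file.

Added example, not OSForensics code. EVIDENCE, TEMPLATE and KEY_TXT are
constructed stand-ins for the indexed directory, the indexing template
and the key.txt word list."""
import re
from collections import defaultdict

# Constructed evidence: path -> file content.
EVIDENCE = {
    "Documents/sales_q1.txt": b"Quarterly sales report. Sales were up; the sales team was praised.",
    "Documents/resume.txt": b"Resume of J. Doe. Skills: ethical hacking, sales support.",
    "Documents/big.txt": b"sales " * 1000,                # over the size limit, skipped
    "Temp/cache.bin": b"\x00\x01 binary junk sales \xff",  # skipped by name
    "Pictures/photo.jpg": b"\xff\xd8\xff\xe0 JFIF sales",   # extension not in template
}

# Customised template, as set in the indexing wizard's Step 1.
TEMPLATE = {
    "extensions": {".txt", ".docx", ".bin"},  # file types to index
    "skip_names": {"cache.bin"},              # files/folders skipped by name
    "max_size": 1024,                         # skip files larger than this (bytes)
}

# Constructed key.txt: one keyword per line, three keywords.
KEY_TXT = "sales\nethical\npassword\n"

WORD_RE = re.compile(rb"[A-Za-z0-9_]+")


def selected(path, data, template):
    """Pre-scan decision for one file: extension filter, skip-by-name, size limit."""
    name = path.rsplit("/", 1)[-1]
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext not in template["extensions"]:
        return False
    if any(part in template["skip_names"] for part in path.split("/")):
        return False
    return len(data) <= template["max_size"]


def build_index(files, template):
    """Indexing pass: lower-cased word -> {path: [byte offsets of each occurrence]}."""
    index = defaultdict(lambda: defaultdict(list))
    for path, data in files.items():
        if not selected(path, data, template):
            continue
        for m in WORD_RE.finditer(data):
            index[m.group().lower().decode()][path].append(m.start())
    return index


def search(index, keyword):
    """Single-keyword search (case-insensitive): {path: [offsets]}, empty if no hits."""
    return dict(index.get(keyword.lower(), {}))


def search_word_list(index, word_list):
    """Word-list search: {keyword: {"hits": total occurrences, "files": sorted paths}}."""
    results = {}
    for line in word_list.splitlines():
        kw = line.strip()
        if not kw:
            continue
        per_file = search(index, kw)
        results[kw] = {
            "hits": sum(len(offs) for offs in per_file.values()),
            "files": sorted(per_file),
        }
    return results


if __name__ == "__main__":
    idx = build_index(EVIDENCE, TEMPLATE)
    for kw, r in search_word_list(idx, KEY_TXT).items():
        print(f"{kw}: {r['hits']} hits in {r['files']}")
```

Because the index stores byte offsets rather than just file names, a hit can be taken straight to its location in the evidence, which is what makes an index search faster than re-reading every file for each keyword.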
For more on OSForensics, wait for the next article.

Post Exploitation on Windows PC (System Command)

This article is about post-exploitation on the victim’s system using the Windows command line. When an attacker gains a meterpreter session on a remote PC, he/she can enumerate a huge amount of information and make effective changes using knowledge of the Windows command line.
Requirement
Attacker: Kali Linux
Target: Windows PC
To execute this, we will first obtain the meterpreter session of the remote PC, which you can learn from here. After gaining the session, escalate its privileges to Administrator, which you can learn from here.
Now, to access the Windows command line, type ‘shell’ in the meterpreter shell.
Let’s Start!!
Obtain User Details and its Privileges
After gaining the meterpreter shell or Windows command line, before doing any work it is important to know the current user. This command is usually used to verify that the account we were trying to access is the one we got. This can be done simply using the command whoami.
To increase our reach, we will use an option of the “whoami” command:
[/all]: to show all the details about the user.
Example: whoami /all

As seen below, we have the username, SID and local group details.


We also obtain details about the privileges that are enabled or disabled for the user we are currently logged on as.


Obtain the System Info
This command helps us enumerate a lot of information regarding the system, such as hostname, domain, time zone and much more.
Example: systeminfo


We can filter the basic system details (manufacturer, build and model) of the victim’s system using findstr.
Example: systeminfo | findstr System
As shown in the screenshot below, we have the boot time, manufacturer, model, type, directory and language of the victim’s system.


We can obtain the approximate location (down to the country) of the victim’s system using systeminfo.
Here we are using findstr with systeminfo to filter the systeminfo results.
Example: systeminfo | findstr Time
As shown in the screenshot below, we have the Time Zone (UTC+05:30), so we can say that the victim’s system is in India.


Obtain Memory Details (Physical, Virtual, In Use, Free)
We can obtain the basic memory details of the victim’s system using systeminfo.
Here we are using findstr with systeminfo to filter the systeminfo results.
Example: systeminfo | findstr Memory
As shown in the screenshot below, we have the total physical memory of 3.5 GB, of which 1.6 GB is available; we also get the virtual memory details.


Obtain the List of System Drivers
We can display a list of all installed device drivers on the victim’s system and their properties with the command driverquery.
Example: driverquery


We can get the list of kernel drivers on the victim’s system using driverquery.
Here we are using findstr with driverquery to filter the driverquery results.
Example: driverquery | findstr Kernel
As seen below, we have obtained a list of kernel drivers, which can be used to find direct exploits for the victim’s system.


Obtain the List of File System Drivers
We can get the list of file system drivers on the victim’s system using driverquery.
Here we are using findstr with driverquery to filter the driverquery results; the /C: switch makes findstr treat the quoted phrase as one literal string instead of two separate search words.
Example: driverquery | findstr /C:"File System"


Display Info about a Particular Service
We can obtain information about a particular service using the sc command. Here we are using the following option with the sc command:
[query] to obtain the name and status of a service.
Syntax: sc query [service name]
Example: sc query wuauserv


We can obtain information about running tasks using the tasklist command.
This command shows the name of each running task along with its Process ID (PID), session name, session number and memory usage.
Syntax: tasklist


[/m]: to list the modules (DLLs) loaded by each task
If we mention a module name, the task list is filtered to the tasks that have loaded that module.
Syntax: tasklist /m [Module Name]
Example: tasklist /m ntdll.dll
Here we can see all the tasks that have loaded the ntdll.dll module.

Killing Tasks
We can kill tasks on the victim’s system using a command called taskkill.
Taskkill requires one of two things:
1. Process ID
2. Task (image) name
Here we are going to use the [/f] option of taskkill, which makes taskkill forcefully terminate the task.
Killing a task using the Process ID
Syntax: taskkill /f /pid [Process ID of task]
Example: taskkill /f /pid 7236


Killing a task using the task name
Syntax: taskkill /f /im "[Task Name]"
Example: taskkill /f /im "Taskmgr.exe"


Start or Stop Services
We can start a service or some backdoor without the knowledge of the victim using the sc command.
Here we are using the following option with the sc command:
[start] to start a service.
Syntax: sc start [Service Name]
Example: sc start TeamViewer
As you can see in the image below, the service has started.


We can also stop a service using the sc command. Here we are using the following option with the sc command:
[stop] to stop a service.
Syntax: sc stop [Service Name]
Example: sc stop TeamViewer
As you can see in the image below, the service stopped.


List all the logs on the System
We can obtain a list of all the logs on a system using the wevtutil command. Here we are using the following option with the wevtutil command:
[el] to list (enumerate) log names.
Example: wevtutil el



Clear a specific log on the System
We can clear a specific log on a system using the wevtutil command. Here we are using the following option with the wevtutil command:
[cl] to clear a log.
Syntax: wevtutil cl [log name]
Example: wevtutil cl System


Find all the Hard Disk/Storage Partitions on a System
While penetration testing a remote PC, knowledge of all the hard disks or storage devices and partitions is essential so that we can sweep all the partitions and storage devices in the hope of finding data of particular importance.
This can be done using the fsutil command. Here we are using the following options with the fsutil command:
[fsinfo] to view file system info.
[drives] to list all drives.
Example: fsutil fsinfo drives
As you can see below, the victim system has 4 hard disk partitions: C, D, E and F.


Delete all logs on a System
While penetration testing a remote PC, it is essential to remove the traces of your activities, so we need to remove the evidence of our presence, which can be found in log files.
Log files typically have a .log extension, so we are going to sweep the system directory for files with the .log extension and delete them with the del command.
Note: Use this command with the path set to the system directory (in my case it is C:\)
Here we are using the following options with the del command:
[/a] to select files based on attributes (given alone, as here, it matches files regardless of their attributes, hidden and system files included)
[/s] to delete the matching files from all subdirectories as well
[/q] to use quiet mode (it doesn’t ask whether it is OK to delete on global wildcards)
[/f] to force deletion of read-only files
Syntax: del [Directory]\*.log /a /s /q /f
Example: del \*.log /a /s /q /f
As you can see in the screenshot below, the process of detecting and deleting the files with the .log extension has started.



While penetration testing a remote PC, it is important to obtain the list of local users so that the attacker can gain information about the various users assigned to that particular system.
This can be done using the net command. Here we are using the following option with the net command:
[user] to display the list of local users
Example: net user
It is always advantageous to add a user to the local groups so that the attacker can perform certain tasks on that system.
This can be done using the net command. Here we are using the following syntax with the net command:
Syntax: net user [logon_name] [password] /add
Example: net user hacker pass123 /add
Many times we come across a situation where we have to perform certain administrative tasks, so we will add the user we created to the Administrators local group.
Here we are using the following option with the net command:
[localgroup] to select the list of local groups
Syntax: net localgroup administrators [logon_name] /add
Example: net localgroup administrators hacker /add
In the above example, I have added a user named hacker to the local Administrators group. We can verify this using the “net user” command.
Now, during the clean-up process it is important to delete the local user created.
This can be done using the net command. Here we are using the following syntax with the net command:
Syntax: net user [logon_name] /del
Example: net user hacker /del
Here you can see that I have used the net command to add a user, make it a member of the local Administrators group and then delete that user.
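From the defender's side, the log clearing, .log deletion and user add/elevate/delete commands above all leave traces in Windows event logging: process-creation events (4688) record the command line when command-line auditing is enabled, the Security log records 4720/4732/4726 for the account changes, and clearing a log itself writes 1102 (Security log) or 104 (other logs). The following Python script is added here and is not part of the original article. It matches those command lines and event IDs over a constructed set of simplified event records and correlates the create/elevate/delete sequence into one "short-lived admin account" finding, which a single-event rule would miss. The record layout (plain dicts instead of EVTX), the timestamps and the account name are assumptions made for the example.

```python
"""Detect the post-exploitation commands covered above in Windows event
data and correlate the create/elevate/delete account sequence.

Added example, not from the original article. SAMPLE_EVENTS are
simplified, constructed records (plain dicts, not EVTX). Event IDs are
the standard ones: 4688 process creation (command line present only
when command-line auditing is on), 4720 user created, 4732 member added
to a security-enabled local group, 4726 user deleted, 1102 Security log
cleared, 104 another log cleared."""
import re
from datetime import datetime, timedelta

# One command-line rule per technique shown in the article.
CMDLINE_RULES = [
    ("event log cleared via wevtutil",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("recursive deletion of .log files",
     re.compile(r"\bdel\b.*\*\.log\b.*\s/s\b", re.I)),
    ("local user created via net",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("user added to local Administrators",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("local user deleted via net",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+/del(ete)?\b", re.I)),
]

T0 = datetime(2024, 1, 15, 10, 0, 0)  # constructed base timestamp

# Constructed event stream replaying the article's commands in order.
SAMPLE_EVENTS = [
    {"id": 4688, "time": T0, "cmdline": r"whoami /all"},
    {"id": 4688, "time": T0 + timedelta(minutes=1), "cmdline": r"net user hacker pass123 /add"},
    {"id": 4720, "time": T0 + timedelta(minutes=1), "account": "hacker"},
    {"id": 4688, "time": T0 + timedelta(minutes=2), "cmdline": r"net localgroup administrators hacker /add"},
    {"id": 4732, "time": T0 + timedelta(minutes=2), "account": "hacker", "group": "Administrators"},
    {"id": 4688, "time": T0 + timedelta(minutes=5), "cmdline": r"wevtutil cl System"},
    {"id": 104, "time": T0 + timedelta(minutes=5), "channel": "System", "user": "hacker"},
    {"id": 4688, "time": T0 + timedelta(minutes=6), "cmdline": r"del \*.log /a /s /q /f"},
    {"id": 4688, "time": T0 + timedelta(minutes=7), "cmdline": r"net user hacker /del"},
    {"id": 4726, "time": T0 + timedelta(minutes=7), "account": "hacker"},
    {"id": 4688, "time": T0 + timedelta(minutes=8), "cmdline": r"systeminfo | findstr Time"},
]


def detect(events):
    """One alert per suspicious record: {'time', 'rule', 'detail'}."""
    alerts = []
    for ev in events:
        eid, t = ev["id"], ev["time"]
        if eid == 1102:
            alerts.append({"time": t, "rule": "Security log cleared", "detail": ev.get("user", "")})
        elif eid == 104:
            alerts.append({"time": t, "rule": f"{ev.get('channel', '?')} log cleared",
                           "detail": ev.get("user", "")})
        elif eid == 4688:
            cmd = ev.get("cmdline", "")
            for name, pattern in CMDLINE_RULES:
                if pattern.search(cmd):
                    alerts.append({"time": t, "rule": name, "detail": cmd})
    return alerts


def short_lived_admins(events, window=timedelta(hours=1)):
    """Accounts created (4720), added to Administrators (4732) and deleted
    (4726) within `window`: the add, elevate, clean-up sequence above."""
    created, elevated, found = {}, {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        acct = ev.get("account")
        if ev["id"] == 4720:
            created[acct] = ev["time"]
        elif ev["id"] == 4732 and ev.get("group", "").lower() == "administrators":
            elevated[acct] = ev["time"]
        elif ev["id"] == 4726 and acct in created and acct in elevated:
            if created[acct] <= elevated[acct] <= ev["time"] <= created[acct] + window:
                found.append(acct)
    return found


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["time"].time(), a["rule"], "|", a["detail"])
    print("short-lived admin accounts:", short_lived_admins(SAMPLE_EVENTS))
```

Note that `wevtutil cl System` removes the earlier records from the System log but not the 4688 entries in the Security log, and clearing the Security log itself produces 1102 as the first event of the freshly cleared log, so forwarding events off the host before they can be cleared is what makes these rules reliable.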


Display the List of all Scheduled Tasks
While penetration testing a remote PC, it is necessary to know the scheduled tasks in order to plan the attacks accordingly and further penetrate the victim’s system. This can be done using schtasks.


Here we are using the following options with the schtasks command:
[/query] to display all scheduled tasks
[/fo] to specify the output format (in this case LIST)
[/v] to use verbose mode
Example: schtasks /query /fo LIST /v
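The systeminfo output filtered with findstr earlier in this article and the schtasks /query /fo LIST /v output here are both "Key: Value" listings, so one parser covers both. The following Python script is added here and is not from the original article. It parses such output into dictionaries (handling keys that themselves contain a colon, such as "Virtual Memory: Max Size", and the indented hotfix continuation lines), reproduces the findstr filter on the parsed fields, converts the Time Zone field to a UTC offset in minutes and the memory fields to numbers, and, for the scheduled tasks, flags enabled tasks that run as SYSTEM from outside the Windows and Program Files directories, which is the review a defender would do on the same listing. Both sample outputs are constructed and abbreviated (the hostname, KB numbers and the \Updater task are made up), and the trusted-directory list is an assumption.

```python
"""Parse the "Key:   Value" listings printed by systeminfo and by
schtasks /query /fo LIST /v, then filter and review them.

Added example, not from the original article. SYSTEMINFO_OUT and
SCHTASKS_OUT are constructed, abbreviated samples in the layout of the
real commands (hostname, KB numbers and the \\Updater task are made up)."""
import re

# Prefer a colon followed by 2+ spaces (the aligned value column) so that
# keys containing a colon, e.g. "Virtual Memory: Max Size", stay intact;
# otherwise split at the last colon that is followed by whitespace.
KV_WIDE = re.compile(r"^(.+?):\s{2,}(.*)$")
KV_NARROW = re.compile(r"^(.+):\s+(.*)$")

# Assumed locations from which a SYSTEM-level task is expected to run.
TRUSTED_PREFIXES = ("%windir%", "%systemroot%", "c:\\windows", "c:\\program files")

SYSTEMINFO_OUT = """\
Host Name:                 DESKTOP-EXAMPLE
OS Name:                   Microsoft Windows 10 Pro
System Boot Time:          15/01/2024, 09:12:45
System Manufacturer:       Example Corp
System Model:              Example Model
System Type:               x64-based PC
Total Physical Memory:     3,583 MB
Available Physical Memory: 1,638 MB
Virtual Memory: Max Size:  4,607 MB
Virtual Memory: Available: 2,221 MB
Virtual Memory: In Use:    2,386 MB
Time Zone:                 (UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB0000002
"""

SCHTASKS_OUT = r"""
Folder: \
HostName:                             DESKTOP-EXAMPLE
TaskName:                             \Updater
Next Run Time:                        16/01/2024 03:00:00
Status:                               Ready
Last Run Time:                        15/01/2024 03:00:00
Last Result:                          0
Task To Run:                          C:\Users\Public\update.exe /silent
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM
Schedule Type:                        Daily

Folder: \Microsoft\Windows\Defrag
HostName:                             DESKTOP-EXAMPLE
TaskName:                             \Microsoft\Windows\Defrag\ScheduledDefrag
Next Run Time:                        N/A
Status:                               Ready
Task To Run:                          %windir%\system32\defrag.exe -c -h -o -$
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM
Schedule Type:                        Weekly
"""


def parse_kv_block(text):
    """One block of 'Key: Value' lines -> dict. Indented continuation lines
    (the hotfix and network-card lists in systeminfo) are gathered into a
    list under the preceding key."""
    record, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and last is not None:
            prev = record[last]
            record[last] = (prev if isinstance(prev, list) else [prev]) + [line.strip()]
            continue
        m = KV_WIDE.match(line) or KV_NARROW.match(line)
        if m:
            last = m.group(1).strip()
            record[last] = m.group(2).strip()
    return record


def parse_task_list(text):
    """schtasks LIST output -> one dict per task (blank-line separated blocks)."""
    blocks = (parse_kv_block(b) for b in re.split(r"\n\s*\n", text.strip()))
    return [rec for rec in blocks if "TaskName" in rec]


def findstr(record, needle):
    """Like piping the listing through findstr <needle>: keep fields whose key
    or value contains the needle (case-sensitive, findstr's default)."""
    return {k: v for k, v in record.items() if needle in k or needle in str(v)}


def utc_offset_minutes(record):
    """'(UTC+05:30) ...' -> 330; None when the Time Zone field is missing."""
    m = re.search(r"\(UTC([+-])(\d{2}):(\d{2})\)", record.get("Time Zone", ""))
    if not m:
        return None
    minutes = int(m.group(2)) * 60 + int(m.group(3))
    return minutes if m.group(1) == "+" else -minutes


def memory_mb(record, field):
    """'3,583 MB' -> 3583."""
    return int(re.sub(r"\D", "", record[field]))


def review_tasks(tasks):
    """Names of enabled tasks running as SYSTEM from outside TRUSTED_PREFIXES."""
    flagged = []
    for t in tasks:
        run = t.get("Task To Run", "").strip().strip('"').lower()
        if (t.get("Run As User", "").upper() == "SYSTEM"
                and t.get("Scheduled Task State") == "Enabled"
                and not run.startswith(TRUSTED_PREFIXES)):
            flagged.append(t["TaskName"])
    return flagged


if __name__ == "__main__":
    info = parse_kv_block(SYSTEMINFO_OUT)
    print(findstr(info, "Time"), utc_offset_minutes(info), memory_mb(info, "Total Physical Memory"))
    print("tasks to review:", review_tasks(parse_task_list(SCHTASKS_OUT)))
```

The same parser works on saved output from many hosts, so the per-host findstr step can be replaced by a comparison of each parsed listing against a known-good baseline.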