
Category: blue-team
Tags: forensic analysis, reverse-engineering, windows logs, analytical thinking

Reverse Engineering in Crime - Skills that Define the Defensive Analyst

Fundamentals of Digital Forensic Analysis

In the world of cybersecurity, when systems are compromised, a race against time begins. As a digital forensic analyst, your mission is to reconstruct the events of a security incident using only the "digital footprints" left by attackers. This discipline combines scientific methodology, deep technical knowledge, and deductive thinking to reveal the hidden truth in the data.

Digital forensic analysis not only seeks to answer what happened, but also how it happened, when it occurred, who did it, and why. Every file, every event log, every timestamp is a piece of the puzzle we must assemble to tell the full story of the incident.


The Digital Chain of Custody

Before diving into analysis, it is crucial to understand that you are working with digital evidence. This means:

  • Integrity: Files must be kept intact and unmodified
  • Authenticity: It must be possible to verify that the evidence comes from the compromised system
  • Traceability: Every action performed on the evidence must be documented

Forensic Methodology

Forensic analysis follows a structured methodology:

  1. Preservation: Keep the evidence intact
  2. Identification: Catalog all available artifacts
  3. Extraction: Obtain relevant data from the artifacts
  4. Analysis: Interpret the extracted data
  5. Presentation: Document findings and conclusions

Key Forensic Artifacts in Windows Systems

Windows Event Logs

Event Logs are the "black box" of Windows systems. They contain detailed records of system activities:

Security Event Log

  • Event ID 4624: Successful logon
  • Event ID 4625: Failed logon attempt
  • Event ID 4648: Logon with explicit credentials
  • Event ID 4672: Special privileges assigned to new logon

System Event Log

  • Event ID 7045: New service installation
  • Event ID 1074: System restart/shutdown initiated by user

Application Event Log

  • Application errors and warnings
  • Software installation/uninstallation

Critical System Files

Prefetch Files

  • Location: C:\Windows\Prefetch\
  • Contain information about executed programs
  • Useful to determine which applications ran and when

Windows Registry

  • Contains system and application configurations
  • Important keys:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKLM\SYSTEM\CurrentControlSet\Services

Network Files

  • C:\Windows\System32\drivers\etc\hosts
  • Network configuration files

Timestamp Analysis

Timestamps are crucial for establishing the timeline:

  • Created: When the file was created
  • Modified: Last modification of the content
  • Accessed: Last access to the file
  • Changed: Last modification of metadata

Essential Tools for Forensic Analysis

Linux Command Line Tools

file

Identifies file type:

    file suspicious_file   # identify by magic bytes, not by extension
    file *                 # classify every file in the current directory

strings

Extracts readable text strings:

    strings binary_file | grep -i password
    strings -n 8 binary_file   # strings of at least 8 characters

xxd / hexdump

Hexadecimal visualization:

    xxd binary_file | head -20
    hexdump -C binary_file | less

grep

Pattern searching:

    grep -r "suspicious_pattern" .
    grep -i "error\|warning\|fail" logs.txt
    grep -E "192\.168\.[0-9]{1,3}\.[0-9]{1,3}" file.log

sort and uniq

Frequency analysis:

    # Count requests per source address (first field of a web access log), most frequent first
    cut -d' ' -f1 access.log | sort | uniq -c | sort -nr

Event Log Analysis

Parsing Event Logs

    # Convert EVTX to readable format (evtx_dump.py ships with python-evtx)
    python evtx_dump.py Security.evtx > security_events.xml

    # Search for logon events, with some surrounding context lines
    grep -A 10 -B 5 "EventID.*4624" security_events.xml

Temporal Analysis

    # Extract timestamps and sort them (-E is required for the {n} repetition syntax)
    grep -oE "[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}" logs.txt | sort | uniq -c
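The same two steps (parse the dumped events, then order them in time) in one script, as an added example that is not part of the lesson. It assumes the XML namespace and the SystemTime format that python-evtx's evtx_dump.py emits; the sample XML is constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Default namespace that evtx_dump.py (python-evtx) puts on every <Event>.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the shape evtx_dump.py emits; not taken from a real system.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID Qualifiers="">4624</EventID>
<TimeCreated SystemTime="2024-03-10 09:12:44.000000"/></System>
<EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">2</Data>
<Data Name="IpAddress">-</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID Qualifiers="">4625</EventID>
<TimeCreated SystemTime="2024-03-10 02:10:01.000000"/></System>
<EventData><Data Name="TargetUserName">svc-backup</Data><Data Name="LogonType">10</Data>
<Data Name="IpAddress">203.0.113.7</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID Qualifiers="">4624</EventID>
<TimeCreated SystemTime="2024-03-10 02:14:05.000000"/></System>
<EventData><Data Name="TargetUserName">svc-backup</Data><Data Name="LogonType">10</Data>
<Data Name="IpAddress">203.0.113.7</Data></EventData></Event>
</Events>"""


def parse_events(xml_text):
    """One dict per <Event>: 'id', 'time' (datetime) and every EventData field by Name."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        stamp = system.find("e:TimeCreated", NS).get("SystemTime")
        # Accept python-evtx's "YYYY-MM-DD HH:MM:SS.ffffff" and the ISO 8601 "T" form alike.
        when = datetime.strptime(stamp.replace("T", " ")[:19], "%Y-%m-%d %H:%M:%S")
        rec = {"id": int(system.find("e:EventID", NS).text), "time": when}
        for data in ev.findall("e:EventData/e:Data", NS):
            rec[data.get("Name")] = data.text or ""
        events.append(rec)
    return events


def logon_timeline(events, wanted=(4624, 4625)):
    """Chronological (time, event_id, user, logon_type, source_ip) rows for logon events."""
    rows = [(e["time"], e["id"], e.get("TargetUserName", ""),
             e.get("LogonType", ""), e.get("IpAddress", ""))
            for e in events if e["id"] in wanted]
    # Records sit in the EVTX file in write order, which is not always time order.
    return sorted(rows)
```

Pair a 4625 burst followed by a 4624 for the same account, as in the sample, with the logon type and source address to decide whether it is a user mistyping a password or something that needs a closer look.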

Imports/Exports Analysis

    objdump -p file.exe | grep -E "(DLL|import|export)"

Analysis of Password-Protected Files

Strategies to Find Passwords

  1. Context analysis: Look for clues in logs and related files
  2. Common patterns: Dates, IPs, usernames
  3. Correlated information: Combine data from multiple sources

    # Example of building passwords based on incident data
    # Common format: [data1]-[data2] or [data1][data2]

    # Extract dates from logs
    grep -oE "[0-9]{4}-[0-9]{2}-[0-9]{2}" logs.txt

    # Extract timestamps
    grep -oE "[0-9]{2}:[0-9]{2}:[0-9]{2}" logs.txt

    # Extract IP addresses
    grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}" logs.txt

    # Combine and format data (generic example)
    IP="192.168.1.100"
    TIME="14:30:25"
    IP_FORMATTED=$(echo "$IP" | tr -d '.')
    TIME_FORMATTED=$(echo "$TIME" | tr -d ':')
    POSSIBLE_PASSWORD="${IP_FORMATTED}-${TIME_FORMATTED}"

Investigation Methodology

Phase 1: Initial Reconnaissance

  1. Catalog available evidence

    find . -type f -exec file {} \; > file_catalog.txt
  2. Identify file types

    find . -name "*.log" -o -name "*.evtx" -o -name "*.exe" -o -name "*.zip"

Phase 2: Temporal Analysis

  1. Create event timeline

    # %Y = last modification time as a Unix epoch, %n = file name
    find . -type f -exec stat --format="%Y %n" {} \; | sort -n > timeline.txt
  2. Correlate timestamps with suspicious activity

Phase 3: Content Analysis

  1. Examine event logs
  2. Analyze executable files
  3. Investigate compressed/encrypted files

Phase 4: Attack Reconstruction

  1. Initial access vector
  2. Privilege escalation
  3. Persistence
  4. Data exfiltration

Common Compromise Patterns in Windows Systems

Service Account Compromise

Typical indicators:

  • Service users (svc-*) with interactive activity
  • Connections from unusual geographic locations
  • Activity outside regular business hours

    # Search for service accounts
    grep -i "svc\|service" logs.txt

    # Identify atypical hours (example: early morning, 00:00-05:59); the leading
    # group stops "10:05:00" or "20:03:15" from matching on their tail
    grep -E "(^|[^0-9])0[0-5]:[0-9]{2}:[0-9]{2}" logs.txt

    # Search for external connections: drop the three RFC 1918 ranges
    # (172.16.0.0/12 is only 172.16-172.31, so a bare "^172\." would also hide public addresses)
    grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}" logs.txt | grep -vE "^192\.168\.|^10\.|^172\.(1[6-9]|2[0-9]|3[01])\."

Malicious Service Installation

Common patterns:

  • Services with names imitating legitimate services
  • Installation outside maintenance windows
  • Generic names like "Helper", "Service", "Manager"

    # Search for service installation
    grep -i "service.*install\|sc create\|new service" logs.txt

    # Search for suspicious service names
    grep -i "helper\|remote\|shell\|backdoor" logs.txt

Use of PowerShell for Attacks

Frequent techniques:

  • Downloading malicious files
  • Executing encoded commands
  • Bypassing execution policies

    # Detect PowerShell usage
    grep -i "powershell\|pwsh" logs.txt

    # Search for web downloads
    grep -i "download\|wget\|curl\|invoke-webrequest" logs.txt

    # Encoded commands (Base64): -EncodedCommand and its short forms -enc / -e.
    # The switch is matched as a whole word so that -ExecutionPolicy does not trigger it.
    grep -iE "[[:space:]]-e(nc|ncodedcommand)?[[:space:]]" logs.txt

Malware Execution in Unusual Locations

Suspicious locations:

  • Backup directories (\Backups\)
  • Temporary folders (\Temp\, \tmp\)
  • Script directories (\Scripts\)
  • Non-standard user folders

    # Search for execution in atypical locations
    grep -i "backup\|temp\|script\|public" logs.txt | grep -i "\.exe"

    # Search for executable files in general
    grep -E "\.(exe|dll|bat|ps1|vbs|js)" logs.txt
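The four compromise patterns above turned into one set of checks over normalized event records, as an added example that is not part of the lesson. It assumes records already parsed into dicts (id, time, user, logon type, source IP, service name, image path, command line), treats 06:00-22:00 as business hours, and uses constructed sample records; event ID 4688 (process creation) is used for the command-line record and is not one of the IDs listed above.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# RFC 1918 spelled out: a bare "^172\." filter would also hide public 172.x addresses.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERACTIVE = {"2", "10"}  # 4624 LogonType: console (2) and RemoteInteractive/RDP (10)
GENERIC_SVC = re.compile(r"^(helper|service|manager|updater)$", re.I)
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)  # whole switch, so -ExecutionPolicy is skipped
ODD_PATH = re.compile(r"\\(temp|tmp|backups?|scripts|public)\\[^\\]+\.(exe|dll|bat|ps1|vbs|js)$", re.I)

def is_external(ip):
    """True for routable source addresses; '-' and other placeholders count as not external."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in RFC1918)

def triage(rec):
    """Return the names of the compromise patterns one normalized event record matches."""
    hits = []
    if rec["id"] == 4624:
        if rec.get("user", "").lower().startswith("svc-") and rec.get("logon_type") in INTERACTIVE:
            hits.append("service-account-interactive")
        if not 6 <= rec["time"].hour < 22:  # business hours assumed to be 06:00-22:00
            hits.append("off-hours-logon")
        if is_external(rec.get("ip", "")):
            hits.append("external-source-ip")
    if rec["id"] == 7045 and GENERIC_SVC.search(rec.get("service", "")):
        hits.append("generic-service-name")
    cmd = rec.get("command", "")
    if re.search(r"powershell|pwsh", cmd, re.I) and ENCODED_PS.search(cmd + " "):
        hits.append("powershell-encoded")
    if ODD_PATH.search(rec.get("image", "")):
        hits.append("exe-unusual-location")
    return hits

# Constructed records, already normalized from the event log; not from a real incident.
SAMPLE = [
    {"id": 4624, "time": datetime(2024, 3, 10, 2, 14), "user": "svc-backup", "logon_type": "10", "ip": "203.0.113.7"},
    {"id": 4624, "time": datetime(2024, 3, 10, 9, 30), "user": "alice", "logon_type": "2", "ip": "172.20.4.9"},
    {"id": 7045, "time": datetime(2024, 3, 10, 2, 16), "service": "Helper", "image": "C:\\Windows\\Temp\\helper.exe"},
    {"id": 4688, "time": datetime(2024, 3, 10, 2, 17), "command": "powershell.exe -nop -w hidden -enc BASE64_PLACEHOLDER"},
]

def triage_all(records):
    """Index -> triggered rules, for every record that triggered at least one."""
    return {i: hits for i, rec in enumerate(records) if (hits := triage(rec))}
```

Run together with the timeline from the previous example, the hits for records 0, 2 and 3 fall within three minutes of each other, which is the kind of clustering Phase 4 (attack reconstruction) looks for.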

Remember, digital forensic analysis is both science and art. It requires patience, rigorous methodology, and creativity to connect the pieces of the puzzle. Every case is unique, and attackers constantly evolve their techniques. In the real world, the consequences of your forensic conclusions can have significant legal, financial, and reputational impact. Precision, impartiality, and rigor are fundamental.

"Data doesn't lie, but analysts can misinterpret it. The truth is in the details, and the details are in the methodology."