What to do after hack? 5 unusual places where you can find evidence

In this episode, we’ll show HOW and WHERE find evidence of hack. These 5 places might not be your first choice when you start investigation… and that’s exactly why you should check them first.

What to do after hack? I would like to show you interesting places in Windows OS where you can have a look in order to find the post-login information, details about what kind of software was running and which files were opened, also some data from NTFS Journal and also a couple of other interesting places which can indicate that something goes wrong. So, where to have a look when stepping into the investigation.

Place 1: The profile list

What is the first place? Well, the first place, which is maybe quite natural to check, is the profile list. It shows, of course, what kind of users were logging on to the certain box, but that is not really true because the only thing we see over here are profile folders.

What to do after hack

Now, what about if we list SIDs from the registry? Are we able to spot different types of SIDs of the users that were previously logging on here? That list is more interesting. It gets a little bit longer. By opening this registry path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\, we are able to list also the details regarding the history of what kind of profiles were created here.

What to do after hack

One of the new users that we see that we couldn’t see before is a user hacker. This is the place where we can find quite interesting data regarding the history of the profiles. Of course, someone could be smarter and delete this data from the registry totally, but this is something that is worth checking.

Place 2: The Prefetch

Another place that is worth checking is (of course!) Prefetch. Prefetch is system-wide and can be asked to spot what kind of different types of executables were running in the following operating system. Here are some examples in my Prefetch folder:

What to do after hack

Basically, Prefetch files are in the C:\Windows\Prefetch. Whenever we’ve got a PF file, the last date on the file is the one that indicates the last time the file was actually ran was. Now, I can say that I was running WinWord on the 17th of October.

What to do after hack

I am going to show you now what is really interesting here.

Introducing CQPrefetchParser

For analysis, I am going to use our tool: CQPrefetchParser. CQPrefetchParser takes as a parameter a prefetch file to analyze. Eventually, we can specify only the directory that contains the prefetch files. We can also specify the /out where we are able to decompress the PF file. We will use the basic setting here where we will specify the file and then we will specify -a to analyze. Let’s do that.

Want to test CQPrefetchPraser? You can download it here:

CQPreferchParser shows very nicely all the interesting paths that were related with that particular prefetch file. It also shows modules, the different types of DLLs that were loaded when this particular executable was running.

What to do after hack

Also, a cool part of it is that you can see a part of the execution history, like how many times notepad.exe was executed and what was the last time I had it opened.

What to do after hack

Place 3: Automatic destinations: Spotting Files Opened By A Software

The next thing that I want to show you is related to something that we call automatic destinations. Automatic destinations contain the history of all the interesting files that were ever used, for example, text files, that we were opened by Notepad.

What to do after hack

We can connect to C:\Users\ Paula\ AppData\Roaming\Microsoft\Windows\Recent\Automatic Destinations, and if I choose 9B 9C and so on, that is actually the automatic destinations file for Notepad, because these values are all defined for the known software. These identifiers are known, so you can have a reference to any predefined software we can find within the automatic destinations and the identifier they fall under.

What to do after hack

Let’s have a look at Notepad. If I click, for example, the first one, what you can see is that I’ve got some type of files being opened. We can spot a much more, of course, if you dig in further.

Of course, not every software that you are using gets known, so then you just need to browse through all of the automatic designations, but some of the identifiers are already pre-defined. As we mentioned, 9B 9C and so on, signifies Notepad.

Place 5: USN Journal

That’s it. The last one that I want to show you is related with NTFS Journal, or USN Journal, which contains the whole history of files being changed.

For the following you can use the script below:

Password: CQUREAcademy#123!

First of all, what we are going to do is to display files metadata. I am displaying right now file hash for these files, and I am grouping them. By running this command, we can clearly see that all of these files are the same.

Of course, over here I am able to spot as well what the last write time is, and we can see that these are all the same. We’ve got 1.txt, 10.text, and so on. These are all the same.

What to do after hack

What I want to show you is that when we, for example, run Get-Member for the options that we’ve got related to time to work on the files, we’ve got here creation time, last access time, and last write time. Take a look below.

What to do after hack

We’ve got get and set, which clearly indicates that this is not something that we should rely on since we can set creation time, last access time, and last write time. What’s my point? Basically, we are able to change one of those files and let’s have a look what is going to be the setup.

Let me show you one thing in the folder.

What to do after hack

As you can see, all these files are the same. What I can do right now is change content for one file. After changing, one file gets a date from 2016. What I will now overwrite that data:

What to do after hack

Now all the other files should be exactly the same as 1.txt. For each file, we are changing the last write time, creation time, and last access time, to that particular time. Let’s have a look at the result. As you see, all of my files right now are from the current date. This is something that we cannot rely very strongly on because as you see, this is something that can be changed.

What to do after hack

If we move further, what we are able to see from the historical perspective, and I am going to use, for example, for that purpose fsutil, we are able to read information about the journal. For that, I am going to use fsutil usn readjournal for the F drive, and that gives us a very nice but quite long output about what kind of changes were made on the disk. Of course, that’s a lot of information. On the Internet, you can find a lot of different types of parsers that can help you to parse that data.

What to do after hack

What we can spot over here is that file 430.txt, which we had its basic info changed. Here from fsutil usn readjournal, we are able to see the file that someone worked on. Of course, more information can be spotted using a little bit more professional journal analyzer, but I wanted to show you a free option that can at least indicate that something was done with this file. In the worst case, you can stream this data into a text file and then search for the file name and see if this file was in any matter touched. This is usn journal that we are able to analyze.

Does solving a cyber-crime sound like fun to you?  Take the next step into forensics with Paula J.  with her CyberBytes virtual training.