Lab 9.3 — Windows Forensic Investigation

Lab Overview

The Scenario

WIN-ENDPOINT-01 was compromised in a targeted attack. Labs 9.1 and 9.2 established the evidence collection and identified executed malicious tools. Now you need to answer the bigger questions:

• How did the attacker establish persistence? (Registry analysis)
• What did the user do before and during the compromise? (User activity timeline)
• Did the attacker use a web browser? (Browser artifacts)
• Was data exfiltrated to a USB device? (USB history)
• What's the complete story? (Attack narrative)

Part 1: Registry Analysis — Persistence Mechanisms

Why the Registry Matters

The Windows Registry is the single most information-rich artifact source in forensics. Attackers use it to:

• Establish persistence (Run keys, services, scheduled tasks)
• Store configuration (malware settings, C2 addresses)
• Leave traces (MRU lists, typed URLs, search history)

Key Registry Locations for Persistence

Collecting Registry Persistence Artifacts

1. Open Velociraptor Web UI → select WIN-ENDPOINT-01
2. Create a new collection: Windows.Persistence.PermanentWMIEvents
3. Create another collection: Windows.Sys.StartupItems
4. Create another collection: Windows.System.TaskScheduler

Analyzing Persistence

For each persistence mechanism found, document:

PERSISTENCE ANALYSIS
════════════════════
Type: [Run Key / Service / Scheduled Task / WMI Event]
Location: [full registry path or task path]
Value: [executable path or command]
Created: [timestamp if available]
Suspicious?: [Y/N + reasoning]

Red flags to watch for:

• Run key entries pointing to C:\Temp\, C:\Users\Public\, or AppData\ paths
• Services with UNKNOWN publisher or binary paths outside System32\
• Scheduled tasks that execute PowerShell with encoded commands
• WMI event subscriptions (often used for fileless persistence)

Click to enlarge

Part 2: User Activity Timeline

Background Activity Moderator (BAM/DAM)

BAM tracks execution of programs by each user. This is separate from Prefetch (system-wide) — BAM shows which USER ran which program.

1. Collect: Windows.Registry.BAM
2. Analyze results for:
   • Programs executed by the compromised user account
   • Programs executed by SYSTEM (may indicate privilege escalation)
   • Timestamps that correlate with your Prefetch/Amcache timeline from Lab 9.2

UserAssist — GUI Program Execution

UserAssist records every program launched via Windows Explorer (double-click, Start Menu):

1. Collect: Windows.Forensics.UserAssist
2. Analyze results for:
   • Programs the user explicitly launched (vs. automated/scripted execution)
   • Run counts and last execution times
   • Focus time (how long the application window was in focus)

RecentDocs — Recently Accessed Files

1. Collect: Windows.Forensics.RecentApps
2. Analyze results for:
   • Documents opened around the time of compromise
   • File types that suggest data staging (ZIP, RAR, 7z archives)
   • Files accessed from unusual locations

USER ACTIVITY TIMELINE
══════════════════════
Time (UTC)     | User          | Action                    | Source
---------------|---------------|---------------------------|-------
[timestamp]    | [username]    | Launched [program]        | UserAssist
[timestamp]    | [username]    | Opened [document]         | RecentDocs
[timestamp]    | SYSTEM        | Executed [program]        | BAM

Part 3: Browser Forensic Artifacts

Why Browser Artifacts Matter

Browsers record everything: sites visited, files downloaded, credentials cached, form data submitted. Attackers use browsers to:

• Download additional tools
• Access webmail to exfiltrate data
• Log into cloud services with stolen credentials
• Research the internal network

Collecting Browser History

1. Collect: Windows.Applications.Chrome.History (for Chromium-based browsers)
2. Also collect: Windows.Applications.Chrome.Extensions (malicious extensions)

Analyzing Browser Artifacts

BROWSER FORENSIC ANALYSIS
══════════════════════════
Browser: [Chrome / Edge / Firefox]
Profile: [Default / specific profile name]

HISTORY (Suspicious Entries)
Time (UTC)     | URL                              | Title                 | Visit Count
---------------|----------------------------------|-----------------------|------------
[timestamp]    | [URL]                            | [page title]          | [count]

DOWNLOADS
Time (UTC)     | File Name          | Source URL                     | Save Path
---------------|--------------------|--------------------------------|----------
[timestamp]    | [filename]         | [download URL]                 | [local path]

What to look for:

• Downloads of hacking tools (mimikatz, PsExec, netcat, Cobalt Strike)
• Visits to file-sharing sites (pastebin, file.io, mega.nz) — data exfiltration
• Visits to webmail services during off-hours
• Visits to IP addresses instead of domain names (direct C2 communication)
• Search queries related to "how to disable antivirus" or "privilege escalation"

Part 4: USB Device History

Why USB History Matters

USB devices are the most common physical data exfiltration method. Windows records every USB device ever connected, including:

• Device manufacturer and model
• Serial number (unique identifier)
• First and last connection times
• Drive letter assigned

Collecting USB History

1. Collect: Windows.Forensics.Usb
2. Review the results for all USB storage devices

Analyzing USB Artifacts

USB DEVICE HISTORY
══════════════════
Device             | Serial Number    | First Connected    | Last Connected     | Drive Letter
-------------------|------------------|--------------------|--------------------|------------
[manufacturer]     | [serial]         | [timestamp UTC]    | [timestamp UTC]    | [letter]

Red flags:

• USB devices connected for the first time during the compromise window
• USB connections that coincide with large file access in RecentDocs
• Multiple USB devices connected in rapid succession (attacker swapping drives)
• USB connection followed immediately by disconnection (quick copy-and-go)

Part 5: Building the Complete Attack Narrative

Correlation Methodology

Now combine ALL your findings from Labs 9.1, 9.2, and 9.3 into a single narrative:

Click to enlarge

1. Initial Access: How did the attacker get in? (Browser downloads? Phishing? Remote exploit?)
2. Execution: What tools did they run? (Prefetch/Amcache from Lab 9.2)
3. Persistence: How did they maintain access? (Registry from Part 1)
4. Discovery: What did they look for? (User activity from Part 2, browser from Part 3)
5. Collection: What did they stage for exfiltration? (RecentDocs, file access)
6. Exfiltration: How did they get data out? (USB from Part 4, browser uploads)
7. Anti-Forensics: Did they try to cover tracks? (Missing artifacts, cleared logs)

Write Your Attack Narrative

ATTACK NARRATIVE — WIN-ENDPOINT-01
═══════════════════════════════════
Case ID: IR-2026-[today's date]
Examiner: [your name]

EXECUTIVE SUMMARY
─────────────────
[3-5 sentences summarizing the entire incident]

DETAILED TIMELINE
─────────────────
Phase 1 — Initial Access ([time range])
  Evidence: [specific artifacts]
  Finding: [what happened]

Phase 2 — Tool Deployment ([time range])
  Evidence: [specific artifacts]
  Finding: [what tools were used]

Phase 3 — Persistence ([time range])
  Evidence: [specific artifacts]
  Finding: [how they maintained access]

Phase 4 — Discovery & Lateral Movement ([time range])
  Evidence: [specific artifacts]
  Finding: [what they explored]

Phase 5 — Data Collection & Exfiltration ([time range])
  Evidence: [specific artifacts]
  Finding: [what was stolen and how]

Phase 6 — Anti-Forensics ([time range])
  Evidence: [specific artifacts — or absence of expected artifacts]
  Finding: [cleanup attempts]

INDICATORS OF COMPROMISE
────────────────────────
- IP Addresses: [list]
- File Hashes (SHA1): [list from Amcache]
- File Paths: [attacker tool locations]
- Registry Keys: [persistence mechanisms]
- USB Devices: [serial numbers]

RECOMMENDATIONS
───────────────
1. [Containment action]
2. [Eradication action]
3. [Recovery action]
4. [Lessons learned]

Deliverable Checklist

Before completing the lab, ensure you have:

• Persistence Analysis — all identified persistence mechanisms with registry paths and values
• User Activity Timeline — BAM, UserAssist, and RecentDocs correlated by timestamp
• Browser Forensic Analysis — suspicious history entries, downloads, and search queries
• USB Device History — all devices with connection times and correlation to file access
• Complete Attack Narrative — 6-phase timeline with evidence citations for each phase
• Indicators of Compromise — IPs, hashes, paths, registry keys, USB serials

What's Next

In Lab 9.4 — Memory Forensics, you'll analyze a memory dump using Volatility to find malware that never touched disk — process injection, in-memory shellcode, and hidden network connections that only exist in RAM.