$I30 Parsers Output False Entries. Here's Why
In the README page of my tool, INDXRipper (Go check it out! It’s really cool), down in the “Limitations” section, I gave some warnings regarding the reliability of the tool: The tool may give false results. While false positives are rare, they are possible. Partially overwritten entries may not be found. If they are found, though, the tool may give you false information. These shortcomings apply to every $I30 parser, and in this post - I’ll explain why....
The Forensic Value of the (Other) WSH Registry Key
WSH (Windows Script Host) is an automation tool built into Windows, providing powerful scripting abilities. It was introduced in Windows 98, long predating .NET and PowerShell. Whilst being largely abandoned by system administrators, It is sometimes used by attackers to evade detection and obfuscate their infection chains. Typically, an attacker will drop a malicious script on disk - a .vbs, .js or a .wsf file, and then execute it using either the WScript or the CScript host....
The Mystery of the HeapLeakDetection Registry Key
I was working on a case the other day, when I first came across a rather interesting registry key, HKLM\Software\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications. It caught my eye, because it has sub-keys for (what appears to be) applications executed on the system. This is what it looks like on my own system: It has quite a few sub-keys, and each one has a LastDetectionTime QWORD value, containing what appears to be a Windows FILETIME timestamp:...
Resolving File Paths Using the MFT
In NTFS, the MFT (Master File Table) is a structure that contains a lot of the file-system metadata, and also the contents of small files. It is stored in a special file, called $MFT. In incident response, we often collect and parse this file to determine the file system contents and how it changed over time, without having to acquire a full disk image. There are many bad MFT parsers out there....
Home Adventures! A Prefetch File in $I30 Slack, PyInstaller & Prefetch Hash Cracking
I often test my tools on my old computer at home. It’s so much more interesting to investigate than a newly created virtual machine. Today, while testing, I found evidence of activity from almost 2 years ago. It got me really excited, and I thought it would make a cool blog post! Here’s a snippet from the timeline I created using MFTECmd and INDXRipper: A Prefetch File in $I30 Slack The Prefetch file FLOSS64....