Blue Team-System Live Analysis [Part 4]- Windows: System Information and Configurations

In the previous parts, I discussed the need for system live analysis, the rules to follow, some required tools, and the checklist for carrying out a Windows live investigation.

Let's dive into the technical aspects from this part onwards. As illustrated in the checklist, identifying system information and understanding its configuration is one of the main steps in the early stage of an investigation.

Data Types: Current System settings and configurations [e.g. OS installation date, essential folders, hotfixes, drives, shadow copies, top-level network information, etc.]

Investigation Value: To understand the current state of the machine and to plan accordingly.

1- General System Information

There are many ways to retrieve general system information and current settings. I personally prefer the systeminfo command to look for general information, followed by WMIC or PowerShell to get specific details.

Systeminfo Command

The animation above shows the use of the systeminfo command. It returns several useful pieces of information that help the analyst plan the rest of the investigation.

OS Version: The compatibility of our tools with the version of the OS being investigated is crucial. For example, not all Windows 10 versions are fully supported by the Volatility framework for memory analysis. Thus, the exact OS version and build number [e.g. 10.0.18363 N/A Build 18363] help us select the proper toolset for further investigation.

We can filter out specific information by using the findstr command. For instance, if we look for OS name and version, we can use the command below:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Filter Results with Findstr

WMIC makes it easy to look for specific information. Type "wmic os get /?" to retrieve the list of available properties, as follows:

WMIC Available Options to Obtain System Information

In case we want to check the hostname, we can use the command below:

wmic os get csname

OS name obtained by WMIC

We can request several values at once, using a comma as the separator, as follows:

wmic os get csname, WindowsDirectory

OS name and directory obtained by WMIC
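The systeminfo and "wmic os get" outputs above both come from the Win32_OperatingSystem WMI class. The script below is an added example, not part of the original post, that reads that class (plus Win32_ComputerSystem for domain membership) through PowerShell's Get-CimInstance and returns the fields an analyst needs first, hostname, exact version and build, install date, last boot time, key directories, with a JSON copy for the case file. The output path is a placeholder; WMIC itself is deprecated in recent Windows releases, which is one reason to keep a CIM-based equivalent at hand.

```powershell
# Added example (not from the original post): collect the general system
# details that systeminfo / "wmic os get" expose, via the CIM class they
# both read (Win32_OperatingSystem), and return them as one object.
function Get-TriageSystemInfo {
    [CmdletBinding()]
    param(
        # Where to write the JSON copy; placeholder path, adjust per case.
        [string]$OutFile = "$env:TEMP\triage-systeminfo.json"
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    $info = [pscustomobject]@{
        HostName         = $os.CSName           # same value as "wmic os get csname"
        OSName           = $os.Caption
        OSVersion        = $os.Version          # e.g. 10.0.18363 in the post's screenshot
        BuildNumber      = $os.BuildNumber
        Architecture     = $os.OSArchitecture
        InstallDate      = $os.InstallDate
        LastBootUpTime   = $os.LastBootUpTime
        UptimeHours      = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalHours, 1)
        WindowsDirectory = $os.WindowsDirectory
        SystemDirectory  = $os.SystemDirectory
        Domain           = $cs.Domain
        PartOfDomain     = $cs.PartOfDomain
        CollectedAt      = (Get-Date).ToUniversalTime().ToString('o')
    }

    # Keep a machine-readable copy next to the human-readable console output.
    $info | ConvertTo-Json | Set-Content -Path $OutFile -Encoding UTF8
    return $info
}

# Usage: print the summary and keep the JSON copy for the case file.
Get-TriageSystemInfo | Format-List
```

The build number and install date are the two values to note down first: the build decides which memory-analysis profiles and parsers apply, and an install date that is much more recent than the hardware or the user's account history is itself worth a question.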

2- Environment variables

Environment variables hold information such as search paths for executables, directories for temporary files, and application-specific options, and they tell us about the environment used by system users and processes.

They provide a wide variety of information that can be useful during the investigation. You can check the list of standard (built-in) Windows environment variables here. The environment variables are divided into three scopes, as follows:

  • Machine (or System) scope: Belong to the running instance of the system and apply to every user.
  • User scope: Belong to a particular user account on the system.
  • Process scope: The set a running process sees, built from the Machine and User scopes (plus anything the parent process set).

Note 1: User environment variables are set for each user individually, while Machine environment variables are set for everyone [Ref].

System and User Environment Variables

As shown in the figure above, we can see system and user environment variables from advanced system settings.

SET Command

The same information can be retrieved easily with the SET command as well.

SET Command to Display System and User Environment Variables

Windows Registry

The system and user environment variables are stored in the registry at the locations below and can be displayed with reg query.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Reg Query Command to Display System and User Environment Variables from Windows Registry

Note 2: the user variables in this post are associated with the currently logged-in user. The coming posts about the user accounts will discuss how to display the variables for other user accounts.
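Because the three scopes are stored and composed differently, it is worth collecting all of them rather than only the SET output, which shows the process scope of the shell you happen to be in. The script below is an added example, not from the original post: it pulls the Machine, User and Process scopes through the .NET Environment class, flags process-scope values that differ from what the Machine and User definitions would produce (a changed PATH or TEMP in the running session is the classic thing to notice), and then reads the raw, unexpanded registry values. The Machine key is the one quoted in the post; HKCU\Environment is the standard per-user key for the currently logged-in user, which is the same limitation Note 2 describes.

```powershell
# Added example (not from the original post): compare environment variable
# scopes and dump the raw registry values behind them.
function Get-EnvScopeReport {
    $machine = [Environment]::GetEnvironmentVariables([EnvironmentVariableTarget]::Machine)
    $user    = [Environment]::GetEnvironmentVariables([EnvironmentVariableTarget]::User)
    $process = [Environment]::GetEnvironmentVariables([EnvironmentVariableTarget]::Process)

    $names = @($machine.Keys) + @($user.Keys) + @($process.Keys) | Sort-Object -Unique

    foreach ($name in $names) {
        $m = $machine[$name]; $u = $user[$name]; $p = $process[$name]
        # Expected process value (heuristic): User overrides Machine, except PATH,
        # which Windows builds as Machine PATH + ";" + User PATH.
        $expected = if ($name -ieq 'PATH') { (@($m, $u) | Where-Object { $_ }) -join ';' }
                    elseif ($null -ne $u) { $u }
                    else { $m }
        [pscustomobject]@{
            Name           = $name
            Machine        = $m
            User           = $u
            Process        = $p
            # Differences are normal for per-session variables (USERNAME, SESSIONNAME,
            # anything the launching process set); review the ones touching search
            # paths, temp directories or interpreter options.
            ProcessDiffers = ($null -ne $p) -and ($p -ne $expected)
        }
    }
}

# Raw registry view: REG_EXPAND_SZ values are returned unexpanded so you see
# exactly what was written (e.g. %SystemRoot% instead of C:\Windows).
function Get-EnvRegistryValues {
    $regPaths = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment',  # key from the post
        'HKCU:\Environment'                                                     # standard per-user key
    )
    foreach ($rp in $regPaths) {
        $key = Get-Item -Path $rp
        foreach ($valueName in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $rp
                Name  = $valueName
                Type  = $key.GetValueKind($valueName)
                Value = $key.GetValue($valueName, $null,
                            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            }
        }
    }
}

# Usage: show only the variables whose running-session value deviates, then the raw registry data.
Get-EnvScopeReport | Where-Object ProcessDiffers | Format-Table Name, Machine, User, Process -Wrap
Get-EnvRegistryValues | Format-Table -AutoSize
```

The ProcessDiffers flag is a heuristic, so expect some noise; its value is in pointing out a session whose PATH, TEMP or COMSPEC no longer matches the persistent definitions, which the SET output alone would not reveal.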

3- Hotfixes

Without a doubt, the list of installed hotfixes is one of the most important pieces of information to collect, as it shows whether any patches or updates are missing and whether the system is vulnerable.

There are many ways to obtain the installed hotfixes as follows:

Systeminfo: As you may have noticed, the systeminfo command shows the list of installed hotfixes as well; let's use systeminfo and findstr to get the hotfix list.

systeminfo | findstr KB

List of Installed Hotfixes from Systeminfo

WMIC: We can obtain the same list by using “wmic qfe get hotfixid”, but let’s get more details.

wmic qfe get Caption,Description,HotFixID,InstalledOn

Installed Hotfixes obtained by WMIC

PowerShell: PowerShell provides investigators with a powerful command interface and scripting capabilities for collecting a number of artifacts. The "powershell get-hotfix" command gives us the list of installed hotfixes, and we can also look for specific hotfixes by their KB number.

Installed Hotfixes obtained by Powershell

Note 1: findstr can be combined with systeminfo or WMIC to look for specific hotfixes as well.

Note 2: This post is not comparing the capabilities of Windows commands, WMIC, and PowerShell. The main aim is to demonstrate different data collection techniques.
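Listing hotfixes is only half of the job; the questions an analyst actually asks are "how old is the newest patch?" and "is this particular KB present?". The script below is an added example, not from the original post. It builds on Get-HotFix, which reads the same Win32_QuickFixEngineering class as "wmic qfe", sorts the list by install date for timeline work, and answers both questions for a list of KB numbers of interest. The KB number shown is a placeholder to be replaced from the case's own intelligence. One caveat a practitioner should know: Win32_QuickFixEngineering only reports updates installed through component-based servicing, so MSI-based application updates and Defender definition updates do not appear in it.

```powershell
# Added example (not from the original post): hotfix triage on top of Get-HotFix.
function Get-HotfixTriage {
    param(
        # KB numbers to check for; placeholder value, fill in from the case's threat intel.
        [string[]]$KbOfInterest = @('KB0000000'),
        # Flag the host as stale when the newest hotfix is older than this many days.
        [int]$StaleAfterDays = 60
    )

    $hotfixes = @(Get-HotFix | Sort-Object InstalledOn -Descending)
    # Some entries carry no InstalledOn date; skip them when looking for the newest one.
    $latest   = $hotfixes | Where-Object { $_.InstalledOn } | Select-Object -First 1
    $installedIds = @($hotfixes | ForEach-Object { $_.HotFixID })

    $daysSinceLatest = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { $null }

    [pscustomobject]@{
        HotfixCount     = $hotfixes.Count
        LatestHotfix    = if ($latest) { $latest.HotFixID } else { $null }
        LatestInstalled = if ($latest) { $latest.InstalledOn } else { $null }
        DaysSinceLatest = $daysSinceLatest
        LooksStale      = if ($null -ne $daysSinceLatest) { $daysSinceLatest -gt $StaleAfterDays } else { $true }
        KbPresent       = @($KbOfInterest | Where-Object { $installedIds -contains $_ })
        KbMissing       = @($KbOfInterest | Where-Object { $installedIds -notcontains $_ })
    }
}

# Full list in install order, with the columns systeminfo omits (date, installer account).
Get-HotFix | Sort-Object InstalledOn |
    Format-Table HotFixID, Description, InstalledOn, InstalledBy -AutoSize

# Summary for the case notes; pass -KbOfInterest with the KBs relevant to the investigation.
Get-HotfixTriage | Format-List
```

A "KbMissing" result is a lead, not a verdict: a later cumulative update can supersede the KB you are looking for, so confirm against the build number collected in section 1 before calling the host unpatched.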

4- Drivers!

A simple conversation with uncle Google gives us plenty of stories on how a security flaw in an installed driver opened the door for attackers! The news below, for instance!

Installed Drivers List obtained

The image above depicts the use of a Windows built-in command and PowerShell to retrieve the list of drivers. NirSoft provides a GUI-based tool called InstalledDriversList to retrieve the list of available drivers as well.

InstalledDriverList by Nirsoft
  • Green Icon — The driver is running on the Windows kernel.
  • Yellow Icon — The driver is not running on the Windows kernel.
  • Red Icon — The driver is not running on the Windows kernel, but it should be loaded automatically when Windows starts.
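The colour coding above answers "is it loaded?"; the next questions are "where does the binary live?" and "who signed it?", since the driver stories the section refers to are almost always about a third-party driver. The script below is an added example, not from the original post or from NirSoft: it reads Win32_SystemDriver (the class behind the driver listings shown in the image), normalises the various path forms the service registry uses, checks each binary's Authenticode signature, and lists third-party or unsigned drivers first. Get-AuthenticodeSignature recognises catalog-signed Windows drivers, so the in-box drivers should come back as Valid; it does not check whether a signed driver is on any blocklist, which is a separate step.

```powershell
# Added example (not from the original post): driver inventory with path,
# state, start mode and signature, third-party drivers first.
function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                  # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^System32\\') { $p = Join-Path $env:SystemRoot $p }  # relative to Windows dir
    return $p
}

function Get-DriverTriage {
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = Resolve-DriverPath -PathName $d.PathName
        $sig  = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
        }
        [pscustomobject]@{
            Name        = $d.Name
            DisplayName = $d.DisplayName
            State       = $d.State         # Running / Stopped (the green/yellow icons above)
            StartMode   = $d.StartMode     # Boot / System / Auto / Manual / Disabled
            Path        = $path
            Signature   = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # Anything outside the Windows directory is treated as third-party for review.
            ThirdParty  = -not ($path -and ($path -like "$env:SystemRoot\*"))
        }
    }
}

$report = Get-DriverTriage

# Review queue: third-party or not-valid signature first. A stopped driver with
# StartMode Auto (the red icon case) still deserves a look: it will load on next boot.
$report |
    Where-Object { $_.ThirdParty -or $_.Signature -ne 'Valid' } |
    Sort-Object ThirdParty, Signature -Descending |
    Format-Table Name, State, StartMode, Signature, Signer, Path -AutoSize

# Full inventory for the case file.
$report | Export-Csv -Path "$env:TEMP\drivers.csv" -NoTypeInformation   # placeholder path
```

Keep the CSV: driver names and signer subjects are easy to compare against a known-good build of the same image later, and that comparison is usually quicker than judging each third-party driver in isolation.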

5- Shadow Copies

Shadow copies are snapshots (backups) of Windows files and can be used to restore data when required. They keep the previous state, data, and files of a machine and may help us during an investigation. However, they are not as good as forensic images of a hard disk, as they contain a snapshot of a file at a particular point in time only.

Besides, not all machines being investigated will have shadow copies or restore points enabled. Thus, we should check whether any shadow copy exists on the target machine.

The image below shows WMIC and vssadmin being used to obtain the list of available shadow copies on a system.

The List of Available Shadow Copies in a system obtained by WMIC and VSSADMIN

Note 1: Having shadow copies does not guarantee any successful or complete data recovery, as that depends heavily on the type of shadow copy, its creation time, and the last point at which the OS overwrote it.

Note 2: The golden rule of digital forensics is to collect as much data as possible and available; may the force be with us later in the in-depth analysis.
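Note 1 is the reason to record more than "shadow copies exist": the creation time of each copy decides which events it can possibly preserve, and the volume it belongs to decides which files. The script below is an added example, not from the original post: it reads Win32_ShadowCopy (the same class "wmic shadowcopy" and vssadmin list shadows draw from), maps each copy's volume GUID back to a drive letter via Win32_Volume, and reports creation time and age so the copies can be placed on the case timeline. Enumerating shadow copies requires an elevated session.

```powershell
# Added example (not from the original post): list shadow copies with
# drive letter, creation time and age, for the case timeline.
function Get-ShadowCopyTriage {
    # Map \\?\Volume{GUID}\ device IDs to drive letters.
    $volumes = @{}
    Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
        if ($_.DriveLetter) { $volumes[$_.DeviceID] = $_.DriveLetter }
    }

    $copies = @(Get-CimInstance -ClassName Win32_ShadowCopy)
    if ($copies.Count -eq 0) {
        Write-Warning 'No shadow copies present on this system.'
        return
    }

    foreach ($sc in ($copies | Sort-Object InstallDate)) {
        [pscustomobject]@{
            ID               = $sc.ID
            Created          = $sc.InstallDate
            AgeDays          = ((Get-Date) - $sc.InstallDate).Days
            Volume           = if ($volumes.ContainsKey($sc.VolumeName)) { $volumes[$sc.VolumeName] } else { $sc.VolumeName }
            # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN: the path a later
            # file-level recovery would open.
            DeviceObject     = $sc.DeviceObject
            Persistent       = $sc.Persistent
            ClientAccessible = $sc.ClientAccessible
        }
    }
}

# Usage: table for the notes, then the built-in tool's output for the record.
Get-ShadowCopyTriage | Format-Table -AutoSize
vssadmin list shadows
```

The AgeDays column is what to read first: a copy created after the suspected incident window preserves nothing from before it, while an older copy on the right volume is worth a file-level comparison later in the investigation.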

Stay tuned…!

by Meisam Eslahi

