Blue Team-System Live Analysis [Part 4]- Windows: System Information and Configurations
Let's dive into the technical aspects from this part onwards. As illustrated in the checklist, identifying system information and understanding its configuration is one of the main steps in the early stage of an investigation.
Data Types: Current system settings and configurations [e.g. OS installation date, essential folders, hotfixes, drives, shadow copies, top-level network information, etc.]
Investigation Value: To understand the current state of the machine and to plan accordingly.
1- General System Information
There are many ways to retrieve general system information and current settings. I personally prefer the systeminfo command to look for general information, followed by WMIC or PowerShell to get specific details.
The animation above shows the use of the systeminfo command. Its output contains several useful pieces of information that help the analyst plan the rest of the investigation.
OS Version: The compatibility of our tools with the version of the OS being investigated is crucial. For example, not all Windows 10 versions are fully supported by the Volatility framework for memory analysis. Thus, the exact OS version and build number [e.g. 10.0.18363 N/A Build 18363] help us select the proper toolset for further investigation.
We can filter out specific information by using the findstr command. For instance, if we look for OS name and version, we can use the command below:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
WMIC makes it easy to look for specific information. Type "wmic os get /?" to retrieve the list of available properties, as shown below:
In case we want to check the hostname, we can use the command below:
wmic os get csname
We can retrieve several properties at once, using a comma as the separator, as follows:
wmic os get csname, WindowsDirectory
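The same general information can be collected in one go from PowerShell, which is handy when the output has to be stored with the case. The script below is an added example and not from the original post; it uses Get-CimInstance (the supported replacement for wmic.exe) to pull the fields discussed above, and the output folder C:\IR\collect is an assumption for the example.

```powershell
# Added example (not from the original post): collect general system information
# with CIM instead of the deprecated wmic.exe and keep a copy for the case file.
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$bios = Get-CimInstance -ClassName Win32_BIOS

$info = [ordered]@{
    'Host Name'         = $os.CSName            # same value as: wmic os get csname
    'OS Name'           = $os.Caption           # e.g. Microsoft Windows 10 Pro
    'OS Version'        = $os.Version           # e.g. 10.0.18363, used to pick a memory-analysis profile
    'OS Build'          = $os.BuildNumber
    'OS Architecture'   = $os.OSArchitecture
    'Install Date'      = $os.InstallDate       # CIM already converts this to [datetime]
    'Last Boot'         = $os.LastBootUpTime
    'Uptime'            = (Get-Date) - $os.LastBootUpTime
    'Windows Directory' = $os.WindowsDirectory  # same value as: wmic os get WindowsDirectory
    'System Directory'  = $os.SystemDirectory
    'Registered Owner'  = $os.RegisteredUser
    'Domain'            = $cs.Domain
    'Domain Joined'     = $cs.PartOfDomain
    'Manufacturer'      = $cs.Manufacturer
    'Model'             = $cs.Model
    'BIOS Version'      = $bios.SMBIOSBIOSVersion
    'Time Zone'         = (Get-TimeZone).Id     # needed to interpret every timestamp collected later
    'Collected At UTC'  = (Get-Date).ToUniversalTime()
}

# Show the result in the console...
[pscustomobject]$info | Format-List

# ...and keep a copy for the case file (the folder is an assumption for this example).
$outDir = 'C:\IR\collect'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
[pscustomobject]$info |
    Export-Csv -Path (Join-Path $outDir "sysinfo_$($os.CSName).csv") -NoTypeInformation
```

Recording the time zone and the collection time next to the system data matters more than it looks: every later artifact (event logs, file times, hotfix dates) has to be read against them.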
2- Environment variables
Environment variables are stored information such as search paths for files, directories for temporary files, application-specific options, etc., that tell us about the environment used by system users and processes.
They provide a wide variety of information that could be useful during the investigation. You can check the list of standard (built-in) Windows environment variables here. The environment variables are divided into three scopes as follows:
- Machine (or System) scope: Belong to the running instance of the system.
- User scope: Belong to a particular user under a system.
- Process scope: Combination of variables in the Machine and User scopes.
Note 1: User environment variables are set for each user individually, while Machine environment variables are set for everyone [Ref].
As shown in the figure above, we can see system and user environment variables from advanced system settings.
The above information can easily be retrieved with the SET command as well.
The locations of the system and user environment variables in the registry are as follows and can be displayed with reg query.
Note 2: The user variables in this post are associated with the currently logged-in user. The coming posts about user accounts will discuss how to display the variables for other user accounts.
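To see the three scopes side by side, and to spot values that exist only in the running process (i.e. that were not persisted in the registry), the following added example can be used. It is not from the original post; the registry paths are the standard locations of the Machine and User scopes, and the "process-only" and PATH checks are my own review heuristics for the example.

```powershell
# Added example (not from the original post): dump the Machine, User and Process
# scopes, then compare the Process scope of this shell with the persistent scopes.
$scopes = [ordered]@{
    Machine = [Environment]::GetEnvironmentVariables([EnvironmentVariableTarget]::Machine)
    User    = [Environment]::GetEnvironmentVariables([EnvironmentVariableTarget]::User)
    Process = [Environment]::GetEnvironmentVariables([EnvironmentVariableTarget]::Process)
}

# Registry locations behind the Machine and User scopes (the same keys reg query shows).
$regPaths = [ordered]@{
    Machine = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    User    = 'HKCU:\Environment'   # currently logged-in user only (see Note 2)
}

# Case-insensitive lookup: the hashtables returned by .NET are case-sensitive.
function Get-ScopeValue($table, $name) {
    foreach ($k in $table.Keys) { if ($k -ieq $name) { return $table[$k] } }
}

foreach ($scope in $scopes.Keys) {
    Write-Host "=== $scope scope ($($scopes[$scope].Count) variables) ==="
    $scopes[$scope].GetEnumerator() | Sort-Object Key | Format-Table -AutoSize Key, Value
}

foreach ($scope in $regPaths.Keys) {
    Write-Host "=== $scope scope as stored in $($regPaths[$scope]) ==="
    Get-ItemProperty -Path $regPaths[$scope] |
        Select-Object * -ExcludeProperty PS* | Format-List
}

# Variables present only in the Process scope: set by the logon session or a parent
# process rather than persisted. Expect USERNAME, SESSIONNAME, etc.; anything else is
# worth a second look.
$persisted   = @($scopes.Machine.Keys) + @($scopes.User.Keys)
$processOnly = $scopes.Process.Keys | Where-Object { $persisted -notcontains $_ } | Sort-Object
Write-Host "Variables present only in the Process scope: $($processOnly -join ', ')"

# PATH entries of this process that appear in neither persistent PATH.
$persistedPath = ((Get-ScopeValue $scopes.Machine 'Path'), (Get-ScopeValue $scopes.User 'Path')) -join ';' -split ';' |
    Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_).TrimEnd('\') }
$env:Path -split ';' | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') } |
    Where-Object { $persistedPath -notcontains $_ } |
    ForEach-Object { Write-Warning "PATH entry not in Machine or User PATH: $_" }
```

A PATH entry that was added only for the current process is not evidence of anything by itself (installers and developer tools do it legitimately), but it is exactly the kind of detail that does not survive a reboot and should therefore be recorded during live analysis.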
3- Hotfixes
Without a doubt, the list of installed hotfixes is one of the most important pieces of information to be collected, as it determines whether any patches or updates are missing and whether the system is vulnerable.
There are many ways to obtain the installed hotfixes as follows:
Systeminfo: As you may have noticed, the systeminfo command shows the list of installed hotfixes as well; let's use systeminfo and findstr to get the list of hotfixes.
systeminfo | findstr KB
WMIC: We can obtain the same list by using "wmic qfe get hotfixid", but let's get more details.
wmic qfe get Caption,Description,HotFixID,InstalledOn
PowerShell: PowerShell provides investigators with a powerful command interface and scripting capabilities to collect many artifacts. The "powershell get-hotfix" command helps us get the list of installed hotfixes. We can also look for specific hotfixes by their KB number.
Note 1: findstr can be combined with systeminfo or WMIC to look for specific hotfixes as well.
Note 2: This post is not comparing the capabilities of Windows commands, WMIC, and PowerShell. The main aim is to demonstrate different data collection techniques.
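The following added example (not from the original post) turns the Get-HotFix output into a short patch-status report: newest first, the same fields wmic qfe shows, and a check of a list of expected KB IDs. The KB numbers in $expected are placeholders, not real updates; replace them with the updates that matter for the build under review.

```powershell
# Added example (not from the original post): inventory installed hotfixes and
# check a list of expected KB IDs. The IDs below are PLACEHOLDERS for the example.
$expected = @('KB0000001', 'KB0000002')

$hotfixes = Get-HotFix | Sort-Object InstalledOn -Descending

# Newest first, with the fields 'wmic qfe get Caption,Description,HotFixID,InstalledOn' shows
$hotfixes |
    Select-Object HotFixID, Description, InstalledOn, InstalledBy, Caption |
    Format-Table -AutoSize

# Quick summary to judge the patch cadence (InstalledOn can be empty for some entries)
$latest = $hotfixes | Where-Object InstalledOn | Select-Object -First 1
Write-Host ("Installed hotfixes: {0}; most recent: {1} on {2:yyyy-MM-dd}" -f `
    $hotfixes.Count, $latest.HotFixID, $latest.InstalledOn)

# Which of the expected updates are present and which are missing
$installedIds = $hotfixes.HotFixID
foreach ($kb in $expected) {
    if ($installedIds -contains $kb) { Write-Host "present: $kb" }
    else                             { Write-Warning "missing: $kb" }
}

# Structured equivalent of 'systeminfo | findstr KB' for a single update
Get-HotFix -Id 'KB0000001' -ErrorAction SilentlyContinue
```

One caveat worth keeping in mind: Get-HotFix, wmic qfe and the systeminfo hotfix list all read Win32_QuickFixEngineering, which only covers updates registered through component-based servicing. A missing KB in this list is a prompt to verify through Windows Update history, not a final verdict.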
4- Drivers
A simple conversation with uncle Google gives us numerous stories on how a security flaw in an installed driver opened the doors for attackers! The news below, for instance:
Living off another land: Ransomware borrows vulnerable driver to remove security software
Sophos has been investigating two different ransomware attacks where the adversaries deployed a legitimate, digitally…
The image above depicts the use of a Windows built-in command and PowerShell to retrieve the list of drivers. NirSoft provides a GUI-based tool called installed_drivers_list to retrieve the list of available drivers as well. Its icons mean the following:
- Green Icon — The driver is running on the Windows kernel.
- Yellow Icon — The driver is not running on the Windows kernel.
- Red Icon — The driver is not running on the Windows kernel, but it should be loaded automatically when Windows starts.
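The same three-way classification can be produced from PowerShell, with one addition that the vulnerable-driver story above makes relevant: whether each driver image carries a valid signature. This is an added example, not from the original post or from NirSoft; the Green/Yellow/Red labels follow the legend above, and the signature check uses Get-AuthenticodeSignature on the driver file.

```powershell
# Added example (not from the original post): list kernel drivers with their state,
# classify them like the NirSoft legend above, and flag unsigned or missing images.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver

$report = foreach ($d in $drivers) {
    if ($d.State -eq 'Running') {
        $status = 'Green  (running)'
    } elseif ($d.StartMode -in 'Boot', 'System', 'Auto') {
        $status = 'Red    (should start automatically, not running)'
    } else {
        $status = 'Yellow (not running)'
    }

    # PathName comes in native forms such as \SystemRoot\system32\drivers\x.sys or \??\C:\...
    $path = $d.PathName -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
    $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                (Get-AuthenticodeSignature -LiteralPath $path).Status
            } else {
                'FileNotFound'
            }

    [pscustomobject]@{
        Name      = $d.Name
        State     = $d.State
        StartMode = $d.StartMode
        Status    = $status
        Signature = $sig
        Path      = $path
    }
}

$report | Sort-Object Status, Name | Format-Table -AutoSize

# Drivers whose image is not validly signed (or cannot be located) deserve a closer look
$report | Where-Object { $_.Signature -ne 'Valid' } |
    ForEach-Object { Write-Warning "$($_.Name): signature $($_.Signature) ($($_.Path))" }
```

A non-Valid result is a lead, not a conclusion: the story above is precisely about a legitimately signed driver being abused, so the signed list still has to be reviewed against known-vulnerable driver names and versions.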
5- Shadow Copies
Shadow copies are the snapshots — backups — of Windows files and can be used to restore data when required. Shadow copies keep the previous state, data, and files of a machine and may help us during an investigation. However, they are not as good as forensic images of a hard disk, as they contain only a snapshot of a file at a particular point in time.
Besides, not all machines being investigated may have shadow copies or restore points enabled. Thus, we should check whether any shadow copies exist on the target machine.
The image below shows the use of WMIC and vssadmin to obtain the list of available shadow copies on a system.
Note 1: Having shadow copies does not guarantee any successful or complete data recovery, as that highly depends on the type of shadow copies, their creation time, and the last point at which they were overwritten by the OS.
Note 2: The golden rule of digital forensics is to collect as much data as is available; may the force be with us later in the in-depth analysis.
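The added example below (not from the original post) enumerates shadow copies per volume through Win32_ShadowCopy, the same class wmic reads, resolves each copy to a drive letter and reports volumes that have none. vssadmin and the shadow copy class both require an elevated shell.

```powershell
# Added example (not from the original post): enumerate shadow copies per volume
# and report volumes without any. Run from an elevated PowerShell.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
$volumes = @(Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter })

$rows = foreach ($s in $shadows) {
    # VolumeName is the \\?\Volume{GUID}\ path, which matches Win32_Volume.DeviceID
    $vol = $volumes | Where-Object { $_.DeviceID -eq $s.VolumeName } | Select-Object -First 1
    [pscustomobject]@{
        Drive        = $vol.DriveLetter
        Created      = $s.InstallDate                              # already a [datetime] via CIM
        AgeDays      = [int]((Get-Date) - $s.InstallDate).TotalDays
        ID           = $s.ID
        Persistent   = $s.Persistent
        DeviceObject = $s.DeviceObject                             # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
    }
}
$rows | Sort-Object Drive, Created | Format-Table -AutoSize

# Per-volume count; a volume with zero copies means nothing to recover from VSS there
foreach ($v in $volumes) {
    $count = @($shadows | Where-Object { $_.VolumeName -eq $v.DeviceID }).Count
    Write-Host ("{0} {1} shadow copies ({2})" -f $v.DriveLetter, $count, $v.DeviceID)
}

# The built-in tool's view, kept for the record alongside the CIM output
vssadmin list shadows
```

The DeviceObject value is the piece an analyst needs later: it is the path under which the snapshot's contents can be read, so recording it together with the creation time at collection time saves a second trip to the machine.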