I am in preparation of developing an Incident Response Plan for a computer that has been hacked (no malware installed, just a system hack). My plan is to analyse through Windows Event Viewer to try and detect some unusual behaviour on the machine.

However, if a hacker has changed the contents of the log file or changed the time, what are the alternative routes for developing an IRP other than Windows Event Viewer?

C.Mann

1 Answer


I once had a similar task and I found Nirsoft Mega Report. It combines some of the NirSoft utilities. I didn't find it very useful, since you get a lot of single reports, but not a complete timeline.

End of 2014, I tried to achieve it myself by using the NirSoft tools, running them in unattended mode and exporting to XML. The tools I considered for that were

  • AppCrashView (maybe someone tried to exploit a bug in an application)
  • JumpListsView (see what was done last)
  • RecentFilesView (which files were used last)
  • UserAssistView
  • BlueScreenView (maybe some kernel exploit caused a bluescreen)
  • FirefoxDownloadsView (maybe some malware came from there)
  • LastActivityView (see what was done last)
  • ShellBagsView
  • WinLogOnView (who logged on)
  • BrowsingHistoryView
  • FlashCookiesView
  • MozillaCacheView
  • SkypeLogView
  • WinPrefetchView
  • DevManView (were there devices connected)
  • IECacheView
  • MyEventViewer (like Windows Event Viewer)
  • TurnedOnTimesView
  • ImageCacheViewer
  • myuninst
  • USBDeview (were there devices connected)

From all these XMLs I tried to build a complete timeline. I say "tried", because

  1. I found that the XMLs were not always well-formed. I reported that as bugs, but I was never notified whether they were fixed.
  2. Not all tools provide XML export.

Still, all those reports may be helpful.

If you do forensic stuff, consider the following basic rules:

  1. get an image in a forensically sound way
  2. only work on a copy of that image. Never work on the original and never work on the forensically sound image (of step one).

Thomas Weller
  • So in other words - you would need to perform a full forensic analysis. I would also add registry analysis since it contains some spicy content like recent USB devices, last WiFi hotspot etc – Sir Muffington Nov 18 '19 at 21:03
  • @SirMuffington: USBDeview is likely doing the recent USB device analysis. Not sure if Nir Sofer has a utility for recent WLANs. Not sure if I would perform a full forensic analysis in such a case. Depends on the threat. As a small company, I would at least not buy a fully fledged forensics suite. – Thomas Weller Nov 18 '19 at 21:32
  • there are open source free tools like Autopsy for performing forensics... The Sleuth Kit, which contains the basis with MACtimes etc is also free and open source – Sir Muffington Nov 18 '19 at 21:37
  • @SirMuffington: I'm not sure whether I interpret the [windows] tag correctly. I was answering for tools that run on Windows. Since OP mentioned "Windows Event Viewer", I got that impression. Feel free to add a Linux answer in addition to mine. I don't use Linux that much, so I can hardly answer. – Thomas Weller Nov 19 '19 at 15:59
  • Linux is great for analyzing Windows. Only the image itself is Windows, any OS can analyze the image. – Sir Muffington Nov 19 '19 at 16:23
  • Thanks for both of your help @Thomas Weller – C.Mann Nov 19 '19 at 18:57
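The answer above describes running several NirSoft tools unattended, exporting each to XML, and merging the exports into one timeline, with the complication that some exports were not well-formed. The following is an added example of that merge step; it is not code from the answer, from NirSoft or from the question. It assumes a generic layout in which each report is a list of `<item>` elements whose children are field name/value pairs and one child holds a timestamp in `DD/MM/YYYY HH:MM:SS` form (the real NirSoft export layout and field names may differ, so `TIME_FIELDS`, `TIME_FORMAT` and the two sample reports are constructed for this example). A strict parser is tried first; when it rejects the document, a tolerant scan recovers whatever complete `<field>` pairs it can, so one broken export does not lose the whole timeline.

```python
"""Merge several NirSoft-style XML reports into one chronological timeline.

Added example, not from the answer or from NirSoft. Assumed (constructed)
layout: <root><item><field>value</field>...</item>...</root>, with one field
per item carrying a DD/MM/YYYY HH:MM:SS timestamp.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Field names this example treats as an item's timestamp (assumed names).
TIME_FIELDS = ("time", "created_time", "modified_time",
               "execution_time", "logon_time")
TIME_FORMAT = "%d/%m/%Y %H:%M:%S"


def parse_items(xml_text):
    """Return a list of {field: value} dicts, one per <item>.

    Tries the strict XML parser first. If the report is not well-formed
    (the problem the answer ran into), falls back to a regex scan that keeps
    every complete <field>value</field> pair, including those in an item
    whose closing tag never arrived.
    """
    try:
        root = ET.fromstring(xml_text)
        return [{child.tag: (child.text or "").strip() for child in item}
                for item in root.iter("item")]
    except ET.ParseError:
        items = []
        # An item ends at </item> or, for a truncated export, at end of text.
        for block in re.findall(r"<item>(.*?)(?:</item>|$)", xml_text, re.S):
            fields = dict(re.findall(r"<(\w+)>(.*?)</\1>", block, re.S))
            if fields:
                items.append({k: v.strip() for k, v in fields.items()})
        return items


def item_time(fields):
    """Return the item's timestamp as datetime, or None if it has no usable one."""
    for name in TIME_FIELDS:
        if name in fields:
            try:
                return datetime.strptime(fields[name], TIME_FORMAT)
            except ValueError:
                pass  # empty or oddly formatted value: treat as undated
    return None


def build_timeline(reports):
    """reports: {tool_name: xml_text}.

    Returns (events, undated): events is a list of (datetime, tool, fields)
    sorted by time; undated holds (tool, fields) for items without a
    parseable timestamp so they are reviewed rather than silently dropped.
    """
    events, undated = [], []
    for tool, text in reports.items():
        for fields in parse_items(text):
            when = item_time(fields)
            if when is None:
                undated.append((tool, fields))
            else:
                events.append((when, tool, fields))
    events.sort(key=lambda e: e[0])
    return events, undated


def describe(event):
    """One human-readable timeline line for an event tuple."""
    when, tool, fields = event
    detail = " ".join(f"{k}={v}" for k, v in fields.items() if k not in TIME_FIELDS)
    return f"{when:%Y-%m-%d %H:%M:%S}  {tool:<16} {detail}"


# Constructed sample reports (not real NirSoft output).
WINLOGON_XML = """<?xml version="1.0"?>
<root>
  <item><user>alice</user><logon_time>18/11/2019 21:03:00</logon_time><logon_type>Interactive</logon_type></item>
  <item><user>bob</user><logon_time>18/11/2019 19:45:12</logon_time><logon_type>Remote Interactive</logon_type></item>
  <item><user>svc_backup</user><logon_time></logon_time><logon_type>Service</logon_type></item>
</root>
"""

# Constructed defect: the second item and the root element are never closed,
# so the strict parser rejects this report and the fallback scan is used.
PREFETCH_XML = """<?xml version="1.0"?>
<root>
  <item><filename>NOTEPAD.EXE-ABCD1234.pf</filename><execution_time>18/11/2019 20:59:10</execution_time></item>
  <item><filename>CMD.EXE-0F5A9B21.pf</filename><execution_time>18/11/2019 21:04:30</execution_time>
"""

if __name__ == "__main__":
    events, undated = build_timeline({"WinLogOnView": WINLOGON_XML,
                                      "WinPrefetchView": PREFETCH_XML})
    for event in events:
        print(describe(event))
    for tool, fields in undated:
        print(f"UNDATED  {tool:<16} {fields}")
```

Feeding real exports is a matter of reading each tool's XML file into the `reports` dictionary keyed by tool name. Keeping the undated items visible matters: an artifact whose timestamp is missing or implausible is exactly the kind of thing worth a second look when, as the question anticipates, the system clock or logs may have been tampered with, and a cross-tool timeline lets one artifact source be checked against another.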