Posts Tagged ‘Microsoft’


Using Apple Time Capsule with Microsoft Windows

John Lukach

AirPort Utility 5.6.1 for Windows

The AirPort Utility for Windows lets Windows computers reach the Apple Time Capsule hard disk over Bonjour. The drive appears as a network share mapped through a UNC path on the PC. The binary data stored in HKEY_Users\S-1-5-1234567890-1234567890-123456789-1000\Software\AppleInc.\Preferences\com.apple.airport.diskagent confirms which volume is associated with the Apple Time Capsule. Because the Time Capsule also has an external USB port, two volumes may be listed.

If the end user set up Windows Backup, the following keys give additional insight into the size of the disk and the free space available, which may help identify the external USB drive:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\ScheduledParams

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\ScheduledParams\Rules\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\ScheduledParams\PresentableName

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\ScheduledParams\UniqueName

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\TargetDevices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\UserDataExclusions

User-defined inclusions are listed as numbered keys under the Rules key, each containing the specific paths selected for backup.

PsTools Artifacts

John Lukach

PsTools Suite 2.44

PsTools are a common resource used to manage remote systems. When PsExec, PsFile, PsGetSID, PsInfo, PsKill, PsList, PsLoggedOn, PsLogList, PsPasswd, PsService, PsShutDown, or PsSuspend is first executed, the EULA (software license agreement) must be accepted. This creates a registry value that lets you determine which tools have been used on a specific machine under a given user profile. I used the RegRipper framework by Harlan Carvey to create a new plugin that harvests these artifacts; it will be available at http://regripper.wordpress.com.

\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsExec\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsFile\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsGetSID\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsInfo\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsKill\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsList\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsLoggedOn\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsLogList\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsPasswd\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsService\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsShutDown\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsSuspend\EulaAccepted

http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx
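As an added example (not the RegRipper plugin from the post, and not Sysinternals code), the script below takes the text of a `reg export` of a user hive and reports which of the PsTools listed above have an accepted EULA under which SID. The .reg sample and its SID are constructed for illustration; the key name is matched case-insensitively because the post spells it SysInternals while exports typically show Sysinternals.

```python
import re
from typing import Dict, List

# Tools named in the post; each one writes <user hive>\Software\Sysinternals\<Tool>\EulaAccepted
# the first time its EULA is accepted.
PSTOOLS = ("PsExec", "PsFile", "PsGetSID", "PsInfo", "PsKill", "PsList",
           "PsLoggedOn", "PsLogList", "PsPasswd", "PsService", "PsShutDown", "PsSuspend")

# Constructed sample of `reg export` output; the SID and values are made up, not from a real case.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1234567890-1234567890-123456789-1000\Software\Sysinternals\PsExec]
"EulaAccepted"=dword:00000001

[HKEY_USERS\S-1-5-21-1234567890-1234567890-123456789-1000\Software\Sysinternals\PsList]
"EulaAccepted"=dword:00000001

[HKEY_USERS\S-1-5-21-1234567890-1234567890-123456789-1000\Software\Sysinternals\PsKill]
"EulaAccepted"=dword:00000000
"""

# Matches a per-tool Sysinternals key under HKEY_USERS\<SID> or HKEY_CURRENT_USER.
KEY_RE = re.compile(r"^(?:HKEY_USERS\\(S-[\d-]+)|HKEY_CURRENT_USER)\\Software\\Sysinternals\\([^\\]+)$",
                    re.IGNORECASE)

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key_path: {value_name: raw_data}} (data left as written)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip()
    return keys

def accepted_pstools(reg_text: str) -> Dict[str, str]:
    """Return {tool: owner} for tools whose EulaAccepted is dword:1; owner is the SID or 'HKCU'."""
    found: Dict[str, str] = {}
    for key, values in parse_reg(reg_text).items():
        match = KEY_RE.match(key)
        if match and values.get("EulaAccepted", "").lower() == "dword:00000001":
            raw_tool = match.group(2)
            # Normalise case to the spelling in the tool list when it is a known PsTool.
            tool = next((t for t in PSTOOLS if t.lower() == raw_tool.lower()), raw_tool)
            found[tool] = match.group(1) or "HKCU"
    return found

def never_accepted(reg_text: str) -> List[str]:
    """PsTools from the list with no accepted EULA in this export (never run under this profile)."""
    seen = accepted_pstools(reg_text)
    return [t for t in PSTOOLS if t not in seen]
```

A .reg export carries no timestamps; to learn when a tool was first run, read the key's last-write time from the hive itself, which is what a RegRipper plugin does.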

http://forensicartifacts.com/wp-content/uploads/gravity_forms/3-b56c65f0d638cb782e8f437e4b2147cf/2012/07/PsTools-Plugin.jpg

Outlook Email Saving Options

John Lukach

Outlook 2010 & Aid4Mail 2.4

By default, Microsoft Outlook 2010 allows users to save email messages externally in the MSG, OFT, HTML, MHT, or TXT file formats. Microsoft Office programs can also have add-ins installed that extend the functionality of the software. To verify whether any add-ins exist in Outlook, check the SOFTWARE and NTUSER.DAT registry hives for the following key path: Microsoft\Office\Outlook\Addins.

Other applications can access email through a Messaging Application Programming Interface (MAPI) connection. One example is Aid4Mail, an email conversion program from Fookes Software that adds export options for additional file formats such as PDF, ZIP, XML, and others. The file formats and export paths used by the application can be found in the C:\Users\\AppData\Roaming\Aid4Mail\Aid4Mail.ini file.

Not every application using a MAPI connection will leave as obvious an artifact; which email formats are available is left to the individual developer. One option is to determine which DLLs an executable uses, for example C:\Windows\SysWow64\mapi32.dll or C:\Program Files (x86)\Microsoft Office\Office14\olmapi32.dll. Another is a timeline approach: look for the creation and deletion of C:\Users\\Documents\Outlook Files\~Outlook.pst.tmp without the normal Outlook activity that would otherwise surround it, which suggests the MAPI configuration was accessed abnormally.
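As an added example of the timeline approach (not code from the post or from any of the tools it names), the script below scans bodyfile-format timeline lines for creations of ~Outlook.pst.tmp and flags those with no outlook.exe-related activity nearby, listing what else was touched in the same window. The bodyfile lines, the user name, the prefetch hash and the 15-minute window are all constructed assumptions for the demonstration.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed bodyfile (TSK 3.x mactime input) lines, not from a real case.
# Fields: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, times in epoch seconds.
SAMPLE_BODYFILE = """\
0|C:/Windows/Prefetch/OUTLOOK.EXE-12345678.pf|0|r/rrwxrwxrwx|0|0|4096|1341907200|1341907200|1341907200|1341907200
0|C:/Users/alice/Documents/Outlook Files/~Outlook.pst.tmp|0|r/rrwxrwxrwx|0|0|0|1341907260|1341907260|1341907260|1341907260
0|C:/Users/alice/AppData/Roaming/Aid4Mail/Aid4Mail.ini|0|r/rrwxrwxrwx|0|0|512|1341993590|1341993590|1341993590|1341993590
0|C:/Users/alice/Documents/Outlook Files/~Outlook.pst.tmp (deleted)|0|r/rrwxrwxrwx|0|0|0|1341993600|1341993600|1341993600|1341993600
"""

# Assumed tolerance: Outlook-related activity within this window counts as "Outlook was in use".
WINDOW = timedelta(minutes=15)

Event = Tuple[datetime, str, str]  # (timestamp, which timestamp field, file name)

def parse_bodyfile(text: str) -> List[Event]:
    """Expand each bodyfile line into one event per non-zero timestamp, sorted by time."""
    events: List[Event] = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 11:
            continue  # blank or malformed line
        for label, idx in (("atime", 7), ("mtime", 8), ("ctime", 9), ("crtime", 10)):
            ts = int(fields[idx])
            if ts > 0:
                events.append((datetime.fromtimestamp(ts, tz=timezone.utc), label, fields[1]))
    return sorted(events)

def is_pst_tmp(name: str) -> bool:
    return name.lower().replace(" (deleted)", "").endswith("~outlook.pst.tmp")

def is_outlook_activity(name: str) -> bool:
    # Assumption: any file named after outlook.exe (e.g. its prefetch file) shows the client itself ran.
    return "outlook.exe" in name.lower()

def suspicious_pst_tmp(text: str, window: timedelta = WINDOW) -> List[Dict[str, object]]:
    """Creations of ~Outlook.pst.tmp with no outlook.exe activity inside the window, plus what was nearby."""
    events = parse_bodyfile(text)
    flagged: List[Dict[str, object]] = []
    for when, label, name in events:
        if label != "crtime" or not is_pst_tmp(name):
            continue
        nearby = {n for t, _, n in events if n != name and abs(t - when) <= window}
        if any(is_outlook_activity(n) for n in nearby):
            continue  # the client was running; a temporary PST is expected
        flagged.append({"time": when.isoformat(), "file": name, "nearby": sorted(nearby)})
    return flagged
```

In the sample the first temp PST appears a minute after the Outlook prefetch file and is ignored, while the second has only Aid4Mail.ini activity around it and is reported.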