Blue Team-System Live Analysis [Part 4]- Windows: System Information and Configurations

Nothing Cyber [NC]
7 min read · Jan 18, 2021



The previous parts covered the need for live system analysis, its rules, the required tools, and the checklist for carrying out a Windows live investigation.

Let's dive into the technical aspects from this part onwards. As illustrated in the checklist, identifying system information and understanding the system's configuration is one of the main steps in the early stage of an investigation.

Data Types: Current System settings and configurations [e.g. OS installation date, essential folders, hotfixes, drives, shadow copies, top-level network information, etc.]

Investigation Value: To understand the current state of the machine and to plan accordingly.

1- General System Information

There are many ways to retrieve general system information and current settings. I prefer winver and systeminfo for a first look, followed by WMIC or PowerShell for specific details.

Winver

It is a straightforward yet useful command to quickly check the version and build number of the running Windows.

Winver Command

The version number helps investigators find the known issues and potential security risks of that release. For instance, the known issues for the example above [version 20H2] can be found here.

Moreover, the compatibility of our tools with the OS version under investigation is crucial. For example, not every Windows 10 build is supported out of the box by the Volatility framework for memory analysis [Volatility 2 needs a matching profile, Volatility 3 a matching symbol table]. Thus, the exact OS version and build number [e.g. 10.0.18363 N/A Build 18363] help us select the proper toolset for further investigation.

Systeminfo

Systeminfo Command

The animation above shows the systeminfo command. Its output contains several pieces of information that help the analyst plan the rest of the investigation: OS version and build, original install date, system type, installed hotfixes and network adapters, among others.

We can filter out specific lines with the findstr command. For instance, to get only the OS name and version, we can use the command below [/B matches at the beginning of the line, /C: takes a literal search string]:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Filter Results with Findstr

WMIC makes it easy to query a specific property. Type wmic os get /? to list the properties of the Win32_OperatingSystem class that it can return. Note that WMIC is deprecated and is not present by default on recent Windows 11 releases, so keep the equivalent CIM cmdlet (Get-CimInstance Win32_OperatingSystem) ready for newer systems.

WMIC Available Options to Obtain System Information

If we want the hostname, we can use the command below [CSName is the computer system name, not the OS name]:

wmic os get csname

Hostname obtained by WMIC

We can request several properties at once, separated by commas, as follows:

wmic os get csname, WindowsDirectory

Hostname and Windows directory obtained by WMIC

powershell Get-ComputerInfo

Obtain System Information Using powershell Get-ComputerInfo

Get-ComputerInfo -Property OsWindowsDirectory

Windows Installed directory obtained by powershell Get-ComputerInfo

2- Environment variables

Environment variables hold information such as search paths for executables and libraries, directories for temporary files, application-specific options, and so on. They tell us about the environment in which the system's users and processes operate.

They provide a wide variety of information that can be useful during an investigation. You can check the list of standard (built-in) Windows environment variables here. The environment variables are divided into three scopes as follows:

  • Machine (or System) scope: stored in the registry under HKLM and applied to every user and service on the system.
  • User scope: stored in the user's registry hive (HKCU) and applied to that user's logon sessions.
  • Process scope: the environment block of a running process, inherited from its parent. For a user's processes it starts out as the combination of the Machine and User scopes plus the variables set at logon, but a process (or the shell that launched it) can add or override variables that exist in neither registry scope, which is why the running environment should be compared against the registry rather than assumed to match it.

Note 1: User environment variables are set for each user individually, while Machine environment variables are set for everyone [Ref].

System and User Environment Variables

As shown in the figure above, we can see system and user environment variables from advanced system settings.

SET Command

The same information can be retrieved with the SET command, which prints the environment of the current process (the merged result of the two scopes plus anything set in this session) rather than the two registry scopes separately.

SET Command to Display System and User Environment Variables

Windows Registry

The system and user environment variables live in the registry at the following locations and can be displayed with reg query:

System:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
User:
HKEY_CURRENT_USER\Environment

Per-logon variables such as USERNAME, LOGONSERVER and HOMEPATH are kept separately under HKEY_CURRENT_USER\Volatile Environment.
Reg Query Command to Display System and User Environment Variables from Windows Registry

Note 2: the user variables in this post are associated with the currently logged-in user. The coming posts about the user accounts will discuss how to display the variables for other user accounts.
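The comparison across scopes described above, as an added example that is not part of the original post: it reads the Machine, User and Process scopes, reports variables that exist only in the running process, and audits the process PATH for entries that are session-only, empty, missing, or under a user-writable root. The allow-list of known logon-time variables, the "user-writable" roots and the sample data are this example's own assumptions.

```powershell
# Added example (not from the original post). Compares environment variables across
# the Machine, User and Process scopes and flags (a) variables that exist only in the
# running process and (b) PATH entries that are session-only, empty, missing, or under
# a user-writable root. The allow-list and writable roots are this example's heuristics.

function Get-DictValue([System.Collections.IDictionary]$Dict, [string]$Name) {
    # Registry value names are case-insensitive; dictionary keys may not be.
    foreach ($k in $Dict.Keys) { if ($k -ieq $Name) { return [string]$Dict[$k] } }
    return ''
}

function Get-EnvScopeReport {
    param(
        # Dictionaries are parameters so the logic can be exercised on constructed data.
        [System.Collections.IDictionary]$Machine = [Environment]::GetEnvironmentVariables('Machine'),
        [System.Collections.IDictionary]$User    = [Environment]::GetEnvironmentVariables('User'),
        [System.Collections.IDictionary]$Process = [Environment]::GetEnvironmentVariables('Process')
    )

    # Set by the logon process, the shell or PowerShell rather than by either registry
    # Environment key (heuristic allow-list, not an exhaustive Windows list).
    $knownProcessOnly = @(
        'USERNAME','USERDOMAIN','USERDOMAIN_ROAMINGPROFILE','USERPROFILE','HOMEDRIVE','HOMEPATH',
        'LOGONSERVER','SESSIONNAME','CLIENTNAME','APPDATA','LOCALAPPDATA','COMPUTERNAME',
        'ALLUSERSPROFILE','PROGRAMDATA','PUBLIC','SYSTEMDRIVE','SYSTEMROOT','PROGRAMFILES',
        'PROGRAMFILES(X86)','PROGRAMW6432','COMMONPROGRAMFILES','COMMONPROGRAMFILES(X86)',
        'COMMONPROGRAMW6432','DRIVERDATA','PROMPT','PSMODULEPATH'
    )
    $registryNames = @(@($Machine.Keys) + @($User.Keys) | ForEach-Object { "$_".ToUpperInvariant() })

    $processOnly = foreach ($name in $Process.Keys) {
        $upper = "$name".ToUpperInvariant()
        if ($registryNames -notcontains $upper -and $knownProcessOnly -notcontains $upper) {
            [pscustomobject]@{ Name = $name; Value = $Process[$name] }
        }
    }

    # PATH entries are compared after %VAR% expansion, as the loader sees them.
    $registryPath = @(foreach ($raw in @((Get-DictValue $Machine 'Path'), (Get-DictValue $User 'Path'))) {
        foreach ($entry in ($raw -split ';')) {
            if ($entry.Trim()) { [Environment]::ExpandEnvironmentVariables($entry.Trim()).TrimEnd('\') }
        }
    })
    $writableRoots = @($env:USERPROFILE, $env:ProgramData, $env:TEMP) | Where-Object { $_ }

    $pathFindings = foreach ($entry in ((Get-DictValue $Process 'Path') -split ';')) {
        $issues = New-Object System.Collections.Generic.List[string]
        if (-not $entry.Trim()) {
            $issues.Add('empty entry (a stray ";"); cmd.exe searches the current directory for it')
        } else {
            $expanded = [Environment]::ExpandEnvironmentVariables($entry.Trim()).TrimEnd('\')
            if ($registryPath -notcontains $expanded) { $issues.Add('session-only: in neither Machine nor User PATH') }
            if (-not (Test-Path -LiteralPath $expanded)) { $issues.Add('directory does not exist') }
            foreach ($root in $writableRoots) {
                if ($expanded -like "$($root.TrimEnd('\'))\*") { $issues.Add("under user-writable root $root"); break }
            }
        }
        if ($issues.Count) { [pscustomobject]@{ Entry = $entry; Issues = ($issues -join '; ') } }
    }

    [pscustomobject]@{ ProcessOnlyVariables = @($processOnly); PathFindings = @($pathFindings) }
}

# Constructed sample, not real system data: a profile directory injected at the front of
# the session PATH only, a trailing ";" and a variable with no registry backing.
$sampleMachine = @{ Path = 'C:\Windows\system32;C:\Windows'; TEMP = '%SystemRoot%\TEMP' }
$sampleUser    = @{ Path = 'C:\Users\alice\AppData\Local\Microsoft\WindowsApps' }
$sampleProcess = @{
    Path             = 'C:\Users\alice\AppData\Roaming\upd;C:\Windows\system32;C:\Windows;C:\Users\alice\AppData\Local\Microsoft\WindowsApps;'
    TEMP             = 'C:\Windows\TEMP'
    USERNAME         = 'alice'
    COMSPEC_OVERRIDE = 'C:\Users\alice\cmd.exe'   # hypothetical variable name for the demo
}
$report = Get-EnvScopeReport -Machine $sampleMachine -User $sampleUser -Process $sampleProcess
$report.ProcessOnlyVariables | Format-Table -AutoSize   # COMSPEC_OVERRIDE
$report.PathFindings | Format-Table -AutoSize           # the "upd" entry and the trailing empty entry
                                                        # (plus any sample directory absent on this machine)

# Live run on the machine under investigation, in the context of the user of interest:
# Get-EnvScopeReport | Select-Object -ExpandProperty PathFindings
```

Run the live form from a shell started as the user whose environment is in question; a variable or PATH entry that is present in the process but absent from both registry keys was introduced by that session (a parent process, a logon script or an interactive change), which is where search-order hijacking typically shows up.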

3- Hotfixes

Without a doubt, the list of installed hotfixes is one of the most important pieces of information to collect, as it tells us whether patches or updates are missing and whether the system is exposed to known vulnerabilities.

There are many ways to obtain the installed hotfixes as follows:

Systeminfo: as you may have noticed, systeminfo also shows the list of installed hotfixes; let's combine systeminfo with findstr to extract that list.

systeminfo | findstr KB

List of Installed Hotfixes from Systeminfo.

WMIC: we can obtain the same list with wmic qfe get hotfixid, but let's ask for more details:

wmic qfe get Caption,Description,HotFixID,InstalledOn

Installed Hotfixes obtained by WMIC

PowerShell: PowerShell gives investigators a powerful command interface and scripting capabilities for collecting many artifacts at once. The Get-HotFix cmdlet (powershell Get-HotFix from a command prompt) lists the installed hotfixes, and Get-HotFix -Id followed by a KB number looks for a specific one. Keep in mind that all three methods read the same Win32_QuickFixEngineering data, which only covers updates applied through the Windows servicing stack (CBS); MSI-based updates such as Office patches do not appear there.

Installed Hotfixes obtained by Powershell

Note1: findstr can be combined with systeminfo or WMIC to look for specific hotfixes as well.

Note 2: This post is not comparing the capabilities of windows commands, WMIC, and Powershell. The main aim is to demonstrate different data collection techniques.

4- Missing Updates

The list of installed hotfixes must be validated to ensure the latest patches are present. For that we only need the Windows version [winver] and the system type [systeminfo | findstr /B /C:"System Type"].

Windows Version and Type

For example, the system above is 64-bit Windows 10, version 20H2, build 19042. Now it is time to check the official Microsoft security update portal.

In the Security Update Guide section, we can use a keyword search to look for any update that matches our OS version and type.

Security Update Guide for Windows 10 Version 20H2 for x64-based Systems

As the figure above shows, we can check each issue's impact, severity and related CVE details. The Article column gives detailed information about the update, including the hotfix (KB) released for it, if any.

More Information about KB5004237

Let's check if the hotfix is installed on the system or not:

Installed Hotfixes

Yes, it is already there! But what if it were missing?

  • Look at the patch policies, rewrite, edit and roll out new ones.
  • Formulate a vulnerability oriented hypothesis to examine the system.

If a missing hotfix corresponds to a specific vulnerability, we can look for any indicator of compromise (IoC), indicator of attack (IoA) or other unwanted activity related to that vulnerability. Note that Windows 10 updates are cumulative: a later cumulative update supersedes an earlier one, so before concluding that a KB is missing, compare the installed OS build revision shown by winver with the build listed in the update's article rather than relying on the KB name alone.
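The version and patch-level collection from section 1 and the validation procedure above, as one added example that is not part of the original post: it gathers what winver and systeminfo show plus the update revision (UBR) they omit, checks the installed hotfixes against a list of expected KBs, measures how long ago the last hotfix was installed, and asks the Windows Update Agent which applicable updates are not installed. The expected-KB list is a placeholder to be filled from the Security Update Guide; KB5004237 is the article's own example and the other KB identifiers below are made up for the demo.

```powershell
# Added example (not from the original post). Gathers what winver and systeminfo show
# plus the update revision (UBR) they omit, checks installed hotfixes against a list of
# expected KBs, and asks the Windows Update Agent for applicable-but-missing updates.
# The expected-KB list is a placeholder to fill from the Security Update Guide;
# KB5004237 is the article's own example, the other IDs below are made up for the demo.

function Get-OsPatchLevel {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $os = Get-CimInstance Win32_OperatingSystem
    # DisplayVersion (20H2, 21H1, ...) exists from 20H2 onward; older builds only carry ReleaseId.
    $version = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
    [pscustomobject]@{
        Caption        = $os.Caption
        Version        = $version
        Build          = "$($cv.CurrentBuildNumber).$($cv.UBR)"   # the "OS Build" winver shows, e.g. 19042.xxxx
        Architecture   = $os.OSArchitecture                      # 64-bit / 32-bit, as in systeminfo "System Type"
        InstallDate    = $os.InstallDate
        LastBootUpTime = $os.LastBootUpTime
    }
}

function Test-ExpectedHotFix {
    param(
        [Parameter(Mandatory)][string[]]$ExpectedKB,
        # Objects from Get-HotFix, or constructed ones so the check can run offline.
        [object[]]$Installed = @(Get-HotFix)
    )
    $present = @($Installed | ForEach-Object { "$($_.HotFixID)".ToUpperInvariant() })
    foreach ($kb in $ExpectedKB) {
        [pscustomobject]@{ KB = $kb; Installed = ($present -contains $kb.ToUpperInvariant()) }
    }
}

function Get-PatchAge {
    param([object[]]$Installed = @(Get-HotFix))
    # Win32_QuickFixEngineering only lists updates applied through the servicing stack
    # (CBS); MSI-based updates such as Office patches never appear here.
    $latest = $Installed | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $days = if ($latest) { [int]((Get-Date) - [datetime]$latest.InstalledOn).TotalDays } else { $null }
    [pscustomobject]@{ LatestHotFix = $latest.HotFixID; InstalledOn = $latest.InstalledOn; DaysSince = $days }
}

function Get-MissingUpdate {
    # Windows Update Agent COM API. Online=$false searches the locally cached scan
    # results instead of contacting Windows Update/WSUS (useful on an isolated host).
    param([switch]$Offline)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    if ($Offline) { $searcher.Online = $false }
    $result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title        = $u.Title
            KB           = @(foreach ($id in $u.KBArticleIDs) { "KB$id" }) -join ','
            MsrcSeverity = $u.MsrcSeverity
        }
    }
}

# Constructed hotfix records (not real system data) to show the check offline.
$sampleInstalled = @(
    [pscustomobject]@{ HotFixID = 'KB5004237'; Description = 'Security Update'; InstalledOn = [datetime]'2021-07-14' }
    [pscustomobject]@{ HotFixID = 'KB0000001'; Description = 'Update';          InstalledOn = [datetime]'2021-06-09' }
)
Test-ExpectedHotFix -ExpectedKB 'KB5004237','KB0000002' -Installed $sampleInstalled | Format-Table -AutoSize
Get-PatchAge -Installed $sampleInstalled

# Live run on the machine under investigation (Get-MissingUpdate needs the Windows Update service):
Get-OsPatchLevel | Format-List
Test-ExpectedHotFix -ExpectedKB 'KB5004237' | Format-Table -AutoSize
Get-PatchAge
try { Get-MissingUpdate -Offline | Format-Table -AutoSize } catch { Write-Warning "Update Agent query failed: $_" }
```

The Build value is the one to compare with the Security Update Guide: because cumulative updates supersede each other, an expected KB reported as not installed is only a problem if the build revision is also lower than the one that KB's article lists. Run Get-MissingUpdate without -Offline only when contacting Windows Update or WSUS from the investigated host is acceptable.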

5- Drivers!

A quick search shows several stories of a security flaw in an installed driver opening the door for attackers; the news item below is one example.

Installed Drivers List obtained.

The image above shows the Windows built-in command and PowerShell being used to retrieve the list of drivers. Nirsoft also provides a GUI tool, InstalledDriversList, that lists the installed drivers.

InstalledDriversList by Nirsoft
  • Green icon: the driver is running in the Windows kernel.
  • Yellow icon: the driver is not running in the Windows kernel.
  • Red icon: the driver is not running in the Windows kernel, although it should have been loaded automatically when Windows started.
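The driver review described in this section, as an added example that is not part of the original post. The post does not name the commands in its screenshot; this example uses Get-CimInstance Win32_SystemDriver (PowerShell's counterpart of the built-in driverquery command) and, for each driver image, checks the Authenticode signature and signer, its location, its SHA-256 hash, and whether a boot/auto-start driver is actually running (the condition behind Nirsoft's red icon). The expected directory and the flag rules are this example's own heuristics.

```powershell
# Added example (not from the original post). The post does not name the commands in its
# screenshot; this example uses Get-CimInstance Win32_SystemDriver (PowerShell's counterpart
# of the built-in driverquery) and checks each driver image's signature, signer, location,
# hash and start mode. The expected directory and the flag rules are this example's heuristics.

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName appears as \SystemRoot\..., \??\C:\..., a relative
    # system32\drivers\x.sys, or a plain absolute path; normalise all of them.
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    if ($p.StartsWith('\??\')) {
        $p = $p.Substring(4)
    } elseif ($p.StartsWith('\SystemRoot\', [StringComparison]::OrdinalIgnoreCase)) {
        $p = Join-Path $env:SystemRoot $p.Substring(12)
    } elseif ($p -notmatch '^[A-Za-z]:\\') {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-DriverReport {
    param([string]$ExpectedDir = (Join-Path $env:SystemRoot 'System32\drivers'))
    foreach ($d in (Get-CimInstance Win32_SystemDriver)) {
        $path   = Resolve-DriverPath $d.PathName
        $flags  = New-Object System.Collections.Generic.List[string]
        $signer = $null
        $hash   = $null
        if (-not $path) {
            $flags.Add('no image path')
        } elseif (-not (Test-Path -LiteralPath $path)) {
            $flags.Add('image not found on disk')
        } else {
            # Verifies embedded and catalog signatures (catalog support needs Windows 8.1+;
            # older systems report catalog-signed inbox drivers as NotSigned).
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $signer = "$($sig.SignerCertificate.Subject)"
            if ($sig.Status -ne 'Valid') {
                $flags.Add("signature $($sig.Status)")
            } elseif ($signer -like '*Hardware Compatibility Publisher*') {
                # WHQL-signed third-party code: signed by Microsoft, but not written by Microsoft.
                $flags.Add('third-party driver (WHQL signature)')
            } elseif ($signer -notlike '*Microsoft*') {
                $flags.Add('third-party signer')
            }
            if ($path -notlike "$ExpectedDir\*") { $flags.Add("outside $ExpectedDir") }
        }
        # Nirsoft's "red icon" condition: should load at boot/start but is not running.
        if ($d.StartMode -in 'Boot','System','Auto' -and $d.State -ne 'Running') {
            $flags.Add("start mode $($d.StartMode) but state $($d.State)")
        }
        [pscustomobject]@{
            Name      = $d.Name
            State     = $d.State
            StartMode = $d.StartMode
            Path      = $path
            Signer    = $signer
            Sha256    = $hash
            Flags     = ($flags -join '; ')
        }
    }
}

$report = Get-DriverReport
# Review the flagged subset first; keep the full list (hashes included) for a baseline
# diff and for lookups against known-vulnerable-driver lists.
$report | Where-Object Flags | Sort-Object Name | Format-Table Name, State, StartMode, Flags, Path -AutoSize
$report | Export-Csv -NoTypeInformation -Path (Join-Path $PWD 'drivers.csv')
```

A valid signature only proves who signed the driver, not that it is safe: the drivers abused in the attacks the post alludes to are usually legitimately signed, so the third-party and WHQL flags are a prioritisation aid, and the hash column is what to check against a list of known-vulnerable drivers.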

6- Shadow Copies

Shadow copies are point-in-time snapshots of a volume taken by the Volume Shadow Copy Service and can be used to restore data when required. They preserve the earlier state of a machine's files and may help us during an investigation, for instance by providing a pre-compromise version of a file or log. However, they are not a substitute for a forensic image of the disk: a shadow copy is not an independent copy but a copy-on-write view of one moment in time, and it is gone once its storage is overwritten or the snapshot is deleted.

Besides, not every machine under investigation has shadow copies or System Restore enabled, so we should first check whether any shadow copies exist on the target.

The commands below use WMIC and vssadmin to list the shadow copies present on a system [vssadmin requires an elevated prompt]:

wmic path Win32_ShadowCopy get DeviceObject, InstallDate
The List of Available Shadow Copies in a system obtained by WMIC
vssadmin list shadows
The List of Available Shadow Copies in a system obtained by VSSADMIN

Nirsoft also provides a GUI tool, ShadowCopyView, to browse the available shadow copies and the files inside them.

The List of Available Shadow Copies in a system obtained by Nirsoft Tool

Note 1: having shadow copies does not guarantee any successful or complete data recovery. It depends on the type of shadow copy, its creation time, and how much of its copy-on-write storage the OS has overwritten since. Bear in mind too that deleting shadow copies (vssadmin delete shadows, wmic shadowcopy delete) is a routine step before ransomware deployment, so an empty list on a system that had VSS enabled is itself a finding worth following up in the process-creation logs.
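The enumeration and the deletion check from this section, as an added example that is not part of the original post: it lists shadow copies per volume through the CIM equivalents of the WMIC and vssadmin commands above, notes volumes that have VSS storage configured but no snapshots left, and shows how to expose one snapshot as a read-only folder through a directory symlink so that files (an event log, for instance) can be copied out of it. The mount-point name is an assumption; the commands need an elevated prompt.

```powershell
# Added example (not from the original post). Lists shadow copies per volume with the
# CIM equivalents of the WMIC and vssadmin commands, notes volumes that have VSS
# storage but no snapshots, and exposes one snapshot read-only via a directory symlink.
# The mount-point path is an assumption; run from an elevated prompt.

function Get-ShadowCopyReport {
    $volumes = Get-CimInstance Win32_Volume | Where-Object DriveLetter
    $shadows = @(Get-CimInstance Win32_ShadowCopy)
    $storage = @(Get-CimInstance Win32_ShadowStorage)
    foreach ($v in $volumes) {
        # Win32_ShadowCopy.VolumeName is the \\?\Volume{GUID}\ path, i.e. Win32_Volume.DeviceID.
        $mine       = @($shadows | Where-Object { $_.VolumeName -eq $v.DeviceID })
        $hasStorage = [bool]($storage | Where-Object { "$($_.Volume.DeviceID)" -eq $v.DeviceID })
        $sorted     = @($mine | Sort-Object InstallDate)
        $note = if ($hasStorage -and -not $mine.Count) {
            'VSS storage configured but no snapshots: check process creation (Security 4688 / Sysmon 1) for vssadmin delete shadows or wmic shadowcopy delete'
        } else { '' }
        [pscustomobject]@{
            Drive       = $v.DriveLetter
            VssStorage  = $hasStorage
            ShadowCount = $mine.Count
            Oldest      = if ($sorted.Count) { $sorted[0].InstallDate } else { $null }
            Newest      = if ($sorted.Count) { $sorted[-1].InstallDate } else { $null }
            Note        = $note
        }
    }
}

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory)][string]$DeviceObject,   # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
        [string]$MountPoint = 'C:\shadow_ro'           # assumed name for the link
    )
    if (Test-Path -LiteralPath $MountPoint) { throw "$MountPoint already exists" }
    # A directory symlink to the GLOBALROOT device exposes the snapshot as a folder.
    # The trailing backslash after the device name is required.
    cmd.exe /c mklink /d "$MountPoint" "$DeviceObject\" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mklink failed with exit code $LASTEXITCODE" }
    return $MountPoint
}

function Dismount-ShadowCopy([string]$MountPoint) {
    # rmdir removes the link itself and never its target.
    cmd.exe /c rmdir "$MountPoint" | Out-Null
}

Get-ShadowCopyReport | Format-Table -AutoSize
Get-CimInstance Win32_ShadowCopy | Select-Object ID, VolumeName, InstallDate, DeviceObject | Format-Table -AutoSize

# Example: copy the snapshot's version of the Security log without touching the live file.
# $link = Mount-ShadowCopy -DeviceObject '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1'
# Copy-Item (Join-Path $link 'Windows\System32\winevt\Logs\Security.evtx') .\Security_shadow1.evtx
# Dismount-ShadowCopy $link
```

The Oldest and Newest columns bound the time window a snapshot can speak to; a snapshot taken before the suspected compromise is the one worth mounting, and copying files out of it leaves the live volume untouched.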

Note 2: the golden rule of digital forensics applies: collect as much data as is available now; may the force be with us later in the in-depth analysis.

Stay tuned…!

Written by Nothing Cyber [NC]

Nothing Stands in your Way! Learn Cybersecurity here, training, techniques, tools, and resources are in a simple way, all for free! - Dr. Meisam Eslahi
