Blue Team-System Live Analysis [Part 4]- Windows: System Information and Configurations
In the previous parts I discussed the need for live system analysis, the rules to follow, some of the required tools, and the checklist for carrying out a Windows live investigation.
From this part onwards, let's get into the technical details. As the checklist shows, identifying system information and understanding the machine's configuration is one of the main steps in the early stage of an investigation.
Data Types: Current System settings and configurations [e.g. OS installation date, essential folders, hotfixes, drives, shadow copies, top-level network information, etc.]
Investigation Value: To understand the current state of the machine and to plan accordingly.
1- General System Information
There are many ways to retrieve general system information and current settings. I prefer winver and systeminfo for a first look at the general information, followed by WMIC or PowerShell to pull specific details.
Winver
It's a straightforward yet useful command to quickly check the version and build number of the running Windows installation.
The version number helps investigators find the known issues and potential security risks of that release. For instance, the issues related to the example above [version 20H2] are documented in Microsoft's release notes for that version.
Moreover, the compatibility of our tools with the OS version under investigation is crucial. For example, not all Windows 10 builds are fully supported by the Volatility framework for memory analysis, since it needs build-specific symbols. Thus, the exact OS version and build number [e.g. 10.0.18363 N/A Build 18363, as systeminfo prints it] help us select the proper toolset for further investigation.
Systeminfo
The animation above shows the systeminfo command in use. It returns several useful pieces of information that help the analyst plan the rest of the investigation.
We can filter out specific fields with findstr. For instance, to get only the OS name and version (/B anchors the match at the start of the line, /C: matches the literal string):
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
WMIC
WMIC makes it easy to pull a specific property. Type wmic os get /? to list the available properties of the operating-system class:
Note that Microsoft has deprecated WMIC in favour of the PowerShell CIM cmdlets (Get-CimInstance), and on the newest Windows 11 releases it is an optional feature that may not be installed, so have the PowerShell equivalents ready.
In case we want to check the hostname, we can use the command below:
wmic os get csname
We can combine several values with comma as a separator as follows:
wmic os get csname, WindowsDirectory
PowerShell
The PowerShell equivalent is Get-ComputerInfo, which returns the same kind of data as one object; -Property narrows it to the fields of interest (for example CsName for the hostname and OsWindowsDirectory for the Windows directory):
powershell Get-ComputerInfo
Get-ComputerInfo -Property OsWindowsDirectory
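As an added example (not code from the original post), the function below gathers the facts that winver, systeminfo and wmic os get show, as a single object that can be exported with the rest of the live-analysis output. It uses the CIM cmdlets rather than WMIC and reads only standard classes and registry values; the output directory is the one assumption and should point at your collection media, not the suspect disk.

```powershell
# Added example, not part of the original post: one object with the general
# system facts an investigator records first. Uses Get-CimInstance (WMIC is
# deprecated) plus the CurrentVersion registry key for the release and UBR.

function Get-LiveSystemSummary {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # DisplayVersion (e.g. "20H2") exists from Windows 10 version 2009 onwards;
    # older builds only carry ReleaseId (e.g. "1909"), so fall back to it.
    $release = if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }

    [pscustomobject]@{
        Hostname       = $os.CSName
        Domain         = $cs.Domain
        PartOfDomain   = $cs.PartOfDomain
        OSName         = $os.Caption
        Release        = $release
        # Version is "10.0.19042"; UBR is the revision set by the last cumulative
        # update, so this is the same "19042.<revision>" that winver prints.
        Build          = "$($os.Version).$($cv.UBR)"
        Architecture   = $os.OSArchitecture
        InstallDate    = $os.InstallDate
        LastBootUpTime = $os.LastBootUpTime
        UptimeHours    = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalHours, 1)
        WindowsDir     = $os.WindowsDirectory
        SystemDir      = $os.SystemDirectory
        BootDevice     = $os.BootDevice
        LoggedOnUser   = $cs.UserName
        CollectedUtc   = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# Usage: show on screen and keep an evidence copy. $OutDir is an assumption;
# set it to your collection media rather than writing to the suspect disk.
$OutDir  = 'E:\collection'
$summary = Get-LiveSystemSummary
$summary | Format-List
if (Test-Path -LiteralPath $OutDir) {
    $summary | Export-Csv -LiteralPath (Join-Path $OutDir "sysinfo_$($summary.Hostname).csv") -NoTypeInformation
}
```

The Build field is worth a second look: the last component (UBR) changes with every cumulative update, which makes it a faster check of patch level than reading through the hotfix list.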
2- Environment variables
Environment variables store information such as search paths for executables, directories for temporary files, and application-specific options. They tell us about the environment that the system's users and processes run in, and they are also something attackers tamper with: a PATH entry that points at a writable directory, or a variable redirected to attacker-controlled content, is a common hijacking trick.
They provide a wide variety of information that can be useful during an investigation. Microsoft's documentation lists the standard (built-in) Windows environment variables. Environment variables are divided into three scopes:
- Machine (or System) scope: apply to the running instance of the system, for every user.
- User scope: belong to a particular user on that system.
- Process scope: the variables of one running process, inherited from its parent. For an interactive logon they start out as the merge of the Machine and User scopes (User values override Machine values of the same name, except Path, where the two are concatenated), plus whatever the parent process added or changed.
Note 1: User environment variables are set for each user individually, while Machine environment variables are set for everyone [Ref].
As shown in the figure above, we can see system and user environment variables from advanced system settings.
SET Command
The same information can be retrieved with the SET command. Keep in mind that SET shows the Process scope of the shell you typed it into: the Machine and User values as they were merged when that shell started, plus whatever its parent added or changed. It does not necessarily match what is persisted in the registry right now, so compare the two.
Windows Registry
The system and user environment variables live in the registry at the following locations and can be displayed with reg query:
System:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
User:
HKEY_CURRENT_USER\Environment
Note 2: the user variables shown in this post belong to the currently logged-in user. The coming posts about user accounts will discuss how to display the variables of other user accounts.
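The comparison described above can be scripted. The following is an added example (not code from the original post): it reads the Machine and User scopes (the two registry keys above) through .NET, compares them with the Process scope of the running shell, and then audits every PATH directory for the conditions that let a planted binary or DLL get picked up. The list of variables that the logon process sets per session is an assumption; extend it if your builds show others.

```powershell
# Added example, not part of the original post. Compares the three environment
# variable scopes and audits PATH directories for hijack conditions.

function Compare-EnvironmentScopes {
    # Set by the logon process or by the shell itself, never persisted in the two
    # registry keys, so they are expected to appear only in Process scope (assumed list).
    $perSession = @('ALLUSERSPROFILE','APPDATA','CLIENTNAME','COMPUTERNAME','HOMEDRIVE','HOMEPATH',
                    'LOCALAPPDATA','LOGONSERVER','ProgramData','PUBLIC','SESSIONNAME','SystemDrive',
                    'SystemRoot','USERDNSDOMAIN','USERDOMAIN','USERDOMAIN_ROAMINGPROFILE','USERNAME',
                    'USERPROFILE','PROMPT')

    # Copy into PowerShell hashtables, whose keys are case-insensitive like the environment itself.
    $machine = @{}; $user = @{}; $process = @{}
    foreach ($e in [Environment]::GetEnvironmentVariables('Machine').GetEnumerator()) { $machine[$e.Key] = $e.Value }
    foreach ($e in [Environment]::GetEnvironmentVariables('User').GetEnumerator())    { $user[$e.Key]    = $e.Value }
    foreach ($e in [Environment]::GetEnvironmentVariables('Process').GetEnumerator()) { $process[$e.Key] = $e.Value }

    foreach ($name in ($process.Keys | Sort-Object)) {
        if ($name -eq 'Path') {
            # Path is the one variable Windows concatenates: machine part first, then user part.
            $expected = @($machine['Path'], $user['Path']) -join ';'
        } elseif ($user.ContainsKey($name))    { $expected = $user[$name] }
        elseif ($machine.ContainsKey($name))   { $expected = $machine[$name] }
        else                                   { $expected = $null }

        if ($null -eq $expected -and $perSession -contains $name) { continue }
        $status = if ($null -eq $expected) { 'ProcessOnly' }
                  elseif ($process[$name].TrimEnd(';') -ne $expected.TrimEnd(';')) { 'DiffersFromRegistry' }
                  else { 'Matches' }

        [pscustomobject]@{ Name = $name; Status = $status; ProcessValue = $process[$name]; RegistryValue = $expected }
    }
}

function Test-PathEntries {
    # Principals whose write access on a PATH directory lets any local user plant a binary.
    $lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    # Rights that allow creating or replacing files, plus the generic GENERIC_WRITE (0x40000000)
    # and GENERIC_ALL (0x10000000) bits some ACEs carry instead of specific rights.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl' -bor 0x40000000 -bor 0x10000000

    foreach ($dir in ($env:Path -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        if (-not [System.IO.Path]::IsPathRooted($dir)) {
            # A relative entry resolves against whatever the current directory is.
            [pscustomobject]@{ Directory = $dir; Finding = 'RelativeEntry'; Principal = $null }; continue
        }
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # Whoever can create this directory owns a slot in the search path.
            [pscustomobject]@{ Directory = $dir; Finding = 'MissingDirectory'; Principal = $null }; continue
        }
        try { $acl = Get-Acl -LiteralPath $dir } catch {
            [pscustomobject]@{ Directory = $dir; Finding = 'AclUnreadable'; Principal = $null }; continue
        }
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -eq 'Allow' -and
                $lowPriv -contains $rule.IdentityReference.Value -and
                (([int]$rule.FileSystemRights) -band $writeMask) -ne 0) {
                [pscustomobject]@{ Directory = $dir; Finding = 'WritableByLowPrivUsers'; Principal = $rule.IdentityReference.Value }
            }
        }
    }
}

# Usage: anything that is not 'Matches' deserves a look, then the PATH audit.
Compare-EnvironmentScopes | Where-Object Status -ne 'Matches' | Format-Table -AutoSize
Test-PathEntries | Format-Table -AutoSize
```

Expect Path itself to show DiffersFromRegistry on most systems, because shells and applications add entries at run time; the point is to read what was added. A ProcessOnly variable with an unfamiliar name, or a missing or world-writable PATH directory, is what you are really after.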
3- Hotfixes
Without a doubt, the list of installed hotfixes is one of the most important pieces of information to collect: compared against the updates released for the installed build, it tells us whether patches are missing and therefore whether the system is exposed to known vulnerabilities.
There are several ways to obtain the installed hotfixes:
Systeminfo: As you may have noticed, systeminfo also prints the installed hotfixes; combine it with findstr to get just that list. Keep in mind that systeminfo, wmic qfe and Get-HotFix all read the same WMI class, Win32_QuickFixEngineering, which since Windows Vista lists only updates installed through Component Based Servicing; Defender definition updates, Store app updates and updates delivered as MSI packages do not appear there.
systeminfo | findstr KB
WMIC: We can obtain the same list with wmic qfe get hotfixid, but let's get more detail:
wmic qfe get Caption,Description,HotFixID,InstalledOn
PowerShell: PowerShell provides investigators with a powerful command interface and scripting capabilities for collecting many artifacts. Get-HotFix (powershell get-hotfix from a cmd prompt) lists the installed hotfixes, and Get-HotFix -Id followed by a KB number checks for a specific one.
Note 1: findstr can be combined with systeminfo or WMIC to look for specific hotfixes as well.
Note 2: This post does not compare the capabilities of Windows commands, WMIC and PowerShell. The aim is to demonstrate different data-collection techniques.
4- Missing Updates
The list of installed hotfixes must be validated to confirm that the latest patches are installed. For that we need the Windows version [winver] and the system type [systeminfo | findstr /B /C:"System Type"]. Winver also shows the full OS build with its revision number; every cumulative update raises that revision, so it is the quickest indicator of which cumulative update is actually installed.
For example, the system above is 64-bit Windows 10, version 20H2, build 19042. Now it is time to check Microsoft's official security update portal.
In the Security Update Guide, a keyword search finds the updates that match our OS version and type.
As depicted in the figure above, we can check each issue's impact and severity and the related CVE details. The Article column links to the knowledge-base article for the update, which gives details of the released hotfix, if any.
Let's check if the hotfix is installed on the system or not:
Yes, it's already there! But wait, what if it were missing?
- Look at the patch policies; rewrite, edit and roll out new ones.
- Formulate a vulnerability-oriented hypothesis to examine the system.
Suppose the missing hotfix corresponds to a specific vulnerability. In that case we look for indicators of compromise (IoCs), indicators of attack (IoAs), or any unwanted activity related to that particular vulnerability.
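The collection in section 3 and the check in section 4 fit in one script. The following is an added example (not code from the original post): it merges installed updates from the two sources a live responder has, Win32_QuickFixEngineering (the class behind systeminfo, wmic qfe and Get-HotFix) and the Windows Update agent's own history through its COM API, which also records the Defender and Store updates that QFE leaves out. The merged list is then checked against the KB numbers the analyst copied from the Security Update Guide, and the full build with its revision (UBR) is reported. The KB numbers in the usage block are placeholders, not real update IDs.

```powershell
# Added example, not part of the original post: installed updates from QFE and
# Windows Update history, a required-KB check, and the full build number.

function Get-InstalledUpdates {
    $qfe = Get-CimInstance -ClassName Win32_QuickFixEngineering | ForEach-Object {
        # InstalledOn comes back as a string on some builds and a DateTime on others.
        $when = if ($_.InstalledOn -is [datetime]) { $_.InstalledOn } else { try { [datetime]$_.InstalledOn } catch { $null } }
        [pscustomobject]@{ KB = $_.HotFixID; Title = $_.Description; Date = $when; Source = 'QFE' }
    }

    $history = @()
    try {
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $total    = $searcher.GetTotalHistoryCount()
        if ($total -gt 0) {
            $history = $searcher.QueryHistory(0, $total) |
                Where-Object { $_.ResultCode -in @(2, 3) } |      # 2 = Succeeded, 3 = SucceededWithErrors
                ForEach-Object {
                    $kb = if ($_.Title -match 'KB\d{6,}') { $Matches[0] } else { $null }
                    [pscustomobject]@{ KB = $kb; Title = $_.Title; Date = $_.Date; Source = 'WUHistory' }
                }
        }
    } catch {
        Write-Warning "Windows Update history not available (service disabled?): $_"
    }

    @($qfe) + @($history)
}

function Test-RequiredHotfixes {
    param(
        [Parameter(Mandatory)][string[]]$RequiredKB,
        [object[]]$Installed = (Get-InstalledUpdates)
    )
    $have = @($Installed | Where-Object KB | ForEach-Object { $_.KB.ToUpper() } | Sort-Object -Unique)
    foreach ($kb in $RequiredKB) {
        $kb = $kb.ToUpper()
        if ($kb -notlike 'KB*') { $kb = "KB$kb" }      # accept bare numbers as well
        [pscustomobject]@{ KB = $kb; Installed = ($have -contains $kb) }
    }
}

function Get-FullBuildNumber {
    # e.g. 10.0.19042.<UBR>; the UBR is raised by every cumulative update, so it
    # identifies the installed cumulative update without a KB lookup.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    "$($cv.CurrentMajorVersionNumber).$($cv.CurrentMinorVersionNumber).$($cv.CurrentBuild).$($cv.UBR)"
}

# Usage. Replace the placeholder KB numbers with the ones the Security Update
# Guide lists for this build and architecture.
$updates = Get-InstalledUpdates
$updates | Sort-Object Date -Descending | Select-Object -First 15 | Format-Table Date, KB, Source, Title -AutoSize
Test-RequiredHotfixes -RequiredKB 'KB0000001', 'KB0000002' -Installed $updates | Format-Table -AutoSize
"Installed build: $(Get-FullBuildNumber)"
```

Keep the Source column in the evidence: an update that appears only in the Windows Update history was installed but is invisible to systeminfo and wmic qfe, which explains many "missing patch" false alarms.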
5- Drivers!
A simple conversation with uncle Google turns up several stories of how a security flaw in an installed driver opened the door for attackers. The news below, for instance!
The image above shows a Windows built-in command and PowerShell being used to retrieve the list of drivers (driverquery and Get-CimInstance Win32_SystemDriver are the usual choices). NirSoft's GUI tool InstalledDriversList retrieves the same list. What to look for: drivers that are unsigned or signed by a publisher you cannot account for, signed drivers with known vulnerabilities that attackers bring along to get kernel-level code execution, and auto-start drivers that are not running.
- Green Icon — The driver is loaded and running in the Windows kernel.
- Yellow Icon — The driver is not running.
- Red Icon — The driver is not running, but it is configured to load automatically when Windows starts.
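The same enumeration, with the checks an investigator wants next to each driver, as an added example (not code from the original post): it lists drivers from Win32_SystemDriver, the class driverquery and InstalledDriversList also read, and records whether the binary is still on disk, who signed it, its SHA-256, and whether an auto-start driver is not running (the red-icon case above). The path normalisation covers the forms Windows stores in PathName; anything it cannot resolve is reported rather than guessed. The export path is an assumption.

```powershell
# Added example, not part of the original post: driver inventory with
# signature, hash and state checks.

function Get-DriverInventory {
    [CmdletBinding()]
    param()

    function Resolve-DriverPath([string]$p) {
        if (-not $p) { return $null }
        $p = $p -replace '^\\\?\?\\', ''                              # \??\C:\...             -> C:\...
        $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"        # \SystemRoot\System32\... -> C:\Windows\System32\...
        $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"   # bare System32\drivers\x.sys
        return $p
    }

    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path   = Resolve-DriverPath $d.PathName
        $exists = [bool]$path -and (Test-Path -LiteralPath $path -PathType Leaf)

        $sig = $null; $hash = $null
        if ($exists) {
            # Get-AuthenticodeSignature also consults the system catalogs, so inbox
            # drivers without an embedded signature still come back as Valid.
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        $flags = @()
        if (-not $path)                                      { $flags += 'NoPath' }
        elseif (-not $exists)                                { $flags += 'FileMissing' }
        elseif ($sig.Status -ne 'Valid')                     { $flags += "Signature:$($sig.Status)" }
        elseif ($signer -notmatch 'O=Microsoft Corporation') { $flags += 'NonMicrosoftSigner' }   # not bad per se, but must be accounted for
        if ($d.StartMode -in @('Boot', 'System', 'Auto') -and $d.State -ne 'Running') { $flags += 'AutoStartNotRunning' }

        [pscustomobject]@{
            Name      = $d.Name
            Display   = $d.DisplayName
            State     = $d.State
            StartMode = $d.StartMode
            Path      = $path
            Signer    = $signer
            SigStatus = if ($sig) { [string]$sig.Status } else { $null }
            SHA256    = $hash
            Flags     = $flags -join ','
        }
    }
}

# Usage: review the flagged drivers on screen, keep the full inventory as
# evidence (the output path is an assumption).
$drivers = Get-DriverInventory
$drivers | Where-Object Flags | Format-Table Name, State, StartMode, Flags, Signer -AutoSize
$drivers | Export-Csv -LiteralPath 'E:\collection\drivers.csv' -NoTypeInformation
```

The SHA256 column is what you compare against a list of known-vulnerable signed drivers; a valid Microsoft or vendor signature says nothing about whether the driver can be abused.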
6- Shadow Copies
Shadow copies are point-in-time snapshots (backups) of a Windows volume and can be used to restore data when required. They preserve the earlier state of the machine's data and files and may help us during an investigation, for example to recover a file that has since been deleted or modified. However, they are not a substitute for a forensic image of the hard disk: a shadow copy reflects the volume only as it was at the moment of the snapshot, and it lives on the same disk, so it can be deleted by an attacker or lost as the OS reclaims its storage.
Besides, not all machines being investigated will have shadow copies or System Restore enabled. Thus, we should check whether any shadow copy exists on the target machine.
The image below shows WMIC and vssadmin listing the available shadow copies on a system; run both from an elevated prompt.
wmic path Win32_ShadowCopy get DeviceObject, InstallDate
vssadmin list shadows
Nirsoft provides a GUI-based tool called ShadowCopyView to view the available shadow copies in a system.
Note 1: having shadow copies does not guarantee a successful or complete recovery. It depends on the type of shadow copy, when it was created, and how much of the shadow storage area the OS has since reclaimed. Note as well that ransomware and other intruders routinely delete shadow copies (vssadmin delete shadows, wmic shadowcopy delete) to prevent recovery, so the absence of shadow copies on a machine that should have them is itself worth recording.
Note 2: Based on the golden rule of digital forensics, we collect as much data as is available; may the force be with us later in the in-depth analysis.
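Listing shadow copies is only the first step; the payoff is reading from one. As an added example (not code from the original post), the script below lists the shadow copies with the drive letter they belong to (Win32_ShadowCopy only gives the volume GUID path, so it is joined to Win32_Volume) and then reads a file from one without restoring anything: a directory symbolic link to the snapshot's device object exposes it as an ordinary folder. Run it from an elevated prompt, as with vssadmin. The link location and the file compared are assumptions.

```powershell
# Added example, not part of the original post: shadow copy inventory and
# read-only access to a snapshot through a directory symlink.

function Get-ShadowCopyInventory {
    $letters = @{}
    foreach ($v in Get-CimInstance -ClassName Win32_Volume) { $letters[$v.DeviceID] = $v.DriveLetter }
    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{
            ID               = $_.ID
            Created          = $_.InstallDate
            Volume           = $letters[$_.VolumeName]   # $null when the volume has no drive letter
            DeviceObject     = $_.DeviceObject           # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            Persistent       = $_.Persistent
            ClientAccessible = $_.ClientAccessible       # true for the "Previous Versions" style copies
        }
    }
}

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory)][string]$DeviceObject,
        # Link location is an assumption; use your collection media if policy requires it.
        [string]$LinkPath = (Join-Path $env:TEMP ('vss_' + (Get-Date -Format 'yyyyMMddHHmmss')))
    )
    if (Test-Path -LiteralPath $LinkPath) { throw "$LinkPath already exists" }
    # The trailing backslash on the target is required; without it the link
    # points at the device itself rather than its root directory.
    & cmd.exe /c mklink /d "$LinkPath" "$DeviceObject\" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mklink failed with exit code $LASTEXITCODE (not elevated?)" }
    $LinkPath
}

function Dismount-ShadowCopy {
    param([Parameter(Mandatory)][string]$LinkPath)
    # rmdir on a directory symlink removes the link only, never the snapshot contents.
    & cmd.exe /c rmdir "$LinkPath" | Out-Null
}

# Usage: list the copies, then compare the live hosts file with its copy in the
# oldest snapshot of the system drive (the file is an example; pick what your
# hypothesis needs).
$copies = Get-ShadowCopyInventory | Sort-Object Created
if (-not $copies) {
    Write-Warning 'No shadow copies present. Record it: ransomware routinely deletes them before encrypting.'
} else {
    $copies | Format-Table Created, Volume, Persistent, DeviceObject -AutoSize
    $oldest = $copies | Where-Object Volume -eq $env:SystemDrive | Select-Object -First 1
    if ($oldest) {
        $link = Mount-ShadowCopy -DeviceObject $oldest.DeviceObject
        try {
            $rel  = 'Windows\System32\drivers\etc\hosts'
            $live = Get-FileHash -LiteralPath (Join-Path $env:SystemDrive $rel)
            $snap = Get-FileHash -LiteralPath (Join-Path $link $rel)
            if ($live.Hash -ne $snap.Hash) { "hosts has changed since $($oldest.Created)" }
            else                            { "hosts unchanged since $($oldest.Created)" }
        } finally {
            Dismount-ShadowCopy -LinkPath $link
        }
    }
}
```

Mounting a snapshot this way does not alter it, but the link itself is a change to the live system, so note its creation and removal in your log like any other action taken on the machine.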
Stay tuned…!