Investigation Scenario 🔎

An attacker remotely wiped an executive’s laptop at some point after accessing it.

What do you look for to investigate how the attacker accessed the system and their actions while in control of it?

Your only evidence source is a backup of the Windows registry taken just before the attacker wiped the system.

#InvestigationPath #DFIR #SOC

This exercise is intentionally a bit limited, to help you do two things:

1. Consider what you know about the forensic value of the registry.

2. Think through the limitations of your conclusions based on the evidence available.

The registry contains a lot of helpful information that can give you a sense of what's going on here. Lots of great replies with ideas: the affected account, access mechanisms, recently accessed files, and so on.

You can build a pretty good idea of some of the activity leading up to the system being wiped, but you won’t be able to complete the full story of the attack timeline with registry data alone.

Further, many of the artifacts you will identify aren’t things you’d be able to validate with other evidence sources, which puts you in a tricky spot when drawing conclusions. You have to weigh that in your response decision-making.

Remember that it’s possible that the attacker has also accessed other systems on the network. Lots of prevalence searches on the interesting artifacts you find in the registry evidence across other hosts will be warranted.

What evidence source do you rely on most? If you have to examine that source in a vacuum, what limitations does it impose on the conclusions you can draw?

That’s something to think about… 🚀 #InvPath #DFIR #SOC

My response of the week goes to Harsh (on LinkedIn) for identifying several relevant registry artifacts that could be valuable in this scenario. He'll get a free month access to my Analyst Skills Vault.

https://www.linkedin.com/feed/update/urn:li:activity:7173318068335546368?commentUrn=urn%3Ali%3Acomment%3A(activity%3A7173318068335546368%2C7173327070905806848)&dashCommentUrn=urn%3Ali%3Afsd_comment%3A(7173327070905806848%2Curn%3Ali%3Aactivity%3A7173318068335546368).

Chris Sanders on LinkedIn: #investigationpath #dfir #soc


@chrissanders88 thinking primarily the ShellBags and UserAssist registry keys, AppCompatCache, and there might be a creation date of a new account registry key. If the Amcache hive is included, that as well can be part of the execution timeline of programs that might have wiped the drive. To be honest though, I would run RegRipper against what we have and go from there rather than a piecemeal approach. Then review findings of interest manually and build a timeline.
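The post above asks what the registry can tell you about the attacker's actions, and the reply names UserAssist as one of the keys to check. As an added example (not part of this thread, and not code from Chris Sanders or the commenter), the script below parses the documented 72-byte Windows 7+ UserAssist record format from an exported `...\UserAssist\{GUID}\Count` key, decodes the ROT13 value names, expands a few known-folder GUIDs, and builds a newest-first execution timeline. The registry values, the user name, the program paths and the pivot time (the first suspicious access, assumed to come from another registry artifact such as a new account's creation) are all constructed inline; no real hive is read.

```python
"""Build a program-execution timeline from UserAssist values (constructed sample data)."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count
GUID_EXE = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"   # program executions
GUID_LNK = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"   # shortcut (.lnk) launches

# Known-folder GUIDs that Explorer substitutes into the (ROT13-encoded) value names.
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": r"C:\Program Files",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": r"C:\Program Files (x86)",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": r"C:\Windows",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RECORD_SIZE = 72  # Windows 7+ UserAssist value layout


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01) to UTC; 0 means 'never run'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def decode_name(rot13_name):
    """Value names are ROT13-obfuscated; expand known-folder GUIDs after decoding."""
    name = codecs.decode(rot13_name, "rot_13")
    for guid, path in KNOWN_FOLDERS.items():
        name = name.replace(guid, path)
    return name


def parse_record(data):
    """Unpack one 72-byte UserAssist value: counters at offset 0, last-run FILETIME at offset 60."""
    if len(data) != RECORD_SIZE:
        raise ValueError(f"expected {RECORD_SIZE}-byte record, got {len(data)}")
    session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "session": session,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_run": filetime_to_datetime(last_run_ft),
    }


def build_timeline(count_key):
    """count_key: {rot13_value_name: raw_bytes} as exported from a Count key.
    Returns entries newest-first; entries with no last-run time go last."""
    entries = []
    for raw_name, data in count_key.items():
        program = decode_name(raw_name)
        if program.startswith("UEME_"):      # session bookkeeping value, not a program
            continue
        rec = parse_record(data)
        rec["program"] = program
        entries.append(rec)
    entries.sort(key=lambda r: (r["last_run"] is None,
                                -(r["last_run"].timestamp() if r["last_run"] else 0)))
    return entries


def programs_run_after(entries, pivot):
    """Programs whose last execution is at or after the pivot time (newest first)."""
    return [e["program"] for e in entries
            if e["last_run"] is not None and e["last_run"] >= pivot]


# ---- constructed sample data (not from a real hive) -------------------------
def _record(run_count, last_run, session=1, focus_count=0, focus_ms=0):
    return (struct.pack("<4I", session, run_count, focus_count, focus_ms)
            + b"\x00" * 40                                   # ten float slots, unused here
            + b"\x00" * 4
            + struct.pack("<Q", datetime_to_filetime(last_run) if last_run else 0)
            + b"\x00" * 4)


def _enc(name):
    return codecs.encode(name, "rot_13")


_utc = timezone.utc
SAMPLE_COUNT_KEY = {
    _enc("UEME_CTLSESSION"): b"\x00" * 8,
    _enc("{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\explorer.exe"):
        _record(412, datetime(2024, 3, 1, 9, 12, tzinfo=_utc)),
    _enc("{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Microsoft Office\\WINWORD.EXE"):
        _record(88, datetime(2024, 3, 1, 10, 5, tzinfo=_utc)),
    _enc(r"C:\Users\exec\AppData\Local\Temp\svc-helper.exe"):
        _record(1, datetime(2024, 3, 1, 22, 41, tzinfo=_utc)),
    _enc("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe"):
        _record(3, datetime(2024, 3, 1, 22, 43, tzinfo=_utc)),
    _enc(r"C:\Users\exec\Downloads\archive-viewer.exe"): _record(0, None),
}

if __name__ == "__main__":
    pivot = datetime(2024, 3, 1, 22, 30, tzinfo=_utc)   # assumed first suspicious access
    for e in build_timeline(SAMPLE_COUNT_KEY):
        print(f"{e['last_run']}  runs={e['run_count']:<4} {e['program']}")
    print("executed after pivot:", programs_run_after(build_timeline(SAMPLE_COUNT_KEY), pivot))
```

Two caveats that match the post's point about limitations: UserAssist records only the most recent execution time per program (earlier runs are collapsed into the run count), and it is written by Explorer, so programs launched from a remote shell rather than through the GUI may not appear at all. Anything found here is a lead to check for prevalence on other hosts, not a complete record of what ran.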