Post on 21-Mar-2022

10. 1. 2022

1

Volatile information

GOPAS: [email protected] | www.gopas.cz | www.facebook.com/P.S.GOPAS

Ing. Ondřej Ševeček | GOPAS a.s. |

MCM:Directory | MVP:Security | CEH | CHFI | CISA | CISM | CISSP |

[email protected] | www.sevecek.com |

Time

▪ your own time (time.is)

▪ time on the computer

▪ time zone of the computer

gwmi Win32_LocalTime

gwmi Win32_ComputerSystem | select CurrentTimeZone


Networking

ipconfig

• IP address

• fake DHCP server and lease

• fake DNS server IP address

• NICs will disappear in a mounted VM

netstat -ano

• already established connections

• listening software

netsh http show servicestate

arp -a

• ARP poisoning

ipconfig /displaydns

HTTP.SYS (diagram)

kernel: http.sys, listening on :80, :443, :5985, :xxxx

user mode, registered on top of http.sys: WinRM, IIS (w3wp), SQL Reporting Services, Hyper-V Replication, ADFS, SSTP VPN


Logon status

klist

klist -li 3e4 # network service

klist -li 3e7 # system

klist sessions

Disk and volume mappings

▪ volume letters

▪ disk signatures

gwmi Win32_LogicalDisk

gwmi Win32_DiskDrive

gwmi Win32_DiskPartition

gwmi Win32_Volume


Remote access to machines: what to record

▪ when

▪ from where

• forensic clean source computer

• my IP address, my MAC address, ...

▪ DNS name

▪ IP address

▪ MAC

• local VLAN only

▪ authenticated user, logon method

• SSO?

• Kerberos?, LM/NTLM/NTLMv2?

▪ ..., transport encryption, ...

Remote process startup and other access

▪ \\target\Admin$, \\target\C$ + remote registry Autoruns

• TCP 445

• start as the autorun account

• also services, local users and groups

• Remote Registry service not running by default since Windows 7

▪ psexec

• TCP 445

• \\target\Admin$

• custom service registered (PSEXESVC)

• start as System or the calling user or any user with password


Remote process startup and other access

▪ WMI

(gwmi -List Win32_Process -Computer target).Create('process -parameters')
# 0x80000002 = HKEY_LOCAL_MACHINE
([wmiclass] '\\target\root\default:StdRegProv').EnumKey(0x80000002L, 'Software')
([wmiclass] '\\target\root\default:StdRegProv').SetDwordValue(0x80000002L, 'Software', 'SomeVal', 5)

• TCP 135 + DCOM dynamic port, on Domain networks opened by default

• start as the calling user

▪ Enter-PSSession target (PowerShell Remoting = WinRM)

• TCP 5985

• enabled on Windows Server 2012+, must be enabled manually on Windows clients

• start as the calling user

▪ task scheduler

• TCP 135 + DCOM dynamic port, on Domain networks opened by default

• start as System, any user with password or the remote logged-on user

Volatile registry keys

▪ HKCU\Volatile Environment

▪ HKLM\System\CCS\Control\hivelist

• currently loaded registry hives

▪ HKLM\Hardware

▪ HKLM\SYSTEM\CCS\Control\Session Manager\FileRenameOperations

• semi-volatile, gets processed during start


List of volatile shares

gwmi Win32_Share

# C$, Admin$, ...

Stopped or running services and scheduled tasks

gwmi Win32_Service

schtasks /query /fo csv /nh /v


Clipboard

▪ one clipboard per desktop session

▪ several different clipboard formats stored

• text

• formatted RTF

• HTML

• picture

• ...

[Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms')

[Windows.Forms.Clipboard]::GetText()

Processes

▪ parent process ID

▪ executable path

• can be moved even when running

▪ loaded DLLs

▪ opened files

▪ user account and groups (access token)

• logon session

• desktop session

▪ aero/modernUI/immersive/universal windows apps

• sandbox

▪ virtual memory dump

• strings, passwords, addresses, ...

• AES keys

• no kernel memory, but works under limited user


RAM memory dump

▪ process memory dumps

• incomplete if in pagefile or compressed

• inconsistent over time

▪ registry

▪ AES keys

RAM dump vs. virtual memory dump

▪ virtual memory dump

• all process memory

• non-admins

• non-compressed

• including all source code of EXE and DLLs

• consistent

• slower - may require paging from/to pagefile.sys

• more destructive - loads unused EXE and DLL pages from files and may force other processes to page out to swap file

▪ RAM memory dump

• includes kernel memory

• non-destructive against memory contents and pagefile.sys

• most registry contents

• must be administrators

• inconsistent

• compressed memory pages

• not everything if paged out in swap files

• BSOD risks


Text and sequence extractions

▪ strings.exe

▪ WinHex

Sequence extractions in PowerShell

(any logic you need)

$filePath = 'c:\temp\memory.dmp'
$seqnc = [byte[]] @(0x78, 0xF3, 0x0F)             # byte sequence to look for
$binFile = [IO.File]::OpenRead($filePath)
[byte[]] $buffer = New-Object byte[] $seqnc.Length
$poss = 0                                         # current file offset of the window
# read a window of $seqnc.Length bytes at every offset and compare it byte by byte
while ($binFile.Read($buffer, 0, $buffer.Length) -eq $buffer.Length) {
    [bool] $fits = $true
    for ($i = 0; $i -lt $buffer.Length; $i++) {
        $fits = $fits -and ($seqnc[$i] -eq $buffer[$i])
    }
    if ($fits) { Write-Host ('Found at #: 0x{0:X8} | d-{0:D10}' -f $poss) }
    # advance by one byte: rewind all but one byte of the window just read
    $poss++; [void] $binFile.Seek(-($buffer.Length - 1), 'Current')
}
$binFile.Close()


Password and hash extraction from LSASS

mimikatz

sekurlsa::minidump lsass.dmp

sekurlsa::logonpasswords

# since Windows 8.1/2012 no clean passwords by default

# Credential Delegation keeps clean passwords if enabled

# Restricted Users group membership prevents NTLM hash extraction

# Credential Guard (Device Guard) prevents hash/ticket extraction

AES key extraction from memory


How

▪ AES keys are random (high entropy)

• 16 bytes = 128 bit, 24 bytes = 192 bit, 32 bytes = 256 bit

• encryption is not performed with the AES key itself

▪ Key schedule

• the actual block with which the encryption is performed

• computed from the key (expanded key)

• derived by XORing specific 4-byte blocks

• 176 bytes, 208 bytes, 240 bytes

AES key schedule (diagram)

original key (128 bits, 192 bits, 256 bits), processed in 4 B blocks, expands into the key schedule (176 bytes, 208 bytes, 240 bytes)


The search process

▪ Take every 16/24/32-byte window of the dump as a possible key

▪ Compute the key schedule for the possible key

▪ If the schedule is not present in the dump, proceed further

▪ If present, it must be the key
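The search described above, as an added Python example (not the author's code or any tool from the slides): expand_key() implements the FIPS-197 key schedule for all three key sizes and find_aes_keys() slides a 16/24/32-byte window over a memory image, flagging a window only when the schedule expanded from it is found in place. The image, its offsets and the decoy key are constructed inline for the demonstration.

```python
def _make_sbox():
    # AES S-box (FIPS-197 5.1.1): GF(2^8) inverse via log tables, then the affine map
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):
        exp[i], log[x] = x, i
        x ^= (x << 1) ^ (0x11B if x & 0x80 else 0)      # x *= 3, a generator of GF(2^8)*
    sbox = [0] * 256
    for v in range(256):
        s = inv = exp[(255 - log[v]) % 255] if v else 0
        for r in range(1, 5):                            # inv ^ rotl(inv, 1..4) ^ 0x63
            s ^= ((inv << r) | (inv >> (8 - r))) & 0xFF
        sbox[v] = s ^ 0x63
    return sbox
SBOX = _make_sbox()

def expand_key(key):
    # FIPS-197 key schedule: 16/24/32-byte key -> 176/208/240-byte expanded key
    nk = len(key) // 4
    w = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    rcon = 1
    for i in range(nk, 4 * (nk + 7)):
        t = w[i - 1]
        if i % nk == 0:                                  # RotWord, SubWord, xor Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        elif nk > 6 and i % nk == 4:                     # extra SubWord, AES-256 only
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return bytes(sum(w, []))

def find_aes_keys(memory, key_lengths=(16, 24, 32)):
    # every window is a candidate key; it is a real key iff its own schedule follows it
    hits = []
    for size in key_lengths:
        for off in range(len(memory) - size + 1):
            cand = memory[off:off + size]
            if len(set(cand)) < size // 2:               # skip low-entropy windows (zeros, text)
                continue
            sched = expand_key(cand)
            if memory[off:off + len(sched)] == sched:
                hits.append((off, size, cand.hex()))
    return hits

def build_sample_dump():
    # constructed image: filler, FIPS-197 A.1 test key with its schedule, a decoy key alone
    filler = lambda n: bytes((i * 131 + 17) & 0xFF for i in range(n))
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    decoy = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # no schedule follows it
    return filler(500) + expand_key(key) + filler(300) + decoy + filler(200), key
```

The decoy has the same entropy as a real key but is never reported, because only the window whose expansion actually follows it in memory passes the check.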

BitLocker


Key protectors

▪ password

▪ TPM

▪ TPM + PIN

▪ recovery password 48 digits

• visible to Administrators for unlocked volumes

• possibly backed up to Active Directory or OneDrive

▪ .BEK file

BitLocker decryptors/protectors on partition metadata (diagram)

data: encrypted with a random secret key, the FVEK

FVEK copies stored in the partition metadata:

• FVEK encrypted with TPM

• FVEK encrypted with USB

• FVEK encrypted with password

• FVEK encrypted with PW48 (1048576x rounds to prevent brute-force)


Volume Master Key (VMK) - random AES 256 (diagram)

data: encrypted with the FVEK; the FVEK is encrypted with the VMK

VMK copies stored in the partition metadata:

• VMK encrypted with TPM

• VMK encrypted with USB

• VMK encrypted with password

• VMK encrypted with PW48 (1048576x rounds to prevent brute-force)

Protection disabled = FVEK visibly stored on the volume (diagram)

• the copies encrypted with TPM, USB, password and PW48 stay in place

• plus one copy stored with no encryption


manage-bde -status c:

manage-bde -protectors -get c:

manage-bde -protectors -disable c: -rc 0    # -rc 0: protectors stay disabled, no automatic resume after reboot

Other useful pre-shutdown modifications


Windows Firewall

▪ pass-the-hash into VM

▪ exploits to access the VM

Disable cleaning pagefile on shutdown

▪ HKLM\SYSTEM\CCS\Control\Session Manager\Memory Management

• ClearPageFileAtShutdown = DWORD = 0
