Forensic Analysis Preparation of Windows Operating Systems in Incident Response [ PART 1 ]

Background: During incident response, one often encounters situations requiring the acquisition of logs for forensic analysis to assess the impact of an incident. There are three primary methods for acquiring these logs:

  • Preserving logs for forensic and legal purposes: This involves capturing logs to be used in legal contexts or forensic investigations.
  • Preserving logs from running memory: This method focuses on capturing logs directly from the system's volatile memory.
  • Preserving logs for cloud assets: This approach involves collecting logs related to cloud-based resources and services.

Methods and approaches: First, create a clone of the logical drive using OSFClone from a bootable USB. Alternatively, you can use Tsurugi Linux or the SIFT workstation from SANS; both run from a bootable or live USB and can acquire a clone of the hard disk. Then collect data from specific locations on the Windows system using PowerShell. This information may include system logs, user activity, and file changes:

  1. %SystemRoot%\System32\Winevt\Logs\ (Windows event logs)
  2. %SystemRoot%\Prefetch (prefetch files)
  3. %SystemRoot%\system32\SRU\SRUDB.dat (System Resource Usage Monitor database)
  4. Browser history locations
  5. The USN journal, to track all file changes
  6. A script that lists the newest files, i.e. everything created within the time range in which the activity took place
  7. A dump of the registry values
  8. AppData\Roaming\Microsoft\Windows\Recent under every user's profile directory
  9. Each user's temp folder
  10. All directories of the "Public" user profile
  11. %USERPROFILE%\AppData\Local\Microsoft\PowerShell\PSReadline (PowerShell history)
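The collection steps above as one script, added here as an example rather than the article's own code. It assumes an elevated PowerShell on the live host, an external drive at the assumed `$Destination` path, an assumed `$Since` window for the newest-files sweep, and the default history file locations of Chrome, Edge and Firefox.

```powershell
# Added example (not the article's script): copy the listed artifact locations
# into a timestamped evidence folder, save registry hives and the USN journal,
# list files created or modified since $Since, and hash everything collected.
param(
    [string]$Destination = "E:\Evidence",          # assumed external drive
    [datetime]$Since = (Get-Date).AddDays(-7)      # assumed activity window
)
$case = Join-Path $Destination ("collect_{0:yyyyMMdd_HHmmss}" -f (Get-Date))
$null = New-Item -ItemType Directory -Path $case -Force
$log  = Join-Path $case "collection.log"

# Host-wide locations named in the article.
$targets = @("$Env:SystemRoot\System32\Winevt\Logs",
             "$Env:SystemRoot\Prefetch",
             "$Env:SystemRoot\System32\sru\SRUDB.dat",
             "$Env:SystemDrive\Users\Public")
# Per-user locations: Recent, Temp, PSReadLine history (the article's path plus
# the module's default under AppData\Roaming) and common browser history files.
foreach ($u in Get-ChildItem "$Env:SystemDrive\Users" -Directory) {
    $targets += @("AppData\Roaming\Microsoft\Windows\Recent",
                  "AppData\Local\Temp",
                  "AppData\Local\Microsoft\PowerShell\PSReadline",
                  "AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine",
                  "AppData\Local\Google\Chrome\User Data\Default\History",
                  "AppData\Local\Microsoft\Edge\User Data\Default\History",
                  "AppData\Roaming\Mozilla\Firefox\Profiles") |
               ForEach-Object { Join-Path $u.FullName $_ }
}
# Copy what exists. Files held open on a live system (SRUDB.dat, an open
# browser's History) fail to copy; every failure is written to the log.
foreach ($t in $targets | Where-Object { Test-Path $_ }) {
    $dest = Join-Path $case ($t -replace '^[A-Za-z]:\\', '')
    $null = New-Item -ItemType Directory -Path (Split-Path $dest) -Force
    Copy-Item -Path $t -Destination $dest -Recurse -Force `
              -ErrorAction SilentlyContinue -ErrorVariable copyErr
    "COPIED $t" | Add-Content $log
    $copyErr | ForEach-Object { "FAIL   $($_.Exception.Message)" | Add-Content $log }
}
# Registry hives via reg.exe, which can read hives that are locked in use.
foreach ($h in "SYSTEM", "SOFTWARE", "SAM", "SECURITY") {
    reg.exe save "HKLM\$h" (Join-Path $case "$h.hiv") /y | Add-Content $log
}
# USN journal of the system volume, then files created or changed since $Since.
fsutil.exe usn readjournal $Env:SystemDrive csv | Set-Content (Join-Path $case "usn.csv")
Get-ChildItem "$Env:SystemDrive\" -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
    Select-Object FullName, CreationTime, LastWriteTime, Length |
    Export-Csv (Join-Path $case "recent_files.csv") -NoTypeInformation
# SHA-256 manifest of the collection, for integrity and chain of custody.
Get-ChildItem $case -Recurse -File | Get-FileHash -Algorithm SHA256 |
    Export-Csv (Join-Path $case "manifest_sha256.csv") -NoTypeInformation
```

Review collection.log afterwards: artifacts that failed to copy because they were in use are the ones to recover from the disk clone made in the first step.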

Conclusion: This guide covers the initial steps you should take before starting a forensic analysis. In a future article, we’ll explore additional methods that use the data you’ve collected to help you understand the impact of incidents more clearly.