DNS investigation on Windows

Recently, a friend of mine asked for my help in an investigation. In his SIEM system, he saw that a machine had generated some DNS sinkhole events, but he couldn’t find the DNS name originally requested by the host. The events were generated because the machine tried to resolve a DNS hostname that was marked as malicious on the DNS server. Unfortunately, due to the huge number of DNS requests in a network, this company did not store the DNS events in the SIEM.

NTFS Timestamp changes on Windows 10

During my File System Tunneling-related investigation, I tested NTFS timestamp changes for different operations on Windows 10. I used SANS’s DFPS_FOR500_v4.9_4-19 and Cyberforensicator’s timestamp posters for comparison. I found out that my results were different from theirs. In my tests, some of the operations produced different timestamp changes and inheritance than the previously mentioned posters show. These timestamp rules can change in every Windows version, so it is worth checking them from time to time.

File System Tunneling in Windows

File System Tunneling is a really old feature of Windows. It has already been discussed in many security and Windows administration blogs and books. However, it is still somewhat obscure to many examiners because its forensic implications are limited. The simplest way to test and observe it in action is to delete a file and then create a new one with the same name in the same path. The new file is going to inherit the creation timestamp of the original file.