Digital Forensics Professional, Trainer

Digital Forensics Tips&Tricks: «Your Phone» app Forensics

Recently I received the announcement of Windows 10 Insider Preview Build 18999, which included an update for the «Your Phone» app, and my first thought was: is there something useful for digital forensics?

So I immediately installed this app on my test workstation and connected it to my Android phone. At the same time I was watching all system activity with Process Monitor to understand where the Your Phone app stores its files.

Digital Forensics Tips&Tricks: Telegram IM-based RAT — Part II

Hello again, guys!

After I published my article about the Telegram IM-based RAT, I received some messages with one common question: what additional evidence can be found if a workstation has been infected with a Telegram IM-based RAT?

OK, I thought, let's continue this investigation, especially since the theme has attracted such interest.

Digital Forensics Tips&Tricks: Telegram IM-based RAT — Part I

Did you know that Telegram IM is becoming more and more popular as a toolkit for various illegal doings?
There are a lot of hidden channels and bots with various illegal and pirated content. I can suggest an article where some of these points are described in depth.

But my point of interest is the use of Telegram as a Remote Access Toolkit (RAT).

Digital Forensics Tips&Tricks: How to Find an Intruder's Lucky Coin

As you know, some people throw coins into a fountain or the sea for luck, or so that they come back to this place later.

So, cyber attackers do the same thing: they often hide small malware agents in the IT infrastructure to keep the possibility of coming back again.

Digital Forensics Tips&Tricks: How to Connect an Encase Image to the Virtual Machine

I pretty often meet the question: how to attach an Encase image (.e01) to a virtual machine as the primary bootable disk? Sometimes digital forensics experts need to boot up the image of the machine under investigation. It's not so hard actually, but this task has its pitfalls, which must be taken into account.

For this case I'll use VMware Workstation for Windows and VirtualBox for Linux as the virtualization platforms.

Windows Part

1. Open FTK Imager and mount the .e01 image as a physical (only) device in Writable mode

Digital Forensics Tips&Tricks: How to Detect Intruder-driven Group Policy Changes

First of all, let's remember the standard group policy precedence: Local, Site, Domain, Organizational Unit (LSDOU), from the least specific level to the most specific. It means that Local GPO settings apply first, then Site-level, Domain-level, etc., and the last applied (OU GPO) settings have the highest precedence on the resulting system. However, if a domain administrator didn't configure some settings in the higher-level GPOs (e.g. Enable/Disable Windows Defender service) but the same settings have been configured in the Local GPO, the latter will apply. Yes, even if the machine is a domain member.

The Local GPO files are located in the hidden folder %systemroot%\System32\GroupPolicy and, of course, it has two scopes (located in subfolders): for User and for Computer. Any user (here I mean a «bad guy», of course) having access to these folders can copy the Registry.pol file and check/change the Local GPO settings. An intruder can use a third-party application, such as RegPol Viewer.

Digital Forensics Tips&Tricks: How to Find Active VPN Connection in the Memory Dump

Sometimes you can meet a case where a cyber-attacker uses a VPN to establish a reliable channel between the C2 server and the infected IT infrastructure. And, as Threat Intelligence experts say, attackers often use native Windows VPN connection tools and Windows .pbk (phonebook) files. Let's find out how we can detect it using a memory dump.

What is a .pbk file and what does it look like inside? It's just a text file with a lot of different parameters used when a VPN connection is being established.

Digital Forensics Tips&Tricks: Enhanced Command-line Auditing

Let's imagine a situation where a cyber-attacker executes some commands remotely on the infected workstation using the command line interface (cmd.exe) or a special USB device like Teensy or Rubber Ducky.

How can we see these commands during the digital forensics process?

Digital Forensics Tips&Tricks: Local User Accounts Membership

During the digital forensics analysis process, you may need to find out the membership of local (non-domain) user accounts in built-in groups. For example, when you are checking some objects' ACLs which contain permissions only for local security groups.

I've tested several system registry analyzers but didn't find a single tool with such a function. BTW, if you know of such an app, please write its name in the comments.

So, I tried to understand how to check a user account's membership manually, and here is the solution. All you need is any hex editor and patience, of course :)

Information

Location: Moscow, Moscow and Moscow Region, Russia
Specialization: Security engineer, digital forensics expert
Forensics
Information security
Data protection
Network security