@port139 Blog

基本的にはデジタル・フォレンジックの技術について取り扱っていますが、記載内容には高確率で誤りが含まれる可能性があります。

Windows Server 2019 and Dedupe

Note:I translated Japanese into English using Google Translate.Thank you, Google. There is a great article called “Windows Server Data Dedupliction and Forensic Analysis”.If you are interested in the Dedupliction feature, I recommend that …

Microsoft-Windows-TerminalServices-RDPClient and NLA

Note:I translated Japanese into English using Google Translate.Thank you, Google. "Microsoft-Windows-Terminal Services-RDPClient / Operational" may record information to help you track Lateral Movement. Destination computer name / IP addre…

Windows Defender Remote Credential Guard and RestrictedAdmin mode.

Note:I translated Japanese into English using Google Translate.Thank you, Google. Windows Defender Remote Credential Guard is available for Windows 10 and Windows Server 2016.Is there any way to check if Remote Credential Guard was used wi…

AD ACL and ADTimeline

Note:I translated Japanese into English using Google Translate.Thank you, Google. Change the ACL of the object on AD and check ADTimline. Use AD ACL Scanner as a tool to check the ACL of AD objects. AD Timeline-FIRST TC Page 22 has an entr…

RDP NLA and ID 4624 Logon Type3

Note:I translated Japanese into English using Google Translate.Thank you, Google. If NLA(Network Level Authentication) is enabled for RDP connection, event ID 4624 logon type 3 will be recorded in the security log. Is there a way to determ…

RDP and ID 1149 "Remote Desktop Services: User authentication succeeded:"

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: Windows 10: ID 1149 is recorded when Alice's account is successfully logged on via RDP. Windows 10: If you specify the RestrictedAdmin option, the u…

Windows ID 4648 "A logon was attempted using explicit credentials"

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: Check when the ID 4648 occurs. Runas,Overpass-the-Hash,NET USE,Task Scheduler(schtasks),PsExec,WMIC,PowerShell,Remote Desktop(mstsc) If authenticati…

Active Directory and ADTimeline(5)

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: Grant the access right of "AdminSDHolder" to Bob account, using DCshadow.The nTSecurityDescriptor of "AdminSDHolder" is recorded in the ADTimeline. …

Active Directory and ADTimeline(4)

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: Delete the Bob account. I can check the change of isDeleted on the ADTimeline. Activate the AD recycle bin and delete the Bob account. The changing …

Active Directory and ADTimeline(3)

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: I added the Bob account to the "Domain Admins" group and deleted it from the group. You can check this operation with ADTimeline. Run DCsync with Al…

Active Directory and ADTimeline(2)

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: I created an Alice account, added it to the Domain admins group, and confirmed it on the timeline. Next, I created a Bob account and logged on to th…

Active Directory and ADTimeline(1)

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: I added PC 1 to the example domain, but I could not find it on ADTimeline timeline. I created an Alice account and added it to the Domain Admins gro…

Active Directory and When-Changed (2)

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: I got some comments on Twitter about the previous contents. So I did a simple test using DCshadow. Updates of SIDHistory etc. are explained in detai…

Active Directory When-Created and When-Changed (1)

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: Active Directory accounts have "When-Created" and "When-Changed" attributes. I am checking when those attributes are updated. However, I just starte…

RDP and UserAssist (Win 10)

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: Did you read "Daily Blog # 602: Solution Saturday 1/19/19"?, I read it and tested it on RDP connection. I ran the program via RDP and looked up the …

Task Scheduler Registry key and "Last Run Time"

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: "Last Run Time" is displayed in the GUI of Task Scheduler, this value is saved in the registry. Several timestamps are stored in the "Dynamicinfo" v…

Windows 10 Storage sense and Recycle.bin

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: I tested the Recycle.bin delete option of the Storage sense feature. Files in Recycle.bin are deleted by task SilentCleanup??. Sample JPEG file in R…

NTFS last access time and 1 hour (3)

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: I confirmed that the latest Last Access Time is written to disk by accessing the file after 1 hour has elapsed. After one hour elapsed, when shuttin…

NTFS last access time and 1 hour (2)

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: I used FTK Imager and Autopsy as a tool to check Last Access Time on NTFS volume. However, adding Local Drive did not produce the expected results.(…

NTFS last access time and 1 hour

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: NTFS's Last Access Time resolution is one hour. ( I started the test on Win 10 ver 1803.) "fsutil file layout" command and PowerShell displays the l…

DisableLastAccess and 2 (System Managed, Disabled)

Note:I translated Japanese into English using Google Translate.Thank you, Google. I confirmed DisableLastAccess in verification environment. The size of C: is 40 GB.The value of DisableLastAccess was "2" and "Disabled"...."Disabled"??? I c…

Deleted Registry KEY and Timestamp

Note:I translated Japanese into English using Google Translate.Thank you, Google. Delete the registry key and check the time stamp.Create sample registry keys and values under SYSTEM. Last write timestamp:2018-12-09 05:33:00(UTC) Delete th…

USB and Amcache(2)

Note:I translated Japanese into English using Google Translate.Thank you, Google. This is the continuation of the Amcache test. I connected a USB memory and created an LNK file.Each LNK file targets the CLI and the GUI program that exist o…

USB and Amcache

Note:I translated Japanese into English using Google Translate.Thank you, Google. Have you seen the Amcache season of Forensic Lunch Test Kitchen? Unfortunately, I have not seen everything yet. I am planning to enjoy them at the weekend. a…

ReFS and File ID

Note:I translated Japanese into English using Google Translate.Thank you, Google. The File ID of ReFS looks different from NTFS. Using USN Journal, confirm the ReFS File ID. I enabled the USN Journal on the ReFS volume used for testing. Cr…

Refs and USN Journal(2)

Note:I translated Japanese into English using Google Translate.Thank you, Google. I got the Refs volume of Win10 1803 as E01 image. You can download it from the following URL. (That is the volume I tested last time.) Win10_1083_Refs.E01htt…

Refs and USN Journal

Note:I translated Japanese into English using Google Translate.Thank you, Google. A little while ago I learned that ReFS supports the USN Journal. How do I check the USN Journal on ReFS? Format E: drive with ReFS. Start the administrator c…

Audit PNP Activity and ID 6416

Note:I translated Japanese into English using Google Translate.Thank you, Google. When audit setting "Audit PNP Activity" is enabled on Windows 10, event ID 6416 is recorded. Auditing is not enabled for this item by default. Let's check th…

File System Tunneling and C:\

Note:I translated Japanese into English using Google Translate.Thank you, Google. Last week I enjoyed File System Tunneling.Unfortunately, I could not reproduce File System Tunneling with NTFS 'E: drive. This time I use the C: drive for te…

File System Tunneling and E:\

Note:I translated Japanese into English using Google Translate.Thank you, Google. iria_piyo has published some interesting verifications on File System Tunneling in the blog. I read those blogs and I wanted to see how the USN Journal was r…