Note: I translated Japanese into English using Google Translate. Thank you, Google. There is a great article called “Windows Server Data Deduplication and Forensic Analysis”. If you are interested in the Deduplication feature, I recommend that …
"Microsoft-Windows-TerminalServices-RDPClient/Operational" may record information to help you track Lateral Movement. Destination computer name / IP addre…
Windows Defender Remote Credential Guard is available for Windows 10 and Windows Server 2016. Is there any way to check if Remote Credential Guard was used wi…
Change the ACL of the object on AD and check ADTimeline. Use AD ACL Scanner as a tool to check the ACL of AD objects. AD Timeline-FIRST TC Page 22 has an entr…
If NLA (Network Level Authentication) is enabled for RDP connection, event ID 4624 logon type 3 will be recorded in the security log. Is there a way to determ…
Summary: Windows 10: ID 1149 is recorded when Alice's account is successfully logged on via RDP. Windows 10: If you specify the RestrictedAdmin option, the u…
Summary: Check when the ID 4648 occurs. Runas, Overpass-the-Hash, NET USE, Task Scheduler (schtasks), PsExec, WMIC, PowerShell, Remote Desktop (mstsc) If authenticati…
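The RDP artifacts mentioned in the posts above (RDPClient/Operational on the source, 1149 and Security 4624/4648 on the destination) can be pulled into one timeline. The following is an added example written for this page, not code from the original posts. The log names and event IDs are real; the column layout, the -ComputerName and -Since parameters, and the choice of which field to show as "Peer" are my own assumptions. Run it elevated on both the source and the destination host and merge the output.

```powershell
# Added example (not code from the original posts): collect the RDP-related
# events discussed above into one UTC-sorted timeline so source-side and
# destination-side artifacts can be correlated. Log names and event IDs are
# real; the field selection and layout are my own. Run elevated.
# -ComputerName / -Since are convenience parameters assumed for this example.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [datetime]$Since = (Get-Date).AddDays(-7)
)

$queries = @(
    # Source host: the RDP client logs the target name (1024) and the IP
    # address it actually connected to (1102).
    @{ LogName = 'Microsoft-Windows-TerminalServices-RDPClient/Operational'; Id = 1024, 1102 },
    # Destination host: 1149 = RDP network connection (NLA stage) succeeded;
    # it appears before the interactive logon itself.
    @{ LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; Id = 1149 },
    # Destination host: 4624 logon type 10 (RemoteInteractive), type 3 (Network,
    # the NLA pre-authentication) or type 7 (unlock/reconnect); 4648 when
    # explicit credentials were used (mstsc with saved credentials or
    # /restrictedadmin, runas, schtasks, PsExec, wmic, ...).
    @{ LogName = 'Security'; Id = 4624, 4648 }
)

function Get-EventFields {
    # Flatten EventData/Data (Security log) and UserData/*/* (TerminalServices
    # logs) into one hashtable so the different schemas can share columns.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $x = [xml]$Record.ToXml()
    $fields = @{}
    foreach ($d in $x.Event.EventData.Data) {
        if ($d.Name) { $fields[$d.Name] = $d.'#text' }
    }
    foreach ($node in $x.Event.UserData.ChildNodes) {
        foreach ($c in $node.ChildNodes) { $fields[$c.LocalName] = $c.InnerText }
    }
    return $fields
}

$rows = foreach ($q in $queries) {
    $q['StartTime'] = $Since
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $q -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $f = Get-EventFields $e
        # Drop the 4624 logon types an RDP session never produces (service, batch, ...).
        if ($e.Id -eq 4624 -and $f['LogonType'] -notin @('3', '7', '10')) { continue }
        $account = if ($f['TargetUserName']) { "$($f['TargetDomainName'])\$($f['TargetUserName'])" } elseif ($f['Param1']) { "$($f['Param2'])\$($f['Param1'])" } else { '' }
        # The "other side" of the connection lives in a different field per schema.
        $peer = switch ($e.Id) {
            4624    { $f['IpAddress'] }            # source address of the logon
            4648    { $f['TargetServerName'] }     # server the credentials were used for
            1149    { $f['Param3'] }               # source network address
            default { (($f.Values | Where-Object { $_ }) -join ' ') }   # RDPClient events: all fields
        }
        [pscustomobject]@{
            Time      = $e.TimeCreated.ToUniversalTime().ToString('u')
            Host      = $e.MachineName
            Log       = $e.LogName.Split('/')[0].Split('-')[-1]
            Id        = $e.Id
            LogonType = $f['LogonType']
            Account   = $account
            Peer      = $peer
        }
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize
```

Reading the result: a 1024/1102 pair on host A followed within seconds by 1149, a 4624 type 3 and a 4624 type 10 for the same account on host B is the normal NLA RDP sequence; a 4648 on host A at the same moment means the credentials were supplied explicitly rather than with the interactive session's own token.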
Summary: Grant the access right of "AdminSDHolder" to the Bob account, using DCshadow. The nTSecurityDescriptor of "AdminSDHolder" is recorded in the ADTimeline. …
Summary: Delete the Bob account. I can check the change of isDeleted on the ADTimeline. Activate the AD recycle bin and delete the Bob account. The changing …
Summary: I added the Bob account to the "Domain Admins" group and deleted it from the group. You can check this operation with ADTimeline. Run DCsync with Al…
Summary: I created an Alice account, added it to the Domain Admins group, and confirmed it on the timeline. Next, I created a Bob account and logged on to th…
Summary: I added PC 1 to the example domain, but I could not find it on the ADTimeline timeline. I created an Alice account and added it to the Domain Admins gro…
Summary: I got some comments on Twitter about the previous contents. So I did a simple test using DCshadow. Updates of SIDHistory etc. are explained in detai…
Summary: Active Directory accounts have "When-Created" and "When-Changed" attributes. I am checking when those attributes are updated. However, I just starte…
Summary: Did you read "Daily Blog #602: Solution Saturday 1/19/19"? I read it and tested it on an RDP connection. I ran the program via RDP and looked up the …
Summary: "Last Run Time" is displayed in the GUI of Task Scheduler; this value is saved in the registry. Several timestamps are stored in the "DynamicInfo" v…
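The DynamicInfo value lives under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}. The decoder below is an added example for this page, not code from the original post. The field layout it assumes comes from public DFIR research rather than from Microsoft documentation: a DWORD version at 0x00, a FILETIME registration (creation) time at 0x04, the FILETIME last run time at 0x0C (the value the Task Scheduler GUI shows as "Last Run Time"), a DWORD last result code at 0x14 and, on newer builds where the value is longer, a FILETIME last successful completion at 0x18. The sample bytes are constructed, and the task path is made up; verify the layout against values from your own system.

```powershell
# Added example (not code from the original post): decode the DynamicInfo value
# under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}.
# Layout is ASSUMED from public DFIR research: 0x00 DWORD version, 0x04 FILETIME
# registration time, 0x0C FILETIME last run time, 0x14 DWORD last result, and
# (when the value is long enough) 0x18 FILETIME last successful completion.
function ConvertFrom-DynamicInfo {
    param([byte[]]$Bytes, [string]$TaskPath = '')
    function ft([int]$off) {
        # FILETIME 0 means "never"; otherwise convert to a UTC DateTime.
        $v = [BitConverter]::ToInt64($Bytes, $off)
        if ($v -eq 0) { $null } else { [DateTime]::FromFileTimeUtc($v) }
    }
    if ($Bytes.Length -lt 24) { throw "DynamicInfo too short ($($Bytes.Length) bytes)" }
    [pscustomobject]@{
        Task           = $TaskPath
        Version        = [BitConverter]::ToInt32($Bytes, 0)
        RegisteredUtc  = ft 4
        LastRunUtc     = ft 12
        LastResult     = ('0x{0:X8}' -f [BitConverter]::ToUInt32($Bytes, 20))
        LastSuccessUtc = if ($Bytes.Length -ge 32) { ft 24 } else { $null }
    }
}

# Constructed sample (not from a real system): version 3, registered 2019-01-19
# 10:00 UTC, last run 2019-01-20 03:15 UTC, result 0, last success = last run.
$lastRun = ([datetime]'2019-01-20T03:15:00Z').ToUniversalTime().ToFileTimeUtc()
$sample = [byte[]](
    [BitConverter]::GetBytes([int]3) +
    [BitConverter]::GetBytes(([datetime]'2019-01-19T10:00:00Z').ToUniversalTime().ToFileTimeUtc()) +
    [BitConverter]::GetBytes($lastRun) +
    [BitConverter]::GetBytes([uint32]0) +
    [BitConverter]::GetBytes($lastRun) +
    [BitConverter]::GetBytes([int]0)
)
ConvertFrom-DynamicInfo -Bytes $sample -TaskPath '\Sample\Task (constructed)'

# Live system: walk every cached task (reading TaskCache needs admin).
$root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if ($p.DynamicInfo) { ConvertFrom-DynamicInfo -Bytes $p.DynamicInfo -TaskPath $p.Path }
} | Sort-Object LastRunUtc -Descending | Format-Table -AutoSize
```

Comparing LastRunUtc from the registry with the Task Scheduler GUI (which shows local time) is a quick way to confirm the offset interpretation on the machine you are examining.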
Summary: I tested the Recycle Bin delete option of the Storage Sense feature. Files in the Recycle Bin are deleted by the task SilentCleanup??. Sample JPEG file in R…
Summary: I confirmed that the latest Last Access Time is written to disk by accessing the file after 1 hour has elapsed. After one hour elapsed, when shuttin…
Summary: I used FTK Imager and Autopsy as tools to check Last Access Time on an NTFS volume. However, adding Local Drive did not produce the expected results. (…
Summary: NTFS's Last Access Time resolution is one hour. (I started the test on Win 10 ver 1803.) The "fsutil file layout" command and PowerShell display the l…
I confirmed DisableLastAccess in the verification environment. The size of C: is 40 GB. The value of DisableLastAccess was "2" and "Disabled"... "Disabled"??? I c…
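For the Last Access Time tests in the posts above, the setting and the timestamp behaviour can be checked from one script. This is an added example for this page, not code from the original posts. The meaning of the four DisableLastAccess values is documented for fsutil: 0 = user managed, updates enabled; 1 = user managed, updates disabled; 2 = system managed, updates enabled; 3 = system managed, updates disabled (system managed means Windows 10 1803 and later picks the state from the volume size). The test file path and the five-second wait are assumptions.

```powershell
# Added example (not code from the original posts): show the DisableLastAccess
# setting and watch how LastAccessTime of a test file behaves. fsutil values:
# 0 = user managed, enabled; 1 = user managed, disabled; 2 = system managed,
# enabled; 3 = system managed, disabled. Run elevated (fsutil file layout).
$testFile = Join-Path $env:TEMP 'lastaccess-test.txt'   # assumed path

$setting = (fsutil behavior query DisableLastAccess) -join ' '

Set-Content -Path $testFile -Value 'sample'
$atCreation = (Get-Item $testFile).LastAccessTimeUtc
Start-Sleep -Seconds 5
Get-Content $testFile | Out-Null                       # a read that counts as an access
$afterRead = (Get-Item $testFile).LastAccessTimeUtc

# With the one-hour resolution these two values are normally identical: NTFS
# only records a new LastAccessTime when the stored one is more than an hour old.
[pscustomobject]@{
    Setting    = $setting
    AtCreation = $atCreation
    AfterRead  = $afterRead
    Updated    = ($afterRead -ne $atCreation)
}

# The on-disk $STANDARD_INFORMATION value (what an image would contain) can lag
# behind the in-memory one until the update is flushed; compare it here.
fsutil file layout $testFile | Select-String 'LastAccessTime'
```

To see the update actually happen, run the second read more than an hour after the first, as the post above does, and compare the fsutil file layout line before and after the handle is closed.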
Delete the registry key and check the timestamp. Create sample registry keys and values under SYSTEM. Last write timestamp: 2018-12-09 05:33:00 (UTC) Delete th…
This is the continuation of the Amcache test. I connected a USB memory stick and created an LNK file. Each LNK file targets the CLI and the GUI program that exist o…
Have you seen the Amcache season of Forensic Lunch Test Kitchen? Unfortunately, I have not seen everything yet. I am planning to enjoy them at the weekend. a…
The File ID of ReFS looks different from NTFS. Using the USN Journal, confirm the ReFS File ID. I enabled the USN Journal on the ReFS volume used for testing. Cr…
I got the ReFS volume of Win10 1803 as an E01 image. You can download it from the following URL. (That is the volume I tested last time.) Win10_1083_Refs.E01htt…
A little while ago I learned that ReFS supports the USN Journal. How do I check the USN Journal on ReFS? Format the E: drive with ReFS. Start the administrator c…
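The ReFS File ID and USN Journal checks from the two posts above fit in one elevated session. This is an added example for this page, not the author's own commands. E: as the ReFS volume, the test file name and the journal sizes are assumptions. The fsutil usn readjournal minver=/maxver= options select which USN record versions are printed; V3 records carry the 128-bit file reference numbers ReFS uses, where NTFS V2 records have 64-bit ones, so the range is passed explicitly here.

```powershell
# Added example (not code from the original posts): enable the USN journal on a
# ReFS volume, create a file, and read back its file ID and journal records.
# E:, the file name and the journal sizes are assumptions. Run elevated.
$vol  = 'E:'
$file = "$vol\usn-test.txt"

# Journal of 32 MiB with a 4 MiB allocation delta (arbitrary sizes).
fsutil usn createjournal m=33554432 a=4194304 $vol
fsutil usn queryjournal $vol

New-Item -Path $file -ItemType File -Value 'hello' | Out-Null
# ReFS prints a 128-bit ID here; on NTFS this is the 64-bit MFT reference.
fsutil file queryfileid $file

# Show the records for the new file (create, data extend, close) with context.
fsutil usn readjournal $vol minver=2 maxver=3 | Select-String -Pattern 'usn-test.txt' -Context 8, 4
```

The file reference number printed in the journal records should match the value from fsutil file queryfileid; that is the cross-check the post above performs.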
When the audit setting "Audit PNP Activity" is enabled on Windows 10, event ID 6416 is recorded. Auditing is not enabled for this item by default. Let's check th…
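Enabling the subcategory and reading the 6416 events back can be done as follows. This is an added example for this page, not code from the original post. The auditpol subcategory name and the 6416 EventData fields (SubjectUserName, DeviceId, DeviceDescription, ClassName, LocationInformation) are the real ones; the column layout is my own. Run elevated.

```powershell
# Added example (not code from the original post): enable the Plug and Play
# audit subcategory and list the 6416 events it produces. Run elevated.
auditpol /set /subcategory:"Plug and Play Events" /success:enable /failure:enable
auditpol /get /subcategory:"Plug and Play Events"

# Connect a device, then list what was recorded. DeviceId has the form
# USB\VID_xxxx&PID_xxxx\<serial> for USB devices, which is what usually
# matters when tracking removable media.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $f = @{}
        foreach ($d in $x.Event.EventData.Data) { if ($d.Name) { $f[$d.Name] = $d.'#text' } }
        [pscustomobject]@{
            TimeUtc  = $_.TimeCreated.ToUniversalTime()
            User     = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
            Class    = $f['ClassName']
            Device   = $f['DeviceDescription']
            DeviceId = $f['DeviceId']
            Location = $f['LocationInformation']
        }
    } |
    Sort-Object TimeUtc | Format-Table -AutoSize
```

Filter on DeviceId -like 'USB*' or Class -eq 'DiskDrive' to narrow the list to removable storage.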
Last week I enjoyed File System Tunneling. Unfortunately, I could not reproduce File System Tunneling with the NTFS E: drive. This time I use the C: drive for te…
iria_piyo has published some interesting verifications on File System Tunneling in the blog. I read those blogs and I wanted to see how the USN Journal was r…