EZ tools
How to process and interpret various artefacts using the EZ tools suite.
To follow along, download and install the EZ tools suite (available here https://ericzimmerman.github.io/#!index.md)
You need to have exported logical files from the E01 image, or you can mount the image using Arsenal Image Mounter (AIM), which we'll cover here.
Download Arsenal Image Mounter (from here) and install it.
Load AIM and select 'Mount disk image'. Select the first E01 segment and select open.
Select 'Disk device, read only' and leave the sector size at its default (512). We don't intend to make changes to the mounted disk, as we only need to read from it. If we were mounting the disk to use as a VM, or wanted to perform some kind of temporary write operation (with writes stored in a separate location rather than committed to the image files themselves), then we'd need to mount with the 'Write temporary' option.
From the initial information provided, we have enough to start processing. We want to target the following artefacts:
Windows Event Logs (RDP was exposed to the internet, so we want to identify any failed/successful authentication attempts, as well as incoming RDP connections)
MFT (were any files dropped by the threat actor? Ransomware executables? Staged archived/zipped files prior to exfil?)
Prefetch (noting this is a Windows Server install, we need to confirm if Prefetch/Superfetch is enabled or if artefacts exist)
Registry hives (NTUSER.dat, AmCache, SYSTEM, SAM, SOFTWARE, etc - we want to identify if any executables were launched, any new scheduled/executed tasks, etc)
The default location for Windows Event Logs is C:\Windows\System32\winevt\Logs
If you run EvtxECmd.exe by itself in an elevated command prompt, you'll see a list of the available options. In this instance, we're just going to process a series of files within a directory and write a single CSV output.
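Once EvtxECmd has written its CSV, the questions from the artefact list above (failed/successful authentication, incoming RDP connections) can be answered directly from that file. The script below is an added example, not the page's own command or part of the EZ tools suite: it assumes the EvtxECmd CSV column names TimeCreated, EventId, Channel, UserName, RemoteHost, MapDescription, PayloadData1 and PayloadData2, and the sample rows embedded in it are constructed for illustration rather than taken from a real case.

```python
"""Triage an EvtxECmd CSV export for authentication and RDP activity.

Added example (not from the page or the EZ tools project). Assumes the
EvtxECmd column names listed in the header row below; the rows themselves
are constructed sample data, not real log output.
"""
import csv
import io
from collections import Counter

# Constructed sample in the shape of EvtxECmd's CSV output (subset of columns).
SAMPLE_CSV = """TimeCreated,EventId,Channel,UserName,RemoteHost,MapDescription,PayloadData1,PayloadData2
2023-01-01 10:00:01,4625,Security,,203.0.113.5,Failed logon,Target: SRV01\\Administrator,LogonType 3
2023-01-01 10:00:02,4625,Security,,203.0.113.5,Failed logon,Target: SRV01\\Administrator,LogonType 3
2023-01-01 10:00:03,4625,Security,,203.0.113.5,Failed logon,Target: SRV01\\admin,LogonType 3
2023-01-01 10:04:58,1149,Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational,,203.0.113.5,Remote Desktop Services: User authentication succeeded,Administrator,SRV01
2023-01-01 10:05:00,4624,Security,SRV01\\Administrator,203.0.113.5,Successful logon,Target: SRV01\\Administrator,LogonType 10
2023-01-01 09:00:00,4624,Security,SRV01\\backupsvc,,Successful logon,Target: SRV01\\backupsvc,LogonType 5
2023-01-01 11:00:00,4688,Security,SRV01\\Administrator,,Process created,C:\\Windows\\Temp\\x.exe,
"""


def load_rows(text):
    """Parse CSV text (e.g. the contents of an EvtxECmd output file) into dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def logon_type(row):
    """Return the numeric logon type from PayloadData2 ('LogonType 10'), or None."""
    field = row.get("PayloadData2") or ""
    if field.startswith("LogonType "):
        return int(field.split()[1])
    return None


def failed_logons_by_source(rows):
    """Count Security 4625 (failed logon) events per remote host."""
    counts = Counter()
    for r in rows:
        if r["Channel"] == "Security" and r["EventId"] == "4625":
            counts[r["RemoteHost"] or "<none>"] += 1
    return counts


def rdp_logons(rows):
    """Successful RDP activity: Security 4624 with LogonType 10, plus 1149 from
    the TerminalServices RemoteConnectionManager log. 1149 records that RDP
    authentication succeeded; corroborate it with a 4624 before calling it a session."""
    hits = []
    for r in rows:
        eid = r["EventId"]
        if r["Channel"] == "Security" and eid == "4624" and logon_type(r) == 10:
            hits.append((r["TimeCreated"], "4624/LogonType10", r["UserName"], r["RemoteHost"]))
        elif eid == "1149" and r["Channel"].startswith(
            "Microsoft-Windows-TerminalServices-RemoteConnectionManager"
        ):
            hits.append((r["TimeCreated"], "1149", r["PayloadData1"], r["RemoteHost"]))
    return sorted(hits)


def brute_force_then_success(rows, threshold=3):
    """Remote hosts with at least `threshold` failed logons that also appear
    in a successful RDP logon: the pattern to prioritise when RDP was exposed."""
    failures = failed_logons_by_source(rows)
    successes = {h[3] for h in rdp_logons(rows)}
    return sorted(src for src, n in failures.items() if n >= threshold and src in successes)


if __name__ == "__main__":
    # To use on a real export, replace SAMPLE_CSV with open(path).read().
    rows = load_rows(SAMPLE_CSV)
    print("Failed logons by source:", dict(failed_logons_by_source(rows)))
    for hit in rdp_logons(rows):
        print("RDP:", hit)
    print("Failures followed by RDP success:", brute_force_then_success(rows))
```

On a real export, swap SAMPLE_CSV for the contents of the EvtxECmd output file; the threshold in brute_force_then_success is deliberately low for the sample and should be raised to suit the volume of noise on an internet-exposed host.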
Our final command
The MFT ($MFT) resides in the root of the volume. In this instance, we're looking at the primary drive from the compromised server; its original volume letter was C: (so it would have been C:\$MFT), but since we mounted it with AIM it has been assigned the letter G:, so it will exist at G:\$MFT
In this instance, Prefetch/Superfetch artefacts don't exist (Prefetch is disabled by default on Windows Server operating systems). This
We'll start with the SOFTWARE and SYSTEM hives and pivot from there as the analysis progresses.
Export the SYSTEM and SOFTWARE hives along with their corresponding .LOG files (the transaction logs may hold changes not yet written to the hive itself).
Load Registry Explorer > File > Load hive > Select SOFTWARE and its corresponding .LOG files
Do the same for the SYSTEM hive.