Windows DFIR

🛡 Windows DFIR Reference

📚 Registry • Event Logs • File System • Memory
🎯 MITRE ATT&CK Mapped
🛠 DFIR • Threat Hunting • IR Workflow
ABSTRACT

A comprehensive cheat sheet and reference guide for Digital Forensics and Incident Response (DFIR) on Windows systems. It covers all the major forensic artifacts, each mapped to MITRE ATT&CK.

Who is this for?

  • SOC Analyst: threat hunting and alert triage
  • DFIR Practitioner: investigation checklist
  • Security Engineer: building detection rules
  • Beginners: a structured learning reference

Principle: every artifact has a blind spot; triangulation (confirmation from multiple sources) is always stronger.

1. Registry Hives (Root Keys)

The Windows Registry consists of 5 main root keys (hives). Understanding the role of each hive is the foundation of registry forensics, because the same artifact can be stored in a different hive depending on its scope (system-wide vs per-user).

HKEY_CLASSES_ROOT
HKCR
File associations & OLE/COM class registration
Stores information about registered applications, including file extension associations (e.g. .txt is opened by Notepad) and Class IDs (CLSIDs) for OLE/COM objects. HKCR is not a physical hive of its own: it is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, in which the user's (HKCU) settings take precedence.
🔎 Forensic Note: A favourite malware target for COM hijacking / fileless execution: a modification under HKCU\Software\Classes\clsid can make a legitimate process run a payload without writing a new file to disk. T1546.015
HKEY_CURRENT_USER
HKCU
Settings specific to the currently logged-on user
Stores the active user's configuration: wallpaper, screensaver, application settings. HKCU is a dynamic symbolic link pointing to the subkey of HKEY_USERS that matches the active user's SID.
🔎 Forensic Note: The main location for traces of user activity: MRU lists, per-user Run/RunOnce, RecentDocs, TypedURLs, RDP history, and many user-context persistence indicators.
HKEY_LOCAL_MACHINE
HKLM
Global configuration for all users (system-wide)
Holds configuration data that applies regardless of who is logged on: hardware, software, drivers, services, and security settings. Built from the on-disk files (SAM, SECURITY, SYSTEM, SOFTWARE).
🔎 Forensic Note: The hive most often targeted for persistence because its scope is system-wide: Run keys, Services, Winlogon, IFEO, AppInit_DLLs.
HKEY_USERS
HKU
All user profiles loaded on the machine
Contains one subkey per user profile (identified by SID). Each subkey has the same structure as HKCU and serves as the master list of every user's settings.
🔎 Forensic Note: Useful for examining other users' profiles without logging on as those users; important when investigating accounts that have already logged off.
HKEY_CURRENT_CONFIG
HKCC
The hardware profile active at boot
Stores information about the hardware profile currently in use. Relatively small and rarely changes.
🔎 Forensic Note: Relatively low forensic value; rarely an investigation target except in cases of driver/hardware profile manipulation.
2. Hive Files on Disk

Each logical hive is loaded from a physical file on disk. Knowing these locations matters for offline forensics: when analysing a disk image, these are the files you mount and parse.

SAM
C:\Windows\System32\config\SAM
Local user accounts & password hashes (NTLM/LM)
Cannot be read directly while the system is running (locked). Obtained via reg save, a shadow copy, or an offline disk image. Primary target of credential dumping.
T1003.002
SECURITY
C:\Windows\System32\config\SECURITY
Local security policy & LSA Secrets
Stores the LSA Secrets: service account passwords, auto-logon credentials, cached domain creds; a primary Mimikatz target.
T1003.004
SYSTEM
C:\Windows\System32\config\SYSTEM
Hardware configuration, services, drivers, boot key
Contains every ControlSet (CurrentControlSet): Run keys, Services, ShutdownTime, USBSTOR and AppCompatCache are stored here.
SOFTWARE
C:\Windows\System32\config\SOFTWARE
Installed software & system-wide OS settings
Physical location of HKLM\Software: Uninstall key, Defender settings, system-wide persistence.
NTUSER.DAT
C:\Users\<user>\NTUSER.DAT
Per-user settings and activity (mounted as HKCU)
The most valuable file for user activity: UserAssist, RecentDocs, RunMRU, TypedURLs, RDP history, Office MRU.
UsrClass.dat
C:\Users\<user>\AppData\Local\Microsoft\Windows\UsrClass.dat
User shell & COM settings (the HKCU\Software\Classes part)
Main location of ShellBags: proves which folders/files were opened through Explorer, including on removable media.
3. Windows Event Logs

The Event Log is Windows' primary telemetry source. Make sure log forwarding/SIEM is in place before an incident, because local logs can be wiped by an attacker.

Security
%SystemRoot%\System32\Winevt\Logs\Security.evtx
Authentication, authorization and audit events; the most critical log.
Key events: 4624 Successful Logon; 4625 Failed Logon; 4648 Logon with Explicit Credentials; 4672 Special Privileges (Admin); 4720 Account Created; 4768/4769 Kerberos TGT/TGS; 1102 Audit Log Cleared
T1078 T1110
System
%SystemRoot%\System32\Winevt\Logs\System.evtx
System component events, service lifecycle, shutdown/reboot.
Key events: 7045 New Service Installed; 7040 Service Start Type Changed; 1074 Shutdown/Restart; 6005/6006 EventLog Started/Stopped; 104 System Log Cleared
T1543.003
Application
%SystemRoot%\System32\Winevt\Logs\Application.evtx
Application-specific events: errors, crashes, runtime info.
Key events: 1000 Application Error/Crash; 1001 Windows Error Reporting; 1002 Application Hang
PowerShell/Operational
Microsoft-Windows-PowerShell%4Operational.evtx
PowerShell command & script block execution.
Key events: 4103 Module Logging; 4104 Script Block Logging; 4105 Command Start; 400 Engine Started
T1059.001
Sysmon/Operational
Microsoft-Windows-Sysmon%4Operational.evtx
In-depth telemetry from Sysinternals Sysmon.
Key events: 1 Process Create; 3 Network Connection; 7 Image Loaded; 10 Process Access; 11 File Create; 12/13/14 Registry Add/Set/Rename; 22 DNS Query; 23 File Delete
Windows Defender
Microsoft-Windows-Windows Defender%4Operational.evtx
Antimalware activity: detections, remediation, status.
Key events: 1116 Malware Detected; 1117 Action Taken; 5001 Real-Time Protection Disabled; 5000 Real-Time Protection Enabled
T1562.001
TerminalServices-LocalSessionManager
Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
RDP session lifecycle log; the most specific source for lateral movement via RDP.
Key events: 21 Session Logon; 23 Session Logoff; 24 Session Disconnected; 25 Session Reconnected
T1021.001
TerminalServices-RemoteConnectionManager
Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx
Incoming RDP connection attempts, including the source IP.
Key events: 1149 User Auth Succeeded (source IP)
T1021.001
TaskScheduler/Operational
Microsoft-Windows-TaskScheduler%4Operational.evtx
Scheduled task lifecycle log.
Key events: 106 Task Created; 140 Task Updated; 141 Task Removed; 200/201 Task Executed/Completed
T1053.005
WMI-Activity/Operational
Microsoft-Windows-WMI-Activity%4Operational.evtx
WMI provider activity; confirms WMI persistence.
Key events: 5857 Provider Loaded; 5858 Query Error; 5861 Permanent Event Registration
T1546.003
BITS-Client/Operational
Microsoft-Windows-BITS-Client%4Operational.evtx
BITS transfers: payload download / data exfiltration.
Key events: 3 Job Created; 59 Transfer Initiated; 60 Transfer Completed
T1197
NTLM/Operational
Microsoft-Windows-NTLM%4Operational.evtx
NTLM authentication monitoring (pass-the-hash, NTLM relay).
Key events: 4001 NTLM Request Blocked; 8001 NTLM Audit
T1550.002
DNS Client Events
Microsoft-Windows-DNS-Client%4Operational.evtx
DNS client resolution; complements Sysmon Event 22.
Key events: 3006 DNS Query Completed; 3008 DNS Response; 3020 DNS Query Failure
T1071.004
Logon Type Codes (Security Event 4624)
Type | Description | DFIR Relevance
2 | Interactive (local keyboard/screen) | Physical logon
3 | Network (SMB, mapped drive) | Lateral movement via file share
4 | Batch (scheduled task) | Persistence
5 | Service (service account) | Service start/stop
7 | Unlock workstation | User unlock
8 | Network Cleartext (IIS basic auth) | Credential exposure
9 | New Credentials (RunAs /netonly) | Privilege pivoting
10 | Remote Interactive (RDP) | Lateral movement via RDP
11 | Cached Interactive | Cached creds when the DC is unreachable
⚙ Tools: EvtxECmd.exe, chainsaw hunt, hayabusa csv-timeline, Get-WinEvent
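An added example (not part of the original cheat sheet) showing how the Security events and logon types above combine into detection logic: a 4625 burst from one source (T1110), a 4624 from that same source shortly afterwards (Type 10 mapped to T1021.001, anything else to T1078), and 1102 (T1070.001). The records are constructed; the field names (`time`, `event_id`, `logon_type`, `user`, `src_ip`) are an assumed flattening of the EventID, LogonType, TargetUserName and IpAddress fields an EVTX parser would export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Logon type codes from the table above, used to label findings.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# Constructed sample records shaped like the fields an EVTX parser exports from
# Security.evtx (EventID, LogonType, TargetUserName, IpAddress). Not real data.
SAMPLE_EVENTS = [
    {"time": "2024-03-18T09:00:00", "event_id": 4624, "logon_type": 2, "user": "bob", "src_ip": "-"},
    {"time": "2024-03-18T22:40:01", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "10.0.0.77"},
    {"time": "2024-03-18T22:40:05", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "10.0.0.77"},
    {"time": "2024-03-18T22:40:12", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "10.0.0.77"},
    {"time": "2024-03-18T22:40:25", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "10.0.0.77"},
    {"time": "2024-03-18T22:40:40", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "10.0.0.77"},
    {"time": "2024-03-18T22:41:09", "event_id": 4624, "logon_type": 10, "user": "admin", "src_ip": "10.0.0.77"},
    {"time": "2024-03-18T22:41:10", "event_id": 4672, "logon_type": None, "user": "admin", "src_ip": "-"},
    {"time": "2024-03-18T22:58:30", "event_id": 1102, "logon_type": None, "user": "admin", "src_ip": "-"},
]


def triage_logons(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Walk Security events in time order and return (ATT&CK id, description) findings."""
    findings = []
    failures = defaultdict(list)   # src_ip -> timestamps of recent 4625 events
    bursts = {}                    # src_ip -> time the failure burst was first seen
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        src = e["src_ip"]
        if e["event_id"] == 4625 and src not in ("-", ""):
            recent = failures[src]
            recent.append(t)
            recent[:] = [x for x in recent if t - x <= window]   # sliding window
            if len(recent) >= fail_threshold and src not in bursts:
                bursts[src] = t
                findings.append(("T1110", f"{len(recent)} failed logons from {src} "
                                          f"for '{e['user']}' within {window}"))
        elif e["event_id"] == 4624 and src in bursts and t - bursts[src] <= window:
            # Success shortly after a burst: RDP (type 10) maps to T1021.001,
            # any other type is treated as use of a valid account (T1078).
            lt = e["logon_type"]
            tech = "T1021.001" if lt == 10 else "T1078"
            findings.append((tech, f"{LOGON_TYPES.get(lt, lt)} logon for '{e['user']}' "
                                   f"from {src} right after the failure burst"))
        elif e["event_id"] == 1102:
            findings.append(("T1070.001", f"Security audit log cleared by '{e['user']}' at {e['time']}"))
    return findings


def triage_techniques(events):
    """Convenience wrapper: just the ATT&CK ids, in detection order."""
    return [tech for tech, _ in triage_logons(events)]


if __name__ == "__main__":
    for tech, desc in triage_logons(SAMPLE_EVENTS):
        print(tech, desc)
```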
4. NTFS & File System Artifacts

NTFS file system artifacts are often the backbone of a super timeline: they record file creation/deletion/rename events that no registry key records.

Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK
$MFT (Master File Table) | Root of the NTFS volume | Index of every NTFS file/directory. Each entry (1024 bytes) holds 4 MACB timestamps in 2 attributes ($STANDARD_INFORMATION and $FILE_NAME). Comparing $SI vs $FN is the primary method of detecting timestomping. | T1070.006
$UsnJrnl (USN Change Journal) | $Extend\$UsnJrnl:$J | Tracks every file modification on the volume (create, delete, rename). Records even files that have already been deleted; often the only evidence of a self-deleting dropper. | -
$LogFile (Transaction Log) | Root of the NTFS volume | NTFS journaling transaction log; recovery of the last operations before a crash/shutdown. | -
$I30 (Index Attributes) | Every NTFS directory | Directory index whose slack space can retain deleted file entries; files already gone from the MFT are sometimes still present in $I30. | T1070.004
Volume Shadow Copies (VSS) | System Volume Information | Windows' time machine: read-only snapshots. Recovery of registry/files modified by the attacker. | T1490
Alternate Data Streams (ADS) | Every NTFS file | Hidden data attached to a file without changing its size. Used by malware to hide payloads. | T1564.004
Zone.Identifier (MotW) | file.ext:Zone.Identifier ADS | Special ADS on downloaded files. Contains ZoneId=3 (internet) and sometimes the ReferrerUrl the download came from. | T1553.005
⚠ Timestomping detection: compare the $STANDARD_INFORMATION and $FILE_NAME timestamps. Timestomping tools only modify $SI; $FN can only be changed by the kernel. A $SI Created earlier than $FN Created is a strong indication of timestomping.
⚙ Tools: MFTECmd.exe -f "$MFT" --csv output, vssadmin list shadows, dir /r file.txt (ADS), Get-Item -Path file -Stream *
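An added example, not from the original page, that runs the $SI vs $FN check above over a constructed CSV in the layout MFTECmd produces (the column names `Created0x10`/`Created0x30` for $STANDARD_INFORMATION/$FILE_NAME are assumed from that tool's convention). It goes slightly beyond the text by also flagging the common secondary sign of a user-mode timestomp: $SI timestamps whose 100 ns fraction is all zeros.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample in MFTECmd-style CSV layout (0x10 = $STANDARD_INFORMATION,
# 0x30 = $FILE_NAME). Entry 1002 is the planted "timestomped" row; not real evidence.
SAMPLE_MFT_CSV = r"""EntryNumber,ParentPath,FileName,Created0x10,LastModified0x10,Created0x30,LastModified0x30
1001,.\Windows\System32,svchost.exe,2021-05-11 09:12:33.1234567,2021-05-11 09:12:33.1234567,2021-05-11 09:12:33.1234567,2021-05-11 09:12:33.1234567
1002,.\Windows\Temp,update.exe,2019-01-02 03:04:05.0000000,2019-01-02 03:04:05.0000000,2024-03-18 22:41:07.5518820,2024-03-18 22:41:07.5518820
1003,.\Users\bob\Documents,report.docx,2024-03-17 10:00:00.8812003,2024-03-17 10:05:12.0013400,2024-03-17 10:00:00.8812003,2024-03-17 10:00:00.8812003
"""

TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.(\d+))?")


def parse_ts(text):
    """Return (datetime, raw fraction digits) for an MFTECmd-style timestamp string."""
    m = TS_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"bad timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    frac = m.group(2) or ""
    micros = int((frac + "000000")[:6])          # keep microsecond precision
    return base.replace(microsecond=micros), frac


def check_timestomp(row):
    """Apply the $SI vs $FN heuristics to one CSV row; return a list of finding codes."""
    findings = []
    si_created, si_frac = parse_ts(row["Created0x10"])
    fn_created, _ = parse_ts(row["Created0x30"])
    _, si_mod_frac = parse_ts(row["LastModified0x10"])
    # Rule from the text: $FN is written by the kernel when the entry is created,
    # so a $SI Created that predates it cannot come from normal file activity.
    if si_created < fn_created:
        findings.append("SI_CREATED_BEFORE_FN")
    # Extra heuristic: user-mode APIs that set whole-second times leave the 100 ns
    # fraction all zeros, which genuine NTFS writes almost never do.
    if si_frac and set(si_frac) == {"0"} and set(si_mod_frac) == {"0"}:
        findings.append("SI_SUBSECOND_ZERO")
    return findings


def scan_mft_csv(text):
    """Return {full_path: findings} for every row that trips at least one heuristic."""
    hits = {}
    for row in csv.DictReader(io.StringIO(text)):
        f = check_timestomp(row)
        if f:
            hits[row["ParentPath"] + "\\" + row["FileName"]] = f
    return hits


if __name__ == "__main__":
    for path, f in scan_mft_csv(SAMPLE_MFT_CSV).items():
        print(path, ",".join(f))
```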
5. System Information

Basic artifacts for building system context. Always collect these first.

Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK
Last Shutdown Time | HKLM\SYSTEM\CurrentControlSet\Control\Windows\ShutdownTime | Time of the last shutdown; timeline correlation. | -
Computer Name | HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName | Hostname identity; validates the origin of the evidence. | -
Time Zone | HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation | Time zone offset; must be checked before normalising timestamps to UTC. | -
Windows Version | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | OS build/edition; validates the patch level. | -
Network Interfaces | HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{interface} | Per-interface network configuration (IP, DHCP, DNS). | -
Defender Settings | HKLM\SOFTWARE\Microsoft\Windows Defender | Status of the built-in AV; check for suspicious exclusion paths. | T1562.001
User Profiles | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\{SID} | List of user profiles (SID + path); detects new accounts. | T1136.001
6. User Activity & MRU (Most Recently Used)

Traces of user interaction with files, folders and programs; crucial for proving user knowledge and intent.

Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK
LastVisitedMRU | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPIDlMRU | Applications last used to save/open files, together with the directory. | -
OpenSavePidlMRU | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU | Files opened/saved through the Common Dialog, including files since deleted. | -
ShellBags | USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags | Strongest artifact proving a folder was opened, including on removable/network media. | -
RecentDocs | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs | Files recently opened via Explorer, per extension. | -
USB Devices | SYSTEM\CurrentControlSet\Enum\USBSTOR | USB storage history: vendor, serial number, first/last connected. | T1052.001
UserAssist | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist | GUI programs run via Explorer: run count & last execution. Key names are ROT13-encoded. | T1204.002
Typed URLs | NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs | URLs typed manually into the browser address bar. | -
RunMRU | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU | Commands entered in the Run dialog (Win+R). | T1059.003
RecentApps | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps | Recently launched applications plus arguments. | -
FeatureUsage AppSwitched | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched | Execution artifact from taskbar switching. | -
Office MRU | NTUSER.DAT\Software\Microsoft\Office\<ver>.0\Word\File MRU | Per-application Office file history (Word, Excel, PowerPoint). | T1566.001
Trusted Documents | NTUSER.DAT\Software\Microsoft\Office\<ver>.0\Word\Security\Trusted Documents\TrustRecords | Documents the user trusted (macros allowed to run). | T1204.002
Jump List Files | %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\ and CustomDestinations\ | Per-application file history (taskbar pinned): app ID + timestamp. | -
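An added example (not from the original page) decoding a UserAssist entry as described in the table: the ROT13 value name and the Windows 7+ 72-byte value layout (run count at offset 4, focus count at 8, focus time at 12, last-execution FILETIME at 60). The value bytes are constructed by `build_sample_value` for the demo; the sample name decodes to the System32 known-folder GUID plus cmd.exe.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: a value name as stored under
# HKCU\...\Explorer\UserAssist\{GUID}\Count (ROT13-encoded, as the table notes).
SAMPLE_NAME_ROT13 = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, None if 0."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_userassist_value(name_rot13, data):
    """Decode one Windows 7+ UserAssist\\Count value (72-byte layout)."""
    if len(data) < 68:
        raise ValueError("value too short for the Win7+ UserAssist layout")
    # Offsets 0-15: session id, run count, focus count, focus time in milliseconds.
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    # Offsets 16-59: ten floats plus an unused DWORD (not needed here).
    # Offset 60: FILETIME of the last execution.
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "name": codecs.decode(name_rot13, "rot13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run_ft),
    }


def build_sample_value(run_count, focus_count, focus_ms, last_run):
    """Construct a 72-byte value in the same layout (demo input only, not real registry data)."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44
            + struct.pack("<Q", datetime_to_filetime(last_run))
            + b"\x00" * 4)


def demo():
    data = build_sample_value(7, 3, 125000, datetime(2024, 3, 18, 22, 41, 7, tzinfo=timezone.utc))
    return parse_userassist_value(SAMPLE_NAME_ROT13, data)


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```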
7. Persistence Mechanisms

Techniques attackers/malware use to keep execution alive across reboots/logons; the area checked most often in both hunting and active IR.

Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK
Run Key (HKLM) | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | System-wide auto-start; the classic persistence target. | T1547.001
RunOnce Key (HKLM) | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | Entry is deleted automatically after a single execution. | T1547.001
Run Key (HKCU) | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Per-user variant; RATs that have no admin rights. | T1547.001
RunOnce Key (HKCU) | HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce | Per-user RunOnce variant. | T1547.001
IFEO | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | Check the Debugger value; the payload replaces the target executable. | T1546.012
Sticky Keys Hijack | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | SYSTEM-level cmd.exe from the login screen. | T1546.008
Utilman Hijack | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe | Alternative to the Sticky Keys hijack via Utilman. | T1546.008
Winlogon Userinit | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit | Normal: userinit.exe, (with trailing comma); any additional path = hijacking. | T1547.004
Winlogon Shell | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell | Normal: explorer.exe; replaced = shell hijack. | T1547.004
BootExecute | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute | Executed by smss.exe in the earliest phase of boot. | T1547.001
User Shell Folders | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Redirects the Startup folder path to an attacker-controlled location. | T1547.001
Startup Folder (All Users) | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup | Shortcuts/files here auto-run for every user. | T1547.001
Startup Folder (Per-User) | C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup | Per-user version of the Startup folder. | T1547.001
WMI Event Subscription | HKLM\SOFTWARE\Microsoft\WBEM | Payload auto-runs when an event triggers; no Run key needed. | T1546.003
AppCertDLLs | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls | DLL loaded into every process that calls CreateProcess. | T1546.009
AppInit_DLLs | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs | DLL loaded into every process that loads user32.dll. | T1546.010
Scheduled Task (Registry) | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks | Task metadata in the registry; recovers deleted tasks. | T1053.005
Scheduled Task (File) | C:\Windows\System32\Tasks | XML task definition files: Author, command, trigger. | T1053.005
Windows Services | HKLM\SYSTEM\CurrentControlSet\Services | Root key of all services; random names = red flag. | T1543.003
Service ImagePath Mod | HKLM\SYSTEM\CurrentControlSet\Services\<svcname>\ImagePath | Changing an existing service's ImagePath = privilege escalation. | T1574.011
MSDTC / MTxOCI Hijack | HKLM\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLibPath | DLL hijacking via the MSDTC service. | T1574.001
SharedDLLs | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs | Manipulation of DLL reference counts. | T1574.001
PATH Modification | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path | Attacker directory at the front of PATH = path interception. | T1574.007
NetSh Helper DLL | HKLM\SOFTWARE\Microsoft\NetSh | DLL loaded every time netsh.exe runs. | T1546.007
Context Menu Hijacking | HKCR\*\shellex\ContextMenuHandlers | COM shell extension invoked when a file is right-clicked. | T1546.015
Silent Process Exit | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit | Runs a program when a process crashes/exits. | T1546.012
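An added example, not part of the original page, that turns three rows of the table above (Winlogon Userinit/Shell, IFEO Debugger incl. the sethc.exe/utilman.exe case, and Run/RunOnce) into a baseline check over a `reg export` text file. The .reg content is constructed to contain one hit per rule; the "user-writable path" test on Run values is a heuristic of this example, not a rule from the page.

```python
import re

# Constructed `reg export`-style text (not from a real host). Values appear the way
# .reg files escape them: backslashes doubled, embedded quotes written as \".
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\svc.exe"
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe"
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe"}               # rows from the table
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\")   # heuristic only


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: string_data}}; non-string values are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (line.startswith('"') or line.startswith("@")):
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # Undo .reg escaping: \\ -> \ and \" -> "
                keys[current][name] = re.sub(r'\\(["\\])', r"\1", data[1:-1])
    return keys


def audit_persistence(keys):
    """Apply the Winlogon, IFEO and Run-key checks; return (ATT&CK id, description) findings."""
    findings = []
    run_keys = {k.lower() for k in RUN_KEYS}
    for key, values in keys.items():
        k = key.lower()
        if k == WINLOGON.lower():
            parts = [p.strip() for p in values.get("Userinit", "").split(",") if p.strip()]
            extra = [p for p in parts if p.lower().rsplit("\\", 1)[-1] != "userinit.exe"]
            if extra:
                findings.append(("T1547.004", f"Winlogon Userinit carries extra entries: {extra}"))
            shell = values.get("Shell", "explorer.exe")
            if shell.lower() != "explorer.exe":
                findings.append(("T1547.004", f"Winlogon Shell replaced with: {shell}"))
        elif k.startswith(IFEO.lower() + "\\") and "Debugger" in values:
            target = key.rsplit("\\", 1)[1]
            tech = "T1546.008" if target.lower() in ACCESSIBILITY_BINARIES else "T1546.012"
            findings.append((tech, f"IFEO Debugger set for {target}: {values['Debugger']}"))
        elif k in run_keys:
            for name, cmd in values.items():
                if any(hint in cmd.lower() for hint in USER_WRITABLE_HINTS):
                    findings.append(("T1547.001", f"Run value '{name}' starts from a user-writable path: {cmd}"))
    return findings


def audit_reg_text(text):
    return audit_persistence(parse_reg_export(text))


if __name__ == "__main__":
    for tech, desc in audit_reg_text(SAMPLE_REG_EXPORT):
        print(tech, desc)
```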
8. Credential Access & Privilege Escalation

Keys related to credential storage or access control; modifications in this area are usually aimed at stealing credentials or elevating privileges.

Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK
LSA Configuration | HKLM\SYSTEM\CurrentControlSet\Control\Lsa | Local Security Authority configuration; Mimikatz target. | T1003.004 T1003.001
LimitBlankPasswordUse | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse | Value 0 = accounts with blank passwords can log on remotely (default: 1). | T1078.003
EnableLUA (UAC) | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Value 0 = UAC completely disabled. | T1548.002
Service Weak Permissions | HKLM\SYSTEM\CurrentControlSet\Services\<svcname> | Overly permissive ACL = attacker can change the ImagePath. | T1574.011
9. Defense Evasion & Anti-Forensics

Indicators that an attacker is trying to evade detection or erase traces.

Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK
AV RTP Disable | HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection | Real-time protection disabled; check DisableRealtimeMonitoring. | T1562.001
System Restore | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore | Disabling System Restore = the victim cannot roll back. | T1490
Audit Policy Tampering | HKLM\Security\Policy\PolAdEv | Binary value holding the audit policy configuration; can be switched off silently. | T1562.002
Security Log Size | HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security (MaxSize & Retention) | Reduced MaxSize = logs overwritten quickly. | T1070.001
Event Log Config | HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security | Retention/overwrite policy configuration. | T1070.001
CLSID Hijack | HKCU\Software\Classes\clsid | Overwriting a legitimate component's CLSID = fileless execution. | T1546.015
Malware Config | HKCU\Software\<Malware Name>\Settings | Malware stores C2 and campaign IDs in custom registry keys. | -
Uninstall List | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | Software list; used by attackers for AV/EDR reconnaissance. | T1518.001
MuiCache | HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | Friendly names of applications that have been run. | -
SRP/AppLocker | HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Rule modification to whitelist a payload. | T1562.001
10. Lateral Movement & Network Artifacts

Traces of connectivity and of preparation for lateral movement; maps the attacker's reach.

Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK
Firewall Domain Profile | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile | Firewall rule changes to enable lateral movement. | T1562.004
Network Shares | HKCU\Network | Network drives that have been mapped. | T1021.002
Network List Profiles | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles | Network profile history (SSID/LAN, first/last connected). | -
WLAN Profiles | HKLM\SOFTWARE\Microsoft\Wlansvc\Profiles | Wi-Fi profile details; correlates with physical location. | -
RDP Connection History | HKCU\Software\Microsoft\Terminal Server Client\Servers | Hostnames/IPs accessed via RDP. | T1021.001
RDP Default | HKCU\Software\Microsoft\Terminal Server Client\Default | Additional IPs/hosts from the most recent RDP sessions. | T1021.001
PuTTY SSH Keys | HKCU\Software\SimonTatham\PuTTY\SshHostKeys | SSH host keys of hosts that were accessed. | T1021.004
Firewall Log | %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log | Built-in firewall log (if enabled). | -
11. Execution Artifacts

Artifacts proving that a program was actually executed; triangulating several sources is stronger.

Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK
BAM | HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings | Full path + execution timestamp per user SID (Win10 1709+). | -
Shimcache | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache | Executable metadata (path, size, timestamp). Does not always mean it actually ran. | -
AmCache | C:\Windows\AppCompat\Programs\Amcache.hve | Detailed metadata including the SHA1 hash. | -
Prefetch | C:\Windows\Prefetch\*.pf | File name, run count, 8 last execution times (Win8+), loaded DLLs. | -
LNK Files | C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent | Automatic shortcuts: target metadata, drive MAC address, volume serial. | -
SRUM | C:\Windows\System32\sru\SRUDB.dat | Network/CPU usage per application per hour, including applications since uninstalled. | -
WMI Repository | C:\Windows\System32\wbem\Repository\OBJECTS.DATA | WMI consumer/filter database; confirms WMI persistence. | T1546.003
⚙ Tools: PECmd.exe (Prefetch), AmcacheParser.exe, AppCompatCacheParser.exe, LECmd.exe (LNK), SrumECmd.exe
12. Browser & Internet Artifacts

Web activity traces from modern browsers (Chrome, Edge Chromium, Firefox) and legacy ones (IE).

Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK
Chrome History | %LocalAppData%\Google\Chrome\User Data\Default\History | SQLite DB: URL, title, visit count, timestamp. | -
Chrome Downloads | %LocalAppData%\Google\Chrome\User Data\Default\History (downloads table) | Source URL, local path, size, timestamp. | -
Chrome Login Data | %LocalAppData%\Google\Chrome\User Data\Default\Login Data | Saved credentials (encrypted); credential harvesting target. | T1555.003
Chrome Cookies | %LocalAppData%\Google\Chrome\User Data\Default\Cookies | Session cookies; pass-the-cookie. | T1539
Chrome Extensions | %LocalAppData%\Google\Chrome\User Data\Default\Extensions\ | Extensions can be an initial access vector or a keylogger. | T1176
Edge Chromium | %LocalAppData%\Microsoft\Edge\User Data\Default\ | Structure nearly identical to Chrome (History, Login Data, Cookies). | -
Firefox Places | %AppData%\Mozilla\Firefox\Profiles\<profile>\places.sqlite | SQLite: browsing history + bookmarks. | -
Firefox Logins | %AppData%\Mozilla\Firefox\Profiles\<profile>\logins.json + key4.db | Saved Firefox credentials. | T1555.003
Zone Map Domains | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains | Domains in the Trusted zone = lower security. | T1112
Search History | HKCU\Software\Microsoft\Windows\CurrentVersion\Search\Flighting | Windows Search/Cortana search history. | -
⚙ Tools: Hindsight (Chrome/Edge), BrowsingHistoryView (NirSoft), DB Browser for SQLite
13. Cloud, Office & Email Artifacts

Cloud sync, Office documents and email; relevant to data exfiltration, BEC, and initial access via macros.

Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK
Cloud Storage | HKCU\Software\Microsoft\Windows\CurrentVersion\CloudStorage\Providers | Cloud sync providers (OneDrive, Dropbox, GDrive); check the sync folder. | T1567.002
Outlook OST/PST | C:\Users\<user>\AppData\Local\Microsoft\Outlook\*.ost and *.pst | Local Outlook email database; crucial for BEC/phishing investigations. | T1114.001
Trusted Documents | NTUSER.DAT\Software\Microsoft\Office\<ver>.0\Word\Security\Trusted Documents\TrustRecords | Trusted documents (macros allowed). | T1204.002
Office MRU | NTUSER.DAT\Software\Microsoft\Office\<ver>.0\Word\File MRU | Per-application Office file history. | T1566.001
14. Memory Forensics

RAM analysis: reveals running processes, active connections, injected code, and plaintext credentials that never touch the disk.

Memory Data Sources
Source | Location | Explanation | MITRE
Live RAM Dump | Acquired via WinPmem, DumpIt, Magnet RAM Capture | Direct RAM snapshot; must be acquired before powering off. | -
hiberfil.sys | C:\hiberfil.sys | RAM snapshot taken at hibernation; can be parsed even after a reboot. | -
pagefile.sys | C:\pagefile.sys | Paging file: password fragments, encryption keys. | -
swapfile.sys | C:\swapfile.sys | UWP paging file (Windows 8+). | -
Crash Dumps | C:\Windows\MEMORY.DMP or C:\Windows\Minidump\ | Memory dump written at a BSOD. | -
WER Crash Dumps | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\ | Memory dumps of processes that crashed because of an exploit. | -
Data That Can Be Extracted from Memory
  • Process List & Process Tree: every process, including those hidden from Task Manager
  • Network Connections: active connections and listening ports (including C2 connections that have already terminated)
  • Injected Code Detection: DLL injection, process hollowing, reflective loading
  • Command Line Arguments: the command line each process was started with
  • Loaded DLLs & Drivers: including kernel-mode rootkits
  • Registry Hives in Memory: the latest version, not yet flushed to disk
  • Credential Extraction: plaintext passwords, Kerberos tickets, NTLM hashes from LSASS
  • Clipboard Content: data the user copied
  • Encryption Keys: BitLocker, TrueCrypt, VeraCrypt keys in memory
⚙ Tools: vol.py -f mem.dmp windows.pslist, vol.py windows.netscan, vol.py windows.malfind, vol.py windows.hashdump, MemProcFS
15. File-Based Artifacts (Non-Registry)

Artifacts outside the registry that remain crucial, including data sources that are often overlooked.

Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK
User Temp | C:\Users\<user>\AppData\Local\Temp\ | Payload/dropper staging before execution. | T1074.001
Windows Temp | C:\Windows\Temp\ | Malware staging in SYSTEM/service context. | T1074.001
Recycle Bin | $Recycle.Bin\<SID>\ | Deleted files plus original name and deletion time ($I metadata). | T1070.004
Print Spool | C:\Windows\System32\spool\PRINTERS\ | Remnants of printed documents; insider threat. | -
PowerShell History | C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt | Interactive PowerShell command history. | T1059.001
PowerShell Transcripts | Custom location set via GPO (default: C:\PSTranscripts\) | Full PowerShell session transcript including output. | T1059.001
Thumbcache | C:\Users\<user>\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db | Image/document thumbnails; proves a file existed even if it was deleted. | -
Windows.edb | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb | Windows Search index; metadata of files already deleted. | -
ETW Traces | C:\Windows\System32\LogFiles\WMI\ | Event Tracing telemetry outside the Event Log. | -
Group Policy | C:\Windows\System32\GroupPolicy\ | Local GPO; attackers can use it to disable security settings. | -
16. DFIR Methodology & Workflow

Knowing what to check is not enough; you also need to know the order and the priorities.

Order of Volatility (Acquisition Order)

Acquire data from the most volatile to the most persistent. Do not power off the machine before collecting volatile data!

No | Data | Acquisition Method | Volatility
1 | CPU Registers, Cache, RAM | WinPmem, DumpIt, Magnet RAM Capture | Seconds; lost at power-off
2 | Network Connections & Routing | netstat -anob, arp -a, ipconfig /all | Seconds
3 | Running Processes & Services | tasklist /v, Get-Process, sc query | Seconds
4 | Open Files & Registry in Memory | handle.exe, memory dump | Minutes
5 | Disk (File System, Registry, Event Log) | FTK Imager, dd, KAPE | Persistent
6 | Physical Media & Backup | Full imaging, backup restore | Very persistent
Triage Priorities by Scenario

The relevant artifacts differ by incident type:

🔒 Ransomware
1. Event Log: Security 4624/4625, System 7045
2. Persistence: Run keys, Services, Scheduled Tasks
3. Execution: Prefetch, AmCache, BAM
4. Anti-Forensics: System Restore, VSS deletion, Event 1102/104
5. Lateral Movement: RDP history, network connections
6. File System: $MFT/$UsnJrnl (encryption timeline)
🎣 Lateral Movement / APT
1. Network: RDP history, PuTTY SSH, network shares, firewall
2. Event Log: Security 4624 Type 3/10, TerminalServices 21/1149
3. Credentials: LSA, SAM/SECURITY hives, LSASS memory
4. Execution: Shimcache + AmCache + Prefetch (triangulation)
5. Persistence: Services, WMI, Scheduled Tasks, IFEO
6. Memory: process list, network connections, injected code
📧 Phishing / BEC
1. Email: Outlook OST/PST, headers, attachment metadata
2. Browser: Chrome/Edge History + Downloads
3. User Activity: Office MRU, Trusted Documents
4. Execution: Prefetch (was the payload executed?), UserAssist
5. File System: Zone.Identifier (MotW), Temp folders
6. Persistence: Run keys, Scheduled Tasks
🕵 Insider Threat
1. User Activity: RecentDocs, ShellBags, USB, Jump Lists
2. Cloud/Exfil: Cloud Storage, browser uploads, network shares
3. File System: $MFT/$UsnJrnl (copy/move/delete timeline)
4. Browser: download history, searches, webmail
5. Print Spool: documents that were printed
6. Recycle Bin: files the user tried to delete
Super Timeline Workflow
⚙ Workflow:
1. KAPE --tsource C: --tdest output --target !SANS_Triage: Collect
2. log2timeline.py timeline.plaso image.E01: Parse
3. psort.py -w timeline.csv timeline.plaso: Sort
4. Timeline Explorer: visual analysis
5. Filter by the incident timeframe
17. Tooling Reference

Recommended tools per category; most are free and open source.

Category | Tool | Purpose
Collection | KAPE (Kroll) | Automated artifact collection & processing
Collection | Velociraptor | Endpoint forensic agent + hunting
Registry | Registry Explorer (EZ) | GUI registry hive viewer + transaction log replay
Registry | RegRipper | Automated registry extraction via plugins
Registry | RECmd (EZ) | CLI registry search & batch processing
File System | MFTECmd (EZ) | Parse $MFT, $UsnJrnl, $LogFile, $Boot
File System | Autopsy / FTK Imager | Disk imaging & file system analysis
Execution | PECmd (EZ) | Prefetch parser
Execution | AmcacheParser (EZ) | Amcache.hve parser
Execution | AppCompatCacheParser (EZ) | Shimcache parser
Execution | SrumECmd (EZ) | SRUM database parser
Event Logs | EvtxECmd (EZ) | EVTX parser to CSV/JSON
Event Logs | Chainsaw | Sigma rule-based EVTX hunting
Event Logs | Hayabusa | Fast forensics & threat hunting
LNK/JumpList | LECmd / JLECmd (EZ) | LNK file & Jump List parser
Browser | Hindsight | Chrome/Edge Chromium forensic parser
Browser | BrowsingHistoryView | Multi-browser viewer (NirSoft)
Memory | Volatility 3 | Memory forensics framework
Memory | MemProcFS | Mount a memory dump as a virtual file system
Memory | WinPmem / DumpIt | Live RAM acquisition
Timeline | Plaso / log2timeline | Super timeline generator
Timeline | Timeline Explorer (EZ) | GUI timeline CSV viewer

(EZ) = Eric Zimmerman's Tools: https://ericzimmerman.github.io

References
  • SANS Windows Forensic Analysis Poster
  • Eric Zimmerman's Tools: https://ericzimmerman.github.io
  • MITRE ATT&CK®: https://attack.mitre.org
  • 13Cubed YouTube DFIR Series
  • Magnet Forensics Artifact Reference