🛡 Windows DFIR Reference
Comprehensive cheat sheet and reference guide for Digital Forensics and Incident Response (DFIR) on Windows systems. Covers all major forensic artifacts with MITRE ATT&CK mapping.
Who is it for?
- SOC Analyst: threat hunting and alert triage
- DFIR Practitioner: investigation checklist
- Security Engineer: building detection rules
- Beginners: a structured learning reference
Principle: every artifact has a blind spot; triangulation (confirmation from multiple sources) is always stronger.
Registry Hives (Root Keys)
The Windows Registry consists of 5 main root keys (hives). Understanding each hive's role is the foundation of registry forensics, because the same artifact can live in a different hive depending on its scope (system-wide vs per-user).
.txt is opened by Notepad) and Class IDs (CLSID) for OLE/COM objects. HKCR is not a physical hive of its own: it is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, in which the user's settings (HKCU) take precedence.
HKCU\Software\Classes\clsid can make a legitimate process run a payload without creating a new file on disk. T1546.015
HKEY_USERS subkey matching the active user's SID.
Hive Files on Disk
Each logical hive is loaded from a physical file on disk. Knowing these file locations matters for offline forensics: when analyzing a disk image, these are the files you mount and parse.
reg save, a shadow copy, or an offline disk image. Primary target of credential dumping.
HKLM\Software: Uninstall key, Defender settings, system-wide persistence.
Windows Event Logs
The Event Log is Windows' primary telemetry source. Make sure log forwarding/SIEM is active before an incident, because local logs can be deleted by an attacker.
| Logon Type | Description | DFIR Relevance |
|---|---|---|
| 2 | Interactive (local keyboard/screen) | Physical logon |
| 3 | Network (SMB, mapped drive) | Lateral movement via file share |
| 4 | Batch (scheduled task) | Persistence |
| 5 | Service (service account) | Service start/stop |
| 7 | Unlock workstation | User unlock |
| 8 | Network Cleartext (IIS basic auth) | Credential exposure |
| 9 | New Credentials (RunAs /netonly) | Privilege pivoting |
| 10 | Remote Interactive (RDP) | Lateral movement via RDP |
| 11 | Cached Interactive | Cached creds while the DC is unreachable |
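As an added example (not from the original page), this Python snippet parses a Security 4624 event rendered as XML and applies the logon-type relevance from the table above to produce triage notes; the event XML and the jump-host allowlist are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Logon type -> (name, DFIR relevance), mirroring the table above.
LOGON_TYPES = {
    2: ("Interactive", "physical logon"),
    3: ("Network", "lateral movement via file share"),
    4: ("Batch", "persistence via scheduled task"),
    5: ("Service", "service start/stop"),
    7: ("Unlock", "user unlock"),
    8: ("NetworkCleartext", "credential exposure"),
    9: ("NewCredentials", "privilege pivoting (RunAs /netonly)"),
    10: ("RemoteInteractive", "lateral movement via RDP"),
    11: ("CachedInteractive", "cached creds while the DC is unreachable"),
}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOCAL_SOURCES = {"", "-", "127.0.0.1", "::1"}

# Constructed sample: a Security 4624 event as rendered XML (not a real capture).
SAMPLE_4624 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
    <Data Name="WorkstationName">ADMIN-PC</Data>
  </EventData>
</Event>"""


def parse_4624(xml_text):
    """Extract the EventData fields needed for logon triage from one 4624 event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if event_id != 4624:
        raise ValueError(f"expected event 4624, got {event_id}")
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "user": data.get("TargetDomainName", "") + "\\" + data.get("TargetUserName", ""),
        "logon_type": int(data.get("LogonType", "0")),
        "source_ip": data.get("IpAddress", "-"),
        "workstation": data.get("WorkstationName", "-"),
    }


def triage(ev, jump_hosts=frozenset()):
    """Return triage notes for a parsed 4624 event; jump_hosts is an allowlist of admin source IPs."""
    name, relevance = LOGON_TYPES.get(ev["logon_type"], ("Unknown", "unmapped logon type"))
    notes = [f"type {ev['logon_type']} ({name}): {relevance}"]
    remote = ev["source_ip"] not in LOCAL_SOURCES
    # Types 3 and 10 from a source that is not an allowlisted jump host are the
    # lateral-movement candidates worth pivoting on.
    if ev["logon_type"] in (3, 10) and remote and ev["source_ip"] not in jump_hosts:
        notes.append(f"remote logon from {ev['source_ip']} ({ev['workstation']}) into "
                     f"{ev['user']} on {ev['computer']}: not an allowlisted jump host")
    if ev["logon_type"] == 8:
        notes.append("credentials transmitted in cleartext; find the service that accepted basic auth")
    if ev["logon_type"] == 9:
        notes.append("alternate credentials supplied via RunAs /netonly; identify the owning account")
    return notes


if __name__ == "__main__":
    for note in triage(parse_4624(SAMPLE_4624)):
        print(note)
```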
Tools: EvtxECmd.exe, chainsaw hunt, hayabusa csv-timeline, Get-WinEvent
NTFS & File System Artifacts
NTFS file system artifacts are often the backbone of a super timeline: they record file creation/deletion/rename events that no registry key captures.
| Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK |
|---|---|---|---|
| $MFT (Master File Table) | NTFS volume root | Index of every NTFS file/directory. Each entry (1024 bytes) holds 4 MACB timestamps in 2 attributes ($STANDARD_INFORMATION and $FILE_NAME). Comparing $SI vs $FN is the primary timestomping detection method. | T1070.006 |
| $UsnJrnl (USN Change Journal) | $Extend\$UsnJrnl:$J | Tracks every file modification on the volume (create, delete, rename). Records even files that have since been deleted; often the only evidence of a self-deleting dropper. | — |
| $LogFile (Transaction Log) | NTFS volume root | NTFS journaling transaction log; recovers the last operations before a crash/shutdown. | — |
| $I30 (Index Attributes) | Every NTFS directory | Directory index whose slack space can retain deleted file entries; a file already gone from the MFT may still appear in $I30. | T1070.004 |
| Volume Shadow Copies (VSS) | System Volume Information | Windows' time machine: read-only snapshots. Recovers registry/files the attacker has modified. | T1490 |
| Alternate Data Streams (ADS) | Every NTFS file | Hidden data attached to a file without changing its size. Used by malware to hide payloads. | T1564.004 |
| Zone.Identifier (MotW) | file.ext:Zone.Identifier ADS | Special ADS on downloaded files. Contains ZoneId=3 (internet) and sometimes the ReferrerUrl of the download. | T1553.005 |
$STANDARD_INFORMATION vs $FILE_NAME: timestomping tools modify only $SI; $FN can only be changed by the kernel. If $SI Created < $FN Created, that is a strong indication of timestomping.
Tools: MFTECmd.exe -f "$MFT" --csv output, vssadmin list shadows, dir /r file.txt (ADS), Get-Item -Path file -Stream *
System Information
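Added example (not from the page): the $SI vs $FN comparison from the $MFT row, run over MFTECmd-style CSV rows. The rows are constructed, the Created0x10/Created0x30 column names are my assumption about MFTECmd's output, and the zero-sub-second check is an extra heuristic that goes beyond the page's $SI < $FN rule.

```python
import csv
import io
from datetime import datetime

# Constructed MFTECmd-style CSV (column names follow MFTECmd's output as I know it;
# adjust if your version differs). 0x10 = $STANDARD_INFORMATION, 0x30 = $FILE_NAME.
SAMPLE_CSV = """EntryNumber,ParentPath,FileName,Created0x10,Created0x30,LastModified0x10,LastModified0x30
41,.\\Windows\\System32,svchost.exe,2019-03-19 04:49:05.1234567,2019-03-19 04:49:05.1234567,2019-03-19 04:49:05.1234567,2019-03-19 04:49:05.1234567
9812,.\\Users\\jdoe\\AppData\\Local\\Temp,update.exe,2016-01-01 00:00:00.0000000,2024-05-14 13:22:41.8810021,2016-01-01 00:00:00.0000000,2024-05-14 13:22:41.8810021
"""


def parse_ts(value):
    """'YYYY-MM-DD HH:MM:SS.fffffff' -> (datetime, 100 ns ticks).

    strptime's %f accepts at most 6 digits, so the 7-digit NTFS fraction is split off.
    """
    base, _, frac = value.partition(".")
    return datetime.strptime(base, "%Y-%m-%d %H:%M:%S"), int(frac.ljust(7, "0"))


def find_timestomping(csv_text):
    """Flag MFT rows whose $SI timestamps look manipulated."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        si_created, fn_created = parse_ts(row["Created0x10"]), parse_ts(row["Created0x30"])
        si_modified = parse_ts(row["LastModified0x10"])
        reasons = []
        # The page's rule: $SI Created earlier than $FN Created.
        if si_created < fn_created:
            reasons.append("$SI Created precedes $FN Created")
        # Extra heuristic: tools that set whole-second times leave $SI with zero
        # sub-second ticks, while the kernel-written $FN keeps full 100 ns precision.
        if si_created[1] == 0 and si_modified[1] == 0 and fn_created[1] != 0:
            reasons.append("$SI sub-second ticks are zero, $FN is not")
        if reasons:
            findings.append({
                "entry": int(row["EntryNumber"]),
                "path": row["ParentPath"] + "\\" + row["FileName"],
                "si_created": si_created[0].isoformat(),
                "fn_created": fn_created[0].isoformat(),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_timestomping(SAMPLE_CSV):
        print(f["entry"], f["path"], "; ".join(f["reasons"]))
```

Confirm each hit against $UsnJrnl before calling it timestomping, in line with the triangulation principle at the top of the page.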
Baseline artifacts for building system context. Always collect these first.
| Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK |
|---|---|---|---|
| Last Shutdown Time | HKLM\SYSTEM\CurrentControlSet\Control\Windows\ShutdownTime | Last shutdown time; timeline correlation. | — |
| Computer Name | HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName | Hostname identity; validates the origin of evidence. | — |
| Time Zone | HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation | Time zone offset; must be checked before normalizing timestamps to UTC. | — |
| Windows Version | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | OS build/edition; validates patch level. | — |
| Network Interfaces | HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{interface} | Per-interface network configuration (IP, DHCP, DNS). | — |
| Defender Settings | HKLM\SOFTWARE\Microsoft\Windows Defender | Built-in AV status; check for suspicious exclusion paths. | T1562.001 |
| User Profiles | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\{SID} | List of user profiles (SID + path); detects new accounts. | T1136.001 |
User Activity & MRU (Most Recently Used)
Traces of user interaction with files, folders and programs; crucial for proving user knowledge and intent.
| Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK |
|---|---|---|---|
| LastVisitedMRU | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPIDlMRU | Last application used to save/open a file, with its directory. | — |
| OpenSavePidlMRU | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU | Files opened/saved via the Common Dialog, including files since deleted. | — |
| ShellBags | USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags | Strongest artifact for proving a folder was opened, including on removable/network drives. | — |
| RecentDocs | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs | Files recently opened via Explorer, per extension. | — |
| USB Devices | SYSTEM\CurrentControlSet\Enum\USBSTOR | USB storage history: vendor, serial number, first/last connected. | T1052.001 |
| UserAssist | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist | GUI programs run via Explorer: run count & last execution. Value names are ROT13-encoded. | T1204.002 |
| Typed URLs | NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs | URLs typed manually into the browser address bar. | — |
| RunMRU | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU | Commands entered in the Run dialog (Win+R). | T1059.003 |
| RecentApps | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps | Recently launched applications + arguments. | — |
| FeatureUsage AppSwitched | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched | Execution artifact from taskbar app switching. | — |
| Office MRU | NTUSER.DAT\Software\Microsoft\Office\<ver>.0\Word\File MRU | Per-application Office file history (Word, Excel, PowerPoint). | T1566.001 |
| Trusted Documents | NTUSER.DAT\Software\Microsoft\Office\<ver>.0\Word\Security\Trusted Documents\TrustRecords | Documents the user trusted (macros allowed to run). | T1204.002 |
| Jump List Files | %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\ and CustomDestinations\ | Per-application file history (taskbar pinned): app ID + timestamp. | — |
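Added example (not from the page): decoding one UserAssist value as stored under the key in the table above, using the Win7+ 72-byte record layout. The value name and packed record are constructed, and the known-folder GUID map is a subset I assume (System32 and Program Files).

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# UserAssist values live under ...\Explorer\UserAssist\{GUID}\Count. Value names are
# ROT13-encoded and usually start with a known-folder GUID; this map is a subset.
KNOWN_FOLDERS = {
    "1AC14E77-02E7-4E5D-B744-2EB1AE5198B7": r"C:\Windows\System32",
    "905E63B6-C1BF-494E-B29C-65B732D3D21A": r"C:\Program Files",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_userassist(value_name, raw):
    """Decode one UserAssist value in the Win7+ 72-byte layout.

    Offset 4: run count (uint32); offset 60: last execution FILETIME (uint64).
    XP-era 16-byte values use a different layout and are rejected here.
    """
    if len(raw) < 68:
        raise ValueError(f"unsupported UserAssist value length {len(raw)}")
    name = codecs.decode(value_name, "rot13")
    if name.startswith("{"):
        guid, _, rel = name[1:].partition("}\\")
        path = KNOWN_FOLDERS.get(guid.upper(), "{" + guid + "}") + "\\" + rel
    else:
        path = name
    run_count = struct.unpack_from("<I", raw, 4)[0]
    last_ft = struct.unpack_from("<Q", raw, 60)[0]
    return {
        "path": path,
        "run_count": run_count,
        "last_run": filetime_to_dt(last_ft) if last_ft else None,
    }


# Constructed sample: ROT13 of "{1AC14E77-...}\cmd.exe" plus a packed 72-byte record
# with run count 7 and a last-run time of 2024-05-14 13:22:41 UTC.
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"
SAMPLE_LAST_RUN = datetime(2024, 5, 14, 13, 22, 41, tzinfo=timezone.utc)
SAMPLE_RAW = struct.pack(
    "<IIII10fIQI", 0, 7, 3, 45000, *([0.0] * 10), 0,
    (SAMPLE_LAST_RUN - FILETIME_EPOCH) // timedelta(microseconds=1) * 10, 0,
)

if __name__ == "__main__":
    print(decode_userassist(SAMPLE_NAME, SAMPLE_RAW))
```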
Persistence Mechanisms
Attacker/malware techniques for keeping execution alive across reboot/logon; the most frequently checked area in both hunting and active IR.
| Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK |
|---|---|---|---|
| Run Key (HKLM) | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | System-wide auto-start; the classic persistence target. | T1547.001 |
| RunOnce Key (HKLM) | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | Entry is deleted automatically after one execution. | T1547.001 |
| Run Key (HKCU) | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Per-user variant; RAT persistence without admin. | T1547.001 |
| RunOnce Key (HKCU) | HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce | Per-user RunOnce variant. | T1547.001 |
| IFEO | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | Check the Debugger value; the payload replaces the target executable. | T1546.012 |
| Sticky Keys Hijack | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | SYSTEM-level cmd.exe from the login screen. | T1546.008 |
| Utilman Hijack | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe | Alternative to the Sticky Keys hijack via Utilman. | T1546.008 |
| Winlogon Userinit | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit | Normal: userinit.exe, ; an additional path = hijacking. | T1547.004 |
| Winlogon Shell | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell | Normal: explorer.exe; replaced = shell hijack. | T1547.004 |
| BootExecute | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute | Executed by smss.exe in the earliest boot phase. | T1547.001 |
| User Shell Folders | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Redirects the Startup folder path to an attacker-controlled location. | T1547.001 |
| Startup Folder (All Users) | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup | Shortcuts/files here auto-run for all users. | T1547.001 |
| Startup Folder (Per-User) | C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup | Per-user version of the Startup folder. | T1547.001 |
| WMI Event Subscription | HKLM\SOFTWARE\Microsoft\WBEM | Payload auto-runs on an event trigger; no Run key needed. | T1546.003 |
| AppCertDLLs | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls | DLL loaded into every process that calls CreateProcess. | T1546.009 |
| AppInit_DLLs | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs | DLL loaded into every process that loads user32.dll. | T1546.010 |
| Scheduled Task (Registry) | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks | Task metadata in the registry; recovers deleted tasks. | T1053.005 |
| Scheduled Task (File) | C:\Windows\System32\Tasks | XML task definition files: Author, command, trigger. | T1053.005 |
| Windows Services | HKLM\SYSTEM\CurrentControlSet\Services | Root key of all services; random names = red flag. | T1543.003 |
| Service ImagePath Mod | HKLM\SYSTEM\CurrentControlSet\Services\<svcname>\ImagePath | Changing an existing service's ImagePath = privilege escalation. | T1574.011 |
| MSDTC / MTxOCI Hijack | HKLM\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLibPath | DLL hijacking via the MSDTC service. | T1574.001 |
| SharedDLLs | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs | DLL reference count manipulation. | T1574.001 |
| PATH Modification | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path | Attacker directory at the front of PATH = path interception. | T1574.007 |
| NetSh Helper DLL | HKLM\SOFTWARE\Microsoft\NetSh | DLL loaded every time netsh.exe runs. | T1546.007 |
| Context Menu Hijacking | HKCR\*\shellex\ContextMenuHandlers | COM shell extension invoked on file right-click. | T1546.015 |
| Silent Process Exit | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit | Runs a program when a process crashes/exits. | T1546.012 |
Credential Access & Privilege Escalation
Keys related to credential storage or access control; modifications here usually aim to steal credentials or raise privileges.
| Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK |
|---|---|---|---|
| LSA Configuration | HKLM\SYSTEM\CurrentControlSet\Control\Lsa | Local Security Authority configuration; Mimikatz target. | T1003.004 T1003.001 |
| LimitBlankPasswordUse | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse | Value 0 = blank-password accounts can log on remotely (default: 1). | T1078.003 |
| EnableLUA (UAC) | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Value 0 = UAC fully disabled. | T1548.002 |
| Service Weak Permissions | HKLM\SYSTEM\CurrentControlSet\Services\<svcname> | Overly permissive ACL = attacker changes ImagePath. | T1574.011 |
Defense Evasion & Anti-Forensics
Indicators that an attacker is trying to evade detection or erase traces.
| Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK |
|---|---|---|---|
| AV RTP Disable | HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection | Real-time protection disabled; check DisableRealtimeMonitoring. | T1562.001 |
| System Restore | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore | Disabling System Restore = victim cannot roll back. | T1490 |
| Audit Policy Tampering | HKLM\Security\Policy\PolAdEv | Binary audit-policy configuration value can be silently disabled. | T1562.002 |
| Security Log Size | HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security (MaxSize & Retention) | Reduced MaxSize = logs overwritten quickly. | T1070.001 |
| Event Log Config | HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security | Retention/overwrite policy configuration. | T1070.001 |
| CLSID Hijack | HKCU\Software\Classes\clsid | Overwriting a legitimate component's CLSID = fileless execution. | T1546.015 |
| Malware Config | HKCU\Software\<Malware Name>\Settings | Malware stores C2 and campaign ID in a custom registry key. | — |
| Uninstall List | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | Installed software list; used by attackers for AV/EDR recon. | T1518.001 |
| MuiCache | HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | Friendly names of applications that have run. | — |
| SRP/AppLocker | HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Rule modification to whitelist a payload. | T1562.001 |
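Added example (not from the page) covering the Winlogon, IFEO, UAC, LimitBlankPasswordUse and Defender rows of the persistence, credential-access and defense-evasion tables above: a small .reg export parser plus baseline checks that turn those rows into findings. The .reg text is constructed sample input; the expected-value baselines are taken from the tables.

```python
import re

# Constructed .reg export used as input for the checks (sample data, not a real system).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\svc.exe"
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000001
"""

HKLM = "HKEY_LOCAL_MACHINE\\"
WINLOGON = HKLM + r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IFEO = HKLM + r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# (key, value name, value that indicates tampering, description) from the tables above.
VALUE_CHECKS = [
    (HKLM + r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA", 0, "UAC disabled"),
    (HKLM + r"SYSTEM\CurrentControlSet\Control\Lsa",
     "LimitBlankPasswordUse", 0, "blank-password accounts may log on remotely"),
    (HKLM + r"SOFTWARE\Microsoft\Windows Defender\Real-Time Protection",
     "DisableRealtimeMonitoring", 1, "Defender real-time protection disabled"),
]
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')


def parse_reg(text):
    """Parse a .reg export into {key (lowercased): {value name: str | int}}; REG_SZ and DWORD only."""
    hives, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            hives.setdefault(key, {})
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                hives[key][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif data.lower().startswith("dword:"):
                hives[key][name] = int(data[6:], 16)
    return hives


def audit(hives):
    """Return findings for the Winlogon, IFEO, UAC, LSA and Defender rows in the tables above."""
    findings = []
    wl = hives.get(WINLOGON.lower(), {})
    if "Userinit" in wl:
        parts = [p.strip() for p in wl["Userinit"].split(",") if p.strip()]
        if len(parts) != 1 or not parts[0].lower().endswith("\\userinit.exe"):
            findings.append(f"Winlogon Userinit modified: {wl['Userinit']!r}")
    if wl.get("Shell", "explorer.exe").lower() != "explorer.exe":
        findings.append(f"Winlogon Shell modified: {wl['Shell']!r}")
    for key, values in hives.items():
        if key.startswith(IFEO.lower() + "\\") and "Debugger" in values:
            target = key.rsplit("\\", 1)[-1]
            findings.append(f"IFEO Debugger set on {target}: {values['Debugger']!r}")
    for key, name, bad, desc in VALUE_CHECKS:
        if hives.get(key.lower(), {}).get(name) == bad:
            findings.append(f"{desc} ({name}={bad})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```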
Lateral Movement & Network Artifacts
Connectivity traces and lateral-movement preparation; maps the attacker's reach.
| Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK |
|---|---|---|---|
| Firewall Domain Profile | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile | Firewall rule changes enabling lateral movement. | T1562.004 |
| Network Shares | HKCU\Network | Network drives that have been mapped. | T1021.002 |
| Network List Profiles | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles | Network profile history (SSID/LAN, first/last connected). | — |
| WLAN Profiles | HKLM\SOFTWARE\Microsoft\Wlansvc\Profiles | Wi-Fi profile details; correlates physical location. | — |
| RDP Connection History | HKCU\Software\Microsoft\Terminal Server Client\Servers | Hostnames/IPs accessed via RDP. | T1021.001 |
| RDP Default | HKCU\Software\Microsoft\Terminal Server Client\Default | Additional IP/host of the last RDP session. | T1021.001 |
| PuTTY SSH Keys | HKCU\Software\SimonTatham\PuTTY\SshHostKeys | SSH host keys of servers that have been accessed. | T1021.004 |
| Firewall Log | %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log | Built-in firewall log (if enabled). | — |
Execution Artifacts
Artifacts proving that a program actually executed; triangulating several sources is stronger.
| Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK |
|---|---|---|---|
| BAM | HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings | Full path + execution timestamp per user SID (Win10 1709+). | — |
| Shimcache | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache | Executable metadata (path, size, timestamp). Does not always mean it ran successfully. | — |
| AmCache | C:\Windows\AppCompat\Programs\Amcache.hve | Detailed metadata including SHA1 hash. | — |
| Prefetch | C:\Windows\Prefetch\*.pf | File name, run count, last 8 execution times (Win8+), loaded DLLs. | — |
| LNK Files | C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent | Automatic shortcuts: target metadata, drive MAC address, volume serial. | — |
| SRUM | C:\Windows\System32\sru\SRUDB.dat | Network/CPU usage per application per hour, including uninstalled ones. | — |
| WMI Repository | C:\Windows\System32\wbem\Repository\OBJECTS.DATA | WMI consumer/filter database; confirms WMI persistence. | T1546.003 |
Tools: PECmd.exe (Prefetch), AmcacheParser.exe, AppCompatCacheParser.exe, LECmd.exe (LNK), SrumECmd.exe
Browser & Internet Artifacts
Web activity traces from modern browsers (Chrome, Edge Chromium, Firefox) and legacy ones (IE).
| Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK |
|---|---|---|---|
| Chrome History | %LocalAppData%\Google\Chrome\User Data\Default\History | SQLite DB: URL, title, visit count, timestamp. | — |
| Chrome Downloads | %LocalAppData%\Google\Chrome\User Data\Default\History (downloads table) | Source URL, local path, size, timestamp. | — |
| Chrome Login Data | %LocalAppData%\Google\Chrome\User Data\Default\Login Data | Saved credentials (encrypted); credential harvesting target. | T1555.003 |
| Chrome Cookies | %LocalAppData%\Google\Chrome\User Data\Default\Cookies | Session cookies; pass-the-cookie. | T1539 |
| Chrome Extensions | %LocalAppData%\Google\Chrome\User Data\Default\Extensions\ | Extensions can be an initial access vector or a keylogger. | T1176 |
| Edge Chromium | %LocalAppData%\Microsoft\Edge\User Data\Default\ | Nearly identical structure to Chrome (History, Login Data, Cookies). | — |
| Firefox Places | %AppData%\Mozilla\Firefox\Profiles\<profile>\places.sqlite | SQLite: browsing history + bookmarks. | — |
| Firefox Logins | %AppData%\Mozilla\Firefox\Profiles\<profile>\logins.json + key4.db | Firefox saved credentials. | T1555.003 |
| Zone Map Domains | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains | Domains in the Trusted zone = lower security. | T1112 |
| Search History | HKCU\Software\Microsoft\Windows\CurrentVersion\Search\Flighting | Windows Search/Cortana search history. | — |
Tools: Hindsight (Chrome/Edge), BrowsingHistoryView (NirSoft), DB Browser for SQLite
Cloud, Office & Email Artifacts
Cloud sync, Office documents and email; relevant to data exfiltration, BEC, and initial access via macros.
| Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK |
|---|---|---|---|
| Cloud Storage | HKCU\Software\Microsoft\Windows\CurrentVersion\CloudStorage\Providers | Cloud sync providers (OneDrive, Dropbox, GDrive); check the sync folder. | T1567.002 |
| Outlook OST/PST | C:\Users\<user>\AppData\Local\Microsoft\Outlook\*.ost and *.pst | Local Outlook email database; crucial for BEC/phishing investigations. | T1114.001 |
| Trusted Documents | NTUSER.DAT\Software\Microsoft\Office\<ver>.0\Word\Security\Trusted Documents\TrustRecords | Documents the user trusted (macros allowed). | T1204.002 |
| Office MRU | NTUSER.DAT\Software\Microsoft\Office\<ver>.0\Word\File MRU | Per-application Office file history. | T1566.001 |
Memory Forensics
RAM analysis; reveals running processes, active connections, injected code, and plaintext credentials that never touch disk.
| Source | Location | Explanation | MITRE |
|---|---|---|---|
| Live RAM Dump | Acquired via WinPmem, DumpIt, Magnet RAM Capture | Direct RAM snapshot; must be acquired before power off. | — |
| hiberfil.sys | C:\hiberfil.sys | RAM snapshot taken at hibernation; can be parsed even after a reboot. | — |
| pagefile.sys | C:\pagefile.sys | Paging file; password fragments, encryption keys. | — |
| swapfile.sys | C:\swapfile.sys | UWP paging file (Windows 8+). | — |
| Crash Dumps | C:\Windows\MEMORY.DMP or C:\Windows\Minidump\ | Memory dump written on BSOD. | — |
| WER Crash Dumps | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\ | Memory dump of a process that crashed because of an exploit. | — |
- Process List & Process Tree: all processes, including those hidden from Task Manager
- Network Connections: active connections and listening ports (including C2 sessions that have already terminated)
- Injected Code Detection: DLL injection, process hollowing, reflective loading
- Command Line Arguments: the command line of every process
- Loaded DLLs & Drivers: including kernel-mode rootkits
- Registry Hives in Memory: the latest version, not yet flushed to disk
- Credential Extraction: plaintext passwords, Kerberos tickets, NTLM hashes from LSASS
- Clipboard Content: data the user copied
- Encryption Keys: BitLocker, TrueCrypt, VeraCrypt keys in memory
Tools: vol.py -f mem.dmp windows.pslist, vol.py windows.netscan, vol.py windows.malfind, vol.py windows.hashdump, MemProcFS
File-Based Artifacts (Non-Registry)
Artifacts outside the registry that remain crucial, including data sources that are often missed.
| Artifact | Registry / File Path | Explanation & Forensic Value | MITRE ATT&CK |
|---|---|---|---|
| User Temp | C:\Users\<user>\AppData\Local\Temp\ | Payload/dropper staging before execution. | T1074.001 |
| Windows Temp | C:\Windows\Temp\ | Malware staging in the SYSTEM/service context. | T1074.001 |
| Recycle Bin | $Recycle.Bin\<SID>\ | Deleted files + original name and deletion time ($I metadata). | T1070.004 |
| Print Spool | C:\Windows\System32\spool\PRINTERS\ | Remnants of printed documents; insider threat. | — |
| PowerShell History | C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt | Interactive PowerShell command history. | T1059.001 |
| PowerShell Transcripts | Custom location via GPO (default: C:\PSTranscripts\) | Full PowerShell session transcript including output. | T1059.001 |
| Thumbcache | C:\Users\<user>\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db | Image/document thumbnails; proves a file existed even if it was deleted. | — |
| Windows.edb | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb | Windows Search index; metadata of files since deleted. | — |
| ETW Traces | C:\Windows\System32\LogFiles\WMI\ | Event Tracing telemetry outside the Event Log. | — |
| Group Policy | C:\Windows\System32\GroupPolicy\ | Local GPO; attackers can disable security settings here. | — |
DFIR Methodology & Workflow
Knowing what to check is not enough; you also need to know the order and the priorities.
Acquire data from most volatile to most persistent. Do not power off the machine before collecting volatile data!
| No | Data | Acquisition Method | Volatility |
|---|---|---|---|
| 1 | CPU Registers, Cache, RAM | WinPmem, DumpIt, Magnet RAM Capture | Seconds; lost at power off |
| 2 | Network Connections & Routing | netstat -anob, arp -a, ipconfig /all | Seconds |
| 3 | Running Processes & Services | tasklist /v, Get-Process, sc query | Seconds |
| 4 | Open Files & Registry in Memory | handle.exe, memory dump | Minutes |
| 5 | Disk (File System, Registry, Event Log) | FTK Imager, dd, KAPE | Persistent |
| 6 | Physical Media & Backup | Full imaging, backup restore | Very persistent |
The relevant artifacts differ by incident type:
1. Event Log: Security 4624/4625, System 7045
2. Persistence: Run keys, Services, Scheduled Tasks
3. Execution: Prefetch, AmCache, BAM
4. Anti-Forensics: System Restore, VSS deletion, Event 1102/104
5. Lateral Movement: RDP history, Network connections
6. File System: $MFT/$UsnJrnl (encryption timeline)

1. Network: RDP history, PuTTY SSH, Network shares, Firewall
2. Event Log: Security 4624 Type 3/10, TerminalServices 21/1149
3. Credentials: LSA, SAM/SECURITY hive, LSASS memory
4. Execution: Shimcache + AmCache + Prefetch (triangulation)
5. Persistence: Services, WMI, Scheduled Tasks, IFEO
6. Memory: Process list, network connections, injected code

1. Email: Outlook OST/PST, headers, attachment metadata
2. Browser: Chrome/Edge History + Downloads
3. User Activity: Office MRU, Trusted Documents
4. Execution: Prefetch (was the payload executed?), UserAssist
5. File System: Zone.Identifier (MotW), Temp folders
6. Persistence: Run keys, Scheduled Tasks

1. User Activity: RecentDocs, ShellBags, USB, Jump Lists
2. Cloud/Exfil: Cloud Storage, browser uploads, Network shares
3. File System: $MFT/$UsnJrnl (copy/move/delete timeline)
4. Browser: Download history, search, webmail
5. Print Spool: printed documents
6. Recycle Bin: files the user tried to delete
1. KAPE --tsource C: --tdest output --target !SANS_Triage (Collect)
2. log2timeline.py timeline.plaso image.E01 (Parse)
3. psort.py -w timeline.csv timeline.plaso (Sort)
4. Timeline Explorer (visual analysis)
5. Filter by the incident timeframe
Tooling Reference
Recommended tools per category; most are free and open-source.
| Category | Tool | Purpose |
|---|---|---|
| Collection | KAPE (Kroll) | Automated artifact collection & processing |
| Collection | Velociraptor | Endpoint forensic agent + hunting |
| Registry | Registry Explorer (EZ) | GUI registry hive viewer + transaction log replay |
| Registry | RegRipper | Automated registry extraction via plugins |
| Registry | RECmd (EZ) | CLI registry search & batch processing |
| File System | MFTECmd (EZ) | Parse $MFT, $UsnJrnl, $LogFile, $Boot |
| File System | Autopsy / FTK Imager | Disk imaging & file system analysis |
| Execution | PECmd (EZ) | Prefetch parser |
| Execution | AmcacheParser (EZ) | Amcache.hve parser |
| Execution | AppCompatCacheParser (EZ) | Shimcache parser |
| Execution | SrumECmd (EZ) | SRUM database parser |
| Event Logs | EvtxECmd (EZ) | EVTX parser to CSV/JSON |
| Event Logs | Chainsaw | Sigma rule-based EVTX hunting |
| Event Logs | Hayabusa | Fast forensics & threat hunting |
| LNK/JumpList | LECmd / JLECmd (EZ) | LNK file & Jump List parser |
| Browser | Hindsight | Chrome/Edge Chromium forensic parser |
| Browser | BrowsingHistoryView | Multi-browser viewer (NirSoft) |
| Memory | Volatility 3 | Memory forensics framework |
| Memory | MemProcFS | Mount memory dump as virtual FS |
| Memory | WinPmem / DumpIt | Live RAM acquisition |
| Timeline | Plaso / log2timeline | Super timeline generator |
| Timeline | Timeline Explorer (EZ) | GUI timeline CSV viewer |
(EZ) = Eric Zimmerman's Tools — https://ericzimmerman.github.io
- SANS Windows Forensic Analysis Poster
- Eric Zimmerman's Tools: https://ericzimmerman.github.io
- MITRE ATT&CK®: https://attack.mitre.org
- 13Cubed YouTube DFIR Series
- Magnet Forensics Artifact Reference
