I am pleased to announce the latest update to the SANS Institute’s FOR500: Windows Forensic Analysis course!
This update focused on testing and documenting significant changes across the Windows ecosystem. Cloud storage applications continue to feature in many forensic investigations, from insider theft to external threats that use them to move malware into the network and sensitive data out. Microsoft OneDrive databases have changed significantly, with Microsoft moving from a home-grown database format to a more forensic-friendly SQLite database. Microsoft has also standardized more artifacts between the personal and business editions, resulting in changes like the switch of hash algorithm from SHA1 to the quickXorHash format common in SharePoint and OneDrive for Business. While our analysis techniques must be amended, the new database still offers massive insight into the cloud storage contents.
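Because the hash recorded in the OneDrive sync database is now a quickXorHash rather than SHA1, an examiner who wants to confirm that a recovered local file is the same object the cloud metadata describes needs a way to compute it. The following is an added example, not code from the course or from Microsoft: a pure-Python quickXorHash that assumes the algorithm Microsoft publishes for OneDrive (a 160-bit XOR accumulator, each successive input byte placed 11 bits further along with wrap-around, and the 64-bit little-endian input length XORed into the last 8 bytes). The base64 form is what OneDrive and SharePoint store.

```python
"""Added example (not from FOR500 or Microsoft): quickXorHash in pure Python,
for verifying a local file against the hash recorded in a OneDrive sync database.

Assumption: the algorithm is the one Microsoft documents for OneDrive:
160-bit XOR accumulator, 11-bit stride per byte with wrap-around, and the
little-endian int64 length XORed into the final 8 bytes; stored as base64.
"""
import base64

_WIDTH = 160                  # hash width in bits (20 bytes)
_SHIFT = 11                   # each input byte lands 11 bits further along
_MASK = (1 << _WIDTH) - 1


class QuickXorHash:
    """hashlib-style streaming interface: update() chunks, then digest()."""

    def __init__(self) -> None:
        self._acc = 0          # the 160-bit accumulator as a Python int
        self._length = 0       # bytes absorbed so far

    def update(self, data: bytes) -> None:
        for byte in data:
            pos = (self._length * _SHIFT) % _WIDTH
            v = byte << pos
            # bits pushed past position 159 wrap around to the low end
            self._acc ^= (v & _MASK) | (v >> _WIDTH)
            self._length += 1

    def digest(self) -> bytes:
        out = bytearray(self._acc.to_bytes(_WIDTH // 8, "little"))
        # the total length, as a little-endian int64, is XORed into bytes 12..19
        for k, lb in enumerate(self._length.to_bytes(8, "little")):
            out[12 + k] ^= lb
        return bytes(out)

    def hexdigest(self) -> str:
        return self.digest().hex()

    def b64digest(self) -> str:
        """The base64 form in which OneDrive/SharePoint record the hash."""
        return base64.b64encode(self.digest()).decode("ascii")


def quickxorhash(data: bytes) -> bytes:
    """Convenience wrapper: hash a complete byte string."""
    h = QuickXorHash()
    h.update(data)
    return h.digest()


def quickxorhash_b64(data: bytes) -> str:
    h = QuickXorHash()
    h.update(data)
    return h.b64digest()


def verify_file(path: str, recorded_b64: str) -> bool:
    """Hash a local file in chunks and compare with the database value."""
    h = QuickXorHash()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.b64digest() == recorded_b64


if __name__ == "__main__":
    # constructed input; compare the output with the value in the sync database
    print(quickxorhash_b64(b"Hello"))
```

The wrap-around matters only for inputs of 15 bytes or more (byte 14 lands at bit 154 and spills past bit 159), so any test of an implementation should include an input longer than that; the streaming form also means a multi-gigabyte sync folder can be verified without reading each file into memory.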
Google Drive has added new databases, including one containing a historical list of removable devices previously present on the system. New research is providing interesting opportunities to mine existing Google Drive databases for even more information like MD5 hashes of both local and cloud-only files.
Research into the Windows Search Index Database has increased, and for good reason. It can track up to a million items, each recording extensive metadata including full or partial file contents and artifacts like timestamps and photo EXIF data holding GPS coordinates. Interestingly, Windows 11 changed the database format, requiring new parsers but ultimately making in-depth reporting easier. It is hard to imagine a forensic investigation where the Windows Search Index data could not be relevant. As an example, here is a small sample of the over 600 types of metadata that can be present:
Web Storage
Web browsers continue to host a wealth of forensic information, profiling user actions across internet sites, web applications, and internal company applications like SharePoint, OneDrive, and Teams. They also continue to be moving targets with rapid release schedules and new artifacts being added while older databases and artifacts are deprecated.
A big push of this course update was to build capabilities to explore the "Web Storage" capabilities of modern browsers. Operating behind the scenes, Web Storage is now keeping more local data than browser caches. To give an idea of the possible scale, Google Chrome and Microsoft Edge each allow up to 60% of the hard drive to be used for storage per website domain! While that maximum is not being used today, gigabytes of data are going unanalyzed due to a lack of tools and processes to interact with these difficult data sources.
Similarly, many desktop applications are being built on top of the Chromium browser using the Electron/WebView2 framework, including nearly every major chat client on the market. Each application can use similar Chromium Web Storage databases to keep its own massive set of data, and these databases go largely unexplored by many mainstream forensic tools. SANS FOR500 brings students up to the state of the art in understanding these data sources and provides the techniques necessary to leverage them in their own investigations.
Finally, as Microsoft continues to push Windows Apps and move mainstay applications into that sandboxed format, unexpected artifacts like Windows 11 Notepad history are emerging, and examiners need to look in new evidence locations, such as the new dedicated registry hives. More attention to the analysis of these Universal Windows Platform applications was added to the course.
Email holds the key to so many important investigations, as it is a primary communication source used by nearly everyone. Business Email Compromise (BEC) attacks also remain a significant threat. The FBI has reported over $50 billion in losses due to BEC in the years 2013-2022.
From humble beginnings, email has become ever more complicated, both in the technologies used and in the sheer number of locations it can be found: clients, servers, webmail, and mobile devices. A big thrust of this course update was bringing our email forensics section up to the state of the art, arming students with more insight into the wealth of information present in email headers, including a focus on email authenticity taking advantage of technologies like SPF, DKIM, ARC, and DMARC.
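Much of what the headers reveal about authenticity is summarized in the Authentication-Results header (RFC 8601) that the receiving mail server stamps on a message. As an added example, not code from the course or from any tool it uses, the script below extracts the SPF, DKIM, DMARC and ARC verdicts from that header, recovers the connecting IP from the first Received header, and checks whether the authenticated domains align with the visible From: domain, which is the question DMARC actually answers and the one that matters in a BEC case. The sample message, its domains and its IP address are constructed for this example; strict alignment is assumed (relaxed mode would also accept subdomains).

```python
"""Added example (not from FOR500): read sender-authentication verdicts from an
email's Authentication-Results header and check DMARC-style domain alignment.

Assumptions: the message is raw RFC 5322 text and the receiving server added an
Authentication-Results header (RFC 8601). The sample below is constructed:
SPF passes for the envelope (MAIL FROM) domain, but that domain is not the
From: domain, and the DKIM signature for the From: domain failed.
"""
import re
from email import message_from_bytes
from email.utils import parseaddr

SAMPLE_EML = b"""\
Authentication-Results: mx.receiver.example;
 spf=pass (sender IP is 203.0.113.25) smtp.mailfrom=relay.sender.example;
 dkim=fail (signature did not verify) header.d=corp.example;
 dmarc=fail (p=reject) header.from=corp.example;
 arc=none
Received: from relay.sender.example ([203.0.113.25])
 by mx.receiver.example with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
From: "Finance" <finance@corp.example>
To: payables@corp.example
Subject: Invoice 1234
Message-ID: <constructed-0001@relay.sender.example>

Please see the attached invoice.
"""

METHOD_RE = re.compile(r"\b(spf|dkim|dmarc|arc)=([a-z]+)", re.I)
PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([\w.\-@]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _domain(value: str) -> str:
    """Lower-cased domain part of an address, or the bare domain itself."""
    return value.rpartition("@")[2].lower()


def parse_auth_results(msg):
    """Return ({method: result}, {property: domain}) from all A-R headers.

    The first header wins for each key; the topmost A-R header was added by
    the last receiving server, which is the one the examiner trusts most."""
    results, props = {}, {}
    for raw in msg.get_all("Authentication-Results", []):
        text = re.sub(r"\s+", " ", raw)           # unfold continuation lines
        for method, result in METHOD_RE.findall(text):
            results.setdefault(method.lower(), result.lower())
        for prop, value in PROP_RE.findall(text):
            props.setdefault(prop.lower(), _domain(value))
    return results, props


def assess(raw: bytes) -> dict:
    """Summarize one message's authentication state for an examiner."""
    msg = message_from_bytes(raw)
    results, props = parse_auth_results(msg)
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    spf_domain = props.get("smtp.mailfrom", "")
    dkim_domain = props.get("header.d", "")
    received = msg.get_all("Received", [])
    hop = re.sub(r"\s+", " ", received[0]) if received else ""
    ip = IP_RE.search(hop)
    report = {
        "from_domain": from_domain,
        "source_ip": ip.group(1) if ip else None,
        "spf": results.get("spf", "none"),
        "dkim": results.get("dkim", "none"),
        "dmarc": results.get("dmarc", "none"),
        "arc": results.get("arc", "none"),
        # DMARC alignment: the domain that passed must be the From: domain
        "spf_aligned": spf_domain == from_domain and results.get("spf") == "pass",
        "dkim_aligned": dkim_domain == from_domain and results.get("dkim") == "pass",
    }
    report["authenticated"] = report["spf_aligned"] or report["dkim_aligned"]
    return report


if __name__ == "__main__":
    for key, value in assess(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

In practice the header chain must be read from the top down: only the Authentication-Results header written by your own mail server is trustworthy, since any earlier hop (or the sender) can insert a forged one, which is exactly the problem ARC was designed to address.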
Options to retrieve email were expanded, with important discussions about the differences between vendor web-based tools, API collection, and traditional IMAP collection. Knowing the differences and having the proper plan (and tool) in place is often what decides whether data will be available to prove or disprove an assertion.
Exchange, Microsoft 365, Microsoft Purview, Google Workspace, and Google Vault are all covered in-depth, including their underutilized logging functions. We are also excited to introduce Metaspike Forensic Email Intelligence into the course, providing impressive capabilities for deep-dive analysis into email headers and email archives.
Summing Up the Update
The latest FOR500 update increases the capabilities of investigators across a wide range of forensic artifacts. Nearly every hands-on lab was improved. Many lab updates were required to take advantage of the latest tool updates, and a new course virtual machine includes the latest versions of the best tools available for the job. A new email lab was included to put the upgraded course material into practice.
Similarly, additional exercises were added for the Windows Search Index and Web Storage analysis, including finding artifacts like Slack messages in web browser databases. As always, the goal of the update was to ensure students walk away with the latest knowledge, tools, and techniques to make them exemplary forensic examiners and leaders in the field.
In today's threat environment, having this skillset on the team is a requirement to support the entire spectrum of computer crimes, including fraud, insider threats, employee misuse, industrial espionage, ransomware, and computer intrusion investigations.
You can find a flyer covering many of the latest updates here.
Chad Tilbury has spent over twenty years conducting computer crime investigations ranging from hacking to espionage to multimillion-dollar fraud cases. He is a SANS Institute Fellow and co-author of FOR500 Windows Forensic Analysis and FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics. Find him on Twitter @chadtilbury.