windows::forensics

forensics windows registry · artifacts
01 Key Artifact Locations
Where to look first
Artifact | Path | Evidence
Registry hives | C:\Windows\System32\config\SAM, SYSTEM, SOFTWARE, SECURITY | Users, software, configs
User registry | C:\Users\<user>\NTUSER.DAT | User activity, recent docs, typed URLs
Prefetch | C:\Windows\Prefetch\*.pf | Programs executed (name + timestamp)
Event logs | C:\Windows\System32\winevt\Logs\*.evtx | Logins, process creation, network
Amcache | C:\Windows\AppCompat\Programs\Amcache.hve | Executed programs + SHA1 hash
Shimcache | SYSTEM hive → CurrentControlSet\Control\Session Manager\AppCompatCache | Program execution evidence
LNK files | C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\ | Recently opened files
Jump lists | C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\ | Recently used files per app
Browser history | C:\Users\<user>\AppData\Local\<browser>\User Data\Default\ | Visited URLs, downloads
MFT | C:\$MFT (hidden) | Metadata for every file on the volume (deleted entries persist until the record is reused)
$LogFile | C:\$LogFile (NTFS journal) | Recent filesystem changes
Recycle Bin | C:\$Recycle.Bin\<SID>\ | Deleted files
Volume Shadow | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy* | Previous file versions
Pagefile / Hiberfil | C:\pagefile.sys, C:\hiberfil.sys | Memory artifacts, cleartext strings
02 Registry Forensics
Parse registry hives
# regripper (parse offline hives)
# https://github.com/keydet89/RegRipper3.0
rip.pl -r NTUSER.DAT -f ntuser     # run all ntuser plugins
rip.pl -r SOFTWARE -f software
rip.pl -r SAM -f sam               # user accounts
rip.pl -r SYSTEM -f system

# List available plugins
rip.pl -l

# python-registry (Python)
pip install python-registry
python3 -c "
from Registry import Registry
reg = Registry.Registry('NTUSER.DAT')
key = reg.open('Software\\Microsoft\\Windows\\CurrentVersion\\Run')
for v in key.values():
    print(v.name(), v.value())
"
Key registry locations
Key | Evidence
NTUSER\Software\Microsoft\Windows\CurrentVersion\Run | User autorun
SOFTWARE\Microsoft\Windows\CurrentVersion\Run | System autorun
NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs | Recent documents
NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths | Typed URLs/paths
NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist | GUI programs run (ROT13 encoded)
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList | User profiles + SIDs
SYSTEM\CurrentControlSet\Services | Installed services (persistence)
SAM\Domains\Account\Users | Local user accounts + hashes
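The ROT13 decoding and binary layout behind the UserAssist row above, as an added example that is not part of this page's own commands. It assumes the value name and raw bytes come from the Count subkeys under UserAssist\{GUID}\ (for instance python-registry's v.name() and v.value()); the sample entry is constructed inline, and real names are often prefixed with a known-folder GUID rather than a drive letter.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)

def decode_name(name):
    """Undo the ROT13 Explorer applies to every UserAssist value name."""
    return codecs.decode(name, 'rot_13')

def parse_userassist(name, data):
    """Return (decoded path, run count, last run as UTC datetime or None).

    Windows 7+ values are 72 bytes: run count at offset 4, last run FILETIME at 60.
    XP/Vista values are 16 bytes: count at 4 (starts at 5, so subtract 5), FILETIME at 8.
    """
    path = decode_name(name)
    if len(data) >= 72:
        count = struct.unpack_from('<I', data, 4)[0]
        ft = struct.unpack_from('<Q', data, 60)[0]
    elif len(data) >= 16:
        count = max(struct.unpack_from('<I', data, 4)[0] - 5, 0)
        ft = struct.unpack_from('<Q', data, 8)[0]
    else:
        return path, 0, None
    return path, count, filetime_to_dt(ft) if ft else None

# Constructed sample entry (not from a real hive): notepad.exe, run 3 times, last on 2024-01-01 00:00 UTC.
SAMPLE_NAME = codecs.encode(r'C:\Windows\System32\notepad.exe', 'rot_13')
SAMPLE_FT = int((datetime(2024, 1, 1, tzinfo=timezone.utc) - WIN_EPOCH).total_seconds()) * 10_000_000
SAMPLE_DATA = bytearray(72)
struct.pack_into('<I', SAMPLE_DATA, 4, 3)
struct.pack_into('<Q', SAMPLE_DATA, 60, SAMPLE_FT)

if __name__ == '__main__':
    path, count, last = parse_userassist(SAMPLE_NAME, bytes(SAMPLE_DATA))
    print(path, 'runs=%d' % count, 'last=%s' % last.isoformat())
```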
03 Prefetch & Execution
Parse prefetch files
# prefetch files: C:\Windows\Prefetch\*.pf
# Name format: PROGRAM.EXE-XXXXXXXX.pf (hash derived from the executable's path)
# Contains: run count, last run time (last 8 run times on Windows 8 and later), files/directories accessed
# Windows 10+ .pf files are MAM-compressed; the tools below decompress them for you

# PECmd (Eric Zimmerman tools)
# https://github.com/EricZimmerman/PECmd
PECmd.exe -f MALWARE.EXE-12345678.pf
PECmd.exe -d C:\Windows\Prefetch --csv out --csvf prefetch_out.csv   # --csv takes an output directory

# On Linux (offline analysis)
pip install prefetch-parser
python3 -m prefetch MALWARE.EXE-12345678.pf

# Volatility prefetch plugin
vol -f memory.dmp windows.prefetch

# Key questions:
# Was this program ever run?
# When was it last run?
# How many times?
# What files did it access?
Amcache & Shimcache
# Amcache: C:\Windows\AppCompat\Programs\Amcache.hve
# Contains: SHA1 of executed files, install time
# Even records programs run from USB/network

# AmcacheParser (Zimmerman)
AmcacheParser.exe -f Amcache.hve --csv out --csvf amcache_out.csv   # --csv takes an output directory

# Python (python-registry)
python3 -c "
from Registry import Registry
reg = Registry.Registry('Amcache.hve')
# Pre-1709 layout: Root\File\<volume GUID>\<entry> with value FullPath
# Windows 10 1709+: Root\InventoryApplicationFile\<entry> with value LowerCaseLongPath
def walk(key, depth):
    if depth == 0:
        yield key
    else:
        for sk in key.subkeys(): yield from walk(sk, depth - 1)
for root, depth, name in (('Root\\File', 2, 'FullPath'), ('Root\\InventoryApplicationFile', 1, 'LowerCaseLongPath')):
    try: entries = walk(reg.open(root), depth)
    except Registry.RegistryKeyNotFoundException: continue
    for e in entries:
        try: print(e.value(name).value())
        except Exception: pass        # entry without a path value
"

# Shimcache: in SYSTEM hive
# AppCompatCache key → lists recently run executables
rip.pl -r SYSTEM -p appcompatcache
04 Event Logs
Key Event IDs
Event ID | Log | Meaning
4624 | Security | Successful logon
4625 | Security | Failed logon
4634/4647 | Security | Logoff
4648 | Security | Explicit credential logon (runas)
4688 | Security | Process creation (command line included only if "Include command line in process creation events" is enabled)
4698 | Security | Scheduled task created
4720/4726 | Security | User account created/deleted
7045 | System | New service installed
1 | Sysmon | Process created (detailed)
3 | Sysmon | Network connection
11 | Sysmon | File created
Parse .evtx files
# python-evtx (installs the evtx_dump.py script)
pip install python-evtx
evtx_dump.py Security.evtx | grep -A5 "EventID>4688"

# EvtxECmd (Zimmerman)
EvtxECmd.exe -f Security.evtx --csv out --csvf security_out.csv   # --csv takes an output directory

# Chainsaw (fast EVTX hunting)
# https://github.com/WithSecureLabs/chainsaw
chainsaw hunt . --sigma sigma_rules/ --mapping mapping.yml
chainsaw search -t 'Event.System.EventID: =4688' Security.evtx    # tau expression filter

# grep directly (records are dumped as XML)
evtx_dump.py Security.evtx \
    | grep -B2 -A10 "EventID>4624" \
    | grep -i "username\|computer\|logon"
05 NTFS Artifacts
$MFT parsing
# $MFT: Master File Table, one (typically 1024-byte) record with metadata for every file on the volume
# Extract with Autopsy, FTK, or:

# MFTECmd (Zimmerman)
MFTECmd.exe -f '$MFT' --csv out --csvf mft_out.csv   # --csv takes an output directory

# mft2csv (open source)
mft2csv -i '$MFT' -o mft_out.csv

# Sleuth Kit (from Linux)
icat disk.img 0 > mft.bin                  # inode 0 = $MFT
icat -o 2048 disk.img 0 > mft.bin          # add -o <sector offset> when disk.img is a whole disk, not a partition

# Key MFT timestamps: created, modified, MFT-modified, accessed, stored twice per file:
# $STANDARD_INFORMATION ($SI): what Explorer shows; settable via SetFileTime, so an attacker can change it
# $FILE_NAME ($FN): updated only by the kernel on create/rename/move, harder to change (anti-timestomping)
# Compare both: $SI earlier than $FN, or $SI with zeroed sub-second digits = possible timestomping
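The $SI versus $FN comparison above as working code, an added example that is not part of this page or of MFTECmd. It parses the resident attributes of a single MFT record, assumes the update-sequence fixup has already been applied (as MFTECmd does before you see the data), and checks a record that is constructed inline.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
STANDARD_INFORMATION, FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF

def filetime_to_dt(ft):
    return WIN_EPOCH + timedelta(microseconds=ft // 10)

def resident_attributes(record):                           # assumes fixups already applied
    off = struct.unpack_from('<H', record, 20)[0]          # first attribute offset
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from('<II', record, off)
        if atype == END_MARKER or alen < 24:
            break
        if record[off + 8] == 0:                           # non-resident flag clear
            clen, coff = struct.unpack_from('<IH', record, off + 16)
            yield atype, record[off + coff:off + coff + clen]
        off += alen

def mace(record):
    """Return ($SI, $FN) tuples of raw FILETIMEs: created, modified, MFT-modified, accessed."""
    si = fn = None
    for atype, body in resident_attributes(record):
        if atype == STANDARD_INFORMATION:
            si = struct.unpack_from('<4Q', body, 0)
        elif atype == FILE_NAME and fn is None:
            fn = struct.unpack_from('<4Q', body, 8)        # after the 8-byte parent reference
    return si, fn

def timestomp_indicators(record):
    si, fn = mace(record)
    hits = []
    if si[0] < fn[0]:
        hits.append('$SI created earlier than $FN created')
    if any(t % 10_000_000 == 0 for t in si):               # whole-second values: SetFileTime-style
        hits.append('$SI timestamp with zeroed sub-second part')
    return hits

# Constructed record (not from a real volume): file created 2024-03-01, $SI pushed back to 2019-01-01.
def _attr(atype, body):
    body = body.ljust((len(body) + 7) // 8 * 8, b'\0')
    return struct.pack('<IIBBHHHIHBB', atype, 24 + len(body), 0, 0, 0, 0, 0, len(body), 24, 0, 0) + body
def _ft(dt):
    return int((dt - WIN_EPOCH).total_seconds()) * 10_000_000
REAL, FAKE = _ft(datetime(2024, 3, 1, tzinfo=timezone.utc)) + 1234567, _ft(datetime(2019, 1, 1, tzinfo=timezone.utc))
_si = struct.pack('<4Q', FAKE, FAKE, FAKE, FAKE) + bytes(24)
_fn = bytes(8) + struct.pack('<4Q', REAL, REAL, REAL, REAL) + bytes(24) + bytes([8, 1]) + 'tool.exe'.encode('utf-16-le')
_hdr = (b'FILE' + struct.pack('<HHQHHHHI', 48, 3, 0, 1, 1, 56, 1, 0)).ljust(56, b'\0')
SAMPLE_RECORD = _hdr + _attr(STANDARD_INFORMATION, _si) + _attr(FILE_NAME, _fn) + struct.pack('<I', END_MARKER)
```

Feed it records sliced from mft.bin (1024 bytes each, fixups applied) to report both tells per file.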
Recycle Bin & VSS
# Recycle Bin: C:\$Recycle.Bin\<SID>\
# $I file = metadata (original path, delete time)
# $R file = original file content

# RBCmd (Zimmerman)
RBCmd.exe -d 'C:\$Recycle.Bin' --csv out --csvf recycle_out.csv   # --csv takes an output directory

# Python ($I layout: 8-byte version, 8-byte size, 8-byte FILETIME, then the path)
python3 -c "
import struct, sys
from datetime import datetime, timedelta, timezone
data = open(sys.argv[1], 'rb').read()
ver = struct.unpack('<Q', data[0:8])[0]          # 1 = Vista to 8.1, 2 = Windows 10+
size = struct.unpack('<Q', data[8:16])[0]
ft = struct.unpack('<Q', data[16:24])[0]         # deletion time as FILETIME (UTC)
del_time = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)
start = 28 if ver == 2 else 24                   # v2 inserts a 4-byte path length before the path
path = data[start:].decode('utf-16-le').split('\x00')[0]
print('Deleted:', path, 'Size:', size, 'At:', del_time)
" "\$Ifile"

# Volume Shadow Copies (previous versions)
vssadmin list shadows                      # Windows cmd
# Access via mklink or via forensic tools
# vshadowmount (libvshadow, Linux): vshadowmount disk.img /mnt/vss/   (add -o <byte offset> for a whole-disk image)
WINDOWS FORENSICS CHECKLIST
① strings mem.dmp | grep "picoCTF{" (memory first)
② Registry: NTUSER.DAT UserAssist (ROT13!) + RecentDocs
③ Prefetch: C:\Windows\Prefetch\ → what ran and when
④ Event log 4688: process creation with command line
⑤ $MFT: compare $SI vs $FN timestamps → timestomping
⑥ Recycle Bin $I files → deleted file paths
⑦ pagefile.sys + hiberfil.sys → strings for artifacts