
[Translation] Investigation of manipulations with the control panel. Part 1

Hello! Today we bring to your attention a translation of the article “Control Panel Forensics: Evidence of Time Manipulation and More ...” by Chad Tilbury, who worked as a special agent in the Office of Special Investigations of the US Air Force and afterwards dealt with piracy issues at the American Film Distributors Association. This guy knows computer crime investigations not from textbooks. So, let's begin!



The Control Panel is a long-established Windows tool that allows a huge number of system settings to be changed. Its use can be restricted through Group Policy, but some of its items remain available to most accounts in any case (certain changes require administrator rights). During an investigation we can audit use of the Control Panel to identify a wide range of user actions, such as:





Identifying individual changes to the system allows us, at a minimum, to show which Control Panel applets the user launched and when. Artifacts, i.e. the traces left behind in the system, may provide additional information for our investigation. The context, the sequence of actions, is especially important. Imagine that you are reconstructing how the Control Panel was used and see the following picture:






Opening the Action Center (in the English version this applet is called the Security Center) is not particularly interesting in itself. But it must be taken into account that this applet was opened immediately after a well-known router password-cracking tool was launched. As they say, feel the difference!





Overview of Control Panel





The Windows Control Panel consists of several applets, each represented by a *.cpl file.

Applets are usually stored in the %SystemRoot%\System32 folder. The file control.exe is used to open applets, but, as with most actions in Windows, there is an endless number of ways to reach an applet:



Different methods leave different traces in the system. Unfortunately, in some cases no traces remain at all; it depends on how the applet was executed and on the version of Windows. The good news is that traces of Control Panel use are left in several different parts of the system, so you can almost always find the data an investigation needs.



Collect evidence of running the applet


Windows Prefetch Mechanism



The Windows Prefetch mechanism tracks application execution. Unlike ordinary applications, applets do not leave *.pf files of their own in the C:\Windows\Prefetch folder. One might assume that control.exe will give us proof of the applet launch, but unfortunately its prefetch file (if it exists) only indicates that the Control Panel was opened. To find out which applet was launched, we need to dig deeper! When an applet is launched, a reference to it is recorded in the prefetch file of the RunDLL32.exe process. Several RunDLL32.exe prefetch files pointing to the same applet indicate that the applet was launched in different ways: they arise from the way the Windows Prefetch mechanism computes the hash in the file name, which is described in the Hexacorn blog.



The prefetch file for the RunDLL32.exe process may also contain a reference to the applet (but not always; it depends on the applet and on the process from which the call originated). Searching for such references in the prefetch files of the RunDLL32 and DLLHost processes is laborious, but the effort is not wasted: it tells us how many times the applet has been launched.



In the figure below, we see that the information extracted from the RUNDLL32.EXE-2F51D544.pf file indicates that the Date and Time applet was launched at least once, on April 6, 2013 at 04:14:58 UTC.
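The parsing described above, as an added example that is not part of the original article or of any tool it mentions: it reads the fixed header of an uncompressed prefetch file (format versions 17, 23 and 26, i.e. XP, Vista/7 and Windows 8; the layout offsets are taken from the libscca format documentation and are an assumption here), pulls out the executable name, hash, run count and last run time, and lists every *.cpl file in the filename-strings section. The `prefetch_hash_vista` function reproduces the Vista/7 file-name hash as published on the Forensics Wiki (also an assumption) to show why each distinct RunDLL32 command line ends up in its own RUNDLL32.EXE-XXXXXXXX.pf. The sample file is constructed in `build_sample_prefetch`; it is not a real capture.

```python
"""Extract Control Panel applet references from uncompressed Windows Prefetch files."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Offset of the run counter, by prefetch format version
# (assumption: offsets as documented in libscca; 17 = XP, 23 = Vista/7, 26 = Windows 8).
RUN_COUNT_OFFSET = {17: 0x90, 23: 0x90, 26: 0xC8}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - EPOCH).total_seconds()) * 10_000_000


def prefetch_hash_vista(path):
    """Vista/7 SCCA file-name hash as published on the Forensics Wiki (assumption).
    Input is the upper-case NT device path of the executable; for hosts such as
    RUNDLL32.EXE the command line is appended, so each distinct invocation
    produces a different RUNDLL32.EXE-<hash>.pf."""
    h = 314159
    for ch in path.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    return h


def parse_prefetch(data):
    """Return executable name, hash, run count, last run time and referenced .cpl files."""
    version = struct.unpack_from("<I", data, 0)[0]
    if data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not an uncompressed .pf file "
                         "(Windows 10 files are MAM-compressed and must be decompressed first)")
    if version not in RUN_COUNT_OFFSET:
        raise ValueError(f"unsupported prefetch format version {version}")
    exe = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    # The file-information block starts at 0x54; its 5th and 6th dwords locate
    # section C, the NUL-separated UTF-16LE list of files touched at start-up.
    strings_off, strings_len = struct.unpack_from("<II", data, 0x54 + 16)
    last_run = struct.unpack_from("<Q", data, 0x78)[0]
    runs = struct.unpack_from("<I", data, RUN_COUNT_OFFSET[version])[0]
    blob = data[strings_off:strings_off + strings_len].decode("utf-16-le", "replace")
    files = [f for f in blob.split("\x00") if f]
    return {
        "exe": exe,
        "hash": f"{pf_hash:08X}",
        "run_count": runs,
        "last_run": filetime_to_datetime(last_run),
        "applets": [f for f in files if f.upper().endswith(".CPL")],
    }


def build_sample_prefetch(exe, pf_hash, files, run_count, last_run):
    """Construct a minimal version-23 (Vista/7 layout) prefetch image for offline
    testing. Constructed test data, not a real capture."""
    header = bytearray(0x100)  # enough room for the fixed header
    strings = "".join(f + "\x00" for f in files).encode("utf-16-le")
    struct.pack_into("<I", header, 0, 23)
    header[4:8] = b"SCCA"
    struct.pack_into("<I", header, 0x0C, len(header) + len(strings))
    header[0x10:0x10 + len(exe) * 2] = exe.encode("utf-16-le")
    struct.pack_into("<I", header, 0x4C, pf_hash)
    struct.pack_into("<II", header, 0x54 + 16, len(header), len(strings))
    struct.pack_into("<Q", header, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", header, 0x90, run_count)
    return bytes(header) + strings


if __name__ == "__main__":
    sample = build_sample_prefetch(
        "RUNDLL32.EXE", 0x2F51D544,
        [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RUNDLL32.EXE",
         r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SHELL32.DLL",
         r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\TIMEDATE.CPL"],
        1, datetime(2013, 4, 6, 4, 14, 58, tzinfo=timezone.utc))
    info = parse_prefetch(sample)
    print(f"{info['exe']}-{info['hash']}.pf ran {info['run_count']}x, "
          f"last {info['last_run']:%Y-%m-%d %H:%M:%S} UTC, applets: {info['applets']}")
```

On a real case you would feed every RUNDLL32.EXE-*.pf and DLLHOST.EXE-*.pf from C:\Windows\Prefetch through `parse_prefetch`, add the run counts of all files that reference the same applet, and keep the latest `last_run` as the most recent launch.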







While examining the prefetch files of the RunDLL32 process, I recommend that you also pay close attention to other system components, such as MMC snap-ins (COMPMGMT.MSC). A great tool for examining prefetch files was written by Mark Woan.



Windows Registry: Userassist (XP / Vista only)



Prefetch files are more or less reliable evidence, but their significant drawback is that they do not tie the actions performed on the system to a user account. The UserAssist key in the NTUSER.DAT registry hive (NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist) allows us to fill this gap.







The figure shows a record of Control Panel use made on Windows XP. Note the prefix “UEME_RUNCPL” at the start of each line: this is the identifier used on XP and Vista to mark actions related specifically to the execution of Control Panel applets. In our case we see that the user launched four different applets, a total of 10 times. The last applet launch was on May 4, 2013 at 21:41:41. The UserAssist tool used to collect this evidence was developed by Didier Stevens.
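Decoding such entries, as an added example that is not part of the original article or of Didier Stevens' tool: on XP and Vista each value under the UserAssist `Count` subkey has a ROT13-encoded name and 16 bytes of data (session id, counter, FILETIME of the last run). The code below decodes a `{value_name: bytes}` mapping (what you get when reading the subkey with a registry library), keeps only the UEME_RUNCPL entries and summarises them. The assumption that the XP counter starts at 5, so that launches = stored value minus 5, follows the commonly published description of the format; the sample values are constructed to mirror the figure (four applets, ten launches, last one on 2013-05-04 21:41:41 UTC) and are not a real capture.

```python
"""Decode Windows XP/Vista UserAssist values and list Control Panel applet launches."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
CPL_PREFIX = "UEME_RUNCPL:"   # XP/Vista marker for Control Panel applet launches
XP_COUNT_BASE = 5             # assumption: XP counters start at 5, so runs = stored - 5


def filetime_to_datetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - EPOCH).total_seconds()) * 10_000_000


def decode_entry(value_name, value_data):
    """Decode one XP/Vista value: ROT13 name + 16 bytes (session, counter, FILETIME)."""
    if len(value_data) != 16:
        raise ValueError("expected the 16-byte XP/Vista layout (Windows 7+ uses 72 bytes)")
    session, stored_count, last_run = struct.unpack("<IIQ", value_data)
    return {
        "name": codecs.decode(value_name, "rot13"),
        "session": session,
        "runs": max(stored_count - XP_COUNT_BASE, 0),
        "last_run": filetime_to_datetime(last_run) if last_run else None,
    }


def applet_launches(count_values):
    """Reduce a {value_name: bytes} mapping of the Count subkey to Control Panel
    applets, newest launch first."""
    rows = [decode_entry(name, data) for name, data in count_values.items()]
    cpl = [r for r in rows if r["name"].startswith(CPL_PREFIX)]
    for r in cpl:
        r["applet"] = r["name"][len(CPL_PREFIX):]
    cpl.sort(key=lambda r: r["last_run"] or EPOCH, reverse=True)
    return cpl


def summarize(launches):
    """Number of distinct applets, total launches and the most recent launch time."""
    total = sum(r["runs"] for r in launches)
    latest = max((r["last_run"] for r in launches if r["last_run"]), default=None)
    return {"applets": len(launches), "total_runs": total, "latest": latest}


def encode_entry(name, session, runs, last_run):
    """Build a value the way Windows XP stores it (used only for constructed test data)."""
    data = struct.pack("<IIQ", session, runs + XP_COUNT_BASE, datetime_to_filetime(last_run))
    return codecs.encode(name, "rot13"), data


# Constructed sample mirroring the article's figure; not a real registry capture.
UTC = timezone.utc
SAMPLE_COUNT_VALUES = dict([
    encode_entry("UEME_RUNCPL:timedate.cpl", 1, 4, datetime(2013, 5, 4, 21, 41, 41, tzinfo=UTC)),
    encode_entry("UEME_RUNCPL:sysdm.cpl", 1, 3, datetime(2013, 5, 2, 9, 3, 10, tzinfo=UTC)),
    encode_entry("UEME_RUNCPL:ncpa.cpl", 1, 2, datetime(2013, 4, 30, 17, 22, 5, tzinfo=UTC)),
    encode_entry("UEME_RUNCPL:firewall.cpl", 1, 1, datetime(2013, 4, 30, 17, 25, 48, tzinfo=UTC)),
    # A non-applet entry, present to show that the filter ignores it.
    encode_entry("UEME_RUNPATH:C:\\Windows\\notepad.exe", 1, 7, datetime(2013, 5, 1, 8, 0, 0, tzinfo=UTC)),
])

if __name__ == "__main__":
    launches = applet_launches(SAMPLE_COUNT_VALUES)
    for r in launches:
        print(f"{r['last_run']:%Y-%m-%d %H:%M:%S} UTC  runs={r['runs']:2d}  {r['applet']}")
    print(summarize(launches))
```

Because the data is per-user (it lives in that account's NTUSER.DAT), this is the artifact that attributes the applet launches the prefetch files only showed in aggregate; compare the latest UserAssist time with the last-run time in the RunDLL32 prefetch file to check that the two sources agree.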



With the release of Windows 7, UserAssist underwent significant changes. It no longer records reliable evidence of applet launches on Windows 7/8 systems; instead we can turn to the so-called jump lists, a source of information that holds traces of applet launches on modern operating systems.

We will talk about this in the next part.

Source: https://habr.com/ru/post/221377/


