Over the years, different means have been used to discuss the DFIR analysis process, and one of those has been artifact categories. This is where categories are created and artifacts placed in the various columns, as they relate to those categories. One such example is the SANS IR poster, which provides a great visual reminder for folks looking to employ this approach. Honestly, it is a good way to approach analysis…looking at even a single system image, artifacts have grown over the years as the versions of Windows have progressed from XP to Win7, through to Win10, and as such, it benefits a large portion of the community to have a repeatable approach to analysis.
However, when using approaches such as this, we need to keep in mind the context of the category titles. Yes, the artifacts of “program execution” provide an indication of applications that were launched on a system, but what does that mean?
At this point, I can guess what you’re thinking…wait, what?? And believe me, I get it. “Program execution” means exactly that…that a program was executed. End of story. But wait…is that what it really means?
Consider this for a second…someone unfamiliar with a program or application might “open” it on their first try, to see what it does. Command line tools, for example, often contain information about their usage, which we can see by either typing the name of the program at the command prompt (no arguments), or by adding “/?” or “-h” ("–help" for Linuxphiles). This causes the program to run, but not in the sense that the functionality of the program is actually used.
As an example, I opened a command prompt, and changed directories to the C:\Windows\Prefetch folder. Most analysts who’ve been in the industry for some time are familiar with the application prefetch files, often referred to as simply “Prefetch”. Specifically, these are files are widely known as an artifact of “program execution”.
I first typed “dir ftp*.pf” to see if there were any Prefetch files that appeared to point to the use of ftp.exe, and got the expected result: File Not Found. Next, I typed “ftp /?” at the prompt, which displayed the usage syntax of the application.
I then retyped (actually, I hit the up arrow twice…) the ‘dir’ command, and this time, I found that there was a file named FTP.EXE-7BA637EA.pf, which was 2,685 bytes in size.
So, what happened? I ran the program, but only to the point where I could read the usage syntax. I didn’t actually use the program to transfer files or exfil data in any way. However, the artifacts of program execution were populated.
Now, the same thing applies to GUI applications, maybe even more so. You can launch a GUI application, look around at the interface, maybe click a few of the options to see what functionality is available, and then close the UI without ever having employed the functionality provided by the application.
Case in point…consider this analysis of the DefCon 2018 CTF file server image. Other publicly available write-ups addressed the question of interest (which application was used to delete forensic artifacts?) with various findings. One was the result of the itempos.pl RegRipper plugin; not an artifact normally associated with program execution, but rather that the application was resident on the desktop. The two other write-ups went with the UserAssist artifacts, widely associated with program execution; however, there was no verification that the application was actually used to, as stated in the CTF question, delete forensic artifacts. As such, the GUI application could have been launched, closed, and then something else could have been used to take the specified actions. In fact, the actions in question were never verified.
As such, something to consider going forward is, when artifacts of program execution are found, what do they really mean?
Finally, a question…there is a way to make use of the FTP protocol on Windows workstations (XP, 7, 8, 10) that does not leave the ‘normal’ artifacts of program execution (i.e., Prefetch file, UserAssist entry) that does not involve disabling any default functionality. What is it, and how would you determine/verify it?
Article Link: https://windowsir.blogspot.com/2019/08/program-executionor-not.html