The team behind the Narcos scenario for the Wellington Institute of Technology project.
Recording Procedures
All tools used in the project had their version and hash recorded.
Each Virtual Machine had its own timeline recorded, tying into the main scenario timeline.
Each artefact generated was hashed and timestamped to maintain its integrity and align it with the scenario timeline of events.
Tests along with outcomes and incidents were recorded.
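The hash-and-timestamp record described above, as an added example that is not the project's own tooling: each artefact is entered into a manifest with its SHA-256 hash, size, UTC timestamp and the producing tool's name, version and hash, and re-hashing the artefacts later flags anything that changed after acquisition. The dump contents and the tool hash are constructed placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk or memory images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def record_artefact(manifest, path, tool, tool_version, tool_hash):
    """Append one artefact entry: hash, size, UTC timestamp and the tool that produced it."""
    entry = {
        "artefact": os.path.basename(path),
        "sha256": sha256_file(path),
        "size": os.path.getsize(path),
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
        "tool": {"name": tool, "version": tool_version, "sha256": tool_hash},
    }
    manifest.append(entry)
    return entry

def verify_manifest(manifest, directory):
    """Re-hash every recorded artefact; return the names that are missing or no longer match."""
    failures = []
    for entry in manifest:
        path = os.path.join(directory, entry["artefact"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            failures.append(entry["artefact"])
    return failures

def demo():
    """Constructed run: record a sample dump, verify it, modify it, verify again."""
    workdir = tempfile.mkdtemp()
    dump = os.path.join(workdir, "memory.dmp")
    with open(dump, "wb") as f:
        f.write(b"constructed memory dump bytes")  # placeholder, not a real capture
    manifest = []
    # Tool hash is a placeholder; in practice record the hash of the capture binary.
    record_artefact(manifest, dump, "Comae Dumpit", "3.0.20181116.2", "PLACEHOLDER_TOOL_HASH")
    clean = verify_manifest(manifest, workdir)
    with open(dump, "ab") as f:
        f.write(b"!")  # simulate a post-acquisition modification
    tampered = verify_manifest(manifest, workdir)
    return clean, tampered
```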
Development Setup
VMware version 14 was used to mount the Windows 10 ISOs.
Windows 10 builds 1803 (April 2018), 1809 (October) and 1709 (Fall) were installed from ISOs acquired from Windows 10 ISO DB. Windows Pro was chosen for the flexibility that edition offers, even though the actors would more likely have used Windows Home.
Each operating system had its automatic update feature disabled. Unfortunately, because Windows 10 was used, there is a 33-day limit on restricting automatic updates without the use of group policy.
Open-source and free memory-capture tools were tested to determine which leaves the smallest footprint on the virtual machine. Because of the limited support for Windows 10, only tools that were compatible were tested:
FTK Imager Version 4.2.0.13
WinPmem Version 1.6.2
Belkasoft Ram Capturer 1.1.2
Comae Dumpit Version 3.0.20181116.2
The team determined that Comae Dumpit had the least impact on a system.
Testing Procedures
Artefacts generated were individually tested on each ISO version to determine changes between Windows builds. This also helped to test reproducibility.
During unit testing, testers used a fresh VM snapshot taken at installation; this allowed them to reset the system to a clean testing platform.
System testing covered both the Virtual Machine and the raw file artefacts. This ensured that no artefacts were lost during conversion of the Virtual Machine to a raw file format.