Digital Forensics
Digital forensics is the set of techniques that lets us recover as much information as possible after a computer incident or crime. In this practical you will carry out the evidence-collection phase and the analysis of that evidence on one Linux machine and one Windows machine. We will assume the offender was caught red-handed and the machines were still powered on. Optionally, you may also analyse an Android device. On each machine you must take a memory dump and a hard-disk image, taking the measures needed to certify the chain of custody afterwards.
Disk images and memory dumps
Windows
First I prepare the disk that will carry the tools:
javiercruces@HPOMEN15:~$ sudo guestmount -a /var/lib/libvirt/images/win_foresense-1.qcow2 -m /dev/sda1 /mnt/vdb/
javiercruces@HPOMEN15:~/Descargas$ sudo cp AccessData_FTK_Imager_4.7.1.exe /mnt/vdb
I will plug this disk into the machine, since I have installed FTK Imager on it:
Memory dump
So we proceed to take an image of the memory:
We select where to save it:
Registry dump
We are going to extract the registry; for that we select the option to obtain protected files:
I will select the password files and all the registry hives, and I will also save them to the external disk:
Disk dump
To perform the disk dump, we select the option to create a disk image:
Our source disk is a physical device, so I select that option:
We choose where to save the image, in my case on the external disk:
Once done, it verifies the image it created:
Here are the hashes of the disk image:
We will also dump the data disk, which is encrypted:
The hashes of the second disk:
Now I am going to bring these files over to my host machine; to do so I mount the volume of the VM on which I wrote the dumps:
javiercruces@HPOMEN15:~$ sudo guestmount -a /var/lib/libvirt/images/win10-2.qcow2 -m /dev/sda2 /mnt/vdb/
To make sure the disk images are not tampered with, I am going to compute hashes for all of them:
javiercruces@HPOMEN15:~$ sudo find /mnt/vdb -type f -exec sha256sum {} +
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066 /mnt/vdb/$RECYCLE.BIN/S-1-5-21-1723251262-3026432737-944335575-1001/desktop.ini
57020f3e585d0f2a7ee783054c50886db4c65af1bbbe5e12e114dbf674326184 /mnt/vdb/AccessData_FTK_Imager_4.7.1.exe
91cbca5b445780e72522d872e0d229000849d6deb464ac707ee378c0c0e1794c /mnt/vdb/discodatos/discodatos.001
44ca1fe875ba863adbb5b2675acb3345122f8dee0ba3ce8e2c4cfb9c523d38b0 /mnt/vdb/discodatos/discodatos.001.txt
5a45f6418924d3eab3ea820b4bdb4a609e7f95a6f4665f043217593eeab5056e /mnt/vdb/discowin/discowin.001
aeb282e38ebe64be765b43e20a6a419ac1aa1ae4d6edd08cae3d8973bc0ac5a9 /mnt/vdb/discowin/discowin.001.txt
372a1157215515100f42e5a73adecc2407a1d8b586fa2c4770d2619d8094baf1 /mnt/vdb/discowin/discowin.002
e06c8472a09f209f23e49fb63195d8c471c86aea67e9587002b884ade22c8b97 /mnt/vdb/discowin/discowin.003
947ce5b6c2d7c8139de359723fecef351b1c6877b09647fb1d3015a4588f95df /mnt/vdb/discowin/discowin.004
7bc813aee24fd973f2c3563c66e92c3becbbe2a40e341e693b5c4c38df3c8eb8 /mnt/vdb/discowin/discowin.005
e7d920807e329ba1f9dfd3b6987a6c12efd7a3b9a0563302509db73d88862909 /mnt/vdb/discowin/discowin.006
94c1cd9d910a39a1df7852c69032d68cdaf8ba59b4849f84963f3728880e53c0 /mnt/vdb/discowin/discowin.007
fa01765ac897aa4c8a1c2e9569cf9b0c50c5aea2c947ae9bf932f0eec89986e3 /mnt/vdb/discowin/discowin.008
095a0b5d4e88826a88427f5a2e64d621f81315bd1307db21b34aa76fad65af84 /mnt/vdb/discowin/discowin.009
a70aa8c7c1c723d97d4845a87a33d47697d48edcacc7b9bc83f2510baee4237e /mnt/vdb/discowin/discowin.010
3e6b92b9764b3786091e5bb67e8ffb8c3271be4c977101da9fa14afa12fea171 /mnt/vdb/discowin/discowin.011
3e6b92b9764b3786091e5bb67e8ffb8c3271be4c977101da9fa14afa12fea171 /mnt/vdb/discowin/discowin.012
3e6b92b9764b3786091e5bb67e8ffb8c3271be4c977101da9fa14afa12fea171 /mnt/vdb/discowin/discowin.013
83954736003d261f58a1ce24f73cba37953df229fdfebd15d00245ba5a700197 /mnt/vdb/discowin/discowin.014
5353e34d4487ae5450be372e5ec37a0ca5dd746b206823abf561cd2af5d0d371 /mnt/vdb/memoria/memdump.mem
e8380620a1d5a99c0a39da8a2c5a59af17dd4bff7a4d48d8652ecca9683ef099 /mnt/vdb/memoria/pagefile.sys
9cce8fc11ca271c3e528a48257bb5472c2f4cbdbb809c19895c36b1be51c3d0b /mnt/vdb/registro/default
816ab103521bcb7adcd11b5ac9359fc8f0de945fe10507411d0127bdcc24ff70 /mnt/vdb/registro/SAM
cbac2073fe665e11e5d043c5ab054ae58c70687b0b59197559c4077e4fdaa696 /mnt/vdb/registro/SECURITY
7cd909de86fc9e9ecb73e3d432d68aa892053be3848b6c32d3aefffc347140f6 /mnt/vdb/registro/software
4cf3a831081ab8e890b5c297ed5238cecebdfecdb1805a3b2e391489cd48fe5b /mnt/vdb/registro/system
0e2961777eb214825652cc4b35b3b85dcfbdba2a58f5d2c1f586d8800abe9f83 /mnt/vdb/registro/Users/Default/NTUSER.DAT
59ffce3dd25b5f242f425a6dfdc642813f429bc0c19694aad1dcd5d2a9871c1f /mnt/vdb/registro/Users/javiercruces/Crypto/Keys/de7cf8a7901d2ad13e5c67c29e5d1662_42c962d9-bf79-4299-be81-eebad4e81473
ea127864137edff0844c2e5731c51d1d2ef22cb3a8030d413166df1114eae5a5 /mnt/vdb/registro/Users/javiercruces/NTUSER.DAT
a564c8fa96557437d4b69e870ff8797a8beee20892a632735ac0a1f838ed453b /mnt/vdb/registro/Users/javiercruces/Protect/CREDHIST
fb321d3671cf9f911f933e29fc9a099cd6834838c40d01fe6404b6975990c041 /mnt/vdb/registro/Users/javiercruces/Protect/S-1-5-21-1723251262-3026432737-944335575-1001/e8d02ff1-98d6-4ba4-99a4-1db28276ecda
13150cc91caed3c1d4321e8815afd5fc21eb4831eb1a93b40b4c9c48a4109fa1 /mnt/vdb/registro/Users/javiercruces/Protect/S-1-5-21-1723251262-3026432737-944335575-1001/Preferred
78596ecc21720053b44f78689bb06870bbe4f47029dc3d7e781cfe4d2d7a940f /mnt/vdb/registro/Users/javiercruces/UsrClass.dat
Linux
Disk dump
javiercruces@debian:~/LiME/src$ lsblk -f
NAME   FSTYPE FSVER LABEL                     UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
sda
└─sda1 crypto 2                               9fc1bfa7-9224-4e8e-896a-09516d4fd613
sr0    iso966 Jolie Debian 12.1.0 amd64 n     2023-07-22-10-52-30-00
vda
├─vda1 vfat   FAT32                           DB79-1C75                             597,9M    37% /boot
├─vda2 ext4   1.0                             6666d9d8-9a41-46e5-a370-0730f713d3a7    7,6G    52% /
└─vda3 swap   1                               e24babe0-340c-4b09-836e-dd5f447bcecc                [SWAP]
vdb
└─vdb1 ext4   1.0                             f79f0d79-209b-42b9-9087-5c72ee1595ee     54G     3% /mnt
javiercruces@debian:~/LiME/src$ sudo dd if=/dev/vda2 of=/mnt/discoLinux.raw bs=64K
296784+0 records in
296784+0 records out
19450036224 bytes (19 GB, 18 GiB) copied, 27,2778 s, 713 MB/s
javiercruces@debian:~/LiME/src$
Memory dump
javiercruces@debian:~$ git clone https://github.com/504ensicsLabs/LiME.git
javiercruces@debian:~$ cd LiME/src/
javiercruces@debian:~/LiME/src$ make
javiercruces@debian:~/LiME/src$ sudo insmod ./lime-6.1.0-18-amd64.ko "path=/mnt/vdb format=lime"
javiercruces@HPOMEN15:~$ sudo guestmount -a /var/lib/libvirt/images/ASO-systemd-boot-1.qcow2 -m /dev/vda1 /mnt/vdb/
javiercruces@HPOMEN15:~$ sudo ls -l /mnt/vdb
total 25023392
-rw-r--r-- 1 root root 19450036224 feb 18 12:07 discoLinux.raw
drwx------ 2 root root 16384 feb 18 11:25 lost+found
-rw-r--r-- 1 root root 1900818432 feb 18 11:47 memdebian.mem
-r--r--r-- 1 root root 4273066304 feb 18 12:10 vdb
I will save the hashes of the images:
javiercruces@HPOMEN15:~$ sudo find /mnt/vdb -type f -exec sha256sum {} +
5f136603c0e34a74a58bc59f1934f5f2850ca8bec9c356a283ee7161a8f39a76 /mnt/vdb/memdebian.mem
b63693142f2823a95a11d9f1fcbd845c118b2fc5d0b2508586d0fc6c8fe482af /mnt/vdb/discoLinux.raw
b419ec819114f21a10bc5146a0b28183165c8b2cf77b2fe160e3044b1b5e04a0 /mnt/vdb/vdb
Analysis of the Windows machine
The first thing I will do is create a case in Autopsy (this write-up was produced on Debian; I answered the exercises themselves on Windows).
We add metadata to the case if we consider it necessary:
We wait for Autopsy to process the disk image:
Installing Volatility
javiercruces@HPOMEN15:~$ git clone https://github.com/volatilityfoundation/volatility3.git
Clonando en 'volatility3'...
remote: Enumerating objects: 32373, done.
remote: Counting objects: 100% (3665/3665), done.
remote: Compressing objects: 100% (771/771), done.
remote: Total 32373 (delta 3350), reused 2971 (delta 2894), pack-reused 28708
Recibiendo objetos: 100% (32373/32373), 6.32 MiB | 14.10 MiB/s, listo.
Resolviendo deltas: 100% (24696/24696), listo.
javiercruces@HPOMEN15:~$ cd volatility3/
javiercruces@HPOMEN15:~/volatility3$ python3 -m venv volatility
javiercruces@HPOMEN15:~/volatility3$ source volatility/bin/activate
(volatility) javiercruces@HPOMEN15:~/volatility3$ pip3 install -r requirements.txt
Windows machine
1. Running processes
(volatility) javiercruces@HPOMEN15:~/volatility3$ sudo python3 vol.py -f "/mnt/vdb/memoria/memdump.mem" windows.pslist.PsList
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0xb088ea4af080 158 - N/A False 2024-02-05 19:30:59.000000 N/A Disabled
92 4 Registry 0xb088ea5b8040 4 - N/A False 2024-02-05 19:30:56.000000 N/A Disabled
344 4 smss.exe 0xb0891a80e040 2 - N/A False 2024-02-05 19:30:59.000000 N/A Disabled
448 440 csrss.exe 0xb088f6093140 10 - 0 False 2024-02-05 19:31:15.000000 N/A Disabled
516 440 wininit.exe 0xb088ebd2e080 1 - 0 False 2024-02-05 19:31:15.000000 N/A Disabled
528 508 csrss.exe 0xb088ebd34080 11 - 1 False 2024-02-05 19:31:15.000000 N/A Disabled
612 508 winlogon.exe 0xb08929ff6080 3 - 1 False 2024-02-05 19:31:15.000000 N/A Disabled
648 516 services.exe 0xb088eb1b40c0 10 - 0 False 2024-02-05 19:31:15.000000 N/A Disabled
668 516 lsass.exe 0xb088eb1b9080 10 - 0 False 2024-02-05 19:31:15.000000 N/A Disabled
768 516 fontdrvhost.ex 0xb088eb1bd080 5 - 0 False 2024-02-05 19:31:15.000000 N/A Disabled
776 612 fontdrvhost.ex 0xb088f59eb140 5 - 1 False 2024-02-05 19:31:15.000000 N/A Disabled
788 648 svchost.exe 0xb088f59ee240 25 - 0 False 2024-02-05 19:31:15.000000 N/A Disabled
880 648 svchost.exe 0xb08919be72c0 19 - 0 False 2024-02-05 19:31:15.000000 N/A Disabled
988 612 dwm.exe 0xb088f5d7e080 14 - 1 False 2024-02-05 19:31:15.000000 N/A Disabled
996 612 LogonUI.exe 0xb088f5d81080 13 - 1 False 2024-02-05 19:31:15.000000 N/A Disabled
400 648 svchost.exe 0xb088f654c2c0 42 - 0 False 2024-02-05 19:31:16.000000 N/A Disabled
444 648 svchost.exe 0xb088f654e240 73 - 0 False 2024-02-05 19:31:16.000000 N/A Disabled
584 648 svchost.exe 0xb088f82052c0 16 - 0 False 2024-02-05 19:31:16.000000 N/A Disabled
1032 648 svchost.exe 0xb088f8ea62c0 15 - 0 False 2024-02-05 19:31:16.000000 N/A Disabled
1040 648 svchost.exe 0xb088f8ea8280 20 - 0 False 2024-02-05 19:31:16.000000 N/A Disabled
1244 648 svchost.exe 0xb088f8e0a2c0 22 - 0 False 2024-02-05 19:31:16.000000 N/A Disabled
1460 648 svchost.exe 0xb088fa6e62c0 19 - 0 False 2024-02-05 19:31:16.000000 N/A Disabled
1520 648 svchost.exe 0xb088f9fc4080 14 - 0 False 2024-02-05 19:31:16.000000 N/A Disabled
1572 648 svchost.exe 0xb088fa6e8300 3 - 0 False 2024-02-05 19:31:16.000000 N/A Disabled
1768 4 MemCompression 0xb088f9fc8040 42 - N/A False 2024-02-05 19:31:16.000000 N/A Disabled
1924 648 svchost.exe 0xb088fbbd42c0 8 - 0 False 2024-02-05 19:31:16.000000 N/A Disabled
1956 648 svchost.exe 0xb088fc1292c0 9 - 0 False 2024-02-05 19:31:16.000000 N/A Disabled
1052 648 svchost.exe 0xb088fe704240 11 - 0 False 2024-02-05 19:31:16.000000 N/A Disabled
1068 648 svchost.exe 0xb088fe7062c0 5 - 0 False 2024-02-05 19:31:16.000000 N/A Disabled
1232 648 svchost.exe 0xb088fe708080 4 - 0 False 2024-02-05 19:31:16.000000 N/A Disabled
1568 648 spoolsv.exe 0xb088fdbde200 8 - 0 False 2024-02-05 19:31:16.000000 N/A Disabled
2052 648 svchost.exe 0xb088f67072c0 14 - 0 False 2024-02-05 19:31:16.000000 N/A Disabled
2300 648 svchost.exe 0xb088f834a240 12 - 0 False 2024-02-05 19:31:17.000000 N/A Disabled
2412 648 MsMpEng.exe 0xb088f5b06280 28 - 0 False 2024-02-05 19:31:17.000000 N/A Disabled
2868 648 svchost.exe 0xb08919b82240 27 - 0 False 2024-02-05 19:31:18.000000 N/A Disabled
3044 1040 dasHost.exe 0xb088f5c08280 3 - 0 False 2024-02-05 19:31:18.000000 N/A Disabled
664 648 svchost.exe 0xb088faadd300 5 - 0 False 2024-02-05 19:31:19.000000 N/A Disabled
3792 3784 csrss.exe 0xb088faaf5080 11 - 2 False 2024-02-05 19:31:38.000000 N/A Disabled
3840 3784 winlogon.exe 0xb08901ded080 6 - 2 False 2024-02-05 19:31:38.000000 N/A Disabled
3868 648 WUDFHost.exe 0xb088f55e5080 10 - 0 False 2024-02-05 19:31:38.000000 N/A Disabled
3960 3840 fontdrvhost.ex 0xb088f0fbb0c0 5 - 2 False 2024-02-05 19:31:38.000000 N/A Disabled
4020 3840 dwm.exe 0xb088f7551340 16 - 2 False 2024-02-05 19:31:38.000000 N/A Disabled
3456 400 rdpclip.exe 0xb088eb1ed2c0 8 - 2 False 2024-02-05 19:31:39.000000 N/A Disabled
3616 444 sihost.exe 0xb088eaec5300 16 - 2 False 2024-02-05 19:31:39.000000 N/A Disabled
3400 648 svchost.exe 0xb088fafee340 20 - 2 False 2024-02-05 19:31:39.000000 N/A Disabled
3188 444 taskhostw.exe 0xb088f6af1380 12 - 2 False 2024-02-05 19:31:39.000000 N/A Disabled
3068 648 NisSrv.exe 0xb088eadcc300 7 - 0 False 2024-02-05 19:31:39.000000 N/A Disabled
3344 1040 ctfmon.exe 0xb088f632d080 11 - 2 False 2024-02-05 19:31:39.000000 N/A Disabled
4208 3840 userinit.exe 0xb088fc324080 0 - 2 False 2024-02-05 19:31:40.000000 2024-02-05 19:32:04.000000 Disabled
4236 4208 explorer.exe 0xb088fc332080 76 - 2 False 2024-02-05 19:31:40.000000 N/A Disabled
4388 648 svchost.exe 0xb088f5430080 14 - 2 False 2024-02-05 19:31:40.000000 N/A Disabled
4452 648 SearchIndexer. 0xb0891ee2a240 21 - 0 False 2024-02-05 19:31:40.000000 N/A Disabled
4876 788 StartMenuExper 0xb088f90130c0 14 - 2 False 2024-02-05 19:31:41.000000 N/A Disabled
5096 788 RuntimeBroker. 0xb088f94ec340 4 - 2 False 2024-02-05 19:31:42.000000 N/A Disabled
4732 788 SearchApp.exe 0xb088f65130c0 57 - 2 False 2024-02-05 19:31:42.000000 N/A Disabled
5184 788 RuntimeBroker. 0xb088fb73e340 17 - 2 False 2024-02-05 19:31:42.000000 N/A Disabled
5828 788 WmiPrvSE.exe 0xb088ead52300 8 - 0 False 2024-02-05 19:31:44.000000 N/A Disabled
6028 3104 GoogleCrashHan 0xb088f871c340 5 - 0 True 2024-02-05 19:31:45.000000 N/A Disabled
6092 3104 GoogleCrashHan 0xb088f870f080 4 - 0 False 2024-02-05 19:31:45.000000 N/A Disabled
3740 788 RuntimeBroker. 0xb0891ee2f080 9 - 2 False 2024-02-05 19:31:52.000000 N/A Disabled
1912 788 smartscreen.ex 0xb088f901d080 7 - 2 False 2024-02-05 19:31:54.000000 N/A Disabled
3524 4236 SecurityHealth 0xb088f87020c0 6 - 2 False 2024-02-05 19:31:54.000000 N/A Disabled
3236 648 SecurityHealth 0xb088f9c4e340 15 - 0 False 2024-02-05 19:31:54.000000 N/A Disabled
820 4236 OneDrive.exe 0xb088f8ec7080 23 - 2 True 2024-02-05 19:31:55.000000 N/A Disabled
6128 4236 chrome.exe 0xb088f8e61080 40 - 2 False 2024-02-05 19:31:56.000000 N/A Disabled
2040 6128 chrome.exe 0xb088f8732080 8 - 2 False 2024-02-05 19:31:57.000000 N/A Disabled
5404 6128 chrome.exe 0xb088f3cb2080 14 - 2 False 2024-02-05 19:31:57.000000 N/A Disabled
5392 6128 chrome.exe 0xb088f60e8080 15 - 2 False 2024-02-05 19:31:57.000000 N/A Disabled
5348 6128 chrome.exe 0xb088f8fa3080 8 - 2 False 2024-02-05 19:31:57.000000 N/A Disabled
5496 6128 chrome.exe 0xb088f3cc1080 15 - 2 False 2024-02-05 19:31:57.000000 N/A Disabled
6184 6128 chrome.exe 0xb088f44e5080 14 - 2 False 2024-02-05 19:31:57.000000 N/A Disabled
6200 6128 chrome.exe 0xb088f3cf3080 14 - 2 False 2024-02-05 19:31:57.000000 N/A Disabled
6380 788 TextInputHost. 0xb088f8a0e080 9 - 2 False 2024-02-05 19:31:57.000000 N/A Disabled
6556 788 dllhost.exe 0xb0891a1ec080 11 - 2 False 2024-02-05 19:31:58.000000 N/A Disabled
6156 6128 chrome.exe 0xb088f44cc080 14 - 2 False 2024-02-05 19:33:00.000000 N/A Disabled
5284 6128 chrome.exe 0xb088f872c080 14 - 2 False 2024-02-05 19:33:00.000000 N/A Disabled
4036 6128 chrome.exe 0xb088f44e4080 14 - 2 False 2024-02-05 19:33:05.000000 N/A Disabled
6916 4236 FTK Imager.exe 0xb0891a1d9080 22 - 2 False 2024-02-05 19:33:11.000000 N/A Disabled
6044 788 ApplicationFra 0xb0890d7dc080 13 - 2 False 2024-02-05 19:33:14.000000 N/A Disabled
6104 788 Calculator.exe 0xb088f9bf1340 17 - 2 False 2024-02-05 19:33:14.000000 N/A Disabled
5864 788 RuntimeBroker. 0xb0890d7d9080 6 - 2 False 2024-02-05 19:33:14.000000 N/A Disabled
7020 648 svchost.exe 0xb088f8720300 7 - 0 False 2024-02-05 19:33:17.000000 N/A Disabled
4788 648 SgrmBroker.exe 0xb088fbe4c080 7 - 0 False 2024-02-05 19:33:18.000000 N/A Disabled
760 648 svchost.exe 0xb088fac482c0 13 - 0 False 2024-02-05 19:33:18.000000 N/A Disabled
7348 788 HxCalendarAppI 0xb088f5f5a080 29 - 2 False 2024-02-05 19:33:20.000000 N/A Disabled
7412 788 RuntimeBroker. 0xb088faf61080 6 - 2 False 2024-02-05 19:33:20.000000 N/A Disabled
7476 788 HxTsr.exe 0xb088fc642080 13 - 2 False 2024-02-05 19:33:20.000000 N/A Disabled
7816 4236 Taskmgr.exe 0xb088facb8340 16 - 2 False 2024-02-05 19:33:22.000000 N/A Disabled
8072 788 explorer.exe 0xb088ead54080 11 - 2 False 2024-02-05 19:33:34.000000 N/A Disabled
7256 3616 PaintStudio.Vi 0xb088facbe340 45 - 2 False 2024-02-05 19:33:39.000000 N/A Disabled
7796 788 RuntimeBroker. 0xb088f8e64300 8 - 2 False 2024-02-05 19:33:40.000000 N/A Disabled
900 788 Time.exe 0xb088f9c15080 16 - 2 False 2024-02-05 19:33:42.000000 N/A Disabled
2132 788 RuntimeBroker. 0xb088ead3d080 7 - 2 False 2024-02-05 19:33:43.000000 N/A Disabled
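The listing above is a flat table; the questions an analyst asks of it (does each core Windows process hang where it should in the tree, does any process that must be unique appear twice) are easier to answer programmatically. The Python below is added here as an example and is not part of the write-up or of Volatility: it parses PsList rows (handling image names with spaces such as "FTK Imager.exe", which break a plain whitespace split), rebuilds the parent/child tree, and checks parent expectations for core Windows processes. SAMPLE is a subset of the rows above; INJECTED is a constructed row that is not in the dump, added only to show what a finding looks like.

```python
from collections import defaultdict

# Subset of the PsList rows from the dump above (page data, not constructed).
SAMPLE = """\
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0xb088ea4af080 158 - N/A False 2024-02-05 19:30:59.000000 N/A Disabled
344 4 smss.exe 0xb0891a80e040 2 - N/A False 2024-02-05 19:30:59.000000 N/A Disabled
448 440 csrss.exe 0xb088f6093140 10 - 0 False 2024-02-05 19:31:15.000000 N/A Disabled
516 440 wininit.exe 0xb088ebd2e080 1 - 0 False 2024-02-05 19:31:15.000000 N/A Disabled
648 516 services.exe 0xb088eb1b40c0 10 - 0 False 2024-02-05 19:31:15.000000 N/A Disabled
668 516 lsass.exe 0xb088eb1b9080 10 - 0 False 2024-02-05 19:31:15.000000 N/A Disabled
788 648 svchost.exe 0xb088f59ee240 25 - 0 False 2024-02-05 19:31:15.000000 N/A Disabled
3840 3784 winlogon.exe 0xb08901ded080 6 - 2 False 2024-02-05 19:31:38.000000 N/A Disabled
4208 3840 userinit.exe 0xb088fc324080 0 - 2 False 2024-02-05 19:31:40.000000 2024-02-05 19:32:04.000000 Disabled
4236 4208 explorer.exe 0xb088fc332080 76 - 2 False 2024-02-05 19:31:40.000000 N/A Disabled
6028 3104 GoogleCrashHan 0xb088f871c340 5 - 0 True 2024-02-05 19:31:45.000000 N/A Disabled
6128 4236 chrome.exe 0xb088f8e61080 40 - 2 False 2024-02-05 19:31:56.000000 N/A Disabled
6916 4236 FTK Imager.exe 0xb0891a1d9080 22 - 2 False 2024-02-05 19:33:11.000000 N/A Disabled
"""

# Constructed row, NOT present in the dump: a second "lsass.exe" whose parent
# is chrome.exe, the kind of masquerading the parent check is meant to surface.
INJECTED = "9999 6128 lsass.exe 0xb088deadbeef 3 - 2 False 2024-02-05 19:35:00.000000 N/A Disabled\n"

# Where core Windows processes are expected to hang in the tree.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "explorer.exe": "userinit.exe",
}
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}


def parse_pslist(text):
    """Turn PsList rows into dicts. Image names may contain spaces ("FTK
    Imager.exe"), so each row is split around the 0x offset column."""
    procs = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():
            continue  # banner, progress and header lines
        off = next(i for i, t in enumerate(tok) if t.startswith("0x"))
        rest = tok[off + 7:]  # everything after CreateTime: ExitTime, File output
        procs.append({
            "pid": int(tok[0]), "ppid": int(tok[1]),
            "name": " ".join(tok[2:off]), "offset": tok[off],
            "threads": tok[off + 1], "session": tok[off + 3],
            "wow64": tok[off + 4] == "True",
            "created": " ".join(tok[off + 5:off + 7]),
            "exited": None if rest[0] == "N/A" else " ".join(rest[:2]),
        })
    return procs


def check_parents(procs):
    """Findings as (kind, pid, name, detail). 'parent-not-listed' is usually
    benign (the parent exited, e.g. the smss instance that starts csrss and
    wininit), but PID reuse means it still deserves a second look."""
    by_pid = {p["pid"]: p for p in procs}
    seen = defaultdict(list)
    findings = []
    for p in procs:
        seen[p["name"]].append(p["pid"])
        if p["ppid"] == 0:
            continue  # System has no parent
        parent = by_pid.get(p["ppid"])
        want = EXPECTED_PARENT.get(p["name"])
        if parent is None:
            findings.append(("parent-not-listed", p["pid"], p["name"], f"ppid {p['ppid']}"))
        elif want and parent["name"] != want:
            findings.append(("unexpected-parent", p["pid"], p["name"],
                             f"parent {parent['name']}, expected {want}"))
    for name in sorted(SINGLETONS):
        for pid in seen[name][1:]:
            findings.append(("duplicate-singleton", pid, name, f"{len(seen[name])} instances"))
    return findings


def render_tree(procs):
    """Indented parent/child view; roots are processes whose parent is absent."""
    by_pid = {p["pid"]: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"] if p["ppid"] in by_pid else None].append(p)
    lines = []

    def walk(pid, depth):
        for c in sorted(children[pid], key=lambda x: x["pid"]):
            lines.append("  " * depth + f"{c['name']} ({c['pid']})")
            walk(c["pid"], depth + 1)

    walk(None, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(parse_pslist(SAMPLE))))
    for finding in check_parents(parse_pslist(SAMPLE + INJECTED)):
        print(*finding)
```

On the real dump, pipe the full PsList output into parse_pslist; the rules in EXPECTED_PARENT are deliberately minimal and should be extended with the same care for each additional system process before trusting a clean run.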
2. Running services
(volatility) javiercruces@HPOMEN15:~/volatility3$ sudo python3 vol.py -f "/mnt/vdb/memoria/memdump.mem" windows.getservicesids.GetServiceSIDs
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
SID Service
S-1-5-80-4151353957-356578678-4163131872-800126167-2037860865 .NET CLR Networking 4.0.0.0
S-1-5-80-1135273183-3738781202-689480478-891280274-255333391 .NET Memory Cache 4.0
S-1-5-80-3459415445-2224257447-3423677131-2829651752-4257665947 3ware
S-1-5-80-2917441881-3404282297-3983348447-1829381237-2935805708 AarSvc
S-1-5-80-2345285467-3342891147-82292311-2275197348-1578354944 AarSvc_50fad
S-1-5-80-1975967573-2913356537-819030703-3730719923-1995772179 AcpiDev
S-1-5-80-2670625634-2386107419-4204951937-4094372046-2600379021 acpiex
S-1-5-80-3267050047-1503497915-401953950-2662906978-1179039408 acpipagr
S-1-5-80-772678238-4220935223-620583658-4118486195-1180343772 acpitime
S-1-5-80-1863632671-1375125309-1493738800-1551534981-2387622636 Acx01000
S-1-5-80-3261807240-4279319092-2126406095-947934052-2578847935 ADOVMPPackage
S-1-5-80-2046354688-3987051615-3879164971-215375460-2633017214 ADP80XX
S-1-5-80-1535954936-2128305610-2033289386-4003803006-3961564848 ad_driver
S-1-5-80-521319896-1227547225-1440366370-1094984824-1952325498 afunix
S-1-5-80-3882103802-2937937445-2149894622-934926057-1088273958 ahcache
S-1-5-80-3532809085-2652327567-2620918877-1058261733-582902671 AJRouter
S-1-5-80-3520885947-347258037-358237196-958877718-2177097675 amdgpio2
S-1-5-80-3034931084-4111837248-3722498124-953434196-229084002 amdi2c
S-1-5-80-940484976-4139584748-3980625906-2403118188-3770008912 applockerfltr
S-1-5-80-2020831507-1298702824-3288167190-116113825-4190209 AppReadiness
S-1-5-80-3690054487-1922792274-847725564-1425669114-2396631621 AppVClient
S-1-5-80-1981223234-350633043-1452159618-1133528455-2295233572 AppvStrm
S-1-5-80-1995813674-3661462697-784932380-3834207926-917317866 AppvVemgr
S-1-5-80-1543189782-2596160705-3795570588-3168413527-2925017820 AppvVfs
S-1-5-80-1949724575-2387902436-65106593-1201171665-3967308604 AppXSvc
S-1-5-80-689100834-1985168674-2379302174-2224748125-4125308070 AssignedAccessManagerSvc
S-1-5-80-3169285310-278349998-1452333686-3865143136-4212226833 autotimesvc
S-1-5-80-286416697-2074333985-3953926783-2730543180-4207904231 bam
S-1-5-80-2025233850-3714960172-3834018148-2523054830-2209135241 BasicDisplay
S-1-5-80-4178409850-1580268469-397489987-3195816699-129657517 BasicRender
S-1-5-80-3969992995-4113734098-2838120167-1440264772-583281004 BcastDVRUserService
S-1-5-80-1091833278-2140613478-3064603973-1607650773-3857006778 BcastDVRUserService_50fad
S-1-5-80-856979437-3912875207-2720685236-703935298-3759072829 bcmfn2
S-1-5-80-3451400966-3703281935-2685268016-3285412533-1470843506 bindflt
S-1-5-80-2033999825-3741098712-1851668902-216055579-943193379 BluetoothUserService
S-1-5-80-2602215105-3353301314-225129424-3242260137-2199118732 BluetoothUserService_50fad
S-1-5-80-1988685059-1921232356-378231328-2704142597-890457928 BrokerInfrastructure
S-1-5-80-3316959809-2577409367-488518535-1805171532-1438653141 BTAGService
S-1-5-80-3397485379-1673558126-3852117732-4170930301-4011713027 BthA2dp
S-1-5-80-1264790548-4164306546-4160824920-750804445-3452039388 BthAvctpSvc
S-1-5-80-3742302039-178175996-3312716580-300089339-184318439 BthEnum
S-1-5-80-4190030514-1955060627-1650410980-2059579884-2945205035 BthHFEnum
S-1-5-80-2319449347-3660344761-1621844049-61588942-3837794983 BthLEEnum
S-1-5-80-411364929-2494992265-235336807-3339216277-1376253409 BthMini
S-1-5-80-3533787624-3536623824-1878644040-3113243162-1610647180 BTHUSB
S-1-5-80-1102738-1048517740-3681369803-3100335448-3129350187 bttflt
S-1-5-80-4235005237-3293881321-902755294-2421876860-1688724929 buttonconverter
S-1-5-80-3988044632-483646655-3689529973-3635425272-2751329168 CAD
S-1-5-80-3369530244-1263555520-1552818992-544823788-1590281562 camsvc
S-1-5-80-2195691530-3564058219-2185687823-1858318469-3207429352 CaptureService
S-1-5-80-2061916618-2473786339-1209003124-203996862-3865510505 CaptureService_50fad
S-1-5-80-546976454-1426073922-427304975-3694345144-4147405473 cbdhsvc
S-1-5-80-2514868401-1614040450-3339499687-2942524132-3960226468 cbdhsvc_50fad
S-1-5-80-3433512109-503559027-1389316256-1766580070-2256751264 CDPSvc
S-1-5-80-1260278928-804197538-2066346633-4268302704-2216462912 CDPUserSvc
S-1-5-80-1518900912-1420122119-1615577584-34666731-2598493892 CDPUserSvc_50fad
S-1-5-80-1055174906-2416269421-2304048803-1043379310-100576628 cht4iscsi
S-1-5-80-867907225-1838866732-3207111219-3362010221-3938223369 cht4vbd
S-1-5-80-1592074278-3653508928-2768813056-1918619345-1433065180 CimFS
S-1-5-80-1404165011-2000956283-1442398411-3799073753-1383434776 CldFlt
S-1-5-80-65843127-2189646064-2697706863-2125155322-3141006483 ClipSVC
S-1-5-80-2119957892-4152124429-3625998117-4006912763-1737903618 cloudidsvc
S-1-5-80-2611951811-1959136347-1062071333-3982815153-2811717512 clr_optimization_v4.0.30319_32
S-1-5-80-2839768381-3691089589-2614646340-3191585287-3380622033 clr_optimization_v4.0.30319_64
S-1-5-80-4162882437-1505926369-3203888135-2472178355-2995762856 cnghwassist
S-1-5-80-1796617447-2916456010-10894564-1845345233-3515002435 condrv
S-1-5-80-3749766068-1582991359-4182444126-1144602875-625653745 ConsentUxUserSvc
S-1-5-80-1689245047-2517065848-119126955-928953782-3881496094 ConsentUxUserSvc_50fad
S-1-5-80-1021139062-1866602279-1255292388-1008060685-2498416891 CoreMessagingRegistrar
S-1-5-80-109488485-4147369969-3056774085-3969564951-1913080067 CoreUI
S-1-5-80-2720979471-2110640377-1938553337-2954392914-939353058 CredentialEnrollmentManagerUserSvc
S-1-5-80-2870883986-4281173727-708603794-2134363143-2686522016 CredentialEnrollmentManagerUserSvc_50fad
S-1-5-80-3427364867-2348656012-3079877547-1505400018-1601214341 dam
S-1-5-80-2667170245-2239725068-1742831399-533342241-2651120191 dcsvc
S-1-5-80-1692619910-1358769708-3047346990-2477994898-1876611151 DeviceAssociationBrokerSvc
S-1-5-80-933457078-909669165-2371787725-499192611-2576228100 DeviceAssociationBrokerSvc_50fad
S-1-5-80-2536636004-4072673470-1048721469-2703517266-1433793019 DeviceAssociationService
S-1-5-80-2659457741-469498900-3203170401-3149177360-3048467625 DeviceInstall
S-1-5-80-3981010603-2563310902-4138807455-2513867770-1689624316 DevicePickerUserSvc
S-1-5-80-1542622939-2432071804-441627781-2155588311-412164416 DevicePickerUserSvc_50fad
S-1-5-80-1731526583-713188386-1588570932-65458670-665563417 DevicesFlowUserSvc
S-1-5-80-2139216848-1834768328-3639298086-1478984899-2276215200 DevicesFlowUserSvc_50fad
S-1-5-80-1646229720-1474186231-1049421145-3719583575-3014288788 DevQueryBroker
S-1-5-80-3837255464-839197112-3211601036-3795322556-2690640524 Dfsc
S-1-5-80-3427281794-3208260282-895156161-4152208786-3156774898 diagnosticshub.standardcollector.service
S-1-5-80-2291377395-3838044599-2142290114-2473825573-3813973113 diagsvc
S-1-5-80-2620808479-2171380039-3191355562-2070425692-3097948119 DiagTrack
S-1-5-80-2947989659-52033649-2604989816-125447294-1386081903 DialogBlockingService
S-1-5-80-1827140278-1118305254-4004251663-1512899043-4081885502 disk
S-1-5-80-4171086659-1617898341-2870161492-1466607281-2109097600 DispBrokerDesktopSvc
S-1-5-80-3914275374-678031271-1603343729-3906112567-2888048264 DisplayEnhancementService
S-1-5-80-538170410-2190149038-799223143-2506663053-4165713448 DmEnrollmentSvc
S-1-5-80-2597136289-665204401-1725106016-1253143166-1853691573 dmvsc
S-1-5-80-3841379657-834162867-3056945855-2577476187-70241904 dmwappushservice
S-1-5-80-3055155277-3816794035-3994065555-2874236192-2193176987 DoSvc
S-1-5-80-286057374-2594772386-1471686342-3682429118-820474675 DsmSvc
S-1-5-80-1551822644-3134808374-1042292604-2865742758-3851661496 DsSvc
S-1-5-80-4071458001-3563271761-1846288968-3700919931-3809667977 DusmSvc
S-1-5-80-1830903284-3590783070-1256105943-1989567323-3273248812 e1i65x64
S-1-5-80-3578261754-285310837-913589462-2834155770-667502746 Eaphost
S-1-5-80-263376457-2115425240-177348680-1339839713-3837480443 edgeupdate
S-1-5-80-605514040-344704999-4120406818-2499438505-150840210 edgeupdatem
S-1-5-80-2169634130-1039499152-2857656644-2663134321-2733247747 EhStorClass
S-1-5-80-286318078-2644501994-4034150745-2802514947-3987682007 EhStorTcgDrv
S-1-5-80-197064213-1107091946-1970926662-1288706631-716503202 embeddedmode
S-1-5-80-2744483880-3889877944-846434063-3461941807-3140553215 EntAppSvc
S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122 EventLog
S-1-5-80-2617507558-3328795327-711547822-311560295-1636921165 fhsvc
S-1-5-80-1314638815-3435960472-2727226528-1675998635-1902597435 FileCrypt
S-1-5-80-3915894004-2104103821-3047269622-1811662266-774708259 FrameServer
S-1-5-80-3181391832-1165339916-824804796-1846270512-1987055954 gencounter
S-1-5-80-4137420670-1714900858-4048147207-1486404520-2727663781 genericusbfn
S-1-5-80-75387917-508843547-2432396020-3132913102-4137377952 GoogleChromeElevationService
S-1-5-80-3892015463-3880225558-716464106-2623782912-3537878324 GPIOClx0101
S-1-5-80-45206258-3912194098-2707507260-3008220167-2543420661 GpuEnergyDrv
S-1-5-80-1517824832-3405227061-4234718464-3265367437-2784406453 GraphicsPerfSvc
S-1-5-80-1628851891-332911214-942992855-2381080451-357317118 gupdate
S-1-5-80-1391398224-2746689181-3888380295-1755171859-6364376 gupdatem
S-1-5-80-1708301557-710215499-1045718168-382692165-3542596111 HdAudAddService
S-1-5-80-1632474125-2303985310-1465129739-461431387-3339616311 hidi2c
S-1-5-80-595487790-2902857704-1637225563-1046489922-3656573765 hidinterrupt
S-1-5-80-3338532743-2167017084-2688270890-3351665506-1257551220 hidspi
S-1-5-80-2718569444-1738374061-3304332439-3451140840-1824115491 hvcrash
S-1-5-80-44780642-2200031541-2427509763-915290973-996987375 HvHost
S-1-5-80-2939390288-356272421-3595829934-3436785230-198171780 hvservice
S-1-5-80-2274115272-1034313707-3787864051-261592831-2149061657 HwNClx0101
S-1-5-80-1636647319-4072889561-245816251-3892323420-125393640 hyperkbd
S-1-5-80-1568740187-908130129-1280451789-1901112753-2221687382 HyperVideo
S-1-5-80-2670277838-3947594761-3239889572-3393358898-1622853222 iagpio
S-1-5-80-2158641323-386083531-4194214369-34619318-3813434458 iai2c
S-1-5-80-1751987400-2816258287-31600907-3962047115-1737274117 iaLPSS2i_GPIO2
S-1-5-80-1111475540-466917029-2679550370-2578483454-692614412 iaLPSS2i_GPIO2_BXT_P
S-1-5-80-1739240851-3621344408-1713079411-1646377490-2636667785 iaLPSS2i_GPIO2_CNL
S-1-5-80-2673509282-3250608688-4161211656-2193043397-2070765280 iaLPSS2i_GPIO2_GLK
S-1-5-80-2560230824-2699639875-2946887507-2809778676-469529665 iaLPSS2i_I2C
S-1-5-80-12980661-1673373748-4127468638-2895847452-4070398594 iaLPSS2i_I2C_BXT_P
S-1-5-80-2145177943-2751001835-2841195933-1950876073-3621000904 iaLPSS2i_I2C_CNL
S-1-5-80-780176066-3721089017-3511631931-2580781662-523231243 iaLPSS2i_I2C_GLK
S-1-5-80-1532184652-4035834151-1950529856-1922329247-3348818483 iaLPSSi_GPIO
S-1-5-80-730113209-3859422966-2743155648-3421359225-3886647409 iaLPSSi_I2C
S-1-5-80-3323158773-131258738-3057376072-3701579410-1953672022 iaStorAV
S-1-5-80-2020084033-1359107645-3278428846-795142582-1815602196 iaStorAVC
S-1-5-80-3391758085-3386442682-1652486205-1841141806-1992729197 ibbus
S-1-5-80-3935728946-315639613-922904133-3250794525-491832002 icssvc
S-1-5-80-2392126525-1736915593-2210125632-2563158532-2616938475 IndirectKmd
S-1-5-80-2284069148-621670086-2606570695-3321162879-2563206788 InstallService
S-1-5-80-3327892994-1960904528-3982671949-1654996949-2464229733 intelpep
S-1-5-80-1900340034-3449890540-182776197-3466871519-875942235 intelpmax
S-1-5-80-3964494243-732302783-2234246214-3803256551-723791621 iorate
S-1-5-80-1954766798-2967939946-3605743322-553214224-2296400261 IPT
S-1-5-80-2355113075-3359631449-3346493237-3667020425-1655874352 IpxlatCfgSvc
S-1-5-80-3226934113-1398865432-993897477-3177498405-3382167683 ItSas35i
S-1-5-80-2148130874-1768494572-716210-54149643-3932447678 kbldfltr
S-1-5-80-2271880911-1251856977-1706928486-259807789-537220688 kdnic
S-1-5-80-2876499719-392125430-158013367-819050375-2387260967 ksthunk
S-1-5-80-3704025948-1094794811-1175534343-2088422159-783153058 lfsvc
S-1-5-80-2168654060-3115992504-1782388893-2584760693-2634250426 LicenseManager
S-1-5-80-828721388-3792639465-1596558500-741975338-1843353865 LSI_SAS2i
S-1-5-80-1292554068-3641467945-3524739894-1349342977-636852090 LSI_SAS3i
S-1-5-80-4045025553-2976580352-2420774707-2188590102-3192113229 LSI_SSS
S-1-5-80-1230977110-1477712667-2747199032-477530733-939374687 LSM
S-1-5-80-1594061079-2000966165-462148798-751814865-2644087104 LxpSvc
S-1-5-80-3028837079-3186095147-955107200-3701964851-1150726376 MapsBroker
S-1-5-80-3114654814-2921064011-1905572160-152804539-1417807178 mausbhost
S-1-5-80-1689786627-2800348145-589537150-160302296-3926153891 mausbip
S-1-5-80-482631164-113973055-3624764966-2186786627-2645029274 MbbCx
S-1-5-80-1346060813-323363712-587550660-3142329655-742851739 McpManagementService
S-1-5-80-1684110676-2342826027-2954792854-2461032557-4007556361 megasas2i
S-1-5-80-2869657570-1778740833-83850822-3186679656-2472655231 megasas35i
S-1-5-80-4024713676-1017792628-381990976-3540878265-1306153904 megasr
S-1-5-80-3999755614-3418583833-1896887384-2999918798-210212794 MessagingService
S-1-5-80-202946138-985291779-3159394747-43634094-4075641753 MessagingService_50fad
S-1-5-80-450487634-32044177-1119026171-1009345945-1629791242 MicrosoftEdgeElevationService
S-1-5-80-1290887583-3890804311-3227577290-3287571674-2651233138 Microsoft_Bluetooth_AvrcpTransport
S-1-5-80-1543190384-3367925291-586273452-2558737455-3425399499 MixedRealityOpenXRSvc
S-1-5-80-3755756047-2886117673-2566125725-1838300879-2590056170 mlx4_bus
S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052 mpssvc
S-1-5-80-766433145-569980108-2081788762-104033110-3841863914 MsBridge
S-1-5-80-61387632-1770052757-913906803-2764154990-1232092381 MSDTC Bridge 4.0.0.0
S-1-5-80-1709243854-2721926396-509980330-3397245316-2789600492 msgpiowin32
S-1-5-80-2335093085-4288963418-862046716-1348633750-1984735259 mshidumdf
S-1-5-80-3719317199-3405270365-2794832041-2304024896-2914089004 MsKeyboardFilter
S-1-5-80-2542081156-3563385132-3937647205-2588572414-2394664210 MsLldp
S-1-5-80-2804434951-625509142-572389148-2638030035-2993097285 MsQuic
S-1-5-80-3977605483-200570079-739940831-2932290302-2649018641 MsSecCore
S-1-5-80-1868534811-1113969215-1254686383-3122237719-2449736172 MsSecFlt
S-1-5-80-3642563950-456203802-1490755371-2601848954-63880797 MsSecWfp
S-1-5-80-4018724706-2388594414-778837249-3759549757-2342992247 mvumis
S-1-5-80-1693791390-661026542-4284378996-1616250691-2477593537 NaturalAuthentication
S-1-5-80-154974075-1852685594-3179713959-2755908004-3936262621 NcaSvc
S-1-5-80-3169048008-2586333165-76651690-3609634147-4147641610 NcbService
S-1-5-80-639065985-1709096039-2702309040-2770678766-2981280942 NcdAutoSetup
S-1-5-80-1929895091-2833432830-2697471735-1135988795-2264472352 ndfltr
S-1-5-80-375564701-3513094222-427343084-2529536460-2480510224 NdisImPlatform
S-1-5-80-1856495872-3151408123-1737732000-490184210-1622466692 NdisVirtualBus
S-1-5-80-3687920589-2211470767-2846922358-2300776228-356028302 ndiswanlegacy
S-1-5-80-1488665879-159185889-877450046-2151251822-3875779066 NDKPing
S-1-5-80-3999445478-1493703614-491198216-2250085872-3662815299 ndproxy
S-1-5-80-1235769596-2241049241-3512080025-3142132805-3400791542 Ndu
S-1-5-80-2475926400-260174619-1668875208-528473860-3272058262 NetAdapterCx
S-1-5-80-2038182892-1846284197-1242326240-2615352543-44767121 NetbiosSmb
S-1-5-80-3290392786-819420393-1694314755-3737624005-3552167228 NetSetupSvc
S-1-5-80-3551186791-2451211144-2320551185-397537932-3221552100 netvsc
S-1-5-80-2381253463-2694003897-3435975801-3559003598-683041300 NgcCtnrSvc
S-1-5-80-1999281942-4196217620-51267815-1628483199-606183737 NgcSvc
S-1-5-80-389868755-419489745-3026704534-2242740522-2006634936 npsvctrig
S-1-5-80-3903180505-3896017075-4285990333-2375284902-1925993444 nvdimm
S-1-5-80-3753458296-2578515382-296172075-2568624853-485985677 OneSyncSvc
S-1-5-80-3515428-2931623117-804653153-3478930650-257201455 OneSyncSvc_50fad
S-1-5-80-3145084533-2700894668-2078824647-1465192519-3266618331 pdc
S-1-5-80-4215928932-1248355774-1205732377-1093571376-2379325634 perceptionsimulation
S-1-5-80-1046995410-3007147168-922272172-967041193-3794187727 percsas2i
S-1-5-80-42157666-624349265-169177574-52107575-3728749841 percsas3i
S-1-5-80-3596911058-2952229928-1888671852-1743692427-614402820 PerfHost
S-1-5-80-2636612206-2079418197-1004231589-1812192203-4197254245 PhoneSvc
S-1-5-80-2428418161-1754247685-758903264-2475084861-4167363882 PimIndexMaintenanceSvc
S-1-5-80-3410280176-3299602888-1332419371-1911054326-2542463980 PimIndexMaintenanceSvc_50fad
S-1-5-80-2785576034-242416339-385417889-2054053173-3638954698 PktMon
S-1-5-80-3355885494-318102177-1313724702-1621550881-803011355 pmem
S-1-5-80-3239442711-4074742016-684152919-2253013163-2274039561 PNPMEM
S-1-5-80-3082810783-1413926421-1831856127-837733229-953361461 portcfg
S-1-5-80-1250897762-2760119941-576021590-2872322938-624617480 PrintNotify
S-1-5-80-3011530997-228986608-3623458339-2361303491-1043592577 PrintWorkflowUserSvc
S-1-5-80-1552224136-2279772909-4069248841-1973210782-3001653797 PrintWorkflowUserSvc_50fad
S-1-5-80-2949785411-1458004381-4011503523-1439849274-3428788682 PushToInstall
S-1-5-80-1681795462-3431334705-92433549-1962541325-160118133 Ramdisk
S-1-5-80-2223301817-4248418169-3249847036-321434835-1272792247 RDMANDK
S-1-5-80-1934309797-2043993622-339923705-3871978825-766431271 RDPUDD
S-1-5-80-3072462152-34466603-861212222-1753422877-4071721522 RdpVideoMiniport
S-1-5-80-1596569074-2677311441-962104887-2749517281-2857086053 ReFS
S-1-5-80-2316697869-4025289487-468236631-2575080373-2608813053 ReFSv1
S-1-5-80-457603595-166122335-4119162879-888033224-3685571132 RetailDemo
S-1-5-80-2932307366-730193993-4255125875-3321969383-2534286350 RFCOMM
S-1-5-80-3216188369-3897538938-543323431-4144952942-4182718943 rhproxy
S-1-5-80-3765985997-1043742756-2756022526-3497566756-2081646175 RmSvc
S-1-5-80-3993802144-2555107232-3516638766-2735499450-3275915967 ScDeviceEnum
S-1-5-80-739156932-4202345562-1098723576-2529635932-2179704457 scmbus
S-1-5-80-3730768523-2660761635-2080149804-588026050-2891317352 sdbus
S-1-5-80-2993119251-3416827737-2039089254-2988278179-172925588 SDFRd
S-1-5-80-106427005-851153787-2361826242-1841078065-3276170637 sdstor
S-1-5-80-259296475-4084429506-1152984619-38739575-565535606 SecurityHealthService
S-1-5-80-2226967063-754826275-1661302337-2802353169-2369347280 SEMgrSvc
S-1-5-80-1523878533-411328482-2798077809-3098663872-2604013308 Sense
S-1-5-80-3835358604-2805616403-1686431098-2148037164-3679743528 SensorDataService
S-1-5-80-869152694-422618349-3448047118-1397179936-2828741493 SensorService
S-1-5-80-3391662211-1836087953-1525834830-1506885508-682969218 SerCx
S-1-5-80-3290564682-3359114709-1529561987-4148060287-271116923 SerCx2
S-1-5-80-1582054788-470990004-40152839-730814383-1124151202 SgrmAgent
S-1-5-80-3706850399-3459138796-2835936764-562029542-397710147 SgrmBroker
S-1-5-80-3246321066-2451215914-3422911474-2201726393-166328789 SharedRealitySvc
S-1-5-80-4106268995-3617844033-680706512-3896918354-2380077472 shpamsvc
S-1-5-80-3842628764-1253170212-1172882037-4289227758-4267631040 SmartSAMD
S-1-5-80-1821507682-1115666477-1591553307-1734210999-3312719974 smbdirect
S-1-5-80-230328282-2568015442-686465752-3474446193-2137307224 smphost
S-1-5-80-2950457502-2299174248-3328245479-1326271200-3113355612 SmsRouter
S-1-5-80-217413056-3833387362-178569430-1954288181-1272411947 SMSvcHost 4.0.0.0
S-1-5-80-2030916845-920430783-420616369-4268599728-1745276005 spaceparser
S-1-5-80-3804375463-2979979117-3280645550-3527107762-3022760719 spaceport
S-1-5-80-664203522-3160570195-1635065499-2708521076-3299712393 SpatialGraphFilter
S-1-5-80-3979690135-2752926531-2282419748-2415739691-1066856619 SpbCx
S-1-5-80-2731152606-4244467407-1946816704-3721569673-479255522 spectrum
S-1-5-80-2277354432-2697620045-1656008878-1855416240-261295475 ssh-agent
S-1-5-80-4118144674-975173503-976751360-2062754009-4288402176 StateRepository
S-1-5-80-3182985763-1431228038-2757062859-428472846-3914011746 stisvc
S-1-5-80-341174513-3036333638-3617001766-2776055326-2809179524 storahci
S-1-5-80-4243609067-2923323804-3669886039-3498181113-4202203050 stornvme
S-1-5-80-2198686546-2221861197-1858316108-2015056224-400908585 storqosflt
S-1-5-80-2019411066-3003329723-2609168412-3625837524-2221108837 storufs
S-1-5-80-2483706823-3321877870-553300257-593996131-450212729 svsvc
S-1-5-80-927584136-3246479672-3996289350-2713334021-2098405977 Synth3dVsc
S-1-5-80-1662832393-3268938575-4001313665-1200257238-783911988 SystemEventsBroker
S-1-5-80-842221325-3630721446-2015653073-424833842-1069621030 Tcpip6
S-1-5-80-1003279123-1651757316-1243245493-3539186934-1753552613 Telemetry
S-1-5-80-3141112300-3466319987-880208219-2791244925-2953947883 terminpt
S-1-5-80-427241336-4111990062-2791250970-2845566439-1217505164 TieringEngineService
S-1-5-80-410965207-2550896871-1717734767-2321332215-3755966139 TimeBrokerSvc
S-1-5-80-4077216321-3151206942-641340059-4241647091-1300899357 TokenBroker
S-1-5-80-325036955-4200148024-1479951852-2634116931-2865895459 TPM
S-1-5-80-1139522462-2689595747-457373284-4037083511-4201549542 TroubleshootingSvc
S-1-5-80-3547539953-1452514991-991928397-2821742631-2888215071 TsUsbFlt
S-1-5-80-651631395-3385332028-373277408-2457879084-1955742111 TsUsbGD
S-1-5-80-2292203918-1506848946-3955473809-4024494573-4108135173 tsusbhub
S-1-5-80-3641914668-2724251012-1186334157-2460844255-322272688 tzautoupdate
S-1-5-80-3033002672-3264167506-3374793840-2611327823-1324250788 UASPStor
S-1-5-80-3559279508-480464440-2060053639-2450836018-584673110 UcmCx0101
S-1-5-80-986347966-4291837576-3105858776-4112886612-1615276934 UcmTcpciCx0101
S-1-5-80-2946873420-2809826944-3342656785-1798640712-1793966795 UcmUcsiAcpiClient
S-1-5-80-3947455493-1779752151-1865639843-1092346862-2012747891 UcmUcsiCx0101
S-1-5-80-3476958810-2644384738-2655413726-1639285643-1444265662 Ucx01000
S-1-5-80-227846823-3077342265-3698762170-815164292-2633305508 UdeCx
S-1-5-80-2008930627-2960539461-4086452603-1305618659-1299222103 UdkUserSvc
S-1-5-80-2960622349-2603655608-463014845-353330955-2631882611 UdkUserSvc_50fad
S-1-5-80-259741192-1658403178-390766877-3226735796-603445823 UEFI
S-1-5-80-3429946394-717031342-3915206314-2329540128-2872892288 UevAgentDriver
S-1-5-80-1639943639-1314739636-372181295-777240325-3530900257 UevAgentService
S-1-5-80-1983721769-1446015346-1638820087-833790554-4117195697 Ufx01000
S-1-5-80-2486803200-2786917169-1479676890-818817034-2254858114 UfxChipidea
S-1-5-80-3461039289-3711732118-2967254728-2566641523-4135479736 ufxsynopsys
S-1-5-80-951045732-3304998411-4140413591-2375454759-2566081399 UnistoreSvc
S-1-5-80-1232783531-1412289346-3408063018-2430219916-590553325 UnistoreSvc_50fad
S-1-5-80-948646300-214352964-3153699637-3534669071-395810831 UrsChipidea
S-1-5-80-311046983-1549683341-1485789459-3189993376-3259784172 UrsCx01000
S-1-5-80-3858170093-3095794678-3940928812-3402197675-2417274444 UrsSynopsys
S-1-5-80-1038357558-2508750332-1127516358-2098882773-1571978916 usbaudio
S-1-5-80-3715696977-77976676-2422196092-1701963391-244329408 usbaudio2
S-1-5-80-2532058633-1854360046-4195713749-973563373-2229526857 USBHUB3
S-1-5-80-322830934-407560818-413383929-2953137197-2859522744 usbser
S-1-5-80-811199202-3756583514-1800339595-8156802-767824446 USBXHCI
S-1-5-80-2995899262-2131376444-1860748247-2210972999-1941275431 UserDataSvc
S-1-5-80-339627148-1085118590-1191147914-145126631-47496027 UserDataSvc_50fad
S-1-5-80-2008603874-3981339663-2468433650-2111681540-3858834245 UserManager
S-1-5-80-223807737-1693445485-119162242-1977420160-1403034029 UsoSvc
S-1-5-80-1989757894-211065159-731672622-1783776043-3948168785 VacSvc
S-1-5-80-2231687835-1975921998-2379643093-1123054981-1892632637 VerifierExt
S-1-5-80-2337629457-4082528419-1990172282-783805348-776062068 vhf
S-1-5-80-4056652736-3832535469-1849010726-800110142-2900318757 Vid
S-1-5-80-4005553843-2860153778-2672767370-1614289598-2532660634 VirtualRender
S-1-5-80-3419770058-1088902930-2242902800-2505332296-3985202246 vmgid
S-1-5-80-3074984378-4122987768-2130325677-2031866499-3405430279 vmicguestinterface
S-1-5-80-534935901-3437432317-481271085-1710633381-983106267 vmicheartbeat
S-1-5-80-1877308096-3090306141-3032871208-3115266146-1400827410 vmickvpexchange
S-1-5-80-3076811988-2254870394-2658297454-3934945422-2393138642 vmicrdv
S-1-5-80-3110303136-3426481729-3186938678-1087894076-2178433439 vmicshutdown
S-1-5-80-3098585136-2538892366-1097114017-2832417424-2016953023 vmictimesync
S-1-5-80-235582178-102246843-358262472-4132936818-1867412993 vmicvmsession
S-1-5-80-1752088424-1054500994-3489791022-3310831482-3926524968 vmicvss
S-1-5-80-2476029939-3227366791-4018265514-4032530291-4172793725 volume
S-1-5-80-1770745653-882454895-2389083440-3735684190-802018898 vpci
S-1-5-80-1072045427-3277916734-2175442256-760694638-1728218837 VSTXRAID
S-1-5-80-3303534547-3920260423-752829696-1552054067-268166277 vwififlt
S-1-5-80-2169053098-454685327-3448947123-3791923320-414336915 WaaSMedicSvc
S-1-5-80-1874328037-1620432936-4113708365-722077214-3851787529 WalletService
S-1-5-80-145391760-3682396335-1395736941-2543690743-1822485816 wanarp
S-1-5-80-3957613141-1606606214-622769385-3049525404-2510868034 wanarpv6
S-1-5-80-2145785123-2886438689-3072542501-3020378507-1504386134 WarpJITSvc
S-1-5-80-1468946484-2183346801-2582215073-2203958287-114577455 wcifs
S-1-5-80-4155767994-3874329934-3800885181-2130851812-726865888 Wcmsvc
S-1-5-80-486657452-3436462838-2743705563-1382716400-3286987141 wcnfs
S-1-5-80-3188579509-896559776-1549670742-2760322350-3311614235 WdBoot
S-1-5-80-2003142183-3009844670-3971145999-3073937758-3917121208 WdFilter
S-1-5-80-499275411-3916059529-905482537-4117857359-1999665194 wdiwifi
S-1-5-80-2105769960-3462231971-121635667-3410645665-2561607156 WdmCompanionFilter
S-1-5-80-2946744033-2833218566-1164540619-314168540-3391284662 WdNisDrv
S-1-5-80-3668810961-2468724468-4084584310-3029221373-430494444 WdNisSvc
S-1-5-80-1282825935-788281630-359899028-1878232204-2860951615 WEPHOSTSVC
S-1-5-80-1495648203-2503502111-1597754693-3445174711-1316708627 WFDSConMgrSvc
S-1-5-80-2768376765-85268660-951480638-2317617532-3422828864 WFPLWFS
S-1-5-80-533360197-2630880149-807505739-2151714924-2570839994 WiaRpc
S-1-5-80-3488966095-3237316714-2152248236-3202922946-3275547626 Windows Workflow Foundation 4.0.0.0
S-1-5-80-1314485122-3970895080-1653179290-3214604197-56682579 WindowsTrustedRT
S-1-5-80-2899914805-2506168806-919368875-2051509565-976885860 WindowsTrustedRTProxy
S-1-5-80-350045039-4213533676-3741949053-609707664-895491048 WinMad
S-1-5-80-4015764710-1917268369-2628323210-1820452808-4095801055 WinNat
S-1-5-80-2971715461-3208067863-1422018366-770925591-1162363329 WINUSB
S-1-5-80-1409370327-2262994431-3181734005-3492817815-127119016 WinVerbs
S-1-5-80-2429767553-128593128-2427591838-1778256749-2155598187 wisvc
S-1-5-80-1428027539-3309602793-2678353003-1498846795-3763184142 WlanSvc
S-1-5-80-2952724807-2252311773-3412998076-2712868122-780978283 wlidsvc
S-1-5-80-3916113136-2435487254-2535488001-4050622930-2364918814 wlpasvc
S-1-5-80-3577588319-513283748-931039988-2701962192-2148388740 WManSvc
S-1-5-80-1635442456-4231674260-3066288937-1147435026-1365933032 Wof
S-1-5-80-3413159032-3694667005-1396569551-1250786377-1429361823 workerdd
S-1-5-80-3006764832-2469330069-4024865495-2754276538-3243839463 workfolderssvc
S-1-5-80-2657955583-569354589-921901904-1883788092-850583853 WpcMonSvc
S-1-5-80-358856340-4190185137-1150018170-4132368399-2594611401 WpdUpFltr
S-1-5-80-1938892561-4120931771-3580170924-3403102300-2651602529 WpnService
S-1-5-80-951620777-1059631183-2804607755-3010024351-809615488 WpnUserService
S-1-5-80-1069300804-2231982870-930986846-425802403-2676852813 WpnUserService_50fad
S-1-5-80-1803441692-2341117941-3526855333-3767870088-2684717574 WUDFWpdFs
S-1-5-80-472864980-3821642676-709327584-2321888604-4243627364 XblAuthManager
S-1-5-80-2649222292-2060825207-2866066902-505902355-282187514 XblGameSave
S-1-5-80-794853676-1269112726-2386671565-1760138502-3367587780 xboxgip
S-1-5-80-3605394182-687838168-1441221562-1662690741-4241567093 XboxGipSvc
S-1-5-80-1352715831-1104254428-97934242-2131353953-1898040052 XboxNetApiSvc
S-1-5-80-1281037624-1782002805-990284447-3522102690-2853398433 xinputhid
3. Open ports
Volatility does not seem to support this functionality for Windows 10/11, so I will do it from PowerShell on the machine itself:
(volatility) javiercruces@HPOMEN15:~/volatility3$ sudo python3 vol.py -f "/mnt/vdb/memoria/memdump.mem" windows.netstat
Volatility 3 Framework 2.5.2
PS C:\Windows\system32> Get-NetTCPConnection | Where-Object {$_.State -eq 'Listen'} | Select-Object LocalAddress, LocalPort
LocalAddress LocalPort
------------ ---------
:: 49670
:: 49669
:: 49668
:: 49667
:: 49666
:: 49665
:: 49664
:: 7680
:: 5357
:: 3389
:: 445
:: 135
0.0.0.0 49670
0.0.0.0 49669
0.0.0.0 49668
0.0.0.0 49667
0.0.0.0 49666
0.0.0.0 49665
0.0.0.0 49664
0.0.0.0 5040
0.0.0.0 3389
192.168.122.203 139
0.0.0.0 135
4. Connections established by the machine
As in the previous point, Volatility does not seem to support current versions of Windows:
(volatility) javiercruces@HPOMEN15:~/volatility3$ sudo python3 vol.py -f "/mnt/vdb/memoria/memdump.mem" windows.netscan.NetScan
PS C:\Windows\system32> Get-NetTCPConnection | Where-Object {$_.State -eq 'Established' -and $_.LocalAddress -ne '127.0.0.1'} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State
LocalAddress : 192.168.122.203
LocalPort : 49855
RemoteAddress : 142.250.200.138
RemotePort : 443
State : Established
LocalAddress : 192.168.122.203
LocalPort : 49853
RemoteAddress : 184.28.177.55
RemotePort : 80
State : Established
LocalAddress : 192.168.122.203
LocalPort : 49846
RemoteAddress : 2.20.253.149
RemotePort : 443
State : Established
LocalAddress : 192.168.122.203
LocalPort : 49845
RemoteAddress : 184.28.177.9
RemotePort : 443
State : Established
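Reading the two PowerShell listings by hand works for a dozen sockets but not for a busy host. The following Python script is an added example, not part of the original write-up: it parses Get-NetTCPConnection output in both shapes shown above (the two-column table and the Name : Value list), drops the RPC listeners in the dynamic port range (49152 and up), and groups the established connections by peer, marking each peer as private or public with the ipaddress module. The sample input is constructed from the values above; the 192.168.122.1:22 peer is invented to show a private-network peer.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input, mirroring the Get-NetTCPConnection output shown above.
# The 192.168.122.1:22 peer is invented to show a private-network peer.
LISTEN_TABLE = """\
LocalAddress LocalPort
------------ ---------
:: 49664
:: 3389
:: 445
:: 135
0.0.0.0 49664
0.0.0.0 5040
0.0.0.0 3389
192.168.122.203 139
0.0.0.0 135
"""

ESTABLISHED_LIST = """\
LocalAddress : 192.168.122.203
LocalPort : 49855
RemoteAddress : 142.250.200.138
RemotePort : 443
State : Established

LocalAddress : 192.168.122.203
LocalPort : 49853
RemoteAddress : 184.28.177.55
RemotePort : 80
State : Established

LocalAddress : 192.168.122.203
LocalPort : 50001
RemoteAddress : 192.168.122.1
RemotePort : 22
State : Established
"""

# Start of the Windows dynamic port range; the 4966x listeners are RPC endpoints allocated there.
EPHEMERAL_MIN = 49152


def parse_listen_table(text):
    """Parse 'LocalAddress LocalPort' table rows into (address, port) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue  # header, separator or blank line
        rows.append((parts[0], int(parts[1])))
    return rows


def parse_property_list(text):
    """Parse PowerShell 'Name : Value' list output into one dict per blank-line separated record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")  # first colon only, so IPv6 values survive
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def listening_services(rows):
    """Map each listening port below the dynamic range to the addresses bound to it."""
    by_port = defaultdict(set)
    for addr, port in rows:
        if port < EPHEMERAL_MIN:
            by_port[port].add(addr)
    return {port: sorted(addrs) for port, addrs in sorted(by_port.items())}


def classify_peers(records):
    """Group established connections by remote address and tag the peer as private or public."""
    peers = {}
    for rec in records:
        if rec.get("State") != "Established":
            continue
        remote = rec["RemoteAddress"]
        scope = "private" if ipaddress.ip_address(remote).is_private else "public"
        peers.setdefault(remote, {"scope": scope, "ports": set()})["ports"].add(int(rec["RemotePort"]))
    return {r: {"scope": e["scope"], "ports": sorted(e["ports"])} for r, e in peers.items()}


def summarize(listen_text, established_text):
    """Build the triage summary from the raw text of both PowerShell listings."""
    return {
        "listening": listening_services(parse_listen_table(listen_text)),
        "peers": classify_peers(parse_property_list(established_text)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(LISTEN_TABLE, ESTABLISHED_LIST), indent=2))
```

Run it as a script for the JSON summary, or feed it the saved text files from the evidence disk; the public peers are the ones to cross-reference with the DNS cache in point 7.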
5. Remotely established user sessions
In the listing below, session 2 is the one whose processes carry the session type RDP-Tcp#1: javiercruces is logged in through Remote Desktop (port 3389 was listening in point 3), while session 0 holds the services and session 1 is the console session sitting at the logon screen (LogonUI.exe).
(volatility) javiercruces@HPOMEN15:~/volatility3$ sudo python3 vol.py -f "/mnt/vdb/memoria/memdump.mem" windows.sessions.Sessions
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Session ID Session Type Process ID Process User Name Create Time
N/A - 4 System - 2024-02-05 19:30:59.000000
N/A - 92 Registry - 2024-02-05 19:30:56.000000
N/A - 344 smss.exe - 2024-02-05 19:30:59.000000
0 - 448 csrss.exe /SYSTEM 2024-02-05 19:31:15.000000
0 - 516 wininit.exe /SYSTEM 2024-02-05 19:31:15.000000
0 - 648 services.exe /SYSTEM 2024-02-05 19:31:15.000000
0 - 668 lsass.exe /SYSTEM 2024-02-05 19:31:15.000000
0 - 768 fontdrvhost.ex Font Driver Host/UMFD-0 2024-02-05 19:31:15.000000
0 - 788 svchost.exe WORKGROUP/DESKTOP-KG80ESU$ 2024-02-05 19:31:15.000000
0 - 880 svchost.exe WORKGROUP/DESKTOP-KG80ESU$ 2024-02-05 19:31:15.000000
0 - 400 svchost.exe WORKGROUP/DESKTOP-KG80ESU$ 2024-02-05 19:31:16.000000
0 - 444 svchost.exe WORKGROUP/DESKTOP-KG80ESU$ 2024-02-05 19:31:16.000000
0 - 584 svchost.exe NT AUTHORITY/SERVICIO LOCAL 2024-02-05 19:31:16.000000
0 - 1032 svchost.exe NT AUTHORITY/SERVICIO LOCAL 2024-02-05 19:31:16.000000
0 - 1040 svchost.exe WORKGROUP/DESKTOP-KG80ESU$ 2024-02-05 19:31:16.000000
0 - 1244 svchost.exe NT AUTHORITY/SERVICIO LOCAL 2024-02-05 19:31:16.000000
0 - 1460 svchost.exe WORKGROUP/DESKTOP-KG80ESU$ 2024-02-05 19:31:16.000000
0 - 1520 svchost.exe WORKGROUP/DESKTOP-KG80ESU$ 2024-02-05 19:31:16.000000
0 - 1572 svchost.exe NT AUTHORITY/SERVICIO LOCAL 2024-02-05 19:31:16.000000
0 - 1924 svchost.exe NT AUTHORITY/SERVICIO LOCAL 2024-02-05 19:31:16.000000
0 - 1956 svchost.exe NT AUTHORITY/SERVICIO LOCAL 2024-02-05 19:31:16.000000
0 - 1052 svchost.exe WORKGROUP/DESKTOP-KG80ESU$ 2024-02-05 19:31:16.000000
0 - 1068 svchost.exe NT AUTHORITY/SERVICIO LOCAL 2024-02-05 19:31:16.000000
0 - 1232 svchost.exe NT AUTHORITY/SERVICIO LOCAL 2024-02-05 19:31:16.000000
0 - 1568 spoolsv.exe WORKGROUP/DESKTOP-KG80ESU$ 2024-02-05 19:31:16.000000
0 - 2052 svchost.exe NT AUTHORITY/SERVICIO LOCAL 2024-02-05 19:31:16.000000
0 - 2300 svchost.exe WORKGROUP/DESKTOP-KG80ESU$ 2024-02-05 19:31:17.000000
0 - 2412 MsMpEng.exe WORKGROUP/DESKTOP-KG80ESU$ 2024-02-05 19:31:17.000000
0 - 2868 svchost.exe WORKGROUP/DESKTOP-KG80ESU$ 2024-02-05 19:31:18.000000
0 - 3044 dasHost.exe NT AUTHORITY/SERVICIO LOCAL 2024-02-05 19:31:18.000000
0 - 664 svchost.exe NT AUTHORITY/SERVICIO LOCAL 2024-02-05 19:31:19.000000
0 - 3868 WUDFHost.exe /SYSTEM 2024-02-05 19:31:38.000000
0 - 3068 NisSrv.exe NT AUTHORITY/SERVICIO LOCAL 2024-02-05 19:31:39.000000
0 - 4452 SearchIndexer. WORKGROUP/DESKTOP-KG80ESU$ 2024-02-05 19:31:40.000000
0 - 5828 WmiPrvSE.exe WORKGROUP/DESKTOP-KG80ESU$ 2024-02-05 19:31:44.000000
0 - 6028 GoogleCrashHan - 2024-02-05 19:31:45.000000
0 - 6092 GoogleCrashHan WORKGROUP/DESKTOP-KG80ESU$ 2024-02-05 19:31:45.000000
0 - 3236 SecurityHealth WORKGROUP/DESKTOP-KG80ESU$ 2024-02-05 19:31:54.000000
0 - 7020 svchost.exe WORKGROUP/DESKTOP-KG80ESU$ 2024-02-05 19:33:17.000000
0 - 4788 SgrmBroker.exe - 2024-02-05 19:33:18.000000
0 - 760 svchost.exe NT AUTHORITY/SERVICIO LOCAL 2024-02-05 19:33:18.000000
1 - 528 csrss.exe /SYSTEM 2024-02-05 19:31:15.000000
1 - 612 winlogon.exe /SYSTEM 2024-02-05 19:31:15.000000
1 - 776 fontdrvhost.ex Font Driver Host/UMFD-1 2024-02-05 19:31:15.000000
1 - 988 dwm.exe /SYSTEM 2024-02-05 19:31:15.000000
1 - 996 LogonUI.exe /SYSTEM 2024-02-05 19:31:15.000000
N/A - 1768 MemCompression - 2024-02-05 19:31:16.000000
2 - 3792 csrss.exe /SYSTEM 2024-02-05 19:31:38.000000
2 - 3840 winlogon.exe /SYSTEM 2024-02-05 19:31:38.000000
2 - 3960 fontdrvhost.ex Font Driver Host/UMFD-2 2024-02-05 19:31:38.000000
2 - 4020 dwm.exe /SYSTEM 2024-02-05 19:31:38.000000
2 - 3456 rdpclip.exe DESKTOP-KG80ESU/javiercruces 2024-02-05 19:31:39.000000
2 - 3616 sihost.exe DESKTOP-KG80ESU/javiercruces 2024-02-05 19:31:39.000000
2 - 3400 svchost.exe DESKTOP-KG80ESU/javiercruces 2024-02-05 19:31:39.000000
2 - 3188 taskhostw.exe DESKTOP-KG80ESU/javiercruces 2024-02-05 19:31:39.000000
2 - 3344 ctfmon.exe DESKTOP-KG80ESU/javiercruces 2024-02-05 19:31:39.000000
2 - 4208 userinit.exe - 2024-02-05 19:31:40.000000
2 RDP-Tcp#1 4236 explorer.exe DESKTOP-KG80ESU/javiercruces 2024-02-05 19:31:40.000000
2 - 4388 svchost.exe DESKTOP-KG80ESU/javiercruces 2024-02-05 19:31:40.000000
2 - 4876 StartMenuExper DESKTOP-KG80ESU/javiercruces 2024-02-05 19:31:41.000000
2 - 5096 RuntimeBroker. DESKTOP-KG80ESU/javiercruces 2024-02-05 19:31:42.000000
2 - 4732 SearchApp.exe - 2024-02-05 19:31:42.000000
2 - 5184 RuntimeBroker. DESKTOP-KG80ESU/javiercruces 2024-02-05 19:31:42.000000
2 - 3740 RuntimeBroker. DESKTOP-KG80ESU/javiercruces 2024-02-05 19:31:52.000000
2 - 1912 smartscreen.ex DESKTOP-KG80ESU/javiercruces 2024-02-05 19:31:54.000000
2 RDP-Tcp#1 3524 SecurityHealth DESKTOP-KG80ESU/javiercruces 2024-02-05 19:31:54.000000
2 RDP-Tcp#1 820 OneDrive.exe DESKTOP-KG80ESU/javiercruces 2024-02-05 19:31:55.000000
2 RDP-Tcp#1 6128 chrome.exe DESKTOP-KG80ESU/javiercruces 2024-02-05 19:31:56.000000
2 - 2040 chrome.exe - 2024-02-05 19:31:57.000000
2 RDP-Tcp#1 5404 chrome.exe DESKTOP-KG80ESU/javiercruces 2024-02-05 19:31:57.000000
2 RDP-Tcp#1 5392 chrome.exe DESKTOP-KG80ESU/javiercruces 2024-02-05 19:31:57.000000
2 RDP-Tcp#1 5348 chrome.exe DESKTOP-KG80ESU/javiercruces 2024-02-05 19:31:57.000000
2 - 5496 chrome.exe - 2024-02-05 19:31:57.000000
2 - 6184 chrome.exe - 2024-02-05 19:31:57.000000
2 - 6200 chrome.exe - 2024-02-05 19:31:57.000000
2 - 6380 TextInputHost. DESKTOP-KG80ESU/javiercruces 2024-02-05 19:31:57.000000
2 - 6556 dllhost.exe - 2024-02-05 19:31:58.000000
2 - 6156 chrome.exe - 2024-02-05 19:33:00.000000
2 - 5284 chrome.exe - 2024-02-05 19:33:00.000000
2 - 4036 chrome.exe - 2024-02-05 19:33:05.000000
2 - 6916 FTK Imager.exe DESKTOP-KG80ESU/javiercruces 2024-02-05 19:33:11.000000
2 - 6044 ApplicationFra DESKTOP-KG80ESU/javiercruces 2024-02-05 19:33:14.000000
2 - 6104 Calculator.exe DESKTOP-KG80ESU/javiercruces 2024-02-05 19:33:14.000000
2 - 5864 RuntimeBroker. DESKTOP-KG80ESU/javiercruces 2024-02-05 19:33:14.000000
2 - 7348 HxCalendarAppI - 2024-02-05 19:33:20.000000
2 - 7412 RuntimeBroker. DESKTOP-KG80ESU/javiercruces 2024-02-05 19:33:20.000000
2 - 7476 HxTsr.exe - 2024-02-05 19:33:20.000000
2 - 7816 Taskmgr.exe DESKTOP-KG80ESU/javiercruces 2024-02-05 19:33:22.000000
2 - 8072 explorer.exe DESKTOP-KG80ESU/javiercruces 2024-02-05 19:33:34.000000
2 - 7256 PaintStudio.Vi DESKTOP-KG80ESU/javiercruces 2024-02-05 19:33:39.000000
2 - 7796 RuntimeBroker. DESKTOP-KG80ESU/javiercruces 2024-02-05 19:33:40.000000
2 - 900 Time.exe DESKTOP-KG80ESU/javiercruces 2024-02-05 19:33:42.000000
2 - 2132 RuntimeBroker. DESKTOP-KG80ESU/javiercruces 2024-02-05 19:33:43.000000
6. Files recently transferred over NetBIOS
Volatility has no support for this function:
Being on an isolated network with no other Windows machine, no files were transferred over this protocol.
Event 5140 (a network share object was accessed) is only written when the "Audit File Share" subcategory is enabled, and the event ID has to be filtered with -FilterHashtable rather than by matching the message text, which never contains the literal "EventID: 5140". Property 8 of the event is the local path of the share; per-file detail is in event 5145.
PS C:\Windows\system32> Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5140} | Select-Object TimeCreated, @{Name="ShareLocalPath";Expression={$_.Properties[8].Value}}
PS C:\Users\javiercruces> NBTSTAT -n
Ethernet:
Node IpAddress: [192.168.122.203] Scope Id: []
NetBIOS Local Name Table
Name Type Status
---------------------------------------------
DESKTOP-KG80ESU<20> UNIQUE Registered
DESKTOP-KG80ESU<00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
7. DNS cache contents
Volatility has no support for this function:
PS C:\Windows\system32> ipconfig /displaydns
Windows IP Configuration
edgedl.me.gvt1.com
----------------------------------------
Record Name . . . . . : edgedl.me.gvt1.com
Record Type . . . . . : 1
Time To Live  . . . . : 897
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 34.104.35.123
msedge.b.tlu.dl.delivery.mp.microsoft.com
----------------------------------------
Record Name . . . . . : msedge.b.tlu.dl.delivery.mp.microsoft.com
Record Type . . . . . : 5
Time To Live  . . . . : 44
Data Length . . . . . : 8
Section . . . . . . . : Answer
CNAME Record  . . . . : cdp-tlu-shim.trafficmanager.net
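To keep the cache as structured evidence rather than a screenshot, the following Python parser, an added example and not part of the original write-up, turns ipconfig /displaydns output into records. It relies on the fixed order of the fields and on the numeric record type, so it works whether the labels are in English or, as on this machine, in Spanish. The sample input is constructed from the two entries above plus an invented negative-cache entry.

```python
# RR type numbers as printed by ipconfig /displaydns; the output shows the number,
# not the mnemonic, so the parser does not depend on the display language.
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}

# Constructed sample in the shape shown above, plus an invented negative-cache entry.
SAMPLE = """\
Windows IP Configuration

    edgedl.me.gvt1.com
    ----------------------------------------
    Record Name . . . . . : edgedl.me.gvt1.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 897
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 34.104.35.123


    msedge.b.tlu.dl.delivery.mp.microsoft.com
    ----------------------------------------
    Record Name . . . . . : msedge.b.tlu.dl.delivery.mp.microsoft.com
    Record Type . . . . . : 5
    Time To Live  . . . . : 44
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : cdp-tlu-shim.trafficmanager.net


    missing.example
    ----------------------------------------
    Name does not exist.
"""


def parse_displaydns(text):
    """Parse ipconfig /displaydns output into a list of record dicts.

    Each cached name is introduced by a line of dashes; the line above it is the queried name.
    Records follow as 'label : value' lines in a fixed order (name, type, TTL, length, section,
    data), so the parser keys on position and on the first colon, not on the localized labels.
    A block without any 'label : value' line is a negative-cache entry.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    dashes = [i for i, ln in enumerate(lines) if ln.startswith("----")]
    entries = []
    for n, d in enumerate(dashes):
        name = lines[d - 1]
        end = dashes[n + 1] - 1 if n + 1 < len(dashes) else len(lines)  # stop before the next name
        body = [ln for ln in lines[d + 1:end] if ln]
        values = [ln.partition(":")[2].strip() for ln in body if ":" in ln]
        if not values:
            entries.append({"query": name, "negative": True, "status": body[0] if body else ""})
            continue
        for k in range(0, len(values) - len(values) % 6, 6):  # one record per six fields
            rname, rtype, ttl, length, section, data = values[k:k + 6]
            entries.append({
                "query": name, "negative": False, "name": rname,
                "type": RR_TYPES.get(int(rtype), rtype), "ttl": int(ttl),
                "length": int(length), "section": section, "data": data,
            })
    return entries


def resolved_addresses(entries):
    """Collapse A/AAAA answers into {name: [addresses]}, the view used when pivoting to netstat output."""
    out = {}
    for e in entries:
        if not e["negative"] and e["type"] in ("A", "AAAA"):
            out.setdefault(e["name"], []).append(e["data"])
    return out


if __name__ == "__main__":
    for entry in parse_displaydns(SAMPLE):
        print(entry)
    print(resolved_addresses(parse_displaydns(SAMPLE)))
```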
8. Environment variables
(volatility) javiercruces@HPOMEN15:~/volatility3$ sudo python3 vol.py -f "/mnt/vdb/memoria/memdump.mem" windows.envars
2132 RuntimeBroker. 0x1ae8f803400 USERDOMAIN DESKTOP-KG80ESU
2132 RuntimeBroker. 0x1ae8f803400 USERDOMAIN_ROAMINGPROFILE DESKTOP-KG80ESU
2132 RuntimeBroker. 0x1ae8f803400 USERNAME javiercruces
2132 RuntimeBroker. 0x1ae8f803400 USERPROFILE C:\Users\javiercruces
2132 RuntimeBroker. 0x1ae8f803400 windir C:\Windows
Analysing the Windows Registry
For this we download Registry Viewer 2.0.0: https://www.exterro.com/ftk-product-downloads/registry-viewer-2-0-0
We open the SYSTEM hive, one of the registry files exported earlier with FTK Imager (the others being SAM, SECURITY and SOFTWARE, plus each user's NTUSER.DAT):
9. Connected USB devices
In the SYSTEM hive, under –> system\ControlSet001\Enum\USBSTOR (one subkey per device model, with the serial number as the child key) and system\ControlSet001\Enum\USB.
Autopsy:
10. Recently used Wi-Fi networks.
We can find it under –> system/ControlSet001/Control/Network/Connections
The network profiles themselves (name, wired or wireless type, first and last connection dates) are in the SOFTWARE hive under –> software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles, and the saved wireless profiles are XML files under C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces.
11. Host firewall configuration.
system\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy
12. Programs that run at startup.
software\Microsoft\Windows\CurrentVersion\Run
Also software\Microsoft\Windows\CurrentVersion\RunOnce and, per user, NTUSER.DAT under Software\Microsoft\Windows\CurrentVersion\Run.
13. Association of file extensions with applications.
Under this key –> software\Classes
14. Recently used applications.
In each user's NTUSER.DAT under –> Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist (program names are ROT13-encoded; each value stores the run count and last run time).
15. Recently opened files.
NTUSER.DAT –> Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs, together with the .lnk files in C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent.
16. Installed software.
software\Microsoft\Windows\CurrentVersion\Uninstall (and software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall for 32-bit packages).
17. Saved passwords.
18. User accounts
We can see the answers to the security questions (in the SAM hive, under SAM\Domains\Account\Users\<RID>, the ResetData value stores the security questions and answers as JSON from Windows 10 1803 on):
With third-party applications:
19. Browsing and download history. Cookies.
History:
Downloads:
Cookies:
20. Encrypted volumes
It shows the encrypted FILES:
On the disk image:
21. Files with a changed extension
We check that the MIME type matches the extension:
There is also an artefact that lists the files stored under an extension that does not match their content:
22. Deleted files
There is a specific section that lists the deleted files:
But if you browse the directories, it will also tell you whether there is a deleted file in each one:
23. Hidden files
24. Files containing a given string
25. Searching images by location.
Autopsy's geolocation does not locate the image for me, so I will use an external tool.
26. Searching files by author.
Part B: Linux machine.
Try to carry out the same operations on a Linux machine for those points that make sense and are not done identically to Windows.
When using Volatility for this part, it does not recognise the plugins for the specific Debian version; I generated them following this tutorial: https://markuta.com/live-memory-acquisition-on-linux-systems/
However, it still does not recognise them, and I have tried both Volatility 2 and version 3. I will connect to the machine and show with commands how to obtain each exercise; there is no other way. What I will do is redirect the output of the commands to a file on the device where I stored the dumps.
1. Running processes
root@debian:~# ps aux > /mnt/procesos
root@debian:~# cat /mnt/procesos
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.3 0.6 102660 12616 ? Ss 16:44 0:00 /sbin/init
root 2 0.0 0.0 0 0 ? S 16:44 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? I< 16:44 0:00 [rcu_gp]
2. Running services
root@debian:~# systemctl list-units --type=service --state=running > /mnt/servicios_corriendo
root@debian:~# systemctl list-units --type=service --state=running
UNIT LOAD ACTIVE SUB DESCRIPTION
accounts-daemon.service loaded active running Accounts Service
avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack
colord.service loaded active running Manage, Install and Generate Color Profiles
3. Open ports
root@debian:~# ss -tuln > /mnt/puertos_abiertos
root@debian:~# ss -tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:42925 0.0.0.0:*
4. Connections established by the machine
ss -an lists every socket family, which is why the excerpt below shows Unix-domain sockets; ss -tanp state established restricts the listing to TCP sessions with their owning process.
root@debian:~# ss -an > /mnt/conexiones_establecidas
root@debian:~# ss -an
u_dgr ESTAB 0 0 * 19629 * 19630
u_str ESTAB 0 0 /run/user/112/pipewire-0 19262 * 19261
u_str ESTAB 0 0 * 18971 * 18972
u_str ESTAB 0 0 * 18439 * 18440
5. Remotely established user sessions
root@debian:~# who
javiercruces pts/0 2024-02-18 16:44 (192.168.122.1)
javiercruces pts/1 2024-02-18 16:46 (192.168.122.1)
root@debian:~# who > /mnt/conexiones_remtoas
7. DNS cache contents
systemd-resolved keeps its cache in memory and only writes it to the journal when it receives SIGUSR1, so send that first; if the machine does not run systemd-resolved, the unit has no log and the resolver actually in use (for example dnsmasq under NetworkManager) has to be checked instead.
root@debian:~# kill -USR1 $(pidof systemd-resolved)
root@debian:~# sudo journalctl -u systemd-resolved > /mnt/cachedns
8. Environment variables
root@debian:~# env > /mnt/variables_entorno
9. Connected USB devices
root@debian:~# lsusb
Bus 002 Device 002: ID 46f4:0001 QEMU QEMU USB HARDDRIVE
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd QEMU Tablet
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
root@debian:~# lsusb > /mnt/usb_conectados
10. Recently used Wi-Fi networks
Being a VM, we have no Wi-Fi network history. On a physical host the saved connections live in /etc/NetworkManager/system-connections/ (one keyfile per network, including the PSK) or in /etc/wpa_supplicant/wpa_supplicant.conf when wpa_supplicant is configured directly.
11. Host firewall configuration
iptables -L only shows the filter table and, without -n, resolves addresses to names, which generates DNS traffic from the machine under analysis; on a nftables-based Debian, nft list ruleset prints the complete rule set, including the nat and mangle tables.
root@debian:~# sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:9999
root@debian:~# sudo iptables -L > /mnt/firewall_nodo
12. Programs that run at startup
Only the unit files marked enabled start at boot; per-user autostart entries (~/.config/autostart) and cron jobs (/etc/cron*, crontab -l for each user) are also worth collecting.
root@debian:~# systemctl list-unit-files --type=service > /mnt/servicios_incio
netfilter-persistent.service enabled enabled
networking.service enabled enabled
13. Association of file extensions with applications
root@debian:~# cat /usr/share/applications/mimeinfo.cache > /mnt/asosiacion_ficheros_ext
14. Recently used applications
The closest thing to this in Linux is to see what each user has done, so I will gather all the histories:
root@debian:~# sudo cat /home/*/.bash_history > /mnt/historial_usuarios
root@debian:~# sudo cat /root/.bash_history > /mnt/historial_root
15. Recently opened files
*It will depend on the path of the files; I will give an example for home. ls -lu shows the access time but still sorts by name (add -t to order by access time), and atime is only a coarse indicator: with the default relatime mount option it is refreshed only when it is older than the modification time or more than a day old.
root@debian:~# ls -lu /home/*/ > /mnt/ficheros_recientes
16. Installed software
root@debian:~# dpkg --get-selections > /mnt/paquetes_instalados
17. Saved passwords
Some configuration passwords are stored inside our user's home directory; if we want to see the browser ones, we will find them in the same place Autopsy looks.
18. User accounts
root@debian:~# cat /etc/passwd | cut -d ":" -f 1 > /mnt/lista_usuarios
sshd
debian
user1
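Listing the account names is only the first step; what a responder actually checks is which accounts can log in and which have UID 0. The following Python script is an added example, not part of the original write-up: it parses passwd(5) and shadow(5) content (for instance from copies taken off the mounted disk image) and reports UID-0 accounts, accounts with an interactive shell, accounts with an empty password field and accounts missing from shadow. The sample is constructed: the extra UID-0 account backup2 and user1's empty password are invented to show what the checks flag; the other names mirror the ones listed above.

```python
# Constructed sample of /etc/passwd and /etc/shadow. The second UID-0 account ("backup2") and the
# empty shadow field for user1 are invented to show what the checks flag; the remaining rows mirror
# the account names seen on the machine.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:104:65534::/run/sshd:/usr/sbin/nologin
debian:x:1000:1000:debian,,,:/home/debian:/bin/bash
user1:x:1001:1001::/home/user1:/bin/bash
backup2:x:0:0::/tmp:/bin/sh
"""

SHADOW = """\
root:$6$saltsalt$hashhashhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
sshd:*:19700:0:99999:7:::
debian:$y$j9T$saltsalt$hashhashhash:19700:0:99999:7:::
user1::19700:0:99999:7:::
backup2:!$6$saltsalt$hashhashhash:19700:0:99999:7:::
"""

# Shells that refuse interactive logins.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Return {user: {uid, gid, home, shell}} from passwd(5) content."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """Return {user: 'set' | 'locked' | 'empty'} from the second field of shadow(5) content."""
    status = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, hash_field = line.split(":", 2)[:2]
        if hash_field == "":
            status[name] = "empty"       # no password at all: login without one may be possible
        elif hash_field.startswith(("!", "*")):
            status[name] = "locked"      # disabled account, or a hash prefixed with '!'
        else:
            status[name] = "set"
    return status


def triage_accounts(passwd_text, shadow_text):
    """Flag the account conditions a responder checks first."""
    users = parse_passwd(passwd_text)
    pw = parse_shadow(shadow_text)
    report = {"uid0": [], "interactive": [], "empty_password": [], "no_shadow_entry": []}
    for name, u in sorted(users.items()):
        if u["uid"] == 0:
            report["uid0"].append(name)               # anything besides root here is suspicious
        if u["shell"] not in NOLOGIN_SHELLS:
            report["interactive"].append(name)
        if pw.get(name) == "empty":
            report["empty_password"].append(name)
        if name not in pw:
            report["no_shadow_entry"].append(name)    # passwd and shadow out of sync
    return report


def triage_files(passwd_path, shadow_path):
    """Same check against files, e.g. copies pulled from the mounted disk image."""
    with open(passwd_path) as p, open(shadow_path) as s:
        return triage_accounts(p.read(), s.read())


if __name__ == "__main__":
    import json
    print(json.dumps(triage_accounts(PASSWD, SHADOW), indent=2))
```

Point triage_files at the passwd and shadow files of the mounted image rather than at the live system's own files, so the check reads the evidence and not the analysis host.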
19. Browsing history, downloads and cookies
History:
Cookies:
Downloads:
root@debian:~# ls -l /home/*/Descargas > /mnt/descargas_usuarios
20. Encrypted volumes
root@debian:~# lsblk -f | grep crypt
└─sda1 crypto_LUKS 2 9fc1bfa7-9224-4e8e-896a-09516d4fd613
21. Files with a changed extension
*The Mismatch Detector artefact does not load for me, but we can see it by looking at the metadata:
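The check that Autopsy's Extension Mismatch Detector performs, comparing a file's leading bytes with its extension, is easy to reproduce when the artefact does not load. The following Python script is an added example, not part of the original write-up or of Autopsy: it carries a small signature table, walks a directory (for example the mounted disk image) and reports the files whose magic bytes do not fit their extension. Files whose format is not in the table are reported as unknown rather than flagged, which keeps plain-text files out of the results. The sample tree is constructed: a PNG renamed to .txt and a PE executable renamed to .jpg among honest files.

```python
import os
import tempfile

# Leading bytes of common formats and the extensions that legitimately carry them.
# Office documents are ZIP containers, so they share the PK header with .zip.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"GIF87a", {"gif"}),
    (b"GIF89a", {"gif"}),
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "odt", "ods", "jar", "apk"}),
    (b"Rar!\x1a\x07", {"rar"}),
    (b"\x1f\x8b", {"gz", "tgz"}),
    (b"\x7fELF", {"", "so", "elf", "o"}),   # Linux binaries usually carry no extension
    (b"MZ", {"exe", "dll", "sys", "scr", "cpl"}),  # two bytes only: rare text files may collide
]


def identify(header):
    """Return the extensions consistent with the leading bytes, or None if the format is not in the table."""
    for magic, exts in SIGNATURES:
        if header.startswith(magic):
            return exts
    return None


def extension_of(path):
    """Lower-cased extension; a purely numeric suffix (libfoo.so.6) counts as no extension."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    return "" if ext.isdigit() else ext


def check_file(path):
    """Return ('match' | 'mismatch' | 'unknown', sorted expected extensions or None)."""
    with open(path, "rb") as f:
        header = f.read(16)
    exts = identify(header)
    if exts is None:
        return "unknown", None   # plain text and formats outside the table are not flagged
    status = "match" if extension_of(path) in exts else "mismatch"
    return status, sorted(exts)


def classify_tree(root):
    """Walk root and return {relative path: (status, expected extensions)} for every regular file."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            result[os.path.relpath(path, root)] = check_file(path)
    return result


def scan(root):
    """Sorted [(relative path, expected extensions)] for files whose content and extension disagree."""
    return sorted((rel, exts) for rel, (status, exts) in classify_tree(root).items() if status == "mismatch")


def make_sample_tree():
    """Constructed sample: a PNG renamed to .txt and a PE executable renamed to .jpg among honest files."""
    root = tempfile.mkdtemp(prefix="mismatch_")
    samples = {
        "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 32,
        "report.pdf": b"%PDF-1.7\n" + b"\x00" * 32,
        "archive.docx": b"PK\x03\x04" + b"\x00" * 32,
        "readme.md": b"plain text with no magic\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for rel, exts in scan(make_sample_tree()):
        print(f"{rel}: content looks like {'/'.join(exts)}")
```

Run scan() against the mount point of the image (read-only) to get the same list the Autopsy artefact would give; extend SIGNATURES with the formats relevant to the case before trusting an empty result.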
22. Deleted files
23. Hidden files
In Linux, everything whose name starts with a dot:
root@debian:~# find / -type f -name ".*" > /mnt/ficheros_ocultos
24. Files containing a given string
The pseudo-filesystems are excluded: reading /proc, /sys and /dev can block or return endless data, and none of them is on the disk image anyway.
root@debian:~# grep -rnw / --exclude-dir={proc,sys,dev,run} -e 'File' > /mnt/FicherosContienenFile
26. Searching files by author
Since I could not use Volatility for these exercises, I have tried to use commands to carry out the checks manually. To make the exercises more rigorous, I will take hashes of the outputs of the different commands to make sure they are not modified:
root@debian:~# find /mnt/* -type f -exec sha256sum {} +
5b46470021e68c2f5b517fa0bf3daeea665e525d3fa427326c53f93f09968d32 /mnt/asosiacion_ficheros_ext
d9ed5ccc5da76e64a158605065f9bdccbb42dfa889d1b66d8c1660a4511065b4 /mnt/conexiones_establecidas
8c65702fe0e26bf57cb2138a618a3cd023be45a23c46e50c77fc191b36c842ca /mnt/conexiones_remtoas
bf22d9341614e23448d92045f9ada00f2d62b00491261ec5843adca20e5a4b3a /mnt/descargas_usuarios
b63693142f2823a95a11d9f1fcbd845c118b2fc5d0b2508586d0fc6c8fe482af /mnt/discoLinux.raw
f5f82603dc58e22f0e38c70321ca1b28524b565b4a85264b07e06a5f9c967024 /mnt/FicherosContienenFile
faf7aa5603cb456e86c320549a4b34c12f3167260cb0e8cbfc94ec3ebd42f1ab /mnt/ficheros_ocultos
f767cd7a3d0802ebaebb3f18be2d188eb4c16f6a53444e9669f153a304cdb027 /mnt/ficheros_recientes
cb910e861a19148c6249fa53cc5b957fb0ae2e0f37ef4081c77aa90e7dde7eb0 /mnt/firewall_nodo
61f44639402d823b9452ad6eaf66eff0ed078fe1cf512c0fdebc9bba9fb58fb1 /mnt/historial_root
fed8854df34d3687edcd85697fda768ba58b88fa1b8d788bdd0d033b29209f85 /mnt/historial_usuarios
0a2c590ff6773acf9f601586cb4b013fb65bc32070019acb7368ae4212c07f8d /mnt/lista_usuarios
5f136603c0e34a74a58bc59f1934f5f2850ca8bec9c356a283ee7161a8f39a76 /mnt/memdebian.mem
1b503447d038a0ace6b81aaaf1390ac82ce6e08838a32e0b18b7656048794ebb /mnt/paquetes_instalados
8e29c5c098b2a664c23deb84abe943b666ca0dc05ce8020d0bb110b17e12d60a /mnt/procesos
9b889a5d5a59e615dc8fbbc4de9c5dbeaac1ae97990bab3dda39c3ef18c5dd72 /mnt/puertos_abiertos
cf7776ea7ca74f27b5a650ad14b074d3ac400df1b2729bca2e6a9f74696e94c3 /mnt/servicios_corriendo
b83d26c9829478eac7c19ff60eecc83b3d139fda26b5e057e882aefdaaeda7da /mnt/servicios_incio
17a519d6c20c48bd9cb39c4fd39dd107ee23c909712fada41cb75ba0d5cb703d /mnt/usb_conectados
575f849aed774bef68eb9cb85823030432afc6bfa3242ef4e1efe5cf14a98a0c /mnt/variables_entorno
b419ec819114f21a10bc5146a0b28183165c8b2cf77b2fe160e3044b1b5e04a0 /mnt/vdb
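The sha256sum listing above records the hashes at one moment but does not by itself tell you later what changed. The following Python script is an added example, not part of the original write-up: it builds a manifest of an evidence tree in sha256sum format (so sha256sum -c can check it independently), streams large images through the hash, and on re-verification reports unchanged, modified, missing and added files separately. The demo tree and the tampering are constructed; the file names echo the outputs collected above.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so multi-GB images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """{relative path: sha256} for every regular file under root; symlinks are skipped."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            manifest[os.path.relpath(path, root)] = sha256_file(path)
    return manifest


def write_manifest(manifest, out_path):
    """sha256sum(1) format ('<hash>  <path>'), so `sha256sum -c` can re-check it without this script."""
    with open(out_path, "w") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(path):
    """Inverse of write_manifest."""
    manifest = {}
    with open(path) as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                manifest[rel] = digest
    return manifest


def verify(root, expected):
    """Compare the tree under root with a stored manifest and report every kind of deviation."""
    current = build_manifest(root)
    return {
        "ok": sorted(p for p in expected if current.get(p) == expected[p]),
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in current),
        "added": sorted(p for p in current if p not in expected),
    }


def demo():
    """Constructed scenario: record a small evidence tree, tamper with it, and re-verify."""
    root = tempfile.mkdtemp(prefix="evidence_")
    files = {
        "procesos": b"PID 1 /sbin/init\n",
        "puertos_abiertos": b"udp 0.0.0.0:631\n",
        "lista_usuarios": b"root\ndebian\n",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    fd, manifest_path = tempfile.mkstemp(suffix=".sha256")   # kept outside the evidence tree
    os.close(fd)
    write_manifest(build_manifest(root), manifest_path)

    with open(os.path.join(root, "procesos"), "ab") as f:    # modified
        f.write(b"PID 999 /tmp/.x\n")
    os.remove(os.path.join(root, "puertos_abiertos"))        # missing
    with open(os.path.join(root, "nuevo"), "wb") as f:       # added
        f.write(b"x")
    return verify(root, read_manifest(manifest_path))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Store the manifest, and a record of its own hash, somewhere other than the evidence volume it describes; otherwise whoever can alter the outputs can alter the manifest as well.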
Bibliography
https://cibersec.iescampanillas.com/archivos/3046
https://markuta.com/live-memory-acquisition-on-linux-systems/
https://cpuu.hashnode.dev/how-to-perform-memory-forensic-analysis-in-linux-using-volatility-3
https://isf-server.techanarchy.net/
https://github.com/volatilityfoundation/volatility3?tab=readme-ov-file
https://github.com/volatilityfoundation/dwarf2json