Day 8 : Santa's Special Bag of Toys (John Hammond Special)

Working with PowerShell Transcription Logs (Windows Forensics)

Introduction to Windows Forensics

- PowerShell Transcription Logs

PowerShell Transcription Logs capture the input and output of Windows PowerShell commands, allowing an analyst to review what happened when. Typically, PowerShell Transcription can be enabled by Group Policy, but another method to turn on this logging is by configuring the Windows Registry.

The following commands turn on PowerShell Transcription Logging for the local host when entered in an Administrator command prompt:

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /t REG_DWORD /d 0x1 /f
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v OutputDirectory /t REG_SZ /d C:/ /f
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableInvocationHeader /t REG_DWORD /d 0x1 /f

The Windows Registry is a large database of operating system settings and configurations. It is organized by "hives", with each hive containing "keys" and their corresponding "values."

PowerShell Transcription Logging can be enabled in this way "per-user" via the HKEY_CURRENT_USER registry hive, or across the entire host via the HKEY_LOCAL_MACHINE registry hive.

The actor uses a Living Off The Land binary (LOLBin), a Windows binary intended for handling certificates, to encode this file, and then verifies that it succeeded by viewing the output file.

  • The UsrClass.dat file was encoded with Base64, which we decoded.

  • Now open the decoded file in the Registry Explorer GUI: File > Load offline hive > select the download.dat file produced by decoding.
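To show how the transcript produced by the settings above is read, and how the LOLBin encoding step just described shows up in it, here is an added parser (example code, not part of the original write-up). It assumes the standard transcript layout with EnableInvocationHeader set and a constructed sample transcript; the detection rule for `certutil -encode` is an assumption chosen for this illustration.

```python
import re
from datetime import datetime
from typing import NamedTuple, Optional

# Constructed sample (not a transcript from the room) in the layout PowerShell writes
# when EnableInvocationHeader is set: a "Command start time" block precedes each prompt.
SAMPLE = r"""**********************
Windows PowerShell transcript start
**********************
**********************
Command start time: 20221125143030
**********************
PS C:\Users\elf> Get-ChildItem C:\Users\elf\AppData\Local\Microsoft\Windows
UsrClass.dat
**********************
Command start time: 20221125143045
**********************
PS C:\Users\elf> certutil -encode UsrClass.dat download.dat
CertUtil: -encode command completed successfully.
**********************
Windows PowerShell transcript end
**********************"""

class Invocation(NamedTuple):
    start: Optional[datetime]   # None if no invocation header preceded the prompt
    command: str
    output: list

HEADER = re.compile(r"^Command start time: (\d{14})$")
PROMPT = re.compile(r"^PS [^>]*> (.*)$")
CERT_ENCODE = re.compile(r"\bcertutil(?:\.exe)?\b.*\s-encode\b", re.I)  # assumed rule

def parse_transcript(text: str) -> list:
    """Split a transcript into (start time, command, output) records, one per command."""
    records, current, pending = [], None, None
    for line in text.splitlines():
        if line.startswith("*"):  # separator row: ends the current command's output
            current = None
        elif m := HEADER.match(line):  # invocation header gives the command's timestamp
            pending = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
        elif m := PROMPT.match(line):  # prompt line carries the command the user typed
            current = Invocation(pending, m.group(1).strip(), [])
            records.append(current)
            pending = None
        elif current is not None:  # anything else is that command's output
            current.output.append(line)
    return records

def find_lolbin_encoding(records: list) -> list:
    """Invocations where the certificate tool was used to Base64-encode a file."""
    return [r for r in records if CERT_ENCODE.search(r.command)]
```

Running `find_lolbin_encoding(parse_transcript(SAMPLE))` returns the single certutil invocation together with its timestamp and the success message that confirmed the encoding.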

- UsrClass.dat file

  • Contains Shellbags: artifacts within the Windows Registry that store user preferences for how folders were viewed in the Windows Explorer GUI.

  • Analyze this to see what user activity took place on the laptop before it was compromised.

To extract the Shellbags information within this UsrClass.dat file, we will use the "Shellbags Explorer" graphical utility put together by Eric Zimmerman.

Unfortunately, from Shellbags alone we only have insight into folder names (sometimes file names, if we are lucky) and column data within Windows Explorer, but not the files themselves.

- Finding commits on GitHub

Go to the Code tab > look in the upper right corner, below the Clone button > notice the 5 commits.

Total of 228 files in the extracted zip.
