I have been participating in a DFIR challenge (I won’t say which one, so as to not post spoilers) in which I was given a Windows image and a list of questions that I would need to answer. I went through the initial steps of opening it up in Autopsy and FTK Imager and quickly hit an impasse. One of the questions I need to answer is regarding network connections to this image I was given. From my understanding, network connections aren’t accessible from a dead disk perspective, but they can be found in memory.
I don’t have a live system to pull memory from, so that is not an option. Being that it is a Windows Server image, I know that I should be able to pull some of those things from the hiberfile.sys. As I took my first look at C:\ for the hiberfile, I started to worry because it was not there. The pagefile.sys was there, but it isn’t as easy to investigate.
I did run page_brute.py against the pagefile and it showed tons of evidence of intrusion, but not any quickly parsible network connections. My next question to answer today is whether it is possible that the intruder deleted the hiberfile, in which case I will need to locate it and carve it out, or whether the system is set to not create a hiberfile. The latter would necessitate a fairly crafty intruder, but it is not impossible.
Once I attempt to tackle those questions, I will come back with some screenshots and information regarding the intrusion.