Showing posts with label forensics.

Tuesday, February 23, 2021

How to get the IP and the lease time from registry key

(Just for my reference)

In digital forensics you sometimes need to find out which IP addresses a laptop was assigned and when it held them.

Suppose you have a Windows 10 DD image and want to find out the IP addresses that were assigned to it and their lease times, so you can search the logs (firewall, AD, etc.) for the relevant events.

This information can be found in the registry (the screenshots below were taken from a Windows 10 DD image).
If the IP was statically assigned, it can be found under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\Parameters\Tcpip.

If it was assigned by DHCP, it can be found under
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Services\Tcpip\Parameters\Interfaces\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}

or, even easier, search the hive for “dhcpipaddress” to find the IPs.
 

There are two values there, LeaseObtainedTime and LeaseTerminatesTime, stored as Unix epoch time (seconds since 1970-01-01 00:00:00 UTC).
 

You can use python3 to convert them (note that datetime.fromtimestamp() without a tzinfo renders the value in the analysis machine's local time zone, not UTC):

matrix@matrix ~ % python3
Python 3.9.1 (default, Jan  8 2021, 17:17:43) 
[Clang 12.0.0 (clang-1200.0.32.28)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from datetime import datetime
>>> datetime.fromtimestamp(1614085226).isoformat()
'2021-02-23T08:00:26'
>>> datetime.fromtimestamp(1614161347).isoformat()
'2021-02-24T05:09:07'
>>> datetime.fromtimestamp(1614123286).isoformat()
'2021-02-23T18:34:46'
>>> datetime.fromtimestamp(1614151831).isoformat()
'2021-02-24T02:30:31'
>>> 


Two other values, T1 and T2, are also epoch timestamps related to the lease the interface acquired on its IP address.

The client attempts to renew its lease when T1 expires and, if necessary, tries again when T2 expires. By default, T1 is half of the Lease value and T2 is 7/8 (87.5%) of it.
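When correlating with firewall or AD logs you normally want these timestamps in UTC, not in the analysis host's local zone. The following added example (my code, not from the original post) parses a constructed `.reg`-style export of one DHCP interface key, converts LeaseObtainedTime, T1, T2 and LeaseTerminatesTime to UTC, and checks the T1 = 1/2 Lease and T2 = 7/8 Lease relationship described above. The GUID, addresses and all timestamps in the sample are made up; the 5-second slack in the checks is my assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of a `reg export` of one DHCP interface key.
# The GUID, addresses and all timestamps are made up for this example.
# A real export written by reg.exe is UTF-16LE with a BOM: read it with
# open(path, encoding="utf-16") before passing the text to parse_reg_export().
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"EnableDHCP"=dword:00000001
"DhcpIPAddress"="10.0.0.23"
"DhcpSubnetMask"="255.255.255.0"
"DhcpServer"="10.0.0.1"
"Lease"=dword:00015180
"LeaseObtainedTime"=dword:6034fc6a
"T1"=dword:6035a52a
"T2"=dword:603623ba
"LeaseTerminatesTime"=dword:60364dea
"""

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>[^"]*)"$')

# The four epoch-time values the post discusses.
EPOCH_VALUES = ("LeaseObtainedTime", "T1", "T2", "LeaseTerminatesTime")


def parse_reg_export(text):
    """Return {key_path: {value_name: int | str}} for a .reg export (dword and string values only)."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("path")
            keys[current] = {}
            continue
        if current is None:
            continue
        m = DWORD_RE.match(line)
        if m:
            keys[current][m.group("name")] = int(m.group("hex"), 16)
            continue
        m = STR_RE.match(line)
        if m:
            keys[current][m.group("name")] = m.group("val")
    return keys


def to_utc(epoch):
    """Epoch seconds -> ISO 8601 in UTC, independent of the analyst host's time zone."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def lease_timeline(values):
    """Convert the epoch values of one interface and sanity-check T1/T2/expiry against Lease."""
    out = {name: to_utc(values[name]) for name in EPOCH_VALUES if name in values}
    out["DhcpIPAddress"] = values.get("DhcpIPAddress")
    lease = values.get("Lease")
    obtained = values.get("LeaseObtainedTime")
    if lease is not None and obtained is not None:
        out["lease_seconds"] = lease
        # Assumed tolerance: a few seconds of slack for rounding when the values were written.
        slack = 5
        out["t1_is_half"] = abs(values.get("T1", 0) - (obtained + lease // 2)) <= slack
        out["t2_is_7_8"] = abs(values.get("T2", 0) - (obtained + lease * 7 // 8)) <= slack
        out["terminates_matches_lease"] = abs(values.get("LeaseTerminatesTime", 0) - (obtained + lease)) <= slack
    return out


def interfaces_with_leases(text):
    """Every interface key in the export that carries a DHCP lease, keyed by its GUID."""
    return {path.rsplit("\\", 1)[-1]: lease_timeline(vals)
            for path, vals in parse_reg_export(text).items()
            if "LeaseObtainedTime" in vals}


if __name__ == "__main__":
    for guid, info in interfaces_with_leases(SAMPLE_REG).items():
        print(guid)
        for k, v in info.items():
            print(f"  {k}: {v}")
```

A T1 or T2 that does not sit at the expected fraction of Lease is worth a second look: it usually means the values were written by different lease events, so the four timestamps should not be read as one timeline.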


Friday, March 27, 2020

Office 365 Forensics (1)

(Just for my reference)
When an attacker gains Office 365 portal admin access, the first thing he does is delegate a user so that he gets full access to that user's account: mailbox, contacts, calendar, etc.

To get full access to another user's account, log in to https://outlook.office365.com/ecp/ and
select “recipients” -> “Mailboxes”.


Double-click the user whose mailbox is to be accessed; in the “Edit User Mailbox” window, under “Full Access”, add the compromised email account.



The attacker can then open the user's mailbox through File -> Open -> Other User's Folder.




To see whether someone has accessed your mailbox, log in to https://outlook.office365.com/ecp/ and select “compliance management” -> “auditing” -> “Run a non-owner mailbox access report”.



In the popup window, select the start and end dates, choose “All non-owners” from the “Search for access by” drop-down list, and click “Search”.
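The report above is the GUI view of mailbox audit data. The same events can be exported (Search-UnifiedAuditLog in Exchange Online PowerShell, or the audit log search in the compliance portal) as a CSV whose AuditData column holds one JSON record per event. The added example below (my code, not from this post) parses such an export, lists Add-MailboxPermission events that granted FullAccess, lists mailbox logons by non-owners (LogonType 1 = Admin, 2 = Delegate), and pairs each grant with the delegate's subsequent logons to the victim mailbox. The tenant names, dates and the exact field layout of the sample are constructed assumptions, modelled on the export format as I know it.

```python
import csv
import io
import json
from datetime import datetime

# Constructed sample of a unified-audit-log CSV export. Each row carries one
# JSON document in the AuditData column. Names, dates and the field layout
# are assumptions for this example, not data from a real tenant.
SAMPLE_AUDIT_CSV = '''CreationDate,UserIds,Operations,AuditData
2020-03-26T09:12:44,admin@contoso.example,Add-MailboxPermission,"{""CreationTime"":""2020-03-26T09:12:44"",""Operation"":""Add-MailboxPermission"",""UserId"":""admin@contoso.example"",""ObjectId"":""alice@contoso.example"",""Parameters"":[{""Name"":""Identity"",""Value"":""alice@contoso.example""},{""Name"":""User"",""Value"":""mallory@contoso.example""},{""Name"":""AccessRights"",""Value"":""FullAccess""}]}"
2020-03-26T09:15:02,mallory@contoso.example,MailboxLogin,"{""CreationTime"":""2020-03-26T09:15:02"",""Operation"":""MailboxLogin"",""UserId"":""mallory@contoso.example"",""MailboxOwnerUPN"":""alice@contoso.example"",""LogonType"":2,""ClientInfoString"":""Client=OWA""}"
2020-03-26T10:01:10,alice@contoso.example,MailboxLogin,"{""CreationTime"":""2020-03-26T10:01:10"",""Operation"":""MailboxLogin"",""UserId"":""alice@contoso.example"",""MailboxOwnerUPN"":""alice@contoso.example"",""LogonType"":0,""ClientInfoString"":""Client=OWA""}"
'''

# Mailbox audit logon types: 0 = Owner, 1 = Admin, 2 = Delegate.
LOGON_TYPES = {0: "Owner", 1: "Admin", 2: "Delegate"}


def parse_audit_rows(text):
    """Decode the AuditData JSON of every row in the export."""
    return [json.loads(row["AuditData"]) for row in csv.DictReader(io.StringIO(text))]


def param(data, name):
    """Look up a cmdlet parameter by name in the Parameters list of an Exchange admin event."""
    for p in data.get("Parameters", []):
        if p.get("Name") == name:
            return p.get("Value")
    return None


def find_fullaccess_grants(rows):
    """Add-MailboxPermission events that granted FullAccess: who gave whom access to which mailbox."""
    grants = []
    for d in rows:
        if d.get("Operation") != "Add-MailboxPermission":
            continue
        if "FullAccess" not in (param(d, "AccessRights") or ""):
            continue
        grants.append({"time": d["CreationTime"], "by": d["UserId"],
                       "mailbox": param(d, "Identity"), "delegate": param(d, "User")})
    return grants


def find_non_owner_logins(rows):
    """MailboxLogin events where the actor is not the mailbox owner (the non-owner report's content)."""
    hits = []
    for d in rows:
        if d.get("Operation") != "MailboxLogin" or d.get("LogonType", 0) == 0:
            continue
        hits.append({"time": d["CreationTime"], "actor": d["UserId"],
                     "mailbox": d.get("MailboxOwnerUPN"),
                     "logon_type": LOGON_TYPES.get(d["LogonType"], str(d["LogonType"])),
                     "client": d.get("ClientInfoString")})
    return hits


def correlate(rows):
    """Pair each FullAccess grant with the delegate's later logons into that mailbox."""
    grants = find_fullaccess_grants(rows)
    logins = find_non_owner_logins(rows)
    result = []
    for g in grants:
        t0 = datetime.fromisoformat(g["time"])
        follow = [l for l in logins
                  if l["actor"] == g["delegate"] and l["mailbox"] == g["mailbox"]
                  and datetime.fromisoformat(l["time"]) >= t0]
        result.append({**g, "logins_after_grant": len(follow)})
    return result


if __name__ == "__main__":
    rows = parse_audit_rows(SAMPLE_AUDIT_CSV)
    for item in correlate(rows):
        print(item)
    for login in find_non_owner_logins(rows):
        print(login)
```

The grant event tells you which admin account to treat as compromised; the delegate logons tell you which mailboxes were actually read and from which client. Both should be pulled for the whole incident window, since a grant may have happened well before the first logon.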
Tuesday, March 17, 2020

Forensics Android APKs on the phone

(Just for my reference)
Purpose: check the .apk files on the phone against VirusTotal.

Tools:
1. VirusTotal website: https://virustotal.com
2. MOBILedit Forensic Express 7

Steps:
1. Use MOBILedit to create a full report.

2. Open a command-line window, go to the report folder and run: sigcheck64 -h -a -c -w ..\apks.csv -u -s .\*.apk

3. Run sigcheck64 -c -w .\samsung.csv -vrs -vt -o .\apks.csv to look up the hashes collected in apks.csv on VirusTotal.

4. Open the CSV file and analyze the output.
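Two things a practitioner should settle before step 3: the s in -vrs tells sigcheck to upload files VirusTotal does not already know, which in casework means evidence leaves your control, and the resulting CSV is easier to triage with a script than by eye. The added example below (my code, not from this post) parses a constructed sigcheck-style CSV, ranks the APKs by VirusTotal detection ratio and lists the hashes VirusTotal did not know. Real sigcheck output has many more columns than the sample; the parser looks columns up by name, and the names of the two VirusTotal columns are assumed from memory of sigcheck's output, so adjust the two constants if your version labels them differently. File names, hashes and ratios are made up.

```python
import csv
import io

# Column names as I recall sigcheck writing them with -h and -v; assumptions.
VT_COL = "VT detection"
VT_LINK_COL = "VT link"

# Constructed sample with a subset of sigcheck's columns. Paths, hashes and
# ratios are made up. sigcheck's -w file may be UTF-16: open it with
# encoding="utf-16" if it starts with a BOM before passing the text to triage().
SAMPLE_SIGCHECK_CSV = r"""Path,Verified,Date,Publisher,SHA256,VT detection,VT link
C:\report\apks\com.example.launcher.apk,n/a,3/15/2020 10:02 AM,n/a,1111111111111111111111111111111111111111111111111111111111111111,0/60,https://www.virustotal.com/placeholder-1
C:\report\apks\com.example.freeflashlight.apk,n/a,3/15/2020 10:02 AM,n/a,2222222222222222222222222222222222222222222222222222222222222222,14/61,https://www.virustotal.com/placeholder-2
C:\report\apks\com.example.notes.apk,n/a,3/15/2020 10:03 AM,n/a,3333333333333333333333333333333333333333333333333333333333333333,Unknown,n/a
C:\report\apks\com.example.bank.apk,n/a,3/15/2020 10:03 AM,n/a,4444444444444444444444444444444444444444444444444444444444444444,1/62,https://www.virustotal.com/placeholder-4
"""


def parse_vt_ratio(cell):
    """'14/61' -> (14, 61); 'Unknown', 'n/a' or blank -> None (hash not known to VT or not queried)."""
    cell = (cell or "").strip()
    if "/" not in cell:
        return None
    hits, total = cell.split("/", 1)
    try:
        return int(hits), int(total)
    except ValueError:
        return None


def classify(ratio, low_threshold=2):
    """Coarse verdict from the detection ratio; the threshold is an assumed tuning knob."""
    if ratio is None:
        return "unknown-to-vt"
    hits, _ = ratio
    if hits == 0:
        return "clean-by-vt"
    if hits < low_threshold:
        return "low-confidence"
    return "flagged"


def triage(text):
    """Parse the CSV and return rows sorted by detections (most detections first, unknown last)."""
    results = []
    for row in csv.DictReader(io.StringIO(text)):
        ratio = parse_vt_ratio(row.get(VT_COL))
        results.append({"path": row["Path"],
                        "sha256": (row.get("SHA256") or "").lower(),
                        "vt": ratio,
                        "verdict": classify(ratio),
                        "link": row.get(VT_LINK_COL)})
    results.sort(key=lambda r: (-r["vt"][0] if r["vt"] else 1, r["path"]))
    return results


def hashes_to_recheck(results):
    """SHA256 hashes VirusTotal did not know: candidates for a manual search or a deliberate submission."""
    return [r["sha256"] for r in results if r["verdict"] == "unknown-to-vt"]


if __name__ == "__main__":
    rows = triage(SAMPLE_SIGCHECK_CSV)
    for r in rows:
        print(f'{r["verdict"]:15} {r["vt"]!s:10} {r["path"]}')
    print("unknown to VT:", hashes_to_recheck(rows))
```

A single-engine hit on an APK is often a generic or adware signature, so the low-confidence bucket is there to keep those from drowning out the ones that matter; the unknown bucket is the list you decide about submitting, rather than letting sigcheck upload them automatically.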