In case you missed it over on the SANS Computer Forensics blog, we recently updated our memory forensics cheat sheet. Not a lot has changed other than updating a few parameter options, adding Michael Cohen’s WinPmem (live memory analysis with Volatility!), and reflecting a few of the changes in the upcoming 2.3 Volatility release (including body file format in Jamie Levy’s timeliner plugin)
The GUI control panel is a long-standing feature of Microsoft Windows, facilitating granular changes to a vast collection of system features. It can be disabled via Group Policy but is largely available to most user accounts (administrative permissions are required for some changes). From a forensic perspective, we can audit control panel usage to identify a wide range of user activity:
Firewall changes made for unauthorized software (firewall.cpl)
User account additions / modifications (nusrmgr.cpl)
Turning off System Restore / Volume Shadow Copies (sysdm.cpl)
System time changes (timedate.cpl)
Interaction with third-party security software applets
While identifying individual system modifications is difficult, at a minimum we can show that a user accessed a specific control panel applet at a specific time. Context provided by other artifacts may provide further information. As an example, imagine you were reviewing control panel usage on a system and came across Figure 1.
Figure 1: Sample Userassist Output
Context is critical, and, while access to the Windows Security Center might not normally be particularly interesting, the fact that it was accessed immediately following the execution of a known (router) password cracking tool might make all the difference.