BIPI

Windows Endpoint Triage: What to Grab in the First Hour

Full disk images are a luxury during a live incident. This is the Windows triage workflow we run with KAPE and the Eric Zimmerman toolset to get answers in 45 minutes instead of three days.

By Arjun Raghavan, Security & Systems Lead, BIPI · March 2, 2024 · 9 min read

#dfir #windows #forensics

When a Windows endpoint goes hot, the temptation is to dd the whole disk and call it forensically sound. In a live incident with twelve confirmed hosts and counting, that strategy guarantees you will miss the next pivot. Targeted triage with KAPE gets you 90 percent of the answer in a fraction of the time.

What to grab first

Volatile data first, always. If the host is still running, capture memory with WinPMEM before anything else. Memory dies on reboot, disk artifacts do not. After memory, run KAPE with the !SANS_Triage compound target. That single command pulls registry hives, EVTX, MFT, USN journal, Prefetch, Amcache, ShimCache, browser history, Recycle Bin metadata, scheduled tasks, services, and PowerShell logs.

  • Memory dump (WinPMEM, Magnet RAM Capture, or DumpIt), first, before isolation
  • KAPE !SANS_Triage target to a USB or SMB share with chain of custody on the destination
  • EDR raw telemetry export covering the last 90 days, not just the alert window
  • Network capture if the host is still on; 5 to 10 minutes is plenty to see beacon callouts

Parsing the artifacts that matter

After collection, run KAPE's module side, which fires the Eric Zimmerman parsers over the collected files. EvtxECmd flattens the EVTX into CSV you can grep. MFTECmd parses the Master File Table. AmcacheParser surfaces executed binaries with SHA-1 hashes you can throw at VirusTotal. RECmd with the Kroll batch files pulls the registry into readable output. AppCompatCacheParser gives you ShimCache, which is gold for finding execution evidence even when Prefetch is disabled.

Execution evidence: the four-source rule

Never trust a single artifact to prove execution. Cross-reference at least four sources before you put a binary on the timeline. Prefetch confirms execution within the last 128 entries. Amcache logs first-time execution with hash. ShimCache records file existence at boot. UserAssist tracks GUI launches. SRUM stores network and process resource usage. If three of these agree, you have a story.

  1. Prefetch: PECmd -d C:\Windows\Prefetch --csv outputs first-run and last-run times
  2. Amcache: AmcacheParser -f Amcache.hve --csv pulls SHA-1 and execution path
  3. ShimCache: AppCompatCacheParser -f SYSTEM --csv shows file existence at boot
  4. UserAssist: RECmd with the UserAssist batch file decodes the ROT13 entries
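The cross-referencing step as code, added here as an example that is not from the post or from the Zimmerman tools: it joins the CSV exports of the four parsers on executable name and reports the binaries attested by a minimum number of independent artifacts (the post's "three agree" threshold by default). The CSV column names and sample rows are constructed assumptions, not the tools' real headers, so map the SOURCES table to the headers in your own exports.

```python
"""Correlate execution evidence across the parser CSV exports."""
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample exports from a hypothetical host. Column names are
# simplified assumptions, not the exact headers the Zimmerman tools emit.
PREFETCH_CSV = """ExecutableName,RunCount,LastRun
CMD.EXE,14,2024-02-27 09:12:01
UPDATER.EXE,1,2024-02-27 09:15:44
"""
AMCACHE_CSV = """FullPath,SHA1
C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe,<sha1-placeholder-1>
C:\\Windows\\System32\\cmd.exe,<sha1-placeholder-2>
"""
SHIMCACHE_CSV = """Path,LastModifiedTimeUTC
C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe,2024-02-27 09:15:40
C:\\Windows\\System32\\notepad.exe,2023-11-02 18:00:00
"""
USERASSIST_CSV = """ProgramName,RunCounter
C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe,1
C:\\Program Files\\Mozilla Firefox\\firefox.exe,37
"""

# artifact label -> (CSV text, column that holds the executable name or path)
SOURCES = {
    "Prefetch": (PREFETCH_CSV, "ExecutableName"),
    "Amcache": (AMCACHE_CSV, "FullPath"),
    "ShimCache": (SHIMCACHE_CSV, "Path"),
    "UserAssist": (USERASSIST_CSV, "ProgramName"),
}

def normalize(value):
    """Key on the lowercase file name: Prefetch stores only the name while the
    other artifacts store full paths, so the name is the common join key."""
    return PureWindowsPath(value).name.lower()

def correlate(sources=SOURCES):
    """Map each executable name to the set of artifacts that attest it."""
    hits = defaultdict(set)
    for label, (text, column) in sources.items():
        for row in csv.DictReader(io.StringIO(text)):
            hits[normalize(row[column])].add(label)
    return dict(hits)

def corroborated(min_sources=3, sources=SOURCES):
    """Executables attested by at least min_sources independent artifacts."""
    return {name: sorted(labels) for name, labels in correlate(sources).items()
            if len(labels) >= min_sources}
```

Anything that clears the threshold goes on the timeline; anything attested by a single artifact stays a lead until another source confirms it.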

Persistence: the boring places attackers hide

Autoruns from Sysinternals is still the fastest way to enumerate persistence on a triaged endpoint. Run it with /accepteula /a * /h /v /s /m /nobanner against the mounted image. Look for unsigned binaries in the Run keys, scheduled tasks created outside maintenance windows, WMI event subscriptions, and Image File Execution Options hijacks. Service installations show up in System EVTX as Event ID 7045. Filter for non-Microsoft publishers and binaries in user-writable directories.

Triage versus full image: when to escalate

Triage is enough for scoping, lateral movement reconstruction, and most ransomware cases. Full disk imaging is required when you need slack space analysis, when the case is going to litigation, when the artifact you need lives in deleted file fragments, or when the threat actor used wipers. If your scoping points to a sophisticated actor with anti-forensics behavior, image the patient zero and the last lateral target. Triage everything else.

Image one, triage many. That ratio scales an IR team across an enterprise breach without drowning in 2 TB of disk.

Where teams trip

  • Running KAPE from the C drive of the affected host (writes evidence on the evidence)
  • Forgetting to hash the output container before moving it off the host
  • Skipping memory because the host is still up and seemingly clean
  • Parsing without the Kroll batch files, missing half the useful registry keys
