One of the key evidence items to acquire and analyze in a security incident is information about network connections established on the device that is being investigated. Unfortunately, not on every situation this information will be available, because if the device was powered off, the network connections are lost, as it is volatile information that resides in the RAM memory of the computer. In this case, we would try to locate and analyze hibernation files (extremely valuable, but not always available) or offline files trying to identify any remnant of a network connection, such as the pagefile.sys or service specific logs, but this information would be very limited and incomplete as compared to the information that could have been displayed by the command netstat. We could also try to obtain logs from any firewalls available on the organization, but we would depend on logging being enabled and that the network traffic of the device under investigation had passed through the specific network path where the firewall is located. Finally, network activity could also happen when the device is not at the enterprise, common for laptops, in that case obviously the firewall would have no relevant logs for that specific investigation.
Modern OS have host-based firewalls which can be easily configured to store logs about the network connections, providing a valuable source of information in case of a security incident. Regarding the Windows operating system, it is very easy to enable logging of the network connections through the integrated Windows Firewall. If the log is enabled, it will require administrator privileges to delete it, which will not always be the case if the attacker cannot achieve admin rights on the compromised host. Even if the attacker achieves admin rights, not all of them will be aware of the log so there will be a good chance that it will be available for collection and analysis.
Windows Firewall log can be enabled extremely easy, both through command line interface and through GUI and it allows the user to determine what kind of network connections should be logged (failed or successful). I will show how to enable it using the command line interface. We can log both allowed and dropped connections, but I recommend doing it only for allowed connections, as dropped connections would log lots of noise, especially related to the UPnP protocol.
We can also increase the size of the log, the acceptable range is 1-32767 kilobytes.
The window Firewall will be created by default on C:\Windows\System32\LogFiles\Firewall, although it can be configured to a different location. If you try to open the active file, you will get an error. To solve this problem, simply create a copy of the file and open it. The structure of the log is very simple and straightforward to read, it is in clear text and stores the following fields:
Since it is generated by the host, it will be synced with other logs generated on the same computer, allowing for quick correlation. If the logs were generated by a network firewall, we would first have to check if it is synced to the same NTP server or otherwise calculate the time skew and adjust the timestamps, which is not always a fun or easy task to do.
You can determine if logging is enabled for a given Windows computer by running the following command:
The relevant parameters for every profile are LogAllowedConnection, LogDroppedConnection FileName and MaxFileSize.
Enabling the Windows Firewall log is a quick win, as it is very simple to do and can provide extremely valuable information during a DFIR investigation. Because of its small size, it can be used for triage and rapidly search a given IP address or uncommon port that has been previously identified as malicious or suspicious. In the following article, I will show several use cases for this information, and I will share a useful script to extract information from the log to make it more actionable.
If you disabled Windows Firewall because you use a third-party host firewall, make sure that you have logging enabled in the third-party firewall, determine the retention time and make sure it meets your requirements.