RedLotus ScreenShare Guide;

…………………………………………………….RedLotus…………………………………………………………….
An Advanced ScreenShare guide for [Your Server] by the Lotus SS team;
…………………………………………………………—————…………………………………………………………….

……………………
In affiliation with the Red Lotus SS Team;

|—-—-—-—-Introduction—-—-—-—-|
≛ Red Lotus Unified ≛
〔—-—-—-—-〕The Foundation〔—-—-—-—-〕
Red Lotus consists of
Currently the best SS Team
In the entire SS Community;

It aims to improve the quality

of ScreenShares on servers.

Its main objective is safety

of Staff and Players together.

by Red Lotus SS Team

affiliated with SS Community

We are happy to help Servers with their regulations of the SS Team for the best community transparency,
accuracy & quality of the screenshares, last but not least - Safety of the Players & your own screenshare team.
We once again thank you for trusting our experience;
To Introduce Red Lotus and strengthen your trust, allow us to introduce the Foundation of the team:
𝕽𝚎𝚚𝚞𝚒𝚎𝚖 死 | Rancio | Amadeus

As of today, Red Lotus consists of Leading ScreenSharers;

❖ Currently we are the leading unity of individuals who are capable of inventing original methods, creating
original tools that will simplify your job as a ScreenSharer.
❖ We have experience in ScreenSharing of various time-spans, it ranges between 3~6 years and counting.
Our services are FREE of charge
❖ As we already mentioned, our aims are to improve ScreenSharing communities / servers for the
safety of the Players. We offer our entire setup, starting from your custom Discord Template, to
rules, ending on this guide.
We do not dictate
❖ This projects holds a recommending character, which means that with our experience it is
recommended you follow the guidelines and ethics which we’ve enforced within this document, you
may modify or edit out any step, dissect (split) these methods into pieces and create your own
separate document to include only specific parts, if decided by you, for weaker SSers.
❖ Even though we do not force these regulations on you, if you’ve decided to accept these guidelines
it is necessary that you do not steal, claim or spread misinformation about this unity.
There are no risks
❖ By agreeing to the above conditions, note that everything here falls under MIT license; you are
free to do absolutely anything with the given material - as long as Red Lotus is referenced in
credits.
Independent Collaboration
❖ You are by all means allowed to exit and abolish our connection, by which you may still keep our
guide, Discord server template, set of rules and regulations, modify them, replace them or remove
them from your server’s rules. You may keep all the tools given to you here, we are glad we were of
some help till the end.

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

Table of Contents

|—-—-—-—-Introduction—-—-—-—-|..................................................................................................................2
『Introduction to ScreenSharing』.....................................................................................................................4
|ScreenSharing Principles|.............................................................................................................................................. 5
|Defense Mechanisms|..................................................................................................................................................... 6
|Transparency Regulations|............................................................................................................................................. 7
『Chapter I』...............................................................................................................................................................................9
|++++|—First Phase—|++++|............................................................................................................................................ 10
Prefetch.......................................................................................................................................................................10
Temp........................................................................................................................................................................... 12
shell:recent..................................................................................................................................................................13
Deleted Items.............................................................................................................................................................. 13
Mouse Macro Detections............................................................................................................................................ 16
MiniSS Powershell Script............................................................................................................................................ 17
|++++|—Second Phase—|++++|....................................................................................................................................... 18
Event Logs.................................................................................................................................................................. 18
System Informer..........................................................................................................................................................20
Task Scheduler............................................................................................................................................................21
Maceta........................................................................................................................................................................ 23
OSForensics............................................................................................................................................................... 24
[__Processing the Case.................................................................................................................................. 24
[__File System Browser.................................................................................................................................. 24
[__Volume Shadow Copies............................................................................................................................. 25
[__Program Artifacts Viewer............................................................................................................................26
[__Deleted Files Search.................................................................................................................................. 26
[__User Activity Timeline................................................................................................................................. 26
Sherlock Finds............................................................................................................................................................ 28
|++++|—Third Phase—|++++|........................................................................................................................................... 29
Red Lotus Powershell................................................................................................................................................. 29
Velociraptor NTFS.......................................................................................................................................................29
Rancio’s Tools............................................................................................................................................................. 30
Mecha................................................................................................................................................................... 30
DoomsDay Client Finder....................................................................................................................................... 30
Unicode Detector.................................................................................................................................................. 30
777 Linux ScreenShare Tool................................................................................................................................. 31
Ocean SS Tool...................................................................................................................................................... 31
GlobalLister........................................................................................................................................................... 32
Powershell WinPrefetchView...................................................................................................................................... 32
USB Checker.............................................................................................................................................................. 32
『Chapter II』............................................................................................................................................................................33
<>!<> Forensics Stage I <>!<>......................................................................................................................................... 34
Magnet EDD................................................................................................................................................................34
INDXRipper................................................................................................................................................................. 34
$MFT...........................................................................................................................................................................35
Kernel Live Dump........................................................................................................................................................35
PE Injection / Proxy Clients.........................................................................................................................................36
<>!<> Forensics Stage II <>!<>........................................................................................................................................ 36
Red Lotus....................................................................................................................................................................36
『Chapter III』...........................................................................................................................................................................38
[[ Ban Evasion ]]................................................................................................................................................................39

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

『Introduction to ScreenSharing』
Why is it necessary?
♦ In large servers, where various types of rewarding events are held with a cash prize, we’ll often come across a
team of ScreenSharers who are responsible for accurately determining whether or not a suspected Player has
cheated in order to gain an unfair advantage over their competitors, in order to win the prize.
While holding events of various kinds is meant to be fun, the rest of the player-base may find it irritating or even
unfair to not cheat-proof the suspects. Therefore, those who are responsible for this should definitely be
competent, fair and mature enough to properly SS Players.
It is necessary that the SSer understands values of privacy and is trained to not disrupt individual devices, revert
to its original state before SS, to not install unauthorized applications that might harm the user's device, to not
falsely ban the Player for operations that happen in Windows, Linux, MacOS automatically without User initiation.
It is also the heart of the principles to maintain everything disclosed to the SSer in a private manner, without
exposing or leaking even the most harmless information about the Player, regardless of their toxicity or dislike
from the community (of the Player).

Here is a list of necessities that a good ScreenSharer must know, list of what this guide will be teaching:
1. Know general principles of privacy respect
2. Know self-defense & privacy protection of the others
3. Basic understanding of Operating Systems (OS; - Windows, Linux, MacOS)
4. Understanding of System & User-initiated actions on the OS
5. Advanced knowledge of the OS evidence of execution
6. Understanding of mouse softwares & related
7. Understanding of the Tools that are used for SSing
8. Communication skills between them & the Player
9. Necessary Services (Windows)
10. Windows Forensics

How long does it usually take?

♦ An average SS takes about 30 minutes to be considered fully done (on fast computers), however, it may also
take up to 50 minutes or an entire hour.
It isn’t necessary to ScreenShare with every method we’ve put in this document, as concluding a SS with every
—----------------------------- Red Lotus SS Team -----------------------------—
In affiliation with the Red Lotus SS Team;

single method of Red Lotus - it’ll take far more than an hour, maybe even two. Utilize the softwares we’ve
developed for the sole purpose of making a SS reliable, fast & safe, even without the use of SS tools such as
Avenge, Echo, Golden, Soltix and so on.

|ScreenSharing Principles|

Here are some of the root principles that Red Lotus prioritizes while ScreenSharing Players:
1. Always record the ScreenShare;
a) Elaboration of this article will be explained in |Defense Mechanisms| sub-article 2.a, for self-defense of
the staff member.
2. Never target a group of Players, without any proper evidence or reasoning;
a) Do not Freeze / ScreenShare a Player outside of your server duties (for example, unofficially SS-ing them
with no proof “just to make sure they aren’t cheating)
b) Do not ScreenShare a Player with absolutely no reason (if they don’t have any anti cheat logs / if they
weren’t reported by multiple Players) just because you want to
c) A staff member asking you to SS someone with no evidence or reasoning, is considered against this
principle 2.c.
3. Player’s privacy and security above all
a) While ScreenSharer’s privacy and security is also protected, if a staff member gets reported for breaking
ScreenSharing norms, it must be looked into thoroughly with no bias towards the Player.
b) Truthfulness of the Player and the wrongdoing of the ScreenSharer must be determined by no less than
half of the entirety of the SS Team and minimum one SS Manager / Leader / Head / Senior. If the
quantity does not divide in 1/3rd of the team (for example, if there are 10 SSers and 3 Managers), then
the most votes win.
4. Regulations against bias
a) Do not ScreenShare a player based on rumors or misinformation or personal arguments targeted
towards them from the community members. Corresponds to Article 2.c of these regulations.
b) A staff member is not allowed to freeze a player after losing a fight to them - unless they are given the
permissions to or are trusted enough by the Heads of the SS / or unless their evidence is reviewed by no
less than 3 other non-screensharing staff members.
c) Decisions of a ScreenShare Head must not be ignored, however, in case of multiple SS Heads managing
the team - ScreenSharers may decide to trust or not to trust the SS Head asking them to SS a Player, in
case the SS-er assumes the Head might be abusing or acting on a bias. Notify other Heads.
d) SS Requests from other staff members, regardless of their temper and irritation must be followed by
proof or proper reasoning, decision is up to the SS-er to take. The SS Head must not reject or control this
specific decision (SS Heads may not interfere between a non-SS staff & SS-er)
5. Regulations for obstacles during SS
a) Messed up system functionality must not be punished unless it is mentioned in intentional bypass
attempts that are most-likely or above.
b) If you come across anything unfamiliar, contact your SS Heads or find an answer in this guide. If you
can’t, decide collectively or do individual research on the subject. You may contact the Red Lotus Unity
or the ScreenShare Community to find answers if nothing helps you.
c) Do not take a ScreenShare if you have to leave or go AFK under 30 minutes or above.

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

|Defense Mechanisms|

This paragraph will explain a Defense Mechanism Red Lotus suggests the server Head to
implement for the safety of their staff & Players.
1. Virtual Private Networks
a) It is recommended that the server Head regulates this section according to their VPN and
anti-bot / anti-DDoS plugins / securities, for their staff members. For example, keep track of
SS-ers who have requested to use a VPN & Whitelist them from these sorts of server checks.
b) If the server is able to - it is recommended you buy an enterprise of a premium VPN
c) Recommend free VPNs (RadminVPN, HideMe, UrbanVPN etc.)
d) Teach the SS team about AnyDesk safety measures.
e) If they have a very strong feeling that someone has grabbed their IP, teach them how to reset
their IP:
- Restart their router
- Restart their IP from their Net’s Admin panel
- Contact their Net provider to reset their IP
- Use hotspot when SSing (mobile data, if unlimited)
2. Legality Enforcement
a) As some players might go way too far with it, we recommend you attempt to take legal
actions against them. As mentioned in |ScreenSharing Principles| Article 1.a, it is necessary
to record a ScreenShare for multiple reasons:
- It is the best proof a ScreenSharer has of their innocence
- It is the best self-defense Mechanism that the staff team has
- Recorded ScreenShare helps the SS Heads to view one’s skills on full display
Alongside these reasons, the recording will be an extremely useful evidence by the
ScreenSharer, provided to SS Heads who can cooperate with server Owners to report the
DDoS-er’s IP to the authorities with proper evidence.
Note that the IP shall be given to the ScreenSharer so that they are able to report it to the
Law Enforcement or their internet service provider, as they are eligible to do so. However,
only share the IP if the Article 3 of |Defense Mechanisms| is not met.
3. Identifying DDoS attacks - Wireshark & Event Logs
a) As a Head of the SS Team, it is recommended you teach the SS-ers how to use WireShark Network
Analyzer to detect DDoS attacks and potentially retrieve an IP themselves, even if it doesn’t match
the IP-Check in-game. Example monitoring | Example Video
b) Alongside with WireShark, use a powershell script (copy paste) provided by Red Lotus; Note that
indications of the script are POTENTIAL attacks, if your net happens to shut down to then log one
of these detections, it can be accurate. Yet, Wireshark is still the best option.
Download The Script
4. Player’s safety measures
a) Make sure your Community is told to have their AnyDesk set-up like in this screenshot in advance
for their safety, if they don’t, let them know that the SS-er will set it up for them during the start of
the SS.
b) Make sure your Community is aware that the SS-er will be deleting everything downloaded during
the SS and revert things back to normal.
c) a and b subsections will be extensively elaborated in |Transparency Regulations|

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

|Transparency Regulations|

This paragraph is for the community to be disclosed (shared with) as a guarantee of their
safety & privacy protection regulations; as a member of the community, you may report a
ScreenSharer if you believe that they have ignored any of the articles mentioned here.

1. The ScreenSharer is not allowed to visit websites that display Player’s IP Address or
Geolocation, or do anything to gather Player’s IP Address or Geolocation, unless done
accidentally.
- An accident is considered only as: executing / opening installed programs by the User
that display an IP address on the main menu, such as VPNs, optimizers and any other
form.
- An accident is NOT considered when: the SS-er intentionally visits websites that display
IP Addresses, Geolocation; such as Google Maps / Own IP Gathering webs.
2. Players may not be frozen and ScreenShared with no reason, no anticheat flags, based on
other players’ requests.
- Player’s request to SS another Player may and must be denied, evidence provided by
them must be collectively inspected by the SS staff team and taken into consideration.
The reported player must then be spectated by staff. It is recommended that the SS
team takes both players’ ping into account.
- The staff team must ScreenShare Players only based on logs and insufficient evidence
to ban right off of; Players must be given proof of them flagging the anti cheat - IF
server’s anti cheat also includes flags that don’t reveal anything confidential.
- A staff member may not ScreenShare players they PvP against, no matter how
suspicious the Player seems (unless they’ve also flagged the anticheat in the given
moment) - instead, the SS staff member must request assistance from another
ScreenSharer.
3. The ScreenSharer must not use any disallowed SS Tool to ScreenShare the Player with. A
staff must inform the community with a list of SS tools they will be using in the ScreenShare
globally (make an announcement separately); ScreenShare tools that are flagged by the
Anti-Virus are purely due to them being obfuscated - source protected, thus there is nothing
to be afraid of.
4. A Community must be informed of the competency of the ScreenSharers, they must be made
aware of Red Lotus Unity, since that’s where they’ll need to go to report a server which
breaks our ethics and recommendations - as doing so will revoke our connection.
5. Players may not ScreenShare each-other, no matter what.
- It is recommended that the server strictly bans between-player ScreenShares (one
player SSing the other) - no matter what, on their platform, regardless of the Player’s
SS knowledge or competency.
- It is also recommended that the server creates a separate Discord server for Players
who’d like to share their experience with the SS Team ONLY. It is up to the Staff Team to
decide whether they’d like to implement these recommendations or not.
- If the Player recommendations are against Red Lotus rules, they must be nullified and
immediately notified to the RL Unity SS Team.
6. The ScreenSharer may ban the Player for numerous reasons:
- If the Player visits absurd websites, tempers the SS or does everything to not comply
with the SSer. Patience of the SSer is not regulated by the Red Lotus Unity, thus it is

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

recommended to the players that they do not troll.

- If the Player opens an IP grabber.
- If the Player is caught cheating, using disallowed modifications.
7. The Staff team is not allowed to visit Player’s Discord servers, DMs, browser’s search history,
starred websites, google accounts or anything that includes their personal name, surname,
age or related.
8. The Players are ALLOWED to deny a ScreenShare from SSers they personally dislike, only if:
- Other ScreenSharers are present, capable of SS-ing the Player.
- The Player doesn’t misuse this allowance (saying he dislikes every SSer, dislikes the
next SSer and so on)
9. The Player may refuse a ScreenShare if their personal information has been leaked by the
staff and they can prove it. For that, they must receive a one-time (only ONCE) weekly ban as
compensation.
- It is recommended (not necessary) that the server Developers set up a command to
gamemode-ban a Player. For example - players that are mentioned in this rule may get
banned from accessing only specific game-modes instead of getting banned from the
whole server.
10. The server must set-up their own personalized rules that will not collide with R.L.U (Red
Lotus Unity) ethics and all the 9 rules mentioned above. Players may report accompanied
Servers to the RLU.

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

『Chapter I』

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

|++++|—First Phase—|++++|
In the beginning of a ScreenShare, unlike many servers do - Red Lotus doesn’t recommend or regulate
checks for recorders. It is rather an extremely good self-defense mechanism for the Player themselves.
Therefore, we’ll move onto checking Prefetch, Temp, Recent Items, Deleted Items, Macros and then we’ll
run an immediate PowerShell script to speed up the starting process.

Prefetch
General Information about Prefetch
Prefetch is a Windows component that plays a huge role in memory management; executed
applications leave a prefetch entry in C:\Windows\Prefetch directory that represents their execution
time.
- Prefetch is only generated when a .exe is run, for java based applications or DLL files it’ll instead
generate java.exe and dllhost.exe / rundll32.exe / regsvr32.exe entries. Why is this important to
know? Because this way we’ll know if the Player has executed a renamed extension cheat. For
example - Cheat.exe renamed to Cheat.dll.
- Prefetch is the evidence of execution, in other words, it logs the actual execution time of files. For
example - executing FILE.exe at 04:32 will not update that time on the file’s properties themselves,
however, that execution will be logged in prefetch with Date Modified showing execution time.
- The file will be left with a Hash number, like
7E56853A.pf, for example.

- File’s Hash represents their path - where was the file executed from. Therefore if you see the same
file name with different Hashes, it is recommended you look more into it and mark down the file’s
name to not forget for later checks.
- Tools such as WinPrefetchView and Last Activity Viewer rely on Prefetch and Regedit. Which means
if prefetch has been cleared / deleted - they will show no traces of execution. Therefore it is also
important to check for deleted prefetch files.

To Access Prefetch you must press Win+R and type Prefetch in the Run Box. Sort by Date Modified.

Alternatively, you could use CMD to sort modified prefetch entries by date modified and applied
attributes like hidden, read-only and so on. Run CMD as Administrator.

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

It is worth noting that we can use WinPrefetchView by Nirsoft to also analyze executions by Conhost &
Consent. The top part is where you look for Conhost or Consent and the bottom part of the tool is what
shows which DLLs were loaded or .exes were launched. Note that in Conhost and Consent, we’re only
looking for executables and their directories.

\VOLUME refers to the device path, or Disks to be exact (C:\, D:\, E:\, and so on).
- Pay attention to Modified Time as that refers to last write time.
- Pay attention to icons and directories, if Device Path of a .exe without an icon is gone, alongside
with its modification dates and so on, that is quite suspicious.
- Paying attention to directories becomes more important with rundll and regsvr Injections.

Regsvr and RunDLL services usually are never issued by the system itself, and even if they were to be
issued by the system - they’d never load anything from users directories.

> Some users (or Windows versions) may “break” their prefetch and make WinPrefetchView be unusable.
This will make a ScreenShare very painful to perform, however we can still use Zimmerman’s PECmd to
parse the whole Prefetch. In order to do so, create a folder and name it whatever you want (I’ll name it
Prefetch2) wherever you want (I’ll create it in C:\Prefetch2), copy prefetch entries of the current date that
you want to parse and move them there (Or copy paste with CTRL+C CTRL+V).

Use Zimmerman’s PECmd.exe and run the following command:

PECmd.exe -d "C:\Prefetch2" --csv . Note that after –csv we specify an output directory, thus the output
file will be saved to whichever directory PECmd is located in. The output will be in CSV (comma
separated values) which can be opened with either Excel or Timeline Explorer by Zimmerman.

We can sort the search results with a lot of options, for extended navigating options visit this
demonstration link;
Note that it is recommended you use the navigating options on mentioned prefetch entries (RunDll /
Regsvr / DLLHost / Conhost / Consent)

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

Temp
Temp is a windows temporary files directory, in other words, it is a folder located in
C:\Windows\%username%\AppData\Local\Temp that stores temporary actions performed by Windows
or applications, such as browser / downloaded files cache (it may include images, executables, dlls and
so on).
- By pressing Win+R and typing %temp%, you’ll access this directory.
- Look for things like JnativeHook - Rar$ - Scoped - Zz in the search to find the following:
- JnativeHook stands for 7Clicker, it is a .dll file that generates in %temp% upon the clicker’s
launch, date modified represents its execution time.
- Rar$ represents executions from WinRar compressed files
- Scoped represents scoped directories, they usually store image caches from Windows apps
(often Discord profile pictures and server icons)
- 7z is the same as Rar$ (7zip)

In the past this directory was also being used to store .DLL injectable cheats as it’d be extremely
difficult to distinguish regular DLLs. So using a Powershell script to check unsigned executables in the
directory and its sub-directories might be useful.
Get-ChildItem -Recurse $env:temp\*.dll -ea SilentlyContinue| ForEach-object {Get-AuthenticodeSignature
$_ -ea SilentlyContinue} | Where-Object {$_.status -ine "Valid"}|Select Status,Path

You could modify the script to look for unsigned .exe files in the %temp% directory as well, since it may
have tons of folders that include a cheat. (Detects rar$ex subdirectories as well)
Get-ChildItem -Recurse $env:temp\*.exe -ea SilentlyContinue| ForEach-object {Get-AuthenticodeSignature
$_ -ea SilentlyContinue} | Where-Object {$_.status -ine "Valid"}|Select Status,Path

You must remember that JnativeHook and JNA are not the same. JNA-[Random Numbers] refers to
modified Minecraft launchers (such as Lunar client, badlion, feather client, salwyrr and so on.)

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

shell:recent

Recent Items is one of the most useful targets on Windows, not only can they show virtual disk launches,
.bat cheats and so on, but it also shows recently visited directories. It’s located in
C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent
You may access the folder with Win+R then typing shell:recent

From here, you can view last accessed folders, zip files and so on. Note that data collected here derives
from RecentDocs registry path which can be cleared. If that happens, rest assured that the whole
directory will be blank, thus you can then check the deletion of registry values (explained later);
From this directory you can head back to the [Windows] directory and check [PowerShell] Folder to see
what powershell commands they’ve executed.

Go to Powershell > PSReadLine

Note that Date Modified will
always only show user issued
commands.

SS tools like Echo might flag “user accessed powershell” which is mostly a false flag as it launches
powershell upon self execution. Use this method to check when the user has actually accessed
powershell.
- Recent directory holds traces of JumpLists, that may remain even if the user has cleared
RecentDocs from regedit;
- Use Zimmerman’s JumpList Explorer; Run it as Administrator.
- Follow the Tutorial; Directories include [CustomDestinations] and [AutomaticDestinations]
If the tool doesn’t work for whatever reason, you can use LECmd, same way as PECmd works, except
here the command is:
LECmd.exe -d "C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent" --csv .
Here’s how it works

Deleted Items
This paragraph will cover USN Journal tracks, prefetch and recentdocs deletions, macro deletions,

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

FAT32 USB deletions.

Before we proceed, you must first know what FAT32 deletions mean.
● FAT32 is a File System mechanism, a data organizer. There’s NTFS File System which is
Windows specific - it includes USN Journal traces and it is often easier to recover files from
the NTFS file system. FAT32 on the other hand, does not include USN Journal, which makes it
one of the most complicated file systems.

Beginning with USN Journal

We have two useful versions of a USN Journal parser, one is JournalTrace and the other one is
Journal-Tool
https://cdn.discordapp.com/attachments/1014632218183860334/1014637785694621706/journal-tool.exe
Made by Echo. We’ll start with Journal Tool by Echo to cover deleted Macros, Prefetch and Executables.
Open the tool, mark “Deleted” and type .exe or .pf for executables and .prefetch.

Here’s a list of Macro extensions that the Players might delete before SS, make sure you pay attention to
the directory they were deleted from and check further:
.mcf .amc2
.GMAC .cuecfg
.MA32AIY .MSMACRO
record.ini
sequence.dat
macro_list.dat
custom_macro_list.dat

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

FAT32 Deletions
In order to view FAT32 Deletions, we’ll need to download FTK Imager.
https://d1kpmuwb7gvu1i.cloudfront.net/AccessData_FTK_Imager_4.7.1.exe
Open the FTK Imager as Administrator and load all attached Devices:

Navigate to the root of the attached FAT32 USB Drive and check the results;

Note that this does NOT show the date of deletion, so you’ll need to find evidence that the file had been
executed after the last system boot / restart. Sometimes you might also be able to recover the deleted
files from FTK Imager by right clicking on them, if you perform this process right away in the SS, there’s a
higher chance you can potentially recover an executable properly. However, that isn’t a guarantee.

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

Mouse Macro Detections

Mouse Macro detections are summarized by 𝕽𝚎𝚚𝚞𝚒𝚎𝚖 死 in two of his guides regarding them.
1. Onboard Macro guidelines
2. General Macro check guidelines

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

MiniSS Powershell Script

Red Lotus Unity delivers some PowerShell utilities to cooperate servers that we’ve mostly not shared or
included in our other guides. We’ll start off with MiniSS powershell Script.
MiniSS Powershell Script
- Open CMD as Administrator and type mkdir C:\ScreenShare && cd C:\ScreenShare
- Download the powershell Script by pasting this command:
curl -O
“https://cdn.discordapp.com/attachments/1083546232745644152/1087887260948631652/miniss.ps1”
- Type powershell in CMD and run the following commands:
Set-ExecutionPolicy RemoteSigned -Scope LocalMachine
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Press [A] on each notification.
- Run the MiniSS.ps1 by typing ./MiniSS.ps1 (or type mini and press [TAB])

Here’s how the process should look

The scan will take some time to load (based on how good Player’s PC is)

After the scan is finished, it’ll output found results in C:\ScreenShare current directory as a .txt file.

There’s an alternative .exe version of this script in my repositories.

[ https://github.com/Amadeus411/Red-Lotus-buster/releases/tag/Minecraft ]

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

|++++|—Second Phase—|++++|
If nothing was found by following the First Phase steps, assuming the ScreenSharer has paid attention
to every small detail, there’s a slight chance that the Player isn’t cheating - or they’re using some sort of
a bypass method to hide most traces. In this phase, we’ll cover Event Logs, Task Scheduler, Search
Everything, System Informer, Maceta, OSForensics, and SherlockFinds.

Event Logs

EventViewer is a Windows tool that stores troubleshooting logs, in other words, they store traces of
errors, crashes, system modifications and more. Players might clear USN Journal, Change system Time,
mount and dismount virtual disks, restart their services… Or, their Explorer might crash & restart itself
which is when we’ll be able to use EventViewer to make sure it wasn’t done by the Player to avoid false
bans!
Deleted USN Journal, Modified System Time, Virtual Disks, Restarted Services
I am glad to tell you that RLU has created a Powershell script that will check if Event Logs Service is
running, parse and output results with dates of deleted USN journal, modified system time, virtual disks,
USB activity, restarted services, user Logon Time, powershell downloads (that don’t leave traces in their
downloads history) and event logs cleared!
- Copy this whole script and you may keep it to paste in Powershell.
$EventIDs = @(3079, 1102, 7, 7036, 7045, 1001, 1002, 104, 1074, 4663, 7036, 4688, 4660, 4616,)
$EventLogs = @("Application", "System", "Security", "Windows PowerShell", "Windows PowerShell Operational", "Setup", "ForwardedEvents", "Internet Explorer")
$Results = @()
foreach ($EventLog in $EventLogs) {
$Events = foreach ($EventID in $EventIDs) {
Get-EventLog -LogName $EventLog -InstanceId $EventID -Newest 3
}
$Results += $Events
}
$Results | Export-Csv -Path ".\RLUEvents.csv"

To understand what you’re looking at, you must understand what these numbers stand for.
3079 - USN Journal has been deleted.
1102 - Audit logs (event logs) have been cleared.
7 - Unexpected system shutdown (PC died due to low energy or it has been shut down by the user)
7036 - Modified service state (started, stopped)
1001 - Service has crashed
1002 - Service crash too
104 - User logon
1074 - System shut down by user
4663 - Folder permissions change
4688 - Executed a script
4660 - File’s permissions menu was accessed
4616 - System time change

The output is in csv so use Timeline Explorer. Here’s a Video Demonstration of the Script. Don’t lose
your time while the script is in progress, do some regular SS checks after minimizing the CMD window
and get back to the output later.

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

Even though the script automates several checks, there are still Kernel-PnP Configurations and
Management logs we’ll need to check, assuming the user has mounted a Virtual Disk, skip otherwise.
Press Win+R and type Eventvwr

Go to Applications and Services Logs > Microsoft > Windows > Kernel-PnP/Configurations

Specifically check event IDs of 400, 410, 411 that were recently generated (current date)

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

System Informer
System Informer (SI) is a new version of Process Hacker - As per say, it is “A free, powerful, multi-purpose
tool that helps you monitor system resources, debug software and detect malware.”

There are many alternatives to this tool that search for given specifics in services memory, such as
strings64, bstrings, volatility and so on, however, none of them come close to the possibilities of this tool
as all of them require a memory sample to be usable.
It is also the only version of Process Hacker that has the option to actually toggle Kernel Driver option
on Windows11, although some of its functions mentioned in this guide might bluescreen the Player’s
PC… (those methods will include a !WARNING! notice)
To toggle Kernel Driver on Windows, go to Options, select it and Close. You’ll need to restart SI.

The “Disk” option in SI will display currently working tasks, for example, recordings or background VPNs.

The “Devices” option will display all the currently plugged in Devices, it may also leave tracks of once
recognized devices (such are Virtual disks or USBs).

We’ll be mainly concentrating on the Processes section, as that’s what we need to use. We’ll be using
System Informer for the Task Scheduler section of this guide.

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

Task Scheduler
Task Scheduler is a built-in feature in Windows operating systems that allows users to schedule tasks or
programs to run automatically at specified times or on specific events. It can be accessed through the
Control Panel or the Administrative Tools folder in the Start menu. With Task Scheduler, you can create
tasks that perform a wide range of actions, such as running programs or scripts, sending emails, or
performing system maintenance tasks, and schedule them to run on a one-time or recurring basis.
Access Task Scheduler from the search bar;

Since tasks can be started at boot time, it may bypass string logging.
To make a detection, we will consider two cases:
The task is currently in the system, not deleted:
1. We can detect its presence by analyzing every task in the Task Scheduler program, and checking it
"Actions" parameters
This way, we can check if the file is a cheat or not, and you may only check tasks that are executed at
boot/logon time

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

2. We can detect its presence by analyzing files logged by the Scheduler process, or xml artifacts
registered when the task was made.
To detect artifacts traces, we may filter this string:
COMPUTERNAME=\Windows Username
Replace Computername= with the value that you get in the Scheduler process after filtering
"computername=, and Windows username with the current username being used, that you can get in
the task manager or in the C:\Users path

To detect files executed by Schedule, we may filter this regex (contains case-insensitive):
([A-Z]:\\.+\.(dll|exe)|"[A-Z]:\\.+\.(dll|exe)")$ - Look for suspicious files, for example .exe files from directories
other than C:\Windows\System32;

- Windows tasks are located in C:\Windows\System32\Tasks directory, use JournalTool to detect

deleted task names if the above methods are too complicated, but you’ll still need to perform them.
- After reading what task was deleted before / near SS, use System Informer and filter the Scheduler
by the name of that specific task, copy the results in a .txt and read </Command>

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

Maceta
Maceta is a SS Tool created by Rancio, it uses virustotal API to detect unsigned malicious executions by
specified files. Let’s break it down:
- You may Download Maceta using this link: [ https://github.com/RRancio/Exec/raw/main/Files/maceta.exe ]
- Make a VirusTotal account and generate your API key

- Before executing Maceta, open System Informer and dump csrss with highest memory with strings:
:\ and .exe | save results as a .txt.

Demonstration Video

Maceta will output detected files in a folder & then it’ll open the folder itself. Make sure you execute
it as Admin.

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

OSForensics
➖Download➖
OSForensics - Download

▪▪➖Introduction➖▪▪
OSForensics is a Forensic toolkit that has a Trial version available for FREE. The tool is ~240MB, which might be impractical in some cases
but it’s definitely a tool that has many uses. This guide will only cover some of the most useful features of the tool.
➖▪➖
[__Processing the Case

To start off, you’ll need to create a new case instead of doing a Triangle Acquisition. To do so, navigate to the Create Case
option under Case Management.

From here on, you’ll be met with a menu to select case options. In Case
Name you’ll type anything as it plays no significant role in this.
For Acquisition Type - You’ll select Investigate Disk(s)

For Case Folder - You’ll enable USB Write-Block, with this you’ll rest
assured that any external drive modifications will not be done by you,
any data alteration / deletion is safe to ban for. Important Note -
Enable this only if the user has disconnected a drive & ask them to
reconnect it. Make sure it’s the right drive number.
This way, any file on the drive will lose “rename” /
“delete” options as the drive will be Write protected.

In Case Properties, select

Manage Devices and add
all the Drives that are
currently connected to the device.

[__File System Browser

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

After you’ve set up the case drives, you can easily navigate through the utilities without having to create a new case for each new
drive entry. First, we’ll be looking for Deleted Files Search.
⛓___________________________________________________________________________________⛓

Select a Device in the Case (or Other devices that you need to parse) and press Scan.
After the Scan is finished, right click to a blank space and press Select All
Right click again and save selections as HTML | Note - Only do this if you need to acquire recently deleted files that are .exe /
.dll / suspicious enough.

This HTML output will show an estimated restoration quality, if it’s above 70% there’s a high chance of successfully recovering
them; otherwise a lower than 60~50% estimation might indicate multiple things, such as:
➖The deletion space has been overwritten (may indicate a replacement)
➖The file has been corrupted (may indicate an anti-forensic technique of file deletion)
➖May indicate the file has been deleted ages ago, but a similar file has been put in its place
➖The deleted file has been scattered across the device (may indicate a fragmentation technique which makes it nearly
impossible to recover them)
Keep in mind - You can filter to only look for deleted .exe files in the search patterns.

To configure Deleted Files Search, press Config… option next to the scan button. Here, you can choose to also scan Index
Records, File Size limits, Minimum Quality of the files and so on. Note that usually, excellent quality will refer to fresh deletion
(not overwritten / corrupted)

[__Volume Shadow Copies

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

While analyzing Volume Shadow Copies might be useless, sometimes they can be used to recover freshly deleted files (such as
python scripts / bat / css scripts). Scroll slightly down and click Analyze Shadow Copies. Press Find Shadow Copies and reopen
OSForensics. This time you should be able to see several VSS mounts to your active Case.

[__Program Artifacts Viewer

Program Artifacts Viewer is a Prefetch & AmCache data collector, This can practically be used if WinPrefetchView faces an error.
Simply select this option, select
the drive and analyze the results.

⛓___________________________________________________________________________________⛓
[__Deleted Files Search

File System Browser is basically more fun to use FTK Imager, with this, we should (in theory) be able to detect deletions on FAT32
/ external Drives. But before you begin, go to File & Options to check everything for better results.
Select the drive (FAT32 in my case) you want to analyze and you’ll see Deleted files with their estimated size. Note that this will not
show a deletion date of the file but rather its Access date; if there’s a cheat on the drive that has been recently accessed (you can
use System Informer to see if the file has been executed since last reboot), the ban will be valid.

[__User Activity Timeline

One of the most useful features of OSForensics is a Timeline viewer. This isn’t Timeline Explorer, it’s an option that lets you view
timeline data of the state of the device. In other words, you’re simply able to navigate through only executables, only DLLs and
only any data you’re looking for. Most options have this setting, I’ll be using User Activity to demonstrate it.
For this scan, recommended options are:

➖Most Recently Used

➖Autorun commands
➖Clipboard
➖User Assist
➖Jump Lists
➖Shellbags
—----------------------------- Red Lotus SS Team -----------------------------—
In affiliation with the Red Lotus SS Team;

➖Windows 10 Timeline
➖Recycle bin
➖Windows search
➖Anti-Forensics artifacts
➖BAM/DAM (DAM for Windows8)
➖USB / Mounted Volumes
Simply select a device and proceed to a quick scan.

➖▪▪▪▪➖Timeline➖▪▪▪▪➖

The Timeline output will display a chart of parsed output which you can navigate through by simply clicking on them. The data
you’ll be redirected to will be more oriented on specific dates of the acquisition.

Clicking the same acquisition twice will spread the data into more specifics.

After you’ve gone directly to whatever data you’re looking

for, right click and press Show these items to be left with a
specific output only.

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

Sherlock Finds
SherlockFinds is a File Signature Checker for NTFS and FAT Drives, it displays Date of Modification on
output results. The tool is made by the Red Lotus SS Team.
Note that the tool is getting updated from time to time, it detects unsigned files but the Date of
Modification isn’t sufficient. Thus we’d rather recommend you filter Directories to search (for example
files in C:\Windows\System32) and so on.
- Download https://github.com/SherlockHolmesv/SherlockSignatureChecker/releases/tag/DFIR

Execute the file and wait. It’ll output results in a .csv which you’ll check in Timeline Explorer.
Recommended filtering methodology;

You may ignore filtering by the Dates at all and only use directories search.
It detects .jar and .bat files too.

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

|++++|—Third Phase—|++++|
This phase will include only the most useful manual SS-ing methods and tools, explained in mere
details. It’ll mainly cover a powershell toolkit.

Red Lotus Powershell

RedLotus Powershell is a ToolKit that includes various Powershell commands, as well as Velociraptor
support for automatic launch.

To Download the utility, copy paste this link in user’s browser:

https://cdn.discordapp.com/attachments/1079116000244535427/1085364756241723462/RedLotus_Powershell.exe
A demonstration of this utility is in the official Red Lotus Unity server, public access; or visit this link to
view a clip of its usage. I recommend running it with a CMD instead of double clicking.

Velociraptor NTFS
Velociraptor offers a compilation of NTFS parsers, with a combination of these 4:
Windows.NTFS.ADSHunter - Alternate Data Stream in NTFS
Windows.NTFS.ExtendedAttributes - Malicious Attributes trackdown
Windows.NTFS.I30 - $i30 Parse
Windows.NTFS.MFT - $MFT Parse

Note that it is recommended you either use only Windows.NTFS.ADSHunter &

Windows.NTFS.ExtendedAttributes, or either one of the four since all 4 at once will drastically slow
down the PC due to how much data it's parsing. For the tutorial, visit this link.

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

Rancio’s Tools
Rancio has also made multiple extremely useful SS Tools to help you with ScreenShares; They can be
viewed in his github repository. Here they are:

Mecha
To Download Mecha, copy this link in user’s Browser:
https://cdn.discordapp.com/attachments/926545068230344714/1078495196846772365/Mecha.exe
Just like Maceta, Mecha is based on Virustotal Scans and does a similar job. Its scan area is
amacache. Here’s a Demonstration Link

DoomsDay Client Finder

Executable file capable of detecting the DoomsDay client internally.
This was only tested on version 1.16.5, I have no idea about other versions.

Download the executable from the following link: https://github.com/RRancio/Exec/raw/main/Files/DDFO.exe

Video demonstration;

Unicode Detector
There are several ways for detecting Unicode character files on the user’s device, Rancio has made a
tool that detects the most suspicious unicode files (executables, DLLs and so on)
Download the tool from the following link: https://github.com/RRancio/Exec/raw/main/Files/Unicode.exe

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

777 Linux ScreenShare Tool

777 Is a Linux ScreenShare Tool made by Rancio, for more information visit the Discord server.

Tool’s Repository: https://github.com/RRancio/777

Ocean SS Tool
Ocean is by far the biggest Free SS Tool project ever done; the tool is a free version of Golden SS Tool.
To download the tool and use it with pins, visit Ocean’s Discord server.
The tool supports Windows 7/8/10/11 and Linux operating systems.

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

GlobalLister
queries DeviceID to a website to check specification and original product names.

Download from here: Releases · RRancio/GlobalLister (github.com)

Powershell WinPrefetchView
To make your job slightly easier, we’ve created a powershell script to Download and Execute
WinPrefetchView (by Nirsoft) according to your specific dates. Here’s a Demonstration;
- Simply Input the date in MM-DD-YYYY format (Month, Day, Year)
Here’s a downloadable version of the script:
https://cdn.discordapp.com/attachments/1086389114577895545/1086392746090168380/WinPrefetch_P
owershell.ps1
Note that you will have to execute Powershell policies to run the .ps1 file (like with MiniSS.ps1)

USB Checker
USB Checker is a small script by 3gbCyber - it’ll detect and hash all .exe files on connected USB drives
(even if they’re hidden) - including .bat files. Download the Tool here

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

『Chapter II』

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

<>!<> Forensics Stage I <>!<>

You’ve reached the Forensics part of this guide.

Magnet EDD
Magnet EDD stands for Magnet Encrypted Disk Detector. It detects active encrypted disks like
VeraCrypt, TrueCrypt, BitLocker and so on. Download the tool Here

You’ll only need to execute the detector and it’ll start scanning. As you can see, it scans NTFS, exFat
and FAT32 file systems.

INDXRipper
INDXRipper is a Forensic utility created in Python, by Harel Segev, it is an extremely heavy and powerful
utility for carving metadata from NTFS $i30 indexes.
- NTFS consists of $FILE_ALLOCATION and $INDEX_ALLOCATION attributes. By parsing both,
INDXRipper will output information of file’s Modification and Access date. Unlike $MFT parsing, this
tool will display slack data of deleted files as well.
To use the tool, Download it from here and extract it. Open CMD and navigate to the extracted folder,
run the following command:
INDXRipper.exe //./C: --deleted-dirs output.csv
The output will be in .csv format which you may view through TimeLine Explorer. Sort by last access date
to view in the latest UTC time format.
Here’s a Demonstration Clip. Note that parsing will take more than 3 minutes.

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

$MFT
MFT, in short for Master File Table, is a database in NTFS file systems that keep track of file activity,
including their streams (where they were downloaded from).
- We’ll parse $MFT of the specified NTFS system (C:\ disk D:\ disk or whichever) by using Zimmerman’s
MFTECmd.exe. Use CMD to navigate to the same Directory and execute command:
MFTECmd.exe -f C:\$MFT –csv .

- follow the video clip here. I suggest you practice these tools mentioned above on your device.

Kernel Live Dump

To perform this check, we’ll need to use System Informer and create a Kerlen Live Dump .dmp file first.
!WARNING! - this may bluescreen Player’s PC so use it only if you suspect WMIC, Regsvr, Rundll or any
hollow bypasses with it in the very end of the SS.
1) Go to System Informer and Dump Live Kernel Memory

= =

= =
2) Use Strings64.exe by SysInternals to parse the .dmp output. Here’s option variants:
- To dump Rundll / Regsvr Injections, use a command:
strings64.exe -accepteula -s -n 4 .\*.dmp | findstr "RunDLL32.exe " > Output.txt
It will create a .txt output of results. Navigate through it with ctr+f

- There’s a java library Injection technique that is based on CMD, to detect that using this
kernel live dump - search for “java -jar “ instead of “RunDLL32.exe “ (note that there’s a
space after -jar )

- To detect process hollowing, look for keywords like “Injecting” or “Encrypting File” or
“Target File “

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

PE Injection / Proxy Clients

Requiem has made a Tutorial on how to detect Process Hollowing, Onboard Macros, Proxy Clients and
more - here’s a video for that.

<>!<> Forensics Stage II <>!<>

Red Lotus
Red Lotus is a tool that adapts a miniature interpretation of KAPE Forensics. I’ve gotten permission
from Eric Zimmerman to distribute a stripped version of Kape under my delivered GKape, which I have
implemented in the above mentioned tool - Red Lotus.
To get a basic idea of what Red Lotus tool is, here’s a demonstration video of it.
The tool will keep getting updated with newer utilities. For now, it includes everything that Red
Lotus offers for Minecraft ScreenSharing.
- Download # Red Lotus Forensic Artifact Parser
- OwOScript is a Powershell based Entropy .exe detection. Put the script in Powershell
modules to be able to use it with Red Lotus. Note that Entropy refers to the file's code - is it

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

malicious or not.
- Join the Red Lotus Unity Discord for more Forensic methods and collaboration with the
ScreenShare community mainstream - for even greater experience, as these are methods
we in Red Lotus were simply willing to publicly share. A lot of private methods still exist…

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

『Chapter III』

—----------------------------- Red Lotus SS Team -----------------------------—

In affiliation with the Red Lotus SS Team;

[[ Ban Evasion ]]
As for the final method in this guide, I’ve made a powershell script that’ll parse the whole C:\Users
directory with sub-directories, checking all Minecraft folders and other .txt, .json files for the strings
“user” & “username”, then it’ll output a .csv file that you can inspect using Timeline Explorer for your
specific usernames.
Download
https://cdn.discordapp.com/attachments/1083164927696588921/1106689460202123304/WatsonAltChecker.
ps1
The tool will ask you to input a Username you’re looking for.

There’s also a 2nd script that I’ve created, it will output and wrap all chat logs of the user from known
directories. Here’s a demonstration of how to use it:
This time, I’ve also made the script search for deleted .json / .log / .txt files. Here’s the downloadable
script that you can copy-paste in powershell:
https://cdn.discordapp.com/attachments/1095072783068827769/1106683442105688084/message.txt

—----------------------------- Red Lotus SS Team -----------------------------—