SlideShare ist ein Scribd-Unternehmen logo

Windows Forensics

Prince Boonlia
Prince Boonlia

Few Aspects of Windows Forensics. Small things that we normally overlook

BildungTechnologie
1 von 26
Shri Few More Aspects of Forensics Boonlia Prince Komal Gmail : boonlia@gmail.com Facebook: http://www.facebook.com/home.php?#!/profile.ph p?id=1701055902 or search for my mail id boonliasecurity@gmail.com Twitter: http://twitter.com/boonlia
Recycle Bin Analysis Location of Recycle Bin file/ Files Operating System File Location System Windows 95/98/ME FAT32 C:RecycledINFO2 Windows NT/2K/XP NTFS C:Recycler<USER SID>INFO2 Windows Vista/ 7 NTFS C:$Recycle.Bin<USER SID>
Changes With Vista Windows XP/2K/NT/ME/ 98/95 Windows Vista/7
INFO2 File structure
INFO2 File structure Cont.
$Rxxxxxxx.abc $Ixxxxxxx.abc Deletion Time File Name File Size Windows Vista / 7
The $I File Structure
Windows Prefetching
Basics of Prefetching Implemented with Windows XP Windows Memory manager component Super fetch and ready boost with Windows vista Boot V/S Application Prefetching Demo for functioning of Prefetching
Prefetch file in Windows XP
Prefetch File in Vista and Windows 7
Thumbnails 96 X 96 pixel thumbnails Windows XP Option to choose thumbnail size anywhere on the slider Windows Vista and 7
Storage in Windows XP (Thumbs.db) Can not Identify the user who used it Deleted with the deletion of the folder Only 96 X 96 Pixel Thumbnails Tool: Thumbs_Viewer.exe Demo: Manually recreating thumbnail with hex editor
Thumbnails in Vista and Windows 7 Central location for all thumbnails C:Users<USER>AppDataLocalMicrosoftWindowsExplorer Cache files based on maximum pixel thumbnail 32 X 32 (Max) Pixel Thumbnail in thumbcache_32.db Index File to link Unique ID in Cache file to Windows Index C:ProgramDataMicrosoftSearchDataApplicationsWindowsWindows.edb Generation of Thumbs.db in case of Access from network
Thumbnails in Vista and Windows 7 Entry In Thumbnail Cache file
Entries in Thumbcache_IDX, Thumbcache_32, Thumbcache_96, Thumbcache_256 files Thumbcache_IDX Thumbcache_32 Thumbcache_96 Thumbcache_256
Rebuilding the Cache Find filename Look up the data location and path of the in ThumbCache_32 file and match the image file TuhumbnailCacheID Look up the data location Find in ThumbCache_96 file Take Data block, ThumbnailCac and match the Identify file type TuhumbnailCacheID heID for and reconstruct Windows.edb Look up the data location Thumbnail in ThumbCache_256 file and match the TuhumbnailCacheID Find Corresponding Data location in Look up the data location cache files in in ThumbCache_1024 file Thumbcache_IDX and match the TuhumbnailCacheID Reconstruct Thumbnail
Windows Volume Shadow copy Ever wonder how System Restore works? Volume shadow Copy services monitor system and changes Copies changed sectors in 16KB blocks and keep it in a file Copies on: Automatic schedule time, System restore point creation, installation of new package. Can carry data that has been deleted, wiped or encrypted later
Exploring Shadow Copies Explore with VSSadmin Mount with DOSDEV.exe Lets share shadow copy net share shadow=.HarddiskVolumeShadowCopy5
Time Line analysis (Thanks to Rob lee for his awesome research) Basic Time line: (File system time line) File Time Time Modified Accessed Created Metadata System Stored as stored as Modified FAT Local Since Jan 1, Modified Accessed in Created in 1980 in multiple multiple of multiple of of 2 Day (Time 10 ms seconds ususally midnight) NTFS UTC 100 Neno Modified Accessed $MFT Date seconds (FILETIME) (FILE TIME) Modified Created since Jan 1, (Matadata (File Birth) 1601 changed) (FILETIME) Disable Last Access time: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlFileSystemNtfsDisableLastAccessUpdate to 1.
Why Timeline analysis Extremely difficult for a malware to handle all times Almost impossible for attacker not to hide the time line evidences Spread across system and multiple of time lines Helps in presenting the entire picture of all the happenings on the system
How Various times behave
Screen Taken from Rob Lee Presentation
Lets Use $FILENAME to avoid win32 API
File Timeline MRU File Download Browser History analysis (Open/Save/Run) Mail analysis Malware analysis Log Analysis Conducting an examination Program Prefetch Open/RunMRU Run MRU User Assist Execution Thumbnail Recycle Bin File Existance Search MRU analysis analysis Browser artifacts Shadow Copy First and last Volume name USB Keys USB Serials time used User who used it Path in MRU and Drive letter File Creation Thumbnails for Time line Shadow copy Recent file MRUs Lnk file analysis image and other and change analysis files Was A Security Regedit Registry key Registry slack execution Regedit Prefetch Shadow file descriptor on the keys deleted? Unallocated Recycle Bin Volume Shadow Recent file list File deletion space analysis copy and lnk Various MRUs Strings Time stamp Time line Execution of Check for neno Volume Shadow tempering analysis program second value copy System Backdoor Network Super time line Connection presence and compromise? forensics analysis analysis analysis Encryption Temp locations Page file analysis Various Memory analysis Rainbow tables LM Hash attack for decrypted attacks for key presence password attacks files
Questions? Gmail : boonlia@gmail.com Facebook: http://www.facebook.com/home.php?#!/profile.ph p?id=1701055902 or search for my mail id boonliasecurity@gmail.com Twitter: http://twitter.com/boonlia

Empfohlen

Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Forensics Analysis and Validation
Forensics Analysis and Validation Forensics Analysis and Validation
Forensics Analysis and Validation Jyothishmathi Institute of Technology and Science Karimnagar
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsSCREAM138
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensicOnline
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsMayank Chaudhari
 
Mac Forensics
Mac ForensicsMac Forensics
Mac ForensicsCTIN
 
Forensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsForensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsGol D Roger
 
NSL KDD Cup 99 dataset Anomaly Detection using Machine Learning Technique
NSL KDD Cup 99 dataset Anomaly Detection using Machine Learning Technique NSL KDD Cup 99 dataset Anomaly Detection using Machine Learning Technique
NSL KDD Cup 99 dataset Anomaly Detection using Machine Learning Technique Sujeet Suryawanshi
 

Empfohlen

Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Forensics Analysis and Validation
Forensics Analysis and Validation Forensics Analysis and Validation
Forensics Analysis and Validation Jyothishmathi Institute of Technology and Science Karimnagar
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsSCREAM138
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensicOnline
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsMayank Chaudhari
 
Mac Forensics
Mac ForensicsMac Forensics
Mac ForensicsCTIN
 
Forensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsForensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsGol D Roger
 
NSL KDD Cup 99 dataset Anomaly Detection using Machine Learning Technique
NSL KDD Cup 99 dataset Anomaly Detection using Machine Learning Technique NSL KDD Cup 99 dataset Anomaly Detection using Machine Learning Technique
NSL KDD Cup 99 dataset Anomaly Detection using Machine Learning Technique Sujeet Suryawanshi
 
Email Forensics
Email ForensicsEmail Forensics
Email Forensicsprimeteacher32
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensicsn|u - The Open Security Community
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx9905234521
 
Email Forensics
Email ForensicsEmail Forensics
Email ForensicsGol D Roger
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)Aj Maurya
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensicsprimeteacher32
 
Anti forensic
Anti forensicAnti forensic
Anti forensicMilap Oza
 
Windowsforensics
WindowsforensicsWindowsforensics
WindowsforensicsSantosh Khadsare
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber ForensicsKathirvel Ayyaswamy
 
Current Forensic Tools
Current Forensic Tools Current Forensic Tools
Current Forensic Tools Jyothishmathi Institute of Technology and Science Karimnagar
 
Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenesprimeteacher32
 
Cyber forensics
Cyber forensicsCyber forensics
Cyber forensicspranjal dutta
 
Encase Forensic
Encase ForensicEncase Forensic
Encase ForensicMegha Sahu
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisitionprimeteacher32
 
Module 02 ftk imager
Module 02 ftk imagerModule 02 ftk imager
Module 02 ftk imagerParminderKaurBScHons
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imagingDINESH KAMBLE
 
Linux forensics
Linux forensicsLinux forensics
Linux forensicsSantosh Khadsare
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptxAmbuj Kumar
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber ForensicsKathirvel Ayyaswamy
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolBrent Muir
 
Files and Folders in Windows 7
Files and Folders in Windows 7Files and Folders in Windows 7
Files and Folders in Windows 7RIAH ENCARNACION
 

Weitere ähnliche Inhalte

Was ist angesagt?

Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx9905234521
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)Aj Maurya
 
Anti forensic
Anti forensicAnti forensic
Anti forensicMilap Oza
 
Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenesprimeteacher32
 
Encase Forensic
Encase ForensicEncase Forensic
Encase ForensicMegha Sahu
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptxAmbuj Kumar
 

Was ist angesagt? (20)

Email Forensics
Email ForensicsEmail Forensics
Email Forensics
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Memory forensics
Memory forensicsMemory forensics
Memory forensics
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx
 
Email Forensics
Email ForensicsEmail Forensics
Email Forensics
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
 
Anti forensic
Anti forensicAnti forensic
Anti forensic
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber Forensics
 
Current Forensic Tools
Current Forensic Tools Current Forensic Tools
Current Forensic Tools
 
Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenes
 
Cyber forensics
Cyber forensicsCyber forensics
Cyber forensics
 
Encase Forensic
Encase ForensicEncase Forensic
Encase Forensic
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisition
 
Module 02 ftk imager
Module 02 ftk imagerModule 02 ftk imager
Module 02 ftk imager
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptx
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber Forensics
 

Andere mochten auch

WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolBrent Muir
 
Files and Folders in Windows 7
Files and Folders in Windows 7Files and Folders in Windows 7
Files and Folders in Windows 7RIAH ENCARNACION
 
Sadfe2007
Sadfe2007Sadfe2007
Sadfe2007CTIN
 
Corporate Public Investigations
Corporate Public InvestigationsCorporate Public Investigations
Corporate Public InvestigationsCTIN
 
Level1 Part8 End Of The Day
Level1 Part8 End Of The DayLevel1 Part8 End Of The Day
Level1 Part8 End Of The DayCTIN
 
Nra
NraNra
NraCTIN
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeAung Thu Rha Hein
 
Windows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicWindows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicCTIN
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierBasis Technology
 
Computer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows RegistryComputer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows Registrysomutripathi
 
Part6 Private Sector Concerns
Part6 Private Sector ConcernsPart6 Private Sector Concerns
Part6 Private Sector ConcernsCTIN
 
Installation of Joomla on Windows XP
Installation of Joomla on Windows XPInstallation of Joomla on Windows XP
Installation of Joomla on Windows XPRupesh Kumar
 
Forensic Anaysis on Twitter
Forensic Anaysis on TwitterForensic Anaysis on Twitter
Forensic Anaysis on TwitterYansi Keim
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsMike Spaulding
 

Andere mochten auch (20)

WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage Tool
 
Files and Folders in Windows 7
Files and Folders in Windows 7Files and Folders in Windows 7
Files and Folders in Windows 7
 
Digital forensic upload
Digital forensic uploadDigital forensic upload
Digital forensic upload
 
Sadfe2007
Sadfe2007Sadfe2007
Sadfe2007
 
Corporate Public Investigations
Corporate Public InvestigationsCorporate Public Investigations
Corporate Public Investigations
 
Level1 Part8 End Of The Day
Level1 Part8 End Of The DayLevel1 Part8 End Of The Day
Level1 Part8 End Of The Day
 
Windows 7-cheat-sheet
Windows 7-cheat-sheetWindows 7-cheat-sheet
Windows 7-cheat-sheet
 
File carving tools
File carving toolsFile carving tools
File carving tools
 
Nra
NraNra
Nra
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research Challenge
 
Windows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicWindows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-public
 
Registry forensics
Registry forensicsRegistry forensics
Registry forensics
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
 
Computer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows RegistryComputer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows Registry
 
Cheatsheet of msdos
Cheatsheet of msdosCheatsheet of msdos
Cheatsheet of msdos
 
Part6 Private Sector Concerns
Part6 Private Sector ConcernsPart6 Private Sector Concerns
Part6 Private Sector Concerns
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
 
Installation of Joomla on Windows XP
Installation of Joomla on Windows XPInstallation of Joomla on Windows XP
Installation of Joomla on Windows XP
 
Forensic Anaysis on Twitter
Forensic Anaysis on TwitterForensic Anaysis on Twitter
Forensic Anaysis on Twitter
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti Forensics
 

Ähnlich wie Windows Forensics

Vista Forensics
Vista ForensicsVista Forensics
Vista ForensicsCTIN
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smartJeff Beley
 
Tidy up for mac
Tidy up for macTidy up for mac
Tidy up for macanna ardis
 
Section02-Structures.ppt
Section02-Structures.pptSection02-Structures.ppt
Section02-Structures.pptJamelPandiin2
 
6.Temp & Rand
6.Temp & Rand6.Temp & Rand
6.Temp & Randphanleson
 
Latihan8 comp-forensic-bab5
Latihan8 comp-forensic-bab5Latihan8 comp-forensic-bab5
Latihan8 comp-forensic-bab5sabtolinux
 
Ch11 OS
Ch11 OSCh11 OS
Ch11 OSC.U
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windowsguest66dc5f
 
Leveraging NTFS Timeline Forensics during the Analysis of Malware
Leveraging NTFS Timeline Forensics during the Analysis of MalwareLeveraging NTFS Timeline Forensics during the Analysis of Malware
Leveraging NTFS Timeline Forensics during the Analysis of Malwaretmugherini
 
Data hiding and finding on Linux
Data hiding and finding on LinuxData hiding and finding on Linux
Data hiding and finding on LinuxAnton Chuvakin
 
Distributed File System
Distributed File SystemDistributed File System
Distributed File SystemNtu
 
Chapter 10 - File System Interface
Chapter 10 - File System InterfaceChapter 10 - File System Interface
Chapter 10 - File System InterfaceWayne Jones Jnr
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012Rian Yulian
 

Ähnlich wie Windows Forensics (20)

Vista Forensics
Vista ForensicsVista Forensics
Vista Forensics
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smart
 
Tidy up for mac
Tidy up for macTidy up for mac
Tidy up for mac
 
Section02-Structures.ppt
Section02-Structures.pptSection02-Structures.ppt
Section02-Structures.ppt
 
6.Temp & Rand
6.Temp & Rand6.Temp & Rand
6.Temp & Rand
 
Latihan8 comp-forensic-bab5
Latihan8 comp-forensic-bab5Latihan8 comp-forensic-bab5
Latihan8 comp-forensic-bab5
 
DFSNov1.pptx
DFSNov1.pptxDFSNov1.pptx
DFSNov1.pptx
 
OSCh11
OSCh11OSCh11
OSCh11
 
OS_Ch11
OS_Ch11OS_Ch11
OS_Ch11
 
Ch11 OS
Ch11 OSCh11 OS
Ch11 OS
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
 
Introduction to Unix
Introduction to UnixIntroduction to Unix
Introduction to Unix
 
Leveraging NTFS Timeline Forensics during the Analysis of Malware
Leveraging NTFS Timeline Forensics during the Analysis of MalwareLeveraging NTFS Timeline Forensics during the Analysis of Malware
Leveraging NTFS Timeline Forensics during the Analysis of Malware
 
Data hiding and finding on Linux
Data hiding and finding on LinuxData hiding and finding on Linux
Data hiding and finding on Linux
 
Rhel1
Rhel1Rhel1
Rhel1
 
Distributed File System
Distributed File SystemDistributed File System
Distributed File System
 
Linux 4 you
Linux 4 youLinux 4 you
Linux 4 you
 
Chapter 10 - File System Interface
Chapter 10 - File System InterfaceChapter 10 - File System Interface
Chapter 10 - File System Interface
 
File
FileFile
File
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012
 

Kürzlich hochgeladen

AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfphamnguyenenglishnb
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxAshokKarra1
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Seán Kennedy
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxMaryGraceBautista27
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONHumphrey A Beña
 

Kürzlich hochgeladen (20)

YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptx
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 

Windows Forensics

  • 1. Shri Few More Aspects of Forensics Boonlia Prince Komal Gmail : boonlia@gmail.com Facebook: http://www.facebook.com/home.php?#!/profile.ph p?id=1701055902 or search for my mail id boonliasecurity@gmail.com Twitter: http://twitter.com/boonlia
  • 2. Recycle Bin Analysis Location of Recycle Bin file/ Files Operating System File Location System Windows 95/98/ME FAT32 C:RecycledINFO2 Windows NT/2K/XP NTFS C:Recycler<USER SID>INFO2 Windows Vista/ 7 NTFS C:$Recycle.Bin<USER SID>
  • 3. Changes With Vista Windows XP/2K/NT/ME/ 98/95 Windows Vista/7
  • 6. $Rxxxxxxx.abc $Ixxxxxxx.abc Deletion Time File Name File Size Windows Vista / 7
  • 7. The $I File Structure
  • 9. Basics of Prefetching Implemented with Windows XP Windows Memory manager component Super fetch and ready boost with Windows vista Boot V/S Application Prefetching Demo for functioning of Prefetching
  • 10. Prefetch file in Windows XP
  • 11. Prefetch File in Vista and Windows 7
  • 12. Thumbnails 96 X 96 pixel thumbnails Windows XP Option to choose thumbnail size anywhere on the slider Windows Vista and 7
  • 13. Storage in Windows XP (Thumbs.db) Can not Identify the user who used it Deleted with the deletion of the folder Only 96 X 96 Pixel Thumbnails Tool: Thumbs_Viewer.exe Demo: Manually recreating thumbnail with hex editor
  • 14. Thumbnails in Vista and Windows 7 Central location for all thumbnails C:Users<USER>AppDataLocalMicrosoftWindowsExplorer Cache files based on maximum pixel thumbnail 32 X 32 (Max) Pixel Thumbnail in thumbcache_32.db Index File to link Unique ID in Cache file to Windows Index C:ProgramDataMicrosoftSearchDataApplicationsWindowsWindows.edb Generation of Thumbs.db in case of Access from network
  • 15. Thumbnails in Vista and Windows 7 Entry In Thumbnail Cache file
  • 16. Entries in Thumbcache_IDX, Thumbcache_32, Thumbcache_96, Thumbcache_256 files Thumbcache_IDX Thumbcache_32 Thumbcache_96 Thumbcache_256
  • 17. Rebuilding the Cache Find filename Look up the data location and path of the in ThumbCache_32 file and match the image file TuhumbnailCacheID Look up the data location Find in ThumbCache_96 file Take Data block, ThumbnailCac and match the Identify file type TuhumbnailCacheID heID for and reconstruct Windows.edb Look up the data location Thumbnail in ThumbCache_256 file and match the TuhumbnailCacheID Find Corresponding Data location in Look up the data location cache files in in ThumbCache_1024 file Thumbcache_IDX and match the TuhumbnailCacheID Reconstruct Thumbnail
  • 18. Windows Volume Shadow copy Ever wonder how System Restore works? Volume shadow Copy services monitor system and changes Copies changed sectors in 16KB blocks and keep it in a file Copies on: Automatic schedule time, System restore point creation, installation of new package. Can carry data that has been deleted, wiped or encrypted later
  • 19. Exploring Shadow Copies Explore with VSSadmin Mount with DOSDEV.exe Lets share shadow copy net share shadow=.HarddiskVolumeShadowCopy5
  • 20. Time Line analysis (Thanks to Rob lee for his awesome research) Basic Time line: (File system time line) File Time Time Modified Accessed Created Metadata System Stored as stored as Modified FAT Local Since Jan 1, Modified Accessed in Created in 1980 in multiple multiple of multiple of of 2 Day (Time 10 ms seconds ususally midnight) NTFS UTC 100 Neno Modified Accessed $MFT Date seconds (FILETIME) (FILE TIME) Modified Created since Jan 1, (Matadata (File Birth) 1601 changed) (FILETIME) Disable Last Access time: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlFileSystemNtfsDisableLastAccessUpdate to 1.
  • 21. Why Timeline analysis Extremely difficult for a malware to handle all times Almost impossible for attacker not to hide the time line evidences Spread across system and multiple of time lines Helps in presenting the entire picture of all the happenings on the system
  • 23. Screen Taken from Rob Lee Presentation
  • 24. Lets Use $FILENAME to avoid win32 API
  • 25. File Timeline MRU File Download Browser History analysis (Open/Save/Run) Mail analysis Malware analysis Log Analysis Conducting an examination Program Prefetch Open/RunMRU Run MRU User Assist Execution Thumbnail Recycle Bin File Existance Search MRU analysis analysis Browser artifacts Shadow Copy First and last Volume name USB Keys USB Serials time used User who used it Path in MRU and Drive letter File Creation Thumbnails for Time line Shadow copy Recent file MRUs Lnk file analysis image and other and change analysis files Was A Security Regedit Registry key Registry slack execution Regedit Prefetch Shadow file descriptor on the keys deleted? Unallocated Recycle Bin Volume Shadow Recent file list File deletion space analysis copy and lnk Various MRUs Strings Time stamp Time line Execution of Check for neno Volume Shadow tempering analysis program second value copy System Backdoor Network Super time line Connection presence and compromise? forensics analysis analysis analysis Encryption Temp locations Page file analysis Various Memory analysis Rainbow tables LM Hash attack for decrypted attacks for key presence password attacks files
  • 26. Questions? Gmail : boonlia@gmail.com Facebook: http://www.facebook.com/home.php?#!/profile.ph p?id=1701055902 or search for my mail id boonliasecurity@gmail.com Twitter: http://twitter.com/boonlia