Windows Forensics
Shri

Few More Aspects of Forensics
Boonlia Prince Komal

Gmail: boonlia@gmail.com
Facebook: http://www.facebook.com/home.php?#!/profile.php?id=1701055902 or search for my mail id boonliasecurity@gmail.com
Twitter: http://twitter.com/boonlia
Recycle Bin Analysis
Location of Recycle Bin file/files

  Operating System      File System   Location
  Windows 95/98/ME      FAT32         C:\Recycled\INFO2
  Windows NT/2K/XP      NTFS          C:\Recycler\<USER SID>\INFO2
  Windows Vista/7       NTFS          C:\$Recycle.Bin\<USER SID>
Changes With Vista
[Figure: Recycle Bin layout compared for Windows XP/2K/NT/ME/98/95 and Windows Vista/7]
INFO2 File structure
INFO2 File structure Cont.
[Figures: layout of the INFO2 record]

Windows Vista / 7: $Rxxxxxxx.abc and $Ixxxxxxx.abc
  The $R file holds the deleted file's content; the $I file holds its metadata:
  - Deletion Time
  - File Name
  - File Size
The $I File Structure
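Added example (not from the slides): a parser for the Vista/7 $I file described above, assuming the version-1 layout of an 8-byte header, an 8-byte file size, an 8-byte FILETIME deletion time and a 520-byte UTF-16LE original path; the sample record is constructed.

```python
# Added example (not from the slides): parse a Vista/7 $I recycle-bin
# metadata file. Layout assumed (format version 1, 544 bytes):
#   offset 0  : 8-byte header/version (1), little-endian
#   offset 8  : 8-byte original file size, little-endian
#   offset 16 : 8-byte FILETIME deletion time (100 ns ticks since 1601-01-01 UTC)
#   offset 24 : original path, UTF-16LE, 260 WCHARs (520 bytes), NUL-terminated
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
DOLLAR_I_V1_SIZE = 8 + 8 + 8 + 520   # 544 bytes


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns units since 1601) -> timezone-aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


@dataclass
class DollarIRecord:
    version: int
    file_size: int
    deleted_at: datetime
    original_path: str


def parse_dollar_i(data: bytes) -> DollarIRecord:
    """Parse a version-1 $I file. Raises ValueError on malformed input."""
    if len(data) < DOLLAR_I_V1_SIZE:
        raise ValueError(f"$I file too short: {len(data)} bytes")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version != 1:
        raise ValueError(f"unsupported $I version {version}")
    raw_name = data[24:24 + 520]
    # Stop at the first UTF-16 NUL; the rest of the 520-byte field is padding.
    path = raw_name.decode("utf-16-le").split("\x00", 1)[0]
    return DollarIRecord(version, size, filetime_to_datetime(ft), path)


def recycle_name_pair(i_name: str) -> str:
    """$I<id>.<ext> -> the matching $R<id>.<ext> that holds the file content."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


# Constructed sample: a 12345-byte document deleted 2011-03-15 10:20:30 UTC.
SAMPLE_FILETIME = 129446580300000000
SAMPLE_PATH = r"C:\Users\alice\Documents\report.docx"
SAMPLE_DOLLAR_I = (
    struct.pack("<QQQ", 1, 12345, SAMPLE_FILETIME)
    + SAMPLE_PATH.encode("utf-16-le").ljust(520, b"\x00")
)

if __name__ == "__main__":
    rec = parse_dollar_i(SAMPLE_DOLLAR_I)
    print(f"{rec.original_path}  size={rec.file_size}  deleted={rec.deleted_at.isoformat()}")
    print("content lives in", recycle_name_pair("$IABC1234.docx"))
```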
Windows Prefetching
Basics of Prefetching
- Implemented with Windows XP
- Windows Memory Manager component
- SuperFetch and ReadyBoost with Windows Vista
- Boot vs. application prefetching
- Demo for functioning of Prefetching
Prefetch file in Windows XP
Prefetch File in Vista and Windows 7
Thumbnails
- Windows XP: 96 x 96 pixel thumbnails
- Windows Vista and 7: option to choose the thumbnail size anywhere on the slider
Storage in Windows XP (Thumbs.db)
- Cannot identify the user who used it
- Deleted with the deletion of the folder
- Only 96 x 96 pixel thumbnails
- Tool: Thumbs_Viewer.exe
- Demo: Manually recreating a thumbnail with a hex editor
Thumbnails in Vista and Windows 7
- Central location for all thumbnails:
    C:\Users\<USER>\AppData\Local\Microsoft\Windows\Explorer
- Cache files are named by maximum thumbnail pixel size, e.g. thumbnails of up to 32 x 32 pixels go in thumbcache_32.db
- Index file links the unique ID in the cache file to the Windows Search index:
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
- Thumbs.db is still generated when a folder is accessed over the network
Thumbnails in Vista and Windows 7
Entry in thumbnail cache file
Entries in Thumbcache_IDX, Thumbcache_32, Thumbcache_96, Thumbcache_256 files
[Figures: hex views of an entry in Thumbcache_IDX, Thumbcache_32, Thumbcache_96 and Thumbcache_256]
Rebuilding the Cache
1. Find the filename and path of the image file.
2. Find the ThumbnailCacheID for it in Windows.edb.
3. Find the corresponding data location in the cache files in Thumbcache_IDX.
4. Look up the data location in the ThumbCache_32, ThumbCache_96, ThumbCache_256 or ThumbCache_1024 file and match the ThumbnailCacheID.
5. Take the data block, identify the file type and reconstruct the thumbnail.
Windows Volume Shadow Copy
Ever wonder how System Restore works?
- The Volume Shadow Copy service monitors the system for changes
- Copies changed sectors in 16 KB blocks and keeps them in a file
- Copies are taken on: the automatic schedule, System Restore point creation, installation of a new package
- Can still carry data that was later deleted, wiped or encrypted
Exploring Shadow Copies
- Explore with vssadmin
- Mount with DOSDEV.exe
Let's share a shadow copy:
  net share shadow=\\.\HarddiskVolumeShadowCopy5\
Time Line Analysis
(Thanks to Rob Lee for his awesome research)
Basic time line (file system time line):

  FAT:  time stored as local time, counted since Jan 1, 1980
        Modified          - resolution 2 seconds
        Accessed          - resolution 1 day (time usually midnight)
        Created           - resolution 10 ms
        Metadata modified - not recorded
  NTFS: time stored as UTC, in 100-nanosecond units since Jan 1, 1601 (FILETIME)
        Modified          - FILETIME
        Accessed          - FILETIME
        Created           - FILETIME (date created, file birth)
        Metadata modified - FILETIME ($MFT record modified, metadata changed)

Disable last-access-time updates: set
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate to 1.
Why Timeline Analysis
- Extremely difficult for malware to handle all the timestamps
- Almost impossible for an attacker to hide the timeline evidence
- Spread across the system and across multiple timelines
- Helps in presenting the entire picture of everything that happened on the system
How Various Times Behave
[Screen taken from Rob Lee's presentation]
Let's use $FILE_NAME to avoid the Win32 API
Analyses: file timeline, MRU analysis, file download (Open/Save/Run), browser history, mail analysis, malware analysis, log analysis

Conducting an examination

  Question                    Artifacts to examine
  Program execution           Prefetch; Open/RunMRU; Run MRU; UserAssist
  File existence              Search MRU; thumbnail analysis; Recycle Bin analysis; browser artifacts; shadow copy
  USB keys                    USB serials; first and last time used; user who used it; path in MRU; volume name and drive letter
  File creation and change    Time line analysis; shadow copy; recent file MRUs; LNK file analysis; thumbnails for image and other files
  Was a registry key deleted? Registry slack; regedit execution; regedit prefetch; shadow file; security descriptor on the keys
  File deletion               Unallocated space; Recycle Bin analysis; Volume Shadow Copy; recent file list and LNK; various MRUs; strings
  Time stamp tampering        Time line analysis; execution of program; check for nanosecond value; Volume Shadow Copy
  System compromise?          Network forensics; super time line analysis; backdoor presence and analysis; connection analysis
  Encryption attacks          Memory analysis; rainbow tables; LM hash attack; page file analysis for key presence; temp locations for decrypted files; various password attacks
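Added example (not from the slides, and not Rob Lee's code): decoders for the FAT and NTFS timestamp encodings in the timeline table above, plus the "check for nanosecond value" test from the time-stamp-tampering row; the $MFT sample records are constructed, and the zero-fraction heuristic is a triage hint for the examiner, not proof.

```python
# Added example (not from the slides): decode the two on-disk timestamp
# encodings from the timeline table and apply the "check for nanosecond
# value" heuristic from the examination slide.
#
# FAT (directory entry, local time):
#   date word: bits 15-9 year-1980, 8-5 month, 4-0 day
#   time word: bits 15-11 hour, 10-5 minute, 4-0 seconds/2   (2 s resolution)
#   creation only: extra byte of 10 ms units (0..199)
# NTFS (FILETIME, UTC): 100 ns ticks since 1601-01-01.
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def decode_fat_timestamp(date_word: int, time_word: int, tenth_ms: int = 0) -> datetime:
    """Decode a FAT date/time pair (naive datetime: FAT stores local time)."""
    year = 1980 + ((date_word >> 9) & 0x7F)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = (time_word >> 11) & 0x1F
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    if not 0 <= tenth_ms <= 199:
        raise ValueError("FAT 10 ms field must be 0..199")
    base = datetime(year, month, day, hour, minute, second)
    return base + timedelta(milliseconds=10 * tenth_ms)


def decode_filetime(ft: int) -> datetime:
    """NTFS FILETIME -> UTC datetime (Python keeps microseconds, so the
    seventh fractional digit is dropped here; use filetime_fraction_ticks
    when the full 100 ns value matters)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def filetime_fraction_ticks(ft: int) -> int:
    """Sub-second part of a FILETIME in 100 ns ticks (0..9_999_999)."""
    return ft % TICKS_PER_SECOND


def looks_timestomped(ft: int) -> bool:
    """Heuristic: stamps written by NTFS itself carry a non-zero sub-second
    part; a stamp whose seven fractional digits are all zero usually came
    from a tool that set the time through a whole-second API."""
    return filetime_fraction_ticks(ft) == 0


def suspicious_mft_entries(entries):
    """entries: iterable of (name, FILETIME) from $STANDARD_INFORMATION.
    Returns the names whose timestamps trip the heuristic, for review."""
    return [name for name, ft in entries if looks_timestomped(ft)]


# Constructed sample records (not real evidence).
SAMPLE_FAT_DATE = (31 << 9) | (3 << 5) | 15      # 2011-03-15
SAMPLE_FAT_TIME = (10 << 11) | (20 << 5) | 15    # 10:20:30 (seconds/2 = 15)
SAMPLE_MFT = [
    ("report.docx", 129446580300000000 + 1234567),  # normal: fraction present
    ("update.exe", 129446580300000000),             # exactly .0000000 -> review
]

if __name__ == "__main__":
    print("FAT created :", decode_fat_timestamp(SAMPLE_FAT_DATE, SAMPLE_FAT_TIME, tenth_ms=47))
    for name, ft in SAMPLE_MFT:
        print(name, decode_filetime(ft).isoformat(), "fraction ticks:", filetime_fraction_ticks(ft))
    print("review:", suspicious_mft_entries(SAMPLE_MFT))
```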
Questions?

Windows Forensics

  • 1. Shri Few More Aspects of Forensics Boonlia Prince Komal Gmail : boonlia@gmail.com Facebook: http://www.facebook.com/home.php?#!/profile.ph p?id=1701055902 or search for my mail id boonliasecurity@gmail.com Twitter: http://twitter.com/boonlia
  • 2. Recycle Bin Analysis Location of Recycle Bin file/ Files Operating System File Location System Windows 95/98/ME FAT32 C:RecycledINFO2 Windows NT/2K/XP NTFS C:Recycler<USER SID>INFO2 Windows Vista/ 7 NTFS C:$Recycle.Bin<USER SID>
  • 3. Changes With Vista Windows XP/2K/NT/ME/ 98/95 Windows Vista/7
  • 6. $Rxxxxxxx.abc $Ixxxxxxx.abc Deletion Time File Name File Size Windows Vista / 7
  • 7. The $I File Structure
  • 9. Basics of Prefetching Implemented with Windows XP Windows Memory manager component Super fetch and ready boost with Windows vista Boot V/S Application Prefetching Demo for functioning of Prefetching
  • 10. Prefetch file in Windows XP
  • 11. Prefetch File in Vista and Windows 7
  • 12. Thumbnails: Windows XP uses 96 X 96 pixel thumbnails; Windows Vista and 7 give the option to choose the thumbnail size anywhere on the slider
  • 13. Storage in Windows XP (Thumbs.db)
        Cannot identify the user who used it
        Deleted with the deletion of the folder
        Only 96 X 96 pixel thumbnails
        Tool: Thumbs_Viewer.exe
        Demo: Manually recreating a thumbnail with a hex editor
  • 14. Thumbnails in Vista and Windows 7
        Central location for all thumbnails: C:\Users\<USER>\AppData\Local\Microsoft\Windows\Explorer
        Cache files based on maximum pixel thumbnail, e.g. 32 X 32 (max) pixel thumbnails in thumbcache_32.db
        Index file to link the unique ID in the cache file to the Windows Index: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
        Generation of Thumbs.db in case of access from the network
  • 15. Thumbnails in Vista and Windows 7: Entry in Thumbnail Cache file
  • 16. Entries in Thumbcache_IDX, Thumbcache_32, Thumbcache_96 and Thumbcache_256 files
  • 17. Rebuilding the Cache
        Find the filename and path of the image file
        Look up the ThumbnailCacheID for it in Windows.edb
        Find the corresponding data location in the cache files in Thumbcache_IDX
        Look up the data location in the ThumbCache_32 file and match the ThumbnailCacheID
        Look up the data location in the ThumbCache_96 file and match the ThumbnailCacheID
        Look up the data location in the ThumbCache_256 file and match the ThumbnailCacheID
        Look up the data location in the ThumbCache_1024 file and match the ThumbnailCacheID
        Take the data block, identify the file type and reconstruct the thumbnail
        Reconstruct Thumbnail
  • 18. Windows Volume Shadow Copy
        Ever wonder how System Restore works?
        Volume Shadow Copy services monitor the system and its changes
        Copies changed sectors in 16KB blocks and keeps them in a file
        Copies on: automatic scheduled time, System Restore point creation, installation of a new package
        Can carry data that has been deleted, wiped or encrypted later
  • 19. Exploring Shadow Copies
        Explore with VSSadmin
        Mount with DOSDEV.exe
        Let's share a shadow copy: net share shadow=\\.\HarddiskVolumeShadowCopy5\
  • 20. Time Line analysis (Thanks to Rob Lee for his awesome research)
        Basic Time line (File system time line):
        File System | Time stored as | Time counted from | Modified | Accessed | Created | Metadata Modified
        FAT  | Local time | Since Jan 1, 1980 | Modified in multiples of 2 seconds | Accessed in multiples of a day (time usually midnight) | Created in multiples of 10 ms | -
        NTFS | UTC | 100 nanoseconds since Jan 1, 1601 (FILETIME) | Modified (FILETIME) | Accessed (FILETIME) | Created / File Birth (FILETIME) | $MFT Date Modified (Metadata changed) (FILETIME)
        Disable Last Access time: set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate to 1.
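The $I record from slides 6 and 7 (deletion time, file name, file size) is written with the NTFS FILETIME convention this table describes, so one parser covers both. This is an added example, not code from the presentation; the byte layout of the Vista/7 $I record (8-byte version field of 1, 8-byte size, 8-byte FILETIME, 520-byte UTF-16LE path) is assumed from public format descriptions, and the sample record is constructed in the block.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout of a Windows Vista/7 $I<random>.<ext> record, assumed here from public
# format descriptions (the slides only name the three fields):
#   0x00  8 bytes    version, value 1 on Vista/7
#   0x08  8 bytes    original file size (little-endian)
#   0x10  8 bytes    deletion time as FILETIME (100 ns ticks since 1601-01-01 UTC)
#   0x18  520 bytes  original path, UTF-16LE, NUL padded (260 characters)
I_FILE_VERSION = 1
PATH_FIELD_BYTES = 520
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(filetime):
    """FILETIME -> timezone-aware UTC datetime (sub-microsecond ticks dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(dt):
    """UTC datetime -> FILETIME; used only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_i_file(data):
    """Return size, deletion time and original path from one $I record."""
    if len(data) < 24 + PATH_FIELD_BYTES:
        raise ValueError("truncated $I record: %d bytes" % len(data))
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version != I_FILE_VERSION:
        raise ValueError("unexpected $I version %d (Vista/7 writes 1)" % version)
    raw_path = data[24:24 + PATH_FIELD_BYTES]
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"size": size, "deleted_utc": filetime_to_datetime(filetime), "path": path}

def build_i_file(path, size, deleted_utc):
    """Construct a sample $I record (test data, not taken from a real system)."""
    encoded = path.encode("utf-16-le")
    if len(encoded) > PATH_FIELD_BYTES - 2:
        raise ValueError("path exceeds the 260-character $I field")
    header = struct.pack("<QQQ", I_FILE_VERSION, size, datetime_to_filetime(deleted_utc))
    return header + encoded.ljust(PATH_FIELD_BYTES, b"\x00")

# Constructed sample: the user, path, size and time are made up for the demo.
SAMPLE = build_i_file(r"C:\Users\alice\Documents\plan.docx", 12345,
                      datetime(2011, 3, 14, 9, 26, 53, tzinfo=timezone.utc))
```

On a real $Recycle.Bin the same call is `parse_i_file(open(path_to_I_file, "rb").read())`, and the returned path is what to pair with the matching $R file.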
  • 21. Why Timeline analysis
        Extremely difficult for malware to handle all times
        Almost impossible for an attacker to hide the timeline evidence
        Spread across the system and multiple timelines
        Helps in presenting the entire picture of all the happenings on the system
  • 23. Screen taken from Rob Lee's presentation
  • 24. Let's use $FILE_NAME to avoid the Win32 API
  • 25. Conducting an examination: artifact categories are File Timeline, MRU (Open/Save/Run), File Download, Browser History analysis, Mail analysis, Malware analysis and Log Analysis
        Program Execution: Prefetch, Open/Run MRU, Run MRU, User Assist
        File Existence: Thumbnail analysis, Recycle Bin analysis, Search MRU, Browser artifacts, Shadow Copy
        USB Keys: USB serials, first and last time used, user who used it, volume name and drive letter, path in MRU
        File Creation: Thumbnails for image and other files, Timeline and change analysis, Shadow copy, Recent file MRUs, Lnk file analysis
        Registry key deleted?: Was Regedit executed, Regedit Prefetch, Shadow file, Security descriptor on the keys, Registry slack
        File deletion: Unallocated space analysis, Recycle Bin, Volume Shadow copy, Recent file list and lnk, Various MRUs, Strings
        Time stamp tampering: Timeline analysis, Execution of program, Check for nanosecond value, Volume Shadow copy
        System compromise?: Backdoor presence and analysis, Network forensics, Super timeline analysis, Connection analysis
        Encryption presence and password attacks: Temp locations for decrypted files, Page file analysis, Various attacks for key, Memory analysis, Rainbow tables, LM Hash attack
  • 26. Questions? Gmail: boonlia@gmail.com Facebook: http://www.facebook.com/home.php?#!/profile.php?id=1701055902 or search for my mail id boonliasecurity@gmail.com Twitter: http://twitter.com/boonlia