Windows forensic artifacts
Slide 1: Windows Forensic Artifacts
Pardhasaradhi.ch a.k.a babloo, 09762310104, [email_address]
http://null.co.in/ http://nullcon.net/
Slide 2: Agenda
- Introduction
- Steps of forensics investigation
- Rules of forensics investigations
- Terminology
- Windows artifacts
- Browser artifacts
- Tools which can be used
- Evidence gathering without tools
Slide 3: Introduction to Forensics
- It is the application of computer investigation and analysis techniques to gather evidence.
- It is also called cyber forensics.
- The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence, to find out exactly what happened on a computer and who was responsible for it.
Slide 4: Steps of Forensics
Slide 5: Rules of Forensics investigation
- Never mishandle evidence
- Never trust the subject operating system
- Never work on original evidence
Slide 6: Terminology
- Cloning
  - Storing the contents of one disk on another disk
- Imaging
  - Storing the contents of a disk in an image file / on a disk
- Carving
  - The process of extracting data from a disk / image
- File slack
  - The space between the end of a file and the end of the disk cluster it is stored in
- Unallocated space
  - Free space which is available for writing data
- Steganography
  - A technique of hiding text in images
- Orphan
  - A file that was once associated with a program and still remains on the computer even after the program has been uninstalled
Slide 7: Windows Artifacts
- Thumbs.db
- Index.dat
- Hiberfil.sys
- System Volume Information
- Pagefile.sys
- Prefetch
- Sticky Notes
- NTUSER.dat and UsrClass.dat
- Event logs and audit logs
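As an added example (not part of the deck), the following PowerShell script inventories the artifacts listed on this slide from a mounted evidence volume, recording size, last-write time and SHA-256 for each so that the originals are only read, never modified. The mount point $EvidenceRoot and the per-user paths are assumptions about the image's layout, not values from the slides.

```powershell
<#
Added example, not part of the deck: inventory the artifacts listed on slide 7 from a
mounted evidence volume, recording size, last-write time and SHA-256 so the originals stay
untouched. $EvidenceRoot is an assumed mount point of the forensic image; the per-user
paths below are the usual locations and are assumptions about the image's layout.
#>
param([string]$EvidenceRoot = 'E:\')

$systemRoot = Join-Path $EvidenceRoot 'Windows'
$usersRoot  = Join-Path $EvidenceRoot 'Users'

# System-wide artifacts named on the slide
$targets = @(
    (Join-Path $EvidenceRoot 'hiberfil.sys'),
    (Join-Path $EvidenceRoot 'pagefile.sys'),
    (Join-Path $EvidenceRoot 'System Volume Information'),
    (Join-Path $systemRoot   'Prefetch'),
    (Join-Path $systemRoot   'System32\winevt\Logs')     # event and audit logs (.evtx, Vista and later)
)

# Per-user artifacts: registry hives, Sticky Notes, Index.dat and Thumbs.db caches
if (Test-Path -LiteralPath $usersRoot) {
    foreach ($profile in Get-ChildItem -LiteralPath $usersRoot -Directory -Force) {
        $targets += Join-Path $profile.FullName 'NTUSER.DAT'
        $targets += Join-Path $profile.FullName 'AppData\Local\Microsoft\Windows\UsrClass.dat'
        $targets += Join-Path $profile.FullName 'AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt'
        $targets += Join-Path $profile.FullName 'AppData\Local\Microsoft\Windows\History\History.IE5\index.dat'
        # Thumbs.db is created per folder, so search the whole profile for it
        foreach ($thumb in Get-ChildItem -LiteralPath $profile.FullName -Filter 'Thumbs.db' -File -Recurse -Force -ErrorAction SilentlyContinue) {
            $targets += $thumb.FullName
        }
    }
}

function Get-ArtifactRecord {
    param([string]$Path)
    # Locked files on a live system (hiberfil.sys, pagefile.sys, NTUSER.DAT) cannot be hashed;
    # record that fact instead of aborting the inventory
    $hash = try { (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction Stop).Hash } catch { 'LOCKED-OR-UNREADABLE' }
    $item = Get-Item -LiteralPath $Path -Force
    [pscustomobject]@{ Path = $Path; Present = $true; Bytes = $item.Length; ModifiedUtc = $item.LastWriteTimeUtc; Sha256 = $hash }
}

$inventory = foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Path = $path; Present = $false; Bytes = $null; ModifiedUtc = $null; Sha256 = $null }
        continue
    }
    if ((Get-Item -LiteralPath $path -Force).PSIsContainer) {
        # Directories (Prefetch, event logs, System Volume Information): one record per file inside
        Get-ChildItem -LiteralPath $path -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ArtifactRecord -Path $_.FullName }
    } else {
        Get-ArtifactRecord -Path $path
    }
}

$inventory | Export-Csv -LiteralPath (Join-Path $env:TEMP 'artifact-inventory.csv') -NoTypeInformation
$inventory | Format-Table -AutoSize
```

Run it against a read-only mounted image rather than the live subject machine; on a live system the hibernation file, page file and the hives of logged-on users are locked, and the CSV will show them as LOCKED-OR-UNREADABLE, which is itself worth recording in the case notes.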
Slide 8: Browser artifacts in Windows
- Default auto-bookmarks location for Firefox: C:\Users\...\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>.default
- Default location of saved passwords:
  - C:\Users\...\AppData\Roaming\Mozilla\Firefox\Profiles\l6jq0hlt.default\key3.db
  - C:\Users\...\AppData\Roaming\Mozilla\Firefox\Profiles\l6jq0hlt.default\signons.sqlite
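The profile folder name in the slide's path ("l6jq0hlt") is random per installation, so it cannot be hard-coded. As an added example (not from the deck), this PowerShell script resolves every profile folder by parsing profiles.ini, which Firefox keeps in the Mozilla\Firefox folder, and then reports whether the credential and bookmark artifacts named on the slide are present. $UsersRoot is an assumed mount point; key4.db and logins.json are the files that replaced key3.db and signons.sqlite in later Firefox versions and are included as a caveat so that newer images are not mis-reported as having no credential store.

```powershell
<#
Added example, not part of the deck: find Firefox profile folders via profiles.ini instead of
guessing the random "xxxxxxxx.default" name, then report the artifacts named on slide 8.
$UsersRoot is an assumed mount point of the evidence volume.
#>
param([string]$UsersRoot = 'E:\Users')

# key3.db / signons.sqlite are the files on the slide; key4.db / logins.json replaced them in later versions;
# bookmarkbackups is the automatic bookmark backup folder
$artifactNames = @('key3.db', 'signons.sqlite', 'key4.db', 'logins.json', 'bookmarkbackups')

function Get-FirefoxProfilePath {
    param([string]$FirefoxRoot)   # ...\AppData\Roaming\Mozilla\Firefox
    $ini = Join-Path $FirefoxRoot 'profiles.ini'
    if (-not (Test-Path -LiteralPath $ini)) { return }
    $section = ''; $path = ''; $relative = $true
    # A sentinel section header at the end flushes the last [ProfileN] block
    foreach ($line in @(Get-Content -LiteralPath $ini) + '[end]') {
        if ($line -match '^\[(.+)\]\s*$') {
            if ($section -like 'Profile*' -and $path) {
                # IsRelative=1 means Path is relative to the Firefox folder and written with forward slashes
                if ($relative) { Join-Path $FirefoxRoot ($path -replace '/', '\') } else { $path }
            }
            $section = $Matches[1]; $path = ''; $relative = $true
        }
        elseif ($line -match '^Path=(.+?)\s*$')       { $path = $Matches[1] }
        elseif ($line -match '^IsRelative=(\d)\s*$')  { $relative = ($Matches[1] -eq '1') }
    }
}

$report = foreach ($user in Get-ChildItem -LiteralPath $UsersRoot -Directory -Force) {
    $firefoxRoot = Join-Path $user.FullName 'AppData\Roaming\Mozilla\Firefox'
    foreach ($profileDir in Get-FirefoxProfilePath -FirefoxRoot $firefoxRoot) {
        foreach ($name in $artifactNames) {
            $item = Get-Item -LiteralPath (Join-Path $profileDir $name) -Force -ErrorAction SilentlyContinue
            [pscustomobject]@{
                User        = $user.Name
                Profile     = Split-Path $profileDir -Leaf
                Artifact    = $name
                Present     = [bool]$item
                ModifiedUtc = $item.LastWriteTimeUtc   # $null when the artifact is absent
            }
        }
    }
}

$report | Sort-Object User, Profile, Artifact | Format-Table -AutoSize
```

The script only records presence and timestamps; the credential files themselves are preserved as-is for examination with the investigator's tooling, and the last-write time of signons.sqlite or logins.json is a useful data point for establishing when the profile was last used.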
Slide 9: Using a dump file
- We can get user details and system activity
- Almost everything can be recovered from it using third-party tools
Slide 10: Tools that can be used
- FTK
- EnCase
- DFF
- ADDONS
- Paraben
- Stegosuite
- Volatility
- TZWorks sbag
Slide 11: Without tools, how can we extract the data?
- USB devices: HKLM\System\ControlSet00x\Enum\USBSTOR
  - What information can be found: Vendor ID, Product ID, Revision, Device ID / Serial Number
- Mounted devices: HKLM\System\MountedDevices
  - What information can be found: this key lists each drive that has been connected to the system
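As an added example (not part of the deck), this PowerShell script reads the two keys named on this slide from an offline copy of the subject's SYSTEM hive rather than from the running subject machine, which is what the "never trust the subject operating system" rule on slide 5 calls for. It resolves which ControlSet00x was active from Select\Current, splits the USBSTOR key names into vendor, product and revision, and decodes the MountedDevices values. $HivePath is an assumed location of the extracted hive, and the script has to run from an elevated prompt because reg.exe load requires it.

```powershell
<#
Added example, not part of the deck: read USBSTOR and MountedDevices (slide 11) from an offline
copy of the subject's SYSTEM hive. $HivePath is an assumed location of the extracted hive;
reg.exe load needs an elevated prompt.
#>
param([string]$HivePath = 'E:\evidence\SYSTEM')

$mountName = 'HKLM\EvidenceSYSTEM'
& reg.exe load $mountName $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed for $HivePath (not elevated, or hive in use?)" }

try {
    $base = 'HKLM:\EvidenceSYSTEM'
    # Select\Current records which ControlSet00x the subject machine last booted with
    $current    = (Get-ItemProperty -LiteralPath "$base\Select" -Name Current).Current
    $controlSet = '{0}\ControlSet{1:D3}' -f $base, $current

    # USBSTOR: key name is Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>; each subkey is a serial / instance id
    $usbDevices = foreach ($dev in Get-ChildItem -LiteralPath "$controlSet\Enum\USBSTOR" -ErrorAction SilentlyContinue) {
        $fields = @{}
        foreach ($part in ($dev.PSChildName -split '&')) {
            $kv = $part -split '_', 2
            if ($kv.Count -eq 2) { $fields[$kv[0]] = $kv[1] }
        }
        foreach ($instance in Get-ChildItem -LiteralPath $dev.PSPath) {
            $props = Get-ItemProperty -LiteralPath $instance.PSPath
            [pscustomobject]@{
                Vendor            = $fields['Ven']
                Product           = $fields['Prod']
                Revision          = $fields['Rev']
                Serial            = $instance.PSChildName
                # An '&' as the second character means Windows generated the id because the device reported no serial
                SerialIsGenerated = ($instance.PSChildName.Length -gt 1 -and $instance.PSChildName[1] -eq '&')
                FriendlyName      = $props.FriendlyName
            }
        }
    }

    # MountedDevices: \DosDevices\<letter>: and \??\Volume{GUID} values. USB volumes hold a UTF-16LE device
    # path containing the USBSTOR instance id; fixed disks hold a 12-byte MBR signature + partition offset
    $md = Get-ItemProperty -LiteralPath "$base\MountedDevices"
    $mounted = foreach ($prop in $md.PSObject.Properties) {
        if ($prop.Name -notmatch '^\\(\?\?\\Volume\{|DosDevices\\)') { continue }
        $bytes = [byte[]]$prop.Value
        $data = if ($bytes.Length -gt 12) {
            [System.Text.Encoding]::Unicode.GetString($bytes)
        } else {
            ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
        }
        [pscustomobject]@{ Name = $prop.Name; Data = $data }
    }

    $usbDevices | Format-Table -AutoSize
    $mounted    | Format-Table -AutoSize -Wrap
}
finally {
    # Release handles into the hive so the unload succeeds
    $md = $null; $props = $null
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload $mountName | Out-Null
}
```

Matching the Serial column of the USBSTOR table against the Data column of the MountedDevices table links a specific device to the drive letter it was mounted under; the same script runs unchanged against the live system if $base is pointed at HKLM:\SYSTEM and the reg.exe load/unload lines are dropped, but that is triage, not evidence.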
Slide 12: Built-in sources
- Task Manager
- Event logs
- Network and performance monitor
- Task Scheduler
- Windows Update history
- System files
- MAC table
- Commands in CLI / PowerShell
- Computer Management
- Regedit
- Msconfig
- Prefetch
Slide 13: Thank You
Pardhasaradhi.ch, 09762310104, www.pardhasaradhi.info, [email_address]