SlideShare a Scribd company logo

Windows forensic

Download as PPTX, PDF
MD SAQUIB KHAN
MD SAQUIB KHAN

Windows forensic, Registry Forensic, Recycle Bin Forensic, Prefetch file, Hiberfil.sys, Paging file, thumbs.db, Info2, SID, $R-file, $I-file

Education
1 of 34
Windows Forensic MD Saquib Nasir Khan (JONK) DEA- Data64 www.malc0de.org
CONTENTS • Recycle Bin Forensics • Analyzing Prefetch File • Analyzing Hiberfil.sys File • Analyzing Paging File • Analyzing thumbs.db file • Registry Analysis www.malc0de.org
Introduction • Using forensics techniques and tools to gather digital evidence from a device or pc running on Microsoft Windows. • Different versions of Windows OS, Win XP, 7, Vista, 8, 8.1, 10 • With every version new features of forensic importance has been discovered. • Some Areas include: Windows Registry, Live Acquisition, System files, Cache, Prefetch, ADS etc. www.malc0de.org
Recycle Bin Forensics • RECYCLER folder for Windows XP • $Recycle.Bin folder for Windows 7 or Windows Vista,(C:) • “$RECYCLE.BIN” Other Drive • The subfolder is named with the user’s SID and contains its own INFO file, making it possible to determine which user account was used to delete a file www.malc0de.org
When a file is deleted, it results in three steps: – 1) the deletion of the file’s folder entry in the folder in which the file resided – 2) the creation of a new folder entry for the file in the Recycle Bin – 3) the addition of information about the file in a hidden system file named INFO (or INFO2 depending on windows systems) in the Recycle Bin www.malc0de.org
Every file sent to the recycle bin is renamed in the following format D[ orginal drive letter of file][index no][original extension] E.g. hw1.txt residing in C:My Documents was sent to empty recycle bin » Its new name is DC0.txt www.malc0de.org
SID • According to the Microsoft Developer Network (2009), the SID is an alpha-numeric string that is used by Windows to uniquely identify an object - like a user or a group • “S” means the string is a Security Identifie • “1” refers to the Revision Level. (This value has always been 1) • “5” is the identifier for the Authority Level or “IdentifierAuthority” • “500” at the end of the string, is the Domain or Local Computer Identifier • The “500” at the end is known as the Relative ID, and in this case, “500” means the user is a system administrator www.malc0de.org
Forensic Importance of SID • HKEY_LOCAL_MACHINE SOFTWAREMicrosoftWindows NT www.malc0de.org
SID • If there are three users and four drives, • there will be four folders named $Recycle.Bin (one on each drive) • And within each of these $Recycle.Bin folders will be three sub-folders with names that correspond to the SID of each of the three users www.malc0de.org
METADATA ANALYSIS • Inside recycle bin folder there are two sub folder – DC1.txt and INFO2 – DC1.txt contain the original file – Info2 Contain Metadata – There is only one INFO2 file for each user‟s Recycle Bin, where all of the metadata for all of the files/folders that are found in that Recycle Bin is stored. www.malc0de.org
EXTRA “TRASH” IN THE BIN • desktop.ini (file is a hidden Windows system file that provides information to Windows Explorer about how to display the contents of a folder. ) • directory named “.” (dot) • “..” (dot-dot) directory www.malc0de.org
$R-file and $I-file • If a file that is deleted was originally in a folder that no longer exists, How it will restore? • When a folder is sent to the Recycle Bin, it too has the “deleted” and “created” time-stamp, but when it is restored, it only retains the “created” time-stamp, and never gains the “modified” or “accessed” time-stamp, unlike what happens with a file. • If the restored file is deleted again, a new $I-file and $R-file are generated. • There will be an $Ifile and $R-file for the folder and there will also be a $I-file and $R-file for each file that was in the deleted folder www.malc0de.org
SHADOW COPIES • Volume Shadow Copy Service www.malc0de.org
PREFETCH FILES SuperFetch • The Prefetching process tries to speed the boot process and application startup • The Prefetching process monitors the first 10 seconds of application startup www.malc0de.org
Forensic • Identify whether the system has been enabled the Prefetching process • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetCo ntrolSessionManagerMemoryManagementPrefetc hParameters • “0” means “disabled • “1” means “application launch Prefetching enabled • “2” means “boot Prefetching enabled” • “3” means “application launch and boot enabled (default www.malc0de.org
www.malc0de.org
www.malc0de.org
Hibernate is a feature of many computer operating systems where the contents of RAM are written to non-volatile storage such as a hard disk, as a file or on a separate partition, before powering off the computer. The computer uses the Hiberfil.sys file to store a copy of the system memory on the hard disk when the hybrid sleep setting is turned on. The Hiberfil.sys hidden system file is located in the root folder of the drive where the operating system is installed and Windows Kernel Power Manager reserves this file when you install Microsoft Windows. The size of this file is approximately equal to the amount of random access memory (RAM) that is installed on the computer. ANALYZING HIBERFIL.SYS FILES www.malc0de.org
A page file is a hidden file or files on the hard disk that the operating system uses to hold parts of programs and data files that do not fit in memory. Virtual memory comprises the paging file and physical memory or random access memory (RAM). Windows moves data from the paging file to memory as needed, and it moves data from memory to the paging file to make room for new data. By default, Windows stores the paging file on the boot partition (the partition that contains the operating system and its support files). The default paging file size is equal to 1.5 times the total RAM. ANALYZING PAGING FILES www.malc0de.org
The computer can be configured to clear the paging file at shutdown. For this the data value of the ClearPageFileAtShutdown value in the following registry key must be set to a value of 1: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerMemory Management ANALYZING PAGING FILES www.malc0de.org
Thumbs.db is a hidden file used by Windows to store thumbnail images of the files in a folder. It is then used to display thumbnails when a folder is in Thumbnails view. Deleting images from a folder does not remove the thumbnail from the thumbs.db database cache. This makes the thumbs.db file useful from a forensic point of view. FTex is useful utility for thumbs.db analysis. ANALYZING THUMBS.DB FILES www.malc0de.org
Registry Hive • The five most hierarchal folders are called hives and begin with .HKEY (an abbreviation for Handle to a Key). • Although five hives can be seen, only two of these are actually real, HKEY_USERS (HKU) and HKEY_LOCAL_MACHINE (HKLM). • The other three are shortcuts or aliases to branches within one of the two hives. www.malc0de.org
REGISTRY ANALYSIS www.malc0de.org
The structure of the Registry www.malc0de.org
HIVE KEY: HKEY_LOCAL_MACHINE (HKLM) It is the first master key.Contains all of the configuration setting of a computer. When a computer startups, the local machine settings will boot before the individual user settings.The HKEY_LOCAL_MACHINE key has the following subkeys: HARDWARE SAM SECURITY SOFTWARE SYSTEM REGISTRY ANALYSIS www.malc0de.org
Registry keys of forensic value MRU Most-recently-used key maintains a list of recently opened files(e.g. .txt, .pdf, .htm, .jpg) or saved files from within a web browser (including IE and Firefox). OpenSaveMRU contain far more entries related to previously opened or saved files (including the 10 most recent ones). HKCUSoftwareMicro softWindowsCurrent VersionExplorerCom Dlg32 OpenSaveMRU www.malc0de.org
HKLMSYSTEMCurrentControlSet EnumUSBSTOR This key contains addition information about list of mounted USB storage devices, including external memory cards. Mounted USB Storage Devices REGISTRY ANALYSIS www.malc0de.org
Device ID • The device ID for a specific device identified. • It should be noted that not all USB thumb drives will have a serial number. www.malc0de.org
REGISTRY ANALYSIS ShutDownTime HKLMSystemControlSet001ControlWindows www.malc0de.org
Autostart locations • Used by a great many pieces of malware to remain persistent on the victim system. • Example: HKEY_CURRENT_USERSoftwareMicros- oftWindowsCurrentVersionRun www.malc0de.org
Wireless SSIDs • SSIDs (service set identifiers) • This shows you which wireless networks you’ve connected to, and if you travel and make use of the ubiquitous wireless hotspots, you’ll see quite a few entries there. www.malc0de.org
Registry: A Wealth of Information Information that can be recovered include: – System Configuration – Devices on the System – User Names – Personal Settings and Browser Preferences – Web Browsing Activity – Files Opened – Programs Executed – Passwords www.malc0de.org
www.malc0de.org
Registry Organization • Root Keys – HKEY_CLASSES_ROOT (HKCR) • Contains information in order that the correct program opens when executing a file with Windows Explorer. – HKEY_CURRENT_USER (HKCU) • Contains the profile (settings, etc) about the user that is logged in. – HKEY_LOCAL_MACHINE (HKLM) • Contains system-wide hardware settings and configuration information. – HKEY_USERS (HKU) • Contains the root of all user profiles that exist on the system. – HKEY_CURRENT_CONFIG (HKCC) • Contains information about the hardware profile used by the computer during start up. • Sub Keys – These are essentially sub directories that exist under the Root Keys. www.malc0de.org

Recommended

Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensics
Taha İslam YILMAZ
 
Registry forensics
Registry forensicsRegistry forensics
Registry forensics
Prince Boonlia
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
Santosh Khadsare
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
ArunJS5
 
Windows Registry Analysis
Windows Registry AnalysisWindows Registry Analysis
Windows Registry Analysis
Himanshu0734
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
primeteacher32
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
Santosh Khadsare
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
n|u - The Open Security Community
 

Recommended

Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensics
Taha İslam YILMAZ
 
Registry forensics
Registry forensicsRegistry forensics
Registry forensics
Prince Boonlia
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
Santosh Khadsare
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
ArunJS5
 
Windows Registry Analysis
Windows Registry AnalysisWindows Registry Analysis
Windows Registry Analysis
Himanshu0734
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
primeteacher32
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
Santosh Khadsare
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
n|u - The Open Security Community
 
Module 02 ftk imager
Module 02 ftk imagerModule 02 ftk imager
Module 02 ftk imager
ParminderKaurBScHons
 
Forensic Investigation of Android Operating System
Forensic Investigation of Android Operating SystemForensic Investigation of Android Operating System
Forensic Investigation of Android Operating System
nishant24894
 
LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation
Damir Delija
 
Computer Forensics & Windows Registry
Computer Forensics & Windows RegistryComputer Forensics & Windows Registry
Computer Forensics & Windows Registry
somutripathi
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
n|u - The Open Security Community
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
primeteacher32
 
Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...
Sagar Rahurkar
 
Introduction to forensic imaging
Introduction to forensic imagingIntroduction to forensic imaging
Introduction to forensic imaging
Marco Alamanni
 
Registry Forensics
Registry ForensicsRegistry Forensics
Registry Forensics
Somesh Sawhney
 
Anti forensic
Anti forensicAnti forensic
Anti forensic
Milap Oza
 
Lecture4 Windows System Artifacts.pptx
Lecture4 Windows System Artifacts.pptxLecture4 Windows System Artifacts.pptx
Lecture4 Windows System Artifacts.pptx
GaganvirKaur
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
Online
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary Artefacts
Brent Muir
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber Forensics
Kathirvel Ayyaswamy
 
L6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptxL6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptx
Bhupeshkumar Nanhe
 
Anti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsAnti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifacts
gaurang17
 
pda forensics
pda forensicspda forensics
pda forensics
saddamhusain hadimani
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
Mithileysh Sathiyanarayanan
 
Computer Forensics Working with Windows and DOS Systems
Computer Forensics Working with Windows and DOS SystemsComputer Forensics Working with Windows and DOS Systems
Computer Forensics Working with Windows and DOS Systems
Jyothishmathi Institute of Technology and Science Karimnagar
 
Malware forensic
Malware forensicMalware forensic
Malware forensic
SumeraHangi
 
Active Directory Domain Services Installation & Configuration - Windows Ser...
Active Directory Domain Services Installation & Configuration - Windows Ser...Active Directory Domain Services Installation & Configuration - Windows Ser...
Active Directory Domain Services Installation & Configuration - Windows Ser...
Adel Alghamdi
 
Install Windows Server 2012 Step-by-Step
Install Windows Server 2012 Step-by-StepInstall Windows Server 2012 Step-by-Step
Install Windows Server 2012 Step-by-Step
Mehdi Poustchi Amin
 

More Related Content

What's hot

Computer Forensics & Windows Registry
Computer Forensics & Windows RegistryComputer Forensics & Windows Registry
Computer Forensics & Windows Registry
somutripathi
 
Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...
Sagar Rahurkar
 
Anti forensic
Anti forensicAnti forensic
Anti forensic
Milap Oza
 

What's hot (20)

Module 02 ftk imager
Module 02 ftk imagerModule 02 ftk imager
Module 02 ftk imager
 
Forensic Investigation of Android Operating System
Forensic Investigation of Android Operating SystemForensic Investigation of Android Operating System
Forensic Investigation of Android Operating System
 
LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation
 
Computer Forensics & Windows Registry
Computer Forensics & Windows RegistryComputer Forensics & Windows Registry
Computer Forensics & Windows Registry
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
 
Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...
 
Introduction to forensic imaging
Introduction to forensic imagingIntroduction to forensic imaging
Introduction to forensic imaging
 
Registry Forensics
Registry ForensicsRegistry Forensics
Registry Forensics
 
Anti forensic
Anti forensicAnti forensic
Anti forensic
 
Lecture4 Windows System Artifacts.pptx
Lecture4 Windows System Artifacts.pptxLecture4 Windows System Artifacts.pptx
Lecture4 Windows System Artifacts.pptx
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary Artefacts
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber Forensics
 
L6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptxL6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptx
 
Anti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsAnti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifacts
 
pda forensics
pda forensicspda forensics
pda forensics
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Computer Forensics Working with Windows and DOS Systems
Computer Forensics Working with Windows and DOS SystemsComputer Forensics Working with Windows and DOS Systems
Computer Forensics Working with Windows and DOS Systems
 
Malware forensic
Malware forensicMalware forensic
Malware forensic
 

Viewers also liked

Windows 2008 basics
Windows 2008 basicsWindows 2008 basics
Windows 2008 basics
anilinvns
 
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
Security Bootcamp
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic Analysis
Takahiro Haruyama
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
Conferencias FIST
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCase
Takahiro Haruyama
 

Viewers also liked (20)

Active Directory Domain Services Installation & Configuration - Windows Ser...
Active Directory Domain Services Installation & Configuration - Windows Ser...Active Directory Domain Services Installation & Configuration - Windows Ser...
Active Directory Domain Services Installation & Configuration - Windows Ser...
 
Install Windows Server 2012 Step-by-Step
Install Windows Server 2012 Step-by-StepInstall Windows Server 2012 Step-by-Step
Install Windows Server 2012 Step-by-Step
 
Install Windows Server 2008 Step-by-Step
Install Windows Server 2008 Step-by-StepInstall Windows Server 2008 Step-by-Step
Install Windows Server 2008 Step-by-Step
 
Windows 2008 basics
Windows 2008 basicsWindows 2008 basics
Windows 2008 basics
 
Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0
 
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory Forensics
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic Analysis
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCase
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis TechniquesAdvanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of MalwaresAdvanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
 
HITCON GIRLS: Android 滲透測試介紹 (Elven Liu)
HITCON GIRLS: Android 滲透測試介紹 (Elven Liu)HITCON GIRLS: Android 滲透測試介紹 (Elven Liu)
HITCON GIRLS: Android 滲透測試介紹 (Elven Liu)
 
HITCON CTF 2016導覽
HITCON CTF 2016導覽HITCON CTF 2016導覽
HITCON CTF 2016導覽
 
HITCON GIRLS Malware Analysis
HITCON GIRLS Malware AnalysisHITCON GIRLS Malware Analysis
HITCON GIRLS Malware Analysis
 
CTF 經驗分享
CTF 經驗分享CTF 經驗分享
CTF 經驗分享
 

Similar to Windows forensic

Vista Forensics
Vista ForensicsVista Forensics
Vista Forensics
CTIN
 
Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"
Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"
Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"
EPAM Systems
 
Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3
CTIN
 
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
ClubHack
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101
fangjiafu
 
Concepts of Malicious Windows Programs
Concepts of Malicious Windows ProgramsConcepts of Malicious Windows Programs
Concepts of Malicious Windows Programs
Natraj G
 
Linux fundamentals
Linux fundamentalsLinux fundamentals
Linux fundamentals
Raghu nath
 

Similar to Windows forensic (20)

Vista Forensics
Vista ForensicsVista Forensics
Vista Forensics
 
Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"
Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"
Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility Framework
 
Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3
 
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101
 
Mem forensic
Mem forensicMem forensic
Mem forensic
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
 
WindowsRegistry.ppt
WindowsRegistry.pptWindowsRegistry.ppt
WindowsRegistry.ppt
 
Concepts of Malicious Windows Programs
Concepts of Malicious Windows ProgramsConcepts of Malicious Windows Programs
Concepts of Malicious Windows Programs
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
Trace File Database admanistartion and manegment
Trace File Database admanistartion and manegmentTrace File Database admanistartion and manegment
Trace File Database admanistartion and manegment
 
Data hiding and finding on Linux
Data hiding and finding on LinuxData hiding and finding on Linux
Data hiding and finding on Linux
 
CNIT 152: 12b Windows Registry
CNIT 152: 12b Windows RegistryCNIT 152: 12b Windows Registry
CNIT 152: 12b Windows Registry
 
Linux fundamentals
Linux fundamentalsLinux fundamentals
Linux fundamentals
 
Writing Character driver (loadable module) in linux
Writing Character driver (loadable module) in linuxWriting Character driver (loadable module) in linux
Writing Character driver (loadable module) in linux
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
 
Poking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And ProfitPoking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And Profit
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012
 
Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driver
 

Recently uploaded

Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
KarakKing
 

Recently uploaded (20)

How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxCOMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Plant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptxPlant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptx
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 

Windows forensic

  • 1. Windows Forensic MD Saquib Nasir Khan (JONK) DEA- Data64 www.malc0de.org
  • 2. CONTENTS • Recycle Bin Forensics • Analyzing Prefetch File • Analyzing Hiberfil.sys File • Analyzing Paging File • Analyzing thumbs.db file • Registry Analysis www.malc0de.org
  • 3. Introduction • Using forensics techniques and tools to gather digital evidence from a device or pc running on Microsoft Windows. • Different versions of Windows OS, Win XP, 7, Vista, 8, 8.1, 10 • With every version new features of forensic importance has been discovered. • Some Areas include: Windows Registry, Live Acquisition, System files, Cache, Prefetch, ADS etc. www.malc0de.org
  • 4. Recycle Bin Forensics • RECYCLER folder for Windows XP • $Recycle.Bin folder for Windows 7 or Windows Vista,(C:) • “$RECYCLE.BIN” Other Drive • The subfolder is named with the user’s SID and contains its own INFO file, making it possible to determine which user account was used to delete a file www.malc0de.org
  • 5. When a file is deleted, it results in three steps: – 1) the deletion of the file’s folder entry in the folder in which the file resided – 2) the creation of a new folder entry for the file in the Recycle Bin – 3) the addition of information about the file in a hidden system file named INFO (or INFO2 depending on windows systems) in the Recycle Bin www.malc0de.org
  • 6. Every file sent to the recycle bin is renamed in the following format D[ orginal drive letter of file][index no][original extension] E.g. hw1.txt residing in C:My Documents was sent to empty recycle bin » Its new name is DC0.txt www.malc0de.org
  • 7. SID • According to the Microsoft Developer Network (2009), the SID is an alpha-numeric string that is used by Windows to uniquely identify an object - like a user or a group • “S” means the string is a Security Identifie • “1” refers to the Revision Level. (This value has always been 1) • “5” is the identifier for the Authority Level or “IdentifierAuthority” • “500” at the end of the string, is the Domain or Local Computer Identifier • The “500” at the end is known as the Relative ID, and in this case, “500” means the user is a system administrator www.malc0de.org
  • 8. Forensic Importance of SID • HKEY_LOCAL_MACHINE SOFTWAREMicrosoftWindows NT www.malc0de.org
  • 9. SID • If there are three users and four drives, • there will be four folders named $Recycle.Bin (one on each drive) • And within each of these $Recycle.Bin folders will be three sub-folders with names that correspond to the SID of each of the three users www.malc0de.org
  • 10. METADATA ANALYSIS • Inside recycle bin folder there are two sub folder – DC1.txt and INFO2 – DC1.txt contain the original file – Info2 Contain Metadata – There is only one INFO2 file for each user‟s Recycle Bin, where all of the metadata for all of the files/folders that are found in that Recycle Bin is stored. www.malc0de.org
  • 11. EXTRA “TRASH” IN THE BIN • desktop.ini (file is a hidden Windows system file that provides information to Windows Explorer about how to display the contents of a folder. ) • directory named “.” (dot) • “..” (dot-dot) directory www.malc0de.org
  • 12. $R-file and $I-file • If a file that is deleted was originally in a folder that no longer exists, How it will restore? • When a folder is sent to the Recycle Bin, it too has the “deleted” and “created” time-stamp, but when it is restored, it only retains the “created” time-stamp, and never gains the “modified” or “accessed” time-stamp, unlike what happens with a file. • If the restored file is deleted again, a new $I-file and $R-file are generated. • There will be an $Ifile and $R-file for the folder and there will also be a $I-file and $R-file for each file that was in the deleted folder www.malc0de.org
  • 13. SHADOW COPIES • Volume Shadow Copy Service www.malc0de.org
  • 14. PREFETCH FILES SuperFetch • The Prefetching process tries to speed the boot process and application startup • The Prefetching process monitors the first 10 seconds of application startup www.malc0de.org
  • 15. Forensic • Identify whether the system has been enabled the Prefetching process • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetCo ntrolSessionManagerMemoryManagementPrefetc hParameters • “0” means “disabled • “1” means “application launch Prefetching enabled • “2” means “boot Prefetching enabled” • “3” means “application launch and boot enabled (default www.malc0de.org
  • 18. Hibernate is a feature of many computer operating systems where the contents of RAM are written to non-volatile storage such as a hard disk, as a file or on a separate partition, before powering off the computer. The computer uses the Hiberfil.sys file to store a copy of the system memory on the hard disk when the hybrid sleep setting is turned on. The Hiberfil.sys hidden system file is located in the root folder of the drive where the operating system is installed and Windows Kernel Power Manager reserves this file when you install Microsoft Windows. The size of this file is approximately equal to the amount of random access memory (RAM) that is installed on the computer. ANALYZING HIBERFIL.SYS FILES www.malc0de.org
  • 19. A page file is a hidden file or files on the hard disk that the operating system uses to hold parts of programs and data files that do not fit in memory. Virtual memory comprises the paging file and physical memory or random access memory (RAM). Windows moves data from the paging file to memory as needed, and it moves data from memory to the paging file to make room for new data. By default, Windows stores the paging file on the boot partition (the partition that contains the operating system and its support files). The default paging file size is equal to 1.5 times the total RAM. ANALYZING PAGING FILES www.malc0de.org
  • 20. The computer can be configured to clear the paging file at shutdown. For this the data value of the ClearPageFileAtShutdown value in the following registry key must be set to a value of 1: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerMemory Management ANALYZING PAGING FILES www.malc0de.org
  • 21. Thumbs.db is a hidden file used by Windows to store thumbnail images of the files in a folder. It is then used to display thumbnails when a folder is in Thumbnails view. Deleting images from a folder does not remove the thumbnail from the thumbs.db database cache. This makes the thumbs.db file useful from a forensic point of view. FTex is useful utility for thumbs.db analysis. ANALYZING THUMBS.DB FILES www.malc0de.org
  • 22. Registry Hive • The five most hierarchal folders are called hives and begin with .HKEY (an abbreviation for Handle to a Key). • Although five hives can be seen, only two of these are actually real, HKEY_USERS (HKU) and HKEY_LOCAL_MACHINE (HKLM). • The other three are shortcuts or aliases to branches within one of the two hives. www.malc0de.org
  • 24. The structure of the Registry www.malc0de.org
  • 25. HIVE KEY: HKEY_LOCAL_MACHINE (HKLM) It is the first master key.Contains all of the configuration setting of a computer. When a computer startups, the local machine settings will boot before the individual user settings.The HKEY_LOCAL_MACHINE key has the following subkeys: HARDWARE SAM SECURITY SOFTWARE SYSTEM REGISTRY ANALYSIS www.malc0de.org
  • 26. Registry keys of forensic value MRU Most-recently-used key maintains a list of recently opened files(e.g. .txt, .pdf, .htm, .jpg) or saved files from within a web browser (including IE and Firefox). OpenSaveMRU contain far more entries related to previously opened or saved files (including the 10 most recent ones). HKCUSoftwareMicro softWindowsCurrent VersionExplorerCom Dlg32 OpenSaveMRU www.malc0de.org
  • 27. HKLMSYSTEMCurrentControlSet EnumUSBSTOR This key contains addition information about list of mounted USB storage devices, including external memory cards. Mounted USB Storage Devices REGISTRY ANALYSIS www.malc0de.org
  • 28. Device ID • The device ID for a specific device identified. • It should be noted that not all USB thumb drives will have a serial number. www.malc0de.org
  • 30. Autostart locations • Used by a great many pieces of malware to remain persistent on the victim system. • Example: HKEY_CURRENT_USERSoftwareMicros- oftWindowsCurrentVersionRun www.malc0de.org
  • 31. Wireless SSIDs • SSIDs (service set identifiers) • This shows you which wireless networks you’ve connected to, and if you travel and make use of the ubiquitous wireless hotspots, you’ll see quite a few entries there. www.malc0de.org
  • 32. Registry: A Wealth of Information Information that can be recovered include: – System Configuration – Devices on the System – User Names – Personal Settings and Browser Preferences – Web Browsing Activity – Files Opened – Programs Executed – Passwords www.malc0de.org
  • 34. Registry Organization • Root Keys – HKEY_CLASSES_ROOT (HKCR) • Contains information in order that the correct program opens when executing a file with Windows Explorer. – HKEY_CURRENT_USER (HKCU) • Contains the profile (settings, etc) about the user that is logged in. – HKEY_LOCAL_MACHINE (HKLM) • Contains system-wide hardware settings and configuration information. – HKEY_USERS (HKU) • Contains the root of all user profiles that exist on the system. – HKEY_CURRENT_CONFIG (HKCC) • Contains information about the hardware profile used by the computer during start up. • Sub Keys – These are essentially sub directories that exist under the Root Keys. www.malc0de.org