Mining Digital Evidence in Microsoft Windows   –  Answering Who, When, Why and How?
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
1. Mining Digital Evidence in Microsoft Windows – Answering Who, When, Why and How?
2. Agenda
  • CSI Computer Crime and Security Survey, 2007
  • What is Computer Forensics?
  • Laws of Computer Forensics
  • 10 Forensics avenues in Windows XP
3. A Quick CSI-FBI 2007 Survey Summary
  • The average annual loss in 2007 - $350,424
    ◦ Average annual loss in the previous year - $168,000
  • Not since the 2004 report have average losses been this high!
  • 46% of the overall respondents said that they had suffered a security incident.
  • Almost one-fifth (18 percent) of those respondents who suffered one or more kinds of security incident further said they had suffered a "targeted attack"
  • Financial fraud - the source of the greatest financial losses.
4. CSI Computer Crime and Security Survey
  • Insider abuse of network access or e-mail - the most prevalent security problem – 59% of respondents
  • Virus incidents – 52% of respondents
  • Dollar amount losses
    ◦ Financial Fraud - $21,124,750
    ◦ Virus (Worms / Spyware) - $8,391,800
    ◦ Theft of Confidential Data - $5,685,000
    ◦ Insider abuse of resources - $2,889,700
  • Total losses for 2007 - $66,930,950
5. CSI Computer Crime and Security Survey
  • How many incidents in the past twelve months?
6. Computer Forensics – the laws
  • First Law of Computer Forensics: there is evidence of every action.
  • Harlan Carvey's Corollary: once you understand what actions or conditions create or modify an artifact, then the absence of that artifact is itself an artifact.
7. Tip of the "Digital" Iceberg
  • Data as seen by a casual observer using common tools (Explorer window, cmd shell, web browser, etc.)
  • Data as seen by forensic investigators using their sophisticated toolkit. May include deleted data, hidden data, unauthorized information and records of illegal activity!
8. Mining Windows XP
9. Windows XP – Market Share
  • 92.69% of the people surfing the Web use Windows on PCs
    ◦ Windows XP's share - 79.32%
    ◦ Windows Vista – 7.38%
    ◦ Source: http://marketshare.hitslink.com
10. 10 Forensics avenues in Windows XP
  • NTFS attributes
  • Registry Files
  • Prefetch Files (.pf)
  • Print Spooler Files
  • Recycle Bin INFO2 records
  • Thumbs.db
  • Event Logs (.evt)
  • Internet History Files (.dat)
  • Shortcut files (.lnk)
  • System Restore Points
11. 10 Forensics avenues in Windows XP (agenda slide repeated)
12. Mining NTFS Attributes
  • MFT entry
13. Mining $LogFile
  • The $LogFile entry in the MFT contains the log of all file system transactions
  • The deletion of a file leaves several entries in $LogFile
  • It is not unusual to find references to files that are no longer on the disk
  • It also shows that the file was used by the system
  • Tool: EnCase $LogFile parser EnScript
14. Mining NTFS timestamps
  • NTFS has four timestamps:
    ◦ Creation time
    ◦ Last accessed time
    ◦ Last written time
    ◦ Last modification time
  • Windows 64-bit timestamp
    ◦ It is an 8-byte (64-bit) value,
    ◦ whose most significant byte is currently 01h; because the value is stored little-endian, that byte sits at the far right of the value as it appears on disk.
  • The $FILE_NAME (FN) and $STANDARD_INFORMATION (SIA) attributes each carry their own copy of these timestamps.
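The following Python is an added example, not part of the deck: it decodes the little-endian 64-bit FILETIME values (showing why the 01h byte lands at the far right on disk), pulls the four timestamps out of both the $STANDARD_INFORMATION (SIA) and $FILE_NAME (FN) attribute contents, and compares the two sets. The attribute layouts (SIA starting with four FILETIMEs; FN carrying an 8-byte parent reference before its four) are assumptions taken from public NTFS documentation, the sample attribute bytes are constructed in the code, and the anomaly rules are one illustrative check rather than a complete timestomping detector.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIMESTAMP_NAMES = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC).

    Little-endian storage puts the most significant byte (currently 01h) LAST on
    disk: bytes 00 c0 76 40 09 4c c8 01 are the value 0x01C84C094076C000.
    """
    ticks = struct.unpack("<Q", raw)[0]
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    ticks = (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    return struct.pack("<Q", ticks)


def parse_sia_timestamps(attr: bytes) -> dict:
    """$STANDARD_INFORMATION content: four FILETIMEs at offset 0 (assumed layout)."""
    return {name: filetime_to_datetime(attr[i * 8:i * 8 + 8])
            for i, name in enumerate(TIMESTAMP_NAMES)}


def parse_fn_timestamps(attr: bytes) -> dict:
    """$FILE_NAME content: 8-byte parent reference, then four FILETIMEs (assumed layout)."""
    return {name: filetime_to_datetime(attr[8 + i * 8:16 + i * 8])
            for i, name in enumerate(TIMESTAMP_NAMES)}


def timestamp_anomalies(sia: dict, fn: dict) -> list:
    """Illustrative checks only.

    SIA stamps are what Explorer displays and what user-mode tools can rewrite,
    while FN stamps are maintained by the kernel. An SIA creation time earlier
    than the FN creation time, or SIA values with no sub-second component while
    FN has one, deserve a closer look.
    """
    findings = []
    if sia["created"] < fn["created"]:
        findings.append("SIA created precedes FN created")
    for name in TIMESTAMP_NAMES:
        if sia[name].microsecond == 0 and fn[name].microsecond != 0:
            findings.append(f"SIA {name} has zero sub-second precision")
    return findings


# Constructed sample attribute contents (not taken from a real image).
_FN_STAMP = datetime(2008, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=123456)
_SIA_STAMP = datetime(2007, 6, 15, tzinfo=timezone.utc)  # earlier, and exactly on the second
SAMPLE_FN = b"\x00" * 8 + datetime_to_filetime(_FN_STAMP) * 4
SAMPLE_SIA = datetime_to_filetime(_SIA_STAMP) * 4


def check_sample() -> list:
    """Run the comparison over the constructed SIA and FN attribute bytes."""
    return timestamp_anomalies(parse_sia_timestamps(SAMPLE_SIA),
                               parse_fn_timestamps(SAMPLE_FN))


if __name__ == "__main__":
    for name, value in parse_sia_timestamps(SAMPLE_SIA).items():
        print(f"SIA {name:13s} {value.isoformat()}")
    for finding in check_sample():
        print("anomaly:", finding)
```

The FN set is the one to trust when the two disagree, because ordinary file APIs only rewrite the SIA copy; a real examination would also compare against $LogFile and the MFT entry sequence rather than rely on these two rules alone.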
15. 10 Forensics avenues in Windows XP (agenda slide repeated)
16. Windows Registry
  • Registry files are essentially databases containing information and settings for
    ◦ Hardware
    ◦ Software
    ◦ Users
    ◦ Preferences
  • A registry hive is a group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data.
  • In Windows 98, the registry files are named User.dat and System.dat.
  • In Windows Millennium Edition, the registry files are named Classes.dat, User.dat, and System.dat.
  • In Windows XP, the registry files are found in the C:\Windows\System32\config folder.
17. Mining the Windows Registry
  • Multiple forensic avenues in the registry!
    ◦ System and user-specific settings
    ◦ UserAssist
    ◦ MUICache
    ◦ MRU lists
    ◦ ProgramsCache
    ◦ StreamMRU
    ◦ ShellBags
    ◦ USBSTOR
    ◦ IE passwords
    ◦ and many more!
  • Demo
18. 10 Forensics avenues in Windows XP (agenda slide repeated)
19. The Prefetch feature
  • Microsoft created the Prefetch cache to improve boot and application launch time.
  • By caching data about commonly used applications, the OS can apportion system resources in anticipation of the user launching the application again.
  • When an application is launched, the system updates an entry under C:\Windows\Prefetch named after the application, with the file extension .pf.
20. The Prefetch feature
  • The file contains, among other items, the last time that the file was modified as a 64-bit hex timestamp value, and an integer that is incremented each time the application is run.
  • Analysing Prefetch: Mount Image Pro (MIP) + read-only image + WFA.exe (Windows File Analyzer)
  • Demo
21. Mining Prefetch – wfa.exe
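As an added example that is not from the deck and not the code of WFA.exe, the Python below parses the header of a Windows XP (format version 17) .pf file to recover the executable name, the last-run FILETIME and the run counter the slides describe. The field offsets used (version at 0x00, "SCCA" signature at 0x04, 60-byte UTF-16LE name at 0x10, hash at 0x4C, last-run time at 0x78, run count at 0x90) are assumptions taken from public descriptions of the XP prefetch layout, the sample file is constructed in the code, and the hash 0x12345678 is a placeholder value.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
PF_VERSION_XP = 0x11        # prefetch format version used by Windows XP / 2003
PF_SIGNATURE = b"SCCA"
# Offsets assumed from public descriptions of the version-17 (XP) layout.
OFF_VERSION, OFF_SIGNATURE, OFF_FILE_SIZE, OFF_EXE_NAME = 0x00, 0x04, 0x0C, 0x10
OFF_HASH, OFF_LAST_RUN, OFF_RUN_COUNT, HEADER_LEN = 0x4C, 0x78, 0x90, 0x98


def filetime_to_datetime(ticks: int) -> datetime:
    """100 ns ticks since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_xp_prefetch(data: bytes) -> dict:
    """Extract the forensic essentials from an XP .pf header; raise on other formats."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short to be an XP prefetch file")
    version = struct.unpack_from("<I", data, OFF_VERSION)[0]
    if data[OFF_SIGNATURE:OFF_SIGNATURE + 4] != PF_SIGNATURE or version != PF_VERSION_XP:
        raise ValueError("not a version-17 (Windows XP) prefetch file")
    # Executable name: up to 29 UTF-16 characters plus terminator in a 60-byte field.
    raw_name = data[OFF_EXE_NAME:OFF_EXE_NAME + 60]
    exe_name = raw_name.decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, OFF_HASH)[0]
    last_run = struct.unpack_from("<Q", data, OFF_LAST_RUN)[0]
    run_count = struct.unpack_from("<I", data, OFF_RUN_COUNT)[0]
    return {
        "executable": exe_name,
        # .pf files are named <EXE>-<HASH>.pf; a mismatch with the on-disk name
        # is itself worth noting during an examination.
        "expected_filename": f"{exe_name}-{pf_hash:08X}.pf",
        "last_run_utc": filetime_to_datetime(last_run).isoformat(),
        "run_count": run_count,
    }


def is_xp_prefetch(data: bytes) -> bool:
    """Convenience wrapper for triage loops over a Prefetch directory."""
    try:
        parse_xp_prefetch(data)
        return True
    except ValueError:
        return False


def build_sample_prefetch() -> bytes:
    """Constructed minimal XP prefetch header (not a real capture)."""
    buf = bytearray(HEADER_LEN)
    struct.pack_into("<I", buf, OFF_VERSION, PF_VERSION_XP)
    buf[OFF_SIGNATURE:OFF_SIGNATURE + 4] = PF_SIGNATURE
    struct.pack_into("<I", buf, OFF_FILE_SIZE, HEADER_LEN)
    name = "WFA.EXE".encode("utf-16-le")
    buf[OFF_EXE_NAME:OFF_EXE_NAME + len(name)] = name
    struct.pack_into("<I", buf, OFF_HASH, 0x12345678)              # placeholder hash
    struct.pack_into("<Q", buf, OFF_LAST_RUN, 0x01C84C094076C000)  # 2008-01-01 00:00 UTC
    struct.pack_into("<I", buf, OFF_RUN_COUNT, 7)
    return bytes(buf)


if __name__ == "__main__":
    for key, value in parse_xp_prefetch(build_sample_prefetch()).items():
        print(f"{key:18s} {value}")
```

Vista and later use a different version number and shift these offsets, so the version check at the top is what keeps the parser from reading garbage as a timestamp on a non-XP image.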
22. 10 Forensics avenues in Windows XP (agenda slide repeated)
23. Print Spooler Files
  • On Windows XP systems you will find these two files in the C:\Windows\System32\spool\Printers folder.
    ◦ .SPL - the spool file, which contains the print job's spooled data
    ◦ .SHD - the shadow file, which contains the job settings
24. PA Spool Viewer – view .shd files
  • Splview.exe - available at http://undocprint.printassociates.com
  • This tool allows you to view the metadata of the print job!
25. EMF Spool Viewer – view .spl files
  • EMF Spool Viewer - available at http://www.codeproject.com/dotnet/EMFSpoolViewer/EMFSpoolViewer.zip
  • This tool allows you to view the actual spooled pages!
26. 10 Forensics avenues in Windows XP (agenda slide repeated)
27. Mining the Recycle Bin
  • The INFO2 file contains records that correspond to each deleted file in the Recycle Bin; each record contains
    ◦ the record number,
    ◦ the drive designator,
    ◦ the timestamp of when the file was moved to the Recycle Bin,
    ◦ the file size,
    ◦ the file's original name and full path, in both ASCII and Unicode.
  • Files sent to the Recycle Bin are maintained according to a specific naming convention:
    ◦ D<original drive letter of file><#>.<original extension>
  • Demo
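The Python below is an added example, not the deck's material, that parses INFO2 records with the fields listed on the slide and reconstructs the D<drive letter><#>.<extension> name each file carries inside the bin. The byte layout is an assumption taken from public descriptions of the XP format (20-byte header with the record size at offset 12; 800-byte records holding the ASCII path, record number, drive number, FILETIME, size and UTF-16LE path), the INFO2 image is constructed in the code, and the note about the ASCII name being zeroed for individually restored or removed items is likewise an assumption from published analyses rather than a claim of the deck.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_LEN = 20     # assumed: uint32 version at 0, uint32 record size at 12
RECORD_LEN = 800    # assumed XP record size (Windows 95/98 used 280)
# Assumed record layout: 0-259 ASCII path, 260 uint32 record number,
# 264 uint32 drive number (0 = A:, 2 = C:), 268 FILETIME deleted,
# 276 uint32 size, 280-799 UTF-16LE path.


def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def recycled_name(drive_number: int, record_number: int, original_path: str) -> str:
    """Name the file carries inside the Recycle Bin: D<drive letter><#>.<ext>."""
    filename = original_path.rsplit("\\", 1)[-1]
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    return f"D{chr(ord('a') + drive_number)}{record_number}" + (f".{ext}" if ext else "")


def parse_info2_record(rec: bytes) -> dict:
    ascii_path = rec[:260].split(b"\x00", 1)[0].decode("ascii", "replace")
    record_number, drive_number, deleted_ticks, size = struct.unpack_from("<IIQI", rec, 260)
    unicode_path = rec[280:RECORD_LEN].decode("utf-16-le").split("\x00", 1)[0]
    original = unicode_path or ascii_path
    return {
        "record_number": record_number,
        "drive_number": drive_number,
        "deleted_utc": filetime_to_datetime(deleted_ticks).isoformat(),
        "size": size,
        "original_path": original,
        "recycled_name": recycled_name(drive_number, record_number, original),
        # Assumption from published analyses: when an item is restored or removed
        # from the bin individually, XP zeroes the first byte of the ASCII copy
        # of the name but leaves the Unicode copy, so the record still speaks.
        "ascii_name_cleared": rec[0] == 0 and bool(unicode_path),
    }


def parse_info2(data: bytes) -> list:
    record_len = struct.unpack_from("<I", data, 12)[0]
    if record_len != RECORD_LEN:
        raise ValueError(f"unexpected INFO2 record size {record_len}")
    return [parse_info2_record(data[off:off + RECORD_LEN])
            for off in range(HEADER_LEN, len(data) - RECORD_LEN + 1, RECORD_LEN)]


def _record(record_number, drive_number, path, size, deleted_ticks, cleared=False) -> bytes:
    rec = bytearray(RECORD_LEN)
    rec[:len(path)] = path.encode("ascii")
    if cleared:
        rec[0] = 0
    struct.pack_into("<IIQI", rec, 260, record_number, drive_number, deleted_ticks, size)
    rec[280:280 + 2 * len(path)] = path.encode("utf-16-le")
    return bytes(rec)


def build_sample_info2() -> bytes:
    """Constructed INFO2 with two records (not a real capture)."""
    header = bytearray(HEADER_LEN)
    struct.pack_into("<I", header, 0, 5)              # version value seen on XP
    struct.pack_into("<I", header, 12, RECORD_LEN)
    jan_2008 = 0x01C84C094076C000                     # 2008-01-01 00:00:00 UTC
    one_hour = 36_000_000_000                         # in 100 ns ticks
    return (bytes(header)
            + _record(3, 2, "C:\\Documents and Settings\\user\\Desktop\\secret.doc", 4096, jan_2008)
            + _record(4, 4, "E:\\photos\\img_001.jpg", 204800, jan_2008 + one_hour, cleared=True))


if __name__ == "__main__":
    for entry in parse_info2(build_sample_info2()):
        print(entry)
```

The second constructed record shows why both copies of the name matter: with the ASCII copy cleared, the Unicode copy still yields the original path and the D-name to search for in unallocated space.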
28. 10 Forensics avenues in Windows XP (agenda slide repeated)
29. Mining Thumbs.db
  • Thumbs.db contains cached thumbnails of the images in a folder.
  • The thumbnails are stored as OLE embedded data within the Thumbs.db file.
  • In many cases the images may have been deleted from the directory but may still be available in the Thumbs.db cache!
  • Tools:
    ◦ EnCase
    ◦ Windows File Analyzer
    ◦ AccessData FTK
  • Demo
30. 10 Forensics avenues in Windows XP (agenda slide repeated)
31. Event Logs
  • Windows event logs provide crucial insight into what has happened on the system
  • Using event logs in conjunction with other forensic avenues such as registry data (UserAssist, MUICache, MRU lists etc.) can help reconstruct past events on the system.
  • Three types of event logs:
    ◦ Application
    ◦ System
    ◦ Security
32. Mining event logs…
  • What the logs can tell you:
    ◦ Unsuccessful logon attempts
    ◦ Successful privilege escalation attempts
    ◦ System time was changed
    ◦ Logon time restriction violation
    ◦ Logon/logoff times
    ◦ Successful/unsuccessful object access
  • The default Windows security audit settings log nothing at all!
  • Unfortunately, event logs only record the NetBIOS name and not the IP address!
  • Demo
33. 10 Forensics avenues in Windows XP (agenda slide repeated)
34. Tracing Internet Activity
  • Internet browsers leave a detailed history on the hard drive which can show all sites visited and all graphics viewed.
  • An individual's web browsing activity often provides investigative leads during most investigations.
  • We can reconstruct an individual's web browsing activity using sophisticated tools such as EnCase, NetAnalysis and Web Historian
  • The two predominant web browsers encountered during computer-related investigations are
    ◦ Microsoft's Internet Explorer (IE) and
    ◦ the Firefox/Mozilla/Netscape family
35. Mining Internet Explorer
  • IE maintains rich logging of a user's browsing activities, which allows for creating a web profile of the suspect.
  • IE has three separate logging facilities that can be used to reconstruct the suspect's web browsing activities:
    ◦ History of visited URLs
    ◦ Cookies
    ◦ Temporary Internet Files
  • In many cases, web profiling has led to the successful conviction of pedophiles!
36. Mining Mozilla Firefox
  • Mozilla Firefox stores the Internet activity in the following folder:
  • C:\Documents and Settings\<user name>\Application Data\Mozilla\Firefox\Profiles\<random text>\Cache
  • There are three types of files in this directory:
    ◦ A cache map file
    ◦ Three cache block files
    ◦ Separate cache data files
  • Demo
37. 10 Forensics avenues in Windows XP (agenda slide repeated)
38. Mining shortcut files
  • Link files refer to, or link to, target files, which can be applications, directories, documents, or data files.
  • The data contained inside a link file describes the various attributes of the target file.
  • A link file contains:
    ◦ the complete path to the target file
    ◦ the volume label and volume serial number on which the target file or folder exists - this can be useful for connecting a file to a unique volume!
    ◦ the file's size in bytes
    ◦ the MAC timestamps of the target file!!!
39. Mining shortcut files…
    ◦ Media type (fixed/removable)
    ◦ Working directory
    ◦ MAC address
    ◦ Remote share name
  • May be found in unallocated clusters and swap space
  • May indicate that data was copied to removable media!
  • Tools: EnCase link parser EnScript; Windows File Analyzer
  • Demo
40. 10 Forensics avenues in Windows XP (agenda slide repeated)
41. The restore point feature
  • Rp.log, the restore point log file, is located within the restore point (RPxx) directory.
  • This restore point log contains
    ◦ a value indicating the type of the restore point,
    ◦ a descriptive name for the restore point creation event (e.g. application or device driver installation, application uninstall, etc.)
    ◦ the 64-bit FILETIME object indicating when the restore point was created
42. The restore point feature
  • Change.log.x files
    ◦ Record changes to key application files
    ◦ When a change is detected, the original filename is entered into the change.log file along with a sequence number and other necessary information, such as the type of change that occurred (file deletion, change of file attributes, or change of content).
    ◦ Sometimes the entire file may be preserved (Axxxxxx.ext format)!
    ◦ Each change.log.x file consists of a number of change log records
  • Ref: Windows Forensic Analysis by Harlan Carvey
43. Mining restore points
  • What restore points can tell:
    ◦ Installation or removal of an application
    ◦ Changes to the system time
    ◦ Remnants of deleted/uninstalled applications
    ◦ Remnants of deleted files
    ◦ Evidence of files being accessed in the past
  • Demo
44. Queries are welcome!