Windows forensic artifacts

Windows Forensic Artifacts http://null.co.in/ http://nullcon.net/ Pardhasaradhi.ch a.k.a babloo 09762310104 [email_address]

http://null.co.in/ http://nullcon.net/ Agenda Introduction Steps of forensics investigation Rules of Forensics investigations Terminology Windows Artifacts Browser artifacts Tools which can be used Evidence gathering Without Tools

http://null.co.in/ http://nullcon.net/ Introduction to Forensics
It is the application of computer investigation and analysis techniques to gather evidence
It is also called as cyber forensics
The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.

http://null.co.in/ http://nullcon.net/ Steps of Forensics

http://null.co.in/ http://nullcon.net/ Rules of Forensics investigation
Never mishandle Evidence
Never trust the subject operating system
Never work on original evidence
Never work on original evidence

http://null.co.in/ http://nullcon.net/ Terminology C
Cloning
Storing contents of one disk to another
Imaging
Storing of contents of a disk to a image / disk
Carving
Process of extracting data from the disk / image
File Slack
The space between the end of a file and the end of the disk cluster it is stored in.
Unallocated Space
Free space which is available to write the data
Steganography
A technique of hiding text in images
Orphan
A file that was once associated with a program that still remains on the
Computer even after the program has been uninstalled.

http://null.co.in/ http://nullcon.net/ Windows Artifacts
Thumbs.db
Index.dat
Hiberfil.sys
System volume information
Pagefile.sys
Prefetch
Sticky notes
NTUSER.dat and Usrclass.dat
Event Logs and audit logs

http://null.co.in/ http://nullcon.net/ Browser artifacts in Windows Default auto bookmarks location for Firefox C:Users......AppDataRoamingMozillaFirefoxProfiles,,,,.default Default location Saved Passwords C:Users...AppDataRoamingMozillaFirefoxProfilesl6jq0hlt.defaultKey3.db C:Users...AppDataRoamingMozillaFirefoxProfilesl6jq0hlt.defaultsignons.Sqllite

http://null.co.in/ http://nullcon.net/ Using a Dump File We can get User details System Activity Almost every thing using third party tools

http://null.co.in/ http://nullcon.net/ Tools Can be used FTK Encase DFF ADDONS Parbens Stegosuite Volatility TZwork sbag

http://null.co.in/ http://nullcon.net/ Without tools How can we extract the data ? USB devices :: HKLMSystemControlset00xEnumUSBSTOR what Information can be found Vendor ID, Product ID, Revision, Device ID / Serial Number Mounted Devices HKLMSystemMounted Devices What information can be found This key views each drive connected to the system

http://null.co.in/ http://nullcon.net/ Task manager Event logs Network and performance monitor Task scheduler Windows Update history System files MAC table Commands in cli / Powershell Computer management Regedit Msconfig Prefetch

Thank You Pardhasaradhi.ch 09762310104 www.pardhasaradhi.info [email_address]

Windows forensic artifacts

by n|u - The Open Security Community on Nov 25, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 546

Statistics

Windows forensic artifacts — Presentation Transcript