Windows forensic artifacts
Published in: Technology

0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
759
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
26
Comments
0
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Windows Forensic Artifacts http://null.co.in/ http://nullcon.net/ Pardhasaradhi.ch a.k.a babloo 09762310104 [email_address]
  • 2. http://null.co.in/ http://nullcon.net/ Agenda
    • Introduction
    • Steps of forensics investigation
    • Rules of forensics investigations
    • Terminology
    • Windows artifacts
    • Browser artifacts
    • Tools which can be used
    • Evidence gathering without tools
  • 3. http://null.co.in/ http://nullcon.net/ Introduction to Forensics
      • It is the application of computer investigation and analysis techniques to gather evidence
      • It is also called cyber forensics
      • The goal of computer forensics is to perform a structured investigation, while maintaining a documented chain of evidence, to find out exactly what happened on a computer and who was responsible for it.
  • 4. http://null.co.in/ http://nullcon.net/ Steps of Forensics
  • 5. http://null.co.in/ http://nullcon.net/ Rules of Forensics investigation
      • Never mishandle Evidence
      • Never trust the subject operating system
      • Never work on original evidence
  • 6. http://null.co.in/ http://nullcon.net/ Terminology
    • Cloning
      • Storing the contents of one disk on another disk
    • Imaging
      • Storing the contents of a disk in an image file / on a disk
    • Carving
      • Process of extracting data from the disk / image
    • File slack
      • The space between the end of a file and the end of the disk cluster it is stored in
    • Unallocated space
      • Free space which is available for writing data
    • Steganography
      • A technique for hiding text inside images
    • Orphan
      • A file that was once associated with a program and that still remains on the computer even after the program has been uninstalled
  • 7. http://null.co.in/ http://nullcon.net/ Windows Artifacts
    • Thumbs.db
    • Index.dat
    • Hiberfil.sys
    • System volume information
    • Pagefile.sys
    • Prefetch
    • Sticky notes
    • NTUSER.dat and Usrclass.dat
    • Event Logs and audit logs
  • 8. http://null.co.in/ http://nullcon.net/ Browser artifacts in Windows
    • Default bookmarks location for Firefox
      • C:\Users\...\AppData\Roaming\Mozilla\Firefox\Profiles\<profile-id>.default
    • Default location of saved passwords
      • C:\Users\...\AppData\Roaming\Mozilla\Firefox\Profiles\l6jq0hlt.default\key3.db
      • C:\Users\...\AppData\Roaming\Mozilla\Firefox\Profiles\l6jq0hlt.default\signons.sqlite
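The profile id on the slide (l6jq0hlt.default) is one machine's random profile name, so an examiner enumerates every profile rather than hard-coding it. The PowerShell below is an added example, not from the slides: it walks C:\Users (or a mounted image root passed as -UsersRoot, which is assumed to be mounted read-only), locates every Firefox profile, and records size, last-write time and SHA-256 of the password stores the slide names plus their modern successors (key4.db, logins.json) and places.sqlite for bookmarks and history. The file list and the CSV output path are this example's own choices.

```powershell
# Added example (not from the slides): inventory Firefox credential, bookmark
# and history stores for every user profile and hash them before analysis.
# -UsersRoot may point at a mounted forensic image (assumed read-only),
# e.g. 'E:\Users'; the default reads the live system.
param(
    [string]$UsersRoot = 'C:\Users',
    [string]$OutCsv    = (Join-Path $env:TEMP 'firefox_artifacts.csv')
)

# key3.db / signons.sqlite are the legacy password stores named on the slide;
# key4.db / logins.json replaced them in newer Firefox releases;
# places.sqlite holds bookmarks and browsing history.
$Targets = 'key3.db', 'signons.sqlite', 'key4.db', 'logins.json', 'places.sqlite'

$rows = foreach ($user in Get-ChildItem -Path $UsersRoot -Directory -ErrorAction SilentlyContinue) {
    $profilesDir = Join-Path $user.FullName 'AppData\Roaming\Mozilla\Firefox\Profiles'
    if (-not (Test-Path -LiteralPath $profilesDir)) { continue }

    foreach ($profile in Get-ChildItem -Path $profilesDir -Directory) {
        foreach ($name in $Targets) {
            $file = Join-Path $profile.FullName $name
            if (-not (Test-Path -LiteralPath $file)) { continue }

            $item = Get-Item -LiteralPath $file
            [pscustomobject]@{
                User         = $user.Name
                Profile      = $profile.Name        # e.g. l6jq0hlt.default
                Artifact     = $name
                Path         = $file
                SizeBytes    = $item.Length
                LastWriteUtc = $item.LastWriteTimeUtc.ToString('o')
                # Hash recorded up front so later analysis can be shown to have
                # worked on an unmodified copy (documented chain of evidence).
                SHA256       = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            }
        }
    }
}

$rows | Export-Csv -Path $OutCsv -NoTypeInformation
$rows | Format-Table User, Profile, Artifact, SizeBytes, LastWriteUtc -AutoSize
```

Run it from an elevated prompt so every user's AppData is readable; the CSV it writes is the inventory to attach to the case notes, and re-hashing the same files later should reproduce the recorded SHA-256 values.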
  • 9. http://null.co.in/ http://nullcon.net/ Using a dump file
    • We can get user details, system activity and almost everything else using third-party tools
  • 10. http://null.co.in/ http://nullcon.net/ Tools that can be used
    • FTK
    • EnCase
    • DFF
    • Add-ons
    • Paraben
    • Stegosuite
    • Volatility
    • TZWorks sbag
  • 11. http://null.co.in/ http://nullcon.net/ Without tools: how can we extract the data?
    • USB devices: HKLM\System\ControlSet00x\Enum\USBSTOR
      • What information can be found: Vendor ID, Product ID, Revision, Device ID / Serial Number
    • Mounted devices: HKLM\System\MountedDevices
      • What information can be found: this key lists each drive connected to the system
  • 12. http://null.co.in/ http://nullcon.net/
    • Task manager
    • Event logs
    • Network and performance monitor
    • Task scheduler
    • Windows Update history
    • System files
    • MAC table
    • Commands in CLI / PowerShell
    • Computer management
    • Regedit
    • Msconfig
    • Prefetch
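Slides 11 and 12 point at the USBSTOR and MountedDevices keys and at PowerShell as a way to read them without a forensic suite. The script below is an added example, not from the slides: it parses the USBSTOR class key names (Disk&Ven_...&Prod_...&Rev_...) into vendor, product and revision, takes the serial number from each instance subkey, and then searches the UTF-16LE data of every MountedDevices value for that serial so each device can be tied to the drive letter or volume GUID it was mounted as. It reads the live SYSTEM hive by default; the hive name HKLM\EvidenceSYSTEM and the image path in the comments are placeholders for the offline case.

```powershell
# Added example (not from the slides): list every USB mass-storage device the
# SYSTEM hive has recorded, using the two keys named on slide 11.
# Default reads the live hive through the HKLM: drive. For an offline image,
# load its SYSTEM hive first, e.g.
#   reg load HKLM\EvidenceSYSTEM <mounted-image>\Windows\System32\config\SYSTEM
# (placeholder names) and run with -SystemHive 'HKLM:\EvidenceSYSTEM'.
param([string]$SystemHive = 'HKLM:\SYSTEM')

# CurrentControlSet is a link that only exists on a live system, so resolve the
# active ControlSet00x number from the Select key, which lives in the hive itself.
$current    = (Get-ItemProperty -Path "$SystemHive\Select" -Name Current).Current
$controlSet = '{0}\ControlSet{1:D3}' -f $SystemHive, $current
$usbstor    = "$controlSet\Enum\USBSTOR"

# MountedDevices: each value is named after a volume GUID or a DOS device
# (drive letter). For USB devices the binary data is a UTF-16LE string that
# embeds the USBSTOR device id and serial, which ties serial to mount point.
$mountedText = @{}
$mounted = Get-ItemProperty -Path "$SystemHive\MountedDevices"
foreach ($p in $mounted.PSObject.Properties) {
    if ($p.Value -is [byte[]]) {
        $mountedText[$p.Name] = [Text.Encoding]::Unicode.GetString($p.Value)
    }
}

$devices = foreach ($class in Get-ChildItem -Path $usbstor) {
    # Class key name format: Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
    $parts = @{}
    foreach ($seg in ($class.PSChildName -split '&')) {
        if ($seg -match '^(Ven|Prod|Rev)_(.*)$') { $parts[$Matches[1]] = $Matches[2] }
    }
    # Each subkey is one physical device; its name is the reported serial number,
    # or a Windows-generated id ending in '&0' when the device reports none.
    foreach ($inst in Get-ChildItem -Path $class.PSPath) {
        $serial = $inst.PSChildName
        $props  = Get-ItemProperty -Path $inst.PSPath
        $mounts = foreach ($kv in $mountedText.GetEnumerator()) {
            if ($kv.Value.Contains($serial)) { $kv.Key }
        }
        [pscustomobject]@{
            Vendor       = $parts['Ven']
            Product      = $parts['Prod']
            Revision     = $parts['Rev']
            Serial       = $serial
            FriendlyName = $props.FriendlyName
            MountPoints  = ($mounts -join '; ')
        }
    }
}

$devices | Sort-Object Vendor, Product | Format-Table -AutoSize
```

The Select\Current lookup matters on an offline hive because the page's "ControlSet00x" is not fixed; picking the wrong control set silently reports a stale device list. Entries with an empty MountPoints column are devices the hive knows about but whose MountedDevices record has since been overwritten or removed.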
  • 13. Thank You Pardhasaradhi.ch 09762310104 www.pardhasaradhi.info [email_address]