Forensic3e ppt ch08
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
System Forensics, Investigation, and Response
Lesson 8
Windows Forensics
Learning Objectives
Understand the essentials of the Windows operating system.
Be able to extract forensic data from a Windows system.
Key Concepts
Windows details
Evidence in volatile data
Windows swap file
Windows logs and directories
Windows Registry
History of Windows
Windows 3.x
Windows 95/NT
Windows 98/2000
History of Windows (Cont.)
Windows XP/Server 2003
Windows Vista/Windows 7/Server 2008
Windows 10/Server 2016
History of Windows (Cont.)
Windows 10: Cortana, Edge browser, Universal apps
Issues Pertinent to Forensics
What version of Windows is being used?
Is BitLocker in use?
Does the version of Windows support the Encrypting File System (EFS)?
Windows Details
32-bit (referred to as x86):
• Addresses up to 4,294,967,295 bytes
• Limited to 4 gigabytes (GB) of RAM
64-bit (referred to as x64):
• Addresses up to 18,446,744,073,709,551,616 bytes
Windows Boot Process
1. BIOS: POST, read the MBR
2. Boot Loader: loads NTLDR, switches to 32- or 64-bit mode
3. Boot Files: minimal drivers, boot.ini, NTOSKRNL
Windows Boot Process (Cont.)
4. Boot Files (cont.): hal.dll, Windows Registry
5. Kernel loading
6. Win32 subsystem starts
Important Files
Ntdetect.com, Ntbootdd.sys, Ntoskrnl.exe
Hal.dll, Smss.exe, Winlogon.exe
Lsass.exe, Explorer.exe, Csrss.exe
Volatile Memory
Live system forensic technique in which you:
• Collect a memory dump
• Compute the hash
• Perform analysis in an isolated environment
Offline vs. Volatile Data Analysis
Offline Data Analysis | Volatile Data Analysis
Nonvolatile data | Volatile data
Isolation is relatively easy for an experienced specialist | Isolation is difficult
Repeatable | Repeatable only if captured
Can be captured later | Must be captured immediately
Volatile Memory (Cont.)
Stack (S):
• Allocated based on last-in, first-out (LIFO)
• Most dynamic area of process memory
Heap (H):
• Data can exist between function calls
Live Forensics Tools
PsList - processes
PsInfo - operating system details
ListDLLs - loaded DLLs
PsLoggedOn - login information
netstat - network connections
PsList (screenshot, used with permission from Microsoft)
PsInfo (screenshot, used with permission from Microsoft)
ListDLLs (screenshot, used with permission from Microsoft)
PsLoggedOn (screenshot, used with permission from Microsoft)
Netstat (screenshot, used with permission from Microsoft)
Other Live Forensics Tools
FPort:
• View all open TCP and UDP ports
• Map ports to specific processes
Userdump:
• Extract memory dumps of running processes
PTFinder:
• Enumerates processes and threads in a memory dump
Windows Swap File
A special place on the hard disk where items from memory can be temporarily stored for fast retrieval
Used to end in a .swp extension; since Windows XP, called pagefile.sys
Typically found in the Windows root directory
Often referred to as virtual memory
Windows Log Files
Files that contain information about events and other activities that occur in Windows
Event Viewer is used to view log files
Windows Log Files (Cont.)
Security
Application
System
ForwardedEvents
Applications and Services
Event Viewer
Windows Directories/Folders
C:\Windows
C:\Documents and Settings
C:\Users
C:\Program Files
C:\Program Files (x86)
C:\Users\<username>\Documents
UserAssist (screenshot, used with permission from Microsoft)
Unallocated/Slack Space
Alternate Data Streams (ADS)
A method of attaching one file to another file, using the NTFS file system
A feature of NTFS that contains metadata for locating a specific file by some criterion, like title
What are the risks associated with ADS?
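One concrete risk behind the question above is that a named stream carries data a normal directory listing never shows. The Python below is an added example, not from the book: it parses the text that the Windows command `dir /r` prints (the listing that includes streams) from a constructed sample and separates the routine Zone.Identifier stream from anything else an examiner should inspect.

```python
import re

# One ADS line in "dir /r" output: only a size column, then file:stream:$DATA, no date/time.
ADS_LINE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")

# Streams Windows itself writes routinely; anything else deserves a closer look.
EXPECTED_STREAMS = {"Zone.Identifier"}  # Mark-of-the-Web added to downloaded files

def find_streams(dir_output):
    """Parse 'dir /r' text and return (file, stream, size_in_bytes) for each named stream."""
    found = []
    for line in dir_output.splitlines():
        m = ADS_LINE.match(line)
        if m:
            size, name, stream = m.groups()
            found.append((name, stream, int(size.replace(",", ""))))
    return found

def suspicious_streams(dir_output, max_routine_size=1024):
    """Keep streams that are not routine Windows metadata, or are large enough to hide a file."""
    return [(f, s, n) for f, s, n in find_streams(dir_output)
            if s not in EXPECTED_STREAMS or n > max_routine_size]

# Constructed sample of 'dir /r' output; not captured from a real machine.
SAMPLE_DIR_R = r"""
 Directory of C:\Users\alice\Downloads

03/05/2019  08:10 AM    <DIR>          .
03/05/2019  08:10 AM    <DIR>          ..
03/05/2019  08:09 AM            12,345 report.txt
                                    26 report.txt:Zone.Identifier:$DATA
03/05/2019  08:09 AM             4,096 notes.docx
                                73,728 notes.docx:hidden.bin:$DATA
               2 File(s)         16,441 bytes
"""
```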
Index.dat
No longer in Edge
Used by Microsoft Internet Explorer
Stores:
• Web addresses
• Search queries
• Recently opened files
Window Washer (screenshot, courtesy of Eusing Software)
Windows Files and Permissions
When copying and pasting on the same partition, files and folders inherit the rights of the folder they are being copied to.
When cutting and pasting (moving), files and folders retain their original permissions if they are on the same partition.
Windows Files and Permissions (Cont.)
MAC refers to three critical properties:
• File modified
• File accessed
• File created
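To turn the three MAC properties into evidence, an examiner lines them up on one timeline and looks for combinations no untouched file can have. The Python below is an added example, not from the book; the sample records and paths are constructed, and the whole-second check is a heuristic rather than a rule.

```python
import os
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class MacRecord:
    path: str
    modified: datetime  # M: last write to the file's content
    accessed: datetime  # A: last read (coarse, and often disabled, on modern NTFS)
    created: datetime   # C: creation time

def collect(path):
    """Read M/A/C for one file. Caveat: os.stat's st_ctime is creation time on Windows
    but inode-change time on Linux, so prefer st_birthtime where the platform offers it."""
    st = os.stat(path)
    born = getattr(st, "st_birthtime", st.st_ctime)
    as_utc = lambda t: datetime.fromtimestamp(t, tz=timezone.utc)
    return MacRecord(path, as_utc(st.st_mtime), as_utc(st.st_atime), as_utc(born))

def timeline(records):
    """Flatten records into one chronologically sorted list of (time, 'M'|'A'|'C', path)."""
    events = []
    for r in records:
        events += [(r.modified, "M", r.path), (r.accessed, "A", r.path), (r.created, "C", r.path)]
    return sorted(events)

def anomalies(records):
    """Flag combinations an untouched file cannot have: modified or accessed before it was
    created, or a whole-second mtime beside a sub-second created time, a common trace of
    tools that rewrite timestamps with one-second granularity."""
    findings = []
    for r in records:
        if r.modified < r.created:
            findings.append((r.path, "modified before created"))
        if r.accessed < r.created:
            findings.append((r.path, "accessed before created"))
        if r.modified.microsecond == 0 and r.created.microsecond != 0:
            findings.append((r.path, "whole-second mtime beside sub-second created time"))
    return findings

# Constructed sample records for testing the checks; not taken from a real system.
T = lambda s: datetime.fromisoformat(s).replace(tzinfo=timezone.utc)
SAMPLE = [
    MacRecord(r"C:\Users\alice\Documents\report.docx", T("2019-03-04T10:15:30.123456"),
              T("2019-03-05T08:00:01.000500"), T("2019-03-01T09:00:00.250000")),
    MacRecord(r"C:\Windows\Temp\svc.exe", T("2008-01-01T00:00:00"),
              T("2019-03-05T08:10:00.000100"), T("2019-03-05T08:09:59.444444")),
]
```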
Windows Registry
• Computer hardware configuration
• Multiple users and preferences
• Program shortcuts and properties sheets
• Remote administration through network
Windows Registry
Windows Registry Hives
HKEY_CLASSES_ROOT (HKCR)
HKEY_CURRENT_USER (HKCU)
HKEY_LOCAL_MACHINE (HKLM)
HKEY_USERS (HKU)
HKEY_CURRENT_CONFIG (HKCC)
Importance of Examining Windows Registry
• USB
• Wireless network
• Word documents
• Malware
• Uninstalled software
• Passwords
• ShellBag
• Prefetch
Prefetch
Volume Shadow Copy
Keeps a record or copy of state changes
Stores them in blocks of data that are compared daily
Changed blocks are copied to the Volume Shadow
Volume Shadow Copy service runs once per day
Memory Forensics
1. Capture the memory from a live machine. Can use:
• DumpIt, RAM Capturer from Belkasoft, OSForensics, other tools
2. Analyze the captured memory. Can use:
• Volatility, Pslist, Pstree, Psscan, Svcscan, other tools
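The "collect, compute the hash, analyze in isolation" steps from the Volatile Memory slide and the two-step procedure above leave one thing for the examiner to prove: that the capture handed to Volatility is byte-for-byte what came off the live machine. The Python below is an added example, not from the book or from any tool named here; it hashes a constructed stand-in capture in chunks, writes a manifest, and shows the verification failing after a single byte changes.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read captures in 1 MiB pieces; real dumps are many gigabytes

def hash_file(path, algorithm="sha256"):
    """Hash a file in chunks so a multi-gigabyte capture never has to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def write_manifest(capture_path, manifest_path):
    """'Compute the hash' step: record name, size and two digests right after acquisition."""
    capture = Path(capture_path)
    sha256 = hash_file(capture, "sha256")
    md5 = hash_file(capture, "md5")  # legacy digest many tools still print beside SHA-256
    Path(manifest_path).write_text(
        f"{capture.name}\n{capture.stat().st_size}\n{sha256}\n{md5}\n")
    return sha256

def verify_manifest(capture_path, manifest_path):
    """Before analysis in the isolated lab, prove the working copy still matches the manifest."""
    capture = Path(capture_path)
    name, size, sha256, md5 = Path(manifest_path).read_text().split()
    return (name == capture.name
            and int(size) == capture.stat().st_size
            and sha256 == hash_file(capture, "sha256")
            and md5 == hash_file(capture, "md5"))

def demo():
    """Constructed 3 MiB stand-in for a memory capture (not a real dump).
    Returns (verified right after acquisition, verified after one byte was altered)."""
    with tempfile.TemporaryDirectory() as d:
        cap = Path(d) / "memory.raw"
        man = Path(d) / "memory.raw.manifest.txt"
        cap.write_bytes(bytes(range(256)) * (3 * CHUNK // 256))
        write_manifest(cap, man)
        before = verify_manifest(cap, man)
        with open(cap, "r+b") as f:  # flip one byte, as a bad copy or tampering would
            f.seek(CHUNK + 7)
            original = f.read(1)
            f.seek(CHUNK + 7)
            f.write(bytes([original[0] ^ 0xFF]))
        after = verify_manifest(cap, man)
    return before, after
```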
Summary
Windows details
Evidence in volatile data
Windows swap file
Windows logs and directories
Windows Registry