DATA64- Windows Forensics

  1. Windows Forensics
  2. WINDOWS FORENSICS BY CATALYST
  3. CONTENTS
     • Registry Analysis
     • Recycle Bin Analysis
     • Hiberfil.sys File Analysis
     • Paging File Analysis
     • Prefetch Analysis
     • Thumbs.db Analysis
  4. REGISTRY ANALYSIS: What is the Registry?
     • The Registry is a database used to store settings and options for the 32/64-bit versions of Microsoft Windows.
     • It contains information and settings for all the hardware, software, users, and preferences of the PC.
     • It was first introduced in Windows 95.
     • Whenever a user changes Control Panel settings, file associations, system policies, or installed software, the changes are reflected and stored in the Registry.
     • Virtually everything done in Windows refers to, or is recorded in, the Registry.
  5. REGISTRY ANALYSIS
     • To edit Registry files, run Regedit.exe.
     • (Regedit screenshot: root keys, sub keys, key pane, content pane, value name, data type, value)
  6. REGISTRY ANALYSIS: Hives
     1. HKEY_CLASSES_ROOT (HKCR) {alias HKLM\Software\Classes}
     2. HKEY_CURRENT_USER (HKCU) {alias HKLM\Software\Classes}
     3. HKEY_LOCAL_MACHINE (HKLM)
     4. HKEY_USERS (HKU)
     5. HKEY_CURRENT_CONFIG (HKCC) {alias HKLM\Config\profile}
     These files are saved in %SystemRoot%\System32\Config and updated with each login.
  7. REGISTRY ANALYSIS: Most Recently Used [MRU]
     • OpenSaveMRU maintains a list of recently opened or saved files:
       HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
     • RunMRU maintains the commands typed in the "Run" dialog box:
       HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
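An added example, not part of the deck, showing how the two MRU keys on this slide are read offline from a regedit .reg export: each key's MRUList value gives the slot letters most-recent-first, and RunMRU entries carry a trailing "\1" marker that is stripped. The export text below is constructed sample data; the key paths are the ones named on the slide.

```python
import re

# Constructed sample .reg export of two MRU keys (illustrative values, not from a real system).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="cmd\\1"
"b"="notepad C:\\notes.txt\\1"
"c"="regedit\\1"
"MRUList"="cba"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt]
"a"="C:\\Users\\bob\\report.txt"
"b"="D:\\payroll.txt"
"MRUList"="ba"
'''

RUNMRU_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
OPENSAVE_TXT_KEY = RUNMRU_KEY.rsplit('\\', 1)[0] + r'\ComDlg32\OpenSaveMRU\txt'

# "name"="data" lines; backslashes and quotes inside are escaped with a backslash.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:   # undo the .reg escaping (\\ -> \, \" -> ")
                name, data = (re.sub(r'\\(.)', r'\1', s) for s in m.groups())
                keys[current][name] = data
    return keys

def mru_order(values):
    """Return (slot, item) pairs most-recent-first, following the MRUList value."""
    ordered = []
    for slot in values.get('MRUList', ''):
        data = values.get(slot)
        if data is None:            # MRUList may still reference a slot that was deleted
            continue
        if data.endswith('\\1'):    # RunMRU appends "\1" to every command
            data = data[:-2]
        ordered.append((slot, data))
    return ordered

def recent_items(reg_text, key):
    return mru_order(parse_reg(reg_text).get(key, {}))
```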
  8. REGISTRY ANALYSIS: Recent Docs
     • This key also maintains a list of files recently executed or opened through Windows Explorer:
       HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  9. REGISTRY ANALYSIS: Windows Virtual Memory [Paging File] Configuration
     • The paging file (usually C:\pagefile.sys) may contain evidential information that could be removed once the suspect computer is shut down.
     • ClearPageFileAtShutdown specifies whether Windows should clear the paging file when the computer shuts down:
       HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  10. REGISTRY ANALYSIS: Recent Search Terms
     • This key contains recent search terms entered in the Windows default search.
     • Subkey 5603 contains search terms for finding folders and filenames.
     • Subkey 5604 contains search terms for finding words or phrases in a file.
     • HKCU\Software\Microsoft\Search Assistant\ACMru
  11. REGISTRY ANALYSIS: Installed Programs
     • Each subkey in this key represents a program installed on the computer:
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  12. RECYCLE BIN ANALYSIS: What is the Recycle Bin?
     • When you delete a file, the complete path and file name are stored in a hidden file called Info, or Info2 (Windows 98), in the Recycled folder.
     • Deleting a single file from the Recycle Bin changes the first byte of its record in the INFO2 file to 00.
     • Removable devices do not have a Recycle Bin.
     • The deleted file is renamed using the following syntax: D<original drive letter of file><#>.<original extension>
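An added example, not from the deck, that parses an INFO2 file of the kind described on this slide: it rebuilds the D<drive letter><#>.<extension> name from each record and flags records whose first byte was zeroed when the entry was removed from the bin (the UTF-16 copy of the path survives, so the original path is still recovered). The record layout used here (20-byte header with the record size at offset 12, then 800-byte records: ANSI path at 0, index, drive number, FILETIME and size at 260, UTF-16LE path at 280) is the commonly documented Windows 2000/XP layout and is an assumption of this example; the sample INFO2 bytes are constructed.

```python
import ntpath
import struct
from datetime import datetime, timedelta, timezone

# Assumed Windows 2000/XP INFO2 layout (see lead-in): 20-byte header, 800-byte records.
HEADER_SIZE, RECORD_SIZE = 20, 800
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)

def make_record(path, index, drive, deleted_at, size, purged=False):
    """Build one constructed INFO2 record (sample data, not real evidence)."""
    ansi = path.encode('cp1252').ljust(260, b'\0')
    if purged:                       # removing the entry from the bin zeroes byte 0
        ansi = b'\0' + ansi[1:]
    ft = int((deleted_at - EPOCH).total_seconds()) * 10_000_000
    fixed = struct.pack('<IIQI', index, drive, ft, size)
    return ansi + fixed + path.encode('utf-16-le').ljust(520, b'\0')

def parse_info2(data):
    """Return one dict per record, with the recycled name rebuilt as D<drive><index><ext>."""
    rec_size = struct.unpack_from('<I', data, 12)[0] or RECORD_SIZE
    records = []
    for off in range(HEADER_SIZE, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        index, drive, ft, size = struct.unpack_from('<IIQI', rec, 260)
        path = rec[280:].decode('utf-16-le', 'replace').split('\0', 1)[0]
        ext = ntpath.splitext(path)[1]
        records.append({
            'original_path': path,
            'recycled_name': f"D{chr(ord('a') + drive)}{index}{ext}",  # drive 2 -> 'c'
            'deleted_at': filetime_to_dt(ft),
            'size': size,
            'purged': rec[0] == 0,   # first byte 00: entry was deleted from the bin
        })
    return records

# Constructed sample INFO2: version-5 header, then two records (the second one purged).
SAMPLE_INFO2 = (struct.pack('<IIIII', 5, 0, 0, RECORD_SIZE, 0)
    + make_record('C:\\Docs\\secret.doc', 1, 2,
                  datetime(2009, 3, 14, 10, 30, tzinfo=timezone.utc), 24576)
    + make_record('C:\\Docs\\old.xls', 2, 2,
                  datetime(2009, 3, 15, 9, 0, tzinfo=timezone.utc), 4096, purged=True))
```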
  13. RECYCLE BIN ANALYSIS: Tools for analysis
     • Windows File Analyzer
     • Recuva
  14. PREFETCH FILE ANALYSIS
     • Frequently used applications are logged in a special folder to speed up their start, by noting which disk sectors will be required directly upon start.
     • Stored in the directory C:\Windows\Prefetch
     • Named as: <Executable File Name>-XXXXXXXX.pf, where XXXXXXXX is the hash of the location from which it was run.
  15. PREFETCH FILE ANALYSIS: Tools for analysis
  16. HIBERFIL.SYS ANALYSIS: Hibernation mode?
     • The computer uses the Hiberfil.sys file to store a copy of system memory on the hard disk when the hybrid sleep setting is turned on.
     • Hiberfil.sys is a hidden system file.
     • Hiberfil.sys size ≥ RAM size.
     • The hibernation file is compressed.
  17. HIBERFIL.SYS ANALYSIS
  18. PAGING FILE ANALYSIS
     • A page file is a hidden file (or files) on the hard disk that the operating system uses to hold parts of programs and data files that do not fit in memory.
     • Virtual memory comprises the paging file and physical memory, or random access memory (RAM).
     • Windows moves data from the paging file to memory as needed, and moves data from memory to the paging file to make room for new data.
     • By default, Windows stores the paging file on the boot partition (the partition that contains the operating system and its support files). The default paging file size is equal to 1.5 times the total RAM.
  19. PAGING FILE ANALYSIS
  20. Any Queries?
