
Windows forensic artifacts

null Pune November'11 Meet



  1. Windows Forensic Artifacts (http://null.co.in/ http://nullcon.net/). Pardhasaradhi.ch a.k.a. babloo, 09762310104, [email_address]
  2. Agenda
     - Introduction
     - Steps of a forensics investigation
     - Rules of forensics investigations
     - Terminology
     - Windows artifacts
     - Browser artifacts
     - Tools which can be used
     - Evidence gathering without tools
  3. Introduction to Forensics
     - It is the application of computer investigation and analysis techniques to gather evidence.
     - It is also called cyber forensics.
     - The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence, to find out exactly what happened on a computer and who was responsible for it.
  4. Steps of Forensics
  5. Rules of Forensics Investigation
     - Never mishandle evidence.
     - Never trust the subject operating system.
     - Never work on original evidence.
  6. Terminology
     - Cloning: storing the contents of one disk onto another disk.
     - Imaging: storing the contents of a disk into an image file or onto another disk.
     - Carving: the process of extracting data from a disk or image.
     - File slack: the space between the end of a file and the end of the disk cluster it is stored in.
     - Unallocated space: free space which is available for writing data.
     - Steganography: a technique of hiding text in images.
     - Orphan: a file that was once associated with a program and still remains on the computer even after the program has been uninstalled.
  7. Windows Artifacts
     - Thumbs.db
     - Index.dat
     - Hiberfil.sys
     - System Volume Information
     - Pagefile.sys
     - Prefetch
     - Sticky Notes
     - NTUSER.dat and UsrClass.dat
     - Event logs and audit logs
  8. Browser Artifacts in Windows
     - Default bookmarks location for Firefox: C:\Users\...\AppData\Roaming\Mozilla\Firefox\Profiles\....default
     - Default location of saved passwords:
       C:\Users\...\AppData\Roaming\Mozilla\Firefox\Profiles\l6jq0hlt.default\key3.db
       C:\Users\...\AppData\Roaming\Mozilla\Firefox\Profiles\l6jq0hlt.default\signons.sqlite
  9. Using a Dump File. We can get:
     - User details
     - System activity
     - Almost everything, using third-party tools
  10. Tools That Can Be Used
     - FTK
     - EnCase
     - DFF
     - ADDONS
     - Paraben
     - Stegosuite
     - Volatility
     - TZWorks sbag
  11. Without Tools: How Can We Extract the Data?
     - USB devices: HKLM\System\ControlSet00x\Enum\USBSTOR
       What information can be found: Vendor ID, Product ID, Revision, Device ID / Serial Number.
     - Mounted devices: HKLM\System\MountedDevices
       What information can be found: this key records each drive that has been connected to the system.
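As an added example (not part of the deck), the following Python script correlates the two registry keys named on this slide: it parses USBSTOR subkey names into type, vendor, product, revision and serial, then matches each serial against the MountedDevices entries to recover the drive letter the device was mounted at. The key names, serials and binary values are constructed sample data, assumed to have been exported from an offline SYSTEM hive.

```python
import re
from typing import Dict, List, Optional

# Constructed "<device class>\<instance>" subkey names as found under
# HKLM\System\ControlSet00x\Enum\USBSTOR (sample data, not a real case).
USBSTOR_KEYS = [
    r"Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\001CC0EC34C4BB80E1170A2D&0",
    r"Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230510112085&0",
]
# Constructed HKLM\System\MountedDevices values (name -> REG_BINARY). A USB volume
# holds a UTF-16LE device path with the same serial; a fixed disk holds signature+offset.
MOUNTED_DEVICES = {
    "\\DosDevices\\E:": (
        "_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP"
        "#001CC0EC34C4BB80E1170A2D&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    ).encode("utf-16-le"),
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4" + "0000100000000000"),
}
KEY_RE = re.compile(r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
                    r"&Rev_(?P<rev>[^\\]*)\\(?P<serial>[^\\]+)$")

def parse_usbstor_key(key: str) -> Optional[Dict[str, str]]:
    """Split one USBSTOR subkey into type, vendor, product, revision, serial."""
    m = KEY_RE.match(key)
    if m is None:
        return None
    dev = m.groupdict()
    dev["serial"] = dev["serial"].rsplit("&", 1)[0]  # drop the "&0" instance suffix
    return dev

def usb_drive_letters(mounted: Dict[str, bytes]) -> Dict[str, str]:
    """Map USB serial -> drive letter using the \\DosDevices\\X: entries."""
    letters: Dict[str, str] = {}
    for name, data in mounted.items():
        if not name.startswith("\\DosDevices\\") or len(data) % 2:
            continue
        text = data.decode("utf-16-le", errors="ignore")
        if not text.startswith("_??_USBSTOR#"):
            continue  # fixed disk or non-USB bus: nothing to correlate
        parts = text.split("#")  # ["_??_USBSTOR", "<class>", "<serial>&0", "{guid}"]
        if len(parts) >= 3:
            letters[parts[2].rsplit("&", 1)[0]] = name.rsplit("\\", 1)[1]
    return letters

def usb_device_report(keys: List[str], mounted: Dict[str, bytes]) -> List[Dict[str, str]]:
    """Join both keys: one row per USB device, drive letter blank if no letter entry exists."""
    letters = usb_drive_letters(mounted)
    rows = [dict(d, drive_letter=letters.get(d["serial"], ""))
            for d in map(parse_usbstor_key, keys) if d is not None]
    return rows
```

Devices without a hardware serial get a Windows-generated instance ID containing extra `&` separators, so only the trailing `&0` is stripped and the rest is kept as the identifier.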
  12. Other places to look:
     - Task Manager
     - Event logs
     - Network and Performance Monitor
     - Task Scheduler
     - Windows Update history
     - System files
     - MAC table
     - Commands in the CLI / PowerShell
     - Computer Management
     - Regedit
     - Msconfig
     - Prefetch
  13. Thank You. Pardhasaradhi.ch, 09762310104, www.pardhasaradhi.info, [email_address]
