Windows forensic artifacts

  1. Windows Forensic Artifacts
     http://null.co.in/ http://nullcon.net/
     Pardhasaradhi.ch a.k.a. babloo, 09762310104, [email_address]
  2. Agenda
     - Introduction
     - Steps of forensics investigation
     - Rules of forensics investigations
     - Terminology
     - Windows artifacts
     - Browser artifacts
     - Tools which can be used
     - Evidence gathering without tools
  3. Introduction to Forensics
     - It is the application of computer investigation and analysis techniques to gather evidence.
     - It is also called cyber forensics.
     - The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence, to find out exactly what happened on a computer and who was responsible for it.
  4. Steps of Forensics
  5. Rules of Forensics Investigation
     - Never mishandle evidence.
     - Never trust the subject operating system.
     - Never work on original evidence.
  6. Terminology
     - Cloning: storing the contents of one disk to another.
     - Imaging: storing the contents of a disk to an image file or disk.
     - Carving: the process of extracting data from the disk or image.
     - File slack: the space between the end of a file and the end of the disk cluster it is stored in.
     - Unallocated space: free space which is available to write data.
     - Steganography: a technique of hiding text in images.
     - Orphan: a file that was once associated with a program and still remains on the computer even after the program has been uninstalled.
  7. Windows Artifacts
     - Thumbs.db
     - Index.dat
     - Hiberfil.sys
     - System Volume Information
     - Pagefile.sys
     - Prefetch
     - Sticky notes
     - NTUSER.dat and UsrClass.dat
     - Event logs and audit logs
  8. Browser Artifacts in Windows
     - Default bookmarks location for Firefox: C:\Users\...\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>.default
     - Default location of saved passwords:
       C:\Users\...\AppData\Roaming\Mozilla\Firefox\Profiles\l6jq0hlt.default\key3.db
       C:\Users\...\AppData\Roaming\Mozilla\Firefox\Profiles\l6jq0hlt.default\signons.sqlite
  9. Using a Dump File
     From a memory dump we can get:
     - User details
     - System activity
     - Almost everything, using third-party tools
  10. Tools That Can Be Used
     - FTK
     - EnCase
     - DFF
     - ADDONS
     - Paraben
     - Stegosuite
     - Volatility
     - TZWorks sbag
  11. Without Tools: How Can We Extract the Data?
     - USB devices: HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR
       What information can be found: Vendor ID, Product ID, Revision, Device ID / Serial Number
     - Mounted devices: HKLM\SYSTEM\MountedDevices
       What information can be found: this key lists each drive connected to the system
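As an added illustration of slide 11 (not part of the original deck), the script below parses the two registry artifacts offline, working from exported key and value data rather than the subject OS: it splits USBSTOR class keys into vendor, product and revision, flags serial subkeys that Windows generated itself (second character `&`) because the device had no unique serial, and joins each serial to the drive letter recorded in MountedDevices. The USBSTOR and MountedDevices samples, the serial numbers and the MBR-style layout assumed for the C: entry are all constructed for the example.

```python
import re

# Constructed sample of the subkeys found under HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR:
# device class key -> list of serial subkeys ('7&...' = no hardware serial, Windows made one up).
USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26": ["4C530001234567890123&0"],
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": ["7&2a3b4c5d&0"],
}
# Constructed sample of HKLM\SYSTEM\MountedDevices: value name -> raw value data.
# USB volumes hold the device instance path as UTF-16LE text; the C: entry mimics
# the 12-byte MBR signature + partition offset form used for fixed disks (assumed).
MOUNTED = {
    "\\DosDevices\\E:": (
        "_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26"
        "#4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    ).encode("utf-16-le"),
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4") + (0x7E00).to_bytes(8, "little"),
}
CLASS_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>.*)$")

def parse_usbstor_key(name):
    """Split a USBSTOR class key into device type, vendor, product and revision."""
    m = CLASS_RE.match(name)
    return m.groupdict() if m else None

def mounted_device_path(data):
    """Return the '_??_USBSTOR#...' path stored in a MountedDevices value, else None."""
    if len(data) < 20 or len(data) % 2:
        return None  # MBR-style (12 bytes) or junk, never a UTF-16LE device path
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return text if text.startswith("_??_USBSTOR#") else None

def usb_device_report(usbstor, mounted):
    """Join USBSTOR serials to the drive letters recorded in MountedDevices."""
    letters = {}
    for name, data in mounted.items():
        path = mounted_device_path(data)
        if path and path.count("#") >= 2:  # parts: _??_USBSTOR, class key, serial, {GUID}
            letters[path.split("#")[2]] = name.rsplit("\\", 1)[-1]
    report = []
    for key, serials in usbstor.items():
        info = parse_usbstor_key(key)
        for serial in (serials if info else []):
            report.append({**info, "serial": serial, "drive": letters.get(serial),
                           "windows_generated_id": serial[1:2] == "&"})
    return report
```

On a real case the two dictionaries would be filled from an exported SYSTEM hive of the evidence image; a device with a Windows-generated ID cannot be uniquely tied to a physical stick by serial alone.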
  12. Other built-in sources of evidence
     - Task Manager
     - Event logs
     - Network and Performance Monitor
     - Task Scheduler
     - Windows Update history
     - System files
     - MAC table
     - Commands in the CLI / PowerShell
     - Computer Management
     - Regedit
     - Msconfig
     - Prefetch
  13. Thank You
     Pardhasaradhi.ch, 09762310104, www.pardhasaradhi.info, [email_address]