More Related Content
Similar to Computer Investigator - brief introduction
Similar to Computer Investigator - brief introduction (20)
Recently uploaded
Recently uploaded (20)
Computer Investigator - brief introduction
- 2. + Computer Forensic specialisations • File Systems Forensics • Memory Forensics • Network Forensics • Malware Analysis • OS Specific (aka Windows Forensics, *uix) • Incident Response • Mobile Forensics • Internet Forensics • Registry Forensics • Hardware & Electronics • Here you can read more on forensic specialisations Get experience in as many as you can, them specialise! 2
- 9. + Data Erasure and Wiping - DETECTION “wipe” “sanit” “clean” “nuke” “shred” “scrub” “kill” “eliminat” “delete” “erase” At least search for strings in registries and allocated space 9
- 10. + Shellbags • Windows uses a set of Registry keys known as "shellbags" to maintain the size, view, icon, and position of a window • BUT only when using Explorer framework *** • a Shellbag sub-key for a specific directory shows that the specific user account once visited that folder (NTUSER and UsrClass are account specific) • Last write timestamps identify when that folder was first visited or last updated • Folder Names can suggest the story 10
- 11. + Shellbags (continued) • Windows XP • HKEY_USERS{USERID}SoftwareMicrosoftWindowsShell • HKEY_USERS{USERID}SoftwareMicrosoftWindowsShellNoRoam • Found in NTUSER.dat • Windows 7 • HEKY_USERS{USERID}Local SettingsSoftwareMicrosoftWindowsShell • Found in UsrClass.dat 11
- 12. + Shellbag parsers • TZworks Sbag.exe (can pipe | to Excel) • Yogesh Khatri's Bag Parser.Enscript & Shell Bag Parser.Enscript • Willi Ballenthin's shellbags.py (Written in Python, very good) • X-Ways Forensics tool (If you lucky to have it at you disposal) • Many other tools 12
- 13. + Wipers and Erasers do not delete everything • They don’t normally clean up after themselves • They leave certain areas behind that forensic examiner can use • log2timeline – build a timeline of events from the areas wipers didn’t touch. • Written in Perl, works on Mac, Linux and Windows (Active Perl). • For not so confident with command line, there is GUI version with similar but not all capabilities glog2timeline 13
- 14. + Time Line of events (log2timeline) • evt - Parse the content of a Windows 2k/ XP/2k3 Event Log • evtx - Parse the content of a Windows XML Event Log (EVTX) file • exif - Extract metadata information from files using ExifTool • ff_bookmark - Parse the content of a Firefox bookmark file • firefox2 - Parse the content of a Firefox 2 browser history • firefox3 - Parse the content of a Firefox 3 history file • iehistory - Parse the content of an index.dat file containg IE history • chrome - Parse the content of a Chrome history file • opera - Parse the content of an Opera's global history file • mactime - Parse the content of a body file in the mactime format • mcafee - Parse the content of a log file • pdf - Parse some of the available PDF document metadata • prefetch - Parse the content of the Prefetch directory • recycler - Parse the content of the recycle bin directory • restore - Parse the content of the restore point directory • setupapi - Parse the content of the SetupAPI log file in Windows XP • userassist - Parses the NTUSER.DAT registry file • win_link - Parse the content of a Windows shortcut file (or a link file) • xpfirewall - Parse the content of a XP Firewall log 14
- 21. + Windows Registries and ROT13 • Some registries (UserAssist for example) are “encrypted” in ROT13 • ROT13 encoded “HRZR_EHACNGU:P:AFYBBXHC.RKR.” • Decoded “UEME_RUNPATH:C:NSLOOKUP.EXE.” • AccessData Registry Viewer and some other tools decode automatically • You can use online tools to decode ROT13 • http://decode.org/ 21
- 23. + Wear Leveling • wear leveling – that is, spreading the write cycles among different sectors. • Wear leveling is typically done with a "flash translation layer" that maps logical sectors (or LBAs) to physical pages. Most FTLs are contained within the SSD device and are not accessible to end users. • Implemented differently by each manufacturer • MD5/SHA1 hashes may be different every time you calculate them on the device, even via the writeblocker. • Why writeblocker wouldn't help? How to deal with this issue? 23
- 24. + TRIM • SSDs (Solid State Drive) implement TRIM command which is used to inform the disk (block device) that sectors are no longer used. • Erase the content of unused sectors when not under heavy load to speed up next write cycle • Implemented in FIRMWARE • Some SSDs are using internal garbage collecting process (Sandforce chips) • You cannot stop it! Your worst enemy? 24
- 25. + Trim (depicted) 25 Image from Milan Broz’s blog http://asalor.blogspot.com.au/2011/08/trim-dm- crypt-problems.html
- 26. + Useful Free Tools • https://www.tzworks.net/download_links.php • http://technet.microsoft.com/en-us/sysinternals • http://www.mandiant.com/resources/download/highlighter • https://www.mandiant.com/resources/download/redline • https://www.volatilesystems.com/default/volatility • http://www.eventlogxp.com/ • http://log2timeline.net/ 26
- 27. + Commercial Tools – TOP list • http://arsenalrecon.com/ (Registry Recon) • http://www.transend.com/ products_transend_migrator_forensic_edition.asp • http://www.accessdata.com/products/digital-forensics/triage • http://www.x-ways.net/forensics/index-m.html • http://forensic.belkasoft.com/en/ • http://www.magnetforensics.com/software/internet-evidence-finder/ 27
- 28. + Online Resources • https://www.metascan-online.com/en • https://www.virustotal.com/ • http://www.x-ways.net/winhex/kb/ • http://www.forensicswiki.org/wiki/Main_Page • http://windowsir.blogspot.com/ • http://writeblocked.org/ • http://www.forensicfocus.com/computer-forensics-forums 28 For more information or computer forensic training or services please contact Elvidence