SlideShare a Scribd company logo

Desktop Forensics: Windows

G
Gol D Roger

This document discusses Windows forensics and provides details on the Windows boot sequence. It describes the six phases of the Windows boot process: 1) Power-On Self Test, 2) Initial Startup, 3) Boot Loader, 4) Hardware Detection and Configuration, 5) Kernel Loading, and 6) User Logon. Key Windows data structures like the NTFS file system, Windows Registry, and Windows Event Log are also summarized. The document outlines where forensic analysts can find artifacts of user activities on a Windows system, such as in volatile memory, hidden files, slack space, and the Windows Search index.

Technology
1 of 62
Download to read offline
Desktop Forensics: Windows Part II.A. Techniques and Tools: Computer Forensics CSF: Forensics Cyber-Security Fall 2015 Nuno Santos
Summary 2015/16CSF - Nuno Santos2 }  Windows forensics }  Windows boot sequence }  Relevant Windows data structures }  Artifacts of user activities
Remember were we are 2015/16CSF - Nuno Santos3 1. Storage stack forensics 2. Operating system forensics Hardware CPU RAM I/O Software Application Operating System Application Application
Importance of operating system forensics 2015/16CSF - Nuno Santos4 }  Ultimately, in a forensic examination, we’re investigating the actions of a person }  Almost every event or action on a system is the result of a user either doing something (or not doing something) }  Many of such events introduce changes to the system state that are supervised by the operating system (OS) }  OS forensics helps understand how system changes correlate to events resulting from the actions of somebody in the real world 1) action 2) OS state change! 3) OS forensics
Operating systems we will be focusing on 2015/16CSF - Nuno Santos5 }  Desktop platforms: Windows }  Server platforms: Linux }  Mobile platforms: Android Today! We will learn methods and techniques to help us extract and interpret data of investigative value from computers running Windows operating system
Windows versions 2015/16CSF - Nuno Santos6 }  There are many versions of windows out there }  Some of the older versions are outdated and are no longer used: }  Windows 9x, NT, ME, 2000 }  In home, corporate, and government environments it’s far more likely to find newer versions }  >= Windows XP }  We will cover the newer recent versions of Windows, focusing on their common features
Windows boot sequence 2015/16CSF - Nuno Santos7
Windows startup: Why relevant for forensics? 2015/16CSF - Nuno Santos8 1.  Interrupt the boot process to view and document the CMOS configuration 2.  Explain which files were altered in the startup process }  E.g., if an evidentiary system was accidentally booted, demonstrate that no user-created files were modified 3.  Determine which version of the OS was running and when was installed 4.  Examine the startup process for signs of tampering }  E.g., important when investigating malware
Motivation example: From the case files 2015/16CSF - Nuno Santos9 A recent examination of a server and analysis of its web logs confirmed that the system had indeed been compromised.The logs provided a suspicious IP address, the operating system used in the compromise (Windows XP), and the suspect’s web browser.The IP address led investigators to an ISP, and eventually to a suspect in the intrusion. However, the suspect denied all involvement in the compromise and stated that this computer was running Windows 98 (as has always been the case).This was of course discouraging news for investigators, who were sure they had their man. Investigators began forensics examination of the suspect’s computer A search of the hard drive revealed a deleted boot.ini file that appeared to have been deleted mere days after the compromise of the web server, clearly showing that Windows XP Professional had been installed on the system, thereby punching a hole in the suspect’s story
Startup in Windows NT and later 2015/16CSF - Nuno Santos10 }  All NTFS computers perform the following steps when the computer is turned on: 1.  Power-on self test (POST) 2.  Initial startup 3.  Boot loader 4.  Hardware detection and configuration 5.  Kernel loading 6.  User logon Windows-specific code
Phase 1: Power-On Self Test (POST) 2015/16CSF - Nuno Santos11 1.  Power supply performs self-test 2.  CPU loads the ROM BIOS code 3.  ROM BIOS performs a basic test of central hardware 4.  BIOS checks adapters requiring own ROM BIOS routines 5.  ROM BIOS checks if this is a cold boot or a warm boot }  Cold boot (startup from a powered-down state): a full POST }  Warm boot (restart of a system that is already on): the memory test portion of the POST is switched off 6.  POST tests the video card and video memory, and displays configuration information or any errors 7.  BIOS reads configuration information stored in CMOS
Phase 2: Initial startup 2015/16CSF - Nuno Santos12 }  The BIOS examines the disk for a master boot record (MBR) }  With a valid MBR loaded into memory, the BIOS transfers control of the boot process to the partition loader code
Phase 3: Boot loader 2015/16CSF - Nuno Santos13 }  The NTLDR system file controls loading of Windows 1.  Initial boot-loader phase: }  NTLDR switches the CPU to protected mode and turns memory paging on }  Loads file system drivers to allow file loading from various file systems 2.  Operating system selection: }  If BOOT.INI exists and contains entries multiple OS, NTLDR stops booting, displays a menu of choices, and waits the user to make a selection }  user can press F8 to display various boot options (e.g., “Safe Mode”) An example of a boot.ini file:
Phase 3: Boot loader (cont.) 2015/16CSF - Nuno Santos14 }  Boot menu example: User can select from various boot options by pressing F8 during the boot process (same for >=Win XP)
Phase 4: Hardware detection and configuration 2015/16CSF - Nuno Santos15 1.  NTLDR locates and loads the DOS-based NTDETECT.COM program to perform hardware detection 2.  If multiple hardware profile, NTLDR will stop at this point and display the Hardware Profiles/Configuration Recovery menu 3.  After the user selects a hardware configuration, NTLDR begins loading the XP kernel (NTOSKRNL.EXE)
Phase 5: Kernel loading 2015/16CSF - Nuno Santos16 1.  NTOSKRNL goes through two phases in its boot process: }  Phase 0: The hardware abstraction layer (HAL) is loaded (hal.dll) and called to prepare the interrupt controller }  Phase 1: All executive subsystems are reinitialized (e.g., cache manager, process manager, I/O manager) 2.  I/O Manager starts loading all the system driver files 3.  Win32k.sys switches the screen into graphics mode 4.  Services subsystem starts services marked as Auto Start 5.  Once all devices and services are started, the boot is deemed successful, and this configuration is saved as the last known good configuration
Phase 6: User logon 2015/16CSF - Nuno Santos17 }  The WINLOGON.EXE file starts the logon process }  Login manager responsible for all login and logout procedures }  The Local Security Authority (LSASS.EXE) process displays the logon dialog box
Contamination concerns with Windows XP 2015/16CSF - Nuno Santos18 }  When you start a Windows XP NTFS workstation, several files are accessed immediately }  The last access date and time stamp for the files change to the current date and time }  May destroy any potential evidence }  E.g., that shows when a Windows workstation was last used }  Determining which files are changed upon startup and shutdown can be done using some forensic tools }  http://forensicswiki.org/wiki/Files_changed_at_boot:Windows_XP
Relevant Windows data structures 2015/16CSF - Nuno Santos19
Relevant Windows data structures 2015/16CSF - Nuno Santos20 }  NTFS (covered in previous classes) }  Windows Registry }  Windows Event Log
Windows Registry 2015/16CSF - Nuno Santos21 }  The Registry is the heart and soul of Windows OSes and a wealth of information can be recovered: }  System configuration }  Devices on the system }  User names }  Personal settings and browser preferences }  Web browsing activity }  Files opened }  Programs executed }  Passwords
Registry’s official definition 2015/16CSF - Nuno Santos22 }  Microsoft defines the Registry thus: “A central hierarchical database used in Microsoft Windows 9x, Windows CE, Windows NT, and Windows 2000 used to store information necessary to configure the system for one or more users, applications and hardware devices.” https://support.microsoft.com/en-us/kb/256986
Registry access activity 2015/16CSF - Nuno Santos23 }  Virtually everything done in Windows refers to or is recorded into the Registry }  The RegMon program can be used to display registry activity in real time }  Registry access barely remains idle: the registry is referenced in one way or another with every action taken by the user
Registry history 2015/16CSF - Nuno Santos24 }  Learning the registry’s history helps understand its structure }  The Registry was first introduced with Windows 95 }  The Registry replaces configuration files used in MSDOS: }  config.sys: to load device drivers and the }  autoexec.bat: to run startup programs and set env variables }  It also replaces initialization (.ini) files introduced in Win 3.0 }  win.ini and system.ini store user settings and OS parameters
Problems overcome by the Registry 2015/16CSF - Nuno Santos25 }  Proliferation of INI files }  Slow access }  No standards }  Fragmented
Structure of the Windows Registry 2015/16CSF - Nuno Santos26 }  The Registry can be seen as a unified file system
Registry hives 2015/16CSF - Nuno Santos27 }  A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data }  Each time a new user logs on, a new hive is created for that user with a separate file for the user profile }  User's app settings, desktop, environment, network connections, and printers }  User profile hives are located under the HKEY_USERS key }  'HKEY’ is an abbreviation for Handle to a Key
Root key functions 2015/16CSF - Nuno Santos28 }  HKEY_LOCAL_MACHINE (HKLM) }  Contains system-wide hardware settings and configuration information (e.g., list of drives mounted on the system) }  HKEY_USERS (HKU) }  Contains the root of all user profiles that exist on the system }  HKEY_CLASSES_ROOT (HKCR) }  Ensures the correct program opens when executed in Windows Explorer }  HKEY_CURRENT_USER (HKCU) }  Contains the profile (settings) of the user who is currently logged in }  HKEY_CURRENT_CONFIG (HCU) }  Information about the HW profile used by the computer during start up “real”; others are shortcuts
Hive’s supporting files 2015/16CSF - Nuno Santos29 }  Hives have sets of supporting files }  Most of them located in: %SystemRoot%System32Config     }  These files are updated each time a user logs on Registry hive Supporting files HKEY_CURRENT_CONFIG   System, System.alt, System.log, System.sav HKEY_CURRENT_USER   Ntuser.dat, Ntuser.dat.log HKEY_LOCAL_MACHINESAM   Sam, Sam.log, Sam.sav HKEY_LOCAL_MACHINESecurity   Security, Security.log, Security.sav HKEY_LOCAL_MACHINESoftware   Software, Software.log, Software.sav HKEY_LOCAL_MACHINESystem   System, System.alt, System.log, System.sav
Some important hives 2015/16CSF - Nuno Santos30 Filename Location Content ntuser.dat ach user has an individual user.dat file in windowsprofilesuser account Documents and Settings user account Protected storage area for user Most Recently Used (MRU) files User preference settings Default Windowssystem32config System settings SAM Windowssystem32config User account management and security settings Security Windowssystem32config Security settings Software Windowssystem32config All installed programs and their settings System Windowssystem32config System settings
Registry data types 2015/16CSF - Nuno Santos31
Relevant Windows data structures 2015/16CSF - Nuno Santos32 }  NTFS (covered in previous classes) }  Windows Registry }  Windows Event Log
Windows Event Log 2015/16CSF - Nuno Santos33 }  Whenever an event, such as a user logging on or off, occurs, the operating system logs the event }  An event can be any occurrence that the OS or a program wants to keep track of or alert the user about }  Windows has a centralized log service to allow apps and OS to report events that have taken place }  Application (example: Database message) }  System (example: driver failure) }  Security (example: Logon attempt, file access)
Structure of the Event Log 2015/16CSF - Nuno Santos34 }  The Event Log can be seen using a specific system tool
Event format 2015/16CSF - Nuno Santos35 }  Events have a specific format and meaning
Example of detailed event tracking 2015/16CSF - Nuno Santos36 }  Detailed Event tracking can include the following events: }  #528 – Successful Login (The user authenticate to the system) }  #592 – A new process has been created (application is launched) }  #560 – Object Open (a file is requested) }  #567 – Object Access (the file is modified and saved) }  #564 – Object Deleted }  #562 – Handle Closed (the file has been closed) }  #593 – A Process Has Exited (the application was terminated)
Artifacts of user activitites 2015/16CSF - Nuno Santos37
Where to find information about user activities 2015/16CSF - Nuno Santos38 }  Volatile information }  Open network connections }  Running processes }  … }  Non-volatile information }  Hidden files }  Slack space }  Swap files }  Index.dat files }  Hidden ADS }  Windows Search index }  Unallocated clusters }  Unused partitions }  Hidden partitions }  Registry settings }  Windows event logs }  … Underlined: covered when we discussed file system forensics
Artifacts of user activities 2015/16CSF - Nuno Santos39 }  Volatile information }  Registry information }  More non-volatile information
System time & logged-on users 2015/16CSF - Nuno Santos40 }  System time }  Logged-on users }  determine who is logged on to the system: locally or remotely
Open files 2015/16CSF - Nuno Santos41 }  If users logged into a system remotely, investigators should also see what files they have open, if any
Open network connections 2015/16CSF - Nuno Santos42 }  Netstat allows a user to collect information regarding network connections on a Windows system
More volatile information 2015/16CSF - Nuno Santos43 }  Process information }  Discover what processes are running on a potentially compromised system }  Process-to-port mapping }  When there is a network connection open, find out which process is responsible for and using that connection }  Network status }  Is the system connected or not? Collect NIC information }  Clipboard contents }  Something a user copies to the clipboard on a Monday may still be there on Thursday }  Command history }  To recover the command history (if an attacker clears the screen)
Artifacts of user activities 2015/16CSF - Nuno Santos44 }  Volatile information }  Registry information }  More non-volatile information
MRU lists 2015/16CSF - Nuno Santos45 }  MRU ('most recently used’) lists contain entries made due to specific actions performed by the user }  There’s numerous MRU lists located throughout various Registry keys RunMRU:When a user types a command into the 'Run' box via the Start menu, the entry is added to this Registry key
MRU lists: Another example 2015/16CSF - Nuno Santos46 }  BagMRU: contains information of last visited folders
2015/16CSF - Nuno Santos47 MRU lists: Examples…
UserAssist 2015/16CSF - Nuno Santos48 }  UserAssist key: indicate last accessed system objects }  E.g., Control Panel applets, shortcut files, programs, etc. }  HCUSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist  
UserAssist (cont.) 2015/16CSF - Nuno Santos49 }  We can gain a better understanding of what types of files or applications have been accessed on a particular system, e.g.: }  The decoded value shows a potential amount of information: }  name of user profile - 'Cpt. Krunch' - from which the .exe was executed }  researching 'p2ktools.exe', it is used for managing Motorola cell phones }  user has p2ktools folder in parent directory called 'Razor programs’ }  tells both location and indicator that the suspect has a Motorola Razor cell phone
Autorun locations 2015/16CSF - Nuno Santos50 }  Registry keys that launch programs or apps during boot }  E.g., in a system intrusion, autorun locations could reveal the installation of a trojan backdoor }  List of common autorun locations: HKLMSoftwareMicrosoftWindowsCurrentVersionRunonce   HKLMSoftwareMicrosoftWindowsCurrentVersionpoliciesExplorerRun   HKLMSoftwareMicrosoftWindowsCurrentVersionRun   HKCUSoftwareMicrosoftWindows  NTCurrentVersionWindowsRun   HKCUSoftwareMicrosoftWindowsCurrentVersionRun     HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnce   (ProfilePath)Start  MenuProgramsStartup  
USB devices 2015/16CSF - Nuno Santos51 }  Anytime a device is connected to the Universal Serial Bus (USB), drivers are queried and the device's information is stored into the Registry (i.e., thumb drives)
USB devices: Case study 2015/16CSF - Nuno Santos52 1. Department manager alleges that individual copied confidential information on DVD. 2. No DVD burner was issued or found. 3. Laptop was analyzed. 4. Found USB device entry in registry: PLEXTOR DVDR PX-708A 5. Found software key for Nero - Burning ROM in registry 6.Therefore, looked for and found Nero compilation files (.nrc). Found other compilation files, including ISO image files. 7. Image files contained DVD-format and AVI format versions of copyrighted movies. Conclusion: No evidence that company information was burned to disk. However, laptop was used to burn copyrighted material and employee had lied.
Application-specific information 2015/16CSF - Nuno Santos53 }  E.g., the Internet Explorer uses the Registry a lot }  Under the HKCUSoftwareMicrosoftInternet  Explorer  key
Application-specific information (cont.) 2015/16CSF - Nuno Santos54 }  From previous example, an examiner could conclude: }  the user possibly has a gmail and hotmail email address }  engages in online banking at tdbanknorth }  is interested in digital forensic websites }  perhaps go to college at Champlain }  has been researching apartments in the area }  …
More Registry artifacts 2015/16CSF - Nuno Santos55 }  System information }  Computer name, OS version, last shutdown time }  Time zone information }  important for establishing a timeline of activity on the system }  Wireless SSIDs }  list of service set identifiers (SSIDs) to which it has connected }  Shares }  Remotely shared resources, e.g., disk volumes (can be hidden) }  Audit policy }  Indicates types of events recorded in the Event Log }  Mounted devices }  Information about devices and volumes mounted on NTFS }  Users }  account creation time, names, last login time, last failed login attempt, account expiration, etc. }  …
More Registry artifacts 2015/16CSF - Nuno Santos56 }  System information }  Computer name, OS version, last shutdown time }  Time zone information }  important for establishing a timeline of activity on the system }  Wireless SSIDs }  list of service set identifiers (SSIDs) to which it has connected }  Shares }  Remotely shared resources, e.g., disk volumes (can be hidden) }  Audit policy }  Indicates types of events recorded in the Event Log }  Mounted devices }  Information about devices and volumes mounted on NTFS }  Users }  account creation time, names, last login time, last failed login attempt, account expiration, etc. }  … Homework Locate the Registry keys where this information can be found.
Artifacts of user activities 2015/16CSF - Nuno Santos57 }  Volatile information }  Registry potpourri }  More non-volatile information
Recycle Bin 2015/16CSF - Nuno Santos58 }  The Recycle Bin allows user to retrieve and restore files that have been deleted }  The user’s deleted file is placed within the file under a subdirectory named with the user’s security ID, e.g., }  C:RECYCLERS-1-5-21-1454471165-630328440-725345543-1003
Interesting files 2015/16CSF - Nuno Santos59 }  Link files }  .LNK files: shortcuts that point to another file or folder }  May indicate the user opened a file; contains file’s details }  Prefetch files }  .PF files are a specialized file type, to speed up the running of programs }  Contains info about the last time the program was executed }  Installed programs }  Thumbnail cache files }  thumbs.db: thumb cache of files browsed in the Thumbnails view }  Printer files }  Contain information about printing jobs }  Pagefile.sys and Hiberfil.sys }  The swap file and the file for storing RAM contents upon hybernation
Conclusions 2015/16CSF - Nuno Santos60 }  Windows is the most widely available operating system on desktop platforms }  Due to its central role in setting up and supervising the system, Windows maintains valuable data structures for forensic investigators: the Registry, and the Event Log }  By analyzing these and over volatile / non-volatile pieces of information, investigators can gather a wealth of information about user activities on the computer
References 2015/16CSF - Nuno Santos }  Primary bibliography }  [Carrier 2005], Chapter 17 61
Next class CSF - Nuno Santos }  Server forensics: Linux 2015/1662

Recommended

Forensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsForensic artifacts in modern linux systems
Forensic artifacts in modern linux systems
Gol D Roger
 
8 0-os file-system management
8 0-os file-system management8 0-os file-system management
8 0-os file-system management
Gol D Roger
 
8 1-os file system implementation
8 1-os file system implementation8 1-os file system implementation
8 1-os file system implementation
Gol D Roger
 
Mca ii os u-5 unix linux file system
Mca ii os u-5 unix linux file systemMca ii os u-5 unix linux file system
Mca ii os u-5 unix linux file system
Rai University
 
Ch11 file system interface
Ch11 file system interfaceCh11 file system interface
Ch11 file system interface
Abdullah Al Shiam
 
The Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOsThe Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOs
Divye Kapoor
 
Ch11 file system implementation
Ch11 file system implementationCh11 file system implementation
Ch11 file system implementation
Abdullah Al Shiam
 
Linux file system
Linux file systemLinux file system
Linux file system
Midaga Mengistu
 

Recommended

Forensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsForensic artifacts in modern linux systems
Forensic artifacts in modern linux systems
Gol D Roger
 
8 0-os file-system management
8 0-os file-system management8 0-os file-system management
8 0-os file-system management
Gol D Roger
 
8 1-os file system implementation
8 1-os file system implementation8 1-os file system implementation
8 1-os file system implementation
Gol D Roger
 
Mca ii os u-5 unix linux file system
Mca ii os u-5 unix linux file systemMca ii os u-5 unix linux file system
Mca ii os u-5 unix linux file system
Rai University
 
Ch11 file system interface
Ch11 file system interfaceCh11 file system interface
Ch11 file system interface
Abdullah Al Shiam
 
The Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOsThe Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOs
Divye Kapoor
 
Ch11 file system implementation
Ch11 file system implementationCh11 file system implementation
Ch11 file system implementation
Abdullah Al Shiam
 
Linux file system
Linux file systemLinux file system
Linux file system
Midaga Mengistu
 
11.file system implementation
11.file system implementation11.file system implementation
11.file system implementation
Senthil Kanth
 
Linux file system nevigation
Linux file system nevigationLinux file system nevigation
Linux file system nevigation
hetaldobariya
 
Implementation of Pipe in Linux
Implementation of Pipe in LinuxImplementation of Pipe in Linux
Implementation of Pipe in Linux
Tushar B Kute
 
Process and Threads in Linux - PPT
Process and Threads in Linux - PPTProcess and Threads in Linux - PPT
Process and Threads in Linux - PPT
QUONTRASOLUTIONS
 
File systemimplementationfinal
File systemimplementationfinalFile systemimplementationfinal
File systemimplementationfinal
marangburu42
 
The structure of process
The structure of processThe structure of process
The structure of process
Abhaysinh Surve
 
OSCh21
OSCh21OSCh21
OSCh21
Joe Christensen
 
The sysfs Filesystem
The sysfs FilesystemThe sysfs Filesystem
The sysfs Filesystem
Jeff Yana
 
Internal representation of file chapter 4 Sowmya Jyothi
Internal representation of file chapter 4 Sowmya JyothiInternal representation of file chapter 4 Sowmya Jyothi
Internal representation of file chapter 4 Sowmya Jyothi
Sowmya Jyothi
 
Chapter 10 - File System Interface
Chapter 10 - File System InterfaceChapter 10 - File System Interface
Chapter 10 - File System Interface
Wayne Jones Jnr
 
Processes in unix
Processes in unixProcesses in unix
Processes in unix
miau_max
 
Char Drivers And Debugging Techniques
Char Drivers And Debugging TechniquesChar Drivers And Debugging Techniques
Char Drivers And Debugging Techniques
YourHelper1
 
2nd unit part 1
2nd unit part 12nd unit part 1
2nd unit part 1
Pavan Illa
 
Linux System Programming - File I/O
Linux System Programming - File I/O Linux System Programming - File I/O
Linux System Programming - File I/O
YourHelper1
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
Andrew Case
 
Linux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/OLinux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/O
YourHelper1
 
Unix kernal
Unix kernalUnix kernal
Unix kernal
Shehrevar Davierwala
 
LINUX System Call Quick Reference
LINUX System Call Quick ReferenceLINUX System Call Quick Reference
LINUX System Call Quick Reference
wensheng wei
 
Pipes in Windows and Linux.
Pipes in Windows and Linux.Pipes in Windows and Linux.
Pipes in Windows and Linux.
Junaid Lodhi
 
Chapter 1 Introduction to Operating System Concepts
Chapter 1 Introduction to Operating System ConceptsChapter 1 Introduction to Operating System Concepts
Chapter 1 Introduction to Operating System Concepts
MeenalJabde
 
Ch04 system administration
Ch04 system administration Ch04 system administration
Ch04 system administration
Raja Waseem Akhtar
 
Ch04
Ch04Ch04
Ch04
Raja Waseem Akhtar
 

More Related Content

What's hot

11.file system implementation
11.file system implementation11.file system implementation
11.file system implementation
Senthil Kanth
 
Linux file system nevigation
Linux file system nevigationLinux file system nevigation
Linux file system nevigation
hetaldobariya
 
Implementation of Pipe in Linux
Implementation of Pipe in LinuxImplementation of Pipe in Linux
Implementation of Pipe in Linux
Tushar B Kute
 
Process and Threads in Linux - PPT
Process and Threads in Linux - PPTProcess and Threads in Linux - PPT
Process and Threads in Linux - PPT
QUONTRASOLUTIONS
 
File systemimplementationfinal
File systemimplementationfinalFile systemimplementationfinal
File systemimplementationfinal
marangburu42
 
The structure of process
The structure of processThe structure of process
The structure of process
Abhaysinh Surve
 
OSCh21
OSCh21OSCh21
OSCh21
Joe Christensen
 
The sysfs Filesystem
The sysfs FilesystemThe sysfs Filesystem
The sysfs Filesystem
Jeff Yana
 
Internal representation of file chapter 4 Sowmya Jyothi
Internal representation of file chapter 4 Sowmya JyothiInternal representation of file chapter 4 Sowmya Jyothi
Internal representation of file chapter 4 Sowmya Jyothi
Sowmya Jyothi
 
Chapter 10 - File System Interface
Chapter 10 - File System InterfaceChapter 10 - File System Interface
Chapter 10 - File System Interface
Wayne Jones Jnr
 
Processes in unix
Processes in unixProcesses in unix
Processes in unix
miau_max
 
Char Drivers And Debugging Techniques
Char Drivers And Debugging TechniquesChar Drivers And Debugging Techniques
Char Drivers And Debugging Techniques
YourHelper1
 
2nd unit part 1
2nd unit part 12nd unit part 1
2nd unit part 1
Pavan Illa
 
Linux System Programming - File I/O
Linux System Programming - File I/O Linux System Programming - File I/O
Linux System Programming - File I/O
YourHelper1
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
Andrew Case
 
Linux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/OLinux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/O
YourHelper1
 
Unix kernal
Unix kernalUnix kernal
Unix kernal
Shehrevar Davierwala
 
LINUX System Call Quick Reference
LINUX System Call Quick ReferenceLINUX System Call Quick Reference
LINUX System Call Quick Reference
wensheng wei
 
Pipes in Windows and Linux.
Pipes in Windows and Linux.Pipes in Windows and Linux.
Pipes in Windows and Linux.
Junaid Lodhi
 
Chapter 1 Introduction to Operating System Concepts
Chapter 1 Introduction to Operating System ConceptsChapter 1 Introduction to Operating System Concepts
Chapter 1 Introduction to Operating System Concepts
MeenalJabde
 

What's hot (20)

11.file system implementation
11.file system implementation11.file system implementation
11.file system implementation
 
Linux file system nevigation
Linux file system nevigationLinux file system nevigation
Linux file system nevigation
 
Implementation of Pipe in Linux
Implementation of Pipe in LinuxImplementation of Pipe in Linux
Implementation of Pipe in Linux
 
Process and Threads in Linux - PPT
Process and Threads in Linux - PPTProcess and Threads in Linux - PPT
Process and Threads in Linux - PPT
 
File systemimplementationfinal
File systemimplementationfinalFile systemimplementationfinal
File systemimplementationfinal
 
The structure of process
The structure of processThe structure of process
The structure of process
 
OSCh21
OSCh21OSCh21
OSCh21
 
The sysfs Filesystem
The sysfs FilesystemThe sysfs Filesystem
The sysfs Filesystem
 
Internal representation of file chapter 4 Sowmya Jyothi
Internal representation of file chapter 4 Sowmya JyothiInternal representation of file chapter 4 Sowmya Jyothi
Internal representation of file chapter 4 Sowmya Jyothi
 
Chapter 10 - File System Interface
Chapter 10 - File System InterfaceChapter 10 - File System Interface
Chapter 10 - File System Interface
 
Processes in unix
Processes in unixProcesses in unix
Processes in unix
 
Char Drivers And Debugging Techniques
Char Drivers And Debugging TechniquesChar Drivers And Debugging Techniques
Char Drivers And Debugging Techniques
 
2nd unit part 1
2nd unit part 12nd unit part 1
2nd unit part 1
 
Linux System Programming - File I/O
Linux System Programming - File I/O Linux System Programming - File I/O
Linux System Programming - File I/O
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
 
Linux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/OLinux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/O
 
Unix kernal
Unix kernalUnix kernal
Unix kernal
 
LINUX System Call Quick Reference
LINUX System Call Quick ReferenceLINUX System Call Quick Reference
LINUX System Call Quick Reference
 
Pipes in Windows and Linux.
Pipes in Windows and Linux.Pipes in Windows and Linux.
Pipes in Windows and Linux.
 
Chapter 1 Introduction to Operating System Concepts
Chapter 1 Introduction to Operating System ConceptsChapter 1 Introduction to Operating System Concepts
Chapter 1 Introduction to Operating System Concepts
 

Similar to Desktop Forensics: Windows

Ch04 system administration
Ch04 system administration Ch04 system administration
Ch04 system administration
Raja Waseem Akhtar
 
Ch04
Ch04Ch04
Ch04
Raja Waseem Akhtar
 
Intrusion Discovery on Windows
Intrusion Discovery on WindowsIntrusion Discovery on Windows
Intrusion Discovery on Windows
dkaya
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
ArunJS5
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public
Sandro Suffert
 
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
ClubHack
 
Tarea - 3 Actividad intermedia trabajo colaborativo 2
Tarea - 3 Actividad intermedia trabajo colaborativo 2Tarea - 3 Actividad intermedia trabajo colaborativo 2
Tarea - 3 Actividad intermedia trabajo colaborativo 2
HectorFabianPintoOsp
 
Os functions
Os functionsOs functions
Os functions
Pushpraj Patel
 
Amr Chap 08 Operating Systems & Utility Programs
Amr Chap 08 Operating Systems & Utility ProgramsAmr Chap 08 Operating Systems & Utility Programs
Amr Chap 08 Operating Systems & Utility Programs
sharing notes123
 
Linux startup
Linux startupLinux startup
Linux startup
Amin Hashemi
 
Modern Personal ComputerBoot up ProcessThe boot up process i.docx
Modern Personal ComputerBoot up ProcessThe boot up process i.docxModern Personal ComputerBoot up ProcessThe boot up process i.docx
Modern Personal ComputerBoot up ProcessThe boot up process i.docx
raju957290
 
Lec9chap8f04
Lec9chap8f04Lec9chap8f04
Lec9chap8f04
screaminc
 
MNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensics
MNCERT
 
It04 roshan basnet
It04 roshan basnetIt04 roshan basnet
It04 roshan basnet
rosu555
 
Functions of OS.ppt
Functions of OS.ppt Functions of OS.ppt
Functions of OS.ppt
JunaidAkbar37
 
WindowsRegistry.ppt
WindowsRegistry.pptWindowsRegistry.ppt
WindowsRegistry.ppt
AliAshraf68199
 
Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)
Brent Muir
 
JSAC2022_2_kobayashi_en.pdf
JSAC2022_2_kobayashi_en.pdfJSAC2022_2_kobayashi_en.pdf
JSAC2022_2_kobayashi_en.pdf
Algustionesa Yoshi
 
Configuring startup and troubleshooting startup issues
Configuring startup and troubleshooting startup issuesConfiguring startup and troubleshooting startup issues
Configuring startup and troubleshooting startup issues
elboob2025
 
Chapter -2 Operating-System and its Structures
Chapter -2 Operating-System and its StructuresChapter -2 Operating-System and its Structures
Chapter -2 Operating-System and its Structures
Chandrakant Divate
 

Similar to Desktop Forensics: Windows (20)

Ch04 system administration
Ch04 system administration Ch04 system administration
Ch04 system administration
 
Ch04
Ch04Ch04
Ch04
 
Intrusion Discovery on Windows
Intrusion Discovery on WindowsIntrusion Discovery on Windows
Intrusion Discovery on Windows
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public
 
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
 
Tarea - 3 Actividad intermedia trabajo colaborativo 2
Tarea - 3 Actividad intermedia trabajo colaborativo 2Tarea - 3 Actividad intermedia trabajo colaborativo 2
Tarea - 3 Actividad intermedia trabajo colaborativo 2
 
Os functions
Os functionsOs functions
Os functions
 
Amr Chap 08 Operating Systems & Utility Programs
Amr Chap 08 Operating Systems & Utility ProgramsAmr Chap 08 Operating Systems & Utility Programs
Amr Chap 08 Operating Systems & Utility Programs
 
Linux startup
Linux startupLinux startup
Linux startup
 
Modern Personal ComputerBoot up ProcessThe boot up process i.docx
Modern Personal ComputerBoot up ProcessThe boot up process i.docxModern Personal ComputerBoot up ProcessThe boot up process i.docx
Modern Personal ComputerBoot up ProcessThe boot up process i.docx
 
Lec9chap8f04
Lec9chap8f04Lec9chap8f04
Lec9chap8f04
 
MNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensics
 
It04 roshan basnet
It04 roshan basnetIt04 roshan basnet
It04 roshan basnet
 
Functions of OS.ppt
Functions of OS.ppt Functions of OS.ppt
Functions of OS.ppt
 
WindowsRegistry.ppt
WindowsRegistry.pptWindowsRegistry.ppt
WindowsRegistry.ppt
 
Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)
 
JSAC2022_2_kobayashi_en.pdf
JSAC2022_2_kobayashi_en.pdfJSAC2022_2_kobayashi_en.pdf
JSAC2022_2_kobayashi_en.pdf
 
Configuring startup and troubleshooting startup issues
Configuring startup and troubleshooting startup issuesConfiguring startup and troubleshooting startup issues
Configuring startup and troubleshooting startup issues
 
Chapter -2 Operating-System and its Structures
Chapter -2 Operating-System and its StructuresChapter -2 Operating-System and its Structures
Chapter -2 Operating-System and its Structures
 

More from Gol D Roger

Seizing Electronic Evidence & Best Practices – Secret Service
Seizing Electronic Evidence & Best Practices – Secret ServiceSeizing Electronic Evidence & Best Practices – Secret Service
Seizing Electronic Evidence & Best Practices – Secret Service
Gol D Roger
 
Cybercrimeandforensic 120828021931-phpapp02
Cybercrimeandforensic 120828021931-phpapp02Cybercrimeandforensic 120828021931-phpapp02
Cybercrimeandforensic 120828021931-phpapp02
Gol D Roger
 
Deep Web
Deep WebDeep Web
Deep Web
Gol D Roger
 
Email Forensics
Email ForensicsEmail Forensics
Email Forensics
Gol D Roger
 
Windows logon password – get windows logon password using wdigest in memory d...
Windows logon password – get windows logon password using wdigest in memory d...Windows logon password – get windows logon password using wdigest in memory d...
Windows logon password – get windows logon password using wdigest in memory d...
Gol D Roger
 
HTTPs Strict Transport Security
HTTPs Strict Transport Security HTTPs Strict Transport Security
HTTPs Strict Transport Security
Gol D Roger
 
IT Passport Examination.
IT Passport Examination.IT Passport Examination.
IT Passport Examination.
Gol D Roger
 
Basic configuration fortigate v4.0 mr2
Basic configuration fortigate v4.0 mr2Basic configuration fortigate v4.0 mr2
Basic configuration fortigate v4.0 mr2
Gol D Roger
 
windows server 2012 R2
windows server 2012 R2windows server 2012 R2
windows server 2012 R2
Gol D Roger
 
Users guide-to-winfe
Users guide-to-winfeUsers guide-to-winfe
Users guide-to-winfe
Gol D Roger
 
10 things group policy preferences does better
10 things group policy preferences does better10 things group policy preferences does better
10 things group policy preferences does better
Gol D Roger
 

More from Gol D Roger (11)

Seizing Electronic Evidence & Best Practices – Secret Service
Seizing Electronic Evidence & Best Practices – Secret ServiceSeizing Electronic Evidence & Best Practices – Secret Service
Seizing Electronic Evidence & Best Practices – Secret Service
 
Cybercrimeandforensic 120828021931-phpapp02
Cybercrimeandforensic 120828021931-phpapp02Cybercrimeandforensic 120828021931-phpapp02
Cybercrimeandforensic 120828021931-phpapp02
 
Deep Web
Deep WebDeep Web
Deep Web
 
Email Forensics
Email ForensicsEmail Forensics
Email Forensics
 
Windows logon password – get windows logon password using wdigest in memory d...
Windows logon password – get windows logon password using wdigest in memory d...Windows logon password – get windows logon password using wdigest in memory d...
Windows logon password – get windows logon password using wdigest in memory d...
 
HTTPs Strict Transport Security
HTTPs Strict Transport Security HTTPs Strict Transport Security
HTTPs Strict Transport Security
 
IT Passport Examination.
IT Passport Examination.IT Passport Examination.
IT Passport Examination.
 
Basic configuration fortigate v4.0 mr2
Basic configuration fortigate v4.0 mr2Basic configuration fortigate v4.0 mr2
Basic configuration fortigate v4.0 mr2
 
windows server 2012 R2
windows server 2012 R2windows server 2012 R2
windows server 2012 R2
 
Users guide-to-winfe
Users guide-to-winfeUsers guide-to-winfe
Users guide-to-winfe
 
10 things group policy preferences does better
10 things group policy preferences does better10 things group policy preferences does better
10 things group policy preferences does better
 

Recently uploaded

Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Jeffrey Haguewood
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Edge AI and Vision Alliance
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Tatiana Kojar
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdfdbms calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
Shinana2
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
alexjohnson7307
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Precisely
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Postman
 

Recently uploaded (20)

Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdfdbms calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 

Desktop Forensics: Windows

  • 1. Desktop Forensics: Windows Part II.A. Techniques and Tools: Computer Forensics CSF: Forensics Cyber-Security Fall 2015 Nuno Santos
  • 2. Summary 2015/16CSF - Nuno Santos2 }  Windows forensics }  Windows boot sequence }  Relevant Windows data structures }  Artifacts of user activities
  • 3. Remember were we are 2015/16CSF - Nuno Santos3 1. Storage stack forensics 2. Operating system forensics Hardware CPU RAM I/O Software Application Operating System Application Application
  • 4. Importance of operating system forensics 2015/16CSF - Nuno Santos4 }  Ultimately, in a forensic examination, we’re investigating the actions of a person }  Almost every event or action on a system is the result of a user either doing something (or not doing something) }  Many of such events introduce changes to the system state that are supervised by the operating system (OS) }  OS forensics helps understand how system changes correlate to events resulting from the actions of somebody in the real world 1) action 2) OS state change! 3) OS forensics
  • 5. Operating systems we will be focusing on 2015/16CSF - Nuno Santos5 }  Desktop platforms: Windows }  Server platforms: Linux }  Mobile platforms: Android Today! We will learn methods and techniques to help us extract and interpret data of investigative value from computers running Windows operating system
  • 6. Windows versions 2015/16CSF - Nuno Santos6 }  There are many versions of windows out there }  Some of the older versions are outdated and are no longer used: }  Windows 9x, NT, ME, 2000 }  In home, corporate, and government environments it’s far more likely to find newer versions }  >= Windows XP }  We will cover the newer recent versions of Windows, focusing on their common features
  • 8. Windows startup: Why relevant for forensics? 2015/16CSF - Nuno Santos8 1.  Interrupt the boot process to view and document the CMOS configuration 2.  Explain which files were altered in the startup process }  E.g., if an evidentiary system was accidentally booted, demonstrate that no user-created files were modified 3.  Determine which version of the OS was running and when was installed 4.  Examine the startup process for signs of tampering }  E.g., important when investigating malware
  • 9. Motivation example: From the case files 2015/16CSF - Nuno Santos9 A recent examination of a server and analysis of its web logs confirmed that the system had indeed been compromised.The logs provided a suspicious IP address, the operating system used in the compromise (Windows XP), and the suspect’s web browser.The IP address led investigators to an ISP, and eventually to a suspect in the intrusion. However, the suspect denied all involvement in the compromise and stated that this computer was running Windows 98 (as has always been the case).This was of course discouraging news for investigators, who were sure they had their man. Investigators began forensics examination of the suspect’s computer A search of the hard drive revealed a deleted boot.ini file that appeared to have been deleted mere days after the compromise of the web server, clearly showing that Windows XP Professional had been installed on the system, thereby punching a hole in the suspect’s story
  • 10. Startup in Windows NT and later 2015/16CSF - Nuno Santos10 }  All NTFS computers perform the following steps when the computer is turned on: 1.  Power-on self test (POST) 2.  Initial startup 3.  Boot loader 4.  Hardware detection and configuration 5.  Kernel loading 6.  User logon Windows-specific code
  • 11. Phase 1: Power-On Self Test (POST) 2015/16CSF - Nuno Santos11 1.  Power supply performs self-test 2.  CPU loads the ROM BIOS code 3.  ROM BIOS performs a basic test of central hardware 4.  BIOS checks adapters requiring own ROM BIOS routines 5.  ROM BIOS checks if this is a cold boot or a warm boot }  Cold boot (startup from a powered-down state): a full POST }  Warm boot (restart of a system that is already on): the memory test portion of the POST is switched off 6.  POST tests the video card and video memory, and displays configuration information or any errors 7.  BIOS reads configuration information stored in CMOS
  • 12. Phase 2: Initial startup 2015/16CSF - Nuno Santos12 }  The BIOS examines the disk for a master boot record (MBR) }  With a valid MBR loaded into memory, the BIOS transfers control of the boot process to the partition loader code
  • 13. Phase 3: Boot loader 2015/16CSF - Nuno Santos13 }  The NTLDR system file controls loading of Windows 1.  Initial boot-loader phase: }  NTLDR switches the CPU to protected mode and turns memory paging on }  Loads file system drivers to allow file loading from various file systems 2.  Operating system selection: }  If BOOT.INI exists and contains entries multiple OS, NTLDR stops booting, displays a menu of choices, and waits the user to make a selection }  user can press F8 to display various boot options (e.g., “Safe Mode”) An example of a boot.ini file:
  • 14. Phase 3: Boot loader (cont.) 2015/16CSF - Nuno Santos14 }  Boot menu example: User can select from various boot options by pressing F8 during the boot process (same for >=Win XP)
  • 15. Phase 4: Hardware detection and configuration 2015/16CSF - Nuno Santos15 1.  NTLDR locates and loads the DOS-based NTDETECT.COM program to perform hardware detection 2.  If multiple hardware profile, NTLDR will stop at this point and display the Hardware Profiles/Configuration Recovery menu 3.  After the user selects a hardware configuration, NTLDR begins loading the XP kernel (NTOSKRNL.EXE)
  • 16. Phase 5: Kernel loading 2015/16CSF - Nuno Santos16 1.  NTOSKRNL goes through two phases in its boot process: }  Phase 0: The hardware abstraction layer (HAL) is loaded (hal.dll) and called to prepare the interrupt controller }  Phase 1: All executive subsystems are reinitialized (e.g., cache manager, process manager, I/O manager) 2.  I/O Manager starts loading all the system driver files 3.  Win32k.sys switches the screen into graphics mode 4.  Services subsystem starts services marked as Auto Start 5.  Once all devices and services are started, the boot is deemed successful, and this configuration is saved as the last known good configuration
  • 17. Phase 6: User logon 2015/16CSF - Nuno Santos17 }  The WINLOGON.EXE file starts the logon process }  Login manager responsible for all login and logout procedures }  The Local Security Authority (LSASS.EXE) process displays the logon dialog box
  • 18. Contamination concerns with Windows XP 2015/16CSF - Nuno Santos18 }  When you start a Windows XP NTFS workstation, several files are accessed immediately }  The last access date and time stamp for the files change to the current date and time }  May destroy any potential evidence }  E.g., that shows when a Windows workstation was last used }  Determining which files are changed upon startup and shutdown can be done using some forensic tools }  http://forensicswiki.org/wiki/Files_changed_at_boot:Windows_XP
  • 19. Relevant Windows data structures 2015/16CSF - Nuno Santos19
  • 20. Relevant Windows data structures 2015/16CSF - Nuno Santos20 }  NTFS (covered in previous classes) }  Windows Registry }  Windows Event Log
  • 21. Windows Registry 2015/16CSF - Nuno Santos21 }  The Registry is the heart and soul of Windows OSes and a wealth of information can be recovered: }  System configuration }  Devices on the system }  User names }  Personal settings and browser preferences }  Web browsing activity }  Files opened }  Programs executed }  Passwords
  • 22. Registry’s official definition 2015/16CSF - Nuno Santos22 }  Microsoft defines the Registry thus: “A central hierarchical database used in Microsoft Windows 9x, Windows CE, Windows NT, and Windows 2000 used to store information necessary to configure the system for one or more users, applications and hardware devices.” https://support.microsoft.com/en-us/kb/256986
  • 23. Registry access activity 2015/16CSF - Nuno Santos23 }  Virtually everything done in Windows refers to or is recorded into the Registry }  The RegMon program can be used to display registry activity in real time }  Registry access barely remains idle: the registry is referenced in one way or another with every action taken by the user
  • 24. Registry history 2015/16CSF - Nuno Santos24 }  Learning the registry’s history helps understand its structure }  The Registry was first introduced with Windows 95 }  The Registry replaces configuration files used in MSDOS: }  config.sys: to load device drivers and the }  autoexec.bat: to run startup programs and set env variables }  It also replaces initialization (.ini) files introduced in Win 3.0 }  win.ini and system.ini store user settings and OS parameters
  • 25. Problems overcome by the Registry 2015/16CSF - Nuno Santos25 }  Proliferation of INI files }  Slow access }  No standards }  Fragmented
  • 26. Structure of the Windows Registry 2015/16CSF - Nuno Santos26 }  The Registry can be seen as a unified file system
  • 27. Registry hives 2015/16CSF - Nuno Santos27 }  A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data }  Each time a new user logs on, a new hive is created for that user with a separate file for the user profile }  User's app settings, desktop, environment, network connections, and printers }  User profile hives are located under the HKEY_USERS key }  'HKEY’ is an abbreviation for Handle to a Key
  • 28. Root key functions 2015/16CSF - Nuno Santos28 }  HKEY_LOCAL_MACHINE (HKLM) }  Contains system-wide hardware settings and configuration information (e.g., list of drives mounted on the system) }  HKEY_USERS (HKU) }  Contains the root of all user profiles that exist on the system }  HKEY_CLASSES_ROOT (HKCR) }  Ensures the correct program opens when executed in Windows Explorer }  HKEY_CURRENT_USER (HKCU) }  Contains the profile (settings) of the user who is currently logged in }  HKEY_CURRENT_CONFIG (HCU) }  Information about the HW profile used by the computer during start up “real”; others are shortcuts
  • 29. Hive’s supporting files 2015/16CSF - Nuno Santos29 }  Hives have sets of supporting files }  Most of them located in: %SystemRoot%System32Config     }  These files are updated each time a user logs on Registry hive Supporting files HKEY_CURRENT_CONFIG   System, System.alt, System.log, System.sav HKEY_CURRENT_USER   Ntuser.dat, Ntuser.dat.log HKEY_LOCAL_MACHINESAM   Sam, Sam.log, Sam.sav HKEY_LOCAL_MACHINESecurity   Security, Security.log, Security.sav HKEY_LOCAL_MACHINESoftware   Software, Software.log, Software.sav HKEY_LOCAL_MACHINESystem   System, System.alt, System.log, System.sav
  • 30. Some important hives 2015/16CSF - Nuno Santos30 Filename Location Content ntuser.dat ach user has an individual user.dat file in windowsprofilesuser account Documents and Settings user account Protected storage area for user Most Recently Used (MRU) files User preference settings Default Windowssystem32config System settings SAM Windowssystem32config User account management and security settings Security Windowssystem32config Security settings Software Windowssystem32config All installed programs and their settings System Windowssystem32config System settings
  • 32. Relevant Windows data structures 2015/16CSF - Nuno Santos32 }  NTFS (covered in previous classes) }  Windows Registry }  Windows Event Log
  • 33. Windows Event Log 2015/16CSF - Nuno Santos33 }  Whenever an event, such as a user logging on or off, occurs, the operating system logs the event }  An event can be any occurrence that the OS or a program wants to keep track of or alert the user about }  Windows has a centralized log service to allow apps and OS to report events that have taken place }  Application (example: Database message) }  System (example: driver failure) }  Security (example: Logon attempt, file access)
  • 34. Structure of the Event Log 2015/16CSF - Nuno Santos34 }  The Event Log can be seen using a specific system tool
  • 35. Event format 2015/16CSF - Nuno Santos35 }  Events have a specific format and meaning
  • 36. Example of detailed event tracking 2015/16CSF - Nuno Santos36 }  Detailed Event tracking can include the following events: }  #528 – Successful Login (The user authenticate to the system) }  #592 – A new process has been created (application is launched) }  #560 – Object Open (a file is requested) }  #567 – Object Access (the file is modified and saved) }  #564 – Object Deleted }  #562 – Handle Closed (the file has been closed) }  #593 – A Process Has Exited (the application was terminated)
  • 37. Artifacts of user activitites 2015/16CSF - Nuno Santos37
  • 38. Where to find information about user activities 2015/16CSF - Nuno Santos38 }  Volatile information }  Open network connections }  Running processes }  … }  Non-volatile information }  Hidden files }  Slack space }  Swap files }  Index.dat files }  Hidden ADS }  Windows Search index }  Unallocated clusters }  Unused partitions }  Hidden partitions }  Registry settings }  Windows event logs }  … Underlined: covered when we discussed file system forensics
  • 39. Artifacts of user activities 2015/16CSF - Nuno Santos39 }  Volatile information }  Registry information }  More non-volatile information
  • 40. System time & logged-on users 2015/16CSF - Nuno Santos40 }  System time }  Logged-on users }  determine who is logged on to the system: locally or remotely
  • 41. Open files 2015/16CSF - Nuno Santos41 }  If users logged into a system remotely, investigators should also see what files they have open, if any
  • 42. Open network connections 2015/16CSF - Nuno Santos42 }  Netstat allows a user to collect information regarding network connections on a Windows system
  • 43. More volatile information 2015/16CSF - Nuno Santos43 }  Process information }  Discover what processes are running on a potentially compromised system }  Process-to-port mapping }  When there is a network connection open, find out which process is responsible for and using that connection }  Network status }  Is the system connected or not? Collect NIC information }  Clipboard contents }  Something a user copies to the clipboard on a Monday may still be there on Thursday }  Command history }  To recover the command history (if an attacker clears the screen)
  • 44. Artifacts of user activities 2015/16CSF - Nuno Santos44 }  Volatile information }  Registry information }  More non-volatile information
  • 45. MRU lists 2015/16CSF - Nuno Santos45 }  MRU ('most recently used’) lists contain entries made due to specific actions performed by the user }  There’s numerous MRU lists located throughout various Registry keys RunMRU:When a user types a command into the 'Run' box via the Start menu, the entry is added to this Registry key
  • 46. MRU lists: Another example 2015/16CSF - Nuno Santos46 }  BagMRU: contains information of last visited folders
  • 47. 2015/16CSF - Nuno Santos47 MRU lists: Examples…
  • 48. UserAssist 2015/16CSF - Nuno Santos48 }  UserAssist key: indicate last accessed system objects }  E.g., Control Panel applets, shortcut files, programs, etc. }  HCUSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist  
  • 49. UserAssist (cont.) 2015/16CSF - Nuno Santos49 }  We can gain a better understanding of what types of files or applications have been accessed on a particular system, e.g.: }  The decoded value shows a potential amount of information: }  name of user profile - 'Cpt. Krunch' - from which the .exe was executed }  researching 'p2ktools.exe', it is used for managing Motorola cell phones }  user has p2ktools folder in parent directory called 'Razor programs’ }  tells both location and indicator that the suspect has a Motorola Razor cell phone
  • 50. Autorun locations 2015/16CSF - Nuno Santos50 }  Registry keys that launch programs or apps during boot }  E.g., in a system intrusion, autorun locations could reveal the installation of a trojan backdoor }  List of common autorun locations: HKLMSoftwareMicrosoftWindowsCurrentVersionRunonce   HKLMSoftwareMicrosoftWindowsCurrentVersionpoliciesExplorerRun   HKLMSoftwareMicrosoftWindowsCurrentVersionRun   HKCUSoftwareMicrosoftWindows  NTCurrentVersionWindowsRun   HKCUSoftwareMicrosoftWindowsCurrentVersionRun     HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnce   (ProfilePath)Start  MenuProgramsStartup  
  • 51. USB devices 2015/16CSF - Nuno Santos51 }  Anytime a device is connected to the Universal Serial Bus (USB), drivers are queried and the device's information is stored into the Registry (i.e., thumb drives)
  • 52. USB devices: Case study 2015/16CSF - Nuno Santos52 1. Department manager alleges that individual copied confidential information on DVD. 2. No DVD burner was issued or found. 3. Laptop was analyzed. 4. Found USB device entry in registry: PLEXTOR DVDR PX-708A 5. Found software key for Nero - Burning ROM in registry 6.Therefore, looked for and found Nero compilation files (.nrc). Found other compilation files, including ISO image files. 7. Image files contained DVD-format and AVI format versions of copyrighted movies. Conclusion: No evidence that company information was burned to disk. However, laptop was used to burn copyrighted material and employee had lied.
  • 53. Application-specific information 2015/16CSF - Nuno Santos53 }  E.g., the Internet Explorer uses the Registry a lot }  Under the HKCUSoftwareMicrosoftInternet  Explorer  key
  • 54. Application-specific information (cont.) 2015/16CSF - Nuno Santos54 }  From previous example, an examiner could conclude: }  the user possibly has a gmail and hotmail email address }  engages in online banking at tdbanknorth }  is interested in digital forensic websites }  perhaps go to college at Champlain }  has been researching apartments in the area }  …
  • 55. More Registry artifacts 2015/16CSF - Nuno Santos55 }  System information }  Computer name, OS version, last shutdown time }  Time zone information }  important for establishing a timeline of activity on the system }  Wireless SSIDs }  list of service set identifiers (SSIDs) to which it has connected }  Shares }  Remotely shared resources, e.g., disk volumes (can be hidden) }  Audit policy }  Indicates types of events recorded in the Event Log }  Mounted devices }  Information about devices and volumes mounted on NTFS }  Users }  account creation time, names, last login time, last failed login attempt, account expiration, etc. }  …
  • 56. More Registry artifacts 2015/16CSF - Nuno Santos56 }  System information }  Computer name, OS version, last shutdown time }  Time zone information }  important for establishing a timeline of activity on the system }  Wireless SSIDs }  list of service set identifiers (SSIDs) to which it has connected }  Shares }  Remotely shared resources, e.g., disk volumes (can be hidden) }  Audit policy }  Indicates types of events recorded in the Event Log }  Mounted devices }  Information about devices and volumes mounted on NTFS }  Users }  account creation time, names, last login time, last failed login attempt, account expiration, etc. }  … Homework Locate the Registry keys where this information can be found.
  • 57. Artifacts of user activities 2015/16CSF - Nuno Santos57 }  Volatile information }  Registry potpourri }  More non-volatile information
  • 58. Recycle Bin 2015/16CSF - Nuno Santos58 }  The Recycle Bin allows user to retrieve and restore files that have been deleted }  The user’s deleted file is placed within the file under a subdirectory named with the user’s security ID, e.g., }  C:RECYCLERS-1-5-21-1454471165-630328440-725345543-1003
  • 59. Interesting files 2015/16CSF - Nuno Santos59 }  Link files }  .LNK files: shortcuts that point to another file or folder }  May indicate the user opened a file; contains file’s details }  Prefetch files }  .PF files are a specialized file type, to speed up the running of programs }  Contains info about the last time the program was executed }  Installed programs }  Thumbnail cache files }  thumbs.db: thumb cache of files browsed in the Thumbnails view }  Printer files }  Contain information about printing jobs }  Pagefile.sys and Hiberfil.sys }  The swap file and the file for storing RAM contents upon hybernation
  • 60. Conclusions 2015/16CSF - Nuno Santos60 }  Windows is the most widely available operating system on desktop platforms }  Due to its central role in setting up and supervising the system, Windows maintains valuable data structures for forensic investigators: the Registry, and the Event Log }  By analyzing these and over volatile / non-volatile pieces of information, investigators can gather a wealth of information about user activities on the computer
  • 61. References 2015/16CSF - Nuno Santos }  Primary bibliography }  [Carrier 2005], Chapter 17 61
  • 62. Next class CSF - Nuno Santos }  Server forensics: Linux 2015/1662