Windows Forensic Artifacts
http://null.co.in/ http://nullcon.net/
Pardhasaradhi.ch a.k.a babloo
09762310104 [email_address]
Agenda
• Introduction
• Steps of a forensics investigation
• Rules of forensics investigations
• Terminology
• Windows artifacts
• Browser artifacts
• Tools which can be used
• Evidence gathering without tools
Introduction to Forensics
• Computer forensics is the application of computer investigation and analysis techniques to gather evidence.
• It is also called cyber forensics.
• The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence, in order to find out exactly what happened on a computer and who was responsible for it.
Steps of Forensics
Rules of Forensics Investigation
• Never mishandle evidence
• Never trust the subject operating system
• Never work on original evidence
Terminology
• Cloning: storing the contents of one disk on another disk
• Imaging: storing the contents of a disk in an image file / on a disk
• Carving: the process of extracting data from a disk / image
• File slack: the space between the end of a file and the end of the disk cluster it is stored in
• Unallocated space: free space which is available for writing data
• Steganography: a technique for hiding text in images
• Orphan: a file that was once associated with a program and still remains on the computer even after the program has been uninstalled
Windows Artifacts
• Thumbs.db
• Index.dat
• Hiberfil.sys
• System Volume Information
• Pagefile.sys
• Prefetch
• Sticky notes
• NTUSER.dat and UsrClass.dat
• Event logs and audit logs
Browser Artifacts in Windows
• Default bookmarks location for Firefox: C:\Users\...\AppData\Roaming\Mozilla\Firefox\Profiles\....default
• Default location of saved passwords:
  C:\Users\...\AppData\Roaming\Mozilla\Firefox\Profiles\l6jq0hlt.default\key3.db
  C:\Users\...\AppData\Roaming\Mozilla\Firefox\Profiles\l6jq0hlt.default\signons.sqlite
Using a Dump File
From a memory dump we can get:
• User details
• System activity
• Almost everything, using third-party tools
Tools Which Can Be Used
• FTK
• EnCase
• DFF
• Add-ons
• Paraben
• Stegosuite
• Volatility
• TZWorks sbag
Without Tools: How Can We Extract the Data?
• USB devices: HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR
  What information can be found: Vendor ID, Product ID, Revision, Device ID / Serial Number
• Mounted devices: HKLM\SYSTEM\MountedDevices
  What information can be found: this key lists each drive volume that has been mounted on the system
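The registry walk described above as an added PowerShell example (not code from the original deck). It assumes you are following the rule of never working on original evidence: the SYSTEM hive has been copied out of the image and loaded with `reg load HKLM\EvidenceSYSTEM <copied hive>`, and that loaded key is passed as -HiveRoot; the default points at the live machine only for demonstration.

```powershell
# Added example: list USBSTOR devices and MountedDevices entries from a SYSTEM hive.
# Assumption: -HiveRoot is a loaded copy of the evidence hive (e.g. HKLM:\EvidenceSYSTEM).
param(
    [string]$HiveRoot = 'HKLM:\SYSTEM'
)

# The slide's "ControlSet00x": the Select\Current value names the active set
$select  = Get-ItemProperty -Path "$HiveRoot\Select" -ErrorAction Stop
$csName  = 'ControlSet{0:D3}' -f [int]$select.Current
$usbstor = Join-Path $HiveRoot "$csName\Enum\USBSTOR"

# Each USBSTOR subkey is named like Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
Get-ChildItem -Path $usbstor -ErrorAction SilentlyContinue | ForEach-Object {
    $parts = @{}
    foreach ($p in $_.PSChildName -split '&') {
        if ($p -match '^(Ven|Prod|Rev)_(.*)$') { $parts[$Matches[1]] = $Matches[2] }
    }
    # Child keys are device instance IDs: <serial number>&<instance suffix>
    Get-ChildItem -Path $_.PSPath | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Vendor       = $parts['Ven']
            Product      = $parts['Prod']
            Revision     = $parts['Rev']
            SerialNumber = ($_.PSChildName -split '&')[0]
            FriendlyName = $props.FriendlyName
        }
    }
} | Format-Table -AutoSize

# MountedDevices: value names are \DosDevices\X: or \??\Volume{GUID}. Fixed disks
# store a 12-byte (MBR) or 24-byte (GPT) locator; USB volumes store the device
# instance path as a UTF-16LE string, which ties a drive letter back to a serial.
$mounted = Get-Item -Path "$HiveRoot\MountedDevices"
foreach ($name in $mounted.GetValueNames()) {
    $bytes = [byte[]]$mounted.GetValue($name)
    if ($bytes.Length -gt 24) {
        $text = [System.Text.Encoding]::Unicode.GetString($bytes)
        if ($text -like '*USBSTOR*') { '{0} -> {1}' -f $name, $text }
    }
}
```

Matching the serial in the MountedDevices output against the SerialNumber column in the first table shows which drive letter a given USB stick was assigned.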
Other built-in sources of evidence:
• Task Manager
• Event logs
• Network and Performance Monitor
• Task Scheduler
• Windows Update history
• System files
• MAC table
• Commands in the CLI / PowerShell
• Computer Management
• Regedit
• Msconfig
• Prefetch
Thank You
Pardhasaradhi.ch
09762310104
www.pardhasaradhi.info
[email_address]