Windows Forensic
MD Saquib Nasir Khan
(JONK)
DEA- Data64
www.malc0de.org
CONTENTS
• Recycle Bin Forensics
• Analyzing Prefetch File
• Analyzing Hiberfil.sys File
• Analyzing Paging File
• Analyzing thumbs.db file
• Registry Analysis
Introduction
• Using forensic techniques and tools to gather digital
evidence from a device or PC running Microsoft
Windows.
• Different versions of the Windows OS: XP, Vista, 7, 8,
8.1, 10
• Every version has introduced new artifacts of forensic
importance and changed the format of existing ones, so
the version of the evidence system decides which parsers
and offsets apply.
• Some areas include: Windows Registry, live
acquisition, system files, caches, Prefetch, ADS
(NTFS alternate data streams) etc.
Recycle Bin Forensics
• RECYCLER folder on Windows XP (NTFS volumes; FAT
volumes use RECYCLED with no per-user subfolders)
• $Recycle.Bin folder on Windows Vista, 7 and later
(on the system drive, C:)
• “$RECYCLE.BIN” on every other drive as well, one
per volume
• The subfolder is named with the user’s SID and
contains its own metadata (INFO2 on XP, one $I file
per deleted item on Vista and later), making it
possible to determine which user account was used to
delete a file
When a file is sent to the Recycle Bin on Windows XP, three things happen:
– 1) the file’s directory entry is removed from the folder in which the file
resided (the data clusters are not moved, so this is a rename on the same volume)
– 2) a new directory entry for the file is created in the user’s Recycle Bin folder
– 3) information about the file (original path, drive, deletion time, size) is
appended to a hidden system file named INFO (Windows 95/NT 4.0) or INFO2
(Windows 98 through XP) in that Recycle Bin folder
On Windows XP every file sent to the Recycle Bin is renamed in the following
format:
D[original drive letter][index number][.original extension]
E.g. hw1.txt residing in C:\My Documents was sent to an empty
Recycle Bin
» Its new name is DC0.txt
On Windows Vista and later the data file is instead renamed $R plus six random
characters and the original extension (e.g. $R1A2B3C.txt), and a matching
$I1A2B3C.txt holds the metadata for that one item.
SID
• According to the Microsoft Developer Network (2009), the
SID is a variable-length value, shown as a string such as
S-1-5-21-1004336348-1177238915-682003330-500, that Windows
uses to uniquely identify a security principal such as a
user or a group
• “S” means the string is a Security Identifier
• “1” refers to the Revision Level (this value has always
been 1)
• “5” is the Identifier Authority (“IdentifierAuthority”);
5 is NT Authority, which issues all account SIDs
• “21-1004336348-1177238915-682003330”, the sub-authorities
between the authority and the last number, are the Domain
or Local Computer Identifier: every account issued by that
domain or machine shares this part
• The “500” at the end is the Relative ID (RID); 500 is the
built-in Administrator account, 501 the built-in Guest,
and RIDs of 1000 and above belong to accounts created
after installation
Forensic Importance of SID
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
• The CurrentVersion\ProfileList subkey beneath it has one
subkey per SID whose ProfileImagePath value gives the
user’s profile folder, so a SID seen in $Recycle.Bin (or
in an NTFS owner field) can be mapped back to an account
SID
• If there are three users and four drives,
• there will be four folders named $Recycle.Bin
(one on each drive)
• And within each of these $Recycle.Bin folders
will be up to three sub-folders with names that
correspond to the SID of each of the three
users
• A user’s SID sub-folder is created on a drive the
first time that user deletes something there, so a
missing sub-folder means the account never sent a
file on that volume to the Recycle Bin
METADATA ANALYSIS
• Inside the user’s Recycle Bin folder (Windows XP) there
are two kinds of entries
– renamed data files such as Dc1.txt, which contain the
original file content
– INFO2, which contains the metadata (original path,
drive, index number, deletion time and size)
– There is only one INFO2 file for each user’s
Recycle Bin, where all of the metadata for all of
the files/folders that are found in that Recycle Bin
is stored; emptying the bin removes those records, so
older copies must be sought in unallocated space or
in Volume Shadow Copies
EXTRA “TRASH” IN THE BIN
• desktop.ini (a hidden Windows system file that provides
information to Windows Explorer about how to display the
contents of a folder; its presence is normal and is not
evidence of a deletion)
• directory entry named “.” (dot)
• “..” (dot-dot) directory entry
$R-file and $I-file
• If a deleted file was originally in a folder that no
longer exists, how will it be restored? The $I-file holds
the full original path, and Windows recreates the missing
folders when the item is restored
• When a folder is sent to the Recycle Bin, it too gets
“deleted” and “created” time-stamps, but when it is
restored it only retains the “created” time-stamp and
never gains the “modified” or “accessed” time-stamp,
unlike what happens with a file
• If the restored file is deleted again, a new $I-file and
$R-file (with a new random name) are generated
• A deleted folder gets one $I-file and one $R-file; the
$R entry is a directory that still holds the folder’s
files under their original names, so the contents are
recoverable even though they have no $I-files of their own
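An added example, not code from the original slides: a Python parser for the $I metadata record (Vista/7/8 format version 1 and the Windows 10 variable-length version 2), plus a helper that pairs $I files with their $R data files by the shared random suffix. The offsets are the documented ones; the sample records and file names are constructed here, and the XP-era INFO2 format is not handled.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_i_file(data):
    """Parse one $I record. Layout (little-endian):
      0x00  8 bytes  format version: 1 = Vista/7/8, 2 = Windows 10 and later
      0x08  8 bytes  original file size
      0x10  8 bytes  deletion time (FILETIME)
      v1: 0x18  520 bytes  original path, UTF-16LE, NUL-padded (260 chars)
      v2: 0x18  4 bytes    path length in UTF-16 code units (incl. NUL)
          0x1C  N*2 bytes  original path, UTF-16LE
    """
    if len(data) < 24:
        raise ValueError("truncated $I file")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + nchars * 2].decode("utf-16-le").split("\x00", 1)[0]
    else:
        raise ValueError("unknown $I version %d" % version)
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}


def pair_recycle_entries(names):
    """Match $I metadata files with their $R data files by the shared suffix,
    e.g. $I1A2B3C.txt <-> $R1A2B3C.txt. Returns {suffix: (i_name, r_name)};
    r_name is None when only the metadata survives (data already overwritten)."""
    i_files = {n[2:]: n for n in names if n.startswith("$I")}
    r_files = {n[2:]: n for n in names if n.startswith("$R")}
    return {sfx: (i_name, r_files.get(sfx)) for sfx, i_name in i_files.items()}


def build_sample_i_file(version, path, size, ft):
    """Constructed test record (not a real evidence file)."""
    head = struct.pack("<QQQ", version, size, ft)
    if version == 1:
        return head + path.encode("utf-16-le").ljust(520, b"\x00")
    body = (path + "\x00").encode("utf-16-le")
    return head + struct.pack("<I", len(path) + 1) + body


# Constructed values: 2015-06-01 12:00:00 UTC as a FILETIME, and a sample path.
SAMPLE_FT = 130776336000000000
SAMPLE_PATH = r"C:\Users\alice\Documents\hw1.txt"

if __name__ == "__main__":
    for v in (1, 2):
        print(parse_i_file(build_sample_i_file(v, SAMPLE_PATH, 1024, SAMPLE_FT)))
    print(pair_recycle_entries(["$I1A2B3C.txt", "$R1A2B3C.txt",
                                "$IXYZ789.docx", "desktop.ini"]))
```

Read every $I file in a SID sub-folder with this, sort by the deletion time, and you have a per-user deletion timeline; an $I without its $R means the content was overwritten and only the name, size and time remain.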
SHADOW COPIES
• Volume Shadow Copy Service (VSS)
• Snapshots taken for System Restore and backups can still
hold earlier versions of files, Recycle Bin contents and
registry hives that have since been emptied or overwritten
• List them on a live system with vssadmin list shadows
PREFETCH FILES
SuperFetch
• The Prefetching process tries to speed up the
boot process and application startup
• The Prefetching process monitors roughly the first 10
seconds of application startup (and the first two minutes
of boot) and records which files and directories were
touched
• The results are written to %SystemRoot%\Prefetch as
EXENAME-HASH.pf; each file records the executable name,
its last run time(s) and a run counter, so it is evidence
of program execution even after the program is deleted
Forensic
• Identify whether the system has the Prefetching
process enabled
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\Memory Management\PrefetchParameters, value
EnablePrefetcher (REG_DWORD)
• “0” means “disabled”
• “1” means “application launch Prefetching enabled”
• “2” means “boot Prefetching enabled”
• “3” means “application launch and boot enabled”
(default on client editions; Windows Server editions
disable it by default)
• Even with the value set, Windows 8 and later write no
.pf files while the SysMain (Superfetch) service is
stopped, so an empty Prefetch folder is not proof that
nothing ran
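An added example, not from the original slides: a Python reader for the uncompressed prefetch header that recovers the executable name, the path hash embedded in the file name, the last-run FILETIME(s) and the run counter for format versions 17 (XP), 23 (Vista/7) and 26 (Windows 8). Windows 10 files (version 30) are stored LZXPRESS-Huffman compressed behind a MAM signature and must be decompressed first; the example detects that case and, for an already decompressed version 30 file, reads the eight run times but leaves the run count unset because its offset differs between builds. Offsets follow the public format documentation; the sample file is constructed here with only the fields the parser reads filled in.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SCCA_MAGIC = b"SCCA"
MAM_MAGIC = b"MAM\x04"   # Windows 10: compressed container, decompress first

# version: (offset of last-run FILETIME(s), number of slots, offset of run count)
LAYOUT = {
    17: (120, 1, 144),   # Windows XP / 2003
    23: (128, 1, 152),   # Windows Vista / 7
    26: (128, 8, 208),   # Windows 8 / 8.1 (keeps the last eight run times)
    30: (128, 8, None),  # Windows 10: run count offset varies (200 or 208)
}


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def is_compressed(data):
    return data[:4] == MAM_MAGIC


def parse_prefetch(data):
    """Parse the fixed header of a decompressed .pf file."""
    if is_compressed(data):
        raise ValueError("compressed Windows 10 prefetch file: decompress first")
    if data[4:8] != SCCA_MAGIC:
        raise ValueError("not a prefetch file (missing SCCA signature)")
    version, _, _, file_size = struct.unpack_from("<I4sII", data, 0)
    if version not in LAYOUT:
        raise ValueError("unsupported prefetch version %d" % version)
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 76)
    run_off, slots, count_off = LAYOUT[version]
    times = []
    for i in range(slots):
        (ft,) = struct.unpack_from("<Q", data, run_off + 8 * i)
        if ft:                      # unused slots are zero
            times.append(filetime_to_datetime(ft))
    run_count = struct.unpack_from("<I", data, count_off)[0] if count_off else None
    return {"version": version, "file_size": file_size, "executable": exe_name,
            "hash": path_hash,
            "expected_name": "%s-%08X.pf" % (exe_name, path_hash),
            "last_runs": times, "run_count": run_count}


def build_sample_prefetch(version, exe_name, path_hash, last_runs, run_count):
    """Constructed minimal file: only the fields the parser reads are populated."""
    run_off, slots, count_off = LAYOUT[version]
    size = max(run_off + 8 * slots, (count_off or 0) + 4, 256)
    buf = bytearray(size)
    struct.pack_into("<I4sII", buf, 0, version, SCCA_MAGIC, 0x11, size)
    buf[16:76] = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 76, path_hash)
    for i, ft in enumerate(last_runs[:slots]):
        struct.pack_into("<Q", buf, run_off + 8 * i, ft)
    if count_off:
        struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed: 2015-06-01 12:00:00 UTC as FILETIME, hash value made up.
    pf = build_sample_prefetch(23, "CALC.EXE", 0x1234ABCD, [130776336000000000], 7)
    print(parse_prefetch(pf))
```

A mismatch between the on-disk file name and expected_name is worth noting: the hash covers the full path of the executable, so the same binary run from two locations produces two .pf files.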
ANALYZING HIBERFIL.SYS FILES
Hibernate is a feature of many computer operating systems where the
contents of RAM are written to non-volatile storage such as a hard disk,
as a file or on a separate partition, before powering off the computer.
Windows uses the Hiberfil.sys file to store a copy of system memory on the
hard disk when hibernation or hybrid sleep is turned on.
The Hiberfil.sys hidden system file is located in the root folder of the drive
where the operating system is installed, and the Windows Kernel Power
Manager reserves this file when you install Microsoft Windows.
On Windows XP the size of this file is approximately equal to the amount of
random access memory (RAM) installed on the computer; later versions default
to a fraction of RAM (75% on Windows 7) and the size can be changed with
powercfg /hibernate.
Forensic caveats: the saved pages are compressed (Xpress), so string searches
and carving only work after the file is converted with a memory forensics
tool; the data is not wiped on resume, so the file can hold a memory image
older than the last boot; and with Fast Startup (Windows 8 and later) it is
rewritten at every shutdown with kernel memory only, not the user sessions.
ANALYZING PAGING FILES
A page file (pagefile.sys, a hidden file in the root of the boot volume by
default) is a file on the hard disk that the operating system uses to hold
parts of programs and data files that do not fit in memory.
Virtual memory comprises the paging file and physical memory or random access
memory (RAM).
Windows moves data from the paging file to memory as needed, and it moves
data from memory to the paging file to make room for new data.
By default, Windows stores the paging file on the boot partition (the partition that
contains the operating system and its support files). On Windows XP the default
initial size is 1.5 times the total RAM; Vista and later size it automatically,
and Windows 8 and later add a second file, swapfile.sys, for store apps.
Because pages from any process can end up here, the file may hold fragments of
documents, URLs, credentials and malware that only ever existed in memory.
ANALYZING PAGING FILES
The computer can be configured to clear the paging file at shutdown.
For this the data value of the ClearPageFileAtShutdown value in the
following registry key must be set to 1 (REG_DWORD):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\Memory Management
This is the value set by the security policy “Shutdown: Clear virtual memory
pagefile”, so check it during triage: when it is 1, the page file of a cleanly
shut-down system has been overwritten with zeros, while a crash or power loss
leaves the contents in place.
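An added example, not from the original slides, covering the hiberfil.sys and paging-file slides above: a Python string carver that pulls printable ASCII and UTF-16LE runs out of raw swapped-out pages and triages them for URLs, file paths and registry keys, the usual first pass over pagefile.sys (or over a hiberfil.sys that has already been decompressed to a raw image). The indicator patterns and the 4 KiB sample page are constructed here; on a real page file the same functions run over the whole file, or over it in page-sized chunks.

```python
import re

# Indicator patterns worth a first look in swapped-out memory (constructed list)
INDICATORS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "path": re.compile(r"[A-Za-z]:\\[^\s\"'<>|*?]+"),
    "regkey": re.compile(r"HK(?:LM|CU|CR|U|CC|EY_[A-Z_]+)\\[^\s\"'<>]+"),
}


def carve_strings(data, min_len=8):
    """Return sorted (offset, encoding, text) for printable ASCII runs and for
    UTF-16LE runs (printable byte followed by NUL) of at least min_len chars."""
    ascii_rx = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_rx = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ascii_rx.finditer(data)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in utf16_rx.finditer(data)]
    return sorted(hits)


def triage(data, min_len=8):
    """Group carved strings by indicator: {kind: [(offset, encoding, match)]}."""
    found = {}
    for off, enc, text in carve_strings(data, min_len):
        for kind, rx in INDICATORS.items():
            for m in rx.finditer(text):
                found.setdefault(kind, []).append((off, enc, m.group()))
    return found


def build_sample_page():
    """Constructed 4 KiB 'page': non-printable filler with planted artifacts
    in both encodings, standing in for a fragment of pagefile.sys."""
    filler = bytes([0x00, 0xFF, 0x80, 0x01]) * 256          # 1 KiB, no text
    return (filler
            + b"http://example.com/payload.exe" + filler
            + "C:\\Users\\alice\\AppData\\Local\\Temp\\dropper.exe".encode("utf-16-le")
            + filler
            + b"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" + filler)


if __name__ == "__main__":
    for kind, hits in triage(build_sample_page()).items():
        for off, enc, text in hits:
            print("%-7s 0x%08x %-8s %s" % (kind, off, enc, text))
```

Carving UTF-16LE separately matters on Windows: paths, registry keys and most GUI strings live in memory as UTF-16, so an ASCII-only strings run misses them.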
ANALYZING THUMBS.DB FILES
Thumbs.db is a hidden file used by Windows (XP and earlier) to store thumbnail
images of the files in a folder.
It is then used to display thumbnails when a folder is in Thumbnails
view.
Deleting images from a folder does not remove the thumbnail from
the thumbs.db database cache, and the cache also records each file’s
name and the time its thumbnail was made.
This makes the thumbs.db file useful from a forensic point of view.
Windows Vista and later keep a per-user cache instead
(%LocalAppData%\Microsoft\Windows\Explorer\thumbcache_*.db) and may still
write Thumbs.db on network shares, so check both locations.
FTex is a useful utility for thumbs.db analysis.
Registry Hive
• The five top-level folders shown in Regedit are root keys and begin with
HKEY (an abbreviation for Handle to a Key).
• Although five root keys can be seen, only two of these are actually real,
HKEY_USERS (HKU) and HKEY_LOCAL_MACHINE (HKLM).
• The other three are shortcuts or aliases to branches within one of the two
real keys.
• On disk the registry is stored in hive files: SAM, SECURITY, SOFTWARE and
SYSTEM in %SystemRoot%\System32\config, NTUSER.DAT in each user’s profile
folder and UsrClass.dat under the user’s %LocalAppData%\Microsoft\Windows.
Collect each hive together with its .LOG1/.LOG2 transaction logs: on
Windows 8 and later the hive file alone may be missing recent changes.
REGISTRY ANALYSIS
The structure of the Registry
REGISTRY ANALYSIS
HIVE KEY:
HKEY_LOCAL_MACHINE (HKLM)
It is the first master key and contains all of the configuration settings of the
computer. When the computer starts up, the local machine settings are loaded
before the individual user settings. The HKEY_LOCAL_MACHINE key has the
following subkeys:
HARDWARE
SAM
SECURITY
SOFTWARE
SYSTEM
(HARDWARE is rebuilt in memory at every boot; the other four are loaded from
the hive files of the same name in %SystemRoot%\System32\config. SAM and
SECURITY are readable only by SYSTEM on a live machine, so they are usually
examined from an offline copy.)
Registry keys of forensic
value
MRU
A Most-recently-used (MRU) key maintains a list of recently opened
files (e.g. .txt, .pdf, .htm, .jpg) or files saved from within a
web browser (including IE and Firefox), recorded by the common
Open/Save dialog that those programs use.
OpenSaveMRU contains far more entries related to previously opened
or saved files (including the 10 most recent ones per extension).
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
(Windows XP; Vista and later use OpenSavePidlMRU in the same ComDlg32 key,
whose values are binary shell item lists rather than plain strings, and
LastVisitedPidlMRU records which executable opened the dialog.) The
ordering value (MRUList or MRUListEx) gives the sequence of use, and the
key’s last-write time dates the most recent entry.
REGISTRY ANALYSIS
Mounted USB
Storage Devices
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
This key lists every USB mass-storage device that has been connected,
including external memory cards. Each device class subkey (named
Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>) holds one instance
subkey per physical device, named after its serial number, with a
FriendlyName value and a last-write time; on Windows 8 and later the
instance’s Properties\{83da6326-97a6-4088-9453-a1923f573b29} subkey
also stores the install date (0064), last arrival (0066) and last
removal (0067) times.
Device ID
• The instance subkey name is the device ID (serial number plus an
instance suffix such as &0) of a specific device.
• It should be noted that not all USB thumb drives will have a serial
number: if the second character of the instance ID is “&”, Windows
generated the ID itself and it cannot tie the key to one particular
physical device.
• The volume GUID in HKLM\SYSTEM\MountedDevices links the serial to a
volume, and the same GUID under
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
in a user’s NTUSER.DAT shows which account used the device.
REGISTRY ANALYSIS
ShutDownTime
HKLM\SYSTEM\ControlSet001\Control\Windows, value ShutdownTime
(REG_BINARY, an 8-byte FILETIME of the last clean shutdown)
In an offline hive there is no CurrentControlSet link: read the Current
value under HKLM\SYSTEM\Select to find which ControlSet00N was in use.
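An added example, not from the original slides, serving the MRU, USBSTOR and ShutdownTime slides above: Python helpers that decode the three value types those keys use, the REG_BINARY FILETIME of ShutdownTime, the two-level USBSTOR key names (including the generated-ID rule for devices without a serial), and the MRUList/MRUListEx ordering values. The sample key names and values are constructed; real RecentDocs and OpenSavePidlMRU entries are binary shell items, shown here as plain strings for brevity.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_shutdown_time(reg_binary):
    """HKLM\\SYSTEM\\<ControlSet>\\Control\\Windows\\ShutdownTime holds one
    little-endian FILETIME in a REG_BINARY value."""
    (ft,) = struct.unpack("<Q", reg_binary)
    return filetime_to_datetime(ft)


def parse_usbstor(device_key, instance_key):
    """Interpret the two subkey levels under Enum\\USBSTOR, e.g.
       Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00   (device class key)
         4C530001234567890123&0                      (instance key)
    If the second character of the instance key is '&', the device reported
    no serial number and Windows generated the ID itself."""
    parts = device_key.split("&")
    fields = {"type": parts[0]}
    for part in parts[1:]:
        name, _, value = part.partition("_")
        fields[name.lower()] = value
    fields["instance_id"] = instance_key
    fields["serial"] = instance_key.rsplit("&", 1)[0]     # drop the "&0" suffix
    fields["serial_is_real"] = len(instance_key) > 1 and instance_key[1] != "&"
    return fields


def mru_order(values):
    """Value names in most-recent-first order.
    XP-era keys (OpenSaveMRU) keep a REG_SZ 'MRUList' of letters ('cab' = c,a,b);
    Vista+ keys (OpenSavePidlMRU, RecentDocs) keep a REG_BINARY 'MRUListEx' of
    little-endian uint32 indices terminated by 0xFFFFFFFF."""
    if "MRUListEx" in values:
        order = []
        for (idx,) in struct.iter_unpack("<I", values["MRUListEx"]):
            if idx == 0xFFFFFFFF:
                break
            order.append(str(idx))
        return order
    if "MRUList" in values:
        return list(values["MRUList"])
    raise ValueError("no MRU ordering value present")


def mru_entries(values):
    """(name, data) pairs in order of use; dangling indices are skipped."""
    return [(name, values[name]) for name in mru_order(values) if name in values]


# Constructed sample values (not from a real hive).
SAMPLE_OPENSAVEMRU_XP = {
    "MRUList": "cab",
    "a": "C:\\docs\\report.pdf",
    "b": "C:\\docs\\hw1.txt",
    "c": "D:\\photos\\img001.jpg",
}
SAMPLE_RECENTDOCS = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    "0": "budget.xlsx",
    "1": "notes.txt",
    "2": "resume.docx",
}

if __name__ == "__main__":
    print(decode_shutdown_time(struct.pack("<Q", 130776336000000000)))
    print(parse_usbstor("Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00",
                        "4C530001234567890123&0"))
    print(mru_entries(SAMPLE_OPENSAVEMRU_XP))
    print(mru_entries(SAMPLE_RECENTDOCS))
```

The order value is the part worth trusting: the key’s last-write time only dates the newest entry, while MRUList/MRUListEx preserves the relative order of all of them even when the individual values carry no timestamp.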
Autostart locations
• Used by a great many pieces of malware to
remain persistent on the victim system.
• Example:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• Also check the HKLM counterpart, the RunOnce keys, Services,
Winlogon (Userinit, Shell) and scheduled tasks; Sysinternals
Autoruns enumerates all of them on a live system.
Wireless SSIDs
• SSIDs (service set identifiers)
• This shows you which wireless networks
you’ve connected to, and if you travel and
make use of the ubiquitous wireless hotspots,
you’ll see quite a few entries there.
• Vista and later: HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\NetworkList\Profiles, one subkey per
network with ProfileName, DateCreated and
DateLastConnected; Windows XP:
HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces
Registry: A Wealth of Information
Information that can be recovered includes:
– System Configuration
– Devices on the System
– User Names
– Personal Settings and Browser Preferences
– Web Browsing Activity
– Files Opened
– Programs Executed
– Password hashes (in SAM, decryptable only with the boot key
from SYSTEM) and cached domain credentials (in SECURITY)
Registry Organization
• Root Keys
– HKEY_CLASSES_ROOT (HKCR)
• Contains file-type associations and COM class registrations so that the correct program
opens when a file is executed from Windows Explorer (merged from HKLM\SOFTWARE\Classes and
HKCU\Software\Classes).
– HKEY_CURRENT_USER (HKCU)
• Contains the profile (settings, etc.) of the user that is logged in (a link to HKU\<SID>).
– HKEY_LOCAL_MACHINE (HKLM)
• Contains system-wide hardware settings and configuration information.
– HKEY_USERS (HKU)
• Contains the root of all user profiles currently loaded on the system.
– HKEY_CURRENT_CONFIG (HKCC)
• Contains information about the hardware profile used by the computer during start up
(a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current).
• Sub Keys – These are essentially sub directories that exist under the Root
Keys.

Francesca Gottschalk - How can education support child empowerment.pptx
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star   -  Saka Neela TaraOperation Blue Star   -  Saka Neela Tara
Operation Blue Star - Saka Neela Tara
 
Digital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and ResearchDigital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and Research
 
The Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdfThe Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdf
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
 
How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17
 
Embracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic ImperativeEmbracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic Imperative
 
Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
 
2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...
 
Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptx
 
Supporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptxSupporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptx
 
Model Attribute Check Company Auto Property
Model Attribute  Check Company Auto PropertyModel Attribute  Check Company Auto Property
Model Attribute Check Company Auto Property
 

Windows forensic

1. Windows Forensic
MD Saquib Nasir Khan (JONK)
DEA- Data64
www.malc0de.org

2. CONTENTS
• Recycle Bin Forensics
• Analyzing Prefetch File
• Analyzing Hiberfil.sys File
• Analyzing Paging File
• Analyzing thumbs.db file
• Registry Analysis

3. Introduction
• Using forensic techniques and tools to gather digital evidence from a device or PC running Microsoft Windows.
• Different versions of the Windows OS: Win XP, Vista, 7, 8, 8.1, 10
• With every version, new features of forensic importance have been discovered.
• Some areas include: Windows Registry, live acquisition, system files, cache, Prefetch, ADS, etc.

4. Recycle Bin Forensics
• RECYCLER folder for Windows XP
• $Recycle.Bin folder for Windows 7 or Windows Vista (C:)
• “$RECYCLE.BIN” on other drives
• The subfolder is named with the user’s SID and contains its own INFO file, making it possible to determine which user account was used to delete a file

5. When a file is deleted, it results in three steps:
– 1) the deletion of the file’s folder entry in the folder in which the file resided
– 2) the creation of a new folder entry for the file in the Recycle Bin
– 3) the addition of information about the file in a hidden system file named INFO (or INFO2, depending on the Windows version) in the Recycle Bin

6. Every file sent to the Recycle Bin is renamed in the following format:
D[original drive letter of file][index no][original extension]
E.g. hw1.txt residing in C:\My Documents was sent to an empty Recycle Bin
» Its new name is DC0.txt

7. SID
• According to the Microsoft Developer Network (2009), the SID is an alpha-numeric string that is used by Windows to uniquely identify an object, like a user or a group
• “S” means the string is a Security Identifier
• “1” refers to the Revision Level (this value has always been 1)
• “5” is the identifier for the Authority Level or “IdentifierAuthority”
• “500” at the end of the string is the Domain or Local Computer Identifier
• The “500” at the end is known as the Relative ID, and in this case “500” means the user is a system administrator

8. Forensic Importance of SID
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT

9. SID
• If there are three users and four drives,
• there will be four folders named $Recycle.Bin (one on each drive)
• And within each of these $Recycle.Bin folders will be three sub-folders with names that correspond to the SID of each of the three users
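Added example, not part of the slides: a small Python SID decoder that splits a string SID into revision, authority, machine/domain identifier and Relative ID, flags the well-known RIDs 500 (built-in Administrator) and 501 (built-in Guest), and enumerates the $Recycle.Bin\<SID> sub-folders that the three-users-on-four-drives layout described above produces. The SIDs and drive letters used here are constructed, not taken from a real system.

```python
"""Added example (not from the slides): decode string SIDs and map them to
$Recycle.Bin sub-folders.  The SIDs and drive letters used are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Well-known relative identifiers (RIDs); 500/501 are built-in accounts,
# while user-created accounts and groups are numbered from 1000 upwards.
WELL_KNOWN_RIDS = {500: "Administrator (built-in)", 501: "Guest (built-in)"}


@dataclass
class Sid:
    revision: int            # always 1
    authority: int           # 5 = NT Authority
    sub_authorities: List[int]

    @property
    def rid(self) -> Optional[int]:
        """Relative ID: the final sub-authority, unique within the issuer."""
        return self.sub_authorities[-1] if self.sub_authorities else None

    @property
    def machine_or_domain(self) -> str:
        """Everything between the authority and the RID identifies the issuer."""
        return "-".join(str(s) for s in self.sub_authorities[:-1])

    def account_type(self) -> str:
        if self.rid in WELL_KNOWN_RIDS:
            return WELL_KNOWN_RIDS[self.rid]
        if self.rid is not None and self.rid >= 1000:
            return "user-created account or group"
        return "other built-in or well-known principal"

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority)]
                        + [str(s) for s in self.sub_authorities])


def parse_sid(text: str) -> Sid:
    """Parse 'S-1-5-21-...-500' into its components, rejecting malformed input."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a string SID: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    if revision != 1:
        raise ValueError(f"unexpected SID revision {revision}")
    try:
        subs = [int(p) for p in parts[3:]]
    except ValueError as exc:
        raise ValueError(f"malformed sub-authority in {text!r}") from exc
    return Sid(revision, authority, subs)


def recycle_bin_folders(drive_letters, sids) -> List[str]:
    """One $Recycle.Bin per drive, one SID-named sub-folder per user inside it."""
    return [f"{d.upper()}:\\$Recycle.Bin\\{parse_sid(s)}"
            for d in drive_letters for s in sids]


def owner_of_recycle_folder(path: str) -> Sid:
    """Attribute a $Recycle.Bin sub-folder to the account that deleted into it."""
    return parse_sid(path.rstrip("\\").rsplit("\\", 1)[-1])
```

The decoder normalises the SID text through `parse_sid` before building folder names, so stray whitespace or a lower-case `s` in an input list does not produce a non-matching path; `owner_of_recycle_folder` is the inverse step used when walking a mounted image.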
10. METADATA ANALYSIS
• Inside the Recycle Bin folder there are two items
– DC1.txt and INFO2
– DC1.txt contains the original file
– INFO2 contains the metadata
– There is only one INFO2 file for each user’s Recycle Bin, where all of the metadata for all of the files/folders found in that Recycle Bin is stored.

11. EXTRA “TRASH” IN THE BIN
• desktop.ini (a hidden Windows system file that provides information to Windows Explorer about how to display the contents of a folder)
• directory named “.” (dot)
• “..” (dot-dot) directory

12. $R-file and $I-file
• If a file that is deleted was originally in a folder that no longer exists, how will it be restored?
• When a folder is sent to the Recycle Bin, it too has the “deleted” and “created” time-stamps, but when it is restored, it only retains the “created” time-stamp and never gains the “modified” or “accessed” time-stamp, unlike what happens with a file.
• If the restored file is deleted again, a new $I-file and $R-file are generated.
• There will be an $I-file and $R-file for the folder, and there will also be a $I-file and $R-file for each file that was in the deleted folder
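Added example, not from the slides, covering both the XP-era naming rule of slide 6 and the $I/$R pairs of slide 12: Python that decodes a D<drive><index><extension> name and parses a Vista-and-later $I record (8-byte version, 8-byte original size, 8-byte FILETIME deletion time, then the original path; version 1 stores a fixed 520-byte UTF-16LE path, version 2 on Windows 10 prefixes a 4-byte character count). The $I records are constructed by the block's own helper rather than taken from a real Recycle Bin.

```python
"""Added example (not from the slides): decode Recycle Bin artefacts offline.
Sample $I records are constructed by make_sample_i_file, not real artefacts."""
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Constructed deletion time used for the sample records.
SAMPLE_DELETED_AT = datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # Integer arithmetic on purpose: the tick count exceeds float precision (2**53).
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


# Windows 2000/XP: D<original drive letter><index><original extension>
_XP_NAME_RE = re.compile(r"^D([A-Za-z])(\d+)(\..*)?$")


def decode_xp_recycle_name(name: str) -> dict:
    """DC0.txt -> drive C:, index 0, extension .txt (INFO2 holds the rest)."""
    m = _XP_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not an XP Recycle Bin name: {name!r}")
    return {"drive": m.group(1).upper() + ":", "index": int(m.group(2)),
            "extension": m.group(3) or ""}


def matching_r_file(i_name: str) -> str:
    """$I<id>.<ext> is the metadata for the content stored as $R<id>.<ext>."""
    if not i_name.startswith("$I"):
        raise ValueError(f"not a $I file name: {i_name!r}")
    return "$R" + i_name[2:]


def parse_i_file(data: bytes) -> dict:
    """Parse a $I record: version, original size, FILETIME deletion time, path."""
    if len(data) < 24:
        raise ValueError("record too short for a $I header")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Vista/7/8: fixed 520-byte (260 UTF-16LE characters) null-padded path
        path = data[24:544].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        # Windows 10: 4-byte character count (includes the terminating null)
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + nchars * 2].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unsupported $I version {version}")
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(deleted_ft), "original_path": path}


def make_sample_i_file(version: int, size: int, deleted: datetime, path: str) -> bytes:
    """Build a constructed $I record for demonstration; not a real artefact."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    if version == 2:
        return header + struct.pack("<I", len(path) + 1) + encoded
    raise ValueError("version must be 1 or 2")
```

On a real image the $I file is the one worth hashing and timelining: it is the only place the original path and deletion time survive once the $R file is overwritten, and the version field tells you which layout to expect before you trust the path offset.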
13. SHADOW COPIES
• Volume Shadow Copy Service

14. PREFETCH FILES
SuperFetch
• The Prefetching process tries to speed up the boot process and application startup
• The Prefetching process monitors the first 10 seconds of application startup

15. Forensic
• Identify whether the system has the Prefetching process enabled
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
• “0” means “disabled”
• “1” means “application launch Prefetching enabled”
• “2” means “boot Prefetching enabled”
• “3” means “application launch and boot enabled” (default)

18. ANALYZING HIBERFIL.SYS FILES
Hibernate is a feature of many computer operating systems where the contents of RAM are written to non-volatile storage such as a hard disk, as a file or on a separate partition, before powering off the computer. The computer uses the Hiberfil.sys file to store a copy of the system memory on the hard disk when the hybrid sleep setting is turned on. The Hiberfil.sys hidden system file is located in the root folder of the drive where the operating system is installed, and the Windows Kernel Power Manager reserves this file when you install Microsoft Windows. The size of this file is approximately equal to the amount of random access memory (RAM) installed on the computer.

19. ANALYZING PAGING FILES
A page file is a hidden file or files on the hard disk that the operating system uses to hold parts of programs and data files that do not fit in memory. Virtual memory comprises the paging file and physical memory or random access memory (RAM). Windows moves data from the paging file to memory as needed, and it moves data from memory to the paging file to make room for new data. By default, Windows stores the paging file on the boot partition (the partition that contains the operating system and its support files). The default paging file size is equal to 1.5 times the total RAM.

20. ANALYZING PAGING FILES
The computer can be configured to clear the paging file at shutdown. For this, the data of the ClearPageFileAtShutdown value in the following registry key must be set to 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

21. ANALYZING THUMBS.DB FILES
Thumbs.db is a hidden file used by Windows to store thumbnail images of the files in a folder. It is then used to display thumbnails when a folder is in Thumbnails view. Deleting images from a folder does not remove the thumbnail from the thumbs.db database cache. This makes the thumbs.db file useful from a forensic point of view. FTex is a useful utility for thumbs.db analysis.

22. Registry Hive
• The five top-level folders of the hierarchy are called hives, and their names begin with HKEY (an abbreviation for Handle to a Key).
• Although five hives can be seen, only two of these are actually real: HKEY_USERS (HKU) and HKEY_LOCAL_MACHINE (HKLM).
• The other three are shortcuts or aliases to branches within one of the two hives.

24. The structure of the Registry

25. REGISTRY ANALYSIS
HIVE KEY: HKEY_LOCAL_MACHINE (HKLM)
It is the first master key. It contains all of the configuration settings of a computer. When a computer starts up, the local machine settings will boot before the individual user settings. The HKEY_LOCAL_MACHINE key has the following subkeys: HARDWARE, SAM, SECURITY, SOFTWARE, SYSTEM

26. Registry keys of forensic value
MRU
The Most-recently-used key maintains a list of recently opened files (e.g. .txt, .pdf, .htm, .jpg) or saved files from within a web browser (including IE and Firefox). OpenSaveMRU contains far more entries related to previously opened or saved files (including the 10 most recent ones).
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

27. REGISTRY ANALYSIS
Mounted USB Storage Devices
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
This key contains additional information about the list of mounted USB storage devices, including external memory cards.

28. Device ID
• The device ID for a specific device is identified here.
• It should be noted that not all USB thumb drives will have a serial number.

30. Autostart locations
• Used by a great many pieces of malware to remain persistent on the victim system.
• Example: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
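Added example, not from the slides, serving slides 15, 20, 27, 28 and 30 together: a Python parser for a text .reg export that decodes the EnablePrefetcher value, checks ClearPageFileAtShutdown, lists the entries under the Run/RunOnce autostart keys, and pulls vendor, product, revision and serial number out of USBSTOR instance keys (an instance ID whose second character is “&” was generated by Windows because the device reported no serial number, which is the case slide 28 warns about). The export below is constructed; the user name, commands and device identifiers in it are made up for illustration.

```python
# Added example (not from the slides): triage a .reg text export offline.
import re
from typing import Any, Dict, List

# Constructed sample of a "Windows Registry Editor Version 5.00" export.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters]
"EnablePrefetcher"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"updater"="C:\\Users\\alice\\AppData\\Roaming\\unknown\\upd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\0019E06B1234567890AB&0]
"FriendlyName"="Kingston DataTraveler USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash&Rev_8.07\7&1a2b3c4d&0]
"FriendlyName"="Generic Flash USB Device"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s: str) -> str:
    return re.sub(r'\\(["\\])', r"\1", s)   # .reg escapes backslash and quote

def _decode_value(raw: str) -> Any:
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex(...) blobs and other types are kept verbatim

def parse_reg(text: str) -> Dict[str, Dict[str, Any]]:
    """Map each [key path] to {value name: decoded value}; '' is the default value."""
    keys: Dict[str, Dict[str, Any]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if (m := _KEY_RE.match(line)):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := _VALUE_RE.match(line)) and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _decode_value(m.group(2))
    return keys

def autostart_entries(keys: Dict[str, Dict[str, Any]]) -> List[dict]:
    """Values under any CurrentVersion Run or RunOnce key, for persistence review."""
    out = []
    for key, values in keys.items():
        low = key.lower()
        if "\\currentversion\\" in low and low.rsplit("\\", 1)[-1] in ("run", "runonce"):
            out.extend({"key": key, "name": n, "command": c} for n, c in values.items())
    return out

def usbstor_devices(keys: Dict[str, Dict[str, Any]]) -> List[dict]:
    """Vendor, product, revision and serial for every USBSTOR device instance."""
    out, marker = [], "\\enum\\usbstor\\"
    for key, values in keys.items():
        pos = key.lower().find(marker)
        parts = key[pos + len(marker):].split("\\") if pos >= 0 else []
        if len(parts) != 2:
            continue
        device, instance = parts
        fields = dict(p.split("_", 1) for p in device.split("&") if "_" in p)
        # A '&' as the second character means Windows generated the instance ID
        # because the device reported no serial number.
        has_serial = len(instance) > 1 and instance[1] != "&"
        out.append({"vendor": fields.get("Ven", ""), "product": fields.get("Prod", ""),
                    "revision": fields.get("Rev", ""), "has_serial": has_serial,
                    "serial": instance.split("&")[0] if has_serial else None,
                    "friendly_name": values.get("FriendlyName", "")})
    return out

PREFETCH_MODES = {0: "disabled", 1: "application launch prefetching enabled",
                  2: "boot prefetching enabled",
                  3: "application launch and boot prefetching enabled"}

def _value(keys: Dict[str, Dict[str, Any]], key_suffix: str, name: str) -> Any:
    for key, values in keys.items():
        if key.lower().endswith(key_suffix.lower()):
            for n, v in values.items():
                if n.lower() == name.lower():
                    return v
    return None

def prefetch_mode(keys: Dict[str, Dict[str, Any]]) -> str:
    v = _value(keys, "\\Memory Management\\PrefetchParameters", "EnablePrefetcher")
    return PREFETCH_MODES.get(v, f"unknown ({v!r})")

def page_file_cleared_at_shutdown(keys: Dict[str, Dict[str, Any]]) -> bool:
    return _value(keys, "\\Memory Management", "ClearPageFileAtShutdown") == 1
```

Key and value names are compared case-insensitively because the registry itself is, and the parser keeps hex(...) blobs untouched rather than guessing at their type; feed it a `reg export` of the relevant keys from a live system, or the output of an offline hive tool that writes the same format, and review the autostart list against what you expect on that host.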
31. Wireless SSIDs
• SSIDs (service set identifiers)
• This shows you which wireless networks you’ve connected to, and if you travel and make use of the ubiquitous wireless hotspots, you’ll see quite a few entries there.

32. Registry: A Wealth of Information
Information that can be recovered includes:
– System Configuration
– Devices on the System
– User Names
– Personal Settings and Browser Preferences
– Web Browsing Activity
– Files Opened
– Programs Executed
– Passwords

34. Registry Organization
• Root Keys
  – HKEY_CLASSES_ROOT (HKCR)
    • Contains information so that the correct program opens when executing a file with Windows Explorer.
  – HKEY_CURRENT_USER (HKCU)
    • Contains the profile (settings, etc.) of the user that is logged in.
  – HKEY_LOCAL_MACHINE (HKLM)
    • Contains system-wide hardware settings and configuration information.
  – HKEY_USERS (HKU)
    • Contains the root of all user profiles that exist on the system.
  – HKEY_CURRENT_CONFIG (HKCC)
    • Contains information about the hardware profile used by the computer during start up.
• Sub Keys
  – These are essentially sub-directories that exist under the Root Keys.