Ultimately, in a forensic examination, we are investigating the action of a Person
Almost every event or action on a system is the result of a user either doing something
Many events change the state of the Operating System (OS)
OS Forensics helps understand how system changes correlate to events resulting from the action of somebody in the real world
2. Windows Registry
◦ Structure
◦ Properties
◦ Examples
Timeline Analysis
Web Browsers
◦ Internet Explorer
◦ Firefox
4. DOS
◦ config.sys & autoexec.bat
Windows 3.0
◦ INI file
Windows 3.1
◦ Start of the idea of a central repository
Windows 95 and beyond
◦ Establishment and expansion of the registry
5. Registry
◦ A database that stores hardware and software configuration information, network connections, user preferences, and setup information
For investigative purposes, the Registry can contain valuable evidence
To view the Registry, you can use:
◦ Regedit (Registry Editor) program for Windows 9x systems
◦ Regedt32 for Windows 2000 and XP
6. At the physical level
◦ Files called hives
◦ Located in: %SYSTEMROOT%\System32\config
Keys (analogous to folders)
Values (analogous to files)
Hierarchy:
◦ Hives > Keys > Values
9. HKEY_USERS – all loaded user data
HKEY_CURRENT_USER – currently logged on user (NTUSER.DAT)
HKEY_LOCAL_MACHINE – array of software and hardware settings
HKEY_CURRENT_CONFIG – hardware and software settings at start-up
HKEY_CLASSES_ROOT – contains information about which application needs to be used to open files
12. Information that can be recovered includes:
◦ System Configuration
◦ Devices on the System
◦ User Names
◦ Personal Settings and Browser Preferences
◦ Web Browsing Activity
◦ Files Opened
◦ Programs Executed
◦ Passwords
15. The Windows Registry uses an alphanumeric combination to uniquely identify a security principal or security group.
The Security ID (SID) is used to identify the computer system.
The Relative ID (RID) is used to identify the specific user on the computer system.
The SID appears as:
◦ S-1-5-21-927890586-3685698554-67682326-1005
16. SID (security identifier)
◦ Well-known SIDs
SID: S-1-0 Name: Null Authority
SID: S-1-5-2 Name: Network
◦ S-1-5-21-2553256115-2633344321-4076599324-1006
S – the string is a SID
1 – revision number
5 – authority level (from 0 to 5)
21-2553256115-2633344321-4076599324 – domain or local computer identifier
1006 – RID (relative identifier)
Local SAM resolves SIDs for locally authenticated users (not domain users)
◦ Use the Recycle Bin to check for owners
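As an added example, not taken from the slides, the SID breakdown above written as a small Python parser that splits a SID into revision, identifier authority, domain/machine identifier and RID, and labels the well-known ones. The lookup tables are a constructed subset, and the account-SID shape it recognises is the S-1-5-21-…-RID form shown on the slide.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed lookup tables: the two well-known SIDs from the slide plus a few
# other fixed Windows SIDs and RIDs an examiner meets constantly.
WELL_KNOWN_SIDS = {
    "S-1-0": "Null Authority",
    "S-1-1-0": "Everyone",
    "S-1-5-2": "Network",
    "S-1-5-18": "Local System",
}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}

# S-<revision>-<identifier authority, decimal or 0x hex>-<sub-authority>...
_SID_RE = re.compile(r"^S-(\d+)-(0x[0-9A-Fa-f]{1,12}|\d+)((?:-\d+)*)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    def __str__(self) -> str:
        return "S-%d-%d%s" % (self.revision, self.authority,
                              "".join("-%d" % s for s in self.sub_authorities))

    @property
    def is_account_sid(self) -> bool:
        # S-1-5-21-<three machine/domain values>-<RID>, the shape on the slide
        return (self.authority == 5 and len(self.sub_authorities) == 5
                and self.sub_authorities[0] == 21)

    @property
    def domain(self) -> Optional[str]:
        """The machine/domain identifier: everything except the trailing RID."""
        if not self.is_account_sid:
            return None
        return str(Sid(self.revision, self.authority, self.sub_authorities[:-1]))

    @property
    def rid(self) -> Optional[int]:
        return self.sub_authorities[-1] if self.is_account_sid else None


def parse_sid(text: str) -> Sid:
    """Parse and validate a SID string; raises ValueError on malformed input."""
    m = _SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a SID string: %r" % text)
    revision = int(m.group(1))
    auth = m.group(2)
    authority = int(auth, 16) if auth.lower().startswith("0x") else int(auth)
    subs = tuple(int(s) for s in m.group(3).split("-") if s)
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if authority >= 1 << 48:
        raise ValueError("identifier authority is a 48-bit value")
    if len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError("at most 15 sub-authorities, each 32 bits wide")
    return Sid(revision, authority, subs)


def describe_sid(text: str) -> str:
    """One-line interpretation of a SID, as an examiner would note it in a timeline."""
    sid = parse_sid(text)
    name = WELL_KNOWN_SIDS.get(str(sid))
    if name:
        return "%s = well-known SID (%s)" % (sid, name)
    if sid.is_account_sid:
        kind = WELL_KNOWN_RIDS.get(sid.rid)
        if kind is None:
            kind = "user-created account" if sid.rid >= 1000 else "built-in RID"
        return "%s = account in %s, RID %d (%s)" % (sid, sid.domain, sid.rid, kind)
    return "%s = other SID (identifier authority %d)" % (sid, sid.authority)
```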
18. Internet Explorer
◦ IE auto logon and password
◦ IE search terms
◦ IE settings
◦ Typed URLs
◦ Auto-complete passwords
20. A “Most Recently Used List” contains entries made due to specific actions performed by the user. There are numerous MRU list locations throughout various Registry keys.
These lists are maintained in case the user returns to them in the future. Essentially, their function is similar to how the history and cookies act in a web browser.
23. RegRipper is an open-source application for extracting, correlating, and displaying specific information from Registry hive files from the Windows NT (2000, XP, 2003, Vista and 7) family of operating systems.
25. Determined by booting into the BIOS and comparing it with an external source
◦ Radio Signal Clock or Time Server
CMOS Clock
◦ Complementary Metal Oxide Semiconductor Chip (CMOS)
◦ Accessed by most OS to determine the time
26. Embedded within the file system or high level file metadata
Will take into account local time (or not!)
Can confuse an investigation depending on tool configuration and time zone
Will ask for the time from the BIOS CMOS
27. Programs will ask for the time from the OS
They can bypass the OS and ask for the time directly from the BIOS
It’s important to check and understand where a program gets its time details from.
28. MS DOS time/date Format (FAT File System)
Stored as local time
Used for MAC information
32 Bit Structure
◦ Seconds (5 bits from offset 0)
◦ Minutes (6 bits from offset 5)
◦ Hours (5 bits from offset 11)
◦ Days (5 bits from offset 16)
◦ Months (4 bits from offset 21)
◦ Years (7 bits from offset 25)
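An added Python example, not from the deck, that decodes and encodes the 32-bit layout listed above. It assumes the FAT conventions the slide leaves implicit: the 5-bit seconds field holds seconds divided by two, the year field counts from 1980, and no time zone is recorded, so the result is naive local time until the examiner supplies the machine's UTC offset.

```python
import struct
from datetime import datetime, timedelta, timezone


def decode_dos_datetime(value: int) -> datetime:
    """Decode a 32-bit FAT stamp: time word in the low 16 bits, date word in the high
    16 bits, using the bit offsets from slide 28. Returns naive local time."""
    if not 0 <= value < 1 << 32:
        raise ValueError("expected a 32-bit value")
    two_seconds = value & 0x1F          # bits 0-4: seconds / 2 (2-second resolution)
    minutes = (value >> 5) & 0x3F       # bits 5-10
    hours = (value >> 11) & 0x1F        # bits 11-15
    day = (value >> 16) & 0x1F          # bits 16-20
    month = (value >> 21) & 0x0F        # bits 21-24
    year = (value >> 25) & 0x7F         # bits 25-31: years since 1980
    try:
        return datetime(1980 + year, month, day, hours, minutes, two_seconds * 2)
    except ValueError as exc:           # month 0, day 0, hour 31 ... in a damaged entry
        raise ValueError("invalid FAT date/time 0x%08X: %s" % (value, exc)) from exc


def encode_dos_datetime(dt: datetime) -> int:
    """Inverse of decode_dos_datetime; odd seconds are truncated, as FAT does."""
    if not 1980 <= dt.year <= 2107:
        raise ValueError("FAT years span 1980-2107")
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    return (date_word << 16) | time_word


def decode_dos_entry(raw: bytes) -> datetime:
    """Decode the 4 bytes as they sit in a FAT directory entry: little-endian time
    word followed by little-endian date word (bytes 22-25 hold the last-write stamp)."""
    if len(raw) != 4:
        raise ValueError("need exactly 4 bytes")
    time_word, date_word = struct.unpack("<HH", raw)
    return decode_dos_datetime((date_word << 16) | time_word)


def dos_stamp_to_utc(value: int, utc_offset_hours: float) -> datetime:
    """Apply the examiner's knowledge of the machine's zone: UTC = local - offset."""
    local = decode_dos_datetime(value)
    return (local - timedelta(hours=utc_offset_hours)).replace(tzinfo=timezone.utc)
```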
29. 64 bit number measuring the number of 100ns intervals since 00:00:00, 1st Jan, 1601
◦ 58,000 year lifetime
Stored in the MFT – MAC
30. 32-bit value
Number of seconds elapsed since
◦ 1st January 1970, 00:00:00 GMT
Limit
◦ Monday, December 2nd, 2030 and 19:42:58 GMT
31. Coordinated Universal Time (UTC)
◦ Effectively the same as GMT
Modern OS calculate the difference between local time and UTC and store the time/date as UTC
32. 00 DB A2 F7 5C B1 C5 01 (Localtime)
◦ 127703177299680000
00 7B B4 7E 7E B1 C5 01 (GMT)
◦ 127703321299680000
Difference:
◦ 144,000,000,000
Verify:
◦ 144,000,000,000 * 0.0000001 = 14,400
◦ 100 ns = 10 millionth of a second
◦ 3,600 s in 1 hour; 14,400 s in 4 hours
◦ = 4 hours
33. ME/XP/Vista/Windows 7
◦ HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation\Bias
ActiveTimeBias
◦ Amount of time (+ or -) to add to UTC
◦ StandardName – Time Zone
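An added Python example (not part of the deck) that rebuilds the slide 32 values from their hex dumps, checks the 4-hour difference, converts FILETIME to a calendar date and to the Unix format of slide 30, and applies an ActiveTimeBias from slide 33. The bias of 240 minutes is an assumption chosen to match the 4-hour gap on the slide; the block also computes when a signed 32-bit Unix counter runs out.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # one FILETIME tick is 100 ns
EPOCH_GAP_SECONDS = 11_644_473_600     # seconds from 1601-01-01 to 1970-01-01


def filetime_from_hexdump(text: str) -> int:
    """8 bytes as a hex viewer shows them ("00 DB A2 F7 5C B1 C5 01") -> 64-bit
    FILETIME. The value is stored little-endian, so the last byte is the most
    significant one."""
    raw = bytes.fromhex(text)
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    return struct.unpack("<Q", raw)[0]


def filetime_to_datetime(ft: int) -> datetime:
    """Ticks since 1601 (UTC) -> aware datetime; ticks below 1 us are dropped."""
    if not 0 <= ft < 1 << 63:
        raise ValueError("FILETIME is a non-negative 63-bit value")
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def filetime_to_unix(ft: int) -> int:
    """Whole seconds since 1970 for the same instant (the slide 30 format)."""
    return ft // TICKS_PER_SECOND - EPOCH_GAP_SECONDS


def unix_to_datetime(seconds: int) -> datetime:
    return UNIX_EPOCH + timedelta(seconds=seconds)


def difference_hours(ft_a: int, ft_b: int) -> float:
    """The slide 32 check: hours separating two FILETIME values."""
    return (ft_b - ft_a) / (3600 * TICKS_PER_SECOND)


def local_from_utc(ft_utc: int, active_time_bias_minutes: int) -> int:
    """Apply the ActiveTimeBias value (minutes) from TimeZoneInformation. Windows
    defines the bias so that UTC = local + bias, hence local = UTC - bias;
    a zone four hours behind UTC therefore carries a bias of +240."""
    return ft_utc - active_time_bias_minutes * 60 * TICKS_PER_SECOND


# The two values from slide 32, rebuilt from their hex dumps.
LOCAL_FT = filetime_from_hexdump("00 DB A2 F7 5C B1 C5 01")
GMT_FT = filetime_from_hexdump("00 7B B4 7E 7E B1 C5 01")

if __name__ == "__main__":
    print(LOCAL_FT, GMT_FT, GMT_FT - LOCAL_FT, difference_hours(LOCAL_FT, GMT_FT))
    print(filetime_to_datetime(GMT_FT).isoformat())
    print(local_from_utc(GMT_FT, 240) == LOCAL_FT)   # assumed bias of 240 min
    print(unix_to_datetime(2 ** 31 - 1).isoformat())  # signed 32-bit counter limit
```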
38. The major browsers (most to least-used):
◦ Internet Explorer – 61.58%
◦ Mozilla Firefox – 24.23%
◦ Everything else! – 14.19% (Hitslink.com – February 2010)
39. Stores files used in displaying web pages (cache), tracking pages visited (history) and automatic identification / authentication (cookies, credentials)
• Viewed pages retrieve their page code and embedded files (such as graphics) from the hard drive rather than the server, so the page loads faster (cache)
• Able to see a record of recently visited pages (history)
• No need to sign in again at sites that require it, or to specify preferences again (cookies and credentials). Cookies are also used by the visited site and other sites to track web browsing, which is a privacy discussion on its own.
40. For the subject's browsing history (index.dat and the cache files themselves – in subdirectories), use Windows Explorer to look in
C:\Documents and Settings\<subject User’s ID>\Local Settings\Temporary Internet Files\Content.IE5
C:\Users\<subject User’s ID>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
41. For the subject's browsing history (index.dat without the cache files), use a browser (NOT Windows Explorer) or command prompt to look in
C:\Documents and Settings\<subject User’s ID>\Local Settings\History\History.IE5
Daily history:
MSHist01(start)YYYYMMDD(end)YYYYMMDD
Weekly history:
MSHist01(start)YYYYMMDD(end)YYYYMMDD
43. Index.dat record layout (figure): start of record, last modified timestamp, last accessed timestamp, start of URL, cached file name, start of HTTP header, start of user name
44. In IE6, when you select Delete Files, the cache files are deleted from the hard drive, but the entries in index.dat are marked “free” and NOT removed!
IE7 & 8 are more thorough – selecting Delete Files removes both the files and the entries in index.dat (although you can restore the files themselves as they are not overwritten)
45. • InPrivate does make the forensic examiner’s job more difficult by not recording items such as typed addresses, visited links, and forms, queries and passwords entered, including not recording the “host records” (URLs) in index.dat. It also deletes the contents of Temporary Internet Files when the “subject” exits the browsing session.
• However, items (such as the cached filename and page header information) are still dutifully written to index.dat, making it still possible for an investigator to infer where the “subject” has been surfing.
46. For cookies saved on the subject's hard drive (individual cookie text files), use Windows Explorer to look in
C:\Documents and Settings\<subject User’s ID>\Cookies
47. Stores encrypted userIDs and passwords (AutoComplete) in
HKCU\Software\Microsoft\Internet Explorer\IntelliForms\SPW, and web addresses in
HKLM\Software\Microsoft\Protected Storage System Provider\<subject’s user ID>
48. Stores encrypted userIDs and passwords (AutoComplete) in
HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Encryption has been improved
49. A tool that allows you to take a given index.dat file and parse it into a readable / exportable format
Available at http://www.mandiant.com/webhistorian.htm
51. Pasco is another tool for analysis of the index.dat files, but this one also runs on Unix, which is another environment where you may be running other forensics tools
Does basically the same operation as Web Historian, outputting to delimited text files that can be imported elsewhere
53. From the command line (Unix or Windows):
galleta <option> (filename)
Option: -t (column delimiter – defaults to tab)
Use > to redirect output into a file
54. IE PassView reads the stored Internet Explorer credentials from the Windows Registry and returns the website, userID and password in columnar format
Note that this will obtain the user credentials, but not other autocomplete information such as form fields
You will have to run it on the subject's computer – not a very good idea, so create a (forensic) working copy and run it from there
55. Open source web browser
Evolved from the Netscape Navigator web browser
Support for images, frames, SSL and javascript
Full disk cache support
56. Firefox stores its history, downloads, form fields, cookies, and Identification / Authentication files in the same location:
C:\Documents and Settings\<subject User’s ID>\Application Data\Mozilla Firefox\Profiles\<seemingly random characters>.default (Windows XP) or
C:\Users\<subject User’s ID>\AppData\Local\Mozilla Firefox\Profiles\<seemingly random characters>.default (Windows Vista, 7 and 2008)
57. Firefox stores its cache files in a different location:
C:\Documents and Settings\<subject User’s ID>\Local Settings\Application Data\Mozilla Firefox\Profiles\<seemingly random characters>.default\Cache (Windows XP) or
C:\Users\<subject User’s ID>\AppData\Local\Mozilla Firefox\Profiles\<seemingly random characters>.default\Cache (Windows Vista, 7)
58. Software library that implements a transactional SQL Database Engine
Used by Firefox to store information in the files we discussed before
Unlike with earlier Firefox versions, the text in SQLite format can be read easily within Firefox
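An added example, not part of the deck, of reading that SQLite history with Python's sqlite3 module on a working copy of the profile. The table and column names (moz_places, moz_historyvisits, visit_date as microseconds since 1970) are Firefox's own; the in-memory database and its three visits are constructed for the demonstration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def prtime_to_datetime(microseconds: int) -> datetime:
    """Firefox stores visit_date as PRTime: microseconds since 1970, in UTC."""
    return UNIX_EPOCH + timedelta(microseconds=microseconds)


def to_prtime(dt: datetime) -> int:
    return (dt - UNIX_EPOCH) // timedelta(microseconds=1)


def open_readonly(path: str) -> sqlite3.Connection:
    """Open a copied places.sqlite without altering it: mode=ro refuses writes and
    immutable=1 stops SQLite from creating or replaying journal/WAL files."""
    return sqlite3.connect("file:%s?mode=ro&immutable=1" % path, uri=True)


def history_rows(conn: sqlite3.Connection) -> List[Tuple[datetime, str, str]]:
    """Join each visit to its URL and title, oldest first."""
    sql = """SELECT v.visit_date, p.url, p.title
             FROM moz_historyvisits AS v
             JOIN moz_places AS p ON p.id = v.place_id
             ORDER BY v.visit_date"""
    return [(prtime_to_datetime(d), url, title or "")
            for d, url, title in conn.execute(sql)]


def visits_between(conn: sqlite3.Connection, start: datetime,
                   end: datetime) -> List[Tuple[datetime, str]]:
    """Narrow to a window of interest; the comparison runs in PRTime units in SQL."""
    sql = """SELECT v.visit_date, p.url
             FROM moz_historyvisits AS v
             JOIN moz_places AS p ON p.id = v.place_id
             WHERE v.visit_date >= ? AND v.visit_date < ?
             ORDER BY v.visit_date"""
    params = (to_prtime(start), to_prtime(end))
    return [(prtime_to_datetime(d), url) for d, url in conn.execute(sql, params)]


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for places.sqlite with only the columns used above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY,
                                        place_id INTEGER, visit_date INTEGER);
    """)
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", [
        (1, "https://example.test/login", "Sign in"),
        (2, "https://example.test/docs", None),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?)", [
        (1, 1, 1266241530000000),   # 2010-02-15 13:45:30 UTC
        (2, 2, 1266245130000000),   # one hour later
        (3, 1, 1266248730000000),   # two hours later, the login page again
    ])
    return conn
```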
61. On Firefox, the cache information is stored across 3 types of files: one (1) cache map file, three (3) cache block files, and as many additional cache data files as required to store additional cache data
62. In Firefox, the situation is skewed much more in favor of the subject. Going to Tools and selecting Clear Private Data deletes not only the cache files, but handily removes the cache map and cache block files, so tying the files (assuming you could recover them) to the cache map and blocks becomes quite a bit more difficult
65. Firefox gives you the option to save your often-used userIDs and passwords that you utilize to access websites
Unfortunately for the forensic investigator, the subject may specify a Master password, which prevents access to all the other passwords
FireMaster cracks this master password, allowing you to access the password list in the browser or via FirePassword
66. Used with or without the Master Password (depending on if it’s been set) to see the websites your subject visited and the userIDs and passwords s/he used to get in
Much quicker than FireMaster, as you either don’t have a Master Password or have already specified it!