Windows Forensic MD Saquib Nasir Khan (JONK) DEA- Data64

CONTENTS
– Recycle Bin Forensics
– Analyzing Prefetch Files
– Analyzing the Hiberfil.sys File
– Analyzing the Paging File
– Analyzing the thumbs.db File
– Registry Analysis

Introduction. Using forensic techniques and tools to gather digital evidence from a device or PC running Microsoft Windows. Different versions of the Windows OS: Windows XP, Vista, 7, 8, 8.1 and 10. With every version, new features of forensic importance have been discovered. Some areas include: the Windows Registry, live acquisition, system files, caches, Prefetch, ADS (alternate data streams), etc.

Recycle Bin Forensics. The RECYCLER folder is used on Windows XP; the $Recycle.Bin folder is used on Windows Vista and Windows 7 (C:\$RECYCLE.BIN, with a “$RECYCLE.BIN” folder on every other drive as well). The subfolder is named with the user’s SID and contains its own INFO file, making it possible to determine which user account was used to delete a file.

When a file is deleted, three steps take place:
– 1) the file’s folder entry is deleted from the folder in which the file resided
– 2) a new folder entry for the file is created in the Recycle Bin
– 3) information about the file is added to a hidden system file named INFO (or INFO2, depending on the Windows version) in the Recycle Bin

Every file sent to the Recycle Bin is renamed in the following format: D[original drive letter of file][index no][original extension]. E.g. hw1.txt residing in C:\My Documents was sent to an empty Recycle Bin; its new name is DC0.txt.

SID. According to the Microsoft Developer Network (2009), the SID is an alphanumeric string that is used by Windows to uniquely identify an object, like a user or a group:
– “S” means the string is a Security Identifier
– “1” refers to the Revision Level (this value has always been 1)
– “5” is the identifier for the Authority Level or “IdentifierAuthority”
– “500” at the end of the string is the Domain or Local Computer Identifier
– The “500” at the end is known as the Relative ID, and in this case “500” means the user is a system administrator

Forensic Importance of SID: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\

SID. If there are three users and four drives, there will be four folders named $Recycle.Bin (one on each drive), and within each of these $Recycle.Bin folders there will be three sub-folders with names that correspond to the SIDs of the three users.

METADATA ANALYSIS. Inside the Recycle Bin folder there are two items:
– DC1.txt and INFO2
– DC1.txt contains the original file
– INFO2 contains the metadata
– There is only one INFO2 file for each user’s Recycle Bin, where all of the metadata for all of the files/folders found in that Recycle Bin is stored.

EXTRA “TRASH” IN THE BIN
– desktop.ini (a hidden Windows system file that provides information to Windows Explorer about how to display the contents of a folder)
– the directory named “.” (dot)
– the “..” (dot-dot) directory

$R-file and $I-file. If a file that is deleted was originally in a folder that no longer exists, how will it be restored? When a folder is sent to the Recycle Bin, it too has the “deleted” and “created” time-stamps, but when it is restored it only retains the “created” time-stamp, and never gains the “modified” or “accessed” time-stamp, unlike what happens with a file. If the restored file is deleted again, a new $I-file and $R-file are generated. There will be an $I-file and $R-file for the folder, and there will also be an $I-file and $R-file for each file that was in the deleted folder.
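The SID slides and the $I/$R slide above can be tied together in one small triage script. The following Python is an added example, not code from the presentation: it splits a $Recycle.Bin sub-folder name into its SID components and names the RID, decodes $I files (the layout assumed here is the documented one: 8-byte version, 8-byte original size, 8-byte FILETIME of the deletion, then the original path, as a fixed 520-byte UTF-16LE field in version 1 on Vista/7 and as a character count plus path in version 2 on Windows 10), and pairs each $I file with its $R file so that orphans stand out. The SID, file names and paths in the sample are constructed, and the extra well-known RIDs (501, 512, 513) are standard Windows values not taken from the slides.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Well-known relative IDs. 500 is the slide's example (built-in Administrator);
# the others are standard Windows values added here for illustration.
WELL_KNOWN_RIDS = {500: "Administrator (built-in)", 501: "Guest (built-in)",
                   512: "Domain Admins", 513: "Domain Users"}


def parse_sid(sid):
    """Split S-<revision>-<authority>-<sub-authorities...>-<RID> into its parts."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID string: {sid!r}")
    numbers = [int(p) for p in parts[1:]]
    return {"revision": numbers[0], "authority": numbers[1],
            "subauthorities": numbers[2:-1], "rid": numbers[-1]}


def describe_rid(rid):
    """Name the account class a RID belongs to (1000 and above: accounts created later)."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "account created after installation" if rid >= 1000 else "other well-known RID"


def filetime_to_datetime(ticks):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_i_file(data):
    """Decode a $I file: version, original size, FILETIME of the deletion, original path."""
    version, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 1:    # Vista/7: fixed 520-byte (260 UTF-16 chars) null-padded path field
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:  # Windows 10: 4-byte character count (incl. terminator), then path
        nchars = struct.unpack_from("<I", data, 24)[0]
        path = data[28:28 + 2 * nchars].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unsupported $I version {version}")
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ticks), "path": path}


def build_i_file(version, size, deleted, path):
    """Construct a $I file for the demo (the inverse of parse_i_file)."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded


def pair_bin_entries(names):
    """Match each $I<id>.<ext> metadata file with its $R<id>.<ext> content file."""
    present = set(names)
    return {n: ("$R" + n[2:] if "$R" + n[2:] in present else None)
            for n in names if n.startswith("$I")}


def triage_recycle_bin(sid_folder, files):
    """files maps name -> bytes for one $Recycle.Bin\\<SID> folder."""
    sid = parse_sid(sid_folder)
    entries = []
    for i_name, r_name in pair_bin_entries(files).items():
        meta = parse_i_file(files[i_name])
        entries.append({**meta, "i_file": i_name, "r_file": r_name, "orphan": r_name is None})
    return {"sid": sid_folder, "rid": sid["rid"], "owner": describe_rid(sid["rid"]),
            "entries": entries}


# Constructed sample: a made-up SID folder with two $I files (one of each version)
# and a content file for only the first, so the second shows up as an orphan.
DELETED_AT = datetime(2020, 1, 1, tzinfo=timezone.utc)
SAMPLE_FOLDER = "S-1-5-21-1111111111-2222222222-3333333333-500"
SAMPLE_FILES = {
    "$IABC123.txt": build_i_file(2, 1234, DELETED_AT, r"C:\Users\alice\Documents\hw1.txt"),
    "$RABC123.txt": b"homework contents",
    "$IXYZ789.pdf": build_i_file(1, 98765, DELETED_AT, r"C:\Users\alice\Downloads\report.pdf"),
    "desktop.ini": b"[.ShellClassInfo]",
}

if __name__ == "__main__":
    report = triage_recycle_bin(SAMPLE_FOLDER, SAMPLE_FILES)
    print(f"{report['sid']} -> RID {report['rid']} ({report['owner']})")
    for e in report["entries"]:
        print(e["i_file"], e["path"], e["size"], e["deleted"].isoformat(),
              "ORPHAN" if e["orphan"] else e["r_file"])
```

On a real image the `files` mapping would be read from the SID sub-folder of $RECYCLE.BIN on each volume; an $I file without a partner is the trace of a file that was restored or emptied, which is the case the slide describes.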

SHADOW COPIES Volume Shadow Copy Service

PREFETCH FILES (SuperFetch). The prefetching process tries to speed up the boot process and application startup. The prefetching process monitors the first 10 seconds of application startup.

Forensic: identify whether the prefetching process has been enabled on the system, from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
– “0” means “disabled”
– “1” means “application launch prefetching enabled”
– “2” means “boot prefetching enabled”
– “3” means “application launch and boot prefetching enabled” (default)

ANALYZING HIBERFIL.SYS FILES. Hibernate is a feature of many computer operating systems where the contents of RAM are written to non-volatile storage such as a hard disk, as a file or on a separate partition, before powering off the computer. The computer uses the Hiberfil.sys file to store a copy of the system memory on the hard disk when the hybrid sleep setting is turned on. The Hiberfil.sys hidden system file is located in the root folder of the drive where the operating system is installed, and the Windows Kernel Power Manager reserves this file when you install Microsoft Windows. The size of this file is approximately equal to the amount of random access memory (RAM) installed on the computer.

ANALYZING PAGING FILES. A page file is a hidden file (or files) on the hard disk that the operating system uses to hold parts of programs and data files that do not fit in memory. Virtual memory comprises the paging file and physical memory, or random access memory (RAM). Windows moves data from the paging file to memory as needed, and it moves data from memory to the paging file to make room for new data. By default, Windows stores the paging file on the boot partition (the partition that contains the operating system and its support files). The default paging file size is equal to 1.5 times the total RAM.

ANALYZING PAGING FILES. The computer can be configured to clear the paging file at shutdown. For this, the ClearPageFileAtShutdown value in the following registry key must be set to 1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

ANALYZING THUMBS.DB FILES. Thumbs.db is a hidden file used by Windows to store thumbnail images of the files in a folder. It is then used to display thumbnails when a folder is in Thumbnails view. Deleting images from a folder does not remove the thumbnail from the thumbs.db database cache. This makes the thumbs.db file useful from a forensic point of view. FTex is a useful utility for thumbs.db analysis.

Registry Hive. The five most hierarchical folders are called hives and begin with HKEY (an abbreviation for Handle to a Key). Although five hives can be seen, only two of these are actually real: HKEY_USERS (HKU) and HKEY_LOCAL_MACHINE (HKLM). The other three are shortcuts or aliases to branches within one of the two hives.

REGISTRY ANALYSIS

The structure of the Registry

REGISTRY ANALYSIS – HIVE KEY: HKEY_LOCAL_MACHINE (HKLM). It is the first master key and contains all of the configuration settings of a computer. When a computer starts up, the local machine settings are loaded before the individual user settings. The HKEY_LOCAL_MACHINE key has the following subkeys: HARDWARE, SAM, SECURITY, SOFTWARE, SYSTEM.

Registry keys of forensic value – MRU. The Most-Recently-Used key maintains a list of recently opened files (e.g. .txt, .pdf, .htm, .jpg) or files saved from within a web browser (including IE and Firefox). OpenSaveMRU contains far more entries related to previously opened or saved files (including the 10 most recent ones): HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

REGISTRY ANALYSIS – Mounted USB Storage Devices: HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR. This key contains additional information about the list of mounted USB storage devices, including external memory cards.

Device ID: the identifier recorded for a specific device. It should be noted that not all USB thumb drives have a serial number.

REGISTRY ANALYSIS – ShutdownTime: HKLM\System\ControlSet001\Control\Windows

Autostart locations. Used by a great many pieces of malware to remain persistent on the victim system. Example: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
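To show how the registry locations named on the Prefetch, paging file, USBSTOR, ShutdownTime and autostart slides are read in practice, here is an added Python example (not code from the presentation) that parses a constructed regedit export and produces a small triage report: it decodes the ShutdownTime FILETIME, reports the prefetch mode and the ClearPageFileAtShutdown setting, recovers vendor, product and serial from each USBSTOR instance key (marking devices that reported no serial number, which Windows identifies with a generated instance ID whose second character is an ampersand), and lists Run entries, flagging those launched from a user-writable path. Vendor names, serials, the user name and the programs in the sample are made up; EnablePrefetcher is the value name Windows uses under PrefetchParameters and is not named on the slide itself.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed regedit export for the demo; the key paths are the ones the slides name,
# everything else (vendors, serials, user, programs) is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows]
"ShutdownTime"=hex:00,00,05,69,36,c0,d5,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters]
"EnablePrefetcher"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0019E06B1234567890AB&0]
"FriendlyName"="Kingston DataTraveler 3.0 USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0]
"FriendlyName"="Generic Flash Disk USB Device"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svc\\update.exe"
"VendorAgent"="\"C:\\Program Files\\VendorAgent\\agent.exe\" /tray"
'''

USBSTOR = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR" + "\\"
MEMMGMT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
SHUTDOWN_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows"
RUN_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
PREFETCH_MODES = {0: "disabled", 1: "application launch prefetching enabled",
                  2: "boot prefetching enabled", 3: "application launch and boot enabled (default)"}


def decode_reg_value(raw):
    """Decode the value syntaxes used here: quoted strings (regedit escapes), dword:, hex:."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex:"):  # single-line form; a real export may wrap long values with '\'
        return bytes(int(b, 16) for b in raw[4:].split(",") if b)
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(["\\])', r"\1", raw[1:-1])
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_value}} for a regedit export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = decode_reg_value(raw)
    return keys


def filetime_to_datetime(raw8):
    """REG_BINARY FILETIME: little-endian count of 100 ns ticks since 1601-01-01 UTC."""
    ticks = struct.unpack("<Q", raw8)[0]
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def usb_devices(keys):
    """Vendor, product, revision and serial for each USBSTOR device instance."""
    devices = []
    for path, values in keys.items():
        rest = path[len(USBSTOR):] if path.startswith(USBSTOR) else ""
        if "\\" not in rest:
            continue  # not an instance key under USBSTOR
        devclass, instance = rest.split("\\", 1)
        fields = dict(p.split("_", 1) for p in devclass.split("&")[1:] if "_" in p)
        # A device that reports no serial number gets a Windows-generated instance ID,
        # recognisable by '&' as its second character.
        generated = len(instance) > 1 and instance[1] == "&"
        devices.append({"vendor": fields.get("Ven"), "product": fields.get("Prod"),
                        "revision": fields.get("Rev"),
                        "serial": None if generated else instance.split("&")[0],
                        "friendly_name": values.get("FriendlyName")})
    return devices


def autostart_entries(keys):
    """Run-key entries, flagging executables that live in a user-writable location."""
    entries = []
    for key in RUN_KEYS:
        for name, cmd in keys.get(key, {}).items():
            exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
            low = exe.lower()
            entries.append({"key": key, "name": name, "command": cmd, "user_writable":
                            any(s in low for s in ("\\appdata\\", "\\temp\\", "\\users\\public\\"))})
    return entries


def triage_report(text):
    """Combine the checks for one exported registry into a single dictionary."""
    keys = parse_reg_export(text)
    shutdown = keys.get(SHUTDOWN_KEY, {}).get("ShutdownTime")
    prefetch = keys.get(MEMMGMT + r"\PrefetchParameters", {}).get("EnablePrefetcher")
    return {"last_shutdown": filetime_to_datetime(shutdown) if shutdown else None,
            "clear_pagefile_at_shutdown": keys.get(MEMMGMT, {}).get("ClearPageFileAtShutdown") == 1,
            "prefetch": PREFETCH_MODES.get(prefetch, f"unknown ({prefetch})"),
            "usb_devices": usb_devices(keys), "autostarts": autostart_entries(keys)}
```

Calling `triage_report(SAMPLE_REG)` on the constructed export yields a last shutdown of 2020-01-01 00:00:00 UTC, prefetch mode 3, paging file not cleared at shutdown, one USB device with a real serial and one without, and three Run entries of which the two under AppData are flagged. The user-writable flag is a triage hint rather than a verdict: legitimately installed software also runs from AppData, so the flagged entries are the ones to look at first, not the ones to condemn.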

Wireless SSIDs (service set identifiers). This shows you which wireless networks you’ve connected to, and if you travel and make use of the ubiquitous wireless hotspots, you’ll see quite a few entries there.

Registry: A Wealth of Information. Information that can be recovered includes:
– System configuration
– Devices on the system
– User names
– Personal settings and browser preferences
– Web browsing activity
– Files opened
– Programs executed
– Passwords

Registry Organization. Root Keys:
– HKEY_CLASSES_ROOT (HKCR): contains the information needed so that the correct program opens when a file is executed from Windows Explorer.
– HKEY_CURRENT_USER (HKCU): contains the profile (settings, etc.) of the user that is logged in.
– HKEY_LOCAL_MACHINE (HKLM): contains system-wide hardware settings and configuration information.
– HKEY_USERS (HKU): contains the root of all user profiles that exist on the system.
– HKEY_CURRENT_CONFIG (HKCC): contains information about the hardware profile used by the computer during start-up.
Sub Keys – these are essentially sub-directories that exist under the Root Keys.