4.6 Attached device analysis

4.6 Attached device analysis. 함다니 꾸스나디, Department of Cyber Police, 10152154

a. Printers

There are a number of keys within the Registry that hold information about the printer drivers that exist in the system. One of these keys is the following:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Printers

This key lists the printer drivers that exist in the system. The investigator can get more information about each printer driver by accessing its PrinterDriverData sub key, for example the installed date and model name, as shown in Figure 17.

Journal of Digital Forensics, Security and Law, Vol. 5(4)

Figure 17: Valuable forensic elements of printer drivers within the Windows Registry

b. USB Devices

Any time a new USB device is connected to the system, it leaves information about that device within the Registry. This information can uniquely identify each USB device connected to the system. The Windows operating system stores the vendor ID, product ID, revision and serial number of each connected USB device. This information can be found in the following Registry key (Carvey & Kleiman, 2007):

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR

Figure 18 shows how information about USB devices is stored in this key.

Figure 18: USB device information within the Windows Registry.


4 Key Artifacts That Need to be Found When Investigating USB Device History

1. The USBSTOR key located in the SYSTEM hive (SYSTEM\CurrentControlSet\Enum\USBSTOR). USBSTOR contains details on the vendor and brand of each USB device connected, along with the serial number of the device, which can be used to match the mounted drive letter, the user, and the first and last connected times of the device.

2. The MountedDevices key (SYSTEM\MountedDevices). This allows investigators to match the serial number to a given drive letter or volume that was mounted when the USB device was inserted. It is possible that the investigator will not be able to identify the drive letter if several USB devices have been added, since each mapped drive letter only records the serial number of the most recently mounted device for that letter.

3. The MountPoints2 key found in a user's NTUSER.dat hive (NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2). This information reveals which user was logged in and active when the USB device was connected. MountPoints2 lists all of the device GUIDs that a particular user connected, so you might need to search through each NTUSER.dat hive on the system to identify which user connected a particular device.

4. The USB key in the SYSTEM hive (SYSTEM\CurrentControlSet\Enum\USB). This key provides investigators with the vendor and product ID for a given device, and also the last time the USB device was connected to the system. Using the last write time of the key named after the device serial number, investigators can identify the last time it was connected.
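The correlation described in the four artifacts above, together with the USBSTOR layout described under "b. USB Devices", as an added example that is not part of the original presentation or of the cited paper. It assumes the relevant keys have already been exported from the SYSTEM and NTUSER.dat hives into plain Python dictionaries by whatever hive parser the investigator uses (python-registry, RegRipper output, etc.); the device names, serial numbers, volume GUIDs, timestamps and user names are constructed sample values. The MountedDevices data format it parses (\??\USBSTOR#<class key>#<serial>&<port>#{interface GUID}, stored as UTF-16LE) is the one Windows writes for USB mass-storage volumes; fixed disks store a binary signature and offset instead and are skipped. The sample deliberately reproduces the caveat in artifact 2: two devices were both mounted as E:, so only the most recent one still has a drive letter, and the older device can only be tied to a user through its volume GUID.

```python
import re
from dataclasses import dataclass, field

# Subkey names under SYSTEM\ControlSet001\Enum\USBSTOR look like
# "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00"; the level below is the serial number.
USBSTOR_CLASS_RE = re.compile(
    r"^(?P<kind>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$")

# MountedDevices data for a USB mass-storage volume, decoded from UTF-16LE:
#   \??\USBSTOR#<class key>#<serial>&<port>#{<device interface GUID>}
MOUNTED_USBSTOR_RE = re.compile(
    r"^\\\?\?\\USBSTOR#(?P<cls>[^#]+)#(?P<serial>[^&#]+)&\d+#\{[0-9a-fA-F-]+\}$")
VOLUME_GUID_RE = re.compile(r"^\\\?\?\\Volume(\{[0-9a-fA-F-]+\})$")   # \??\Volume{GUID}
DOS_DEVICE_RE = re.compile(r"^\\DosDevices\\([A-Z]:)$")               # \DosDevices\E:


@dataclass
class UsbDevice:
    vendor: str
    product: str
    revision: str
    serial: str
    last_write: str                                    # last-write time of the serial subkey
    drive_letters: list = field(default_factory=list)  # from \DosDevices\X: values
    volume_guids: list = field(default_factory=list)   # from \??\Volume{GUID} values
    users: list = field(default_factory=list)          # users whose MountPoints2 lists a GUID


def parse_usbstor_class(name):
    """Split a USBSTOR class subkey name into (vendor, product, revision), or None."""
    m = USBSTOR_CLASS_RE.match(name)
    return (m.group("vendor"), m.group("product"), m.group("rev")) if m else None


def correlate(usbstor, mounted_devices, mountpoints2):
    """Join the artifacts on the device serial number and then on the volume GUID.

    usbstor:         {class_subkey: {serial: last_write_time}}
    mounted_devices: {value_name: raw_value_bytes}
    mountpoints2:    {username: [guid, ...]}  (one entry per NTUSER.dat hive examined)
    Returns {serial: UsbDevice}.
    """
    devices = {}
    for cls_name, serials in usbstor.items():
        parsed = parse_usbstor_class(cls_name)
        if parsed is None:
            continue
        for serial, last_write in serials.items():
            devices[serial] = UsbDevice(*parsed, serial, last_write)

    guid_to_serial = {}
    for value_name, data in mounted_devices.items():
        try:
            text = data.decode("utf-16-le")
        except UnicodeDecodeError:
            continue  # binary fixed-disk entry, not a USB device path
        m = MOUNTED_USBSTOR_RE.match(text)
        if not m or m.group("serial") not in devices:
            continue
        dev = devices[m.group("serial")]
        dm = DOS_DEVICE_RE.match(value_name)
        if dm:
            dev.drive_letters.append(dm.group(1))
        vm = VOLUME_GUID_RE.match(value_name)
        if vm:
            dev.volume_guids.append(vm.group(1))
            guid_to_serial[vm.group(1).lower()] = dev.serial

    # MountPoints2 subkeys are volume GUIDs, so they link a device to a user even
    # when the device's drive letter has since been reassigned to another device.
    for user, guids in mountpoints2.items():
        for guid in guids:
            serial = guid_to_serial.get(guid.lower())
            if serial is not None and user not in devices[serial].users:
                devices[serial].users.append(user)
    return devices


# ---- constructed sample data (not taken from any real system) ----
def _u16(s):
    return s.encode("utf-16-le")

SANDISK_PATH = ("\\??\\USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00#"
                "4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
KINGSTON_PATH = ("\\??\\USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP#"
                 "0019E06B2A3C4D5E6F70&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")

SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00": {"4C530001234567890123": "2016-03-02T09:14:55Z"},
    "Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP": {"0019E06B2A3C4D5E6F70": "2016-02-11T17:40:03Z"},
}
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4007e000000000000"),  # fixed disk, binary
    "\\DosDevices\\E:": _u16(SANDISK_PATH),  # E: now belongs to the most recent device
    "\\??\\Volume{1111aaaa-2222-3333-4444-555566667777}": _u16(SANDISK_PATH),
    "\\??\\Volume{8888bbbb-9999-0000-aaaa-bbbbccccdddd}": _u16(KINGSTON_PATH),
}
SAMPLE_MOUNTPOINTS2 = {
    "alice": ["{1111aaaa-2222-3333-4444-555566667777}"],
    "bob": ["{1111aaaa-2222-3333-4444-555566667777}", "{8888bbbb-9999-0000-aaaa-bbbbccccdddd}"],
}

if __name__ == "__main__":
    for dev in correlate(SAMPLE_USBSTOR, SAMPLE_MOUNTED_DEVICES, SAMPLE_MOUNTPOINTS2).values():
        print(f"{dev.vendor} {dev.product} serial={dev.serial} last_connected={dev.last_write} "
              f"letters={dev.drive_letters or 'none (reassigned)'} users={dev.users}")
```

In the sample, the Kingston device ends up with no drive letter at all, because E: was later given to the SanDisk device; its volume GUID still appears in bob's MountPoints2, which is the only remaining link between that device and a user. On a real case the dictionaries would be filled from the hives, and the last-write timestamps would be taken from the serial-number subkeys under USBSTOR and Enum\USB as the slide describes.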