Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence.

Evidence in Software Key:
HKLM\SOFTWARE (hive file: %SystemRoot%\system32\config\software)
Installed software
Other locations for installed software
–HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
–HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Evidence in Software Key:
Last Logon
–HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Banners
–HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Action Center & Firewall Settings:
Action Center
–Advises the user if the firewall is off, anti-virus is not installed or out of date, or if updates are not turned on or out of date
–Settings stored in: HKLM\SOFTWARE\Microsoft\Security Center OR HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ActionCenter

Windows XP Security Center Settings:
Value                   Data  Description
AntiVirusDisableNotify  0     User will be notified.
AntiVirusDisableNotify  1     User will not be notified.
FirewallDisableNotify   0     User will be notified.
FirewallDisableNotify   1     User will not be notified.
UpdatesDisableNotify    0     User will be notified.
UpdatesDisableNotify    1     User will not be notified.

Windows 7 Action Center Settings:
Key Name  Function
100       Virus protection
101       Network firewall
102       Spyware and related protection
103       Windows updates
104       Internet security alerts
Registry Key Prefix  Description
                     Notification Disabled
                     Notification Enabled

Security Center & Firewall Settings:
Windows Firewall
–Released with XP Service Pack 2
–Firewall is on by default
–Powerful logging utility, but it is off by default in Windows XP
Settings stored in registry
–HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

Firewall Settings:
Settings stored in registry
–Subkey “DomainProfile” for domain
–Subkey “StandardProfile” for local machine
–Subkeys under each of the above: “AuthorizedApplications”, “GloballyOpenPorts”
–Subkey under each of the above: “List” – lists settings in plain text
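The “List” values are plain text, so they can be parsed without any special tooling. The following is an added example (not code from the book or its slides) that parses constructed AuthorizedApplications and GloballyOpenPorts entries and flags the ones an examiner would look at first. The entry formats (`path:scope:Enabled:name` and `port:protocol:scope:Enabled:name`) are assumed from the XP SP2 firewall conventions, the sample entries are made up, and the “expected directories” triage rule is a hypothetical heuristic.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of the plain-text "List" values (value name -> value data) under
# ...\FirewallPolicy\StandardProfile\AuthorizedApplications\List and
# ...\FirewallPolicy\StandardProfile\GloballyOpenPorts\List.
# Entry formats are assumed from the XP SP2 firewall conventions; the entries are made up.
SAMPLE_AUTHORIZED_APPS: Dict[str, str] = {
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\Users\Public\update.exe":
        r"C:\Users\Public\update.exe:*:Enabled:svchost",
    r"C:\Program Files\Old\tool.exe":
        r"C:\Program Files\Old\tool.exe:*:Disabled:Old tool",
}
SAMPLE_OPEN_PORTS: Dict[str, str] = {
    "3389:TCP": "3389:TCP:*:Enabled:@xpsp2res.dll,-22009",
    "4444:TCP": "4444:TCP:*:Enabled:listener",
    "137:UDP": "137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001",
}


@dataclass
class AppRule:
    path: str
    scope: str      # "*" (any remote address) or a scope such as LocalSubNet
    enabled: bool
    name: str


@dataclass
class PortRule:
    port: int
    protocol: str
    scope: str
    enabled: bool
    name: str


def parse_app_entry(data: str) -> AppRule:
    """Parse 'path:scope:Enabled|Disabled:display name'. The drive-letter colon is kept out of
    the split so that a display name containing ':' still parses correctly."""
    drive, rest = "", data
    if len(data) > 2 and data[1] == ":" and data[2] == "\\":
        drive, rest = data[:2], data[2:]
    path, scope, state, name = rest.split(":", 3)
    return AppRule(drive + path, scope, state.lower() == "enabled", name)


def parse_port_entry(data: str) -> PortRule:
    """Parse 'port:protocol:scope:Enabled|Disabled:display name'."""
    port, proto, scope, state, name = data.split(":", 4)
    return PortRule(int(port), proto.upper(), scope, state.lower() == "enabled", name)


# Hypothetical triage heuristic: an enabled application exception whose binary lives outside
# the usual program directories deserves a closer look.
EXPECTED_DIRS = (r"c:\program files", r"c:\windows")


def unusual_app_rules(values: Dict[str, str]) -> List[AppRule]:
    rules = [parse_app_entry(v) for v in values.values()]
    return [r for r in rules if r.enabled and not r.path.lower().startswith(EXPECTED_DIRS)]


def enabled_ports(values: Dict[str, str]) -> List[PortRule]:
    return [r for r in (parse_port_entry(v) for v in values.values()) if r.enabled]


if __name__ == "__main__":
    for r in unusual_app_rules(SAMPLE_AUTHORIZED_APPS):
        print("unusual app exception:", r.path, "(%s)" % r.name)
    for p in enabled_ports(SAMPLE_OPEN_PORTS):
        print("open port:", p.port, p.protocol, "scope", p.scope, "(%s)" % p.name)
```

Built-in Windows exceptions typically carry a resource-string name such as `@xpsp2res.dll,-22009`; a free-text name on an enabled rule with scope `*` is a useful first filter when reviewing an unfamiliar system.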

Restore Point Registry Hive Files:
Restore points started with XP / ME
Snapshot of system files taken every 24 hrs or when software installed, update installed, or when unsigned driver installed – User can create!
Stored for up to 90 days if disk space available

Restore Point Registry Hive Files:
Settings stored in registry at:
–HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
Restore points stored in
–C:\System Volume Information\restore{GUID}\RP##
–## is the sequential number of the restore point

Restore Point Registry Hive Files:
Registry hive files stored under the snapshot folder are renamed:
Hive File Name  Restore Point Hive Filename
SAM             _REGISTRY_MACHINE_SAM
SECURITY        _REGISTRY_MACHINE_SECURITY
SOFTWARE        _REGISTRY_MACHINE_SOFTWARE
SYSTEM          _REGISTRY_MACHINE_SYSTEM
NTUSER.DAT      _REGISTRY_USER_NTUSER_SID

Volume Shadow Copy Service
Greater number of file types are tracked in VSC – Entire Volume!
Every file that changed since the last snapshot is included in the VSC restore point
Still located in the System Volume Information folder but with a different name

Volume Shadow Copy Service
Registry key tracking the monitored volumes: HKLM\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients\{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}
Access VSC by using the vssadmin command and creating a symbolic link
Then conduct analysis as if the data were its own logical volume

Security Identifiers:
SID is a security identifier
SID is a unique identifier in that no two SIDs
Windows grants or denies access and privileges to system objects based on access control lists (ACLs), which in turn use the SID as a means of identifying users, groups, and machines, since each has its own unique SID

Security Identifiers:
SID-to-user mapping is stored in the SAM for a local logon
In a domain, SID-to-user resolution is stored in Active Directory on the Domain Controller
Backdoor to resolving SID to user in a domain setting at key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
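SIDs appear in binary form inside the SAM and SECURITY hives and as text subkey names under ProfileList, so an examiner needs to move between the two. The following is an added example (not the book's or slides' code) that decodes the documented binary SID layout (revision byte, sub-authority count byte, 48-bit big-endian identifier authority, 32-bit little-endian sub-authorities), labels a few well-known SIDs and RIDs, and resolves a SID to a user name from the ProfileImagePath under ProfileList in the way the slide describes. The ProfileList contents and the SID values are constructed samples.

```python
import struct
from typing import Dict, Optional


def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID: revision, sub-authority count, 48-bit identifier authority
    (big-endian), then N 32-bit little-endian sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; used here to build the constructed sample bytes."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


# Well-known SIDs and RIDs that identify built-in principals regardless of the machine.
WELL_KNOWN = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService", "S-1-5-20": "NetworkService"}


def describe_sid(sid: str) -> str:
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    if sid.startswith("S-1-5-21-"):          # local machine or domain account SID
        rid = int(sid.rsplit("-", 1)[1])     # relative identifier = last sub-authority
        if rid == 500:
            return "built-in Administrator"
        if rid == 501:
            return "built-in Guest"
        if rid >= 1000:
            return "user-created account (RID %d)" % rid
    return "other"


# Constructed sample of ProfileList\<SID>\ProfileImagePath values; not real data.
SAMPLE_PROFILE_LIST: Dict[str, str] = {
    "S-1-5-18": r"%systemroot%\system32\config\systemprofile",
    "S-1-5-21-1234567890-123456789-1234567-500": r"C:\Users\Administrator",
    "S-1-5-21-1234567890-123456789-1234567-1001": r"C:\Users\alice",
}


def resolve_profile(sid: str, profile_list: Dict[str, str]) -> Optional[str]:
    """Map a SID to the user name implied by its profile folder, or None if no profile exists
    (an account that never logged on interactively has no ProfileList entry)."""
    path = profile_list.get(sid)
    if path is None:
        return None
    return path.rstrip("\\").rsplit("\\", 1)[-1]


# Constructed binary SID for the sample user-created account.
SAMPLE_SID_BYTES = string_to_sid("S-1-5-21-1234567890-123456789-1234567-1001")

if __name__ == "__main__":
    sid = sid_to_string(SAMPLE_SID_BYTES)
    print(sid, "->", describe_sid(sid), "/ profile:", resolve_profile(sid, SAMPLE_PROFILE_LIST))
```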

User Activities:
NTUSER.DAT contains user-specific settings about installed software
For pre-IE7, the Protected Storage System Provider contains encrypted values for MSIE “Autocomplete” and stored user names and passwords
For post-IE7, autocomplete information is stored in IntelliForms
–HKCU\Software\Microsoft\Internet Explorer\IntelliForms\

User Activities:
MRUs (“most recently used”)
–RunMRU
–MRUList
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
HKCU\Software\Microsoft\Internet Explorer\TypedURLs

User Activities:
UserAssist key
–HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
–Value names under “Count” are stored in ROT13
–Second DWORD value is the count, starting at 5 (Windows XP, Vista, 2003, 2008) or 1 (Windows 7)
–Last eight bytes are a 64-bit Windows timestamp indicating the last time the user launched the program

LSA Secrets:
LSA stands for Local Security Authority
SECURITY\Policy\Secrets
Contains security information regarding various service accounts and other accounts necessary for Windows and is stored by the service control manager
Tools to extract:
–Lsadump2.exe
–Cain

IP Addresses:
Stored in registry at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Subkeys are interfaces and appear with GUID names
Static vs Dynamic addresses
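Whether an interface was statically configured or received a DHCP lease changes which values carry the address evidence. The following is an added example (not from the book or slides) that classifies constructed per-interface value sets the way an examiner would read them: `EnableDHCP` decides the mode, `DhcpIPAddress`/`DhcpServer`/`LeaseObtainedTime` (Unix epoch seconds) describe a lease, and `IPAddress`/`DefaultGateway` describe a static configuration. The value names follow the real Tcpip Parameters layout; the GUIDs, addresses and times are made up.

```python
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Constructed sample of the per-interface values under
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}.
# Value names are the real ones; GUIDs, addresses and lease times are made up.
SAMPLE_INTERFACES: Dict[str, Dict[str, Any]] = {
    "{3B1E6D62-0000-4000-8000-00000000AAAA}": {
        "EnableDHCP": 1,
        "IPAddress": ["0.0.0.0"],             # static list is a placeholder when DHCP is on
        "DhcpIPAddress": "192.168.1.57",
        "DhcpSubnetMask": "255.255.255.0",
        "DhcpServer": "192.168.1.1",
        "LeaseObtainedTime": 1300000000,      # seconds since 1970-01-01 UTC
        "LeaseTerminatesTime": 1300086400,
    },
    "{3B1E6D62-0000-4000-8000-00000000BBBB}": {
        "EnableDHCP": 0,
        "IPAddress": ["10.0.0.5"],
        "SubnetMask": ["255.255.255.0"],
        "DefaultGateway": ["10.0.0.1"],
    },
    "{3B1E6D62-0000-4000-8000-00000000CCCC}": {
        "EnableDHCP": 1,                      # DHCP enabled but no lease ever recorded
        "IPAddress": ["0.0.0.0"],
    },
}


def epoch_to_iso(seconds: int) -> str:
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def _first_real(addresses: List[str]) -> Optional[str]:
    """Return the first address that is not the 0.0.0.0 placeholder."""
    real = [a for a in addresses if a and a != "0.0.0.0"]
    return real[0] if real else None


def summarize_interface(guid: str, values: Dict[str, Any]) -> Dict[str, Any]:
    """Classify one interface subkey as static or dynamic and extract the address evidence."""
    row: Dict[str, Any] = {"interface": guid, "address": None, "gateway": None,
                           "dhcp_server": None, "lease_obtained_utc": None,
                           "lease_expires_utc": None}
    if values.get("EnableDHCP", 0) == 1:
        address = values.get("DhcpIPAddress")
        row["mode"] = "dynamic" if address else "dynamic (no lease recorded)"
        row["address"] = address
        row["dhcp_server"] = values.get("DhcpServer")
        if "LeaseObtainedTime" in values:
            row["lease_obtained_utc"] = epoch_to_iso(values["LeaseObtainedTime"])
        if "LeaseTerminatesTime" in values:
            row["lease_expires_utc"] = epoch_to_iso(values["LeaseTerminatesTime"])
    else:
        row["mode"] = "static"
        row["address"] = _first_real(values.get("IPAddress", []))
        row["gateway"] = _first_real(values.get("DefaultGateway", []))
    return row


def summarize_all(interfaces: Dict[str, Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [summarize_interface(guid, vals) for guid, vals in interfaces.items()]


if __name__ == "__main__":
    for row in summarize_all(SAMPLE_INTERFACES):
        print(row["interface"], row["mode"], row["address"], row["dhcp_server"],
              row["lease_obtained_utc"])
```

A DHCP lease timestamp is useful beyond the address itself: it ties the host to a particular DHCP server and time window, which can be correlated with the server's own lease logs.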

Time Zone Offsets:
NTFS stores timestamps in GMT
Windows displays time to the user based on the local host time zone offset.
Time zone offset stored in registry
–HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
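The UserAssist and time zone slides above fit together: UserAssist stores a 64-bit Windows FILETIME (100-nanosecond ticks since 1601-01-01, in GMT), and TimeZoneInformation supplies the offset needed to state it in the time the user actually saw. The following is an added example (not from the book or slides) that decodes a constructed 16-byte UserAssist “Count” entry in the XP/Vista/2003/2008 layout the slide describes (session DWORD, raw count DWORD, FILETIME in the last eight bytes), un-ROT13s the value name, subtracts the count base of 5 that the slide gives, and converts the FILETIME to local time using the `ActiveTimeBias` value (minutes to add to local time to get UTC). The 72-byte Windows 7 layout is not handled and is rejected by a length check; the value name, data and time zone values are constructed samples.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Any, Dict

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """Convert a 64-bit Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_userassist(value_name: str, data: bytes, count_base: int) -> Dict[str, Any]:
    """Decode one 16-byte UserAssist Count entry (XP/Vista/2003/2008 layout):
    DWORD session, DWORD raw count, QWORD FILETIME of the last launch.
    count_base is the value the raw counter starts from (5 on those systems per the slide),
    so the number of launches is raw - base. Other sizes (the Windows 7 layout) are rejected."""
    if len(data) != 16:
        raise ValueError("expected the 16-byte UserAssist layout, got %d bytes" % len(data))
    session, raw_count, ft = struct.unpack("<IIQ", data)
    return {
        "program": codecs.decode(value_name, "rot_13"),   # value names are ROT13-obfuscated
        "session": session,
        "launches": max(raw_count - count_base, 0),
        "last_run_utc": filetime_to_utc(ft) if ft else None,  # zero FILETIME = never recorded
    }


def utc_to_local(utc_dt: datetime, active_time_bias_minutes: int) -> datetime:
    """Apply TimeZoneInformation\\ActiveTimeBias. The bias is stored so that
    UTC = local + bias, therefore local = UTC - bias (300 means UTC-5)."""
    local_tz = timezone(timedelta(minutes=-active_time_bias_minutes))
    return utc_dt.astimezone(local_tz)


# Constructed sample entry: ROT13 of "UEME_RUNPATH:C:\Users\Public\update.exe",
# raw count 8, FILETIME equal to 2011-03-13 07:06:40 UTC. Not real evidence.
SAMPLE_VALUE_NAME = r"HRZR_EHACNGU:P:\Hfref\Choyvp\hcqngr.rkr"
SAMPLE_DATA = struct.pack("<IIQ", 1, 8, 129444736000000000)
# Constructed TimeZoneInformation values for a host set to US Eastern standard time.
SAMPLE_TIMEZONE = {"Bias": 300, "ActiveTimeBias": 300, "StandardName": "Eastern Standard Time"}


def report(value_name: str, data: bytes, tz_values: Dict[str, Any], count_base: int = 5) -> Dict[str, Any]:
    """Decode the entry and add the last-run time as the user would have seen it."""
    entry = decode_userassist(value_name, data, count_base)
    if entry["last_run_utc"] is not None:
        entry["last_run_local"] = utc_to_local(entry["last_run_utc"], tz_values["ActiveTimeBias"])
    return entry


if __name__ == "__main__":
    e = report(SAMPLE_VALUE_NAME, SAMPLE_DATA, SAMPLE_TIMEZONE)
    print(e["program"], "launched", e["launches"], "times; last at",
          e["last_run_utc"].isoformat(), "UTC /", e["last_run_local"].isoformat(), "local")
```

Report both the GMT value and the converted local value in findings; the registry bias reflects the host's configuration at imaging time, which may differ from the offset in force when the entry was written.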

Startup Locations:
Many locations within Windows where programs or code run at Windows boot, user logon, etc.
Registry alone contains dozens of locations and methods
Windows configuration files can also be used to run code
List of these locations is extensive

Startup Locations:
If you know what the bad code is and its file name, it’s easier to search the registry and Windows configuration files for the file name
When unknown, use tools such as
–EnCase Scan Registry EnScript
–Autoruns by Sysinternals

Where are auditing settings stored?
In most cases you won’t be able to open the Local Security Settings (LSS) applet to determine the auditing level on a live system
Stored in registry: HKLM\SECURITY\Policy\PolAdtEv