OS and Application Files BACS 371 Computer Forensics.

Software
- Operating Systems
  - Recycle Bin
  - Temp Directory
  - Backup Files
  - Printer Spool Files
  - Windows Registry
  - Swapping/Paging
- Applications
  - Temporary Internet Files
  - Temp Files
  - Application Specific Files

Recycle Bin (pre-Vista)
- When you delete a file in Windows Explorer or My Computer, the file appears in the Recycle Bin. The file remains there until you empty the Recycle Bin or restore the file.
- Older files are also removed from the Recycle Bin when newer files are deleted and the Recycle Bin exceeds the maximum size allocated in its properties.
- Each hard disk contains a hidden folder named Recycled. This folder contains files deleted in Windows Explorer, My Computer, or Windows-based programs.
- When you delete a file, the complete path and file name are stored in a hidden file on the computer. This file has different names and locations depending on the OS; in the Recycled folder it is called INFO or INFO2.
- The deleted file is renamed using the syntax D<drive letter><index>.<original extension>, where the index counts from 0.
- Examples:
  - New file name: Dc1.txt (C drive, second file deleted, a .txt file). INFO file path: C:\Windows\Desktop\Books.txt
  - New file name: De7.doc (E drive, eighth file deleted, a .doc file). INFO file path: E:\Winword\Letter to Rosemary.doc

Recycle Bin (Vista & Windows 7)
- In Windows 7 and Vista, Microsoft did away with the INFO2 file and completely changed the way files are named and indexed within the Recycle Bin.
- The new Recycle Bin is located in a hidden directory named \$Recycle.Bin\%SID%, where %SID% is the SID of the user that performed the deletion.
- When a file is moved into the Recycle Bin, the original file is renamed to $R followed by a set of random characters, keeping the original file extension. At the same time a new file beginning with $I, followed by the same set of random characters and the same extension, is created; this file contains the original file name and path, the original file size, and the date and time the file was moved to the Recycle Bin.
- All of the $I files are exactly 544 bytes long.
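As an added example (not code from the slides), the following Python script applies both naming schemes described above: it decodes a pre-Vista D<drive><index>.<ext> name and parses a Vista/7 $I record. The slides give only the $I record's size (544 bytes) and what it contains; the field layout used here (an 8-byte header value of 1, the 8-byte original size, an 8-byte FILETIME deletion time, then a 520-byte NUL-padded UTF-16LE path) is assumed from published analyses of the format, not from the slides, and the sample record is constructed inline from the slide's own example path.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# ---- Pre-Vista: decode the D<drive><index>.<ext> name given to a recycled file ----

D_NAME_RE = re.compile(r"^D([A-Za-z])(\d+)(\.[^.]*)?$")

def decode_recycled_name(name):
    """Split a pre-Vista Recycled name such as 'Dc1.txt' into drive, index and extension.

    The index is zero-based: Dc1.txt is the second file deleted from drive C,
    which is how the slide's own examples read.
    """
    m = D_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a pre-Vista Recycled file name: {name!r}")
    drive, index, ext = m.group(1).upper(), int(m.group(2)), m.group(3) or ""
    return {"drive": drive, "index": index, "ordinal": index + 1, "extension": ext}

# ---- Vista/7: parse a $I record ----

I_RECORD_SIZE = 544   # fixed size stated on the slide
I_PATH_BYTES = 520    # 260 UTF-16LE characters; the field layout is an assumption, see lead-in
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; only used to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_i_record(data):
    """Return original path, original size and deletion time from a 544-byte $I record."""
    if len(data) != I_RECORD_SIZE:
        raise ValueError(f"expected a {I_RECORD_SIZE}-byte $I record, got {len(data)} bytes")
    version, original_size, ft = struct.unpack_from("<QQQ", data, 0)
    if version != 1:
        raise ValueError(f"unexpected $I header value {version}; only the Vista/7 layout is handled")
    raw_path = data[24:24 + I_PATH_BYTES].decode("utf-16-le")
    return {
        "original_path": raw_path.split("\x00", 1)[0],   # the field is NUL padded
        "original_size": original_size,
        "deleted_at": filetime_to_datetime(ft),
    }

def companion_r_name(i_name):
    """The $R file holding the content shares the random characters and extension of its $I file."""
    if not i_name.startswith("$I"):
        raise ValueError(f"not a $I file name: {i_name!r}")
    return "$R" + i_name[2:]

def build_sample_i_record(path, size, deleted_at):
    """Construct a $I record with the assumed layout (demonstration input only)."""
    encoded = path.encode("utf-16-le")
    if len(encoded) > I_PATH_BYTES:
        raise ValueError("path does not fit in the 260-character field")
    return struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted_at)) + encoded.ljust(I_PATH_BYTES, b"\x00")

# Constructed sample: the path is the slide's worked example; size and time are made up.
SAMPLE_DELETED_AT = datetime(2012, 11, 12, 15, 30, 0, tzinfo=timezone.utc)
SAMPLE_I_RECORD = build_sample_i_record(r"E:\Winword\Letter to Rosemary.doc", 24576, SAMPLE_DELETED_AT)

if __name__ == "__main__":
    print(decode_recycled_name("Dc1.txt"))
    print(parse_i_record(SAMPLE_I_RECORD))
    print(companion_r_name("$IQ3K8ZX.doc"))
```

The size check and the header check matter in practice: a truncated or later-format record (Windows 10 changed the layout and the fixed size no longer holds) should be rejected rather than silently produce a wrong path or time.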

Hidden Recycler Directory (pre-Vista)

INFO2 File

Hidden Recycler Directory (post-Vista)

Temp Directory

Backup
- Search for BACKUP.LOG

Spool Files
- Simultaneous Peripheral Operations On-Line
- Temporary files used during input/output operations
- Typically used to allow printers to run in the "background"
- Typically deleted after the print job is complete
- May be printer specific; check the settings under Server Properties

WinXP Spool File Default

While Printing / After Printing

Windows Registry
- A database which stores:
  - Hardware and software configuration information
  - User preferences (including user names and passwords)
  - Setup information
- Viewed with Regedit
- Can be used to view:
  - Last person to log on
  - Most recently accessed files
  - Most recently accessed devices
  - Application-specific information: Internet sites accessed, recent files, chat rooms accessed, ...

WinXP Registry Hives
- HKEY_CLASSES_ROOT
- HKEY_CURRENT_USER
- HKEY_LOCAL_MACHINE
- HKEY_USERS
- HKEY_CURRENT_CONFIG
Created from files located at \WINDOWS\System32\Config:
- SAM
- SECURITY
- SOFTWARE
- SYSTEM

Registry Files

OS        In Use                  Backup
Win95     System.DAT, User.DAT    System.DA0, User.DA0
Win98/Me  System.DAT, User.DAT    RB001.CAB, RB002.CAB, RB003.CAB, RB004.CAB, RB005.CAB
WinXP     In C:\WINDOWS\SYSTEM32\CONFIG\: System, Software, Sam, Security, Default

Command-line export: REGEDIT /L:<path to system.dat> /R:<path to user.dat> /E outfile.txt

Windows XP Registry (filename, location, contents)
- ntuser.dat: \Documents and Settings\<username> (one for each user on the system). Contents: Protected Storage, Most Recently Used lists, user preferences.
- Default: \Windows\system32\config. Contents: system settings.
- SAM: \Windows\system32\config. Contents: user account management and security settings.
- Security: \Windows\system32\config. Contents: security settings.
- Software: \Windows\system32\config. Contents: all installed programs, their settings, and any usernames and passwords associated with them.
- System: \Windows\system32\config. Contents: system settings.

WinXP Registry
- \Windows\System32\Config
- Run... Regedit

Windows 7 Registry

Registry Entries

Most Recently Used (MRU) Listings
- Key: HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\Open Find

Registry – Uninstall Key
- May show software installed currently, or in the past, on the system

Registry – Date Last Used
- Registry key for file execution: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

ROT13  

ROT13 Translation
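The slides on UserAssist ("Date Last Used") and ROT13 belong together: the value names under the UserAssist key are stored ROT13-encoded, so an examiner decodes the name to get the executed path and then reads the value data for the count and timestamp. As an added example, not code from the slides, the Python below does both. The 16-byte value layout it parses (4-byte session id, 4-byte run count, 8-byte FILETIME of the last run) is the Windows XP format as described in published forensic write-ups and is an assumption here; the sample entries are constructed, not taken from a real registry.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

USERASSIST_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_userassist_name(value_name):
    """Value names under UserAssist are stored ROT13-encoded; ROT13 is its own inverse."""
    return codecs.decode(value_name, "rot_13")

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse conversion, used only to build the constructed sample below."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_userassist_xp_data(data):
    """Assumed Windows XP value layout (16 bytes): session id, run count, last-run FILETIME."""
    if len(data) != 16:
        raise ValueError(f"expected 16 bytes of XP-style UserAssist data, got {len(data)}")
    session, run_count, ft = struct.unpack("<IIQ", data)
    return {
        "session": session,
        "run_count": run_count,                                 # raw counter as stored
        "last_run": filetime_to_datetime(ft) if ft else None,   # zero means no time recorded
    }

def decode_userassist_entries(entries):
    """Map {ROT13 value name: raw value data} to {plain name: parsed fields}."""
    return {decode_userassist_name(raw): parse_userassist_xp_data(blob) for raw, blob in entries.items()}

# Constructed sample entries. The names are ROT13 of
# "UEME_RUNPATH:C:\Windows\notepad.exe" and "UEME_RUNPATH:E:\Winword\winword.exe".
SAMPLE_LAST_RUN = datetime(2012, 11, 12, 9, 15, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = {
    "HRZR_EHACNGU:P:\\Jvaqbjf\\abgrcnq.rkr": struct.pack("<IIQ", 7, 12, datetime_to_filetime(SAMPLE_LAST_RUN)),
    "HRZR_EHACNGU:R:\\Jvajbeq\\jvajbeq.rkr": struct.pack("<IIQ", 7, 3, 0),
}

if __name__ == "__main__":
    for name, fields in decode_userassist_entries(SAMPLE_ENTRIES).items():
        print(name, fields)
```

Because ROT13 only shifts letters, digits, colons and backslashes in the value names come through unchanged, which is why the encoded names still look like paths. Timestamps are in UTC; convert to the machine's local zone only when building a timeline alongside other artifacts.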

Temporary Internet Files
- Internet Explorer History File (index.dat)

INDEX.DAT Files

INDEX.DAT

- URL (Local File): the URL from which the file came, including the original file name on that website.
- User Name: the Windows user name logged on at the time the file was saved.
- Last Accessed: the date and time the URL was last accessed by the client.
- Last Modified: the date and time the content was last modified on the server.
- Last Checked: the last synchronization time.
- Expires: a field that can optionally be specified by the website designer for certain files which are "session" files, ones that expire at the end of the browsing session at that site (most files will be "persistent"). The website indicates when the browser should discard the cache entry and go back to the web site.
- Hits: reflects how many accesses have been made to that URL. It can go up from redirects or cookie redirects to ad sites.
- Use Count: reflects how many users have used the cache entry in a shared cache on Windows 98 systems with multiple user profiles set up. On Windows 2000/XP it is almost always 0, because each user gets his own set of index.dat files.

INDEX.DAT Decoded

Temporary Internet Files Directory
- Internet Explorer saves copies of many things that are displayed on the screen when you surf the web. These include:
  - downloads
  - images (including embedded images on web pages)
  - cached pages
  - cookies
  - etc.
- This is a good source of evidence.

Page/Swap File
- Persistent
- Temporary
Determine by: HKEY_LOCAL_MACHINE\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
- 0 = do not overwrite
- 1 = overwrite

Overwrite Page File at Shutdown?

Application Temporary Files
- Search *.tmp

Application Specific Files
- Specific database, backup, or temporary files used by applications