1 Lecture 6 Forensic Analysis of Windows Systems (contd. after lecture 4) Prof. Shamik Sengupta Office 4210N

1 Lecture 6 Forensic Analysis of Windows Systems (contd. after lecture 4) Prof. Shamik Sengupta Office 4210N Fall 2010

2 What we will cover today
• Forensic analysis of Windows systems
  – Learning where to look
  – Understanding compound file types
  – Viewing the structure
  – Recover and analyze
• Hands-on practice

3 The Recycle Bin
• Understanding how the Recycle Bin works is critically important for forensic examiners
  – It stores much significant information that is usually overlooked at the time of examination
• The Recycle Bin is a system folder of Windows
  – It operates under different rules from those that govern standard folders
  – The folder is named
  – “Recycled” in Windows 95/98
  – “Recycler” in Windows NT/2000/XP
• E.g., open a DOS window and go to the C: drive
  – Type cd recycler
  – This takes you into the Recycle Bin folder

4 The Recycle Bin (Continued)
• E.g., the Recycler folder in XP

5 The Recycle Bin (Continued)
• When a file is deleted, it is moved to the Recycle Bin
  – On Windows NT/2000/XP, the first time a user puts a file in the Recycle Bin, a subfolder is created in C:\Recycler
  – The subfolder is named with the user’s SID and contains its own INFO file, making it possible to determine which user account was used to delete a file
• Deleting a file results in three steps:
  – 1) the deletion of the file’s folder entry in the folder in which the file resided
  – 2) the creation of a new folder entry for the file in the Recycle Bin
  – 3) the addition of information about the file to a hidden system file named INFO (or INFO2, depending on the Windows version) in the Recycle Bin

6 The Recycle Bin (Continued)
• E.g., the Recycler folder in XP

7 The Recycle Bin (Continued)
• So, although Windows does not store the deletion date and time of a file in its folder entry,
  – Windows records the date and time of deletion in the INFO file when a user sends a file to the Recycle Bin
• Other information stored in the Recycle Bin includes:
  – The file’s location prior to being sent to the Recycle Bin
  – Its index number in the Recycle Bin
  – Its order in the Recycle Bin
  – 0 is assigned to the first file placed in the Recycle Bin after the Recycle Bin is emptied
  – Its new filename in the Recycle Bin
  – Every file sent to the Recycle Bin is renamed in the following format:
  – D[original drive letter of file][index no][original extension]
  – E.g., hw1.txt residing in C:\My Documents is sent to an empty Recycle Bin
  – Its new name is DC0.txt

8 The Recycle Bin (Continued)
• An INFO file is often effective in confirming or refuting a computer user’s explanations regarding the presence or history of computer files recovered from their drives
  – It contains metadata relating to a particular file, such as the date of deletion and the original path
  – INFO file records tell stories about file histories and the user’s state of mind
  – Files deleted by the OS do not leave a record in the INFO file
  – An INFO file record therefore indicates that a user knowingly deleted the file
• If a user claims a file was downloaded without his notice during Internet activity, the file’s location when it was deleted may tend to support or refute that contention
  – Compare a user who deleted a particular file residing
  – A) in a default download folder or in the Temporary Internet Files folder
  – B) in My Documents\My Favorite Things\My Pictures…

9 The Recycle Bin (Continued)
• When the user elects to empty the Recycle Bin,
  – Windows deletes the file (such as DC0.txt) in the Recycle Bin and also deletes the INFO file
  – More sophisticated techniques are then needed to recover the files

10 The Recycle Bin in Windows Vista / 7
• The contents of the Recycle Bin have changed in Windows Vista/7
• The name of the folder itself has changed to “$Recycle.bin”
  – Open a DOS command prompt and go to the C: drive
  – Type cd $Recycle.bin
• The INFO2 file that is present in Windows 2000/XP/2003 has been removed
• In Windows Vista, two files are created when a file is deleted into the Recycle Bin
  – Both files have the same random-looking name, but the names are prefixed with “$R” or “$I”
  – The file with “$R” at the beginning of the name is the data of the deleted file
  – The file with “$I” at the beginning of the name contains the path where the file originally resided, as well as the date and time it was deleted
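
The record layouts behind slides 5, 7 and 10 can be parsed directly once the deletion-time field is understood as a FILETIME. The Python below is an added example written for this transcript, not code from the lecture or from EnCase. It parses the XP-era INFO2 file and the Vista/7 $I file, reproduces the D[drive][index][extension] naming rule, pairs $I/$R files by their shared random suffix, and (going beyond the slides) also accepts the Windows 10 revision of the $I record. Every sample record is constructed in the block itself; the paths, dates, sizes and the helper names are illustrative and not taken from any real system.

```python
r"""Parsers for Windows Recycle Bin metadata records (added example, not lecture or EnCase code).

Record layouts are the commonly documented ones:
  INFO2 (Windows 2000/XP, C:\Recycler\<SID>\INFO2): 20-byte header whose DWORD at offset 12
    is the record size (0x320 = 800 on XP), followed by fixed-size records:
    [260 B ANSI original path][4 B index][4 B drive no., 0 = A:][8 B FILETIME deleted]
    [4 B physical size][520 B UTF-16LE original path]
  $I<random> (Windows Vista/7, C:\$Recycle.bin\<SID>\):
    [8 B version = 1][8 B original size][8 B FILETIME deleted][520 B UTF-16LE original path]
    Version 2 (Windows 10) replaces the fixed path with a 4-byte character count plus the path.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
INFO2_HEADER_SIZE = 20


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def recycled_name(original_path: str, index: int) -> str:
    """Windows 2000/XP rename: D + drive letter + index + original extension (e.g. DC0.txt)."""
    dot, sep = original_path.rfind("."), original_path.rfind("\\")
    ext = original_path[dot:] if dot > sep else ""
    return f"D{original_path[0].upper()}{index}{ext}"


def parse_info2(data: bytes) -> list:
    """Return one dict per INFO2 record; the UTF-16 path is preferred over the ANSI copy."""
    record_size = struct.unpack_from("<I", data, 12)[0] or 800
    records = []
    for off in range(INFO2_HEADER_SIZE, len(data) - record_size + 1, record_size):
        rec = data[off:off + record_size]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        path = rec[280:800].decode("utf-16-le").split("\x00", 1)[0]
        records.append({
            "original_path": path,
            "index": index,
            "drive": chr(ord("A") + drive),
            "deleted": filetime_to_datetime(ft),
            "size": size,
            "recycled_name": recycled_name(path, index),
            # Windows zeroes the first ANSI path byte when the entry is restored or purged individually
            "purged": rec[0] == 0,
        })
    return records


def parse_dollar_i(data: bytes) -> dict:
    """Parse a Vista/7 (version 1) or Windows 10 (version 2) $I record."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        nchars = struct.unpack_from("<I", data, 24)[0]
        raw = data[28:28 + 2 * nchars]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size, "deleted": filetime_to_datetime(ft), "original_path": path}


def pair_recycle_entries(filenames) -> dict:
    """Group $I/$R files sharing one random suffix; a lone $I means the $R data file is gone."""
    pairs = {}
    for name in filenames:
        if name[:2] in ("$I", "$R"):
            pairs.setdefault(name[2:], {})[name[:2]] = name
    return pairs


# --- constructed sample data (made up for this example, not from any real system) ---------
def build_info2(entries) -> bytes:
    header = struct.pack("<IIIII", 5, 0, 0, 800, 0)
    body = b""
    for path, index, deleted, size in entries:
        body += (path.encode("cp1252").ljust(260, b"\x00")
                 + struct.pack("<IIQI", index, ord(path[0].upper()) - ord("A"),
                               datetime_to_filetime(deleted), size)
                 + path.encode("utf-16-le").ljust(520, b"\x00"))
    return header + body


def build_dollar_i(path: str, size: int, deleted: datetime) -> bytes:
    return (struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted))
            + path.encode("utf-16-le").ljust(520, b"\x00"))


SAMPLE_DELETED = datetime(2010, 9, 15, 13, 45, tzinfo=timezone.utc)
SAMPLE_INFO2 = build_info2([("C:\\My Documents\\hw1.txt", 0, SAMPLE_DELETED, 4096),
                            ("C:\\Temp\\report.doc", 1, SAMPLE_DELETED, 24576)])
SAMPLE_DOLLAR_I = build_dollar_i("C:\\Users\\alice\\Desktop\\notes.txt", 1234, SAMPLE_DELETED)

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        print(r["recycled_name"], "<-", r["original_path"], r["deleted"])
    print(parse_dollar_i(SAMPLE_DOLLAR_I))
```

On a real image the INFO2 or $I bytes come from the SID subfolder the examiner has already located; the parsers above take those bytes as input and return the original path and deletion time that EnCase shows for the same entries. Because only the $R side carries the file content, a mismatch between $I and $R files in a SID folder is worth noting before attempting recovery.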

11 Case study: Viewing the Recycle Bin using EnCase
• How do you view the Recycle Bin using EnCase?
  – (you do not have to acquire the disk)
  – Locate the Recycle Bin using EnCase
  – Locate the user SIDs (the per-user subfolders)
  – Locate the deleted files

12 Shortcut Files
• Shortcut files are links that give quick access to their targets
  – Users open a file or folder or start an application program by double-clicking the appropriate shortcut icon
• Where are the shortcut files stored?
  – Folder locations of shortcut files:
  – Windows\Desktop
  – Windows\Recent
  – Windows\Start Menu
  – Windows\Send to
• The existence of shortcut files can serve to support the contention that a user had knowledge that a particular file or application was present on the computer
  – Even though the actual files might have been deleted

13 Shortcut Files (Continued)
• The Windows\Recent folder contains shortcut files that point to data files that were opened on the computer
  – By default 12/15 shortcuts are maintained
  – REALLY??
• The Windows\Start Menu folder contains shortcut files that point to files and programs that appear on the Start Menu
  – The shortcut files can provide evidence that an application program which is no longer present on the computer was installed at one time
  – The date and time stamps on the shortcut files can help to identify the date on which the installation occurred

14 Viewing the “Desktop” and “Recent” folders

15 Case Example: Shortcut Files
A special agent of the Illinois Attorney General’s Office investigated a case involving CP. The agent located a shortcut file in the Windows\Desktop folder whose target was a screensaver program. Upon examining the screensaver program, the agent found that it caused 30 images depicting CP to be displayed on the computer’s monitor when the shortcut was activated. This example is applicable to the investigation of many forms of computer crime.

16 Case study: Viewing Shortcut Files using EnCase
• How do you view shortcut files using EnCase?
  – (you do not have to acquire the disk)
  – Locate the shortcut files
  – Analyze them
  – The shortcut files also contain the fully qualified paths of the files they refer to
  – (one of the greatest features for investigation)
  – Also known as a Symbolic Link in EnCase
  – Try locating this using the EnCase Report
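
Slides 13 and 16 depend on two things inside a shortcut file: the timestamps and the fully qualified target path. The Python below is an added example, not code from the lecture or from EnCase; it reads the 76-byte ShellLinkHeader (the target's creation, access and write times, size and attributes) and, when a LinkInfo structure is present, the target's local base path and the volume serial number, following the layout of Microsoft's public MS-SHLLINK specification. The sample shortcut is constructed in the block (its path, dates and serial number are made up); the shell item ID list is skipped rather than decoded, and a network-only link (no local base path) leaves the path empty.

```python
"""Minimal parser for Windows shortcut (.lnk) files, following the public MS-SHLLINK layout.

Added example (not lecture or EnCase code). It reads the 76-byte ShellLinkHeader and, when the
LinkInfo structure is present, the target's local base path and the volume serial number.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
FILE_ATTRIBUTE_DIRECTORY = 0x10
DRIVE_TYPES = {2: "removable", 3: "fixed", 4: "remote", 5: "cdrom", 6: "ramdisk"}


def filetime_to_datetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def _cstring(data: bytes, offset: int) -> str:
    return data[offset:data.index(b"\x00", offset)].decode("cp1252")


def parse_lnk(data: bytes) -> dict:
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    # LinkFlags, FileAttributes, CreationTime, AccessTime, WriteTime, FileSize (offsets 20..55)
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    info = {
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_written": filetime_to_datetime(wtime),
        "target_size": size,
        "target_is_directory": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
        "target_path": None, "volume_serial": None, "drive_type": None,
    }
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the shell item ID list if present
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        (_size, _hdr_size, li_flags, vol_off, base_off,
         _net_off, suffix_off) = struct.unpack_from("<7I", data, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            _vol_size, drive_type, serial = struct.unpack_from("<III", data, pos + vol_off)
            info["drive_type"] = DRIVE_TYPES.get(drive_type, "unknown")
            info["volume_serial"] = f"{serial:08X}"
            info["target_path"] = _cstring(data, pos + base_off) + _cstring(data, pos + suffix_off)
    return info


def build_lnk(target_path, created, accessed, written, size, volume_serial, label="OS") -> bytes:
    """Construct a minimal shortcut (header + LinkInfo) for demonstration; all values are made up."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(written), size, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 16 + len(label) + 1, 3, volume_serial, 16) + label.encode() + b"\x00"
    base, suffix = target_path.encode("cp1252") + b"\x00", b"\x00"
    vol_off = 28                                  # the LinkInfo header is 28 bytes
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + len(suffix), 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base + suffix
    return header + link_info + b"\x00\x00\x00\x00"  # TerminalBlock of the ExtraData section


SAMPLE_LNK = build_lnk("C:\\Users\\alice\\Documents\\budget.xls",
                       created=datetime(2010, 3, 2, 9, 0, tzinfo=timezone.utc),
                       accessed=datetime(2010, 9, 14, 17, 30, tzinfo=timezone.utc),
                       written=datetime(2010, 9, 14, 17, 30, tzinfo=timezone.utc),
                       size=48640, volume_serial=0x1A2B3C4D)

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:20} {value}")
```

The three FILETIMEs in the header are the target's own timestamps as they stood when the shortcut was last written, which is why a shortcut can still date an application that has since been uninstalled; the filesystem timestamps of the .lnk file itself date the shortcut, not the target. The volume serial number ties the target to a specific volume, which helps when the same path exists on several drives.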

17 THUMBS.DB
• What is Thumbs.db?
  – Windows allows the user to set the properties of any folder so that the graphics files in that folder are viewed as thumbnails
  – A system file, thumbs.db, is created holding the information for these thumbnails
  – These system files also speed up the processing of graphics, which is why Microsoft introduced them in its operating systems
• thumbs.db contains information on each graphics file in the folder
  – slightly altered headers
  – A listing of the files in the folder and their modification dates is also contained in the thumbs.db file
  – It is a compound file
• The artifacts can be significant since thumbs.db is not perfectly synchronized with the actual contents of the folder
  – The user may delete files from the folder
  – But thumbs.db still holds their thumbnails, so the files can be restored from it!!!

18 Case Example: THUMBS.DB
• A Thumbs.db file may show that files existed on the volume, and it may further show the modification dates of those files even though the files did not exist at the time of the examination
In a recent federal criminal investigation, the examiner located a folder containing more than 400 evidentiary images. When the examiner questioned the nature of the thumbs.db file, further analysis showed its function and contents. The file was found to contain more than 900 images, many representing files of evidentiary value that had been deleted from the folder.

19 THUMBS.DB (contd.)
• Windows stores the following formats as thumbnails:
  – JPEG, BMP, GIF, TIF, PDF and HTM
• Each thumbnail created in a folder is represented in this thumbs.db database
• Each folder in which thumbnail views have been initiated will have a thumbs.db file

20 THUMBS.DB (contd.)
• The early versions of thumbs.db files (in Windows ME and Windows 2000) contained
  – the filename,
  – the drive letter, and
  – the path to that image
• Later versions (in Windows XP and onward) store
  – the filename
  – but NOT the drive letter and path

21 THUMBS.DB in Vista and onward
• The thumbnail cache used in Windows XP/2003, named THUMBS.DB, has been replaced with a centralized thumbnail database
• The centralized thumbnail database is located in the following folder:
  – \Users\[User Account Name]\AppData\Local\Microsoft\Windows\Explorer
  – Inside there are a few files with the prefix thumbcache: thumbcache_xxxx.db
  – You can no longer delete thumbs.db
• dmThumbs (a tool for analyzing thumbs.db)

22 Thumbs.db (case study)
• Let’s do a simple hands-on practice.
  – We will view some pictures, delete them afterwards, and then see whether we can investigate and restore them using EnCase.

23 Other compound files
• EnCase Forensic can view the structure of the following types of compound files:
  – Thumbs.db files
  – Archive files such as .zip, .gzip, and .tar files
  – Outlook Express (DBX)
  – Outlook (PST)
  – Exchange 2000/2003 (EDB)
  – Lotus Notes (NSF) for versions 4, 5, and 6
  – Mac DMG format
  – Mac PAX format
  – Korean Office documents

24 INDEX.DAT
• Internet Explorer caches the websites that a user visits
  – When a user visits a site, IE first checks to see whether the file is already cached
  – If a cached file is found, IE uses the cached file rather than downloading it again
  – IE stores cached files in the Temporary Internet Files folder
  – It also assigns each cached file an alphanumeric file name and maps the new file names to the actual filenames in system files
• Internet Explorer keeps this mapping in index files
  – Earlier versions: MM256.DAT (to store the references of web pages whose address was less than 257 characters) and MM2048.DAT (for pages whose address was between 257 and 2048 characters)
  – Newer versions: index.dat
  – Each record describes one cached file: its URL, the date it was modified by the server, and the date it was accessed by the user

25 Case Example: index.dat
In another recent case, detectives investigated a woman’s complaint that she was the victim of stalking by a former boyfriend. The woman claimed that the former boyfriend was sending threatening messages to her current boyfriend. During the investigation, she made another report alleging that she had been the victim of a home invasion during which she was assaulted, and she again identified the suspect as the same ex-boyfriend. When the detectives examined the woman’s computer, they found that the temporary Internet cache files contained references to an America Online account. Further examination of the Internet cache files and the records of America Online showed that the woman had set up an account with a screen name similar to that of the former boyfriend, and had sent the ‘threatening’ message herself.

26 Lab Practice
• Download abc.zip from the class website.
  – You are given this evidence file. We have no idea what it contains. Can you figure it out using EnCase?