Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence.


August 28, 2015 © Wiley Inc All Rights Reserved

Chapter Topics:
– Evidence in Software Key
– Security Center & Firewall Settings
– Restore Point Registry Hive Files
– Security Identifiers
– User Activities

Chapter Topics (continued):
– LSA Secrets
– IP Addresses
– Time Zone Offsets
– Startup Locations
– Auditing Settings (bonus material not in the text!)

Evidence in Software Key:
HKLM\SOFTWARE is loaded from the hive file %SystemRoot%\system32\config\software
Installed software
Other locations for installed software:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Evidence in Software Key:
Last Logon
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Banners
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Security Center & Firewall Settings:
Security Center
– Advises the user if the firewall is off, anti-virus is not installed or out of date, or if updates are not turned on or are out of date
– Settings stored in HKLM\SOFTWARE\Microsoft\Security Center

Security Center Settings:

Value                   Data  Description
AntiVirusDisableNotify  0     User will be notified.
                        1     User will not be notified.
FirewallDisableNotify   0     User will be notified.
                        1     User will not be notified.
UpdatesDisableNotify    0     User will be notified.
                        1     User will not be notified.

Security Center & Firewall Settings:
Windows Firewall
– Released with XP Service Pack 2
– Firewall is on by default
– Powerful logging utility, but it is off by default
Settings stored in registry
– HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

Firewall Settings:
Settings stored in registry
– Subkey "DomainProfile" for the domain profile
– Subkey "StandardProfile" for the local machine profile
– Subkeys under each of the above: "AuthorizedApplications", "GloballyOpenPorts"
– Subkey under each of the above: "List" – lists the settings in plain text

Restore Point Registry Hive Files:
Restore points started with XP / ME
Snapshot of system files taken every 24 hrs or when software is installed, an update is installed, or an unsigned driver is installed – the user can also create one!
Stored for up to 90 days if disk space is available

Restore Point Registry Hive Files:
Settings stored in registry at:
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Restore points stored in:
– C:\System Volume Information\_restore{GUID}\RP##
– ## is the sequential number of the restore point

Restore Point Registry Hive Files:
Registry hive files stored under the snapshot folder are renamed:

Hive File Name  Restore Point Hive Filename
SAM             _REGISTRY_MACHINE_SAM
SECURITY        _REGISTRY_MACHINE_SECURITY
SOFTWARE        _REGISTRY_MACHINE_SOFTWARE
SYSTEM          _REGISTRY_MACHINE_SYSTEM
NTUSER.DAT      _REGISTRY_USER_NTUSER_<SID>

Security Identifiers:
SID is a security identifier
SID is a unique identifier in that no two SIDs
Windows grants or denies access and privileges to system objects based on access control lists (ACLs), which in turn use the SID as a means of identifying users, groups, and machines, since each has its own unique SID

Security Identifiers:
SID-to-user mapping is stored in the SAM for a local logon
In a domain, SID-to-user resolution is stored in Active Directory on the Domain Controller
Backdoor to resolving a SID to a user in a domain setting, at key:
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

User Activities:
NTUSER.DAT contains user-specific settings about installed software
Protected Storage System Provider contains encrypted values for MSIE "AutoComplete" and stored user names and passwords
MRUs ("most recently used")
– RunMRU
– MRUList

User Activities:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
HKCU\Software\Google\NavClient\1.1\History
HKCU\Software\Yahoo\Companion\SearchHistory
HKCU\Software\Microsoft\Internet Explorer\TypedURLs

User Activities:
UserAssist key
– HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{ EF1F-11D DEACF9}\Count
– Value names stored in ROT13
– 16-byte data string
– 2nd DWORD value is the count, starting at 5, with the first launch stored as hex 06
– Last eight bytes: 64-bit Windows timestamp (FILETIME) indicating the last time the user launched the program
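A decoder for one UserAssist Count value following the layout just described, written as an added example for this page (not code from the book): the value name is ROT13-decoded, the second DWORD is un-biased by 5, and the trailing QWORD is converted from a Windows FILETIME. The value name and 16-byte record below are constructed sample data, not evidence from a real system.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# XP-era Count values store the run count biased by 5 (the first launch is stored as 6).
COUNT_BIAS = 5

# Constructed sample: ROT13 of "UEME_RUNPATH:C:\Windows\system32\cmd.exe" plus a
# 16-byte record (session DWORD, biased count DWORD, FILETIME QWORD). Not real evidence.
SAMPLE_NAME = "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pzq.rkr"
SAMPLE_DATA = struct.pack("<IIQ", 0, 6 + COUNT_BIAS, 130852368000000000)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a 64-bit Windows FILETIME to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def decode_userassist(name: str, data: bytes) -> dict:
    """Decode one value under the UserAssist ...\\Count key.

    The value name is ROT13-encoded; the data is a 16-byte little-endian record
    whose second DWORD is the biased run count and whose last eight bytes are the
    FILETIME of the most recent launch.
    """
    if len(data) != 16:
        raise ValueError(f"expected a 16-byte UserAssist record, got {len(data)} bytes")
    session, raw_count, last_run_ft = struct.unpack("<IIQ", data)
    return {
        "name": codecs.decode(name, "rot_13"),
        "session": session,
        # A raw count below the bias (e.g. 0) means the entry was never launched.
        "run_count": raw_count - COUNT_BIAS if raw_count >= COUNT_BIAS else 0,
        # A zero FILETIME means no launch time was recorded.
        "last_run_utc": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


if __name__ == "__main__":
    entry = decode_userassist(SAMPLE_NAME, SAMPLE_DATA)
    print(f"{entry['name']}  runs={entry['run_count']}  last={entry['last_run_utc']}")
```

The timestamp comes out in UTC; apply the offset from HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation to present it in the suspect machine's local time.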

LSA Secrets:
LSA stands for Local Security Authority
SECURITY\Policy\Secrets
Contains security information regarding various service accounts and other accounts necessary for Windows, and is stored by the service control manager
Tools to extract:
– Lsadump2.exe
– Cain

IP Addresses:
Stored in registry at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Subkeys are interfaces and appear with GUID names
Static vs. DHCP addresses

Time Zone Offsets:
NTFS stores timestamps in GMT (UTC)
Windows displays them to the user based on the local host's time zone offset.
Time zone offset stored in registry
– HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Startup Locations:
Many locations within Windows where programs or code run at Windows boot, user logon, etc.
The registry alone contains dozens of locations and methods
Windows configuration files can also be used to run code
The list of these locations is extensive

Startup Locations:
Often you'll know what the bad code is and its file name – when this is known, it is easier to search the registry and Windows configuration files for the file name
When unknown, use tools such as
– EnCase EnScript: Case Processor > Scan Registry > AutoStart
– Autoruns by Sysinternals

Auditing Settings:
Where are auditing settings stored?
In most cases you won't be able to open the LSS applet to determine the auditing level on a live system
Stored in the registry hive file "security"
Key: SECURITY\Policy\PolAdtEv

SECURITY\Policy\PolAdtEv

Byte Offset  Description
00           00 = No Auditing / 01 = Auditing
04           System Events Audit Setting
08           Logon Events Audit Setting
12           Object Access Audit Setting
16           Privilege Use Audit Setting
20           Process Tracking Audit Setting
24           Policy Change Audit Setting
28           Account Management Audit Setting
32           Directory Service Access Audit Setting
36           Account Logon Audit Setting

Byte Value  Audit Setting
00          No Auditing
01          Audit Successes
02          Audit Failures
03          Audit Success & Failures
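A parser for the PolAdtEv layout in the two tables above, added here as an example (not code from the book): it reads the master switch at offset 0 and the byte at each category offset, then reports which categories would leave no event-log trace of failed attempts. The 40-byte blob is a constructed sample, not data from a real SECURITY hive.

```python
import struct

# Category order follows the byte-offset table: category i lives at offset 4 + 4 * i.
CATEGORIES = (
    "System Events", "Logon Events", "Object Access", "Privilege Use",
    "Process Tracking", "Policy Change", "Account Management",
    "Directory Service Access", "Account Logon",
)
SETTINGS = {
    0: "No Auditing", 1: "Audit Successes",
    2: "Audit Failures", 3: "Audit Success & Failures",
}

# Constructed sample blob (not real evidence): auditing on; system, logon, policy
# change and account management audit success+failure; privilege use failures only;
# account logon successes only; everything else off.
SAMPLE_BLOB = struct.pack("<10I", 1, 3, 3, 0, 2, 0, 3, 3, 0, 1)


def parse_poladtev(blob: bytes) -> dict:
    """Decode a PolAdtEv value into the master switch and per-category settings."""
    if len(blob) < 4 + 4 * len(CATEGORIES):
        raise ValueError(f"PolAdtEv blob too short: {len(blob)} bytes")
    parsed = {"auditing_enabled": blob[0] == 1, "categories": {}}
    for index, category in enumerate(CATEGORIES):
        value = blob[4 + 4 * index]  # the byte at this category's table offset
        parsed["categories"][category] = SETTINGS.get(value, f"Unknown (0x{value:02x})")
    return parsed


def categories_missing_failure_audit(parsed: dict) -> list:
    """Return categories that would not record failed attempts.

    Failed logons or failed privilege use leave no event-log trace unless failures
    are audited; if the master switch is off, no category is audited at all.
    """
    if not parsed["auditing_enabled"]:
        return list(CATEGORIES)
    return [
        name for name, setting in parsed["categories"].items()
        if setting not in ("Audit Failures", "Audit Success & Failures")
    ]


if __name__ == "__main__":
    result = parse_poladtev(SAMPLE_BLOB)
    for name, setting in result["categories"].items():
        print(f"{name:<25} {setting}")
    print("No failure auditing:", categories_missing_failure_audit(result))
```

The same parser applies to the _REGISTRY_MACHINE_SECURITY copy inside a restore point, which lets you compare the audit policy in force at the time of the snapshot with the current one.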