5. Windows System Artifacts Part 1

Topics
Deleted data
Hibernation Files
Registry

Deleted Data

Recovering Deleted Data
File Carving
Allocated space contains active data
Deleting a file only frees its clusters, so the content stays in unallocated space until it is overwritten
Carving scans unallocated space for known file signatures (headers and footers) and recovers the content, but not the original file name or path
Useful tools
o ProDiscover
o FTK or EnCase
o Foremost
o Recuva
o PhotoRec
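A minimal header/footer carver, added here as an example (it is not code from the slides or from any of the tools listed). It does what Foremost and PhotoRec do at their core: scan raw bytes for known signatures and cut at the matching footer, or at a size cap when no footer is found. The "unallocated space" it runs on is a constructed byte buffer with a real PNG, a stub JPEG and a stub PDF dropped into zero filler; the signatures and size caps are the standard magic bytes and arbitrary limits chosen for the example.

```python
"""Header/footer file carver for unallocated space (added example; not a
tool from the slides).  It scans raw bytes for known file signatures and
cuts out everything up to the matching footer, or up to a size cap when
the format has no footer within reach."""
import struct
import zlib

# (type, header, footer or None, size cap).  Standard magic bytes; the caps
# just stop a runaway carve when no footer follows.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 20_000_000),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 20_000_000),
    ("pdf", b"%PDF-", b"%%EOF", 50_000_000),
]


def carve(image: bytes):
    """Return [(type, offset, data), ...] for every signature hit in image.

    Carving knows nothing about the file system: it recovers content, not
    the original name or path, and a footer may belong to another object
    (the EOI marker of a thumbnail embedded in a JPEG, an earlier %%EOF of
    an incrementally updated PDF), so hits need validation before use."""
    found = []
    for ftype, header, footer, cap in SIGNATURES:
        start = image.find(header)
        while start != -1:
            limit = min(len(image), start + cap)
            end = -1
            if footer is not None:
                end = image.find(footer, start + len(header), limit)
            if end == -1:
                # No footer inside the cap: carve the cap, then resume just
                # past this header so nothing behind it is skipped.
                found.append((ftype, start, image[start:limit]))
                start = image.find(header, start + len(header))
            else:
                end += len(footer)
                found.append((ftype, start, image[start:end]))
                start = image.find(header, end)
    return found


def make_png() -> bytes:
    """A valid 1x1 red PNG built from scratch (constructed test data)."""
    def chunk(tag: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(tag + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + tag + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + one pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def build_sample_image():
    """Constructed 'unallocated space': zero filler with three files dropped in.
    Returns the buffer and the [(type, offset)] list a carver should report."""
    png = make_png()
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40 + b"\xff\xd9"   # stub, not a decodable image
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
    image = b"".join([b"\x00" * 512, png, b"\x00" * 300, jpg, b"\x00" * 200, pdf, b"\x00" * 100])
    expected = [
        ("png", 512),
        ("jpg", 512 + len(png) + 300),
        ("pdf", 512 + len(png) + 300 + len(jpg) + 200),
    ]
    return image, expected


if __name__ == "__main__":
    img, _ = build_sample_image()
    for ftype, offset, data in sorted(carve(img), key=lambda h: h[1]):
        print(f"{ftype}\toffset={offset}\tsize={len(data)}")
```

Run against a real image, the same loop over a memory-mapped `dd` file would print one line per hit; the point of the size cap and the comments in `carve` is that every hit is a candidate, not a file, until it is validated (for example by opening the PNG or checking the JPEG's segment structure).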

Hibernation File

Shutdown Options
Sleep – data kept in RAM
o Power still on
o Documents lost if power fails
Hibernate – RAM copied to Hiberfil.sys
o Power off
o Documents never lost
o Hiberfil.sys is a compressed image of physical memory, so it can preserve passwords, keys, and process data from the last session for later analysis
Hybrid Sleep
o Default for Windows 7 desktops
o Puts open documents and programs on disk
o Keeps them in RAM as well for fast wakeup
o Documents not lost if power fails

Enabling Hibernation Link Ch 5i

Registry
Not in book, but may be on quizzes and Final Exam

Understanding the Structure of the Registry
The registry consists of five root keys
o HKEY_CLASSES_ROOT
o HKEY_CURRENT_USER
o HKEY_LOCAL_MACHINE
o HKEY_USERS
o HKEY_CURRENT_CONFIG
Or HKCR, HKCU, HKLM, HKU, and HKCC

Subkeys
Root keys (sometimes called predefined keys) contain subkeys
o Subkeys look like folders in Regedit
HKCU has these top-level subkeys: AppEvents, Console, Control Panel, …
o A root key and its subkeys form a path
o HKCU\Console

Values
Every key has a default value, which Regedit shows as (Default)
o It is often undefined, in which case Regedit shows (value not set)
A key may also hold any number of named values
Each value has a name, a data type (REG_SZ, REG_DWORD, REG_BINARY, …), and data

Hives
A hive is a group of keys, subkeys, and values that Windows stores on disk as a single file (for example SYSTEM, SOFTWARE, SAM, SECURITY, and each user's NTUSER.DAT)
The registry is stored on disk as several separate hive files
Hive files are read into memory when the operating system starts (or when a new user logs on)

HiveList
HKLM\System\CurrentControlSet\Control\HiveList
Lists each loaded hive and the file it was loaded from

Hardware Hive
\Registry\Machine\Hardware has no associated disk file
It is volatile: Windows 7 builds it fresh at every boot from the devices the kernel detects, so it is absent from an offline image

HKCR and HKCU
These keys are links to items contained in other root keys
o HKEY_CLASSES_ROOT (HKCR)
Merged from keys within HKLM\Software\Classes and HKU\<sid>_Classes
o sid is the security identifier of the currently logged-on user
o HKEY_CURRENT_USER (HKCU)
Links to HKU\<sid>

Purpose of Registry
Database for configuration settings
Registry artifacts are very valuable for forensics
o Search terms
o Programs run or installed
o Web addresses
o Files recently opened
o USB devices connected

Acquiring the Registry FTK Imager

Acquired Files

Reference Link Ch 5c

Important Registry Data
Control Set
Time Zone
UserAssist
USBSTOR

Control Set
A live Registry has an important key named HKLM\System\CurrentControlSet
Contains Time Zone, USBSTOR, and other information

Control Set
An acquired SYSTEM hive has no CurrentControlSet key
It is a symbolic link that Windows creates at boot, not data stored in the hive file
To find which ControlSet is current, read the Current value under System\Select (a DWORD N means ControlSet00N)
In this case, ControlSet001 is Current
o Link Ch 5a

Time Zone
System\ControlSet001\Control\TimeZoneInformation
o Assuming that ControlSet001 is Current
o ActiveTimeBias is the offset in minutes added to local time to reach UTC; use it to convert the system's local timestamps

UserAssist
Shows programs and shortcuts the user has run, with run counts and last-run times
To see it, open Users\<Username>\NTUSER.DAT
Navigate to Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
The value names under each {GUID}\Count subkey are ROT13-encoded and must be decoded before they are readable

UserAssist Decoded in Lower Left Pane
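The decoding a registry viewer does in that lower pane, written out as an added example (not code from the slides, from RegRipper, or from any viewer). It ROT13-decodes the value names, expands the System32 known-folder GUID, and unpacks the 72-byte Windows 7 value record (run count at offset 4, last-run FILETIME at offset 60). The two Count subkey GUIDs and the known-folder entry are the ones Windows 7 uses; the sample entries are constructed to look like a real Count subkey.

```python
"""Decode UserAssist entries from NTUSER.DAT (added example, not code from
the slides).  Value names are ROT13-encoded and, on Windows 7, each value is
a 72-byte record carrying the run count and the last-execution FILETIME."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

USERASSIST_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"

# The two Count subkeys Windows 7 populates under UserAssist.
COUNT_GUIDS = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "executables",
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "shortcuts",
}

# Known-folder GUIDs that replace path prefixes in decoded names (partial list).
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32",
}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(text: str) -> str:
    """ROT13 only touches A-Z/a-z; digits, braces and backslashes pass through."""
    return codecs.decode(text, "rot_13")


def filetime_to_datetime(ft: int):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means the entry never ran."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_value(data: bytes) -> dict:
    """Windows 7 UserAssist record layout (72 bytes):
         0x00 session id     0x04 run count    0x08 focus count
         0x0C focus time ms  0x10 ten floats   0x3C last-run FILETIME
       XP/Vista used a 16-byte record instead, which this does not handle."""
    if len(data) < 68:
        raise ValueError(f"expected a 72-byte Windows 7 record, got {len(data)} bytes")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_run": filetime_to_datetime(last_ft),
    }


def expand_known_folder(path: str) -> str:
    for guid, folder in KNOWN_FOLDERS.items():
        if path.upper().startswith(guid):
            return folder + path[len(guid):]
    return path


def decode_userassist(count_values: dict) -> list:
    """count_values: {encoded_name: raw_bytes} as read from a {GUID}\\Count subkey.
    Returns decoded entries, most recently run first."""
    entries = []
    for enc_name, raw in count_values.items():
        entry = parse_value(raw)
        entry["name"] = expand_known_folder(rot13(enc_name))
        entries.append(entry)
    entries.sort(key=lambda e: e["last_run"] or EPOCH_1601, reverse=True)
    return entries


def make_record(run_count: int, focus_count: int, focus_ms: int, last_run) -> bytes:
    """Build a 72-byte Windows 7 record; used here only to construct sample data."""
    ft = datetime_to_filetime(last_run) if last_run else 0
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44 + struct.pack("<Q", ft) + b"\x00" * 4)


# Constructed sample of what a viewer shows under {CEBFF5CD-...}\Count.
SAMPLE_COUNT = {
    "P:\\Jvaqbjf\\flfgrz32\\pzq.rkr":
        make_record(7, 3, 45_000, datetime(2012, 1, 15, 10, 30, tzinfo=timezone.utc)),
    "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\zfcnvag.rkr":
        make_record(1, 1, 5_000, datetime(2012, 1, 14, 8, 0, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for e in decode_userassist(SAMPLE_COUNT):
        print(f"{e['last_run']}\truns={e['run_count']}\t{e['name']}")
```

The last-run time is stored in UTC, which is why the TimeZoneInformation key from the SYSTEM hive is needed before these timestamps can be lined up with what the user saw on the clock.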

RegRipper Link Ch 5k

Ripped Registry

USBSTOR
System\ControlSet001\Enum\USBSTOR
o Assuming Current Control Set is 1
o Each subkey names the device class, vendor, product, and revision; its child key is the device serial number, or a Windows-generated ID with & as its second character when the device reports no serial