Published by Britton Hill, modified over 8 years ago
E-Mail Investigations, 2016 First Semester [Week 12]: Forensic Analysis of the Windows 7 Registry
Learning Goal
Using the RegRipper tool, you can secure the user's recent activity left in the registry as evidence.
Using the RegExtract tool, you can secure the user's recent activity left in the registry as evidence.
Using FTK Imager and forecopy, you can acquire the NTUSER.DAT hive file.
Learning Objectives
After this class, you will be able to:
explain the role of RecentDocs history in investigations;
describe tasks in investigating web browser crimes and violations;
explain the use of Windows registry hives;
describe some available history computer forensics tools.
Today's Activity
Step 1: Download the class materials from the lecture board on the professor's blog (http://prof.ysu.ac.kr/mjahn).
Step 2: Install the RegExtract tools.
Step 3: Install forecopy_handy (v1.2).
Step 4: Acquire the NTUSER.DAT hive file, which holds the most recently used documents history.
Step 5: Find out which documents were most recently used.
Today's Activity Result
[ RecentDocs displayed in RegRipper ]
Keywords
Windows registry
NTUSER.DAT hive file
RecentDocs and the HKEY_USERS root key
HKEY_USERS\S-[user's security identifier (SID)]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
What is a RecentDocs investigation?
When starting a forensic examination, a great first artifact to check is RecentDocs (Recently Used Documents). By default, Windows displays 15 items in the "My Recent Documents" menu. These include .doc, .jpg, .pdf and other files. This is a great way to get a quick look at what files the subject of your investigation has opened recently.
What is a RecentDocs investigation?
[ RecentDocs artifact in Windows Registry Recovery by MiTeC ]
What is the last opened file?
If you look at the data of the "MRUListEx" value, it always starts with the document that was opened most recently and works its way back. In this case, document "08" was opened most recently. Each entry in "MRUListEx" is four bytes long. So, going back four bytes from "08", we can see that "07" was the next most recently opened document in this example.
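The MRUListEx walk described above, as an added example that is not from the lecture or from RegRipper: it parses the raw RecentDocs value data (assumed to have been read from NTUSER.DAT; here replaced by constructed sample bytes) and lists the documents most recent first.

```python
import struct

# Added example (not from the lecture): parse the RecentDocs artifact from
# raw registry value data, in the order RegRipper's output presents it.

def parse_mrulistex(data):
    """MRUListEx is an array of 4-byte little-endian indices, most recent
    first, terminated by 0xFFFFFFFF. Returns the indices in MRU order."""
    order = []
    for off in range(0, len(data) - 3, 4):
        idx = struct.unpack_from("<I", data, off)[0]
        if idx == 0xFFFFFFFF:  # end-of-list marker
            break
        order.append(idx)
    return order

def recentdocs_name(data):
    """Each numbered RecentDocs value ("0", "1", ...) starts with the document
    name as a null-terminated UTF-16LE string; a shell item follows it, which
    this parser skips."""
    units = []
    for off in range(0, len(data) - 1, 2):
        unit = data[off:off + 2]
        if unit == b"\x00\x00":  # UTF-16 terminator (2-byte aligned)
            break
        units.append(unit)
    return b"".join(units).decode("utf-16-le")

def most_recent_documents(values):
    """values maps RecentDocs value names ("MRUListEx", "0", "1", ...) to their
    raw bytes. Returns document names, most recently opened first."""
    names = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        entry = values.get(str(idx))
        if entry is None:  # MRUListEx may reference a value that no longer exists
            continue
        names.append(recentdocs_name(entry))
    return names

# Constructed sample standing in for one RecentDocs key: three documents,
# index 2 opened most recently, then 0, then 1.
def _entry(name):
    # 8 zero bytes stand in for the shell item that follows the name
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x00" * 8

SAMPLE_RECENTDOCS = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    "0": _entry("report.doc"),
    "1": _entry("photo.jpg"),
    "2": _entry("invoice.pdf"),
}

if __name__ == "__main__":
    for rank, name in enumerate(most_recent_documents(SAMPLE_RECENTDOCS), 1):
        print(rank, name)
```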
Why are RecentDocs investigations necessary?
Ex. 1) For law enforcement officers, this is a great place to look if you have to investigate a suspicious death. Your victim may have created a suicide note on their computer, and this artifact can help you find it.
Ex. 2) For corporate investigators, your subject may have been snooping around for the recipe of your company's "Secret Sauce" (or whatever proprietary data you wish to insert here).
Why are RecentDocs investigations necessary?
This RecentDocs investigation might show the document being opened on your subject's computer. This can be used to corroborate other evidence obtained during your investigation.
Why are RecentDocs investigations necessary?
The history list provides the forensic investigator with the most recent activity on the system by each user, such as typed URLs in Microsoft Internet Explorer and most recently used Microsoft Word files. The typed URLs in Microsoft Internet Explorer can provide the forensic investigator with potential digital evidence in several types of computer crimes such as child abuse, computer intrusion, murder and harassment.
Why are RecentDocs investigations necessary?
The recent .jpg and .GIF files can provide the forensic investigator with potential digital evidence about opened images in child abuse crimes. In identity theft, counterfeiting and terrorism crimes, the criminal may store credit card information that has been used to transfer money in text or Word files. The location of the most recently used Word and .txt files was given above.
Forensic Tools of Use
AccessData's Registry Viewer
Harlan Carvey's RegRipper
MiTeC's Windows Registry Recovery
What is NTUSER.DAT?
The Ntuser.dat file is a registry file. Each user's Ntuser.dat file contains the registry settings for their individual account. The Windows registry, as described by Microsoft, is a "central hierarchical database" that contains information about the software, hardware and user profiles contained on a computer. Windows is constantly referencing its registry files throughout the course of its operation. The configuration of the "HKEY_CURRENT_USER" branch of the registry is supported by the current user's Ntuser.dat file.
How to acquire the history of most recently used documents?
Location: The Ntuser.dat file is in your user folder. In Windows 8, Windows 7 and Windows Vista, user folders are at C:\Users\USER_NAME.
Viewing: The Ntuser.dat file is a hidden file. Hidden files, as the name implies, cannot be seen unless you configure your folder options to show hidden files. Therefore, if you do not see your Ntuser.dat file when you initially open your user folder, press "Windows-E" to open Windows Explorer and then click "View" on the ribbon bar. Click "Options," and then choose "Change Folder and Search Options." Click the "View" tab in the Folder Options window, select "Show Hidden Files, Folders and Drives" in the Advanced Settings pane and then click "OK."
Acquiring ntuser.dat using forecopy_handy (v1.2)
[ forecopy_handy (v1.2) ]
Final Output
Activity
Nothing is final until it's final! Don't give up so easily. Call me at any time if you need help. I'll help; you can do it.