Windows Forensics
Shri

Few More Aspects of Forensics
Boonlia Prince Komal

Gmail: boonlia@gmail.com
Facebook: http://www.facebook.com/home.php?#!/profile.php?id=1701055902 or search for my mail id boonliasecurity@gmail.com
Twitter: http://twitter.com/boonlia
Recycle Bin Analysis
Location of Recycle Bin file/files

  Operating System      File system   Location
  Windows 95/98/ME      FAT32         C:\Recycled\INFO2
  Windows NT/2K/XP      NTFS          C:\Recycler\<USER SID>\INFO2
  Windows Vista/7       NTFS          C:\$Recycle.Bin\<USER SID>\
Changes With Vista (figure: on Windows 95/98/ME/NT/2K/XP a single INFO2 index in the user's Recycle Bin folder holds the records of all deleted files; on Windows Vista/7 every deleted file gets its own $I metadata file next to the $R file that holds its content)
INFO2 File structure (figure, continued over two slides)
$R and $I files (Windows Vista/7)
  $Rxxxxxxx.abc   the content of the deleted file
  $Ixxxxxxx.abc   its metadata: deletion time, file name, file size
The $I File Structure (figure)
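As an added example (not part of the slides), a Python parser for both Recycle Bin metadata formats compared above: the NT/2K/XP INFO2 index, whose 800-byte records carry the original path (ANSI and Unicode), record index, drive number, deletion FILETIME and size, and the Vista/7 $I file, which holds an 8-byte header, the file size, the deletion FILETIME and a 520-byte UTF-16 path. The layouts are the commonly documented ones; the sample INFO2 and $I bytes, the user name and the paths are constructed here for the demonstration and do not come from a real system.

```python
"""Recycle Bin metadata parsers: XP-style INFO2 records and Vista/7 $I files.

Added example. Layouts follow the commonly documented formats; the sample
data below is constructed, not captured."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME: 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


INFO2_HEADER_SIZE = 20    # version(4), unknown(8), record size(4), unknown(4)
INFO2_RECORD_SIZE = 800   # 260-byte ANSI path, 20 bytes of metadata, 520-byte Unicode path
                          # (Windows 95/98/ME used 280-byte records without the Unicode path; not handled)


def parse_info2(data):
    """Return one dict per record of an NT/2K/XP INFO2 file."""
    _version, _, _, record_size, _ = struct.unpack_from("<5I", data, 0)
    if record_size != INFO2_RECORD_SIZE:
        raise ValueError(f"unexpected INFO2 record size {record_size}")
    records = []
    for off in range(INFO2_HEADER_SIZE, len(data) - record_size + 1, record_size):
        rec = data[off:off + record_size]
        # An empty ANSI path means its first byte was zeroed: the slot was freed (file
        # restored or bin emptied) but the Unicode copy usually still carries the name.
        ansi_path = rec[:260].split(b"\x00", 1)[0].decode("cp1252", "replace")
        index, drive, deleted_ft, size = struct.unpack_from("<iIQI", rec, 260)
        unicode_path = rec[280:800].decode("utf-16-le").split("\x00", 1)[0]
        name = unicode_path.rsplit("\\", 1)[-1]
        ext = name[name.rfind("."):] if "." in name else ""
        records.append({
            "index": index,
            "drive": chr(ord("A") + drive),          # drive number 2 -> C
            "deleted": filetime_to_datetime(deleted_ft),
            "size": size,
            "ansi_path": ansi_path,
            "unicode_path": unicode_path,
            # inside the Recycler folder the file itself was renamed D<drive letter><index>.<ext>
            "recycled_name": f"D{chr(ord('a') + drive)}{index}{ext}",
        })
    return records


def parse_dollar_i(data):
    """Parse a $I file. Version 1 is Vista/7 (fixed 260-WCHAR path); version 2
    (Windows 10, length-prefixed path) is handled too, which goes beyond the slides."""
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + 2 * nchars].decode("utf-16-le").split("\x00", 1)[0]
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(deleted_ft), "path": path}


# --- constructed sample data (user, paths and times are made up) ---
def build_info2_record(path, index, drive, deleted, size):
    return (path.encode("cp1252").ljust(260, b"\x00")
            + struct.pack("<iIQI", index, drive, datetime_to_filetime(deleted), size)
            + path.encode("utf-16-le").ljust(520, b"\x00"))


def build_info2(records):
    # only the record size field is interpreted by parse_info2
    return struct.pack("<5I", 5, 0, 0, INFO2_RECORD_SIZE, 0) + b"".join(records)


def build_dollar_i_v1(path, size, deleted):
    return (struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted))
            + path.encode("utf-16-le").ljust(520, b"\x00"))


DELETED_AT = datetime(2011, 6, 15, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_INFO2 = build_info2([build_info2_record(
    r"C:\Documents and Settings\alice\My Documents\budget.xls", 7, 2, DELETED_AT, 45056)])
SAMPLE_DOLLAR_I = build_dollar_i_v1(r"C:\Users\alice\Documents\budget.xlsx", 45056, DELETED_AT)

if __name__ == "__main__":
    for rec in parse_info2(SAMPLE_INFO2):
        print("INFO2:", rec["recycled_name"], rec["deleted"].isoformat(), rec["unicode_path"])
    di = parse_dollar_i(SAMPLE_DOLLAR_I)
    print("$I:   ", di["deleted"].isoformat(), di["size"], di["path"])
```

On a real image, feed the bytes of INFO2 from the user's SID folder, or of one $I file from $Recycle.Bin\<SID>, to the same functions. The INFO2 record index and drive number reconstruct the name the content carried inside the Recycler folder (Dc7.xls here), which is how the renamed file is matched to its metadata on XP; on Vista/7 the match is by the shared random part of the $R/$I names.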
Windows Prefetching
Basics of Prefetching
  Implemented with Windows XP
  Component of the Windows memory manager
  SuperFetch and ReadyBoost added with Windows Vista
  Boot vs. application prefetching
  Demo of the functioning of prefetching
Prefetch file in Windows XP (figure)
Prefetch file in Vista and Windows 7 (figure)
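An added example (not from the slides) that reads the fields an examiner wants from a .pf header: the executable name, the prefetch hash that forms the on-disk name EXENAME-HASH.pf under %SystemRoot%\Prefetch, the last run time and the run count. The field offsets follow the commonly documented layouts for version 17 (Windows XP) and version 23 (Vista/7), which is what the two figures above compare. The two sample files are constructed in the block and their hash values are arbitrary.

```python
"""Header parser for Windows XP (version 17) and Vista/7 (version 23) prefetch files.

Added example; offsets follow the commonly documented layout, samples are constructed."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# version -> (offset of last-run FILETIME, offset of run counter), relative to file start
PF_LAYOUT = {
    17: (0x78, 0x90),  # Windows XP / Server 2003
    23: (0x80, 0x98),  # Windows Vista / 7
}


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    """Return name, hash, last run time and run count from a .pf header."""
    version, signature, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature: not an uncompressed prefetch file")
    if version not in PF_LAYOUT:
        # version 26 (Windows 8) moves the counters again; version 30 (Windows 10) is MAM-compressed
        raise ValueError(f"prefetch version {version} not handled here")
    exe_name = data[16:16 + 60].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 76)
    last_run_off, count_off = PF_LAYOUT[version]
    (last_run_ft,) = struct.unpack_from("<Q", data, last_run_off)
    (run_count,) = struct.unpack_from("<I", data, count_off)
    return {
        "version": version,
        "file_size": file_size,
        "executable": exe_name,
        "hash": pf_hash,
        "last_run": filetime_to_datetime(last_run_ft),
        "run_count": run_count,
        # the on-disk name in %SystemRoot%\Prefetch is EXENAME-HASH.pf
        "expected_filename": f"{exe_name}-{pf_hash:08X}.pf",
    }


def check_filename(pf_filename, parsed):
    """A .pf whose name disagrees with its header was renamed or planted."""
    return pf_filename.upper() == parsed["expected_filename"].upper()


# --- constructed samples (not real captures; hash values are arbitrary) ---
def build_prefetch(version, exe_name, pf_hash, last_run, run_count, size=0x1000):
    buf = bytearray(size)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0, size)
    buf[16:16 + len(exe_name) * 2] = exe_name.encode("utf-16-le")
    struct.pack_into("<I", buf, 76, pf_hash)
    last_run_off, count_off = PF_LAYOUT[version]
    ft = ((last_run - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    struct.pack_into("<Q", buf, last_run_off, ft)
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


LAST_RUN = datetime(2011, 6, 15, 10, 31, 0, tzinfo=timezone.utc)
SAMPLE_XP = build_prefetch(17, "CMD.EXE", 0x087B4001, LAST_RUN, 42)
SAMPLE_WIN7 = build_prefetch(23, "CMD.EXE", 0x4A81B364, LAST_RUN, 7)

if __name__ == "__main__":
    for sample in (SAMPLE_XP, SAMPLE_WIN7):
        p = parse_prefetch(sample)
        print(p["version"], p["expected_filename"], p["last_run"].isoformat(), p["run_count"])
```

The version check matters in practice: a file from a Windows 10 image starts with the MAM compression marker rather than the SCCA header and must be decompressed before these offsets mean anything, and Windows 8 and later keep up to eight last-run times instead of one.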
Thumbnails
  Windows XP: 96 x 96 pixel thumbnails (figure)
  Windows Vista and 7: option to choose the thumbnail size anywhere on the slider (figure)
Storage in Windows XP (Thumbs.db)
  Cannot identify the user who viewed the folder (Thumbs.db is per folder, not per user)
  Deleted with the deletion of the folder
  Only 96 x 96 pixel thumbnails
  Tool: Thumbs_Viewer.exe
  Demo: manually recreating a thumbnail with a hex editor
Thumbnails in Vista and Windows 7
  Central location for all thumbnails:
    C:\Users\<USER>\AppData\Local\Microsoft\Windows\Explorer
  One cache file per maximum thumbnail size, e.g. 32 x 32 pixel thumbnails in thumbcache_32.db
  Index file linking the unique ID in the cache file to the Windows Search index:
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
  Thumbs.db is still generated when a folder is accessed over the network
Thumbnails in Vista and Windows 7: entry in a thumbnail cache file (figure)
Entries in the thumbcache_idx, thumbcache_32, thumbcache_96 and thumbcache_256 files (figure)
Rebuilding the Cache
  1. Find the filename and path of the image file.
  2. Find its ThumbnailCacheID in Windows.edb.
  3. Find the corresponding data location in the cache files through thumbcache_idx.
  4. Look up the data location in the thumbcache_32, thumbcache_96, thumbcache_256 and thumbcache_1024 files and match the ThumbnailCacheID.
  5. Take the data block, identify the file type and reconstruct the thumbnail.
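The rebuild procedure above, as an added example that is not part of the slides: a parser for a Windows 7 thumbcache_*.db (header version 0x15) that walks the CMMM entries, extracts each data block, sniffs its image type from the magic bytes (the cache stores raw BMP, JPEG or PNG data without a file name) and names the result after the 64-bit cache ID, which is the value System_ThumbnailCacheId in Windows.edb links back to the original file. The entry layout is the commonly documented Windows 7 one; Vista entries (version 0x14) carry an extra 8-byte extension field after the hash and are rejected here. The cache file, its cache IDs and the image stubs are constructed for the demonstration.

```python
"""Carve thumbnails out of a Windows 7 thumbcache_*.db file (header version 0x15).

Added example following the commonly documented Windows 7 layout; the cache
below is constructed, not captured."""
import struct

DB_HEADER = struct.Struct("<4sIIIII")        # 'CMMM', version, cache type, first entry, first free, count
ENTRY_HEADER = struct.Struct("<4sIQIIIIQQ")  # 'CMMM', size, hash, id size, pad size, data size, unknown,
                                             # data checksum, header checksum (48 bytes)
WIN7_VERSION = 0x15
CACHE_TYPES = {0: "thumbcache_32", 1: "thumbcache_96", 2: "thumbcache_256", 3: "thumbcache_1024"}
# the data block carries no file name, so its type has to be sniffed from magic bytes
IMAGE_MAGIC = ((b"BM", "bmp"), (b"\xff\xd8\xff", "jpg"), (b"\x89PNG\r\n\x1a\n", "png"))


def sniff_image_type(block):
    for magic, ext in IMAGE_MAGIC:
        if block.startswith(magic):
            return ext
    return "bin"


def parse_thumbcache(data):
    sig, version, cache_type, first_entry, _first_free, _count = DB_HEADER.unpack_from(data, 0)
    if sig != b"CMMM":
        raise ValueError("not a thumbcache file")
    if version != WIN7_VERSION:
        raise ValueError(f"only version 0x{WIN7_VERSION:x} (Windows 7) is handled, got 0x{version:x}")
    entries = []
    off = first_entry
    while off + ENTRY_HEADER.size <= len(data):
        (esig, esize, cache_id, id_size, pad_size, data_size,
         _unknown, _data_crc, _hdr_crc) = ENTRY_HEADER.unpack_from(data, off)
        if esig != b"CMMM" or esize < ENTRY_HEADER.size:
            break  # slack or a torn entry; a carver would rescan for the signature from here
        id_off = off + ENTRY_HEADER.size
        identifier = data[id_off:id_off + id_size].decode("utf-16-le", "replace")
        data_off = id_off + id_size + pad_size
        block = data[data_off:data_off + data_size]
        if data_size:  # zero-length data marks an entry whose thumbnail was cleared
            entries.append({
                "cache_type": CACHE_TYPES.get(cache_type, f"type{cache_type}"),
                "cache_id": f"{cache_id:016x}",  # the ThumbnailCacheID recorded in Windows.edb
                "identifier": identifier,
                "ext": sniff_image_type(block),
                "data": block,
            })
        off += esize
    return entries


def carve_thumbnails(data):
    """Map '<cache_id>.<ext>' -> image bytes, ready to be written out and viewed."""
    return {f"{e['cache_id']}.{e['ext']}": e["data"] for e in parse_thumbcache(data)}


# --- constructed sample cache (IDs and image stubs are made up) ---
def build_entry(cache_id, block):
    ident = f"{cache_id:016x}".encode("utf-16-le")
    pad = (-len(ident)) % 8
    size = ENTRY_HEADER.size + len(ident) + pad + len(block)
    return (ENTRY_HEADER.pack(b"CMMM", size, cache_id, len(ident), pad, len(block), 0, 0, 0)
            + ident + b"\x00" * pad + block)


def build_cache(cache_type, entries):
    body = b"".join(entries)
    return DB_HEADER.pack(b"CMMM", WIN7_VERSION, cache_type, DB_HEADER.size,
                          DB_HEADER.size + len(body), len(entries)) + body


SAMPLE_CACHE = build_cache(1, [
    build_entry(0x1A2B3C4D5E6F7081, b"BM" + b"\x00" * 30),               # BMP thumbnail stub
    build_entry(0x0123456789ABCDEF, b""),                                  # cleared entry, no data
    build_entry(0xFEDCBA9876543210, b"\xff\xd8\xff\xe0" + b"\x00" * 28),  # JPEG thumbnail stub
])

if __name__ == "__main__":
    for name, blob in carve_thumbnails(SAMPLE_CACHE).items():
        print(name, len(blob), "bytes")
```

The cleared entry is the interesting case for an examiner: its header and cache ID survive even though the image data is gone, so the ID can still be matched against Windows.edb to show that a thumbnail for that file once existed.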
Windows Volume Shadow Copy
Ever wonder how System Restore works?
  The Volume Shadow Copy Service monitors the volume for changes
  Copies changed blocks (16 KB) before they are overwritten and keeps them in a file
  Snapshots are taken on an automatic schedule, on system restore point creation and on installation of a new package
  Can carry data that was later deleted, wiped or encrypted
Exploring Shadow Copies
  Explore with vssadmin (figure), e.g. vssadmin list shadows
  Mount with dosdev.exe (figure)
  Let's share a shadow copy:
    net share shadow=\\.\HarddiskVolumeShadowCopy5\
Time Line analysis
(Thanks to Rob Lee for his awesome research)
Basic time line (file system time line):

  FAT
    Time stored as:     local time, counted from Jan 1, 1980 (DOS date/time)
    Modified:           2-second resolution
    Accessed:           1-day resolution (date only, time usually midnight)
    Created:            10 ms resolution
    Metadata modified:  not recorded
  NTFS
    Time stored as:     UTC, 100-nanosecond intervals since Jan 1, 1601 (FILETIME)
    Modified:           FILETIME
    Accessed:           FILETIME
    Created:            FILETIME (file birth)
    Metadata modified:  FILETIME ($MFT record changed)

Disable last access time:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate = 1
  Windows Vista and later ship with this value already set to 1, so NTFS last-access times on those systems are normally stale and should not be relied on.
Why timeline analysis
  Extremely difficult for malware to handle all the timestamps
  Almost impossible for an attacker to hide every piece of timeline evidence
  Evidence is spread across the system and across multiple timelines
  Helps present the entire picture of everything that happened on the system
How various times behave (screen taken from Rob Lee's presentation)
Let's use $FILE_NAME to avoid the Win32 API
  The Win32 API (SetFileTime) only writes the $STANDARD_INFORMATION timestamps; the $FILE_NAME attribute's timestamps cannot be set through it, so they survive most timestomping.
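As an added example covering the timestamp table, the $FILE_NAME point above and the "check for the nanosecond value" item in the examination matrix that follows (this is not code from the slides): decoders for the FAT DOS date/time words and the NTFS FILETIME, a timeline builder in Rob Lee's MACB flag convention (Modified, Accessed, metadata Changed, Born), and two timestomp heuristics that compare $STANDARD_INFORMATION ($SI) against $FILE_NAME ($FN). The MFT entries, file names and times are constructed for the demonstration.

```python
"""Timestamp decoding plus a $STANDARD_INFORMATION vs $FILE_NAME timestomp check.

Added example; the MFT timestamp sets below are constructed, not read from a volume."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MACB = "MACB"   # Modified, Accessed, metadata Changed, Born


def filetime_to_datetime(ft):
    """NTFS: 100-nanosecond intervals since 1601-01-01, UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def dos_datetime(date_word, time_word):
    """FAT: two 16-bit words in local time; the date counts years from 1980,
    the time has 2-second resolution (the seconds field is stored halved)."""
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)  # naive: FAT records no zone


def macb_rows(name, attribute, times):
    """One row per distinct timestamp, flagged with the MACB letters that share it."""
    by_time = {}
    for flag, ft in zip(MACB, times):
        by_time.setdefault(ft, set()).add(flag)
    return [(filetime_to_datetime(ft),
             "".join(f if f in flags else "." for f in MACB), attribute, name)
            for ft, flags in by_time.items()]


def build_timeline(files):
    """files: {name: {"$SI": (M, A, C, B), "$FN": (M, A, C, B)}} with FILETIME values."""
    rows = []
    for name, attrs in files.items():
        for attribute, times in attrs.items():
            rows.extend(macb_rows(name, attribute, times))
    return sorted(rows)


def detect_timestomp(attrs):
    """$FN cannot be written through SetFileTime, so a $SI birth earlier than the $FN birth,
    or $SI times with no sub-second part (second-resolution tooling), are suspect."""
    si, fn = attrs["$SI"], attrs["$FN"]
    reasons = []
    if si[3] < fn[3]:
        reasons.append("si_born_before_fn_born")
    if all(ft % 10_000_000 == 0 for ft in si):
        reasons.append("si_zero_subsecond")
    return reasons


# --- constructed $MFT timestamp sets (names and times are made up) ---
def ft(*args, hundred_ns=0):
    return datetime_to_filetime(datetime(*args, tzinfo=timezone.utc)) + hundred_ns


T_REAL = ft(2011, 6, 15, 11, 0, 0, hundred_ns=5_000_000)  # genuine creation, sub-second part present
T_FAKE = ft(2009, 1, 1)                                    # backdated by a second-resolution tool
T_OK = ft(2011, 6, 15, 10, 30, 0, hundred_ns=1_234_567)

SAMPLE_FILES = {
    "benign.txt": {"$SI": (T_OK,) * 4, "$FN": (T_OK,) * 4},
    "evil.exe": {"$SI": (T_FAKE,) * 4, "$FN": (T_REAL,) * 4},
}

if __name__ == "__main__":
    for when, flags, attribute, name in build_timeline(SAMPLE_FILES):
        print(when.isoformat(), flags, attribute, name)
    for name, attrs in SAMPLE_FILES.items():
        print(name, detect_timestomp(attrs) or "ok")
```

Treat both heuristics as leads rather than proof: $FILE_NAME timestamps follow their own update rules, and a tool that writes full 100-ns precision will not trip the sub-second check, so corroborate hits with the other artifacts in the matrix (the prefetch file of the tool that was run, shadow copies of the $MFT).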
Conducting an examination
  File download: timeline analysis; MRU (Open/Save/Run); browser history; mail analysis; malware analysis; log analysis
  Program execution: prefetch; Open/Run MRU; Run MRU; UserAssist
  File existence: search MRU; thumbnail analysis; Recycle Bin analysis; browser artifacts; shadow copy
  USB keys: USB serials; first and last time used; user who used it; path in MRU; volume name and drive letter
  File creation and change: timeline analysis; shadow copy; recent file MRUs; LNK file analysis; thumbnails for image and other files
  Was a registry key deleted?: registry slack; regedit execution; regedit prefetch; shadow file; security descriptor on the keys
  File deletion: unallocated space; Recycle Bin analysis; Volume Shadow Copy; recent file list and LNK files; various MRUs; strings
  Time stamp tampering: timeline analysis; execution of the tampering program; check for the nanosecond value; Volume Shadow Copy
  System compromise?: network forensics; super timeline analysis; backdoor presence and analysis; connection analysis
  Encryption attacks: memory analysis; rainbow tables; LM hash attack; page file analysis for key presence; temp locations for decrypted files; various password attacks
Questions?




