Shri




Few More Aspects of Forensics
Boonlia Prince Komal

Gmail: boonlia@gmail.com
Facebook: http://www.facebook.com/home.php?#!/profile.php?id=1701055902 or search for my mail id boonliasecurity@gmail.com
Twitter: http://twitter.com/boonlia
Recycle Bin Analysis
Location of Recycle Bin file/files

Operating System     File System   Location
Windows 95/98/ME     FAT32         C:\Recycled\INFO2
Windows NT/2K/XP     NTFS          C:\Recycler\<USER SID>\INFO2
Windows Vista/7      NTFS          C:\$Recycle.Bin\<USER SID>
Changes With Vista
[Figure: Recycle Bin layout in Windows XP/2K/NT/ME/98/95 compared with Windows Vista/7]
INFO2 File structure
INFO2 File structure Cont.
[Figure: INFO2 record layout]
Windows Vista / 7: each deleted file is stored as a pair, $Rxxxxxxx.abc (the file content) and $Ixxxxxxx.abc (the metadata record holding Deletion Time, File Name and File Size)
The $I File Structure
Windows Prefetching
Basics of Prefetching
Implemented with Windows XP
Windows Memory Manager component
SuperFetch and ReadyBoost with Windows Vista
Boot vs. application prefetching
Demo of the functioning of prefetching
Prefetch file in Windows XP
Prefetch file in Vista and Windows 7
Thumbnails
Windows XP: 96 x 96 pixel thumbnails
Windows Vista and 7: option to choose the thumbnail size anywhere on the slider
Storage in Windows XP (Thumbs.db)
- Cannot identify the user who used it
- Deleted with the deletion of the folder
- Only 96 x 96 pixel thumbnails
- Tool: Thumbs_Viewer.exe
- Demo: manually recreating a thumbnail with a hex editor
Thumbnails in Vista and Windows 7
Central location for all thumbnails:
          C:\Users\<USER>\AppData\Local\Microsoft\Windows\Explorer
Cache files are named by the maximum pixel size of the thumbnails they hold, e.g.
          32 x 32 (max) pixel thumbnails in thumbcache_32.db
Index file that links the unique ID in the cache file to the Windows Search index:
          C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
Thumbs.db is still generated when a folder is accessed over the network
Thumbnails in Vista and Windows 7
[Figure: an entry in a thumbnail cache file, and the entries in the Thumbcache_IDX, Thumbcache_32, Thumbcache_96 and Thumbcache_256 files]
Rebuilding the Cache
1. Find the filename and path of the image file
2. Find its ThumbnailCacheID in Windows.edb
3. Find the corresponding data location in the cache files in Thumbcache_IDX
4. Look up the data location in the ThumbCache_32, ThumbCache_96, ThumbCache_256 or ThumbCache_1024 file and match the ThumbnailCacheID
5. Take the data block, identify the file type and reconstruct the thumbnail
Windows Volume Shadow copy
Ever wonder how System Restore works?
  The Volume Shadow Copy service monitors the system for changes
  It copies changed sectors in 16KB blocks and keeps them in a file
  Copies are taken on: the automatic schedule, system restore point creation, installation of a new package
  A shadow copy can carry data that was deleted, wiped or encrypted later
Exploring Shadow Copies
Explore with vssadmin
Mount with DOSDEV.exe
Let's share a shadow copy:
net share shadow=\\.\HarddiskVolumeShadowCopy5
Time Line analysis
(Thanks to Rob Lee for his awesome research)
Basic time line (file system time line):

File System | Time stored as | Epoch / resolution                           | Modified                           | Accessed                                               | Created                        | Metadata Modified
FAT         | Local time     | Since Jan 1, 1980                            | Modified in multiples of 2 seconds | Accessed in multiples of a day (time usually midnight) | Created in multiples of 10 ms  | (none)
NTFS        | UTC            | 100 nanoseconds since Jan 1, 1601 (FILETIME) | Modified (FILETIME)                | Accessed (FILETIME)                                    | Date Created (File Birth)      | $MFT Modified (Metadata changed)

Disable Last Access time: set
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate to 1.
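The $I record from the Recycle Bin slides and the two timestamp encodings in the table above are small enough to decode by hand. The following is an added example (not code from this deck or from any tool it mentions): it parses a constructed Vista/7 $I record and converts both an NTFS FILETIME (100-nanosecond ticks since 1601-01-01 UTC) and a FAT date/time word pair (local time, 2-second granularity, 1980 base). The $I layout assumed is the Vista/7 version-1 record: 8-byte header with value 1, 8-byte original size, 8-byte FILETIME deletion time, then the original path as null-terminated UTF-16LE padded to 260 characters (544 bytes in total); the sample path, size and deletion time are constructed.

```python
"""Decode a Recycle Bin $I record (Vista/7 layout) plus the NTFS FILETIME and
FAT date/time formats from the file system timeline table.

Added example, not code from the deck. Assumed $I layout (Vista/7, version 1):
8-byte header == 1, 8-byte original file size, 8-byte FILETIME deletion time,
then the original path as null-terminated UTF-16LE padded to 260 characters.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000                 # FILETIME counts 100 ns ticks
MAX_PATH_CHARS = 260                          # fixed path field, UTF-16 code units
DOLLAR_I_SIZE = 8 + 8 + 8 + MAX_PATH_CHARS * 2   # 544 bytes


def filetime_to_datetime(ft: int) -> datetime:
    """NTFS/Win32 FILETIME (UTC) -> timezone-aware datetime.
    Python datetimes stop at microseconds, so the 100 ns digit is dropped;
    keep the raw tick count when the nanosecond field itself matters
    (e.g. when checking for timestamp tampering)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; dt must be timezone-aware."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def fat_datetime(date_word: int, time_word: int) -> datetime:
    """FAT directory-entry date/time words -> naive datetime (local time).
    date: bits 15..9 = year - 1980, bits 8..5 = month, bits 4..0 = day
    time: bits 15..11 = hour, bits 10..5 = minute, bits 4..0 = seconds / 2
    The 5-bit seconds/2 field is why FAT modified times come in 2 s steps."""
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def parse_dollar_i(blob: bytes) -> dict:
    """Parse one $Ixxxxxxx record into deletion time, size and original path."""
    if len(blob) < DOLLAR_I_SIZE:
        raise ValueError(f"$I record too short: {len(blob)} bytes")
    header, size, deleted_ft = struct.unpack_from("<QQQ", blob, 0)
    if header != 1:
        raise ValueError(f"unexpected $I header value {header}")
    raw_path = blob[24:24 + MAX_PATH_CHARS * 2]
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {
        "size": size,
        "deleted_filetime": deleted_ft,
        "deleted_utc": filetime_to_datetime(deleted_ft),
        "path": path,
    }


def build_dollar_i(path: str, size: int, deleted_utc: datetime) -> bytes:
    """Build a $I record; used here only to construct the sample below."""
    encoded = path.encode("utf-16-le")
    if len(encoded) > (MAX_PATH_CHARS - 1) * 2:
        raise ValueError("path does not fit the fixed 260-character field")
    encoded = encoded.ljust(MAX_PATH_CHARS * 2, b"\x00")
    return struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted_utc)) + encoded


# Constructed sample: a $I record for a hypothetical deleted document.
SAMPLE_DELETED_UTC = datetime(2011, 6, 15, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_I = build_dollar_i(r"C:\Users\alice\Documents\notes.txt", 1234, SAMPLE_DELETED_UTC)

if __name__ == "__main__":
    rec = parse_dollar_i(SAMPLE_I)
    print(f"{rec['path']}  {rec['size']} bytes  deleted {rec['deleted_utc'].isoformat()}")
    # Constructed FAT words for 2011-06-15 10:30:00; the second call shows the 2 s step.
    print(fat_datetime(0x3ECF, 0x53C0), fat_datetime(0x3ECF, 0x53C1))
```

On a real image, read the $I file from C:\$Recycle.Bin\<USER SID>\ and pass its bytes to parse_dollar_i; the matching $R file with the same suffix holds the content. Note that fat_datetime returns a naive value because FAT stores local time, whereas the FILETIME helper returns UTC, which is exactly the difference the table records.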
Why Timeline analysis
Extremely difficult for malware to handle all timestamps
Almost impossible for an attacker to hide all timeline evidence
Spread across the system and across multiple timelines
Helps in presenting the entire picture of all the happenings on the system
How various times behave
Screen taken from Rob Lee's presentation
Let's use the $FILE_NAME attribute timestamps to avoid the Win32 API
Conducting an examination

Program execution: Prefetch, Open/Run MRU, Run MRU, UserAssist
File existence: Search MRU, Thumbnail analysis, Recycle Bin analysis, Browser artifacts, Shadow Copy
USB keys: USB serials, First and last time used, User who used it, Path in MRU, Volume name and drive letter
File creation and change: Time line analysis, Shadow copy, Recent file MRUs, Lnk file analysis, Thumbnails for image and other files
Was a registry key deleted?: Registry slack, Regedit execution, Regedit Prefetch, Shadow file, Security descriptor on the keys
File deletion: Unallocated space, Recycle Bin analysis, Volume Shadow copy, Recent file list and lnk, Various MRUs, Strings
Time stamp tampering: Time line analysis, Execution of program, Check for nanosecond value, Volume Shadow copy
System compromise?: Network forensics, Super time line analysis, Backdoor presence and analysis, Connection analysis
Encryption attacks: Memory analysis, Rainbow tables, LM hash attack, Page file analysis for key presence, Temp locations for decrypted files, Various password attacks
Other areas on the chart: File timeline, MRU, File download analysis, Browser history (Open/Save/Run), Mail analysis, Malware analysis, Log analysis
Questions?

Gmail: boonlia@gmail.com
Facebook: http://www.facebook.com/home.php?#!/profile.php?id=1701055902 or search for my mail id boonliasecurity@gmail.com
Twitter: http://twitter.com/boonlia

Windows Forensics
