data64- windows forensics
Post on 13-May-2015
Windows Forensics 1
WINDOWS FORENSICS
BY CATALYST
CONTENTS
• Registry Analysis
• Recycle Bin Analysis
• Hiberfil.sys File Analysis
• Paging File Analysis
• Prefetch Analysis
• Thumbs.db Analysis
REGISTRY ANALYSIS
What is the Registry?
• The Registry is a database used to store settings and options for the 32/64-bit versions of Microsoft Windows.
• It contains information and settings for all the hardware, software, users, and preferences of the PC.
• It was first introduced in Windows 95.
• Whenever a user changes Control Panel settings, file associations, system policies, or installed software, the changes are reflected and stored in the Registry.
• Virtually everything done in Windows refers to or is recorded in the Registry.
• To edit Registry files, run Regedit.exe.
[Regedit screenshot: Key Pane showing Root Keys and Sub keys; Content Pane showing Value Name, Data Type and Value]
REGISTRY ANALYSIS: Root Keys and Hives
Root Keys
1. HKEY_CLASSES_ROOT (HKCR) {alias HKLM\Software\Classes}
2. HKEY_CURRENT_USER (HKCU) {alias HKLM\Software\Classes}
3. HKEY_LOCAL_MACHINE (HKLM)
4. HKEY_USERS (HKU)
5. HKEY_CURRENT_CONFIG (HKCC) {alias HKLM\Config\profile}
Hives
• The hive files are saved in %SystemRoot%\System32\Config and updated with each login.
REGISTRY ANALYSIS: Most Recently Used (MRU)
• OpenSaveMRU maintains a list of recently opened or saved files.
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
• RunMRU maintains the commands typed in the "Run" dialog box.
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
REGISTRY ANALYSIS: Recent Docs
• This key also maintains a list of files recently executed or opened through Windows Explorer.
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
REGISTRY ANALYSIS: Windows Virtual Memory (Paging File) Configuration
• The paging file (usually C:\pagefile.sys) may contain evidential information that could be removed once the suspect computer is shut down.
• ClearPageFileAtShutdown specifies whether Windows should clear the paging file when the computer shuts down.
• HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
REGISTRY ANALYSIS: Recent Search Terms
• This key contains recent search terms entered in the default Windows search.
• Subkey 5603 contains search terms for finding folders and file names.
• Subkey 5604 contains search terms for finding words or phrases in a file.
• HKCU\Software\Microsoft\Search Assistant\ACMru
REGISTRY ANALYSIS: Installed Programs
• Each subkey of this key represents a program installed on the computer.
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
RECYCLE BIN ANALYSIS
What is the Recycle Bin?
• When you delete a file, the complete path and file name are stored in a hidden file called INFO or INFO2 (Windows 98) in the Recycled folder.
• Deleting a single file from the Recycle Bin changes the first byte of its record in the INFO2 file to 00.
• Removable devices do not have a Recycle Bin.
• The deleted file is renamed using the following syntax:
  D<original drive letter of file><#>.<original extension>
Tools for analysis
• Windows File Analyzer
• Recuva
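As an added example (not from the slides or either tool above), a small Python parser for the INFO2 file described here: it recovers each record's original path and deletion time, reconstructs the D<drive><#>.<ext> name the file carries in the Recycled folder, and flags records whose first byte has been zeroed by a deletion from the bin. The 20-byte header, 800-byte record layout, field offsets and drive-number-to-letter mapping are assumptions taken from public notes on the Windows 2000/XP INFO2 format, and the sample bytes are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Record layout assumed from public notes on the Windows 2000/XP INFO2 format
# (not stated on the slides): 20-byte header, then 800-byte records.
HEADER_SIZE = 20
RECORD_SIZE = 800

def filetime_to_dt(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_info2(data):
    """Return one dict per record; flag records purged from the bin (first byte 00)."""
    records = []
    for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        rec = data[off:off + RECORD_SIZE]
        index, drive = struct.unpack_from("<ii", rec, 260)      # record number, drive (0 = A:)
        deleted_ft, size = struct.unpack_from("<Qi", rec, 268)  # deletion FILETIME, size
        # The ANSI copy of the path (bytes 0-259) loses its first byte when the item is
        # deleted from the bin; the Unicode copy (bytes 280-799) is still intact.
        unicode_path = rec[280:].decode("utf-16-le").split("\x00", 1)[0]
        ext = unicode_path.rsplit(".", 1)[1] if "." in unicode_path.rsplit("\\", 1)[-1] else ""
        records.append({
            "index": index,
            "original_path": unicode_path,
            "deleted_at": filetime_to_dt(deleted_ft),
            "size": size,
            # Name the file carries inside the Recycled folder: D<drive><#>.<ext>
            "bin_name": "D%s%d%s" % (chr(ord("a") + drive), index, "." + ext if ext else ""),
            "purged_from_bin": rec[0] == 0,
        })
    return records

def build_record(path, index, drive, deleted_ft, size, purged=False):
    """Constructed sample record (not real evidence) in the layout parsed above."""
    ansi = path.encode("ascii").ljust(260, b"\x00")
    if purged:
        ansi = b"\x00" + ansi[1:]   # what a deletion from the bin does to the record
    uni = path.encode("utf-16-le").ljust(520, b"\x00")
    return ansi + struct.pack("<iiQi", index, drive, deleted_ft, size) + uni

# Constructed INFO2 image: two deletions on C:, the second later removed from the bin.
SAMPLE_INFO2 = (
    struct.pack("<IIIII", 5, 0, 0, RECORD_SIZE, 0)
    + build_record("C:\\Docs\\secret.docx", 1, 2, 130754736000000000, 4096)
    + build_record("C:\\Docs\\notes.txt", 2, 2, 130754740000000000, 512, purged=True)
)

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        print(r["bin_name"], r["original_path"], r["deleted_at"], "purged" if r["purged_from_bin"] else "")
```

On a real image, replace SAMPLE_INFO2 with the bytes of the Recycled\INFO2 file and keep the Unicode path as the authoritative copy, since the ANSI copy is the one damaged by a purge.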
PREFETCH FILE ANALYSIS
• Frequently used applications are logged in a special folder to speed up their start, by noting which disk sectors will be required directly upon start.
• Stored in the directory C:\Windows\Prefetch
• Named as: <Executable File Name>-XXXXXXXX.pf
• XXXXXXXX is the hash of the location from where the executable was run.
Tools for analysis
HIBERFIL.SYS ANALYSIS
Hibernation mode?
• The computer uses the Hiberfil.sys file to store a copy of the system memory on the hard disk when the hybrid sleep setting is turned on.
• Hiberfil.sys is a hidden system file.
• Hiberfil.sys ≥ RAM size.
• The hibernation file is compressed.
PAGING FILE ANALYSIS
• A page file is a hidden file or files on the hard disk that the operating system uses to hold parts of programs and data files that do not fit in memory.
• Virtual memory comprises the paging file and physical memory or random access memory (RAM).
• Windows moves data from the paging file to memory as needed, and it moves data from memory to the paging file to make room for new data.
• By default, Windows stores the paging file on the boot partition (the partition that contains the operating system and its support files). The default paging file size is equal to 1.5 times the total RAM.
Any Queries ?