Mining Digital Evidence in Microsoft Windows - Answering Who, When, Why and How?
Agenda
CSI Computer Crime and Security Survey, 2007
What is Computer Forensics?
Laws of Computer Forensics
10 forensics avenues in Windows XP
A Quick CSI-FBI 2007 Survey Summary
The average annual loss in 2007 - $350,424
Average annual loss in the previous year - $168,000
Not since the 2004 report have average losses been this high!
46% of the overall respondents said that they had suffered a security incident.
Almost one-fifth (18 percent) of those respondents who suffered one or more kinds of security incident further said they’d suffered a “targeted attack”.
Financial fraud - the source of the greatest financial losses.
CSI Computer Crime and Security Survey
Insider abuse of network access or e-mail - the most prevalent security problem - 59 percent of respondents
Virus incidents - 52 percent of respondents
Dollar amount losses:
Financial Fraud - $21,124,750
Virus (Worms / Spyware) - $8,391,800
Theft of Confidential Data - $5,685,000
Insider abuse of resources - $2,889,700
Total losses for 2007 - $66,930,950
CSI Computer Crime and Security Survey How many Incidents in the past twelve months?
Computer Forensics - the laws
First Law of Computer Forensics: there is evidence of every action.
Harlan Carvey’s Corollary: once you understand what actions or conditions create or modify an artifact, then the absence of that artifact is itself an artifact.
Tip of the “Digital” Iceberg
Data as seen by a casual observer using common tools (Explorer window, cmd shell, web browser etc.)
Data as seen by a forensic investigator using a sophisticated toolkit: may include deleted data, hidden data, unauthorized information and records of illegal activity!
Mining Windows XP
Windows XP - Market Share
92.69% of the people surfing the Web use Windows on PCs
Windows XP’s share - 79.32%
Windows Vista - 7.38%
Source: http://marketshare.hitslink.com
10 Forensics avenues in Windows XP
1. NTFS attributes
2. Registry files
3. Prefetch files (.pf)
4. Print spooler files
5. Recycle Bin INFO2 records
6. Thumbs.db
7. Event logs (.evt)
8. Internet history files (.dat)
9. Shortcut files (.lnk)
10. System Restore points
Mining NTFS Attributes MFT entry
Mining $LogFile
The $LogFile entry in the MFT holds the log of all file system transactions.
The deletion of a file leaves several entries in $LogFile.
It is not unusual to find files that are no longer on the disk.
It also shows that the file was used by the system.
Tool: EnCase $LogFile parser EnScript
Mining NTFS timestamps
NTFS has four timestamps:
Creation time
Last accessed time
Last written time
Last modification time
Windows 64-bit time stamp: an 8-byte (64-bit) value whose most significant byte is 01h; because the value is stored little-endian, that byte sits at the far right of the string as it appears on disk.
Both the $FILE_NAME (FN) and $STANDARD_INFORMATION (SIA) attributes carry these timestamps.
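The slide's description of the 64-bit time stamp is easier to trust once you have decoded one by hand. The following Python is an added example, not part of the deck: it converts the eight little-endian bytes of a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) to a datetime and back, accepts the byte string as a hex editor shows it, and turns the "01h at the far right" observation into a sanity check. The date range for which that check holds (about 1829 to 2057) is worked out from the tick arithmetic below and is not stated on the slide.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: unsigned 64-bit count of 100-nanosecond ticks since 1601-01-01 00:00 UTC,
# stored little-endian, so the most significant byte is the LAST of the eight bytes on disk.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode 8 little-endian bytes of FILETIME into a timezone-aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes, got %d" % len(raw))
    ticks, = struct.unpack("<Q", raw)
    # Python datetimes stop at microseconds, so the last decimal digit of the tick count is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Encode a timezone-aware datetime as the 8 on-disk bytes; inverse of filetime_to_datetime."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime; forensic timestamps must be unambiguous")
    ticks = (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    return struct.pack("<Q", ticks)


def filetime_from_hexdump(dump: str) -> datetime:
    """Accept the bytes as a hex editor shows them, e.g. '00 80 3E D5 DE B1 9D 01'."""
    return filetime_to_datetime(bytes.fromhex(dump.replace(" ", "")))


def msb_is_01(raw: bytes) -> bool:
    """The slide's sanity check: the high byte (last on disk) is 0x01.
    2^56 ticks is May 1829 and 2^57 - 1 ticks is September 2057, so any date in between passes."""
    return len(raw) == 8 and raw[7] == 0x01


if __name__ == "__main__":
    # Constructed input: the FILETIME of the Unix epoch, 1970-01-01, as it would appear on disk.
    on_disk = "00 80 3E D5 DE B1 9D 01"
    dt = filetime_from_hexdump(on_disk)
    print(dt.isoformat(), msb_is_01(datetime_to_filetime(dt)))
```

Reading the bytes in the order they appear on disk (00 80 3E ... 01) gives nonsense; reversing them to 0x019DB1DED53E8000 gives the Unix epoch, which is why the 01h byte lands on the right.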
Windows Registry
Registry files are essentially databases containing information and settings for:
Hardware
Software
Users
Preferences
A registry hive is a group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data.
In Windows 98, the registry files are named User.dat and System.dat.
In Windows Millennium Edition, the registry files are named Classes.dat, User.dat, and System.dat.
In Windows XP, the registry files are found in the C:\Windows\System32\config folder.
Mining Windows Registry
Multiple forensic avenues in the registry!
System and user-specific settings
UserAssist
MUICache
MRU lists
ProgramsCache
StreamMRU
ShellBags
USBSTOR
IE passwords
and many more!
Demo
The Prefetch feature
Microsoft created the Prefetch cache to improve boot and application launch times. By caching commonly used applications, the OS can apportion system resources in anticipation of the user launching the application again.
When an application is launched, the system updates an entry in C:\Windows\Prefetch named after the application with a .pf file extension.
The Prefetch feature
Among other items, the file contains the last time that the file was modified, as a 64-bit hex time value, and an integer that is incremented each time the application has been run.
Analyze Prefetch - Mount Image Pro (MIP) + read-only image + WFA.exe
Demo
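To show what WFA.exe reads out of a .pf file, here is an added Python example that is not part of the deck or of any of the tools it names. It pulls the executable name, the last-run FILETIME and the run counter from an XP-format (version 0x11) prefetch file. The field offsets (name at 0x10, hash at 0x4C, last run at 0x78, run count at 0x90) are my understanding of the XP layout and are assumptions, as is the sample file built by `build_xp_prefetch`, which is a constructed fixture carrying only those fields and none of the trace data a real file holds.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
PF_SIGNATURE = b"SCCA"
PF_VERSION_XP = 0x11                      # format version written by Windows XP / 2003
# Offsets in the XP (version 17) file-information block. Assumed layout, see the lead-in.
XP_NAME_OFFSET, XP_NAME_SIZE = 0x10, 60   # executable name, UTF-16LE, NUL terminated
XP_HASH_OFFSET = 0x4C                     # path hash that also appears in the .pf file name
XP_LAST_RUN_OFFSET = 0x78                 # 64-bit FILETIME of the last execution
XP_RUN_COUNT_OFFSET = 0x90                # 32-bit run counter
XP_MIN_SIZE = 0x98


def _filetime(raw: bytes) -> datetime:
    ticks, = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_xp_prefetch(data: bytes) -> dict:
    """Extract the facts an examiner wants from an XP .pf file: what ran, when last, how often."""
    if len(data) < XP_MIN_SIZE:
        raise ValueError("file too short to be a prefetch file")
    if data[4:8] != PF_SIGNATURE:
        raise ValueError("missing SCCA signature: not a prefetch file")
    version, = struct.unpack_from("<I", data, 0)
    if version != PF_VERSION_XP:
        raise ValueError("unsupported prefetch version 0x%X (only XP/0x11 handled here)" % version)
    raw_name = data[XP_NAME_OFFSET:XP_NAME_OFFSET + XP_NAME_SIZE].decode("utf-16-le", "replace")
    exe_name = raw_name.split("\x00", 1)[0]
    path_hash, = struct.unpack_from("<I", data, XP_HASH_OFFSET)
    run_count, = struct.unpack_from("<I", data, XP_RUN_COUNT_OFFSET)
    return {
        "exe_name": exe_name,
        # The on-disk name is <EXE>-<HASH>.pf; a mismatch with the real file name is worth noting.
        "expected_pf_name": "%s-%08X.pf" % (exe_name, path_hash),
        "last_run": _filetime(data[XP_LAST_RUN_OFFSET:XP_LAST_RUN_OFFSET + 8]),
        "run_count": run_count,
    }


def build_xp_prefetch(exe_name: str, path_hash: int, last_run: datetime, run_count: int) -> bytes:
    """Construct a minimal XP-style .pf blob (test fixture only; real files are far larger)."""
    name = exe_name.encode("utf-16-le")
    if len(name) > XP_NAME_SIZE - 2:
        raise ValueError("executable name too long for the 60-byte field")
    buf = bytearray(XP_MIN_SIZE)
    struct.pack_into("<I", buf, 0, PF_VERSION_XP)
    buf[4:8] = PF_SIGNATURE
    struct.pack_into("<I", buf, 12, XP_MIN_SIZE)          # file size field
    buf[XP_NAME_OFFSET:XP_NAME_OFFSET + len(name)] = name
    struct.pack_into("<I", buf, XP_HASH_OFFSET, path_hash)
    ticks = (last_run - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    struct.pack_into("<Q", buf, XP_LAST_RUN_OFFSET, ticks)
    struct.pack_into("<I", buf, XP_RUN_COUNT_OFFSET, run_count)
    return bytes(buf)


# Constructed sample: calc.exe run 7 times, most recently on 2008-03-14 09:26:53 UTC.
SAMPLE_PF = build_xp_prefetch("CALC.EXE", 0x0FE8F3A9,
                              datetime(2008, 3, 14, 9, 26, 53, tzinfo=timezone.utc), 7)

if __name__ == "__main__":
    info = parse_xp_prefetch(SAMPLE_PF)
    print(info["expected_pf_name"], info["last_run"].isoformat(), "runs:", info["run_count"])
```

On a mounted read-only image the same parser can be pointed at each file under Windows\Prefetch; a run count of 1 with a recent last-run time is the kind of entry that is worth matching against UserAssist and the event logs.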
Mining Prefetch – wfa.exe
Print Spooler Files
On Windows XP systems you would find these two files in the C:\Windows\System32\spool\Printers folder:
.SPL - the print job’s spooled data is contained in a spool file.
.SHD - the shadow file contains the job settings.
PA Spool Viewer - view .shd files
Splview.exe - available at http://undocprint.printassociates.com
This tool allows you to view the metadata of the print job!
EMF Spool Viewer - view .spl files
EMF Spool Viewer - available at http://www.codeproject.com/dotnet/EMFSpoolViewer/EMFSpoolViewer.zip
This tool allows you to view the actual spooled pages!
Mining the Recycle Bin
The INFO2 file contains one record for each deleted file in the Recycle Bin; each record contains:
the record number,
the drive designator,
the timestamp of when the file was moved to the Recycle Bin,
the file size,
the file’s original name and full path, in both ASCII and Unicode.
Files sent to the Recycle Bin are renamed according to a specific naming convention: D<original drive letter of file><#>.<original extension>
Demo
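The record layout on the slide maps directly onto a small parser. The Python below is an added example, not the deck's code: it walks an XP-era INFO2 file, decodes each 800-byte record (ANSI path, index, drive number, deletion FILETIME, size, Unicode path) and reconstructs the D<drive><#>.<ext> name the file carries inside the Recycler folder. The 20-byte header layout and the field offsets are my understanding of the version-5 format and are assumptions; `build_info2` fabricates a two-record sample file, one entry from C: and one from a removable E: drive, purely as a constructed fixture.

```python
import ntpath
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INFO2_VERSION_XP = 5
INFO2_HEADER_SIZE = 20      # version, two unknown dwords, record size, total size (assumed layout)
INFO2_RECORD_SIZE = 800     # XP/2000 records carry both an ANSI and a Unicode copy of the path


def _filetime(raw: bytes) -> datetime:
    ticks, = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_info2(data: bytes) -> list:
    """Return one dict per INFO2 record, including the reconstructed recycled file name."""
    version, rec_size = struct.unpack_from("<I8xI", data, 0)
    if version != INFO2_VERSION_XP or rec_size != INFO2_RECORD_SIZE:
        raise ValueError("unexpected INFO2 version %d / record size %d" % (version, rec_size))
    records = []
    for off in range(INFO2_HEADER_SIZE, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        ansi_path = rec[0:260].split(b"\x00", 1)[0].decode("cp1252", "replace")
        index, drive = struct.unpack_from("<II", rec, 260)
        deleted_at = _filetime(rec[268:276])
        size, = struct.unpack_from("<I", rec, 276)
        # Examiners usually rely on the Unicode copy; the ANSI copy is the one that gets clobbered.
        uni_path = rec[280:800].decode("utf-16-le", "replace").split("\x00", 1)[0]
        drive_letter = chr(ord("A") + drive)          # drive number 0 = A:, 2 = C:, 4 = E: ...
        records.append({
            "index": index,
            "drive": drive_letter + ":",
            "deleted_at": deleted_at,
            "size": size,
            "original_path": uni_path,
            "ansi_path": ansi_path,
            # The slide's convention: D<original drive letter><record number>.<original extension>
            "recycled_name": "D%s%d%s" % (drive_letter, index, ntpath.splitext(uni_path)[1]),
        })
    return records


def build_info2_record(index, drive, deleted_at, size, original_path) -> bytes:
    """Construct one 800-byte record (test fixture only)."""
    rec = bytearray(INFO2_RECORD_SIZE)
    ansi = original_path.encode("cp1252")
    rec[0:len(ansi)] = ansi
    struct.pack_into("<II", rec, 260, index, drive)
    ticks = (deleted_at - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    struct.pack_into("<Q", rec, 268, ticks)
    struct.pack_into("<I", rec, 276, size)
    uni = original_path.encode("utf-16-le")
    rec[280:280 + len(uni)] = uni
    return bytes(rec)


def build_info2(records) -> bytes:
    """Constructed INFO2 file: header followed by the given records."""
    total = INFO2_HEADER_SIZE + len(records) * INFO2_RECORD_SIZE
    header = struct.pack("<IIIII", INFO2_VERSION_XP, 0, 0, INFO2_RECORD_SIZE, total)
    return header + b"".join(build_info2_record(*r) for r in records)


SAMPLE_INFO2 = build_info2([
    (3, 2, datetime(2008, 2, 11, 14, 5, 9, tzinfo=timezone.utc), 48640,
     "C:\\Documents and Settings\\alice\\My Documents\\budget.xls"),
    (4, 4, datetime(2008, 2, 11, 14, 7, 30, tzinfo=timezone.utc), 1048576,
     "E:\\photos\\IMG_0042.jpg"),
])

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        print(r["deleted_at"].isoformat(), r["recycled_name"], "<-", r["original_path"], r["size"])
```

The second record is the interesting one from an investigative standpoint: a deletion recorded against a drive letter that is not a fixed disk points at removable media that may no longer be attached to the machine.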
Mining Thumbs.db
Thumbs.db contains cached thumbnails of the images in a folder, stored as OLE embedded data inside the Thumbs.db file.
In many cases the images may have been deleted from the directory but may still be available in the Thumbs.db cache!
Tools: EnCase, Windows File Analyzer, AccessData FTK
Demo
Event Logs
Windows event logs provide crucial insight into what has happened on the system.
Using event logs in conjunction with other forensic avenues such as registry data (UserAssist, MUICache, MRU lists etc.) can help reconstruct past events on the system.
Three types of event logs:
Application
System
Security
Mining event logs…
What the logs can tell you:
Unsuccessful logon attempts
Successful privilege escalation attempts
System time was changed
Logon time restriction violation
Logon/logoff times
Successful/unsuccessful object access
The default Windows security log setting is to log nothing at all!
Unfortunately, event logs only record the NetBIOS name and not the IP address!
Demo
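The two caveats on the slide (nothing is logged by default, and records name the host by NetBIOS name rather than IP) are easiest to appreciate at the byte level. The Python below is an added example, not the deck's code or any vendor's tool: it parses the fixed 56-byte header of an XP-era .evt record, reads the source and computer names that follow it, collects the insertion strings, and labels Security-log event IDs with the meanings behind the slide's bullets. The header field order and the event ID table are my recollection of the XP format and are assumptions; the two-record sample log is constructed, and a real Security log with auditing left at its default would simply contain no such records.

```python
import struct
from datetime import datetime, timezone

EVT_SIGNATURE = 0x654C664C          # packs little-endian as the bytes b"LfLe" that open every record
EVT_HEADER = "<IIIIIIHHHHIIIIII"    # the fixed 56-byte record header (assumed field order)
EVT_HEADER_SIZE = struct.calcsize(EVT_HEADER)
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information", 8: "Audit Success", 16: "Audit Failure"}
# XP-era Security log event IDs matching the slide's bullets (assumed mapping, see the lead-in).
SECURITY_EVENTS = {
    520: "System time was changed",
    528: "Successful logon",
    529: "Logon failure: unknown user name or bad password",
    530: "Logon failure: account logon time restriction violation",
    538: "User logoff",
    560: "Object open (object access audit)",
    576: "Special privileges assigned to new logon",
}


def _utf16z(buf: bytes, off: int):
    """Read a NUL-terminated UTF-16LE string; returns (text, offset just past the terminator)."""
    end = off
    while True:
        if end + 2 > len(buf):
            raise ValueError("unterminated UTF-16 string at offset %d" % off)
        if buf[end:end + 2] == b"\x00\x00":
            return buf[off:end].decode("utf-16-le"), end + 2
        end += 2


def parse_evt_record(buf: bytes, off: int = 0):
    """Parse one record starting at off; returns (record dict, offset of the next record)."""
    (length, sig, rec_no, t_gen, t_wri, event_id, ev_type, n_str, category, _flags,
     _closing, str_off, sid_len, _sid_off, _data_len, _data_off) = struct.unpack_from(EVT_HEADER, buf, off)
    if sig != EVT_SIGNATURE:
        raise ValueError("no LfLe signature at offset %d" % off)
    if struct.unpack_from("<I", buf, off + length - 4)[0] != length:
        raise ValueError("trailing length does not match header length (truncated record?)")
    source, pos = _utf16z(buf, off + EVT_HEADER_SIZE)
    computer, _ = _utf16z(buf, pos)          # NetBIOS name of the logging host; there is no IP field
    strings, pos = [], off + str_off
    for _ in range(n_str):
        s, pos = _utf16z(buf, pos)
        strings.append(s)
    eid = event_id & 0xFFFF                  # the low word is the ID that Event Viewer displays
    return {
        "record_number": rec_no,
        "generated": datetime.fromtimestamp(t_gen, tz=timezone.utc),
        "written": datetime.fromtimestamp(t_wri, tz=timezone.utc),
        "source": source,
        "computer": computer,
        "event_id": eid,
        "type": EVENT_TYPES.get(ev_type, "type %d" % ev_type),
        "category": category,
        "description": SECURITY_EVENTS.get(eid, "(not in table)") if source == "Security" else "",
        "has_sid": sid_len > 0,
        "strings": strings,
    }, off + length


def parse_evt_records(buf: bytes) -> list:
    """Walk a chain of records, as in the body of a .evt file, using each record's Length."""
    records, off = [], 0
    while off + EVT_HEADER_SIZE <= len(buf):
        rec, off = parse_evt_record(buf, off)
        records.append(rec)
    return records


def build_evt_record(rec_no, event_id, ev_type, source, computer, strings, t_gen) -> bytes:
    """Construct a record with no SID and no binary data (test fixture, not a real log)."""
    names = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in (source, computer))
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    str_off = EVT_HEADER_SIZE + len(names)
    data_off = str_off + len(body)
    length = data_off + 4                    # the record ends with a second copy of Length
    header = struct.pack(EVT_HEADER, length, EVT_SIGNATURE, rec_no, t_gen, t_gen, event_id,
                         ev_type, len(strings), 0, 0, 0, str_off, 0, str_off, 0, data_off)
    return header + names + body + struct.pack("<I", length)


# Constructed sample: a failed logon followed a minute later by a successful one, both on WKS-ALICE.
SAMPLE_EVT = (
    build_evt_record(1, 529, 16, "Security", "WKS-ALICE", ["alice", "WKS-ALICE", "2", "WKS-ALICE"], 1199145600)
    + build_evt_record(2, 528, 8, "Security", "WKS-ALICE", ["alice", "WKS-ALICE", "(0x0,0x3E7)", "2"], 1199145660)
)

if __name__ == "__main__":
    for r in parse_evt_records(SAMPLE_EVT):
        print(r["generated"].isoformat(), r["computer"], r["event_id"], r["type"], r["description"])
```

Note that the only host identifier the record header carries is `computer`; anything resembling an address has to come from the insertion strings of specific events, which is why the slide warns that correlating logons to IP addresses needs another source.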
Tracing Internet Activity
Internet browsers leave detailed history on the hard drive which can show all sites visited and all graphics viewed.
An individual's web browsing activity often provides investigative leads during most investigations.
We can reconstruct an individual’s web browsing activity using sophisticated tools such as EnCase, NetAnalysis and WebHistorian.
The two predominant web browsers encountered during computer-related investigations are:
Microsoft's Internet Explorer (IE)
the Firefox/Mozilla/Netscape family
Mining Internet Explorer
IE maintains rich logging of a user’s browsing activities, which allows a web profile of the suspect to be built.
IE has three separate logging facilities that can be used to reconstruct the suspect’s web browsing activities:
History of visited URLs
Cookies
Temporary Internet Files
In many cases, web profiling has led to the successful conviction of pedophiles!
Mining Mozilla Firefox
Mozilla Firefox stores Internet activity in the following folder: C:\Documents and Settings\<user name>\Application Data\Mozilla\Firefox\Profiles\<random text>\Cache
There are three types of files in this directory:
A cache map file
Three cache block files
Separate cache data files
Demo
Mining shortcut files
Link files refer or link to target files, which can be applications, directories, documents, or data files. The data inside a link file describes the various attributes of the target file.
A link file contains:
the complete path to the target file
the volume label and volume serial number of the volume on which the target file or folder exists - useful for connecting a file to a unique volume!
the file’s size in bytes
the MAC time stamps of the target file!!!
Mining shortcut files…
Media type (fixed/removable)
Working directory
MAC address
Remote share name
May be found in unallocated clusters and swap space
May indicate that data was copied to removable media!
Tools: EnCase link parser EnScript, Windows File Analyzer
Demo
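The fields the two shortcut slides list sit in two places inside a .lnk file: the 76-byte ShellLinkHeader (target MAC timestamps, size, attributes) and the LinkInfo structure (drive type, volume serial, volume label, local path). The Python below is an added example and not the deck's or any tool's code: it parses both, and `build_lnk` fabricates a shortcut pointing at a file on a removable drive so the "data copied to removable media" reading can be checked. The structure offsets are my understanding of the Shell Link format and are assumptions; the working directory, remote share name and MAC address (which live in other optional blocks) are not parsed here.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
LNK_HEADER = "<I16sII8s8s8sIIIHHII"                               # 76-byte ShellLinkHeader (assumed layout)
FLAG_HAS_IDLIST, FLAG_HAS_LINKINFO = 0x01, 0x02
LINKINFO_VOLUME_AND_LOCAL_PATH = 0x01
DRIVE_TYPES = {2: "removable", 3: "fixed", 4: "remote", 5: "cdrom", 6: "ramdisk"}


def _ft_to_dt(raw: bytes) -> datetime:
    ticks, = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def _dt_to_ft(dt: datetime) -> bytes:
    return struct.pack("<Q", (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10)


def _cstr(buf: bytes, off: int) -> str:
    """NUL-terminated ANSI string (volume label and local base path are stored this way)."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data: bytes) -> dict:
    (hdr_size, clsid, flags, attrs, created, accessed, written, size,
     _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(LNK_HEADER, data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    info = {
        "target_created": _ft_to_dt(created),   # MAC timestamps of the TARGET, as the slide says
        "target_accessed": _ft_to_dt(accessed),
        "target_written": _ft_to_dt(written),
        "target_size": size,
        "file_attributes": attrs,
    }
    pos = hdr_size
    if flags & FLAG_HAS_IDLIST:                  # skip the shell item ID list when present
        idlist_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & FLAG_HAS_LINKINFO:
        base = pos
        (_li_size, _li_hdr, li_flags, vol_off, path_off, _net_off, _suffix_off) = struct.unpack_from("<7I", data, base)
        if li_flags & LINKINFO_VOLUME_AND_LOCAL_PATH:
            vol = base + vol_off
            (_vsize, drive_type, serial, label_off) = struct.unpack_from("<4I", data, vol)
            info.update({
                "drive_type": DRIVE_TYPES.get(drive_type, "unknown(%d)" % drive_type),
                "volume_serial": "%04X-%04X" % (serial >> 16, serial & 0xFFFF),
                "volume_label": _cstr(data, vol + label_off),
                "local_path": _cstr(data, base + path_off),
            })
    return info


def build_lnk(target_path, label, serial, drive_type, created, accessed, written, size) -> bytes:
    """Construct a shortcut with a header, a LinkInfo/VolumeID block and nothing else (fixture only)."""
    header = struct.pack(LNK_HEADER, 0x4C, LNK_CLSID, FLAG_HAS_LINKINFO, 0x20,
                         _dt_to_ft(created), _dt_to_ft(accessed), _dt_to_ft(written),
                         size, 0, 1, 0, 0, 0, 0)
    label_b = label.encode("cp1252") + b"\x00"
    path_b = target_path.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label_b), drive_type, serial, 16) + label_b
    vol_off = 28
    path_off = vol_off + len(volume_id)
    suffix_off = path_off + len(path_b)
    link_info = struct.pack("<7I", suffix_off + 1, 28, LINKINFO_VOLUME_AND_LOCAL_PATH,
                            vol_off, path_off, 0, suffix_off) + volume_id + path_b + b"\x00"
    return header + link_info + b"\x00\x00\x00\x00"     # no StringData; ExtraData terminal block


# Constructed sample: a shortcut to a photo on a USB stick labelled KINGSTON.
SAMPLE_LNK = build_lnk("E:\\photos\\IMG_0042.jpg", "KINGSTON", 0x1A2B3C4D, 2,
                       datetime(2008, 2, 11, 13, 57, 41, tzinfo=timezone.utc),
                       datetime(2008, 2, 11, 14, 2, 10, tzinfo=timezone.utc),
                       datetime(2008, 2, 11, 13, 58, 0, tzinfo=timezone.utc), 1048576)

if __name__ == "__main__":
    for k, v in parse_lnk(SAMPLE_LNK).items():
        print("%-16s %s" % (k, v))
```

The volume serial is the value to carry forward: matched against USBSTOR entries in the registry it ties a shortcut found in unallocated space to a specific device even when the device itself is gone.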
The restore point feature
Rp.log, the restore point log file, is located within the restore point (RPxx) directory. This log contains:
a value indicating the type of the restore point,
a descriptive name for the restore point creation event (e.g. application or device driver installation, application uninstall etc.),
the 64-bit FILETIME object indicating when the restore point was created.
The restore point feature
Change.log.x files record changes to key application files.
When a change is detected, the original filename is entered into the change.log file along with a sequence number and other necessary information, such as the type of change that occurred (file deletion, change of file attributes, or change of content).
Sometimes the entire file may be preserved (Axxxxxx.ext format)!
Each change.log.x file consists of a number of change log records.
Ref: Windows Forensic Analysis by Harlan Carvey
Mining restore points
What restore points can tell:
Installation or removal of an application
Changes to the system time
Remnants of deleted/uninstalled applications
Remnants of deleted files
Evidence of files being accessed in the past
Demo
Queries are welcome!
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows