Lecture-1-Windows-Artefacts.pdf
- 2. © Pearson Education Computer Forensics: Principles and Practices 2 Objectives Conduct efficient and effective investigations of Windows systems Find user data and profiles in Windows folders Locate system artifacts in Windows systems
- 3. © Pearson Education Computer Forensics: Principles and Practices 3 Introduction In many cases you may have gigabytes or even terabytes of data that must be searched for evidence. Maximize efficiency of the search by showing default locations of file storage.
- 4. © Pearson Education Computer Forensics: Principles and Practices 4 Investigating Windows Systems Activities of the user result in user data User profiles Program files Temporary files (temp files) Special application-level files
- 5. © Pearson Education Computer Forensics: Principles and Practices 5 Investigating Windows Systems (Cont.) System data and artifacts are generated by the operating system Metadata Windows system registry Event logs or log files Swap files Printer spool Recycle Bin
- 6. © Pearson Education Computer Forensics: Principles and Practices 6 Investigating Windows Systems (Cont.) Identify the operating systems of a target hard drive by: Operating system folder names The folder for the Recycle Bin The construction of the user root folders because of the differences in the way user data is kept
- 7. © Pearson Education Computer Forensics: Principles and Practices 7 Finding User Data and Profiles in Windows Folders Documents and Settings / Users folders Contains a user root folder for each user account created on the computer Windows NT and above automatically install Administrator All users Default user (hidden)
- 8. © Pearson Education Computer Forensics: Principles and Practices 8 Finding User Data and Profiles in Windows Folders (Cont.) Data stored in the user root folder: Desktop settings, such as wallpaper, screensavers, color schemes, and themes Internet customizations, such as the homepage, favorites, and history Application parameters and data, such as e-mail and upgrades Personal files and folders, such as My Documents, My Pictures, and so on
- 9. © Pearson Education Computer Forensics: Principles and Practices 9 Finding User Data and Profiles in Windows Folders (Cont.) Some of the subfolders in the user root folder include: Application data (hidden) Cookies Desktop Favorites Local Settings (hidden) My Documents NetHood (hidden)
- 10. © Pearson Education Computer Forensics: Principles and Practices 10 Finding User Data and Profiles in Windows Folders (Cont.)
- 11. © Pearson Education Computer Forensics: Principles and Practices 11 Location of User Root Folders Operating System (Platform) User Root Folder Location Windows 9x <partition>:WINDOWSProfilesuserid USER.DAT file Windows NT <partition>:WINNTProfilesuserid NTUSER.DAT file Windows 2000 and Windows XP <partition>:Documents and Settingsuserid NTUSER.DAT file Windows 7/8/10 <partition>:Usersuserid NTUser.DAT
- 12. © Pearson Education Computer Forensics: Principles and Practices 12 Location of User Root Folders
- 13. © Pearson Education Computer Forensics: Principles and Practices 13 In Practice: Temp Internet Files Provide Valuable E-Evidence
- 14. © Pearson Education Computer Forensics: Principles and Practices 14 Investigating System Artifacts Types of metadata Descriptive: describes a resource for purposes such as discovery and identification Structural: indicates how compound objects are put together Administrative: provides information to help manage a resource, such as when it was created, last accessed, and modified
- 15. © Pearson Education Computer Forensics: Principles and Practices 15 Investigating System Artifacts (Cont.) Registry Can reveal current and past applications, as well as programs that start automatically at bootup Viewing the registry requires a registry editor Event logs track system events Application log tracks application events Security log shows logon attempts System log tracks events such as driver failures
- 16. © Pearson Education Computer Forensics: Principles and Practices 16 Investigating System Artifacts (Cont.) Swap file/page file Used by the system as virtual memory Can provide the investigator with a snapshot of volatile memory Print spool May contain enhanced metafiles of print jobs Recycle Bin/Recycler Stores files the user has deleted
- 17. © Pearson Education Computer Forensics: Principles and Practices 17 Investigating System Artifacts (Cont.) - Thumbs.DB
- 18. © Pearson Education Computer Forensics: Principles and Practices 18 Investigating System Artifacts (Cont.) - Print spool Select 41 bytes
- 19. © Pearson Education Computer Forensics: Principles and Practices 19 Investigating System Artifacts (Cont.) - Print spool
- 20. © Pearson Education Computer Forensics: Principles and Practices 20 Investigating System Artifacts (Cont.) - Recycle Bin/Recycler
- 21. © Pearson Education Computer Forensics: Principles and Practices 21 Investigating System Artifacts (Cont.) – link files & recent used files
- 22. © Pearson Education Computer Forensics: Principles and Practices 22 Investigating System Artifacts (Cont.) – Store points
- 23. © Pearson Education Computer Forensics: Principles and Practices 23 Investigating System Artifacts (Cont.) – Logs Windows NT, 2000, XP maintain log files System Log Application Log Security Log
- 24. © Pearson Education Computer Forensics: Principles and Practices 24 Investigating System Artifacts (Cont.) – Logs Live System: Use Event Viewer
- 25. © Pearson Education Computer Forensics: Principles and Practices 25 Investigating System Artifacts (Cont.) – Logs Event Viewer Event Viewer
- 26. © Pearson Education Computer Forensics: Principles and Practices 26 Investigating System Artifacts (Cont.) – Logs from forensics duplicate (Windows/System32/Config/) SecEvent.evt AppEvent.evt SysEvent.evt
- 27. © Pearson Education Computer Forensics: Principles and Practices 27 Investigating System Artifacts (Cont.) – $ Logfile $Logfile entry in the MFT contains the log of all file system transactions Deletion of a file leaves several entries in $Logfile Not unusual to find files that are no longer on the disk Shows that file was used by the system
- 28. © Pearson Education Computer Forensics: Principles and Practices 28 Investigating System Artifacts (Cont.) – Temporary Files Temporary files Files with extension tmp Created by many applications Emails with large attachments: Attachments are probably stored as temp files. (Depends on email system.) Look for file extensions .tmp
- 29. © Pearson Education Computer Forensics: Principles and Practices 29 Investigating System Artifacts (Cont.) – Internet Explorer Internet Explorer (as well as other browsers) use a cache. index.dat contains internet explorer cached websites.
- 30. © Pearson Education Computer Forensics: Principles and Practices 30 Investigating System Artifacts (Cont.) – Temporary Files
- 31. © Pearson Education Computer Forensics: Principles and Practices 31 Investigating System Artifacts (Cont.) - Recycle Bin/Recycler
- 32. © Pearson Education Computer Forensics: Principles and Practices 32 Investigating System Artifacts (Cont.) – Swap Files Windows 2000 & WinXP & Above Pagefile.sys Windows 98 Win386.swp
- 33. © Pearson Education Computer Forensics: Principles and Practices 33 Summary Search times can be reduced through the use of default folders and operating system artifacts The skill level of the user will determine whether this is an effective use of time in the case
- 34. © Pearson Education Computer Forensics: Principles and Practices 34 34 Questions? Majdi.Owda@aaup.edu