Win Forensics(File)

 

Win Forensics
Win forensics in non-volatile information: http://systw.net/note/af/sblog/more.php?id=318
Win forensics in volatile information: http://systw.net/note/af/sblog/more.php?id=316
Win forensics in file: http://systw.net/note/af/sblog/more.php?id=317
Registry: http://systw.net/note/af/sblog/more.php?id=178
Windows Executable File: http://systw.net/note/af/sblog/more.php?id=306


Common Windows file analysis sources
deleted files (recovered by undelete)
Recycle Bin
IE temporary files
Windows temp files %system%/temp/
Documents and Settings, e.g. Recent, Cookies

refer
http://wenku.baidu.com/view/da7fbcd0360cba1aa811da11.html?re=view

...................................................................................................................

 

 

Analysis of Windows Prefetch

Prefetch: records which programs were executed and when, so Windows can load them faster next time
Store dir: \Windows\Prefetch

Common analysis tools as below
Prefetch-Parser
LastActivityView
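As an added example (not code from the page or from the tools listed above), the following Python reads the fields an analyst looks at first in a Prefetch file: the embedded executable name, the path hash that forms the on-disk file name, the last-run time(s) and the run counter. The per-version offsets are those of the uncompressed XP/Vista/7/8 formats; the sample header is constructed in the script, and its hash and timestamps are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Offsets of the last-run FILETIME(s) and the run counter inside the file
# information block, by header version (17 = XP/2003, 23 = Vista/7, 26 = 8.x).
# Windows 10 (version 30) files are MAM-compressed and must be decompressed first.
PF_LAYOUT = {
    17: {"last_run": 0x78, "slots": 1, "run_count": 0x90},
    23: {"last_run": 0x80, "slots": 1, "run_count": 0x98},
    26: {"last_run": 0x80, "slots": 8, "run_count": 0xD0},
}


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601) to a UTC datetime; 0 means 'unset'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_prefetch(data):
    """Return the forensically interesting header fields of an uncompressed .pf file."""
    if len(data) < 0x54 or data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not an uncompressed Prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    layout = PF_LAYOUT.get(version)
    if layout is None:
        raise ValueError(f"unsupported Prefetch version {version}")
    if len(data) < layout["run_count"] + 4:
        raise ValueError("truncated Prefetch file")
    # Executable name: 60-byte UTF-16LE field at offset 0x10, NUL terminated
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    run_times = []
    for i in range(layout["slots"]):
        ft = struct.unpack_from("<Q", data, layout["last_run"] + 8 * i)[0]
        dt = filetime_to_datetime(ft)
        if dt is not None:
            run_times.append(dt)
    run_count = struct.unpack_from("<I", data, layout["run_count"])[0]
    return {
        "version": version,
        "exe_name": exe_name,
        "path_hash": f"{path_hash:08X}",
        # The on-disk name should be EXENAME-HASH.pf; a mismatch suggests renaming or tampering.
        "expected_filename": f"{exe_name}-{path_hash:08X}.pf",
        "run_times": run_times,
        "run_count": run_count,
    }


def build_sample_prefetch():
    """Constructed version-23 (Windows 7) header, not a real Prefetch file; hash and times are made up."""
    buf = bytearray(0xA0)
    struct.pack_into("<I4s", buf, 0, 23, b"SCCA")
    struct.pack_into("<I", buf, 0xC, len(buf))
    buf[0x10:0x10 + 16] = "CMD.EXE\x00".encode("utf-16-le")
    struct.pack_into("<I", buf, 0x4C, 0x4A81B364)
    last_run = datetime(2015, 10, 23, 14, 3, 41, tzinfo=timezone.utc)
    struct.pack_into("<Q", buf, 0x80, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x98, 7)
    return bytes(buf)


if __name__ == "__main__":
    for key, value in parse_prefetch(build_sample_prefetch()).items():
        print(f"{key:18} {value}")
```

When run against real files, compare the returned `expected_filename` with the actual file name in \Windows\Prefetch: the name is derived from the executable path, so a renamed or copied binary produces a different hash from the one recorded for the original location.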

 

....................................................................................................

Analysis of shortcut files

Extension of shortcut file is .lnk
It provides information about files or network shares that the user has accessed
Common analysis tools like FTK, WFA, ...etc
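Added example (not from the page or from FTK/WFA): a minimal Shell Link parser in Python that pulls the fields the text refers to, i.e. the target path and the target's timestamps, plus the volume serial and label from the LinkInfo block. It handles only header, optional IDList skip and a local-path LinkInfo; the sample .lnk is constructed inside the script and its path, serial and dates are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# CLSID 00021401-0000-0000-C000-000000000046 as stored on disk (mixed-endian GUID)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x1
HAS_LINK_INFO = 0x2
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1


def filetime_to_datetime(ft):
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def _cstring(data, offset):
    """Read a NUL-terminated 8-bit string (system code page; decoded as latin-1 here)."""
    return data[offset:data.index(b"\x00", offset)].decode("latin-1")


def parse_lnk(data):
    """Return target path, volume details and the target's timestamps from a Shell Link file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 0x14)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # skip the IDList
    target = volume = None
    if flags & HAS_LINK_INFO:
        li = pos   # LinkInfo offsets are relative to its own start
        _size, _hdr, li_flags, vol_off, base_off, _net_off, suffix_off = struct.unpack_from("<7I", data, li)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            drive_type, serial, label_off = struct.unpack_from("<III", data, li + vol_off + 4)
            volume = {"drive_type": drive_type, "serial": f"{serial:08X}",
                      "label": _cstring(data, li + vol_off + label_off)}
            target = _cstring(data, li + base_off) + _cstring(data, li + suffix_off)
    return {
        "target": target,
        "volume": volume,
        "target_size": size,
        "target_attributes": attrs,
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
    }


def build_sample_lnk():
    """Constructed .lnk (header + LinkInfo only) pointing at a local document; test data, not a real artefact."""
    created = datetime_to_filetime(datetime(2015, 10, 23, 14, 3, 41, tzinfo=timezone.utc))
    touched = datetime_to_filetime(datetime(2015, 11, 1, 8, 50, 27, tzinfo=timezone.utc))
    header = struct.pack("<I16sIIQQQIIIH2sII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         created, touched, touched, 12345, 0, 1, 0, b"\x00\x00", 0, 0)
    label = b"OS\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 3, 0x12345678, 16) + label
    base_path = b"C:\\Users\\alice\\Documents\\report.docx\x00"
    suffix = b"\x00"
    hdr_size = 28
    vol_off = hdr_size
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    link_info = struct.pack("<7I", suffix_off + len(suffix), hdr_size, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base_path + suffix
    return header + link_info


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key:18} {value}")
```

The volume serial is worth recording alongside the path: it lets you tie a shortcut in a user's Recent folder to a specific removable drive even after the drive is gone.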

 

........................................................................................................

Analysis of Metadata for Office and PDF

Common analysis tools as below
FOCA: for Word documents
Office-metadata-parser:
Word Extractor: extracts the text contained in a Word file
refer
https://www.elevenpaths.com/labstools/foca/index.html
http://redwolfcomputerforensics.com/

ps:
most files don't have metadata; metadata is usually in the root directory of NTFS/FAT

ps
GUID (globally unique identifier)
a unique identity for an entity such as a Word document
refer
https://en.wikipedia.org/wiki/Globally_unique_identifier

 

..........................................................................................................

Analysis of Image

Smartphone photos usually carry latitude/longitude information in the photo's metadata, which exiftool can display
Common analysis tools like ExifTool, ...etc
refer
http://www.sno.phy.queensu.ca/~phil/exiftool/
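Added example (not code from the page or from ExifTool) showing where the coordinates actually live: a JPEG's APP1 segment carries a TIFF structure whose IFD0 points at a GPS IFD, and the GPS IFD stores latitude and longitude as degrees/minutes/seconds rationals with N/S and E/W reference tags. The script walks that structure and converts to decimal degrees; the JPEG fragment it parses is constructed in the script and the coordinates are made up.

```python
import struct

GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
ASCII, LONG, RATIONAL = 2, 4, 5   # TIFF field types


def find_exif_tiff(jpeg):
    """Walk the JPEG marker segments and return the TIFF block inside the APP1/Exif segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing FF D8 SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"corrupt marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xD9 or 0xD0 <= marker <= 0xD8:   # stand-alone markers carry no length
            pos += 2
            continue
        seg_len = struct.unpack_from(">H", jpeg, pos + 2)[0]
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        if marker == 0xDA:          # start of scan: only compressed image data follows
            break
        pos += 2 + seg_len
    return None


def read_ifd(tiff, e, offset):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for the IFD at `offset`."""
    count = struct.unpack_from(e + "H", tiff, offset)[0]
    entries = {}
    for i in range(count):
        tag, typ, cnt, raw = struct.unpack_from(e + "HHI4s", tiff, offset + 2 + 12 * i)
        entries[tag] = (typ, cnt, raw)
    return entries


def read_value(tiff, e, typ, cnt, raw):
    """Decode an IFD entry; values wider than 4 bytes live at the offset stored in `raw`."""
    off = struct.unpack(e + "I", raw)[0]
    if typ == ASCII:
        data = raw if cnt <= 4 else tiff[off:off + cnt]
        return data[:cnt].rstrip(b"\x00").decode("ascii", "replace")
    if typ == LONG:
        return off
    if typ == RATIONAL:
        return [struct.unpack_from(e + "II", tiff, off + 8 * i) for i in range(cnt)]
    raise ValueError(f"unhandled TIFF type {typ}")


def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees from the Exif GPS IFD, or None if absent."""
    tiff = find_exif_tiff(jpeg)
    if tiff is None:
        return None
    e = "<" if tiff[:2] == b"II" else ">"   # byte order of the TIFF block
    magic, ifd0_off = struct.unpack_from(e + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF header inside Exif")
    ifd0 = read_ifd(tiff, e, ifd0_off)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = read_ifd(tiff, e, read_value(tiff, e, *ifd0[GPS_IFD_POINTER]))
    if not all(tag in gps for tag in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None

    def decimal(tag, ref_tag, negative_ref):
        deg, minutes, sec = (n / d for n, d in read_value(tiff, e, *gps[tag]))
        value = deg + minutes / 60 + sec / 3600
        return -value if read_value(tiff, e, *gps[ref_tag]) == negative_ref else value

    return (round(decimal(GPS_LAT, GPS_LAT_REF, "S"), 6),
            round(decimal(GPS_LON, GPS_LON_REF, "W"), 6))


def build_sample_jpeg():
    """Constructed JPEG fragment: SOI + APP1/Exif holding only a GPS IFD (no image data). Coordinates are made up."""
    e = "<"
    lat = [(25, 1), (2, 1), (3300, 100)]      # 25 deg 2' 33.00" N
    lon = [(121, 1), (33, 1), (5400, 100)]    # 121 deg 33' 54.00" E
    # TIFF layout: header @0 (8 bytes), IFD0 @8 (18), GPS IFD @26 (54), lat rationals @80 (24), lon @104 (24)
    ifd0 = struct.pack(e + "H", 1) + struct.pack(e + "HHII", GPS_IFD_POINTER, LONG, 1, 26) + struct.pack(e + "I", 0)
    gps = (struct.pack(e + "H", 4)
           + struct.pack(e + "HHI4s", GPS_LAT_REF, ASCII, 2, b"N\x00\x00\x00")
           + struct.pack(e + "HHII", GPS_LAT, RATIONAL, 3, 80)
           + struct.pack(e + "HHI4s", GPS_LON_REF, ASCII, 2, b"E\x00\x00\x00")
           + struct.pack(e + "HHII", GPS_LON, RATIONAL, 3, 104)
           + struct.pack(e + "I", 0))
    rationals = b"".join(struct.pack(e + "II", n, d) for n, d in lat + lon)
    tiff = b"II" + struct.pack(e + "HI", 42, 8) + ifd0 + gps + rationals
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1


if __name__ == "__main__":
    print(extract_gps(build_sample_jpeg()))
```

Because the coordinates sit in a plain APP1 segment, they survive copying and renaming but are usually dropped by resizing or by social-media uploads, so the absence of a GPS IFD does not prove the original had none.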

 

.........................................................................................................

Analysis of File Signature

Determine whether the file's actual content is consistent with its extension.
The common method is to examine the file header (file signature):
collect information from the first 20 bytes of a file to determine its type.
The extension is what Windows uses to identify which application opens a file.

File signature
A byte sequence that identifies a specific file type
Common file signatures as below
EXE: 4D 5A
JPG: FF D8 FF E0
doc (Microsoft Office document): D0 CF 11 E0 A1 B1 1A E1
refer
www.garykessler.net/library/file_sigs.html
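Added example (not code from the page or from TrID): the extension-versus-signature check in Python. The table carries the three signatures listed above plus a few other widely documented ones (PDF, ZIP-based Office formats, PNG, GIF, RTF, ELF); the lookup only considers the first 20 bytes, matching the rule of thumb above. Note that OOXML documents are ZIP files, so one signature can legitimately belong to several extensions. The sample headers are constructed, not real files.

```python
# Magic-byte table: leading bytes -> extensions that legitimately start with them.
SIGNATURES = [
    (b"MZ", {"exe", "dll", "sys", "scr"}),
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),                            # FF D8 FF E0/E1: JFIF/Exif
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {"doc", "xls", "ppt", "msg"}),  # OLE compound document
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"GIF8", {"gif"}),
    (b"{\\rtf", {"rtf"}),
    (b"\x7fELF", {"elf", "so"}),
]
HEADER_BYTES = 20   # the page's rule of thumb: the first 20 bytes decide the type


def identify(data):
    """Return the set of extensions consistent with the file's leading bytes (empty if unknown)."""
    head = data[:HEADER_BYTES]
    matches = set()
    for sig, exts in SIGNATURES:
        if head.startswith(sig):
            matches |= exts
    return matches


def check_extension(filename, data):
    """Classify a file as 'match', 'mismatch' or 'unknown' by comparing extension with signature."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    found = identify(data)
    if not found:
        return "unknown"
    return "match" if ext in found else "mismatch"


def triage(files):
    """Return {filename: status} for a mapping of filename -> leading bytes."""
    return {name: check_extension(name, data) for name, data in files.items()}


def build_samples():
    """Constructed headers (not real files): just enough leading bytes to exercise each rule."""
    return {
        "setup.exe": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 16,
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 28,          # executable renamed to .pdf
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
        "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
        "archive.docx": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 24,
        "notes.txt": b"just some text\n",
    }


if __name__ == "__main__":
    samples = build_samples()
    for name, status in triage(samples).items():
        print(f"{status:9} {name}  signature={sorted(identify(samples[name])) or '-'}")
```

Plain-text formats (TXT, CSV, scripts) have no signature, so "unknown" is a normal result for them and is not by itself suspicious; "mismatch" on an executable header is the case worth pulling for a closer look.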

Common analysis tools as below
ExifTool
TrID: File Identifier
HxD
ProDiscover
010editor
refer
http://mark0.net/soft-trid-e.html

010editor
A GUI tool that can read the hex of a file
supports Windows and Linux
supports various file formats via templates downloaded from online
http://www.sweetscape.com/010editor/templates/

HxD
Windows GUI tool
A tool that reads the hex of a file to observe its file signature

ps:
Windows print processors usually support 5 data types.
The most commonly used are EMF and RAW.
ps
EMF (Enhanced Metafile)
The default data type for most Windows programs. With EMF, the print document is converted into a metafile format that is more portable than RAW and can usually be printed on any printer. EMF files are usually smaller than RAW files containing the same print job.
RAW
The default data type for clients other than Windows programs. The RAW data type tells the spooler not to change the print job at all before printing.
refer
https://msdn.microsoft.com/zh-tw/library/cc776042(v=ws.10).aspx

 

............................................................................................

Analysis of Browser

IE
cache: C:\Users\<user>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
history: C:\Users\<user>\AppData\Local\Microsoft\Windows\History
cookie: C:\Users\<user>\AppData\Local\Microsoft\Windows\Cookies

Firefox
cache: C:\Users\<user>\AppData\Local\Mozilla\Firefox\Profiles\umuq8upn.default\cache
history: C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\umuq8upn.default\places.sqlite
cookie: C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\umuq8upn.default\cookies.sqlite

Chrome
history, cookie, cache, bookmarks: C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default


Common tools:
BrowsingHistoryView.exe
IECookiesView, IECacheView, IEHistoryView
MozillaCookiesView, ..etc
ChromeCookiesView, ...etc
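Added example (not from the page or from the NirSoft tools above): Firefox's places.sqlite and Chrome's History are ordinary SQLite databases, so a visit timeline can be built with the standard library. The two browsers store time differently, which is the usual source of wrong timelines: Firefox uses PRTime (microseconds since 1970), Chrome uses WebKit time (microseconds since 1601). The script builds an in-memory stand-in for places.sqlite with only the columns it queries; the URLs and times are made up.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Firefox moz_historyvisits.visit_type values (places.sqlite)
FIREFOX_VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed",
                       5: "redirect_permanent", 6: "redirect_temporary", 7: "download"}


def firefox_time(prtime):
    """PRTime: microseconds since the Unix epoch."""
    return UNIX_EPOCH + timedelta(microseconds=prtime)


def chrome_time(webkit_us):
    """Chrome/WebKit time: microseconds since 1601-01-01 (same origin as FILETIME, different unit)."""
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)


def firefox_history(con):
    """Return [(utc datetime, url, title, visit kind)] ordered by time from a places.sqlite connection."""
    rows = con.execute("""
        SELECT v.visit_date, p.url, p.title, v.visit_type
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date""").fetchall()
    return [(firefox_time(ts), url, title, FIREFOX_VISIT_TYPES.get(kind, f"type{kind}"))
            for ts, url, title, kind in rows]


def build_sample_places():
    """Constructed in-memory stand-in for places.sqlite (only the columns used here); data is made up."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
    """)

    def prtime(*ymdhms):
        return (datetime(*ymdhms, tzinfo=timezone.utc) - UNIX_EPOCH) // timedelta(microseconds=1)

    visits = [
        (1, "https://example.com/login", "Sign in", prtime(2015, 10, 23, 14, 3, 41), 2),
        (2, "https://example.com/files/payroll.xlsx", "payroll.xlsx", prtime(2015, 10, 23, 14, 5, 2), 7),
        (3, "https://example.net/", "Example", prtime(2015, 11, 1, 8, 50, 27), 1),
    ]
    for place_id, url, title, ts, kind in visits:
        con.execute("INSERT INTO moz_places VALUES (?,?,?,?,?)", (place_id, url, title, 1, ts))
        con.execute("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", (place_id, 0, place_id, ts, kind))
    con.commit()
    return con


if __name__ == "__main__":
    for when, url, title, kind in firefox_history(build_sample_places()):
        print(f"{when:%Y-%m-%d %H:%M:%S} {kind:10} {url}")
```

On a live system copy the database together with its -wal file before opening it, since the running browser holds a lock and the most recent visits may still be in the write-ahead log; for Chrome the equivalent query reads the urls and visits tables of the History file and passes the timestamps through chrome_time instead.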

 

Posted 2015-10-23 14:03:41, modified 2015-11-01 08:50:27
