Win Forensics(NonVolatile)

Win Forensics
Win forensics in non-volatile information
http://systw.net/note/af/sblog/more.php?id=318
Win forensics in volatile information
http://systw.net/note/af/sblog/more.php?id=316
Win forensics in file
http://systw.net/note/af/sblog/more.php?id=317
Registry
http://systw.net/note/af/sblog/more.php?id=178
Windows Executable File
http://systw.net/note/af/sblog/more.php?id=306


Common non-volatile information sources
slack space
swap file
unallocated clusters
unused partitions
hidden partitions

..........................................................................................................................................

File in system32 Analysis

 

1. Examine the following
latest time and date of the installation
service packs, patches, subdirectory updates

2. Give priority to recently dated files
> cd %systemroot%\system32
> dir /o:d
Note:
dir /od /tc /a can be used to sort by creation date
dir /tc shows the file creation times
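The triage step above, done as data instead of reading `dir` output by eye: walk a directory, order every file by its timestamp, and pull out the ones dated after the last known patch or service-pack date. This is an added example, not code from the original note; the sample tree, its file names and the back-dated timestamps are constructed in a temporary directory so it runs anywhere, and on platforms without `st_birthtime` the "creation" key falls back to the modification time.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone


def creation_time(st):
    """Best-effort creation timestamp: st_birthtime where the platform exposes
    it (Windows, macOS); elsewhere fall back to the modification time."""
    return getattr(st, "st_birthtime", st.st_mtime)


def list_files_by_date(root, key="mtime"):
    """Every file under root as (path, creation_ts, modification_ts), newest
    first by the chosen key, like `dir /o:d` or `dir /tc /od` but as data."""
    idx = 2 if key == "mtime" else 1
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rows.append((path, creation_time(st), st.st_mtime))
    rows.sort(key=lambda r: r[idx], reverse=True)
    return rows


def names_by_date(root, key="mtime"):
    """Just the base names, newest first; convenient for a quick triage list."""
    return [os.path.basename(r[0]) for r in list_files_by_date(root, key)]


def files_newer_than_days(root, days, key="mtime"):
    """Files whose timestamp is more recent than `days` ago: anything dated
    after the last known service pack or patch date deserves a closer look."""
    idx = 2 if key == "mtime" else 1
    cutoff = (datetime.now(timezone.utc) - timedelta(days=days)).timestamp()
    return [os.path.basename(r[0])
            for r in list_files_by_date(root, key) if r[idx] > cutoff]


def build_sample_tree():
    """Constructed sample (hypothetical file names, back-dated mtimes) so the
    script runs without touching a real system32."""
    root = tempfile.mkdtemp(prefix="sys32demo_")
    now = datetime.now(timezone.utc)
    ages_in_days = {"kernel32.dll": 400, "ntoskrnl.exe": 90, "svchost.exe": 1}
    for name, days in ages_in_days.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)          # fake PE header stub
        ts = (now - timedelta(days=days)).timestamp()
        os.utime(path, (ts, ts))                   # sets atime and mtime
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, _ctime, mtime in list_files_by_date(root):
        stamp = datetime.fromtimestamp(mtime, timezone.utc).strftime("%Y-%m-%d %H:%M")
        print(stamp, os.path.basename(path))
    print("changed in the last 30 days:", files_newer_than_days(root, 30))
```

Point it at a real `%systemroot%\system32` (read-only, ideally from a mounted image) and use the install or last-patch date as the `days` cutoff; the files that surface first are the ones to hash and check against known-good copies.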

 

....................................................................................................

Analysis of Index.dat

index.dat holds IE's cookies, history, Temporary Internet Files, user data, etc.
IE and the file manager record file information in index.dat
analysis tools: WFA, etc.

refer
WFA.exe (Windows File Analyzer)
http://www.mitec.cz/wfa.html
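A minimal record scanner for the index.dat format described above, as an added example (it is not WFA and not code from the note). It assumes the record layout that public reverse-engineering of the IE cache format documents: 128-byte blocks, a 4-byte record signature (`URL `, `REDR`, `LEAK`, `HASH`) followed by a uint32 block count, and for URL records two FILETIMEs at offsets 0x08 (last modified) and 0x10 (last accessed). Those offsets are an assumption stated in the code; the URL text is found by scanning the record rather than trusting an offset field, and the sample file is constructed, not captured from a real profile.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 128                                   # index.dat records are 128-byte aligned
RECORD_SIGS = (b"URL ", b"REDR", b"LEAK", b"HASH")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# URL text inside a record; History files prefix it with "Visited: user@"
URL_RE = re.compile(rb"(?:Visited: [^\x00@]+@)?(?:https?|ftp|file)://[\x21-\x7e]+")


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Exact integer conversion (avoids float rounding at 1e17 magnitudes)."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def iter_records(data):
    """Walk the file block by block; yield (offset, signature, record bytes).
    Assumed layout: 4-byte signature, then a uint32 count of 128-byte blocks."""
    pos = 0
    while pos + 8 <= len(data):
        sig = data[pos:pos + 4]
        if sig in RECORD_SIGS:
            nblocks = struct.unpack_from("<I", data, pos + 4)[0]
            length = max(1, nblocks) * BLOCK
            yield pos, sig, data[pos:pos + length]
            pos += length
        else:
            pos += BLOCK             # header block, hash table body or free space


def parse_url_records(data):
    """URL and LEAK records (LEAK = entry deleted while its cache file was
    still in use) with their FILETIMEs (assumed at 0x08/0x10) and URL text."""
    out = []
    for off, sig, rec in iter_records(data):
        if sig not in (b"URL ", b"LEAK") or len(rec) < 0x18:
            continue
        modified, accessed = struct.unpack_from("<QQ", rec, 0x08)
        m = URL_RE.search(rec)
        out.append({
            "offset": off,
            "type": sig.decode("ascii").strip(),
            "modified": filetime_to_datetime(modified),
            "accessed": filetime_to_datetime(accessed),
            "url": m.group(0).decode("ascii", "replace") if m else None,
        })
    return out


def make_url_record(url, accessed, modified=None):
    """Constructed two-block URL record in the assumed layout (demo only)."""
    rec = bytearray(2 * BLOCK)
    rec[0:4] = b"URL "
    struct.pack_into("<I", rec, 4, 2)
    struct.pack_into("<QQ", rec, 8,
                     0 if modified is None else datetime_to_filetime(modified),
                     datetime_to_filetime(accessed))
    text = url.encode("ascii") + b"\x00"
    rec[0x68:0x68 + len(text)] = text   # string placed in the record body
    return bytes(rec)


def build_sample_index():
    """Constructed index.dat-like file: a 2-block header then two records."""
    header = b"Client UrlCache MMF Ver 5.2\x00".ljust(2 * BLOCK, b"\x00")
    t1 = datetime(2015, 10, 23, 6, 23, 7, tzinfo=timezone.utc)
    t2 = t1 + timedelta(hours=2)
    return (header
            + make_url_record("Visited: raymond@http://example.com/login", t1)
            + make_url_record("http://example.org/index.html", t2, modified=t1))


if __name__ == "__main__":
    for r in parse_url_records(build_sample_index()):
        print(f"{r['offset']:#06x} {r['type']:4} acc={r['accessed']} mod={r['modified']} {r['url']}")
```

Block-walking rather than trusting a directory is deliberate: LEAK records and slack between records are where deleted history survives, and a tool that only follows the hash table never sees them.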

 

 

...................................................................................................

Analysis of Device

Windows records data when a device is plugged in and unplugged
analysis tools: devcon, USBDeview, etc.
ex:
Show non-present devices in Device Manager
> set devmgr_show_nonpresent_devices=1
> devmgmt.msc

USBDeview
third-party tool
shows information about which USB devices have been used
ex:
Connecting to an external SYSTEM registry file
> USBDeview.exe /regfile "c:\temp\regfiles\SYSTEM"

refer
USB History Viewing
http://forensicswiki.org/wiki/USB_History_Viewing
http://www.nirsoft.net/utils/usb_devices_view.html
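What USBDeview reads from that SYSTEM hive, reconstructed by hand as an added example (not the tool's code and not from the note): Windows keeps one key per USB mass-storage device under `SYSTEM\CurrentControlSet\Enum\USBSTOR\<device id>\<instance id>`. The device id encodes vendor, product and revision; the instance id is the device serial, except that when its second character is `&` Windows generated it because the device reported no serial, so it cannot distinguish two devices of the same model. The key list below is constructed with hypothetical vendors and serials, shaped like `reg query ... /s` output.

```python
import re

USBSTOR = r"SYSTEM\CurrentControlSet\Enum\USBSTOR"
# Device id: <class>&Ven_<vendor>&Prod_<product>&Rev_<revision>
DEVICE_RE = re.compile(r"^(?P<cls>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$")


def serial_is_unique(instance_id):
    """Documented rule: a '&' as the second character means Windows
    synthesised the id because the device reported no serial number."""
    return len(instance_id) > 1 and instance_id[1] != "&"


def parse_usbstor_keys(key_paths):
    """Take registry key paths (as `reg query` prints them with /s) and
    return one record per device\\instance pair under USBSTOR."""
    prefix = USBSTOR + "\\"
    devices = []
    for key in key_paths:
        if not key.startswith(prefix):
            continue
        parts = key[len(prefix):].split("\\")
        if len(parts) != 2:          # skip the device key itself and deeper subkeys
            continue
        m = DEVICE_RE.match(parts[0])
        if not m:
            continue
        instance = parts[1]
        devices.append({
            "class": m.group("cls"),
            "vendor": m.group("vendor").replace("_", " ").strip(),
            "product": m.group("product").replace("_", " ").strip(),
            "revision": m.group("rev"),
            "instance_id": instance,
            "serial": instance.rsplit("&", 1)[0],   # strip trailing "&<port>"
            "serial_is_unique": serial_is_unique(instance),
        })
    return devices


def unique_devices(key_paths):
    """Only devices whose serial can actually identify the physical stick."""
    return [d for d in parse_usbstor_keys(key_paths) if d["serial_is_unique"]]


# Constructed key list (hypothetical vendors/serials), shaped like reg query output
SAMPLE_KEYS = [
    USBSTOR,
    USBSTOR + r"\Disk&Ven_ACME&Prod_USB_Stick&Rev_1.00",
    USBSTOR + r"\Disk&Ven_ACME&Prod_USB_Stick&Rev_1.00\0011223344556677&0",
    USBSTOR + r"\Disk&Ven_ACME&Prod_USB_Stick&Rev_1.00\0011223344556677&0\Device Parameters",
    USBSTOR + r"\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07",
    USBSTOR + r"\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0",
    USBSTOR + r"\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0\Device Parameters",
]

if __name__ == "__main__":
    for d in parse_usbstor_keys(SAMPLE_KEYS):
        flag = "" if d["serial_is_unique"] else " (serial generated by Windows)"
        print(f"{d['vendor']} {d['product']} rev {d['revision']} serial {d['serial']}{flag}")
```

The last-write time of each instance key gives the first-connection window; correlate the serial with the `MountedDevices` key and the user's `MountPoints2` to tie a stick to a drive letter and an account.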

 


........................................................................................................

Analysis of Windows Search Index

on Windows 7 the index file is named Windows.edb
the file is locked by the WSearch (Windows Search) service while it runs
file path: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
analysis tools: ESEDatabaseView, etc.
refer
http://www.forensicswiki.org/wiki/Windows_Desktop_Search

How to obtain windows.edb
method 1
1. net stop WSearch  2. copy Windows.edb to another directory
method 2
off-line analysis

 

.....................................................................................................

Analysis of Hidden Partition

hidden partitions
partitions that are not visible to the operating system

Common analysis tools
Partition Logic
DriveSpy
..etc
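What those tools do at the lowest level, written out as an added example (not Partition Logic or DriveSpy code, and not from the note): parse the classic MBR partition table (four 16-byte entries at offset 446, `0x55AA` signature at 510) and report any sector range no entry claims, plus entries whose type byte marks them as hidden so Windows will not mount them. The 512-byte sector and disk size below are constructed.

```python
import struct

SECTOR = 512
MBR_ENTRY_OFFSET = 446
ENTRY_FMT = "<B3xB3xII"      # status, CHS start, type, CHS end, LBA start, sector count
TYPE_NAMES = {
    0x00: "empty", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
    0x11: "hidden FAT12", 0x14: "hidden FAT16 <32M", 0x16: "hidden FAT16",
    0x17: "hidden NTFS", 0x1B: "hidden FAT32", 0x1C: "hidden FAT32 LBA",
    0x1E: "hidden FAT16 LBA", 0x83: "Linux", 0xEE: "GPT protective",
}
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def parse_mbr(sector):
    """Return the non-empty partition entries sorted by starting LBA."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: boot signature 0x55AA missing")
    entries = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY_FMT, sector, MBR_ENTRY_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "type_name": TYPE_NAMES.get(ptype, "other"),
                        "start": start, "end": start + count - 1})
    return sorted(entries, key=lambda e: e["start"])


def find_gaps(entries, disk_sectors, min_gap=2048):
    """Sector ranges no entry claims, ignoring gaps smaller than min_gap
    (2048 sectors = 1 MiB, the usual alignment padding)."""
    gaps, cursor = [], 1                     # sector 0 is the MBR itself
    for e in entries:
        if e["start"] - cursor >= min_gap:
            gaps.append((cursor, e["start"] - 1))
        cursor = max(cursor, e["end"] + 1)
    if disk_sectors - cursor >= min_gap:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def hidden_type_entries(entries):
    """Entries whose type byte marks them 'hidden' (Windows does not mount them)."""
    return [e for e in entries if e["type"] in HIDDEN_TYPES]


def build_sample_mbr():
    """Constructed sector: a visible NTFS partition, a hidden-type NTFS
    partition after a gap, and unclaimed space at the end of a 2 GiB disk."""
    sector = bytearray(SECTOR)

    def entry(i, status, ptype, start, count):
        struct.pack_into(ENTRY_FMT, sector, MBR_ENTRY_OFFSET + 16 * i, status, ptype, start, count)

    entry(0, 0x80, 0x07, 2048, 2_000_000)
    entry(1, 0x00, 0x17, 2_100_000, 500_000)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


SAMPLE_DISK_SECTORS = 4_194_304   # 2 GiB at 512 bytes per sector

if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(f"#{p['index']} {p['type_name']:18} LBA {p['start']}-{p['end']}")
    print("gaps:", find_gaps(parts, SAMPLE_DISK_SECTORS))
    print("hidden types:", [p["index"] for p in hidden_type_entries(parts)])
```

On a real image, read sector 0 of the disk and pass the total sector count from the image size; a large gap or a hidden type byte is the cue to carve that range for a file-system boot sector.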


..................................................................................................
Analysis of Hidden ADS

alternate data streams are a technique for hiding programs
Common analysis tool: Stream Armor

refer
ADS of NTFS
https://systw.net/note/af/sblog/more.php?id=301
ADS
http://cyrilwang.blogspot.tw/2009/06/alternate-data-streams.html
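A quick ADS triage without a third-party tool, as an added example (not Stream Armor and not from the note): on NTFS, `dir /r` prints every named stream as `<file>:<stream>:$DATA` under the owning file, which plain `dir` and Explorer never show. The function parses that listing and reports streams other than the benign `Zone.Identifier` download marker, flagging names that look executable. The listing is constructed to match cmd.exe's format; it is not a real capture.

```python
import re

# "<size> <file>:<stream>:$DATA" lines that dir /r prints under each file
STREAM_RE = re.compile(r"^\s*(?P<size>[\d,]+)\s+(?P<file>.+?):(?P<stream>[^:]+):\$DATA\s*$")
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js")


def parse_dir_r(text):
    """Map file name -> [(stream name, size), ...] from `dir /r` output."""
    streams = {}
    for line in text.splitlines():
        m = STREAM_RE.match(line)
        if m:
            size = int(m.group("size").replace(",", ""))
            streams.setdefault(m.group("file"), []).append((m.group("stream"), size))
    return streams


def suspicious_streams(text, ignore=("Zone.Identifier",)):
    """Named streams worth a look: everything except the listed benign
    markers, flagged when the stream name looks like an executable."""
    findings = []
    for fname, slist in parse_dir_r(text).items():
        for sname, size in slist:
            if sname in ignore:
                continue
            findings.append({"file": fname, "stream": sname, "size": size,
                             "looks_executable": sname.lower().endswith(EXEC_SUFFIXES)})
    return findings


# Constructed listing in the shape of `dir /r` output (not a real capture)
SAMPLE_DIR_R = """ Volume in drive C has no label.
 Directory of C:\\temp\\evidence

10/23/2015  02:23 PM    <DIR>          .
10/23/2015  02:23 PM    <DIR>          ..
10/23/2015  02:23 PM                12 notes.txt
                                45,056 notes.txt:hidden.exe:$DATA
10/22/2015  09:10 AM           102,400 report.docx
                                    26 report.docx:Zone.Identifier:$DATA
               2 File(s)        102,412 bytes
"""

if __name__ == "__main__":
    for f in suspicious_streams(SAMPLE_DIR_R):
        tag = " <-- executable name" if f["looks_executable"] else ""
        print(f"{f['file']}:{f['stream']} ({f['size']} bytes){tag}")
```

The size is the giveaway: a 12-byte text file carrying a 45 KB stream is worth pulling out (`more < notes.txt:hidden.exe` or a forensic tool) and hashing, whatever the stream is called.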

 

............................................................................................

Analysis of Slack Space

If a file is smaller than the file system's minimum allocation unit, the remaining space is called slack space
Common analysis tool: DriveSpy
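Where exactly that leftover space sits and what can be carved from it, as an added example (not DriveSpy code and not from the note). NTFS allocates whole clusters (4 KiB by default) but writes files in whole sectors, so the last cluster splits into RAM slack (end of file up to the end of the last written sector, zero-filled by NT-family Windows) and file slack (the remaining sectors, still holding whatever previously occupied the cluster). The cluster image is constructed to show exactly that.

```python
SECTOR = 512
CLUSTER = 4096


def slack_layout(file_size, cluster=CLUSTER, sector=SECTOR):
    """Offsets inside the file's last cluster: (eof, end of RAM slack, end of
    cluster), or None when the file ends exactly on a cluster boundary."""
    used = file_size % cluster
    if used == 0:
        return None
    ram_slack_end = -(-used // sector) * sector      # round up to the next sector
    return used, ram_slack_end, cluster


def carve_slack(last_cluster, file_size, cluster=CLUSTER, sector=SECTOR):
    """Split the last cluster into (ram_slack, file_slack). RAM slack is the
    tail of the last written sector (zeroed by NT-family Windows); file slack
    is the untouched sectors that may still hold a previous file's bytes."""
    layout = slack_layout(file_size, cluster, sector)
    if layout is None:
        return b"", b""
    eof, ram_end, end = layout
    return bytes(last_cluster[eof:ram_end]), bytes(last_cluster[ram_end:end])


def printable_strings(blob, min_len=8):
    """ASCII runs of at least min_len characters, like the `strings` tool."""
    out, run = [], bytearray()
    for b in blob + b"\x00":
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def build_sample_cluster():
    """Constructed cluster: an old memo used to occupy it; a 15-byte note was
    written over the start, and Windows zeroed the rest of that sector."""
    old_occupant = (b"Memo: the quarterly figures are attached, do not forward. " * 80)[:CLUSTER]
    cluster = bytearray(old_occupant)
    new_file = b"todo: buy milk\n"
    cluster[:len(new_file)] = new_file
    ram_end = -(-len(new_file) // SECTOR) * SECTOR
    cluster[len(new_file):ram_end] = bytes(ram_end - len(new_file))
    return bytes(cluster), len(new_file)


if __name__ == "__main__":
    cluster, size = build_sample_cluster()
    ram, file_slack = carve_slack(cluster, size)
    print(f"file {size} B, RAM slack {len(ram)} B, file slack {len(file_slack)} B")
    for s in printable_strings(file_slack)[:2]:
        print("recovered:", s[:60])
```

On a real volume, take the file's logical size from the MFT, read its last cluster from the image, and run `carve_slack` on it; the cluster size comes from the volume boot sector, not from a constant.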


........................................................................................

Analysis of Virtual Memory

the swap file is the on-disk backing store for virtual memory
on Windows, the swap file is a hidden file called pagefile.sys
analysis tools: X-Ways Forensics, etc.

The swap file can contain a lot of information, for example:
files opened and their contents
online chats
websites visited
emails sent and received
hidden running processes
...omit...

Swap file path configuration
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
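Because a pagefile has no structure worth parsing, the practical first pass is a `strings`-style sweep in both 8-bit and UTF-16LE (Windows keeps most user-facing text as UTF-16), followed by pattern matching for the artefact classes listed above. This is an added example, not X-Ways code and not from the note; the blob is constructed to imitate paged-out memory and the names and addresses in it are made up.

```python
import re

URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./?=&%-]*)?")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def carve_strings(blob, min_len=8):
    """Return (encoding, offset, text) for every printable run of at least
    min_len characters, in 8-bit ASCII and in UTF-16LE, sorted by offset."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append(("ascii", m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.append(("utf16", m.start(), m.group().decode("utf-16-le")))
    found.sort(key=lambda t: t[1])
    return found


def indicators(blob, min_len=8):
    """URLs and e-mail addresses found in the carved strings, de-duplicated."""
    hits = {"urls": set(), "emails": set()}
    for _enc, _off, text in carve_strings(blob, min_len):
        hits["urls"].update(URL_RE.findall(text))
        hits["emails"].update(EMAIL_RE.findall(text))
    return {k: sorted(v) for k, v in hits.items()}


def build_sample_pagefile():
    """Constructed blob imitating paged-out memory: zero pages, binary
    noise, one ASCII HTTP request line and one UTF-16LE mail header."""
    return (bytes(300)
            + b"GET http://example.com/login?user=raymond HTTP/1.1\r\n"
            + b"\xff\x00\x13" * 50
            + "To: raymond@example.com\r\n".encode("utf-16-le")
            + bytes(100)
            + b"\x01\x02" * 40)


if __name__ == "__main__":
    blob = build_sample_pagefile()
    for enc, off, text in carve_strings(blob):
        print(f"{off:#08x} {enc:5} {text!r}")
    print(indicators(blob))
```

For a multi-gigabyte pagefile.sys, read it in chunks with an overlap of a few hundred bytes so a string spanning a chunk boundary is not lost, and acquire it from an image or a volume shadow copy, since the live file is held open by the kernel.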


....................................................................................

Analysis of NetBIOS

nbtstat
Displays protocol statistics and current TCP/IP connections using NBT
(NetBIOS over TCP/IP).
NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval] ]

nbtstat -n
-n (names): Lists local NetBIOS names.
example output:
VMware Network Adapter VMnet1:
Node IpAddress: [192.168.157.1] Scope Id: []
NetBIOS Local Name Table
Name Type Status
---------------------------------------------
RAYMOND <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
Local Area Connection* 7:
Node IpAddress: [0.0.0.0] Scope Id: []
No names in cache
Ethernet:
Node IpAddress: [0.0.0.0] Scope Id: []
No names in cache
Wi-Fi:
Node IpAddress: [192.168.100.133] Scope Id: []
NetBIOS Local Name Table
Name Type Status
---------------------------------------------
RAYMOND <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
Bluetooth Network Connection:
Node IpAddress: [0.0.0.0] Scope Id: []
No names in cache


refer
https://msdn.microsoft.com/zh-tw/library/cc757216(v=ws.10).aspx
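The listing above is easier to compare across hosts as data, so here is a parser for `nbtstat -n` output, added as an example (not from the note). It turns each adapter's name table into rows of adapter, node IP, name, suffix, type and status, and annotates the suffix with its documented meaning (`<00>` workstation or workgroup, `<20>` file server, `<1B>` domain master browser, and so on). The sample input is the note's own listing, retyped.

```python
import re

SUFFIX_MEANING = {
    0x00: "workstation service (UNIQUE) / workgroup or domain name (GROUP)",
    0x03: "messenger service",
    0x1B: "domain master browser",
    0x1C: "domain controllers",
    0x1D: "master browser",
    0x1E: "browser service elections",
    0x20: "file server service",
}
ADAPTER_RE = re.compile(r"^(?P<adapter>\S.*):$")
NODE_RE = re.compile(r"^Node IpAddress: \[(?P<ip>[\d.]+)\] Scope Id: \[(?P<scope>[^\]]*)\]$")
NAME_RE = re.compile(r"^(?P<name>\S+)\s+<(?P<suffix>[0-9A-Fa-f]{2})>\s+(?P<type>UNIQUE|GROUP)\s+(?P<status>\S+)$")


def parse_nbtstat_n(text):
    """One record per registered name: adapter, node IP, name, suffix, type,
    status and the suffix's documented meaning."""
    rows, adapter, ip = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = NODE_RE.match(line)
        if m:
            ip = m.group("ip")
            continue
        m = NAME_RE.match(line)
        if m:
            suffix = int(m.group("suffix"), 16)
            rows.append({"adapter": adapter, "ip": ip, "name": m.group("name"),
                         "suffix": suffix, "type": m.group("type"),
                         "status": m.group("status"),
                         "meaning": SUFFIX_MEANING.get(suffix, "other")})
            continue
        m = ADAPTER_RE.match(line)
        if m:
            adapter, ip = m.group("adapter"), None
    return rows


def names_by_adapter(text):
    """{adapter: [NAME<suffix>, ...]} for adapters that registered something."""
    out = {}
    for r in parse_nbtstat_n(text):
        out.setdefault(r["adapter"], []).append(f"{r['name']}<{r['suffix']:02X}>")
    return out


# The note's own nbtstat -n listing, retyped as sample input
SAMPLE_NBTSTAT_N = """
VMware Network Adapter VMnet1:
Node IpAddress: [192.168.157.1] Scope Id: []
NetBIOS Local Name Table
Name Type Status
---------------------------------------------
RAYMOND <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
Local Area Connection* 7:
Node IpAddress: [0.0.0.0] Scope Id: []
No names in cache
Ethernet:
Node IpAddress: [0.0.0.0] Scope Id: []
No names in cache
Wi-Fi:
Node IpAddress: [192.168.100.133] Scope Id: []
NetBIOS Local Name Table
Name Type Status
---------------------------------------------
RAYMOND <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
Bluetooth Network Connection:
Node IpAddress: [0.0.0.0] Scope Id: []
No names in cache
"""

if __name__ == "__main__":
    for r in parse_nbtstat_n(SAMPLE_NBTSTAT_N):
        print(f"{r['adapter']:30} {r['ip']:16} {r['name']}<{r['suffix']:02X}> {r['type']:6} {r['meaning']}")
```

The same parser works on `nbtstat -n` saved from several machines during a case; a `<20>` entry on a workstation that should not be sharing files, or a `<1B>`/`<1D>` claim from an unexpected host, is what to look for in the merged table.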

 

Posted 2015-10-23 14:23:07, modified 2015-10-23 14:30:57
