Win Forensics
Win forensics in non-volatile information
https://systw.net/note/af/sblog/more.php?id=318
Win forensics in volatile information
https://systw.net/note/af/sblog/more.php?id=316
Win forensics in file
https://systw.net/note/af/sblog/more.php?id=317
Registry
https://systw.net/note/af/sblog/more.php?id=178
Windows Executable File
https://systw.net/note/af/sblog/more.php?id=306
Common non-volatile information sources
- slack space
- swap file
- unallocated clusters
- unused partitions
- hidden partitions
…………………………………………………………………………………………………………………………
Files in system32 Analysis
1. Examine
- latest installation date and time
- service packs, patches, subdirectory updates
2. Give priority to recently dated files
> cd %systemroot%\system32
> dir /o:d
ps:
dir /od /tc /a    sort by creation date, including hidden and system files
dir /tc           show the creation time instead of the default last-write time
dir shows the last-write time by default; a copy keeps the source's last-write time but gets a new creation time, so a file created after it was last written was copied in from elsewhere
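The same triage as `dir /o:d` and `dir /tc` done in Python, added here as an example and not part of the original note: one listing with both timestamps, plus filters for files written recently and for files whose creation time is later than their last write. It builds its own stand-in for system32 in a temporary directory (the three file names and their ages are constructed, not real system files); point it at a real %systemroot%\system32 to use it.

```python
import os
import tempfile
import time
from collections import namedtuple

Entry = namedtuple("Entry", "mtime created size path")


def timeline(root):
    """Walk root and return one Entry per file, newest last-write first.
    Equivalent to `dir /o:d` read bottom-up, but keeps the creation time
    next to the last-write time so both `dir` views appear in one pass."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            # Windows: st_ctime is the creation time (the `dir /tc` column).
            # Linux has no creation time; st_ctime is the inode change time.
            created = getattr(st, "st_birthtime", st.st_ctime)
            rows.append(Entry(st.st_mtime, created, st.st_size, path))
    rows.sort(key=lambda e: e.mtime, reverse=True)
    return rows


def modified_since(root, days, now=None):
    """Entries whose last-write time falls within the last `days` days."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    return [e for e in timeline(root) if e.mtime >= cutoff]


def copied_in(root):
    """Entries created later than they were last written.  A copy keeps the
    source's last-write time but gets a fresh creation time, so this is a
    quick filter for binaries dropped into system32 from elsewhere.  Only
    meaningful where `created` really is the creation time (Windows, macOS)."""
    return [e for e in timeline(root) if e.created > e.mtime + 1]


def names(entries):
    """Basenames in the order given, for compact reporting."""
    return [os.path.basename(e.path) for e in entries]


def build_sample_dir():
    """Constructed stand-in for system32: three made-up files whose
    last-write times are set 400, 100 and 2 days in the past."""
    root = tempfile.mkdtemp(prefix="sys32_")
    now = time.time()
    for name, age_days in (("kernel32.dll", 400), ("svchost.exe", 100), ("drop.exe", 2)):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(b"MZ" + bytes(62))
        ts = now - age_days * 86400
        os.utime(path, (ts, ts))
    return root


if __name__ == "__main__":
    root = build_sample_dir()
    for e in timeline(root):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(e.mtime)), e.size, e.path)
    print("modified in last 30 days:", names(modified_since(root, 30)))
    print("created after last write:", names(copied_in(root)))
```

Run on a live box as `timeline(os.path.join(os.environ["SystemRoot"], "System32"))`; on a mounted image pass the mounted path instead. Timestamps are trivially forged, so treat the result as a prioritisation list, not proof.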
……………………………………………………………………………………….
Analysis of Index.dat
index.dat holds Internet Explorer Cookies, History, Temporary Internet Files, user data, etc.
IE (and, in older Windows versions, Windows Explorer for file:/// access) records URL and file access entries in index.dat
ps: index.dat is used up to IE 9; IE 10 and later keep the same data in the ESE database WebCacheV01.dat
analysis tool: WFA.exe (Windows File Analyzer), etc.
refer
http://www.mitec.cz/wfa.html
………………………………………………………………………………………
Analysis of Devices
Windows records data when a device is plugged in and unplugged
analysis tool: devcon, USBDeview, etc.
ex:
Show non-present devices in Device Manager (run both commands from the same console so devmgmt.msc inherits the variable)
> set devmgr_show_nonpresent_devices=1
> devmgmt.msc
USBDeview
third-party tool
shows information about every USB device that has ever been connected (read from the USBSTOR/USB keys of the SYSTEM hive)
ex:
connect to an external SYSTEM registry file (offline analysis of a hive taken from a disk image)
# USBDeview.exe /regfile "c:\temp\regfiles\SYSTEM"
refer
USB History Viewing
http://forensicswiki.org/wiki/USB_History_Viewing
http://www.nirsoft.net/utils/usb_devices_view.html
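The registry tells you which USB devices were seen; the first time each one was installed is written to the plain-text log C:\Windows\inf\setupapi.dev.log (Windows 7 and later). Added example, not from the page or from USBDeview: a parser for that log that returns the first-install time per USB vendor/product/serial and flags serials Windows generated itself (second character is '&'), which cannot identify one physical stick. The log excerpt is constructed in the file's real layout; the VIDs, PIDs, serials and times are made up.

```python
import re

# Constructed excerpt in the layout of C:\Windows\inf\setupapi.dev.log.
# Device IDs, serials and timestamps are made up; the last section repeats a
# device that was already installed, which must not overwrite the first time.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001230425114073]
>>>  Section start 2017/03/14 09:12:41.120
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2017/03/14 09:12:43.001
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - PCI\VEN_8086&DEV_1E31&SUBSYS_05DA1028&REV_04\3&11583659&0&A0]
>>>  Section start 2017/03/14 09:15:02.500
<<<  Section end 2017/03/14 09:15:03.010
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_13FE&PID_4200\7&1e6b9a6a&0]
>>>  Section start 2017/05/02 22:47:10.884
<<<  Section end 2017/05/02 22:47:12.399
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001230425114073]
>>>  Section start 2017/06/30 08:01:55.030
<<<  Section end 2017/06/30 08:01:55.900
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<devid>.+)\]\s*$")
START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
USB_ID = re.compile(r"^USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})\\(?P<serial>[^\\]+)$", re.I)


def device_installs(log_text):
    """Yield (device_id, timestamp) for every hardware-initiated install
    section.  The timestamp is local time, exactly as the logger wrote it."""
    pending = None
    for line in log_text.splitlines():
        h = HEADER.match(line)
        if h:
            pending = h.group("devid")
            continue
        s = START.match(line)
        if s and pending is not None:
            yield pending, s.group("ts")
            pending = None


def usb_first_installs(log_text):
    """First-install time per USB device, in order of first appearance.
    A serial whose second character is '&' was generated by Windows because
    the device reported no unique serial, so it cannot identify one stick."""
    first = {}
    for devid, ts in device_installs(log_text):
        m = USB_ID.match(devid)
        if not m or devid in first:
            continue
        serial = m.group("serial")
        first[devid] = {
            "vid": m.group("vid").upper(),
            "pid": m.group("pid").upper(),
            "serial": serial,
            "windows_generated_serial": len(serial) > 1 and serial[1] == "&",
            "first_install": ts,
        }
    return list(first.values())


def scan_log(path):
    """Parse a setupapi.dev.log copied from the machine or an image."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return usb_first_installs(f.read())


if __name__ == "__main__":
    for d in usb_first_installs(SAMPLE_LOG):
        print(d["first_install"], d["vid"], d["pid"], d["serial"],
              "(Windows-generated serial)" if d["windows_generated_serial"] else "")
```

Correlate the VID/PID/serial with the USBSTOR keys USBDeview lists; the log gives the first install only, so last-connect times still come from the registry key timestamps.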
…………………………………………………………………………………………..
Analysis of Windows Search Index
index file name is Windows.edb (an ESE database) in Windows 7
the file is held open by the Windows Search service (WSearch) while the service runs, so a plain copy fails
file path: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
analysis tool: ESEDatabaseView, etc.
refer
http://www.forensicswiki.org/wiki/Windows_Desktop_Search
How to get Windows.edb
method 1
1. net stop WSearch  2. copy Windows.edb to another directory
method 2
offline analysis: take the file from a disk image of the volume
ps: a database taken without stopping the service may be in a dirty-shutdown state; run esentutl /r (recovery) or esentutl /p (repair) on the copy before ESE tools will open it
………………………………………………………………………………………..
Analysis of Hidden Partitions
hidden partitions
partitions the OS does not show (no drive letter, or a partition type it ignores); compare the partition table entries against the physical disk size and look for unexplained gaps
Common analysis tools
Partition Logic
DriveSpy
etc.
……………………………………………………………………………………..
Analysis of Hidden ADS
NTFS Alternate Data Streams: a technique for hiding a program or data inside another file, invisible to a normal directory listing and not counted in the file's size
Common analysis tool: Stream Armor (on Vista and later `dir /r` also lists streams)
refer
ADS of NTFS
https://systw.net/note/af/sblog/more.php?id=301
ADS
http://cyrilwang.blogspot.tw/2009/06/alternate-data-streams.html
………………………………………………………………………………..
Analysis of Slack Space
When a file is smaller than the file system's allocation unit (cluster), the unused remainder of its last cluster is called slack space; it still holds whatever data previously occupied that cluster.
Common analysis tool: DriveSpy
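Added example, not from the page: why slack holds evidence, shown on a constructed one-cluster image in which an old file filled the cluster, was deleted, and a 100-byte file was then allocated in its place. The cluster size is assumed to be 4096 bytes (the common NTFS default; check a real volume with `fsutil fsinfo ntfsinfo C:`).

```python
CLUSTER = 4096  # assumed NTFS allocation unit; verify with `fsutil fsinfo ntfsinfo C:`


def slack_size(file_size, cluster=CLUSTER):
    """Unused bytes in the file's last cluster (0 for an empty file
    or a size that is an exact multiple of the cluster)."""
    return 0 if file_size == 0 else (-file_size) % cluster


def slack_region(image, start, file_size, cluster=CLUSTER):
    """Bytes between the logical end of a contiguously stored file and the
    end of its last cluster, read from a raw image (bytes, bytearray, mmap)."""
    if file_size == 0:
        return b""
    end = start + file_size
    last_cluster_end = start + ((file_size + cluster - 1) // cluster) * cluster
    return bytes(image[end:last_cluster_end])


def demo_image():
    """Constructed image: one cluster filled by an old (now deleted) memo,
    then a 100-byte file allocated at the same cluster.  The file system
    overwrites only the bytes the new file needs; the rest is slack."""
    image = bytearray((b"OLD-CONFIDENTIAL-MEMO " * 256)[:CLUSTER])
    new_file = b"new short note\n".ljust(100, b".")
    image[0:len(new_file)] = new_file
    return image, len(new_file)


if __name__ == "__main__":
    image, size = demo_image()
    slack = slack_region(image, 0, size)
    print(len(slack), "bytes of slack, starts with:", slack[:44])
```

On a real volume the file's cluster run comes from the MFT, so the `start` offset is the run's first cluster multiplied by the cluster size plus the partition offset; the slack of every small file on the volume is why a forensic image, not a file copy, is what gets analysed.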
…………………………………………………………………………….
Analysis of Virtual Memory
the swap (paging) file backs virtual memory
on Windows the swap file is a hidden system file called pagefile.sys (Windows 8 and later also use swapfile.sys); it is locked while Windows runs, so take it from a disk image
analysis tool: X-Ways Forensics, etc.
The swapfile can contain information such as:
opened files and their contents
online chats
websites visited
emails sent and received
hidden running processes
...omit...
Swapfile path configuration (value PagingFiles; if ClearPageFileAtShutdown is 1 the file is wiped at shutdown)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
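Most of what the list above promises is recovered by carving printable strings out of the pagefile, in both ASCII and UTF-16LE (Windows' native encoding, so paths, registry text and most URLs appear as UTF-16). Added example, not from the page or from X-Ways: a string carver with URL and e-mail extraction, run over a constructed byte blob that stands in for a pagefile; `scan_file` does the same over a real pagefile.sys copied off an image via mmap so a multi-GB file is not read into memory.

```python
import mmap
import re

# Runs of 6+ printable bytes, as ASCII and as UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def carve_strings(blob):
    """(offset, encoding, text) for every printable run, in offset order."""
    found = []
    for m in ASCII_RUN.finditer(blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RUN.finditer(blob):
        found.append((m.start(), "utf16", m.group().decode("utf-16-le")))
    found.sort()
    return found


def indicators(blob):
    """Sorted unique URLs and e-mail addresses found in the carved strings."""
    urls, emails = set(), set()
    for _offset, _enc, text in carve_strings(blob):
        urls.update(URL.findall(text))
        emails.update(EMAIL.findall(text))
    return sorted(urls), sorted(emails)


def scan_file(path):
    """Carve a pagefile.sys copied from an image, without loading it into RAM."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return indicators(mm)


def sample_pagefile():
    """Constructed stand-in for a pagefile: non-printable filler around a
    browser request (ASCII), a mailto link and a document path (UTF-16LE).
    The host names, user and file names are made up."""
    filler = bytes([0x00, 0xFF, 0x07, 0xFE, 0x1B]) * 40
    return (filler
            + b"GET https://intranet.example/login?user=bob HTTP/1.1" + filler
            + "mailto:alice@example.org".encode("utf-16-le") + filler
            + "C:\\Users\\bob\\Desktop\\report.docx".encode("utf-16-le") + filler)


if __name__ == "__main__":
    blob = sample_pagefile()
    for offset, enc, text in carve_strings(blob):
        print(f"{offset:08x} {enc:5} {text}")
    urls, emails = indicators(blob)
    print("URLs:", urls)
    print("E-mail addresses:", emails)
```

The same carver applies to hiberfil.sys and to unallocated space; raise the minimum run length to cut noise, and remember that a string in the pagefile proves presence in memory at some point, not when or by which process.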
…………………………………………………………………………
Analysis of NetBIOS
nbtstat
Displays protocol statistics and current TCP/IP connections using NBT
(NetBIOS over TCP/IP).
NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval] ]
nbtstat -n
-n(names) : Lists local NetBIOS names.
display as below
VMware Network Adapter VMnet1:
Node IpAddress: [192.168.157.1] Scope Id: []
NetBIOS Local Name Table
Name Type Status
---------------------------------------------
RAYMOND <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
Local Area Connection* 7:
Node IpAddress: [0.0.0.0] Scope Id: []
No names in cache
Ethernet:
Node IpAddress: [0.0.0.0] Scope Id: []
No names in cache
Wi-Fi:
Node IpAddress: [192.168.100.133] Scope Id: []
NetBIOS Local Name Table
Name Type Status
---------------------------------------------
RAYMOND <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
Bluetooth Network Connection:
Node IpAddress: [0.0.0.0] Scope Id: []
No names in cache
refer
https://msdn.microsoft.com/zh-tw/library/cc757216(v=ws.10).aspx
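Added example, not from the page: a parser that turns the `nbtstat -n` output above into one record per registered name and annotates the <xx> suffixes (<00> UNIQUE is the workstation service, i.e. the computer name; <00> GROUP the workgroup or domain; <20> UNIQUE the server service, meaning SMB sharing is advertised), then lists which interfaces are actually announcing names. The sample input is the page's own output with nbtstat's column layout restored.

```python
import re

# The `nbtstat -n` output shown above, re-indented the way nbtstat prints it.
SAMPLE_NBTSTAT = """\
VMware Network Adapter VMnet1:
Node IpAddress: [192.168.157.1] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    RAYMOND        <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered

Local Area Connection* 7:
Node IpAddress: [0.0.0.0] Scope Id: []

    No names in cache

Ethernet:
Node IpAddress: [0.0.0.0] Scope Id: []

    No names in cache

Wi-Fi:
Node IpAddress: [192.168.100.133] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    RAYMOND        <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered

Bluetooth Network Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

    No names in cache
"""

NODE = re.compile(r"^\s*Node IpAddress: \[(?P<ip>[^\]]*)\] Scope Id: \[(?P<scope>[^\]]*)\]")
ENTRY = re.compile(r"^\s*(?P<name>\S.*?)\s+<(?P<suffix>[0-9A-Fa-f]{2})>\s+(?P<type>UNIQUE|GROUP)\s+(?P<status>\S+)")
IFACE = re.compile(r"^(?P<iface>\S.*):\s*$")

# Meaning of the 16th byte of a NetBIOS name (the <xx> suffix) by record type.
SUFFIX = {
    ("00", "UNIQUE"): "Workstation service (computer name)",
    ("00", "GROUP"): "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger service (user or computer name)",
    ("20", "UNIQUE"): "Server service (file and print sharing)",
    ("1B", "UNIQUE"): "Domain master browser",
    ("1C", "GROUP"): "Domain controllers",
    ("1D", "UNIQUE"): "Master browser",
    ("1E", "GROUP"): "Browser service elections",
}


def parse_nbtstat(text):
    """Flatten `nbtstat -n` output into one dict per name table entry."""
    records, iface, ip = [], None, None
    for line in text.splitlines():
        n = NODE.match(line)
        if n:
            ip = n.group("ip")
            continue
        e = ENTRY.match(line)
        if e:
            key = (e.group("suffix").upper(), e.group("type"))
            records.append({
                "iface": iface, "ip": ip,
                "name": e.group("name"), "suffix": key[0], "type": key[1],
                "status": e.group("status"),
                "meaning": SUFFIX.get(key, "unknown"),
            })
            continue
        i = IFACE.match(line)
        if i:
            iface, ip = i.group("iface"), None  # new adapter section
    return records


def interfaces_with_names(records):
    """(interface, ip) pairs that register NetBIOS names, i.e. where the host
    answers NBT name queries; interfaces at 0.0.0.0 have nothing registered."""
    return sorted({(r["iface"], r["ip"]) for r in records
                   if r["status"] == "Registered" and r["ip"] != "0.0.0.0"})


if __name__ == "__main__":
    recs = parse_nbtstat(SAMPLE_NBTSTAT)
    for r in recs:
        print(f'{r["iface"]:30} {r["ip"]:16} {r["name"]:16} <{r["suffix"]}> {r["type"]:7} {r["meaning"]}')
    print("announcing on:", interfaces_with_names(recs))
```

Feed it the saved output of `nbtstat -n` from each host of interest; a <20> entry on an interface you did not expect (a Wi-Fi adapter, for instance) is worth following up, since it means the server service is reachable over NetBIOS there.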