Win Forensics
Win forensics in non-volatile information https://systw.net/note/af/sblog/more.php?id=318
Win forensics in volatile information https://systw.net/note/af/sblog/more.php?id=316
Win forensics in file https://systw.net/note/af/sblog/more.php?id=317
Registry https://systw.net/note/af/sblog/more.php?id=178
Windows Executable File https://systw.net/note/af/sblog/more.php?id=306
Common windows file analysis source
undeleted file
recycle bin
IE temp file
Windows tmep file %system%/temp/
Documents and Settings, ex.recent cookie
refer
http://wenku.baidu.com/view/da7fbcd0360cba1aa811da11.html?re=view
…………………………………………………………………………………………………….
Analysis of Windows Prefetch
Prefetch: record when execute which process for improve performance
Store dir: windowsprefetch
common analysis tool as below
Analysis of Windows Prefetch
Prefetch-Parser
LastActivityView
……………………………………………………………………………………….
Analysis of shortcut files
Extension of shortcut file is .ink
it provides information about files or network shares that the user had accessed
common analysis tool like FTK,WFA,…etc
…………………………………………………………………………………………..
Analysis of Metadata for Office and PDF
Common analysis tool as below
FOCA: for word
Office-metadata-parser:
Word Extractor:把word內的字解出來
refer
https://www.elevenpaths.com/labstools/foca/index.html
http://redwolfcomputerforensics.com/
ps:
most file don’t have metadata, metadata is usually in root directory of NTFS/FAT
ps
GUID (global unique identifier)
a unique identity for an entity such as a Word document
refer
https://en.wikipedia.org/wiki/Globally_unique_identifier
…………………………………………………………………………………………….
Analysis of Image
Smart phone拍照常會帶經緯度資訊並放在照片的metadata,可被exiftool看到
common analysis tool like ExifTool,…etc
refer
http://www.sno.phy.queensu.ca/~phil/exiftool/
……………………………………………………………………………………………
Analysis of File Signature
判斷檔案本身與extension(副檔名)是否一致
common method is examine the file header/file signature.
collecting information from the first 20 bytes of a file to determine the type.
extension is windows identifies which application to open a file.
File signature
代表特定檔案的專屬字元組合
common file signature as below
EXE: 4D 5A
JPG: FF D8 FF E0
doc of Microsoft Office document: D0 CF 11 E0 A1 B1 1A E1
refer
www.garykessler.net/library/file_sigs.html
Common analysis tool as below
ExifTool
TrID: File Identifier
HxD
ProDiscover
010editor
refer
http://mark0.net/soft-trid-e.html
010editor
A GUI tool can read hex of file
supporting Windows and Linux
supporting various file format by download templates from online
http://www.sweetscape.com/010editor/templates/
HxD
windows GUI tool
A tool can read hex of file to observe file signature
ps:
Windows 列印處理程序通常支援 5 種資料類型。
最常用的是 EMF及 RAW
ps
EMF(增強型中繼檔)
大多數 Windows 程式的預設資料類型。使用 EMF,列印文件會變更為比 RAW 更便於攜帶的中繼檔格式,並且通常可在任何印表機上列印出來。EMF 檔案通常比包含相同列印工作的 RAW 檔案要小。
RAW
Windows 程式以外之用戶端的預設資料類型。RAW 資料類型告知多工緩衝處理器在列印之前完全不要變更列印工作
refer
https://msdn.microsoft.com/zh-tw/library/cc776042(v=ws.10).aspx
………………………………………………………………………………..
Analysis of Browser
IE
cache: C:\users\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
history: C:\users\AppData\Local\Microsoft\Windows\History
cookie: C:\users\AppData\Local\Microsoft\Windows\Cookies
Firefox
cache:C:\users\AppData\Local\MozillaFirefox\Profile\sum\uq8upn.defaultcache
history:C:\users\AppData\Roaming\MozillaFirefox\Profile\sum\uq8upn.defaultplaces.sqlite
cookie:C:\users\AppData\Roaming\MozillaFirefox\Profile\sum\uq8upn.defaultcookies.sqllite
Chrome
history,cookie,cache,bookmarks: C:\users\AppData\Local\Google\Chrome\User Data\Default
Common tool:
browserviewhistory.exe
iecookiesview, iecacheview,iehistoryview
mozillacookiesview,..etc
chromecookiesview,…etc