{"id":341,"date":"2015-10-23T19:15:20","date_gmt":"2015-10-23T11:15:20","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=341"},"modified":"2023-10-30T19:29:57","modified_gmt":"2023-10-30T11:29:57","slug":"win-forensicsnonvolatile","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/341","title":{"rendered":"Win Forensics(NonVolatile)"},"content":{"rendered":"\n<p><strong>Win Forensics<\/strong><br>Win forensics in non-volatile information<br><a href=\"https:\/\/systw.net\/note\/af\/sblog\/more.php?id=318\">https:\/\/systw.net\/note\/af\/sblog\/more.php?id=318<\/a><br>Win forensics in volatile information<br><a href=\"https:\/\/systw.net\/note\/af\/sblog\/more.php?id=316\">https:\/\/systw.net\/note\/af\/sblog\/more.php?id=316<\/a><br>Win forensics in file<br><a href=\"https:\/\/systw.net\/note\/af\/sblog\/more.php?id=317\">https:\/\/systw.net\/note\/af\/sblog\/more.php?id=317<\/a><br>Registry<br><a href=\"https:\/\/systw.net\/note\/af\/sblog\/more.php?id=178\">https:\/\/systw.net\/note\/af\/sblog\/more.php?id=178<\/a><br>Windows Executable File<br><a href=\"https:\/\/systw.net\/note\/af\/sblog\/more.php?id=306\">https:\/\/systw.net\/note\/af\/sblog\/more.php?id=306<\/a><\/p>\n\n\n\n
<p><strong>Common non-volatile information sources<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>slack space<\/li>\n\n\n\n<li>swap file<\/li>\n\n\n\n<li>unallocated clusters<\/li>\n\n\n\n<li>unused partitions<\/li>\n\n\n\n<li>hidden partitions<\/li>\n<\/ul>\n\n\n\n
<h2 class=\"wp-block-heading\"><strong>Analysis of Files in system32<\/strong><\/h2>\n\n\n\n<p><strong>1. Examine the following<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>latest time and date of the installation<\/li>\n\n\n\n<li>updates to service packs, patches and subdirectories<\/li>\n<\/ul>\n\n\n\n<p><strong>2. Give priority to recently dated files<\/strong><br>&gt; cd %systemroot%\\system32<br>&gt; dir \/o:d<br>ps:<br>dir \/od \/tc \/a sorts by creation date<br>dir \/tc shows the file creation times<\/p>\n\n\n\n
<h2 class=\"wp-block-heading\"><strong>Analysis of Index.dat<\/strong><\/h2>\n\n\n\n<p>index.dat holds IE cookies, history, temporary Internet files, user data, etc.<br>IE and the file manager record all file information in index.dat<br>analysis tool: WFA, etc.<\/p>\n\n\n\n<p>refer<br>tools include WFA.exe (Windows File Analyzer)<br>http:\/\/www.mitec.cz\/wfa.html<\/p>\n\n\n\n
<h2 class=\"wp-block-heading\"><strong>Analysis of Devices<\/strong><\/h2>\n\n\n\n<p>Windows records data when a device is plugged in and unplugged<br>analysis tool: devcon, USBDeview, etc.<br>ex:<br>Show Non-Present Devices in Device Manager<br>&gt; set devmgr_show_nonpresent_devices=1<br>&gt; devmgmt.msc<\/p>\n\n\n\n<p><strong>USBDeview<\/strong><br>third-party tool<br>shows information about the USB devices that have been used on the system<br>ex:<br>Connecting to an external SYSTEM registry file<br>&gt; USBDeview.exe \/regfile \"c:\\temp\\regfiles\\SYSTEM\"<br>refer<br>USB History Viewing<br>http:\/\/forensicswiki.org\/wiki\/USB_History_Viewing
<br>http:\/\/www.nirsoft.net\/utils\/usb_devices_view.html<\/p>\n\n\n\n
<h2 class=\"wp-block-heading\"><strong>Analysis of Windows Search Index<\/strong><\/h2>\n\n\n\n<p>the index file is named Windows.edb in Windows 7<br>the file is protected (held open) by the WSearch service<br>file path: C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Windows.edb<br>analysis tool: ESEDatabaseView, etc.<br>refer<br>http:\/\/www.forensicswiki.org\/wiki\/Windows_Desktop_Search<br><br><strong>How to obtain Windows.edb<\/strong><br>method 1<br>1. net stop WSearch<br>2. copy Windows.edb to another directory<br>method 2<br>off-line analysis<\/p>\n\n\n\n
<h2 class=\"wp-block-heading\"><strong>Analysis of Hidden Partitions<\/strong><\/h2>\n\n\n\n<p><strong>hidden partitions<\/strong><br>partitions that are not visible to the user<\/p>\n\n\n\n<p><strong>Common analysis tools<\/strong><br>Partition Logic<br>DriveSpy<br>etc.<\/p>\n\n\n\n
<h2 class=\"wp-block-heading\"><strong>Analysis of Hidden ADS<\/strong><\/h2>\n\n\n\n<p>a technique for hiding programs<br>Common analysis tool: Stream Armor<\/p>\n\n\n\n<p>refer<br>ADS of NTFS<br>https:\/\/systw.net\/note\/af\/sblog\/more.php?id=301<br>ADS<br>http:\/\/cyrilwang.blogspot.tw\/2009\/06\/alternate-data-streams.html<\/p>\n\n\n\n
<h2 class=\"wp-block-heading\"><strong>Analysis of Slack Space<\/strong><\/h2>\n\n\n\n<p>if a file is smaller than the file system's minimum allocation unit, the remaining space in that unit is called slack space<br>Common analysis tool: DriveSpy<\/p>\n\n\n\n
<h2 class=\"wp-block-heading\"><strong>Analysis of Virtual Memory<\/strong><\/h2>\n\n\n\n<p>the swap file is disk space used for virtual memory<br>on Windows, the swap file is a hidden file called pagefile.sys<br>analysis tool: X-Ways Forensics, etc.<\/p>\n\n\n\n<p><strong>The swap file can contain a lot of information, for example:<\/strong><br>files opened and their contents<br>online chats<br>websites visited<br>emails sent and received<br>hidden running processes<br>&#8230;<\/p>\n\n\n\n<p><strong>Swap file path configuration<\/strong><br>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management<\/p>\n\n\n\n
<h2 class=\"wp-block-heading\"><strong>Analysis of NetBIOS<\/strong><\/h2>\n\n\n\n<p><strong>nbtstat<\/strong><br>Displays protocol statistics and current TCP\/IP connections using NBT (NetBIOS over TCP\/IP).<br>NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval] ]<\/p>\n\n\n\n<p><strong>nbtstat -n<\/strong><br>-n (names): Lists local NetBIOS names.<br>sample output:<\/p>\n\n\n\n
<pre class=\"wp-block-code\"><code>VMware Network Adapter VMnet1:<br>Node IpAddress: &#91;192.168.157.1] Scope Id: &#91;]<br>NetBIOS Local Name Table<br>Name Type Status<br>---------------------------------------------<br>RAYMOND &lt;00> UNIQUE Registered<br>WORKGROUP &lt;00> GROUP Registered<br>Local Area Connection* 7:<br>Node IpAddress: &#91;0.0.0.0] Scope Id: &#91;]<br>No names in cache<br>Ethernet:<br>Node IpAddress: &#91;0.0.0.0] Scope Id: &#91;]<br>No names in cache<br>Wi-Fi:<br>Node IpAddress: &#91;192.168.100.133] Scope Id: &#91;]<br>NetBIOS Local Name Table<br>Name Type Status<br>---------------------------------------------<br>RAYMOND &lt;00> UNIQUE Registered<br>WORKGROUP &lt;00> GROUP Registered<br>Bluetooth Network Connection:<br>Node IpAddress: &#91;0.0.0.0] Scope Id: &#91;]<br>No names in cache<\/code><\/pre>\n\n\n\n
<p>refer<br>https:\/\/msdn.microsoft.com\/zh-tw\/library\/cc757216(v=ws.10).aspx<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Win ForensicsWin forensics in 
&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[11],"tags":[],"class_list":["post-341","post","type-post","status-publish","format-standard","hentry","category-forensics"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/341","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=341"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/341\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=341"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=341"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=341"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}