{"id":351,"date":"2015-10-23T19:30:00","date_gmt":"2015-10-23T11:30:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=351"},"modified":"2023-10-30T19:33:49","modified_gmt":"2023-10-30T11:33:49","slug":"win-forensicsfile","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/351","title":{"rendered":"Win Forensics(File)"},"content":{"rendered":"\n

Win Forensics
<\/strong>Win forensics in non-volatile information https:\/\/systw.net\/note\/af\/sblog\/more.php?id=318<\/a>
Win forensics in volatile information https:\/\/systw.net\/note\/af\/sblog\/more.php?id=316<\/a>
Win forensics in file  https:\/\/systw.net\/note\/af\/sblog\/more.php?id=317<\/a>
Registry https:\/\/systw.net\/note\/af\/sblog\/more.php?id=178<\/a>
Windows Executable File https:\/\/systw.net\/note\/af\/sblog\/more.php?id=306<\/a><\/p>\n\n\n\n


Common windows file analysis source<\/strong>
undeleted file
recycle bin
IE temp file
Windows tmep file %system%\/temp\/
Documents and Settings, ex.recent cookie<\/p>\n\n\n\n

refer
http:\/\/wenku.baidu.com\/view\/da7fbcd0360cba1aa811da11.html?re=view

…………………………………………………………………………………………………….<\/p>\n\n\n\n

Analysis of Windows Prefetch<\/strong><\/h2>\n\n\n\n

Prefetch: record when execute which process for improve performance
Store dir: windowsprefetch<\/p>\n\n\n\n

common analysis tool as below<\/strong>
Analysis of Windows Prefetch
Prefetch-Parser
LastActivityView<\/p>\n\n\n\n

……………………………………………………………………………………….<\/p>\n\n\n\n

Analysis of shortcut files<\/strong><\/h2>\n\n\n\n

Extension of shortcut file is .ink
it provides information about files or network shares that the user had accessed
common analysis tool like FTK,WFA,…etc<\/p>\n\n\n\n

…………………………………………………………………………………………..<\/p>\n\n\n\n

Analysis of Metadata for Office and PDF<\/strong><\/h2>\n\n\n\n

Common analysis tool as below<\/strong>
FOCA: for word
Office-metadata-parser:
Word Extractor:\u628aword\u5167\u7684\u5b57\u89e3\u51fa\u4f86
refer
https:\/\/www.elevenpaths.com\/labstools\/foca\/index.html
http:\/\/redwolfcomputerforensics.com\/

ps:
most file don’t have metadata, metadata is usually in root directory of NTFS\/FAT

ps
GUID (global unique identifier)
a unique identity for an entity such as a Word document
refer
https:\/\/en.wikipedia.org\/wiki\/Globally_unique_identifier<\/p>\n\n\n\n

…………………………………………………………………………………………….<\/p>\n\n\n\n

Analysis of Image<\/strong><\/h2>\n\n\n\n

Smart phone\u62cd\u7167\u5e38\u6703\u5e36\u7d93\u7def\u5ea6\u8cc7\u8a0a\u4e26\u653e\u5728\u7167\u7247\u7684metadata,\u53ef\u88abexiftool\u770b\u5230
common analysis tool like ExifTool,…etc
refer
http:\/\/www.sno.phy.queensu.ca\/~phil\/exiftool\/<\/p>\n\n\n\n

……………………………………………………………………………………………<\/p>\n\n\n\n

Analysis of File Signature<\/strong><\/h2>\n\n\n\n


\u5224\u65b7\u6a94\u6848\u672c\u8eab\u8207extension(\u526f\u6a94\u540d)\u662f\u5426\u4e00\u81f4
common method is examine the file header\/file signature.
collecting information from the first 20 bytes of a file to determine the type.
extension is windows identifies which application to open a file.<\/p>\n\n\n\n

File signature<\/strong>
\u4ee3\u8868\u7279\u5b9a\u6a94\u6848\u7684\u5c08\u5c6c\u5b57\u5143\u7d44\u5408
common file signature as below
EXE: 4D 5A<\/strong>
JPG: FF D8 FF E0<\/strong>
doc of Microsoft Office document: D0 CF 11 E0 A1 B1 1A E1<\/strong>
refer
www.garykessler.net\/library\/file_sigs.html<\/p>\n\n\n\n

Common analysis tool as below<\/strong>
ExifTool
TrID: File Identifier
HxD
ProDiscover
010editor
refer
http:\/\/mark0.net\/soft-trid-e.html<\/p>\n\n\n\n

010editor<\/strong>
A GUI tool can read hex of file
supporting Windows and Linux
supporting various file format by download templates from online
http:\/\/www.sweetscape.com\/010editor\/templates\/<\/p>\n\n\n\n

HxD<\/strong>
windows GUI tool
A tool can read hex of file to observe file signature<\/p>\n\n\n\n

ps:
Windows \u5217\u5370\u8655\u7406\u7a0b\u5e8f\u901a\u5e38\u652f\u63f4 5 \u7a2e\u8cc7\u6599\u985e\u578b\u3002
\u6700\u5e38\u7528\u7684\u662f EMF\u53ca RAW
ps
EMF<\/strong>(\u589e\u5f37\u578b\u4e2d\u7e7c\u6a94)
\u5927\u591a\u6578 Windows \u7a0b\u5f0f\u7684\u9810\u8a2d\u8cc7\u6599\u985e\u578b\u3002\u4f7f\u7528 EMF\uff0c\u5217\u5370\u6587\u4ef6\u6703\u8b8a\u66f4\u70ba\u6bd4 RAW \u66f4\u4fbf\u65bc\u651c\u5e36\u7684\u4e2d\u7e7c\u6a94\u683c\u5f0f\uff0c\u4e26\u4e14\u901a\u5e38\u53ef\u5728\u4efb\u4f55\u5370\u8868\u6a5f\u4e0a\u5217\u5370\u51fa\u4f86\u3002EMF \u6a94\u6848\u901a\u5e38\u6bd4\u5305\u542b\u76f8\u540c\u5217\u5370\u5de5\u4f5c\u7684 RAW \u6a94\u6848\u8981\u5c0f\u3002
RAW<\/strong>
Windows \u7a0b\u5f0f\u4ee5\u5916\u4e4b\u7528\u6236\u7aef\u7684\u9810\u8a2d\u8cc7\u6599\u985e\u578b\u3002RAW \u8cc7\u6599\u985e\u578b\u544a\u77e5\u591a\u5de5\u7de9\u885d\u8655\u7406\u5668\u5728\u5217\u5370\u4e4b\u524d\u5b8c\u5168\u4e0d\u8981\u8b8a\u66f4\u5217\u5370\u5de5\u4f5c
refer
https:\/\/msdn.microsoft.com\/zh-tw\/library\/cc776042(v=ws.10).aspx<\/p>\n\n\n\n

………………………………………………………………………………..<\/p>\n\n\n\n

Analysis of Browser<\/strong><\/h2>\n\n\n\n

IE<\/strong>
cache: C:\\users\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5
history: C:\\users\\AppData\\Local\\Microsoft\\Windows\\History
cookie: C:\\users\\AppData\\Local\\Microsoft\\Windows\\Cookies<\/p>\n\n\n\n

Firefox<\/strong>
cache:C:\\users\\AppData\\Local\\MozillaFirefox\\Profile\\sum\\uq8upn.defaultcache
history:C:\\users\\AppData\\Roaming\\MozillaFirefox\\Profile\\sum\\uq8upn.defaultplaces.sqlite
cookie:C:\\users\\AppData\\Roaming\\MozillaFirefox\\Profile\\sum\\uq8upn.defaultcookies.sqllite<\/p>\n\n\n\n

Chrome<\/strong>
history,cookie,cache,bookmarks: C:\\users\\AppData\\Local\\Google\\Chrome\\User Data\\Default<\/p>\n\n\n\n


Common tool:<\/strong>
browserviewhistory.exe
iecookiesview, iecacheview,iehistoryview
mozillacookiesview,..etc
chromecookiesview,…etc<\/p>\n","protected":false},"excerpt":{"rendered":"

Win ForensicsWin forensics in …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[11],"tags":[],"class_list":["post-351","post","type-post","status-publish","format-standard","hentry","category-forensics"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/351","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=351"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/351\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=351"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=351"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=351"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}