A Forensic Analysis Of The Windows Registry
In essence, the paper will discuss various types of Registry 'footprints' and delve into examples of what crucial information can be obtained by performing an efficient and effective forensic examination. Many of the Registry keys that are imperative and relevant to an examination will also be discussed.
Acknowledgments
This paper is primarily a product of research, but may also serve as a reference for a Windows Registry examination.
For the sake of simplicity, there will only be reference to the Windows XP operating system, even though earlier versions of Windows utilize the Registry, contain similar characteristics, and even apply many of the same concepts. The reason XP was chosen over other versions of Windows is that it remains popular and very widely used among average computer users, so the chance of encountering it in a forensic examination is higher.
Windows XP is still very current, and much of the same information can still be applied to previous versions of Windows.
The illustrations throughout this paper are intended to provide a better understanding of the subject being discussed. All of the screenshot images contained in this paper were captured from the Windows XP system on which the research was conducted. The P2P client programs that were downloaded, installed, used, and examined were for the purpose of research only.
Searches were conducted and files were downloaded from these networks, not to engage in illegal or malicious activity, but to help provide a better understanding of the software's architecture and how it utilizes the Windows Registry from a forensics standpoint.
Introduction
The Importance of a Registry Examination
Today's society relies heavily on computers and the internet to accomplish everyday tasks, which includes practically everything from communicating and shopping online to banking and investing.
It is much more common to send or receive an email than a physical letter. Along with the increasing use of computers and the internet comes a little problem called computer crime, facetiously speaking.
Computer crimes are serious issues in today's society, including, but certainly not limited to, fraud, identity theft, phishing, network infiltration, DoS attacks, piracy of copyrighted material, and CP.
With computer crimes on the rise, it is becoming extremely crucial for law enforcement officers and digital forensic examiners to understand computer systems and be able to examine them efficiently and effectively. In order to do this, a study of how operating systems work must be undertaken from the inside out.
The Registry is the heart and soul of the Microsoft Windows XP operating system, and an enormous amount of information can be derived from it.
History
First, it is important to understand what the Registry is, why it exists, and the types of information it contains. Virtually everything done in Windows refers to or is recorded in the Registry.
A program called RegMon by Sysinternals can be used to display Registry activity in real time. After running this program it is apparent that Registry access barely remains idle; the Registry is referenced in one way or another with every action taken by the user. The Microsoft Knowledge Base and the Microsoft Computer Dictionary, Fifth Edition, define the Registry as: "A central hierarchical database used in Microsoft Windows 9x, Windows CE, Windows NT, and Windows used to store information necessary to configure the system for one or more users, applications and hardware devices."
The Registry was first introduced with Windows 95 and has been incorporated into many Microsoft operating systems since. Although some versions differ slightly, they are all essentially composed of the same structure and serve the main purpose of a configuration database.
The primary purpose of config. In addition to replacing DOS configuration files, the Registry also replaces text-based initialization. This very basic history of the Windows Registry, why it was implemented, and some of its functions are the core fundamentals for understanding its structure and what each part of the Registry pertains to.
Structure of the Windows Registry
By opening the Registry Editor (by typing 'regedit' in the Run window), the Registry can be seen as one unified 'file system'. The left-hand pane, also known as the key pane, contains an organized listing of what appear to be folders. The other three are shortcuts or aliases to branches within one of the two hives. Each of these five hives is composed of keys, which contain values and subkeys.
Values are the names of certain items within a key, which uniquely identify specific values pertaining to the operating system, or to applications that depend upon that value.
A common analogy that is often used to help understand the structure of the Windows Registry is a comparison between it and the Windows Explorer file system; both are very similar in their structures. The key pane of the Registry is much like the hierarchical structure of the left-hand pane in Windows Explorer.
The keys and subkeys located within the five main hives are similar to folders and subfolders of Windows Explorer, and a key's value is similar to a file within a folder. In the right-hand pane of the Windows Registry, a value's name is similar to a file's name, its type is similar to a file's extension, and its data is similar to the actual contents of a file. Beside each root key is its commonly used abbreviation in parentheses, which will frequently be referred to throughout the paper.
It also contains further details on drag-and-drop rules, shortcuts, and information on the user interface. It includes a list of drives mounted on the system and generic configurations of installed hardware and applications. The tool used in this paper to analyze and navigate the Registry is Registry Editor (regedit).
Registry Editor is free and available on any installation of Microsoft Windows XP with administrator privileges.
Registry Examination
The Registry as a Log
All Registry keys contain a value associated with them called the 'LastWrite' time, which is very similar to the last modification time of a file.
The LastWrite time is updated when a Registry key has been created, modified, accessed, or deleted. Unfortunately, only the LastWrite time of a Registry key can be obtained, whereas a LastWrite time for a Registry value cannot. Knowing the LastWrite time of a key can allow a forensic analyst to infer the approximate date or time an event occurred.
Although one may know the last time a Registry key was modified, it still remains difficult to determine which value was actually changed.
Using the Registry as a log is most helpful in the correlation between the LastWrite time of a Registry key and other sources of information, such as MAC (modified, accessed, or created) times found within the file system.
However, a comprehensive discussion of that process is outside the scope of this paper.
Autorun Locations
Autorun locations are Registry keys that launch programs or applications during the boot process.
It is generally good practice to look here, depending on the type of case. For instance, if a computer is suspected of having been involved in a system intrusion case, autorun locations should be examined.
If the user denies their involvement, then it is possible their own system was compromised and used to initiate the attack. In such a case, the autorun locations could prove that the system had a trojan backdoor installed, leaving it vulnerable for an attacker to use at their discretion.
There are numerous MRU lists located throughout various Registry keys. The Registry maintains these lists of items in case the user returns to them in the future. It is similar to how history and cookies work in a web browser.
When a user types a command into the 'Run' box via the Start menu, the entry is added to this Registry key. The chronological order of applications executed via 'Run' can be determined by looking at the Data column of the 'MRUList' value.
The first letter of this value is 'g', which tells us that the last command typed in the 'Run' window was to execute notepad. Also, the LastWrite time of the RunMRU key will correlate with the last application executed in 'Run', or in this case application 'g'.
With the information provided by the RunMRU key, an examiner can gain a better understanding of the user under investigation and the applications that are being used.
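The following is an added example, not code from the paper, showing how an examiner would turn the RunMRU key's values into a most-recent-first list of commands as described above. The key contents are a constructed sample (the letter-to-command mapping and the 'gfedcba' MRUList are assumed for illustration), and the code assumes the values have already been exported from the hive into a plain dictionary:

```python
# Added example (not from the paper): interpret a RunMRU key as the text
# describes, using a constructed copy of the key's values.
from typing import Dict, List, Optional

# Constructed sample of the values under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Each command value is stored as "<command>\1"; MRUList orders the value
# names from most recently used to least recently used.
SAMPLE_RUNMRU: Dict[str, str] = {
    "a": "regedit\\1",
    "b": "sysedit\\1",
    "c": "cmd\\1",
    "d": "msconfig\\1",
    "e": "calc\\1",
    "f": "mspaint\\1",
    "g": "notepad\\1",
    "MRUList": "gfedcba",
}


def run_history(values: Dict[str, str]) -> List[str]:
    """Return the commands typed into Run, most recent first.

    MRUList is a string of single-letter value names whose first character
    is the most recently executed command. Each command value carries a
    trailing backslash-1 that Explorer appends; it is stripped here.
    """
    order = values.get("MRUList", "")
    history: List[str] = []
    for letter in order:
        raw = values.get(letter)
        if raw is None:
            # A letter in MRUList with no matching value means the key is
            # inconsistent (e.g. partial deletion); record it, don't crash.
            history.append(f"<missing value '{letter}'>")
            continue
        command = raw[:-2] if raw.endswith("\\1") else raw
        history.append(command)
    return history


def most_recent_command(values: Dict[str, str]) -> Optional[str]:
    """Convenience wrapper: the command that MRUList ranks first, or None."""
    history = run_history(values)
    return history[0] if history else None


if __name__ == "__main__":
    for rank, cmd in enumerate(run_history(SAMPLE_RUNMRU), 1):
        print(f"{rank:2d}. {cmd}")
```

The ordering comes entirely from MRUList, not from the letters themselves: the letters are assigned in the order the commands were first seen, so a command run long ago can still be 'a' and sit at the top of MRUList if it was the most recent to be re-run.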
In reference to Figure 2, it is apparent the user has sufficient knowledge of the Windows operating system, based on applications that have been executed, such as msconfig, cmd, sysedit, and regedit. Each subkey records values that pertain to specific objects the user has accessed on the system, such as Control Panel applets, shortcut files, programs, etc.
These values, however, are encoded using the ROT-13 encryption algorithm, sometimes known as a Caesar cipher. This particular encryption technique is quite easy to decipher, as each character is substituted with the one 13 spaces away from it in the ASCII table.
Figure 3 - UserAssist Key
Figure 3a - ROT cipher decoded
With the UserAssist key, a forensic examiner can gain a better understanding of what types of files or applications have been accessed on a particular system.
Even though these entries are not definitive, since they cannot be associated with a specific date and time, they may still indicate a specific action by the user. For instance, in the example of Figures 3 and 3a, the decoded value can show a substantial amount of information. First, it tells the name of the user profile, 'Cpt. Krunch', from which the. Krunch could also indicate a handle or an alias of some sort.
Second, by researching 'p2ktools. Finally, it shows the user has the p2ktools folder in a parent directory called 'Razor programs', which is located on their desktop. Not only does this give the location where similar programs may reside, but the name of this directory is a good indicator that the suspect has a Motorola Razor cell phone.
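As an added example (not from the paper), the decoding step described for the UserAssist key, applied to constructed value names. ROT-13 rotates each letter 13 positions within the 26-letter alphabet and leaves every other character untouched, so the same routine both encodes and decodes. The sample names, the user profile path and the prefix descriptions are assumptions for illustration; the 'UEME_' prefixes are the common Windows XP UserAssist prefixes:

```python
# Added example (not from the paper): decode ROT-13 obfuscated UserAssist
# value names and pull out the facts the paper reads from them.
from typing import Dict, List, Optional

# Constructed sample value names as they would appear under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count.
# The first decodes to UEME_RUNPATH:C:\Documents and Settings\Cpt. Krunch\...
SAMPLE_NAMES: List[str] = [
    "HRZR_EHACNGU:P:\\Qbphzragf naq Frggvatf\\Pcg. Xehapu\\Qrfxgbc"
    "\\Enmbe cebtenzf\\c2xgbbyf\\c2xgbbyf.rkr",
    "HRZR_EHAPCY:gvzrqngr.pcy",
    "HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf\\Abgrcnq.yax",
]

# Common XP UserAssist prefixes (after decoding) and what they record.
PREFIX_KINDS: Dict[str, str] = {
    "UEME_RUNPATH": "program executed by path",
    "UEME_RUNPIDL": "shortcut or item run via Explorer",
    "UEME_RUNCPL": "Control Panel applet opened",
    "UEME_UISCUT": "shortcut activated from the UI",
}


def rot13(text: str) -> str:
    """Rotate A-Z and a-z by 13 positions; digits, punctuation and
    backslashes pass through unchanged. Self-inverse: rot13(rot13(s)) == s."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def profile_name(path: str) -> Optional[str]:
    """Return the profile name from an XP 'Documents and Settings\\<user>'
    path, or None when the path does not live under a user profile."""
    marker = "Documents and Settings\\"
    idx = path.find(marker)
    if idx < 0:
        return None
    rest = path[idx + len(marker):]
    return rest.split("\\", 1)[0] or None


def decode_userassist(names: List[str]) -> List[Dict[str, Optional[str]]]:
    """Decode each raw value name and classify it by its UEME_ prefix."""
    entries = []
    for raw in names:
        decoded = rot13(raw)
        prefix, _, target = decoded.partition(":")
        entries.append({
            "raw": raw,
            "decoded": decoded,
            "kind": PREFIX_KINDS.get(prefix, "unknown prefix " + prefix),
            "target": target,
            "profile": profile_name(target),
        })
    return entries


if __name__ == "__main__":
    for entry in decode_userassist(SAMPLE_NAMES):
        print(f"{entry['kind']}: {entry['target']}  (profile: {entry['profile']})")
```

Splitting on the first colon keeps drive letters intact, since the prefix never contains one. On a real hive the value names are read from the Count subkey under each GUID; the GUID and the binary data are left out here because only the name is ROT-13 encoded.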
If so, that too should be seized for further analysis.
Wireless Networks
Wireless networks today are popular and are only becoming more so.
A wireless Ethernet card picks up wireless access points within its range, which are identified by their SSID, or service set identifier. The contents of these should contain the values 'ActiveSettings' and 'Static '. There may be additional values that begin with 'Static ' and are sequentially numbered. In the binary data of these 'Static ' values are the network SSIDs of all the wireless access points that the system has connected to.
This can be seen by right-clicking the value and selecting 'Modify', as shown in Figure 4.
Figure 4a - Network settings of SSID 'flynn-net'
Based on this wireless network information, a forensic examiner can determine whether a user connected to a specific wireless access point, the timeframe, and the IP address they were assigned by the DHCP server. For instance, if it were a case about a child pornography suspect who was war-driving to various network connections and using them illegally, these methods would be very useful.
Given the suspect's computer to analyze, it would be possible to see what network connections they were using and the IP address that was assigned, to further support a subpoena of the ISP. A computer on a properly configured LAN should be able to display all the users on that network through My Network Places.
This list of users or computers, like many other things, is stored in the Registry. Therefore, even after the user is no longer connected to the LAN, the list of devices still remains, including desktop computers, laptops, and printers. The ComputerDescriptions key is useful in determining whether or not a user was connected to certain computers or belonged to a specific LAN.
Figure 5 displays the output of this key.
Figure 5 - List of computers associated with on a LAN
USB Devices
There is sufficient information on this topic to write an entire research paper; however, for the scope of this paper only the basics will be discussed to show the most relevant Registry keys.
Any time a device is connected to the Universal Serial Bus (USB), drivers are queried and the device's information is stored in the Registry. This key stores the contents of the product and device ID values of any USB device that has ever been connected to the system.
Figure 6 reveals the contents of this key, all of which can be interpreted: it lists an iPod, two external hard drives, a digital video camcorder, and several different thumb drives.
The serial numbers of these devices are unique values assigned by the manufacturer, much like the MAC address of a network interface card. Therefore, a particular USB device can be identified to determine whether or not it has been connected to other Windows systems. Not every thumb drive will have a serial number.