data64- windows forensics
Windows Forensics 1
WINDOWS FORENSICS
BY CATALYST
CONTENTS
• Registry Analysis
• Recycle Bin Analysis
• Hiberfil.sys File Analysis
• Paging File Analysis
• Prefetch Analysis
• Thumbs.db Analysis
REGISTRY ANALYSIS
What is the Registry?
• The Registry is a hierarchical database used to store settings and options for the 32/64-bit versions of Microsoft Windows.
• It contains information and settings for all the hardware, software, users, and preferences of the PC.
• In its current form it was introduced with Windows NT 3.1 and Windows 95.
• Whenever a user changes a Control Panel setting, a file association, a system policy, or installs software, the change is reflected and stored in the Registry.
• Virtually everything done in Windows refers to or is recorded in the Registry, and every key carries a last-write timestamp, which is what makes it a primary forensic source.
REGISTRY ANALYSIS
• To view or edit the Registry run Regedit.exe (for forensic work prefer an offline hive parser or a read-only viewer, since any change made through Regedit on the suspect system updates key last-write times).
(Regedit screenshot: the key pane on the left lists the root keys and their subkeys; the content pane on the right lists each value's name, type and data.)
REGISTRY ANALYSIS: Hives
1. HKEY_CLASSES_ROOT (HKCR) {alias: merged view of HKLM\Software\Classes and HKCU\Software\Classes}
2. HKEY_CURRENT_USER (HKCU) {alias: HKU\<SID of the logged-on user>}
3. HKEY_LOCAL_MACHINE (HKLM)
4. HKEY_USERS (HKU)
5. HKEY_CURRENT_CONFIG (HKCC) {alias: HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current}
Only HKLM and HKU are backed by files on disk; the other root keys are views onto them. The machine hive files (SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT) are saved in %SystemRoot%\System32\Config and loaded at boot. Each user's hive, NTUSER.DAT, is kept in that user's profile folder and is loaded under HKU (and exposed as HKCU) when the user logs on; all hives are written to continuously while loaded, not only at login.
REGISTRY ANALYSIS: Most Recently Used [MRU]
• OpenSaveMRU maintains a list of files recently opened or saved through the common Open/Save dialog, grouped into per-extension subkeys (the * subkey holds all of them).
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU (Windows XP; Vista and later use OpenSavePidlMRU and LastVisitedPidlMRU under the same ComDlg32 key)
• RunMRU maintains the commands typed into the "Run" dialog box.
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
• In both keys the values are named a, b, c, ... and the REG_SZ value MRUList gives their order, most recent first; RunMRU data ends in a literal "\1" appended by Explorer.
REGISTRY ANALYSIS: Recent Docs
• This key maintains the list of files recently opened through Windows Explorer (the list shown under Recent Items), again grouped into per-extension subkeys.
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
• Values are numbered (0, 1, 2, ...) and are REG_BINARY: a NUL-terminated UTF-16LE file name followed by a shell item. The REG_BINARY value MRUListEx lists the value numbers as 32-bit integers, most recent first, terminated by 0xFFFFFFFF; the key's last-write time is the time of the newest entry.
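Putting the MRU entries from the two slides above into the order Explorer actually shows them, as an added example that is not part of the DATA64 slides. The RUNMRU and RECENTDOCS dictionaries are constructed here to look like values exported from NTUSER.DAT (real data comes from winreg on a live system or from an offline hive parser); the shell item after each RecentDocs name is replaced by a dummy tail.

```python
"""Order Explorer MRU artifacts most-recent-first.

Added example (not from the DATA64 slides).  The RUNMRU and RECENTDOCS
dictionaries are constructed to look like values exported from NTUSER.DAT;
on a live system the same data comes from winreg, offline from a hive parser.
"""
import struct


# RunMRU (and XP-era OpenSaveMRU): REG_SZ values named a, b, c, ... plus a
# REG_SZ value "MRUList" whose letter order is most-recent-first.  Explorer
# appends a literal "\1" to each RunMRU command.
RUNMRU = {                                   # constructed sample
    "a": "cmd\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "notepad C:\\Users\\bob\\notes.txt\\1",
    "MRUList": "cba",
}


def order_mrulist(values):
    """Return the entries in MRUList order with the trailing "\\1" removed."""
    ordered = []
    for letter in values["MRUList"]:
        entry = values[letter]
        if entry.endswith("\\1"):
            entry = entry[:-2]
        ordered.append(entry)
    return ordered


# RecentDocs: numbered REG_BINARY values, each a NUL-terminated UTF-16LE
# file name followed by a shell item, plus MRUListEx: little-endian uint32
# value numbers, most recent first, terminated by 0xFFFFFFFF.
def parse_mrulistex(blob):
    """Value numbers in most-recent-first order; stops at the terminator."""
    ordered = []
    for off in range(0, len(blob) - 3, 4):
        (idx,) = struct.unpack_from("<I", blob, off)
        if idx == 0xFFFFFFFF:
            break
        ordered.append(idx)
    return ordered


def recentdocs_name(blob):
    """First field of a RecentDocs value: the UTF-16LE name up to the
    two-byte NUL terminator.  Only even offsets are checked so that a
    0x00 high byte inside a character is not mistaken for the terminator."""
    for off in range(0, len(blob) - 1, 2):
        if blob[off:off + 2] == b"\x00\x00":
            return blob[:off].decode("utf-16-le")
    raise ValueError("RecentDocs value has no terminator")


def _fake_recentdocs_value(name):
    # Constructed: real values carry a shell item after the name; a dummy
    # 20-byte tail stands in for it here.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00" + b"\x00" * 18


RECENTDOCS = {                                # constructed sample
    "0": _fake_recentdocs_value("budget.xlsx"),
    "1": _fake_recentdocs_value("plan.docx"),
    "2": _fake_recentdocs_value("secret.zip"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}


def order_recentdocs(values):
    """File names in the order Explorer shows them (most recent first)."""
    return [recentdocs_name(values[str(i)])
            for i in parse_mrulistex(values["MRUListEx"])]


if __name__ == "__main__":
    for cmd in order_mrulist(RUNMRU):
        print("RunMRU    :", cmd)
    for name in order_recentdocs(RECENTDOCS):
        print("RecentDocs:", name)
```

The value names themselves (a, b, c or 0, 1, 2) say nothing about recency; only MRUList or MRUListEx does, and only the entry at the head of that list can be tied to the key's last-write time.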
REGISTRY ANALYSIS: Windows Virtual Memory [Paging File] Configuration
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
• The paging file (usually C:\pagefile.sys) may contain evidential information that is lost once the suspect computer is shut down if clearing is enabled.
• The REG_DWORD value ClearPageFileAtShutdown (1 = clear, 0 = default) specifies whether Windows overwrites the paging file with zeros at shutdown; check it before deciding whether to shut down cleanly or pull the power.
• The REG_MULTI_SZ value PagingFiles in the same key lists the paging file location(s) and sizes, which may point at a drive other than C:.
REGISTRY ANALYSIS: Recent Search Terms
• This key contains recent search terms typed into the Windows XP Search Assistant (the default search on that version).
• Subkey 5603 contains search terms for finding folders and file names.
• Subkey 5604 contains search terms for finding words or phrases inside a file.
• HKCU\Software\Microsoft\Search Assistant\ACMru
• Windows 7 and later replaced the Search Assistant with Windows Search; terms typed into the Explorer search box are kept under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery instead.
REGISTRY ANALYSIS: Installed Programs
• Each subkey in this key represents a program installed on the computer (DisplayName, InstallDate, InstallLocation and the uninstall command); the subkey's last-write time approximates the installation time.
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
• On 64-bit Windows, 32-bit programs are listed under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall, and per-user installs under HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall; check all three.
RECYCLE BIN ANALYSIS
• What is the Recycle Bin? When you delete a file through Explorer, the file is moved into the hidden Recycled folder (RECYCLER\<SID> on NT-based systems) rather than removed, and its complete original path and file name are stored in a hidden file called INFO (Windows 95/NT) or INFO2 (Windows 98 and later) in that folder.
• Deleting a single file from the Recycle Bin changes the first byte of that file's record in the INFO2 file to 00; the rest of the record (Unicode path, deletion time, size) remains until the bin is emptied or the record is reused.
• Removable devices do not have a Recycle Bin: files deleted from them are deleted directly.
• The deleted file is renamed using the following syntax, where # is the record index in INFO2:
D<original drive letter of file><#>.<original extension>   e.g. Dc1.txt
• Windows Vista and later dropped INFO2: each deleted file becomes a pair under C:\$Recycle.Bin\<SID>\, $R<random> holding the content and $I<random> holding the original path, size and deletion time.
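A parser for the two metadata formats described above (INFO2 records on Windows 2000/XP and the $I files that replaced them), added here as an example; it is not from the DATA64 slides or any tool they name. SAMPLE_INFO2 and SAMPLE_DOLLAR_I are constructed in the file to match the documented record layouts, including one record whose first byte was zeroed by an individual delete from the bin; real files come from C:\RECYCLER\<SID>\INFO2 or C:\$Recycle.Bin\<SID>\$I*.

```python
"""Parse Recycle Bin metadata: Windows 2000/XP INFO2 records and the
Vista+ $I files that replaced them.

Added example, not from the DATA64 slides.  SAMPLE_INFO2 and SAMPLE_DOLLAR_I
are constructed here to match the documented layouts.
"""
import struct
from datetime import datetime, timedelta, timezone

INFO2_HEADER_LEN = 20          # version, 2 x unknown, record size, total size
INFO2_RECORD_LEN = 0x320       # 800-byte records in INFO2 version 5


def filetime_to_dt(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_info2(data):
    """One dict per INFO2 record, including the D<drive><#>.<ext> name the
    content file was renamed to and whether the entry was individually
    deleted from the bin (first byte of the ANSI path zeroed)."""
    version, _, _, rec_len, _ = struct.unpack("<5I", data[:INFO2_HEADER_LEN])
    if version != 5 or rec_len != INFO2_RECORD_LEN:
        raise ValueError("unsupported INFO2 version %d / record size %d" % (version, rec_len))
    records = []
    off = INFO2_HEADER_LEN
    while off + rec_len <= len(data):
        rec = data[off:off + rec_len]
        ansi_path = rec[:260]                              # NUL-padded ANSI path
        index, drive, ft, size = struct.unpack("<IIQI", rec[260:280])
        unicode_path = rec[280:800].decode("utf-16-le").split("\x00", 1)[0]
        base = unicode_path.rsplit("\\", 1)[-1]
        ext = ("." + base.rsplit(".", 1)[1]) if "." in base else ""
        records.append({
            "index": index,
            "path": unicode_path,
            "removed_from_bin": ansi_path[0] == 0,
            "drive": chr(ord("A") + drive),               # 0 = A, 2 = C
            "deleted": filetime_to_dt(ft),
            "size": size,
            # Windows renames the content file to D<drive letter><index><ext>
            "renamed": "D%s%d%s" % (chr(ord("a") + drive), index, ext),
        })
        off += rec_len
    return records


def parse_dollar_i(data):
    """$I<random> (Vista and later): 8-byte version, 8-byte original size,
    8-byte FILETIME, then the path (fixed 520 bytes in version 1,
    length-prefixed in version 2 from Windows 10)."""
    version, size, ft = struct.unpack("<QQQ", data[:24])
    if version == 1:
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack("<I", data[24:28])
        path = data[28:28 + nchars * 2].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError("unknown $I version %d" % version)
    return {"version": version, "path": path, "size": size, "deleted": filetime_to_dt(ft)}


# ---- constructed samples ------------------------------------------------
FT_2015_03_15 = 130708890000000000             # 2015-03-15 10:30:00 UTC


def _info2_record(path, index, drive, ft, size, removed=False):
    ansi = path.encode("ascii").ljust(260, b"\x00")
    if removed:
        ansi = b"\x00" + ansi[1:]                  # what an individual delete leaves
    uni = path.encode("utf-16-le").ljust(520, b"\x00")
    return ansi + struct.pack("<IIQI", index, drive, ft, size) + uni


SAMPLE_INFO2 = (struct.pack("<5I", 5, 0, 0, INFO2_RECORD_LEN, 0)
                + _info2_record("C:\\Documents and Settings\\bob\\My Documents\\report.doc",
                                1, 2, FT_2015_03_15, 24576)
                + _info2_record("C:\\temp\\tool.exe", 2, 2, FT_2015_03_15, 4096, removed=True))

_p = "C:\\Users\\bob\\Desktop\\notes.txt"
SAMPLE_DOLLAR_I = (struct.pack("<QQQ", 2, 1234, FT_2015_03_15)
                   + struct.pack("<I", len(_p) + 1) + (_p + "\x00").encode("utf-16-le"))


if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        print(r)
    print(parse_dollar_i(SAMPLE_DOLLAR_I))
```

The zeroed first byte only blanks the ANSI copy of the path; the Unicode copy and the deletion FILETIME survive in the same record, which is why an "individually deleted" entry can still be fully recovered from INFO2.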
RECYCLE BIN ANALYSIS: Tools for analysis
• Windows File Analyzer
• Recuva
PREFETCH FILE ANALYSIS
• Windows speeds up the start of frequently used applications by recording, in a special folder, which files (and which disk sectors) each application needs during its first seconds, and loading them ahead of time on the next run.
• Stored in the directory C:\Windows\Prefetch, named <EXECUTABLE FILE NAME>-XXXXXXXX.pf
• XXXXXXXX is an eight-hex-digit hash of the full path the executable was run from, so the same program run from two locations leaves two prefetch files.
• Each .pf file also records the executable name, the number of times it was run, the last run time (the last eight on Windows 8 and later) and the files and directories it loaded; the .pf file's own creation time approximates the first run.
• Windows keeps at most 128 prefetch files (1024 on Windows 8 and later); Windows 10 stores them compressed. Prefetching is often disabled on server editions, so confirm the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters before concluding that a program never ran.
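A header parser for the .pf files described above, added as an example (not from the DATA64 slides or any tool they show). SAMPLE_PF is a constructed Windows 7-format (version 0x17) file, and its hash 0x4A81B364 is made up for the example rather than the real hash of any path; the check that the file name matches the hash embedded in the header is what catches a renamed or planted prefetch file.

```python
"""Parse a Windows Prefetch (.pf) header and check it against the file name.

Added example, not from the DATA64 slides.  SAMPLE_PF is a constructed
Vista/7-format (version 0x17) file; its hash 0x4A81B364 is made up for the
example, not the real hash of any path.
"""
import struct
from datetime import datetime, timedelta, timezone

PF_VERSIONS = {0x11: "Windows XP/2003", 0x17: "Windows Vista/7",
               0x1A: "Windows 8/8.1", 0x1E: "Windows 10/11"}
# Offsets of the last-run FILETIME and the run counter for the two oldest
# layouts; Windows 8+ moved them and keeps eight run times, so they are
# deliberately not handled here.
RUN_INFO_OFFSETS = {0x11: (0x78, 0x90), 0x17: (0x80, 0x98)}


def filetime_to_dt(ft):
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def is_compressed(data):
    """Windows 10+ writes .pf files Xpress-Huffman compressed behind a 'MAM'
    magic; they must be decompressed before the SCCA header is visible."""
    return data[:3] == b"MAM"


def parse_prefetch_header(data):
    if is_compressed(data):
        raise ValueError("compressed prefetch file; decompress first")
    version, sig, _, file_size = struct.unpack_from("<I4sII", data, 0)
    if sig != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    # 60-byte NUL-terminated UTF-16LE executable name at 0x10
    exe = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 0x4C)
    hdr = {"version": version, "os": PF_VERSIONS.get(version, "unknown"),
           "file_size": file_size, "executable": exe, "hash": path_hash,
           "last_run": None, "run_count": None}
    if version in RUN_INFO_OFFSETS:
        t_off, c_off = RUN_INFO_OFFSETS[version]
        (ft,) = struct.unpack_from("<Q", data, t_off)
        (hdr["run_count"],) = struct.unpack_from("<I", data, c_off)
        hdr["last_run"] = filetime_to_dt(ft) if ft else None
    return hdr


def expected_filename(hdr):
    """<EXECUTABLE>-<HASH>.pf, hash as eight upper-case hex digits."""
    return "%s-%08X.pf" % (hdr["executable"], hdr["hash"])


def filename_matches(filename, hdr):
    """False means the file was renamed or copied in from elsewhere."""
    return filename.upper() == expected_filename(hdr).upper()


# ---- constructed sample: Windows 7 layout --------------------------------
def _build_sample():
    buf = bytearray(0x100)
    struct.pack_into("<I4sII", buf, 0, 0x17, b"SCCA", 0x11, len(buf))
    buf[0x10:0x10 + 14] = "CMD.EXE".encode("utf-16-le")      # rest stays NUL
    struct.pack_into("<I", buf, 0x4C, 0x4A81B364)             # made-up hash
    struct.pack_into("<Q", buf, 0x80, 130708890000000000)     # 2015-03-15 10:30 UTC
    struct.pack_into("<I", buf, 0x98, 7)                      # run count
    return bytes(buf)


SAMPLE_PF = _build_sample()

if __name__ == "__main__":
    h = parse_prefetch_header(SAMPLE_PF)
    print(h)
    print(expected_filename(h), filename_matches("CMD.EXE-4A81B364.pf", h))
```

Run count and last-run time sit at different offsets in every generation of the format, so a parser must branch on the version field first; treating a Windows 8 or 10 file with the Windows 7 offsets silently returns garbage rather than failing.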
PREFETCH FILE ANALYSIS: Tools for analysis
HIBERFIL.SYS ANALYSIS
• Hibernation mode: when the computer hibernates (or hybrid sleep is turned on), Windows writes the contents of physical memory to the file Hiberfil.sys in the root of the system drive and powers off; on resume the saved memory image is read back.
• Hiberfil.sys is a hidden system file.
• Its size is at most the size of RAM; because the contents are compressed, Windows 7 and later default to a file of 75% of RAM.
• The hibernation file is compressed (Xpress), so it cannot be string-searched directly; it must be decompressed or converted to a raw memory image first.
• Forensic value: process memory, passwords, encryption keys and network state as they were at the moment of hibernation, and remnants of earlier hibernations that have not yet been overwritten.
PAGING FILE ANALYSIS
• A page file is a hidden file (pagefile.sys; there can be more than one) on the hard disk that the operating system uses to hold parts of programs and data files that do not fit in memory.
• Virtual memory comprises the paging file and physical memory (RAM).
• Windows moves data from the paging file into memory as needed, and moves data from memory into the paging file to make room for new data.
• By default, Windows stores the paging file on the boot partition (the partition that contains the operating system and its support files). On Windows XP/2003 the default initial size was 1.5 times the total RAM; later versions size it automatically.
• Unlike the hibernation file it is not compressed, but it has no structure either: it is a collection of 4 KB pages with no headers, so it is analysed by string and keyword searching and by carving known file and record formats out of it.
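The searching step that the hiberfil.sys and paging file slides both lead to, as an added example that is not from the DATA64 slides: carving printable strings and locating keywords in a raw blob in both ASCII and UTF-16LE, since most of what Windows writes to memory is UTF-16LE and a plain grep of pagefile.sys misses it. SAMPLE_PAGEFILE is constructed here; a real run reads pagefile.sys from the disk image, or the hibernation file only after it has been decompressed or converted to a raw memory image.

```python
"""Carve ASCII and UTF-16LE strings from a raw pagefile.sys (or any
decompressed memory image) and locate keywords in both encodings.

Added example, not from the DATA64 slides.  SAMPLE_PAGEFILE is a constructed
blob standing in for a file read from a disk image.
"""
import re


def carve_strings(data, min_len=8):
    """Return (offset, encoding, text) for every run of at least min_len
    printable characters, in either encoding, sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ascii_re.finditer(data)]
    hits += [(m.start(), "utf16", m.group().decode("utf-16-le"))
             for m in utf16_re.finditer(data)]
    return sorted(hits)


def find_keyword(data, keyword):
    """Offsets of keyword in ASCII and in UTF-16LE form, case-insensitive.
    Searching only one encoding is the classic way to miss a hit."""
    patterns = (("ascii", keyword.encode("ascii")),
                ("utf16", keyword.encode("utf-16-le")))
    found = []
    for enc, needle in patterns:
        for m in re.finditer(re.escape(needle), data, re.IGNORECASE):
            found.append((m.start(), enc))
    return sorted(found)


# ---- constructed sample blob ----------------------------------------------
SAMPLE_PAGEFILE = (
    b"\x00" * 32
    + b"https://example.invalid/login?user=bob"                 # ASCII
    + b"\x00\x7f\x01" * 8                                       # non-printable filler
    + "C:\\Users\\bob\\Desktop\\secret.docx".encode("utf-16-le")
    + b"\xff\xfe" * 6
    + "password=hunter2".encode("utf-16-le")
    + b"\x00" * 32
)


if __name__ == "__main__":
    for off, enc, text in carve_strings(SAMPLE_PAGEFILE):
        print("0x%08x %-5s %s" % (off, enc, text))
    print(find_keyword(SAMPLE_PAGEFILE, "bob"))
```

On a multi-gigabyte page file, read the input in large chunks with an overlap of at least the longest keyword in UTF-16LE so that matches straddling a chunk boundary are not lost; the regexes themselves do not change.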
Any Queries ?