7th Week Windows _ Internet Forensics PDF
Al Yamamah University
Dr. Waleed Halboob
Summary
This document discusses Windows and web browsing forensics, covering topics such as prefetch files, the Recycle Bin, logging, and storage devices. It also touches upon web cookies, web search, web bookmarks, and digital evidence presentation. This presentation could be suitable for an undergraduate-level computer science course.
Full Transcript
Windows and Web Browsing Forensics
Anti-Cyber Crime Law
Dr. Waleed Halboob
Center of Excellence in Information Assurance (CoEIA)
[email protected]

Windows Forensics
1. Prefetch files
2. Recycle Bin
3. Logging onto (and off of) a system
4. Storage devices usage
5. Physical locations of time zone and connected networks
6. Installed applications
7. Thumbnail cache files
8. Registry
9. LNK files
10. MRU

Windows Forensics- Prefetch Files
1. Used by the OS to speed up program start-up.
2. Stores a list of all the files and DLLs a program used when it started, so that they can be preloaded into memory the next time the program starts and it starts faster.
3. Located at %SystemRoot%\Prefetch
4. Has a ".pf" extension.
5. Exercise: Find all .pf files in your case. Analyze the content of one file and observe what this file is recording.

Windows Forensics- Recycle Bin
1. Is nothing more than another folder in Windows.
2. When a file is moved to the Recycle Bin, it is not deleted from the MFT or the disk; rather, the pointer to the file is updated to reflect the file's new logical location.
3. Each system user has his own recycle bin.
4. Most, if not all, digital forensics tools consider the recycle bin.
5. Exercise: How are files found in the recycle bin?

Windows Forensics- Logging
1. Information about when and how a user logs onto a Windows system can be valuable to an investigator.
2. Whether the system presented any type of warning banner to the user.

Windows Forensics- Logging
1. See the SANS Windows Forensics poster for details.
2. Many logs related to system and user activities are stored in c:\windows\system32\config … try Event Viewer.
3. System registries can also help:
   SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername (DWORD = 1 means the name of the last logged-on user is not displayed)
   SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\shutdownwithoutlogon (DWORD = 1 means a user is able to shut down the computer without first logging on)
   SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName (string values showing the last username and domain/workgroup/computer logged in, in plain text)
   SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LogonType (DWORD = 1 means the Windows Welcome screen is used)

Windows Forensics- Storage Devices Usage
1. Information about USB usage.
2. Also about PnP drivers.
3. Linking this metadata to the crime timeline indicates whether we need to ask about and investigate such storage devices.
4. It may lead to another investigation case.
5. Professional criminals can use Deep Freeze and external devices.
6. Check the SANS Windows Forensics poster.

Web Browsing Forensic Data – Web Cookies
A cookie is a small piece of data sent from a website and stored on the user's computer.
Which Internet sites were visited, and on which dates and times? Cookies also reveal user online activities.
They store pieces of personal information such as e-mail usernames and passwords.
Of forensic interest: the name of the cookie, its value, the URL or domain, and the date and time.

Web Browsing Forensic Data – Web Search
Shows what the suspect was looking for and reveals the suspect's behavior.
The keyword used, the website (search engine), and the time and date are important for digital forensics.

Web Browsing Forensic Data – Web Bookmarks
Which websites was the suspect interested in?
Helpful if the browsing history cannot be recovered.

Web Browsing Forensic Data – Issues
Data recovery
Private browsing
Synchronization

Web Browsing Forensic Data – Issues
Answer:
Find out the visited websites' URLs.
What is the most popular cookie found on the targeted PC?
List all web-based search keywords used by the suspect.
What are the bookmarked URLs?
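The Issues slide above asks four questions of the browser data: the visited URLs, the most popular cookie, the search keywords, and the bookmarked URLs. The script below is an added example written for this page, not part of the slides or of any tool they mention. It answers the four questions against a constructed in-memory copy of the three Chromium artefacts involved: the History database (urls and keyword_search_terms tables), the Cookies database (cookies table) and the Bookmarks JSON file. The table and column names follow the Chromium schema; the sample rows, domains and timestamps are constructed here, and a real profile has many more columns than are modelled.

```python
import json
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Chromium stores timestamps as microseconds since 1601-01-01 UTC (the FILETIME epoch),
# not as Unix time; treating them as Unix seconds or milliseconds wrecks the timeline.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_chrome_time(us):
    return EPOCH_1601 + timedelta(microseconds=int(us))


def to_chrome_time(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def build_sample_profile():
    """Constructed stand-in for a Chromium profile's History and Cookies databases.
    Only the columns queried below are modelled; the real schema has many more."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE keyword_search_terms(keyword_id INTEGER, url_id INTEGER,
                                          term TEXT, normalized_term TEXT);
        CREATE TABLE cookies(creation_utc INTEGER, host_key TEXT, name TEXT, value TEXT,
                             path TEXT, expires_utc INTEGER, last_access_utc INTEGER);
    """)
    t0 = datetime(2019, 3, 12, 14, 22, 5, tzinfo=timezone.utc)  # constructed case time

    def at(minutes):  # constructed timestamps relative to t0
        return to_chrome_time(t0 + timedelta(minutes=minutes))

    db.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://www.google.com/search?q=how+to+wipe+a+disk", "how to wipe a disk", 1, at(0)),
        (2, "https://example.com/tools/wipe", "Disk wiping tools", 3, at(2)),
        (3, "https://mail.example.net/inbox", "Inbox", 12, at(5)),
        (4, "https://www.bing.com/search?q=deep+freeze", "deep freeze - Bing", 1, at(9)),
    ])
    db.executemany("INSERT INTO keyword_search_terms VALUES (?,?,?,?)", [
        (2, 1, "how to wipe a disk", "how to wipe a disk"),
        (3, 4, "deep freeze", "deep freeze"),
    ])
    db.executemany("INSERT INTO cookies VALUES (?,?,?,?,?,?,?)", [
        (at(0), ".google.com", "NID", "constructed-value", "/", at(60 * 24 * 180), at(0)),
        (at(2), "example.com", "session", "abc123", "/", 0, at(2)),
        (at(5), "mail.example.net", "sid", "deadbeef", "/", 0, at(5)),
        (at(5), "mail.example.net", "remember_me", "user%40example.net", "/", at(60 * 24 * 30), at(5)),
        (at(6), "mail.example.net", "prefs", "lang=en", "/", 0, at(6)),
    ])
    return db


def visited_urls(db):
    """Question 1: every visited URL with its visit count and last visit time (UTC)."""
    rows = db.execute("SELECT url, visit_count, last_visit_time FROM urls "
                      "ORDER BY last_visit_time").fetchall()
    return [(url, n, from_chrome_time(ts).isoformat()) for url, n, ts in rows]


def most_common_cookie_host(db):
    """Question 2: the site that set the most cookies, as (host, count)."""
    counts = Counter(host for (host,) in db.execute("SELECT host_key FROM cookies"))
    return counts.most_common(1)[0]


def search_terms(db):
    """Question 3: search keywords joined to the engine that served them and the time."""
    rows = db.execute("SELECT k.term, u.url, u.last_visit_time FROM keyword_search_terms k "
                      "JOIN urls u ON u.id = k.url_id ORDER BY u.last_visit_time").fetchall()
    return [(term, urlparse(url).hostname, from_chrome_time(ts).isoformat())
            for term, url, ts in rows]


# Constructed stand-in for the profile's Bookmarks file: a JSON tree of folders and urls.
SAMPLE_BOOKMARKS = json.dumps({"version": 1, "roots": {
    "bookmark_bar": {"type": "folder", "name": "Bookmarks bar", "children": [
        {"type": "url", "name": "Wiping tools", "url": "https://example.com/tools/wipe",
         "date_added": str(to_chrome_time(datetime(2019, 3, 11, 9, 0, tzinfo=timezone.utc)))},
        {"type": "folder", "name": "Work", "children": [
            {"type": "url", "name": "Mail", "url": "https://mail.example.net/inbox",
             "date_added": str(to_chrome_time(datetime(2019, 3, 10, 8, 30, tzinfo=timezone.utc)))}]}]},
    "other": {"type": "folder", "name": "Other bookmarks", "children": []}}})


def bookmarked_urls(bookmarks_json):
    """Question 4: flatten the nested folder tree into (folder, title, url, added_utc) rows."""
    def walk(node, folder):
        if node.get("type") == "url":
            yield (folder, node["name"], node["url"], from_chrome_time(node["date_added"]).isoformat())
        for child in node.get("children", []):
            yield from walk(child, folder + "/" + node["name"])
    data = json.loads(bookmarks_json)
    return [row for root in data["roots"].values() for row in walk(root, "")]


if __name__ == "__main__":
    db = build_sample_profile()
    for row in visited_urls(db): print("visited ", *row)
    print("most cookies", most_common_cookie_host(db))
    for row in search_terms(db): print("search  ", *row)
    for row in bookmarked_urls(SAMPLE_BOOKMARKS): print("bookmark", *row)
```

Run against a case by pointing sqlite3.connect at copies of the History and Cookies files and json.load at a copy of Bookmarks; work from copies of the imaged files, since a running browser keeps the databases open and writes to them. The epoch conversion is what makes the "dates and times" part of the cookie slide answerable correctly.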
Digital Evidence Presentation (reporting)
Anti-Cyber Crime Law

Digital Evidence Presentation
Expert witness
Technical report
Litigation support
Data recovery report

Digital Evidence Presentation
In any case, a report must be written.
Some tools support this stage.
It is a scientific report…
All details must be written in such a way that the investigation can be re-executed based on the report.

Digital Evidence Presentation
Digital Forensics Report Content
Abstract
Tools used
How the evidence was imaged and analyzed
Item #1
   o Abstract
   o Data analyzed
Item #2 ..........
Recommendations
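Returning to the Recycle Bin slide in the Windows Forensics part: the slide says the file's pointer is updated rather than its data removed. Concretely, since Vista the folder $Recycle.Bin\<SID>\ holds a pair of files per deletion, $R<suffix>.<ext> with the content and $I<suffix>.<ext> with the original path, size and deletion time, which is exactly what a forensic tool reads to list "files found in the recycle bin". The parser below is an added example written for this page, not code from the slides or from any forensic tool. The field offsets follow the public description of the $I record (version 1 for Vista through 8.1, version 2 for Windows 10 and later) and should be treated as an assumption to confirm against a known sample; the test records are constructed here with the build helper.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def parse_i_file(data):
    """Decode one $I record.  Layout (assumed from the public format description):
         0x00  uint64  version: 1 = Vista .. 8.1, 2 = Windows 10 and later
         0x08  uint64  size of the deleted file in bytes
         0x10  uint64  deletion time as FILETIME
         v1:   0x18    original path, UTF-16LE, fixed 520 bytes, null padded
         v2:   0x18    uint32 path length in UTF-16 code units (incl. terminator), then the path"""
    if len(data) < 24:
        raise ValueError("record shorter than the 24-byte fixed header")
    version, size, deleted = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(deleted), "original_path": path}


def build_i_file(version, size, deleted, path):
    """Construct a $I record for testing; the inverse of parse_i_file."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


def recycle_bin_context(i_path):
    """From the $I file's own location derive the owning user's SID and the name of the
    matching $R file, which holds the deleted content under the same random suffix."""
    m = re.search(r"\$Recycle\.Bin\\(S-1-[\d-]+)\\(\$I([^\\]+))$", i_path, re.IGNORECASE)
    if not m:
        raise ValueError("not a $Recycle.Bin\\<SID>\\$I... path")
    return {"sid": m.group(1), "i_file": m.group(2), "r_file": "$R" + m.group(3)}


# Constructed sample records: one Windows 10 style, one Vista/7 style.
DELETED_AT = datetime(2019, 3, 12, 14, 22, 5, tzinfo=timezone.utc)
SAMPLE_V2 = build_i_file(2, 23456, DELETED_AT, r"C:\Users\suspect\Documents\plan.docx")
SAMPLE_V1 = build_i_file(1, 1048576, DELETED_AT, r"D:\photos\IMG_0042.JPG")

if __name__ == "__main__":
    # Constructed location; the SID identifies which account emptied the file into the bin.
    where = r"C:\$Recycle.Bin\S-1-5-21-1004336348-1177238915-682003330-1001\$I5X2K9Q.docx"
    print(recycle_bin_context(where))
    for sample in (SAMPLE_V2, SAMPLE_V1):
        print(parse_i_file(sample))
```

Deletion time comes from the $I record, not from the $R file's timestamps, which keep the original file's values; and because every user has a separate <SID> subfolder, the SID recovered from the path is what ties the deletion to an account in the timeline.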