DATA64- Windows Forensics

Windows Forensics 1

Transcript of DATA64- Windows Forensics

Page 1: DATA64- Windows Forensics


Page 2: DATA64- Windows Forensics

WINDOWS FORENSICS

BY CATALYST

Page 3: DATA64- Windows Forensics

CONTENTS

• Registry Analysis
• Recycle Bin Analysis
• Hiberfil.sys File Analysis
• Paging File Analysis
• Prefetch Analysis
• Thumb.db Analysis


Page 4: DATA64- Windows Forensics

REGISTRY ANALYSIS

What is the Registry?

• The Registry is a database used to store settings and options for the 32- and 64-bit versions of Microsoft Windows.

• It contains information and settings for all the hardware, software, users, and preferences of the PC.

• It was first introduced in Windows 95.

• Whenever a user changes Control Panel settings, file associations, system policies, or installed software, the changes are reflected and stored in the Registry.

• Virtually everything done in Windows refers to or is recorded in the Registry.

Page 5: DATA64- Windows Forensics

REGISTRY ANALYSIS

• To edit Registry files, run Regedit.exe

[Screenshot of Regedit, labelled: Root Keys, Sub keys, Key Pane, Content Pane, Value Name, Data Type, Value Data]

Page 6: DATA64- Windows Forensics

REGISTRY ANALYSIS HIVES

1. HKEY_CLASSES_ROOT (HKCR) {alias of HKLM\Software\Classes}

2. HKEY_CURRENT_USER (HKCU) {alias of HKU\<SID of the logged-on user>}

3. HKEY_LOCAL_MACHINE (HKLM)

4. HKEY_USERS (HKU)

5. HKEY_CURRENT_CONFIG (HKCC) {alias of HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current}

The hive files backing these keys are saved in %SystemRoot%\System32\Config and updated with each login.

Page 7: DATA64- Windows Forensics

REGISTRY ANALYSIS Most Recently Used [MRU]

• OpenSaveMRU maintains a list of recently opened or saved files.

• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

• RunMRU maintains the commands typed in the “Run” dialog box.

• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Page 8: DATA64- Windows Forensics

REGISTRY ANALYSIS Recent Docs

• This key also maintains a list of files recently executed or opened through Windows Explorer.

• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
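As an added example (not from the original slides), the following Python reconstructs the order in which documents were opened from a RecentDocs-style key: the MRUListEx value holds little-endian DWORD indices, most recent first, terminated by 0xFFFFFFFF, and each numbered value begins with the NUL-terminated UTF-16LE file name. The sample values are constructed, and the shell-item bytes that follow each name are filler.

```python
import struct

# Constructed sample, laid out the way Explorer writes RecentDocs: each
# numbered value holds the UTF-16LE file name, NUL-terminated, followed by
# a shell item (represented here by opaque filler bytes).
def _value(name: str) -> bytes:
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00" + b"\x00" * 18

SAMPLE_VALUES = {
    "0": _value("budget.xlsx"),
    "1": _value("notes.txt"),
    "2": _value("report.docx"),
}
# MRUListEx: DWORD value indices, most recent first, terminated by 0xFFFFFFFF.
SAMPLE_MRULISTEX = struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF)


def parse_mrulistex(blob: bytes) -> list:
    """Return the value indices in MRU order (most recently used first)."""
    order = []
    usable = blob[: len(blob) // 4 * 4]          # ignore a trailing partial DWORD
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:                     # list terminator
            break
        order.append(idx)
    return order


def parse_recentdocs_name(blob: bytes) -> str:
    """Extract the NUL-terminated UTF-16LE file name that starts a value."""
    end = 0
    while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2                                  # step one UTF-16 code unit
    return blob[:end].decode("utf-16-le", errors="replace")


def recent_docs_in_order(values: dict, mrulistex: bytes) -> list:
    """Combine MRUListEx with the numbered values to rebuild the usage order."""
    names = []
    for idx in parse_mrulistex(mrulistex):
        raw = values.get(str(idx))
        if raw is not None:                       # skip dangling indices
            names.append(parse_recentdocs_name(raw))
    return names


if __name__ == "__main__":
    for rank, name in enumerate(recent_docs_in_order(SAMPLE_VALUES, SAMPLE_MRULISTEX)):
        print(rank, name)
```

The same two value shapes (MRUListEx plus numbered binary values) appear under the per-extension subkeys of RecentDocs, so the functions can be reused there.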

Page 9: DATA64- Windows Forensics

REGISTRY ANALYSIS Windows Virtual Memory [Paging File] Configuration

• The paging file (usually C:\pagefile.sys) may contain evidential information that could be removed once the suspect computer is shut down.

• ClearPageFileAtShutdown specifies whether Windows should clear the paging file when the computer shuts down.

• HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Page 10: DATA64- Windows Forensics

REGISTRY ANALYSIS Recent Search Terms

• This key contains recent search terms entered in the default Windows search.

• Subkey 5603 contains search terms used for finding folders and file names.

• Subkey 5604 contains search terms used for finding words or phrases in a file.

• HKCU\Software\Microsoft\Search Assistant\ACMru

Page 11: DATA64- Windows Forensics

REGISTRY ANALYSIS Installed Programs

• Each subkey under this key represents a program installed on the computer.

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Page 12: DATA64- Windows Forensics

RECYCLE BIN ANALYSIS

• What is the Recycle Bin?

• When you delete a file, its complete path and file name are stored in a hidden file called INFO or INFO2 (Windows 98) in the Recycled folder.

• Deleting a single file from the Recycle Bin changes the first byte of that file's record in the INFO2 file to 00.

• Removable devices do not have a Recycle Bin.

• The deleted file is renamed using the following syntax:

D<original drive letter of file><#>.<original extension>
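As an added example (not part of the slides), a Python parser for the INFO2 format described above, assuming the Windows 2000/XP layout: a 20-byte header whose fourth DWORD is the record size, and 800-byte records holding the ANSI path, index, drive number, FILETIME deletion time, size and a Unicode copy of the path. The sample file is constructed, with the second record's first byte zeroed to show how deletion from the bin itself is detected.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 20     # assumed: version, two unknown DWORDs, record size, total size
RECORD_SIZE = 800    # Windows 2000/XP record length (Windows 98 used 280)


def filetime_to_dt(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (100 ns ticks since 1601) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def _record(path, index, drive, deleted, size, purged=False) -> bytes:
    """Build one constructed INFO2 record in the XP layout."""
    ansi = path.encode("ascii").ljust(260, b"\x00")
    if purged:                          # removed from the bin: first byte zeroed
        ansi = b"\x00" + ansi[1:]
    ft = (deleted - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    return (ansi + struct.pack("<IIQI", index, drive, ft, size)
            + path.encode("utf-16-le").ljust(520, b"\x00"))


T1 = datetime(2009, 6, 15, 12, 30, tzinfo=timezone.utc)   # constructed timestamp
SAMPLE_INFO2 = (struct.pack("<5I", 5, 0, 2, RECORD_SIZE, HEADER_SIZE + 2 * RECORD_SIZE)
                + _record("C:\\Users\\alice\\Documents\\budget.xlsx", 1, 2, T1, 4096)
                + _record("D:\\photos\\trip.jpg", 2, 3, T1 + timedelta(hours=1), 1048576, purged=True))


def parse_info2(data: bytes) -> list:
    """Return one dict per record: original path, bin name, deletion time, flags."""
    _version, _, _, rec_size = struct.unpack_from("<4I", data, 0)
    records = []
    for off in range(HEADER_SIZE, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        # The Unicode copy survives even when the ANSI copy's first byte is zeroed.
        path = rec[280:rec_size].decode("utf-16-le").split("\x00", 1)[0]
        name = path.rsplit("\\", 1)[-1]
        ext = name[name.rfind("."):] if "." in name else ""
        records.append({
            "path": path,
            "bin_name": f"D{chr(ord('a') + drive)}{index}{ext}",   # D<drive><#>.<ext>
            "deleted": filetime_to_dt(ft),
            "size": size,
            "purged": rec[0] == 0,      # first byte 00: later deleted from the bin
        })
    return records
```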

Page 13: DATA64- Windows Forensics

RECYCLE BIN ANALYSIS

Tools for analysis: Windows File Analyzer, Recuva

Page 14: DATA64- Windows Forensics

PREFETCH FILE ANALYSIS

• Frequently used applications are logged in a special folder to speed up their start, by noting which disk sectors will be required directly upon start.

• Stored in the directory “C:\Windows\Prefetch”.

• Named as: <Executable File Name>-XXXXXXXX.pf

• XXXXXXXX is the hash of the location from which it was run.
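Added example, not from the slides: the XP and Vista variants of the prefetch path hash as documented for the SCCA format (a third variant used by some later Windows versions is omitted), used to predict the .pf name for an executable run from a given NT device path and, in reverse, to match an observed .pf name against candidate locations. The device paths are constructed.

```python
def prefetch_hash_xp(path: str) -> int:
    """SCCA path hash used by Windows XP and 2003 (as documented for libscca)."""
    h = 0
    for ch in path:
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    h = (h * 314159269) & 0xFFFFFFFF
    if h > 0x80000000:
        h = 0x100000000 - h
    return h % 1000000007


def prefetch_hash_vista(path: str) -> int:
    """SCCA path hash introduced with Windows Vista."""
    h = 314159
    for ch in path:
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    return h


def prefetch_filename(device_path: str, algorithm: str = "vista") -> str:
    """Predict the .pf name for an executable launched from device_path.

    The hash covers the full, upper-cased NT device path, which is why the
    same binary launched from two locations leaves two different .pf files.
    """
    path = device_path.upper()
    hasher = {"xp": prefetch_hash_xp, "vista": prefetch_hash_vista}[algorithm]
    exe = path.rsplit("\\", 1)[-1]
    return f"{exe}-{hasher(path):08X}.pf"


def match_prefetch_to_paths(pf_name: str, candidate_paths, algorithm="vista"):
    """Return the candidate paths whose predicted .pf name equals pf_name.

    Lets an examiner tell which of several known locations produced a given
    hash, e.g. a system binary versus a copy in a user-writable directory.
    """
    return [p for p in candidate_paths if prefetch_filename(p, algorithm) == pf_name]


# Constructed paths for demonstration; real hashes are computed over NT device
# paths of this shape rather than over drive-letter paths.
SAMPLE_PATHS = [
    r"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NOTEPAD.EXE",
    r"\DEVICE\HARDDISKVOLUME2\USERS\PUBLIC\DOWNLOADS\NOTEPAD.EXE",
]
```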

Page 15: DATA64- Windows Forensics

PREFETCH FILE ANALYSIS

Tools for analysis

Page 16: DATA64- Windows Forensics

HIBERFIL.SYS ANALYSIS

• Hibernation mode?

• The computer uses the Hiberfil.sys file to store a copy of the system memory on the hard disk when the hybrid sleep setting is turned on.

• Hiberfil.sys is a hidden system file.

• Hiberfil.sys ≥ RAM [Size]

• The hibernation file is compressed.

Page 17: DATA64- Windows Forensics


HIBERFIL.SYS ANALYSIS

Page 18: DATA64- Windows Forensics

PAGING FILE ANALYSIS

• A page file is a hidden file or files on the hard disk that the operating system uses to hold parts of programs and data files that do not fit in memory.

• Virtual memory comprises the paging file and physical memory or random access memory (RAM).

• Windows moves data from the paging file to memory as needed, and it moves data from memory to the paging file to make room for new data.

• By default, Windows stores the paging file on the boot partition (the partition that contains the operating system and its support files). The default paging file size is equal to 1.5 times the total RAM.

Page 19: DATA64- Windows Forensics


PAGING FILE ANALYSIS

Page 20: DATA64- Windows Forensics

Any Queries?