Advance Digital Forensic - PowerPoint PPT Presentation


PowerPoint Slideshow about 'Advance Digital Forensic' - Faraday


Presentation Transcript
Agenda
  • What is Computer Forensic?
  • Gathering evidence from windows memory
  • Advance registry forensic.
  • Analyzing network data to collect evidence
Computer Forensics – the laws
  • First Law of Computer Forensics

There is evidence of every action.

  • Harlan Carvey’s Corollary: Once you understand what actions or conditions create or modify an artifact, then the absence of that artifact is itself an artifact.
Tip of the “Digital” Iceberg

Data as seen by a casual observer using common tools (Explorer Window, cmd shell, web browser etc. )

Data as seen by forensic investigators using their sophisticated toolkit. May include deleted data, hidden data, unauthorized information and records of illegal activity!

Windows Memory Forensic
  • Extracting Windows login credentials from a RAM image.
  • Extracting running processes.
  • Extracting UserAssist keys from RAM.
  • Viewing registry keys for all open processes.
Extracting windows login credentials from RAM image.
  • Volatility modules used:
    • hivescan {python volatility hivescan -f <filename>}
    • hivelist {python volatility hivelist -f <filename> -o <offset value from hivescan>}
    • hashdump {python volatility hashdump -f <filename> -y <SYSTEM hive offset> -s <SAM hive offset>}
  • Use of CAIN & Abel to crack the hashes obtained.
Extracting user assist keys from RAM
  • Load the image in Encase and search for the keyword HRZR_EHACNGU {which is “UEME_RUNPATH” in ROT13}. Keywords:
    • HRZR_EHACNGU.*[\.]rkr
    • HRZR_EHACNGU.*[\.]yax
  • Decode the results using a ROT13 decoder.
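The two Encase keywords above are the ROT13 forms of UEME_RUNPATH entries ending in .exe and .lnk. The following added example (not part of the original presentation) shows the same search and decoding in Python: it filters UserAssist value names with those two regular expressions, decodes the names with ROT13, and parses the binary value data for the run count and last-run FILETIME. The value layouts assumed are the 16-byte Windows XP format (session id, run count stored with a bias of 5, FILETIME) and the 72-byte Windows 7 format (run count at offset 4, FILETIME at offset 60). The sample entries are constructed for the example, not taken from a real image.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# The two Encase keywords from the slide: ROT13-encoded UserAssist names ending in .exe or .lnk
KEYWORDS = [re.compile(r"HRZR_EHACNGU.*[\.]rkr"), re.compile(r"HRZR_EHACNGU.*[\.]yax")]

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(name):
    """UserAssist value names are stored ROT13-encoded; ROT13 is its own inverse."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME to a UTC datetime; a zero FILETIME means 'never recorded'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here to build constructed sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_userassist_value(raw):
    """Parse the binary data of one UserAssist value (assumed XP or Windows 7 layout)."""
    if len(raw) == 16:
        # XP: session id (4), run count (4, starts at 5), last run FILETIME (8)
        _session, count, ft = struct.unpack("<IIQ", raw)
        return {"format": "xp", "run_count": max(count - 5, 0), "last_run": filetime_to_datetime(ft)}
    if len(raw) == 72:
        # Windows 7: session id (4), run count (4), focus count (4), focus time in ms (4),
        # then float and unknown fields, with the last-run FILETIME at offset 60
        _session, count, focus_count, focus_ms = struct.unpack_from("<IIII", raw, 0)
        (ft,) = struct.unpack_from("<Q", raw, 60)
        return {"format": "win7", "run_count": count, "focus_count": focus_count,
                "focus_ms": focus_ms, "last_run": filetime_to_datetime(ft)}
    raise ValueError(f"unexpected UserAssist value length {len(raw)}")


def decode_userassist(entries):
    """Keep only names matching the slide's two keywords, decode them and parse their data."""
    results = []
    for name, raw in entries:
        if not any(k.search(name) for k in KEYWORDS):
            continue
        info = parse_userassist_value(raw)
        info["name"] = rot13(name)
        results.append(info)
    return results


# Constructed sample entries (value name, value data) as they might appear under the UserAssist key
SAMPLE_TIME = datetime(2010, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    # UEME_RUNPATH:C:\Windows\system32\cmd.exe, run 3 times (XP stores 5 + 3)
    ("HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pzq.rkr",
     struct.pack("<IIQ", 1, 5 + 3, datetime_to_filetime(SAMPLE_TIME))),
    # UEME_RUNPATH:Notepad.lnk, run once, no timestamp recorded
    ("HRZR_EHACNGU:Abgrcnq.yax", struct.pack("<IIQ", 1, 5 + 1, 0)),
    # UEME_CTLSESSION is bookkeeping, not a run path, so the keywords skip it
    ("HRZR_PGYFRFFVBA", struct.pack("<IIQ", 1, 5, 0)),
]

# Constructed 72-byte Windows 7 value: run count 7, focus count 2, 1500 ms focus time
SAMPLE_WIN7 = (struct.pack("<IIII", 1, 7, 2, 1500) + b"\x00" * 44
               + struct.pack("<Q", datetime_to_filetime(SAMPLE_TIME)) + b"\x00" * 4)

if __name__ == "__main__":
    for entry in decode_userassist(SAMPLE_ENTRIES):
        print(entry)
    print(parse_userassist_value(SAMPLE_WIN7))
```

Feeding real data means exporting the UserAssist value names and raw data from the hive (or from a memory image) and passing them as (name, bytes) pairs; a value of an unexpected length raises rather than being silently misread, which is the behaviour you want when a newer Windows build changes the layout.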
Windows Registry
  • Registry files are essentially databases containing information and settings for
    • Hardware
    • Software
    • Users
    • Preferences
  • A registry hive is a group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data.
  • In Windows 98, the registry files are named User.dat and System.dat.
  • In Windows Millennium Edition, the registry files are named Classes.dat, User.dat, and System.dat.
  • In Win XP, the registry files are available in C:\windows\system32\config folder
Mining Windows Registry
  • Multiple forensic avenues in the registry!
    • System and User-specific settings
    • UserAssist
    • MuiCache
    • MRU Lists
    • ProgramsCache
    • StreamMRU
    • Shellbags
    • Usbstor
    • IE passwords
    • and many more!
Mining Windows Registry
  • Multiple forensic avenues in the registry!
    • System and User-specific settings - NTUSER.DAT
    • UserAssist - HKCU/software/microsoft/windows/currentversion/Explorer/UserAssist
    • MuiCache - HKCU/Software/Microsoft/Windows/ShellNoRoam/MUICache
    • MRU Lists - HKCU/software/microsoft/windows/currentversion/Explorer/RunMRU
    • ProgramsCache - HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/StartPage
    • StreamMRU - HKCU/software/microsoft/windows/currentversion/Explorer/StreamMRU
    • Shellbags - HKCU/Software/Microsoft/Windows/Shell/BagMRU
    • Usbstor - HKLM/System/CurrentControlSet/Enum/USBStor
    • and many more!
  • Demo
Tools to analyze registry
  • RegRipper {open source tool developed by Harlan Carvey, written in Perl}
  • Windows Registry Analyzer
  • Windows Registry Recovery
  • DCode {timestamp decoder}
Overall approach
  • Study the network architecture.
  • Determine network traffic capture mechanisms at appropriate points and get a copy of the capture file.
  • Determine devices that should/could be generating logs, especially those that are pertinent to the case at hand.
  • Determine vendors of these devices.
  • Determine logging functionality, and logging configuration.
  • Assemble appropriate log analysis tools and define the objectives of the analysis:
    • String searches
    • Pattern searches
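The last steps of the approach above (collect logs from several devices, then run string and pattern searches against them) are shown below in an added Python example that is not part of the original presentation. It assumes two log sources with different vendor formats, a syslog-style firewall log without a year in its timestamps and a proxy log with Unix epoch timestamps, normalizes both to UTC, merges them into one timeline, and then runs a plain string search and a regular-expression search over the merged events. All log lines are constructed for the example; the host names and addresses are placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed sample logs (not from any real capture). The firewall lines are syslog-style and
# carry no year; the proxy lines use Unix epoch seconds, as many proxies do.
FIREWALL_LOG = """Jan 12 10:01:05 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP DPT=80
Jan 12 10:01:07 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP DPT=4444
Jan 12 10:02:30 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.8 DST=198.51.100.20 PROTO=UDP DPT=53"""

PROXY_LOG = """1263290466.512 10.0.0.5 TCP_MISS/200 GET http://203.0.113.9/update.bin
1263290550.001 10.0.0.8 TCP_HIT/200 GET http://example.com/index.html"""

FW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<action>\w+) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)"
)
PROXY_RE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<client>\S+) (?P<result>\S+) (?P<method>\S+) (?P<url>\S+)")


def parse_firewall_line(line, year):
    """Syslog timestamps have no year, so the analyst supplies it from the capture context."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts = " ".join(m.group("ts").split())  # collapse the double space before single-digit days
    when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"time": when, "device": m.group("host"), "src": m.group("src"), "dst": m.group("dst"),
            "dport": int(m.group("dport")), "action": m.group("action"), "raw": line}


def parse_proxy_line(line):
    """Epoch timestamps are already absolute; convert them to aware UTC datetimes."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    when = datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc)
    return {"time": when, "device": "proxy", "src": m.group("client"), "url": m.group("url"),
            "result": m.group("result"), "raw": line}


def build_timeline(year, firewall_lines, proxy_lines):
    """Merge events from both devices into one list ordered by normalized UTC time."""
    events = [parse_firewall_line(l, year) for l in firewall_lines]
    events += [parse_proxy_line(l) for l in proxy_lines]
    events = [e for e in events if e is not None]  # skip lines that did not parse
    return sorted(events, key=lambda e: e["time"])


def string_search(events, needle):
    """Plain substring search over the raw lines, e.g. an IP address or file name."""
    return [e for e in events if needle in e["raw"]]


def pattern_search(events, pattern):
    """Regular-expression search over the raw lines, e.g. drops to an unusual port."""
    rx = re.compile(pattern)
    return [e for e in events if rx.search(e["raw"])]


def activity_for_host(events, ip):
    """Field-based correlation: every event, from any device, whose source is the given host."""
    return [e for e in events if e["src"] == ip]


if __name__ == "__main__":
    timeline = build_timeline(2010, FIREWALL_LOG.splitlines(), PROXY_LOG.splitlines())
    for e in activity_for_host(timeline, "10.0.0.5"):
        print(e["time"].isoformat(), e["device"], e["raw"])
```

The string search and the field-based lookup answer different questions: the substring "10.0.0.5" would also match a line mentioning 10.0.0.50, whereas the field comparison does not, which is why a quick keyword sweep is usually followed by parsing the fields before drawing timeline conclusions.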
Tools for analyzing captured network traffic
  • Network Miner
  • Netwitness
  • Wireshark
  • Winhex
Thank you!

Questions and Answers!!

Kush Wadhwa, EnCE, CEH, RHCE

Contact Number : +919717188544

Email Address: kushwadhwa@gmail.com
