
BACS 371 Computer Forensics



Presentation Transcript


  1. BACS 371 Computer Forensics – Operating System & Application Files

  2. Software
  Forensic evidence can be found in a number of places within a Windows system.
  • Operating Systems
    • Recycle Bin
    • Temp Directory
    • Backup Files
    • Printer Spool Files
    • Windows Registry
    • Swapping/Paging
  • Applications
    • Temporary Internet Files
    • Temp Files
    • Application Specific Files

  3. Making Hidden Files Visible
  • In order to “see” many of the hidden files needed for forensics, you need to set folder properties appropriately. (Slide callouts: for the C: drive, “select this option” and “Uncheck this option”.)

  4. Recycle Bin (pre-Vista)
  • When you delete a file in Windows Explorer or My Computer, the file appears in the Recycle Bin. The file remains in the Recycle Bin until you empty the Recycle Bin or restore the file.
  • Older files are also removed from the Recycle Bin when newer files are deleted and the Recycle Bin exceeds the maximum size allocated in Recycle Bin properties.
  • Each hard disk contains a hidden folder named Recycled. This folder contains files deleted in Windows Explorer or My Computer, or in Windows-based programs.
  • When you delete a file, the complete path and file name is stored in a hidden file on the computer. This file has different names and locations depending on the OS. It is called Info or Info2 in the Recycled folder. The deleted file is renamed using the following syntax:
    • D<original drive letter of file><#>.<original extension>
  • Examples:
    • New File Name: Dc1.txt = (C drive, second file deleted, a .txt file)
      INFO file path: C:\Windows\Desktop\Books.txt
    • New File Name: De7.doc = (E drive, eighth file deleted, a .doc file)
      INFO file path: E:\Winword\Letter to Rosemary.doc

  5. Recycle Bin (Vista & Windows 7)
  • In Windows 7 and Vista, Microsoft did away with the INFO2 file and completely changed the way files were named and indexed within the Recycle Bin.
  • The new Recycle Bin is located in a hidden directory named \$Recycle.Bin\%SID%, where %SID% is the SID of the user that performed the deletion.
  • When files are moved into the Recycle Bin, the original file is renamed to $R followed by a set of random characters, but maintaining the original file extension. At the same time a new file beginning with $I, followed by the same set of random characters given to the $R file and the same extension, is created; this file contains the original filename/path, original file size, and the date and time that the file was moved to the Recycle Bin.
  • All of the $I files are exactly 544 bytes long.
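The two Recycle Bin schemes on slides 4 and 5 can be worked through in code. The following Python is an added example, not part of the slide deck: it decodes a pre-Vista `D<drive><#>.<ext>` name (the slide's "Dc1.txt is the second file deleted" implies the number is a zero-based index), parses a Vista/Windows 7 `$I` record, and pairs `$I`/`$R` entries from a directory listing. The `$I` byte layout assumed here (8-byte version, 8-byte original size, 8-byte FILETIME, then the path as 260 UTF-16LE characters, which adds up to the slide's 544 bytes) is an assumption of the example, and every input is constructed inline rather than captured from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_recycled_name(name):
    """Decode a pre-Vista Recycled-folder name of the form D<drive><#>.<ext>.

    The number is a zero-based deletion index, so Dc1.txt is the second file
    deleted from C:, matching the slide's example.
    """
    stem, _, ext = name.partition(".")
    if len(stem) < 3 or stem[0] != "D" or not stem[1].isalpha() or not stem[2:].isdigit():
        raise ValueError(f"not a pre-Vista Recycled name: {name!r}")
    index = int(stem[2:])
    return {"drive": stem[1].upper() + ":", "index": index,
            "ordinal": index + 1, "extension": ext}


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer arithmetic to avoid float rounding."""
    delta = dt - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


I_FILE_SIZE = 544  # the slide's figure: 8 (version) + 8 (size) + 8 (FILETIME) + 520 (path)


def parse_dollar_i(data):
    """Parse a Vista/Windows 7 $I metadata record.

    Assumed layout (version 1, little-endian): uint64 version == 1, uint64 original
    file size, uint64 FILETIME of deletion, then the original path as 260 UTF-16LE
    characters, NUL padded.
    """
    if len(data) != I_FILE_SIZE:
        raise ValueError(f"expected {I_FILE_SIZE} bytes, got {len(data)}")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version != 1:
        raise ValueError(f"unsupported $I version {version}")
    path = data[24:].decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def build_dollar_i(path, size, deleted_at):
    """Construct a sample $I record for offline testing (not a record from a real system)."""
    encoded = path.encode("utf-16-le")
    if len(encoded) > 520 - 2:  # leave room for the terminating NUL
        raise ValueError("path longer than 259 characters")
    return struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted_at)) + encoded.ljust(520, b"\x00")


def pair_recycle_bin_entries(names):
    """Match each $I<suffix> metadata file with its $R<suffix> content file.

    Returns (pairs, orphans). An orphan $R means the original path and deletion
    time are not recoverable from the Recycle Bin directory alone.
    """
    by_suffix = {}
    for n in names:
        if n[:2] in ("$I", "$R"):
            by_suffix.setdefault(n[2:], {})[n[:2]] = n
    pairs = [(v["$I"], v["$R"]) for v in by_suffix.values() if len(v) == 2]
    orphans = [next(iter(v.values())) for v in by_suffix.values() if len(v) == 1]
    return pairs, orphans


if __name__ == "__main__":
    print(decode_recycled_name("Dc1.txt"))
    # Constructed sample record; the path and timestamp are invented for the demo.
    sample = build_dollar_i(r"C:\Users\alice\Documents\Letter to Rosemary.doc", 12345,
                            datetime(2012, 3, 4, 5, 6, 7, tzinfo=timezone.utc))
    print(parse_dollar_i(sample))
    print(pair_recycle_bin_entries(["$IABC123.docx", "$RABC123.docx", "$RXYZ789.txt"]))
```

The size check in `parse_dollar_i` is the practical use of the slide's "exactly 544 bytes" fact: a `$I` file of any other length is either a later Windows format or damaged, and should be flagged rather than silently decoded.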

  6. Hidden Recycler Directory (pre-Vista)

  7. INFO2 File (pre-Vista)

  8. Hidden Recycler Directory (post-Vista)

  9. Hidden Recycler Directory (post-Vista)

  10. Temp Directory

  11. Backup (pre-Vista) Search for BACKUP.LOG

  12. Backup (post-Vista) • The backup program allows you to specify where backup files are stored (backup.log).

  13. Spool Files
  • Simultaneous Peripheral Operations On-Line
  • Temporary files used during input/output operations
  • Typically used to allow printers to run in the “background”
  • Typically deleted after print job is complete
  • May be printer specific – check settings for Server Properties

  14. WinXP Spool File Default

  15. While Printing After Printing

  16. Windows Registry
  • A database which stores
    • Hardware and software configuration information
    • User preferences (incl. user name and passwords)
    • Setup information
  • Viewed with Regedit (www.microsoft.com/windows/reskits/default.asp)
  • Can be used to view
    • Last person to log on
    • Most recently accessed files
    • Most recently accessed devices
    • Application specific information
    • Internet sites accessed
    • Recent files
    • Chat rooms accessed
    • …

  17. Windows Registry Hives
  • HKEY_CLASSES_ROOT – file extensions, association info
  • HKEY_CURRENT_USER – config info for currently logged in user
  • HKEY_LOCAL_MACHINE – majority of info about software on machine
    • SAM
    • SECURITY
    • SOFTWARE
    • SYSTEM
  • HKEY_USERS – user specific info about current user
  • HKEY_CURRENT_CONFIG – info about current configuration

  18. Windows Registry Hives
  • A registry “hive” is a logical group of keys, subkeys, and values that define the profile of a user.
  • A new hive is created each time a new user is created (and logs on the first time).
  • A user’s hive contains specific registry information about the user’s application settings, desktop, environment, network connections, and printers.
  • User profile hives are located under the HKEY_USERS key.

  19. Registry Files REGEDIT /L: (system.dat) /R: (user.dat) /E outfile.txt

  20. Windows XP Registry

  21. WinXP Registry • \Windows\System32\Config • Run…Regedit

  22. Windows 7 Registry

  23. Registry Entries

  24. Most Recently Used (MRU) Listings HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\Open Find

  25. Registry – Uninstall Key May show software installed currently Or in the past on system

  26. Registry – Date Last Used Registry Key for file execution - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

  27. ROT13 • http://en.wikipedia.org/wiki/ROT13 • http://www.rot13.com/index.php

  28. ROT13 Translation
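Slides 26 to 28 point at the UserAssist key as a "date last used" record for executed programs and at ROT13 as the encoding of its value names. The Python below is an added example, not part of the slide deck: it implements ROT13 (applying it twice returns the input, so one function both encodes and decodes), decodes a UserAssist value name, and interprets the value data. The data layout assumed here is the XP-era 16-byte record (uint32 session id, uint32 run counter, uint64 FILETIME of last run) with the counter offset by 5; both the layout and the offset are assumptions of the example, and the `SAMPLE_VALUES` entries are constructed, not exported from a real registry.

```python
import struct
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(text):
    """ROT13: rotate each ASCII letter by 13 places; digits, separators and
    non-ASCII characters pass through unchanged. ROT13 is its own inverse."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def decode_userassist_value(name, data):
    """Decode one UserAssist value: ROT13 the name, then interpret the data.

    Assumed XP-era layout for 16-byte data: uint32 session id, uint32 run
    counter, uint64 FILETIME of the last run. The counter is assumed to start
    at 5, so 5 is subtracted to get the number of runs. Other lengths are
    returned raw rather than guessed at.
    """
    result = {"name": rot13(name)}
    if len(data) == 16:
        session, count, ft = struct.unpack("<IIQ", data)
        result.update(session=session, run_count=max(count - 5, 0),
                      last_run=filetime_to_datetime(ft) if ft else None)
    else:
        result["raw_data"] = data
    return result


def userassist_timeline(values):
    """Decode a {value name: data} mapping and order entries by last run, newest first."""
    decoded = [decode_userassist_value(n, d) for n, d in values.items()]
    return sorted((r for r in decoded if r.get("last_run")),
                  key=lambda r: r["last_run"], reverse=True)


# Constructed sample values (not from a real registry). Names are ROT13 of
# UEME_RUNPATH:<path>; FILETIMEs are 2012-03-04 05:06:07 UTC and one day later.
SAMPLE_VALUES = {
    r"HRZR_EHACNGU:P:\Cebtenz Svyrf\Sbb\sbb.rkr": struct.pack("<IIQ", 7, 8, 129753111670000000),
    r"HRZR_EHACNGU:P:\Jvaqbjf\flfgrz32\pnyp.rkr": struct.pack("<IIQ", 7, 15, 129753975670000000),
    "HRZR_PGYFRFFVBA": b"\x07\x00\x00\x00\x00\x00\x00\x00",  # 8 bytes: left raw
}


if __name__ == "__main__":
    for entry in userassist_timeline(SAMPLE_VALUES):
        print(entry["last_run"].isoformat(), entry["run_count"], entry["name"])
```

Because the names are only obfuscated, not encrypted, a plain string search of a registry export for a program name will miss UserAssist entries; search for the ROT13 form, or decode the key first, as this function does.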

  29. Temporary Internet Files • Internet Explorer History File (index.dat) • http://www.mandiant.com/webhistorian.htm

  30. INDEX.DAT Files

  31. INDEX.DAT

  32.
  • URL (Local File) – The URL from which the file came, including the original file name on that website.
  • User Name – The Windows user name logged on at the time the file was saved.
  • Last Accessed – The date and time the URL was last accessed by the client.
  • Last Modified – The date and time the content was last modified on the server.
  • Last Checked – Last synch time.
  • Expires – A field that can be optionally specified by the website designer for certain files which are "session" files, ones that expire at the end of the browsing session at that site. (Most files will be "persistent".) The website indicates when the browser should discard the cache entry and go back to the web site.
  • Hits – Reflects how many accesses have been made to that URL. It can go up from redirects or cookie redirects to ad sites.
  • Use Count – Reflects how many users have used the cache entry in a shared cache on Windows 98 systems with multiple user profiles set up. On Windows 2000/XP, it is almost always 0, because each user gets his own set of index.dat files.

  33. INDEX.DAT Decoded

  34. Temporary Internet Files Directory
  • Internet Explorer saves copies of many things that are displayed on the screen when you surf the web.
  • These include:
    • downloads
    • images (including embedded images on web-pages)
    • cached pages
    • cookies
    • etc.
  • This is a good source of evidence.

  35. Page/Swap File
  • Persistent
  • Temporary
  Determine by: HKEY_LOCAL_MACHINE\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
  0 = do not overwrite
  1 = overwrite

  36. Overwrite Page File at Shutdown?

  37. Application Temporary Files Search *.tmp

  38. Application Specific Files • Specific database, backup, or temporary files used by applications
