Forensics of a Windows system
Alfredo Reino, CISSP, MCSE, CCNA
Systems Engineer, Pharma Global Informatics
F. Hoffmann-La Roche

F. Hoffmann-La Roche: A Global Healthcare Leader
One of the leading research-intensive healthcare groups
Core businesses are pharmaceuticals and diagnostics
Computer forensics is the process of investigating data storage devices and/or data processing equipment (typically a home computer, laptop, server, office workstation, or removable media such as compact discs) to determine whether the equipment has been used for illegal, unauthorized, or unusual activities. It can also include monitoring a network for the same purpose. Investigators must do so in a fashion that adheres to the standards of evidence that are admissible in a court of law.
Forensics scope and environment: LAN / DMZ / external environment
Do you have all the relevant information?
# Analysis workstation: mount the acquired image read-only over loopback, with no device nodes and no execution allowed
mount -o ro,loop,nodev,noexec victim.hda8.dd /t
# Live Unix/Linux host: image the whole disk and stream it to the collection host listening on 10.0.0.1:9000
dd if=/dev/sda | nc 10.0.0.1 9000
# Live Windows host: the same with a Windows port of dd (e.g. the Forensic Acquisition Utilities); -w 3 closes nc after the stream ends
dd if=\\.\PhysicalDrive0 bs=2k | nc -w 3 10.0.0.1 9000
pull the plug!
# Volatile data such as physical memory is lost at power-off, so acquire it while the system is still running
# (needs administrator rights; Windows Server 2003 SP1 and later no longer expose \Device\PhysicalMemory to user mode)
dd if=\\.\PhysicalMemory | nc -w 3 10.0.0.1 9000
Key -> CurrentControlSet\Control\Windows\ShutdownTime
LastWrite : Tue Aug 2 12:06:56 2005
Value : ShutdownTime;REG_BINARY;c4 96 a0 ad 5a 97 c5 01
- check this registry key (for each user!)
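The ShutdownTime value above is a REG_BINARY holding a little-endian 64-bit FILETIME. The following decoder is an added example (not part of the original deck) that turns those eight bytes into a UTC timestamp and compares it with the key's LastWrite time as a plausibility check; it assumes the LastWrite text shown by the tool is in UTC.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: number of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# The ShutdownTime bytes exactly as the registry dump on the slide shows them
# (REG_BINARY, stored little-endian), plus the key's LastWrite line for comparison.
SHUTDOWN_TIME_RAW = bytes.fromhex("c496a0ad5a97c501")
LASTWRITE_TEXT = "Tue Aug 2 12:06:56 2005"


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME (as stored in REG_BINARY) to a UTC datetime."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be 8 bytes, got {len(raw)}")
    (ticks,) = struct.unpack("<Q", raw)  # unsigned 64-bit, little-endian
    # timedelta only resolves microseconds, so the last (100 ns) digit is dropped
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_lastwrite(text: str) -> datetime:
    """Parse a 'Tue Aug 2 12:06:56 2005' style LastWrite string (assumed to be UTC)."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def check_shutdown_time(raw: bytes, lastwrite_text: str, tolerance_s: int = 60) -> tuple:
    """Return (decoded shutdown time, consistent-with-LastWrite flag).

    Windows writes ShutdownTime during a clean shutdown, so the value and the LastWrite
    time of its key should agree; a large gap points at a clock change, a restored hive,
    or tampering and deserves a closer look.
    """
    shutdown = filetime_to_datetime(raw)
    lastwrite = parse_lastwrite(lastwrite_text)
    consistent = abs((shutdown - lastwrite).total_seconds()) <= tolerance_s
    return shutdown.strftime("%Y-%m-%d %H:%M:%S UTC"), consistent


if __name__ == "__main__":
    decoded, ok = check_shutdown_time(SHUTDOWN_TIME_RAW, LASTWRITE_TEXT)
    print(f"ShutdownTime = {decoded} (consistent with LastWrite: {ok})")
```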