DF Module 4 Final
Investigating Unix Systems - Reviewing Pertinent Logs, Performing Keyword Searches, Reviewing Relevant Files, Identifying Unauthorized User
Accounts or Groups, Identifying Rogue Processes, Checking for Unauthorized Access Points, Analyzing
CONDUCTING A WINDOWS INVESTIGATION
After you’ve set up your forensic workstation with the proper tools and
recorded the low-level partition data from the target image, you are ready to
conduct your investigation. The following basic investigative steps are required
for a formal examination of a target system:
● Review all pertinent logs.
● Perform keyword searches.
● Review relevant files.
● Identify unauthorized user accounts or groups.
● Identify rogue processes and services.
● Look for unusual or hidden files/directories.
● Check for unauthorized access points.
● Examine jobs run by the Scheduler service.
● Analyze trust relationships.
● Review security identifiers.
WHERE EVIDENCE RESIDES ON WINDOWS SYSTEMS
● Volatile data in kernel structures
● Slack space, where you can obtain information from previously deleted files that are unrecoverable
● Slack space is the unused space at the end of a file cluster. For example, if the cluster size is 4 KB and the file size is 3 KB, there will be 1 KB of slack space left in the cluster.
● Free or unallocated space, where you can obtain previously deleted files, including damaged or inaccessible clusters
● The logical file system
● The event logs
● The Registry, which you should think of as an enormous log file
● Application logs not managed by the Windows Event Log Service
● The swap files, which harbor information that was recently located in system RAM (named pagefile.sys on the active partition)
● Special application-level files, such as Internet Explorer’s Internet history files (index.dat), Netscape’s fat.db, the history.hst file, and the browser cache
● Temporary files created by many applications
● The Recycle Bin (a hidden, logical file structure where recently deleted items can be found)
● The printer spool
● Sent or received email, such as the .pst files for Outlook mail
Recycle Bin Forensics
● The Windows Recycle Bin was first introduced in Windows 95; it holds files that have been deleted by users.
● When a user deletes a file, the file is moved into the Recycle Bin rather than being deleted permanently.
● This is the default behaviour of Windows. A file can also be deleted permanently by holding the Shift key while deleting; the file is then removed without being moved into the Recycle Bin.
● The Recycle Bin can hold artifacts that are considered a valuable source of digital evidence.
Different versions of Windows use different Recycle Bin file names and locations.
In Windows NT/2000/XP the INFO2 file is still present, but it lives in the RECYCLER folder under a subfolder named after the user's SID (Security Identifier):
C:\RECYCLER\SID*\INFO2
When a user deletes a file, a subfolder for that user's SID is created, and each SID subfolder contains its own INFO2 file.
From Windows Vista onward the path was renamed to C:\$Recycle.Bin\SID*\$I and C:\$Recycle.Bin\SID*\$R, where the $I file contains the metadata of the deleted file and the $R file contains the actual deleted file.
This does away with the INFO2 file used in older versions of Windows.
Inside a Recycle Bin you may find files whose names begin with either '$I' or '$R'. A file beginning with '$I' contains data about a file that has been deleted.
A file beginning with '$R' followed by a random string contains the actual contents of the recycled file.
Parse application
Run it on the $I files, then from the File menu select CSV; it will return a CSV file of all parsed files.
In Windows Vista, two files are created when a file is deleted into the Recycle Bin:
– Both files have the same random-looking name, but the names are prefixed with “$R” or “$I”.
– The file whose name begins with “$R” holds the actual data of the deleted file.
– The file whose name begins with “$I” contains the path where the file originally resided, as well as the date and time it was deleted.
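As an added example (not part of these notes, and not code from any of the tools they mention), the following Python decodes $I records and emits the kind of CSV summary described above. It goes slightly beyond the text by handling both on-disk layouts: version 1 (Vista through 8.1, a fixed 520-byte UTF-16LE path field) and version 2 (Windows 10 and later, a length-prefixed path). The $I file names, paths, sizes and deletion time in SAMPLES are constructed for the demonstration; build_i_file exists only to generate that sample input.

```python
"""Parse Windows Recycle Bin $I metadata records and emit a CSV summary.

Added example; the sample records below are constructed, not taken from a real image.
"""
import csv
import io
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic to avoid float rounding."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data):
    """Decode one $I record.

    Layout common to both versions:
      0x00  u64  format version (1 = Vista/7/8.1, 2 = Windows 10 and later)
      0x08  u64  original file size in bytes
      0x10  u64  deletion time as FILETIME
    Version 1 then stores a fixed 260-character (520-byte) UTF-16LE path, NUL padded;
    version 2 stores a u32 character count (including the NUL) followed by the path.
    """
    if len(data) < 24:
        raise ValueError("record too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        if len(raw) < 520:
            raise ValueError("truncated version-1 path field")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        if len(data) < 28:
            raise ValueError("truncated version-2 length field")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) < nchars * 2:
            raise ValueError("truncated version-2 path field")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I format version {version}")
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(ft), "path": path}


def build_i_file(version, path, size, deleted_utc):
    """Construct a synthetic $I record (used here only to generate sample input)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_utc))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    if version == 2:
        return header + struct.pack("<I", len(path) + 1) + encoded
    raise ValueError(f"unsupported version {version}")


def i_files_to_csv(records):
    """records: iterable of ($I file name, bytes). Returns CSV text, one row per record.

    The matching $R file shares the random suffix of its $I file, so its name is derived here.
    """
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["i_file", "r_file", "version", "size", "deleted_utc", "original_path"])
    for name, data in records:
        rec = parse_i_file(data)
        writer.writerow([name, "$R" + name[2:], rec["version"], rec["size"],
                         rec["deleted_utc"].isoformat(), rec["path"]])
    return buf.getvalue()


# Constructed sample data: two deleted files from one user's $Recycle.Bin\<SID> folder.
SAMPLE_DELETED = datetime(2021, 6, 15, 14, 30, 0, tzinfo=timezone.utc)
SAMPLES = [
    ("$IABC123.docx", build_i_file(2, r"C:\Users\alice\Documents\report.docx", 123456, SAMPLE_DELETED)),
    ("$IXYZ789.txt", build_i_file(1, r"C:\Users\alice\Desktop\notes.txt", 42, SAMPLE_DELETED)),
]

if __name__ == "__main__":
    print(i_files_to_csv(SAMPLES))
```

The parser rejects truncated records rather than guessing, which matters when $I files are carved from unallocated space; the deletion time is reported in UTC because FILETIME is stored in UTC, so convert to local time only when comparing against sources such as setupapi logs that are written in local time.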
Case study: Viewing the Recycle Bin using EnCase. How do you view the Recycle Bin using EnCase?
– (You do not have to acquire the disk.)
– Locate the Recycle Bin using EnCase.
– Locate the system's user IDs (SIDs).
– Locate the deleted files.
USB Device Forensics
Windows keeps a history log of all previously connected USB devices along with their connection times and the user account that installed them. The Windows Registry also stores important technical information for each connected USB device, such as vendor ID, product ID, revision, and serial number.
Windows stores USB history-related information in five registry keys, where each key offers a different piece of information about the connected device. By merging this information together, investigators get an idea of how an offender has used removable devices such as a USB drive to conduct or facilitate his/her actions.
1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR: here you will find all USB devices that have been plugged into the operating system since its installation. It shows the USB vendor ID (manufacturer name), product ID, and the device serial number (note that if the second character of the device serial number is “&”, the connected device does not have a serial number and the device ID has been generated by the system). See Figure 8.1 for a list of previously connected USB devices on the author’s machine.
Figure 8.1: History of USB connected devices
2. HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices: the MountedDevices subkey stores the drive letter allocations; it matches the serial number of a USB device to the drive letter or volume that was mounted when the USB device was inserted.
3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2: this key records which user was logged into Windows when a specific USB device was connected. The key also includes the “Last Write Time” for each device that was connected to the system.
4. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB: this key holds technical information about each connected USB device, in addition to the last time the device in question was connected to the investigated computer.
5. Identify the first time the device was connected: check \Windows\inf\setupapi.dev.log on Windows Vista, 7, and 8, and \Windows\inf\setupapi.upgrade.log on Windows 10. On Windows XP, the file is located at \Windows\setupapi.log. Search this file for a particular USB device’s serial number to learn when it was first connected to the subject system (in local time).
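As an added example (not from these notes, and not code from USBDeview or any other tool mentioned here), the following Python ties items 1 and 5 together: it splits a USBSTOR device ID into vendor, product, revision and serial number, applies the “&” second-character test for system-generated serials, and scans a setupapi.dev.log excerpt for the earliest “Section start” time of each device. The log excerpt and the device IDs in it are constructed; the line layout follows the Vista-and-later setupapi.dev.log format, and the timestamps are, as the text notes, local time.

```python
"""Correlate USBSTOR device IDs with first-install times from setupapi.dev.log.

Added example; the log excerpt and device IDs below are constructed for the demonstration.
"""
import re
from datetime import datetime

# Device-class part: <Class>&Ven_<vendor>&Prod_<product>&Rev_<revision>, then "\" and the
# instance ID, which is the device serial number followed by an "&<index>" suffix.
DEVICE_ID_RE = re.compile(
    r"^(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\]*)"
    r"\\(?P<instance>.+)$"
)
# setupapi.dev.log (Vista and later) opens each install with a header line and a start line.
SECTION_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<id>USBSTOR\\[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def parse_usbstor_id(device_id):
    """Split a USBSTOR device ID into vendor, product, revision and serial number.

    If the second character of the serial is "&", Windows generated the ID because the
    device reported no serial number of its own (the check from item 1 above).
    """
    if device_id.upper().startswith("USBSTOR\\"):
        device_id = device_id[len("USBSTOR\\"):]
    m = DEVICE_ID_RE.match(device_id)
    if not m:
        raise ValueError(f"not a USBSTOR device ID: {device_id}")
    serial = re.sub(r"&\d+$", "", m.group("instance"))  # drop the trailing "&0" index
    return {
        "class": m.group("cls"),
        "vendor": m.group("vendor"),
        "product": m.group("product"),
        "revision": m.group("rev"),
        "serial": serial,
        "serial_generated": len(serial) > 1 and serial[1] == "&",
    }


def first_install_times(log_text):
    """Return {device_id: earliest 'Section start' local time} for USBSTOR installs."""
    first = {}
    pending = None
    for line in log_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            pending = header.group("id")
            continue
        start = START_RE.match(line)
        if start and pending is not None:
            ts = datetime.strptime(start.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            if pending not in first or ts < first[pending]:
                first[pending] = ts
            pending = None
    return first


def usb_report(log_text):
    """Combine both parsers into one row per device, earliest first connection first."""
    rows = []
    for device_id, ts in first_install_times(log_text).items():
        row = parse_usbstor_id(device_id)
        row["first_connected_local"] = ts.strftime("%Y-%m-%d %H:%M:%S")
        rows.append(row)
    rows.sort(key=lambda r: r["first_connected_local"])
    return rows


# Constructed excerpt in the Vista-and-later setupapi.dev.log format (timestamps are local time).
# The SanDisk device appears twice so that the "earliest section wins" rule is exercised.
SAMPLE_SETUPAPI_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001234567890123&0]
>>>  Section start 2021/06/15 09:12:44.118
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2021/06/15 09:12:46.902
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a6b4c1d&0&000000000000&0]
>>>  Section start 2021/06/17 18:05:03.551
<<<  Section end 2021/06/17 18:05:05.010
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001234567890123&0]
>>>  Section start 2021/06/20 08:00:00.000
<<<  Section end 2021/06/20 08:00:01.250
<<<  [Exit status: SUCCESS]
"""

if __name__ == "__main__":
    for row in usb_report(SAMPLE_SETUPAPI_LOG):
        print(row)
```

The serial number is the join key across all five registry sources (USBSTOR, MountedDevices, MountPoints2 and Enum\USB all carry it), so the generated-serial flag is worth keeping in the report: two identical devices without hardware serials cannot be told apart by this key alone.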
To automate the process of finding information about the current and previously connected USB devices, you can download a free tool by Nirsoft that can perform all the tasks we just did manually; this tool is called USBDeview (www.nirsoft.net/utils/usb_devices_view.html).
To conclude this section, a USB device connected through an MTP (Media Transfer Protocol) connection needs special treatment to acquire its traces from a Windows machine; consult your computer forensic software documentation for the availability of such a feature.
ADDITIONAL READING