Lecture 17 - 2021


CST 2580
Digital Incident Scene Investigation & Analysis
Lecture 15
Examination: System Activity
David Neilson

This Week
• Examination
• System time
• Windows Registry
• Logs
• Attached devices
• Pagefile.sys & Hiberfil.sys

© Middlesex University This week | 2


System vs User Activity
• Activity on a typical digital system consists of two major components:
• System Activity
• Activity that takes place in the background without the direct input or knowledge of the user
• E.g. system registry and config, event logs
• User Activity
• Activity that is related to the actions of specific users
• E.g. media files, communication


System Information
• Most forensic software suites are able to produce a summary of basic system information which would be regarded as of interest and value to any case
• The data that they show can be regarded as key identifiers of the system you are examining
• Data is usually extracted from the relevant registry keys
• Therefore it is a good idea to include them in any forensic report.
• Can also have value for future work if the case is continued or reopened
• This data can also be used in larger investigations to show the footprint of the suspect device throughout the internet or cloud connections.
System Information – User Accounts
• The software will also usually create a list of the user accounts that can be found on the system.
• They provide details of the user accounts and their permissions:
• SID – Security Identifier
• Login Name
• Creation timestamp
• Number of logins
• Each one of these user accounts should be processed to ensure that all locations are covered
• This will allow recovery of the NTUSER.DAT file, which is the registry file tracking a user's activity.
• There is one in each user account.
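The SID listed for each account is stored on disk in a binary layout, and the part an examiner usually cares about is its final component, the relative identifier (RID), which tells the built-in Administrator (RID 500) and Guest (RID 501) apart from ordinary accounts (RID 1000 and above) even after they have been renamed. The following is an added example, not code from the lecture or from any forensic suite; the binary layout and the well-known RIDs are general Windows facts, and the sample SID values are constructed.

```python
import struct
from typing import List

# Well-known relative identifiers (RIDs) in the local SAM (general Windows knowledge).
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
}


def encode_sid(identifier_authority: int, sub_authorities: List[int]) -> bytes:
    """Build the binary SID layout: revision byte, sub-authority count, 48-bit
    big-endian identifier authority, then each sub-authority as little-endian uint32."""
    if not 0 < len(sub_authorities) <= 15:
        raise ValueError("a SID carries between 1 and 15 sub-authorities")
    header = bytes([1, len(sub_authorities)]) + identifier_authority.to_bytes(6, "big")
    return header + struct.pack(f"<{len(sub_authorities)}I", *sub_authorities)


def decode_sid(raw: bytes) -> str:
    """Decode binary SID bytes into the textual S-1-<authority>-<sub>... form.
    Malformed or truncated buffers raise ValueError rather than producing a guess."""
    if len(raw) < 8:
        raise ValueError("SID header needs at least 8 bytes")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-1-" + "-".join(str(v) for v in (authority, *subs))


def rid_of(sid_text: str) -> int:
    """The relative identifier is the final sub-authority of the SID."""
    return int(sid_text.rsplit("-", 1)[1])


def describe_account(sid_text: str) -> str:
    """Label an account by its RID so a report can flag built-in accounts
    regardless of the login name currently attached to them."""
    rid = rid_of(sid_text)
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "Domain/local user or group" if rid >= 1000 else "Other well-known account"


if __name__ == "__main__":
    # Constructed sample: a machine SID whose last sub-authority is RID 500.
    sample = encode_sid(5, [21, 1111111111, 2222222222, 3333333333, 500])
    text = decode_sid(sample)
    print(text, "->", describe_account(text))
```

Run the file directly to see the round trip; `decode_sid` is the function to point at raw bytes pulled from a hive, and `describe_account` is what the user-account table in a report would call.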
System Account Manager



System Time
• Timestamps reported by the file system are dependent upon the file system where the data is stored
• FAT file systems record the time provided by the host system
• Commonly referred to as local time
• NTFS uses Coordinated Universal Time – UTC
• Primary method by which the world regulates and agrees on the current time
• Is effectively the same as GMT and is not affected by daylight saving time
• Widely used, e.g. weather, aviation, internet protocols


World Time Zones



Establish local time
• So how can we establish what the local time is?
• Usually the case data will be in the same time zone as the examination, so this will be known
• NTFS uses these time zones as offsets which are stored as a value in a registry key
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones
• This offset is then used to translate the UTC times into local times for the system.
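A worked version of that translation, added here as an example rather than taken from the lecture: NTFS timestamps and registry last-write times are 64-bit FILETIME values counted in 100-nanosecond ticks from 1601-01-01 UTC, and Windows stores the system's time-zone bias as a signed number of minutes with UTC = local time + bias. The slide points to the Time Zones key; the example assumes the examiner has already pulled the active bias out of the hive as a raw REG_DWORD (Windows keeps it in the ActiveTimeBias value of SYSTEM\CurrentControlSet\Control\TimeZoneInformation, a location not named on the slide). The FILETIME and bias values used are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_utc(filetime: int) -> datetime:
    """Decode a 64-bit FILETIME (NTFS timestamps, registry key last-write times)
    into a timezone-aware UTC datetime."""
    if not 0 <= filetime < 2 ** 64:
        raise ValueError("FILETIME must be an unsigned 64-bit integer")
    seconds, ticks = divmod(filetime, TICKS_PER_SECOND)
    # datetime resolves microseconds, so the last 100 ns digit is dropped.
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=ticks // 10)


def bias_from_dword(raw: bytes) -> int:
    """Read a time-zone bias stored as a REG_DWORD: minutes, signed, with
    UTC = local + bias (so UTC+1 is stored as -60).
    Assumption: the caller has extracted the raw 4 bytes of the value from the hive."""
    if len(raw) != 4:
        raise ValueError("REG_DWORD is exactly 4 bytes")
    return struct.unpack("<i", raw)[0]


def utc_to_local(utc_time: datetime, bias_minutes: int) -> datetime:
    """Translate a UTC timestamp to the examined system's local time using its bias."""
    return utc_time.astimezone(timezone(timedelta(minutes=-bias_minutes)))


def report_timestamp(filetime: int, bias_raw: bytes) -> dict:
    """Return both readings so a report can state UTC alongside the system's local time."""
    utc_time = filetime_to_utc(filetime)
    local_time = utc_to_local(utc_time, bias_from_dword(bias_raw))
    return {"utc": utc_time.isoformat(), "local": local_time.isoformat()}


if __name__ == "__main__":
    # Constructed sample: 2021-07-01 12:00:00 UTC on a system whose bias is -60 (UTC+1).
    print(report_timestamp(132696144000000000, bytes.fromhex("c4ffffff")))
```

Reporting both values side by side avoids the classic mistake of quoting a FAT (local) timestamp and an NTFS (UTC) timestamp from the same case as if they were on the same clock.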


Windows Registry
• The Windows registry is a collection of files and configuration settings that are essential to the smooth running of the host OS
• What type of information is stored here?
• System information, e.g. OS version, settings etc.
• User information, e.g. user accounts, permissions
• Application information, e.g. installed apps and config settings
• Activity history, e.g. user and system activity, MRU lists
• Each key has a value called last write time – this can be critical in establishing when the value was changed


Registry Files
• System Registry Files
• Location = \Windows\System32\config\
• Main Keys = SAM, Security, Software, System
• User Registry Files
• Current user data is used when viewing the registry natively.
• Win XP – Location = \Documents and Settings\{User}\NTUSER.DAT
• Win 7/8/10 – Location = \Users\{user}\NTUSER.DAT


Main files
• SAM
• Security Accounts Manager – contains details of all user accounts and hashed passwords – some tools allow recovery
• Security
• Relates to the security of the system – enforces security policies
• Software
• Application settings and Windows settings. Mostly used by application and system installers
• System
• Details of Windows system setup, connected devices etc.
• NTUSER.DAT
• User settings, MRU lists etc.


Registry Structure
• Consists of 5 main hives:
• HKEY_CLASSES_ROOT (HKCR): This hive stores information about drag and drop rules, program shortcuts, the user interface, and related items.
• HKEY_CURRENT_USER (HKCU): It stores information about the currently logged on user including desktop settings, user folders, etc.
• HKEY_LOCAL_MACHINE (HKLM): This can also be important to a forensic investigation. It contains those settings common to the entire machine, regardless of the individual user.
• HKEY_USERS (HKU): It has profiles for all the users including their individual settings.
• HKEY_CURRENT_CONFIG (HKCC): This hive contains the current system configuration.


Main Hives
• The main hives contain a vast list of the Keys and
Subkeys relating to different parts of the OS



Registry Viewer
• Can be accessed from a native Windows system
• From the Start menu, type regedit, as I will show


Devices
• The registry also holds information about devices which have been connected to the machine
• These can be invaluable as they allow connections to be made between different evidential items
• If we were examining a suspect device and had seen that a USB device with a particular serial number had been connected to the machine
• If the actual device is then recovered, it allows us to verify any findings about the device that were discovered through analysis of the image.
• It can also make investigators aware of other devices which they need to look out for and which may need to be recovered
Connected Devices Location
• The following list shows the registry locations for connected devices
• SYSTEM\CurrentControlSet\Enum\USBSTOR
• SYSTEM\CurrentControlSet\Enum\USB
• SYSTEM\CurrentControlSet\Enum\SCSI
• SYSTEM\CurrentControlSet\Enum\HID (peripherals)
• It is also possible to find the instance of the first time the device was plugged in by viewing
• C:\Windows\setupapi.log in Windows XP
• C:\Windows\inf\setupapi.dev.log in Windows 7 onwards
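The setupapi.dev.log mentioned above records each device installation as a section headed by the device instance ID followed by a "Section start" line carrying the local timestamp, and the same instance ID reappears on later insertions, so the first-seen time is the earliest section for that ID. The parser below is an added example (not lecture material); the log lines are constructed in that layout with a made-up vendor string and serial number, and the serial-number extraction assumes the usual USBSTOR instance ID shape where the last path component is the serial followed by an "&n" suffix.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of setupapi.dev.log (not a real log).
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5567\\4C530001234567890123]
>>>  Section start 2021/03/14 10:22:30.900
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2021/03/14 10:22:31.100
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\\4C530001234567890123&0]
>>>  Section start 2021/03/14 10:22:31.123
<<<  Section end 2021/03/14 10:22:33.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\\4C530001234567890123&0]
>>>  Section start 2021/05/02 08:01:00.000
<<<  Section end 2021/05/02 08:01:01.000
<<<  [Exit status: SUCCESS]
"""

DEVICE_RE = re.compile(r"^>>>\s+\[Device Install \([^)]*\) - (?P<id>[^\]]+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s*$")


def first_install_times(log_text: str) -> Dict[str, datetime]:
    """Map each device instance ID to the earliest 'Section start' recorded for it.
    The timestamps are the examined system's local time, as Windows writes them."""
    earliest: Dict[str, datetime] = {}
    pending: Optional[str] = None
    for line in log_text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            pending = m.group("id")
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            when = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            if pending not in earliest or when < earliest[pending]:
                earliest[pending] = when
            pending = None
    return earliest


def usbstor_serial(instance_id: str) -> Optional[str]:
    """Serial-number portion of a USBSTOR instance ID: the final path component
    minus its '&n' suffix. Returns None for entries from other enumerators."""
    if not instance_id.upper().startswith("USBSTOR\\"):
        return None
    return instance_id.rsplit("\\", 1)[1].split("&", 1)[0]


def usb_storage_summary(log_text: str) -> List[Tuple[str, str]]:
    """(serial, first-seen ISO timestamp) for each USB storage device, oldest first."""
    rows = []
    for instance_id, when in first_install_times(log_text).items():
        serial = usbstor_serial(instance_id)
        if serial:
            rows.append((serial, when.isoformat()))
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    for serial, seen in usb_storage_summary(SAMPLE_LOG):
        print(serial, "first seen", seen)
```

The serial recovered here is the value to cross-check against the USBSTOR key and against the physical device if it is later seized; remember the log time is local clock time, so convert it before comparing with UTC sources.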


Most Recently Used Lists - MRU
• A lot of suites also generate what are called Most Recently Used (MRU) lists
• The registry keeps a record of the most recently used applications, documents, URLs, search terms etc.
• They tend to keep only the most recent 10 items, but these are of high interest to the examiner.
• They represent the most recent activity on the suspect device before it was seized and imaged.
• As each new item enters the list the oldest will leave, meaning it is only useful for recent history.


Log Files
• Log files can provide a wealth of useful information
• Can also be extremely difficult to read and interpret – poor config can make this worse
• The amount of data can be overwhelming, but that same volume makes it harder for an attacker to remove their events
• Two main types of log file to be found
• System Logs
• E.g. those created by the Operating System, e.g. installation records, event logs
• Application Logs
• E.g. created through use of other software – related to the specific activity of the software


Event Logs
• Windows Operating System uses event logs to maintain a record of system activity
• Three main log files, all with .evt (WinXP) or .evtx extension:
• Application
• Security
• System
• Locations
• Windows XP - \Windows\system32\config
• Windows Vista/7/8/10 - \Windows\system32\winevt\Logs


Event Logs
• Large number of events are stored
• Each type of event has an Event ID
• System – SysEvent
• Keeps log of events logged by the OS
• E.g. hardware changes, device drivers, other system changes
• Security – SecEvent
• E.g. Logon/Logoff activity
• Events logged are determined by system audit policy
• Application – AppEvent
• Significant events by applications using Windows API
• E.g. Application failure



Windows Event Viewer
• Easily found in Control Panel > Administrative Tools


Event Log IDs
• Event logs make use of a large number of Event IDs based on the type of activity
• Examples – System
• System startup – XP = #6009 / Win 7/8/10 = #12
• System shutdown – XP = #6006 / Win 7/8/10 = #13
• Examples – Security
• Login attempt successful – XP = #528 / Win 7/8/10 = #4648/4624
• Logoff attempt unsuccessful – XP = #538 / Win 7/8/10 = #4647/4634
• Logon failure – XP = #529-537, 539 / Win 7/8/10 = #4625
• Password change – XP = #627 / Win 7/8/10 = #4723/4614
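Knowing the IDs is only useful once they are applied to a log, so here is an added example (not from the lecture) of the kind of triage an examiner runs over a Security log export: it counts successes, failures and password changes per account using the Win 7/8/10 IDs from the slide, and flags any account whose run of failed logons ends in a success, a pattern the report should explain. The CSV is a constructed sample in the shape of an Event Viewer export; the column names, account names and addresses are assumptions.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Security-log event IDs as given on the slide for Windows 7/8/10.
EVENT_NAMES = {
    4624: "Logon successful",
    4648: "Logon successful (explicit credentials)",
    4625: "Logon failure",
    4634: "Logoff",
    4647: "Logoff (user initiated)",
    4723: "Password change",
}

# Constructed sample resembling a CSV export of the Security log (not real data).
SAMPLE_CSV = """\
Time,EventID,Account,SourceIP
2021-03-14 10:15:01,4625,jsmith,10.0.0.23
2021-03-14 10:15:03,4625,jsmith,10.0.0.23
2021-03-14 10:15:05,4625,jsmith,10.0.0.23
2021-03-14 10:15:07,4625,jsmith,10.0.0.23
2021-03-14 10:15:09,4625,jsmith,10.0.0.23
2021-03-14 10:15:12,4624,jsmith,10.0.0.23
2021-03-14 10:20:00,4723,jsmith,10.0.0.23
2021-03-14 11:00:00,4624,administrator,127.0.0.1
2021-03-14 11:30:00,4634,administrator,127.0.0.1
"""


def parse_security_csv(text: str) -> List[dict]:
    """Read the export; rows with a non-numeric EventID are skipped, not fatal."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            row["EventID"] = int(row["EventID"])
        except (ValueError, TypeError):
            continue
        rows.append(row)
    return rows


def logon_summary(rows: List[dict]) -> Dict[str, Dict[str, int]]:
    """Per-account counts of successful logons, failed logons and password changes."""
    summary: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"success": 0, "failure": 0, "password_change": 0}
    )
    for row in rows:
        acct, eid = row["Account"].lower(), row["EventID"]
        if eid in (4624, 4648):
            summary[acct]["success"] += 1
        elif eid == 4625:
            summary[acct]["failure"] += 1
        elif eid == 4723:
            summary[acct]["password_change"] += 1
    return dict(summary)


def success_after_failures(rows: List[dict], threshold: int = 3) -> List[str]:
    """Accounts whose run of at least `threshold` consecutive failures (for that
    account) is ended by a successful logon. Rows are taken in file order."""
    run: Dict[str, int] = defaultdict(int)
    flagged: List[str] = []
    for row in rows:
        acct, eid = row["Account"].lower(), row["EventID"]
        if eid == 4625:
            run[acct] += 1
        elif eid in (4624, 4648):
            if run[acct] >= threshold and acct not in flagged:
                flagged.append(acct)
            run[acct] = 0
    return flagged


if __name__ == "__main__":
    rows = parse_security_csv(SAMPLE_CSV)
    for acct, counts in logon_summary(rows).items():
        print(acct, counts)
    print("review:", success_after_failures(rows))
```

Whether failures are even present depends on the audit policy the slide mentions; an empty failure count is not evidence that no failures occurred, only that none were recorded.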


Additional research
• Shellbags
• User Assist
• Application logs



Apple Mac
• The Console application can be used to view event logs on an Apple MacBook


Disadvantages
• The event logging service can be disabled in the OS
• Data can be modified, e.g. timestamps, usernames, computer name
• Logs can be transferred from one machine to another
• Timestamps are recorded using the local system clock, so can be inaccurate


Application Logs
• Logs which are specific to individual applications
• Dependent on the specific application in use and its logging configuration
• FTP logs
• Web server logs
• Database logs
• Backup logs
• Anti-virus logs
• Many are text based
• Be careful with timestamps – date values may be in American date format, e.g. mm/dd
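The mm/dd versus dd/mm trap can be settled from the log itself when any sampled date has a day number above 12 in one of the two positions; only a log whose dates are all 12 or below in both positions stays ambiguous and has to be confirmed from the application's configuration. This is an added example, not lecture code; the log lines are constructed and the leading date/time layout is assumed.

```python
import re
from datetime import datetime
from typing import List, Optional

DATE_RE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")
LEADING_TS_RE = re.compile(r"(\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2})")

# Constructed sample lines in the style of a text-based application log (not real data).
SAMPLE_LINES = [
    "03/14/2021 10:22:31 INFO user jsmith logged in from 10.0.0.23",
    "03/14/2021 10:30:02 INFO backup job 17 completed",
    "03/15/2021 09:01:45 WARN disk usage at 91%",
]


def infer_date_order(lines: List[str]) -> Optional[str]:
    """Return 'dmy' or 'mdy' once a field larger than 12 reveals the order,
    or None when every sampled date could be read either way."""
    for line in lines:
        for first, second, _year in DATE_RE.findall(line):
            if int(first) > 12:
                return "dmy"
            if int(second) > 12:
                return "mdy"
    return None


def parse_log_dates(lines: List[str], order: Optional[str] = None) -> List[datetime]:
    """Parse each line's leading date/time using the inferred (or supplied) order.
    Refuses to guess when the order cannot be established."""
    order = order or infer_date_order(lines)
    if order not in ("dmy", "mdy"):
        raise ValueError("date order is ambiguous; confirm it from the application's configuration")
    fmt = "%d/%m/%Y %H:%M:%S" if order == "dmy" else "%m/%d/%Y %H:%M:%S"
    parsed = []
    for line in lines:
        m = LEADING_TS_RE.match(line)
        if m:
            parsed.append(datetime.strptime(m.group(1), fmt))
    return parsed


if __name__ == "__main__":
    print("order:", infer_date_order(SAMPLE_LINES))
    for when in parse_log_dates(SAMPLE_LINES):
        print(when.isoformat())
```

Inferring the order from the whole file rather than the first line matters: the first few entries of a log are often early in a month and give no clue.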


Other locations
• Two very important files on Windows systems:
• Hiberfil.sys
• Stores the content of RAM when the device goes into hibernation
• Ensures that the system is returned to the same state as when it was left
• Pagefile.sys
• Is used as a space for virtual memory
• When the contents of RAM are full and in use then this space will be used.
• These are an extremely valuable resource and could contain much forensically useful information such as passwords in plaintext
• Stored as hidden files on Windows systems and their location is the root directory
This Week's Lab Session
• Registry Tutorial
• Event Logs
• User Accounts


Next Week
• Email analysis

