Module 06 - Windows Forensics-1
Windows Forensics
5 NIDS Ali GHORBEL
2024-25 [email protected]
Course Outline
Module objectives
Introduction to OS Forensics
Windows, Mac, and Linux are the three most widely used operating systems (OSes). Thus, the probability that an investigator will come across one of these OSes at a crime scene is very high.
Performing OS forensics to uncover the underlying evidence is a challenging task, as it requires the investigator to have thorough knowledge of these OSes.
To conduct a successful digital forensic examination on Windows, Mac, or Linux, one should be familiar with how each OS works and with its commands and methodologies, in order to be able to extract volatile and non-volatile data with OS-specific tools.
Collect system uptime: it provides an idea of when an exploit attempt might have been successful
Collecting Logged-On Users
Syntax:
psloggedon [-] [-l] [-x] [\\computername | username]
Collecting Logged-On Users
Syntax:
net sessions [\\<ComputerName>] [/delete] [/list]
Collecting Logged-On Users
LogonSessions tool: it lists the currently active logon sessions and, if the -p option is specified, the processes running in each session
Syntax:
logonsessions [-c[t]] [-p]
Collect information about the files opened by the intruder using remote login
The net file command displays details of open shared files on a server, such as the name, ID, and number of locks on each file, if any. It can also close individually shared files and remove file locks.
Syntax:
net file [ID [/close]]
Collecting Open Files: Using NetworkOpenedFiles
NetworkOpenedFiles
Source: https://www.nirsoft.net
It is a utility for Windows OS that lists all the files currently opened on the host
system through remote login
It displays the Filename, Computer and Username, Permission information
(Read/Write/Create), Locks count, File Size, File Attributes, etc.
Collecting Network Information
After gaining access to a remote system, intruders try to discover other systems that are available on the network
Syntax:
nbtstat [-a RemoteName] [-A IPAddress] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval]
Collecting Network Information
Collecting information about the network connections running to and from the victim system allows the investigator to locate a logged-on attacker, IRC bot communication, or worms logging into a command and control server
Netstat with the -ano switch displays details of the TCP and UDP network connections, including listening ports and the process identifier (PID) owning each connection
Syntax:
netstat [-a] [-e] [-n] [-o] [-p <Protocol>] [-r] [-s] [<Interval>]
Process Information
Syntax:
netstat -a -n -o
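To turn the netstat -ano listing into something an investigator can correlate with a process list, the following added parser (not part of the course material) groups listeners and established peers per PID; the netstat output it reads is a constructed sample, not a capture from a real host:

```python
from collections import defaultdict, namedtuple

# Constructed sample of "netstat -a -n -o" output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49812     203.0.113.7:6667       ESTABLISHED     3412
  TCP    192.168.1.20:49830     198.51.100.9:443       ESTABLISHED     2280
  TCP    192.168.1.20:4444      0.0.0.0:0              LISTENING       3412
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:5355           *:*                                    1204
"""

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

def _split_endpoint(endpoint):
    """Split 'host:port' (IPv4, [IPv6] or *:*) into (host, port); port is int or None."""
    host, port = endpoint.rsplit(":", 1)
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Turn netstat -ano text into Conn records; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:                      # UDP rows carry no State column
            proto, local, remote, pid = parts
            state = ""
        lip, lport = _split_endpoint(local)
        rip, rport = _split_endpoint(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state, int(pid)))
    return conns

def summarize_by_pid(conns):
    """Group listening ports and established peers per PID for correlation with tasklist."""
    summary = defaultdict(lambda: {"listening": [], "established": []})
    for c in conns:
        if c.state == "LISTENING":
            summary[c.pid]["listening"].append(c.local_port)
        elif c.state == "ESTABLISHED":
            summary[c.pid]["established"].append((c.remote_ip, c.remote_port))
    for entry in summary.values():
        entry["listening"].sort()
        entry["established"].sort()
    return dict(summary)

if __name__ == "__main__":
    for pid, entry in sorted(summarize_by_pid(parse_netstat(SAMPLE_NETSTAT)).items()):
        print(pid, entry)
```

In the sample, PID 3412 both listens on a non-standard port and holds an outbound connection to port 6667, the kind of pairing worth checking against the process list.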
Examining Process Memory
Running processes could be suspicious or malicious in nature
Process Explorer can be used to check whether a process is malicious or suspicious
Process Explorer shows information about the handles opened and the DLLs loaded by each process
If a process is suspicious, the investigator gathers more information by dumping the memory used by the process with tools such as ProcDump and Process Dumper
The tool comes with built-in VirusTotal support to check whether a running process is malicious
Collecting Network Status
Collect information of the network interface
cards (NICs) of a system to know whether the
system is connected to a wireless access point
and what IP address is being used
Tools for the network status detection are:
ipconfig command
PromiscDetect tool
Promqry tool
Such data usually resides on the hard drive (swap file, slack space, unallocated drive space, etc.)
Windows Search Index Analysis
Windows Search Index uses ESE data
storage technology to store its data
Slack Space
Memory
Investigating the data present in the registry helps forensic investigators obtain information on installed software and hardware driver configuration settings, track suspicious user activity, etc.
The volatile hives are captured during live analysis of the system while the
non-volatile hives are stored on the hard drive
Windows Registry
HKEY_USERS: It contains all the actively loaded user profiles for that system
The various components of the registry, called "cells", each have a specific structure and contain a specific type of information
Types of cells:
Windows Registry Forensic Analysis
Cache, Cookie, and History Recorded in Web Browsers
Cache, Cookie, and History Analysis
ChromeCacheView is a small utility that reads the cache folder of Google Chrome and displays the list of all files currently stored in the cache
It displays information such as URL, Content Type, File Size, Last Accessed Time, Expiration Time, Server Name, and Server Response
https://www.nirsoft.net
Cache, Cookie, and History Analysis: Google Chrome
Windows Files
and Metadata
Examine Windows Files and Metadata
Rp.log is the restore point log file located within the restore point (RPxx) directory
It includes a value indicating the type of the restore point, a descriptive name for the restore point creation event, and a 64-bit FILETIME object indicating when the restore point was created
System restore points are created when applications and unsigned drivers are installed, when an automatic update is installed, and when a restore operation is performed
The description of the event that caused the restore point creation is written to the rp.log file, so this log file helps the investigator notice the date when an application was installed or removed
System Restore Points (Rp.log Files)
File changes are recorded in the change.log files, which are located in the restore point directories
When a change to a monitored file is detected by the restore point file system driver, the original filename is entered into the change.log file along with a sequence number, the type of change that occurred, etc.
The monitored file is preserved by copying it to the restore point directory and renaming it in the format Axxxxxxx.ext, where x represents a sequence number and .ext is the file's original extension
When the system is restarted, the first change.log file is appended with a sequence number and a new change.log file is created
Prefetch Files
When a user installs an application, runs it, and deletes it, traces of that application can still be found in the Prefetch directory
The DWORD value at offset 144 within the file corresponds to the number of times the application has been launched
The DWORD value at offset 120 within the file corresponds to the last time the application was run; this value is stored in UTC format
Information from the .pf file can be correlated with registry or Event Log information to determine who was logged on to the system, who was running which applications, etc.
Prefetch Files
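To make the slide's two offsets concrete, here is an added parser (not part of the course material) that reads the run count at offset 144 and the last-run timestamp at offset 120 from a .pf header; it assumes the XP-era (version 17) layout those offsets describe and treats the timestamp as a 64-bit FILETIME, and the .pf header it parses is constructed in the block rather than taken from a real system:

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets stated on the slide (assumed to be the version-17 / XP-era .pf layout):
# last-run FILETIME at 120 (0x78), run count at 144 (0x90).
LAST_RUN_OFFSET = 120
RUN_COUNT_OFFSET = 144
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME = 100-ns ticks since 1601

def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used only to build the constructed sample)."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10

def parse_prefetch(data):
    """Return (executable name, last run time in UTC, run count) from a .pf header."""
    if len(data) < RUN_COUNT_OFFSET + 4 or data[4:8] != b"SCCA":
        raise ValueError("not a prefetch file: bad size or missing SCCA signature")
    # Executable name: 60 bytes of UTF-16LE at offset 16, NUL-terminated
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    (last_run,) = struct.unpack_from("<Q", data, LAST_RUN_OFFSET)
    (run_count,) = struct.unpack_from("<I", data, RUN_COUNT_OFFSET)
    return name, filetime_to_datetime(last_run), run_count

def build_sample_pf(name, last_run, run_count):
    """Construct a minimal header carrying only the fields this example reads (not a real file)."""
    buf = bytearray(160)
    buf[0:4] = struct.pack("<I", 17)          # format version 17 (XP / 2003)
    buf[4:8] = b"SCCA"                        # signature
    encoded = name.encode("utf-16-le")
    buf[16:16 + len(encoded)] = encoded
    struct.pack_into("<Q", buf, LAST_RUN_OFFSET, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, RUN_COUNT_OFFSET, run_count)
    return bytes(buf)

# Constructed sample: CMD.EXE run 7 times, last on 2024-03-05 10:15:30 UTC
SAMPLE_PF = build_sample_pf("CMD.EXE", datetime(2024, 3, 5, 10, 15, 30, tzinfo=timezone.utc), 7)

if __name__ == "__main__":
    exe, last_run, count = parse_prefetch(SAMPLE_PF)
    print(f"{exe}: run {count} times, last run {last_run.isoformat()}")
```

Because the timestamp is UTC, convert it to the machine's local time zone before lining it up with FAT timestamps or with events a user reported in local time.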
The most commonly known metadata about files on Windows systems are
the files’ MAC times; MAC stands for modified, accessed, and created
The MAC times are time stamps that refer to the time at which the file was
last modified, last accessed, and originally created
MAC times are managed by the OS depending on the file system used
On the FAT file system, times are stored based on the local time of the
computer system
NTFS file system stores MAC times in Coordinated Universal Time (UTC)
format
Examine how the timestamps are affected by various move and copy actions
Metadata in Different File Systems
Module Summary