1 / 87

Computer Forensics

Computer Forensics. Chapter 3. Understanding the Windows Registry. *. Understanding the Windows Registry. Registry A database that stores hardware and software configuration information, network connections, user preferences, and setup information

leigh
Télécharger la présentation

Computer Forensics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer Forensics Chapter 3

  2. Understanding the Windows Registry *

  3. Understanding the Windows Registry • Registry • A database that stores hardware and software configuration information, network connections, user preferences, and setup information • For investigative purposes, the Registry can contain valuable evidence • To view the Registry, you can use: • Regedit (Registry Editor) program for Windows 9x systems • Regedt32 for Windows 2000 and XP

  4. Exploring the Organization of the Windows Registry • Registry terminology: • Registry • Registry Editor • HKEY • Key • Subkey • Branch • Value • Default value • Hives

  5. Exploring the Organization of the Windows Registry (continued)

  6. Exploring the Organization of the Windows Registry (continued)

  7. Understanding Microsoft Startup Tasks *

  8. Understanding Microsoft Startup Tasks • Learn what files are accessed when Windows starts • This information helps you determine when a suspect’s computer was last accessed • Important with computers that might have been used after an incident was reported

  9. Startup in Windows NT and Later • All Windows NT computers perform the following steps when the computer is turned on: • Power-on self test (POST) • Initial startup • Boot loader • Hardware detection and configuration • Kernel loading • User logon

  10. Startup Process for Windows Vista • Uses the new Extensible Firmware Interface ( EFI) as well as the older BIOS sys-tem. • NT Loader (NTLDR) has been replaced by three boot utilities • Bootmgr.exe—displays list of operating systems • Winload.exe—loads kernel, HAL, and drivers • Winresume.exe—restarts Vista after hibernation • See link Ch 6g

  11. Startup Files for Windows XP • NT Loader (NTLDR) • Boot.ini • BootSect.dos • NTDetect.com • NTBootdd.sys • Ntoskrnl.exe • Hal.dll • Pagefile.sys • Device drivers

  12. Startup in Windows NT and Later (continued) • Windows XP System Files

  13. Startup in Windows NT and Later (continued) • Contamination Concerns with Windows XP • When you start a Windows XP NTFS workstation, several files are accessed immediately • The last access date and time stamp for the files change to the current date and time • Destroys any potential evidence • That shows when a Windows XP workstation was last used

  14. Startup in Windows 9x/Me • System files in Windows 9x/Me containing valuable information can be altered easily during startup • Windows 9x and Windows Me have similar boot processes • Windows 9x OSs have two modes: • DOS protected-mode interface (DPMI) • Protected-mode GUI

  15. Startup in Windows 9x/Me (continued) • The system files used by Windows 9x have their origin in MS-DOS 6.22 • Io.sys communicates between a computer’s BIOS, the hardware, and the OS kernel • If F8 is pressed during startup, Io.sys loads the Windows Startup menu • Msdos.sys is a hidden text file containing startup options for Windows 9x • Command.com provides a command prompt when booting to MS-DOS mode (DPMI)

  16. Understanding MS-DOS Startup Tasks *

  17. Understanding MS-DOS Startup Tasks • Two files are used to configure MS-DOS at startup: • Config.sys • A text file containing commands that typically run only at system startup to enhance the computer’s DOS configuration • Autoexec.bat • A batch file containing customized settings for MS-DOS that runs automatically • Io.sys is the first file loaded after the ROM bootstrap loader finds the disk drive

  18. Understanding MS-DOS Startup Tasks (continued) • Msdos.sys is the second program to load into RAM immediately after Io.sys • It looks for the Config.sys file to configure device drivers and other settings • Msdos.sys then loads Command.com • As the loading of Command.com nears completion, Msdos.sys looks for and loads Autoexec.bat

  19. Other Disk Operating Systems • Control Program for Microprocessors (CP/M) • First nonspecific microcomputer OS • Created by Digital Research in 1970 • 8-inch floppy drives; no support for hard drives • Digital Research Disk Operating System (DR-DOS) • Developed in 1988 to compete with MS-DOS • Used FAT12 and FAT16 and had a richer command environment

  20. Other Disk Operating Systems (continued) • Personal Computer Disk Operating System (PC-DOS) • Created by Microsoft under contract for IBM • PC-DOS works much like MS-DOS

  21. Determining What Data to Collect and Analyze *

  22. Determining What Data to Collect and Analyze • Examining and analyzing digital evidence depends on: • Nature of the case • Amount of data to process • Search warrants and court orders • Company policies • Scope creep • Investigation expands beyond the original description • Right of full discovery of digital evidence

  23. Approaching Computer Forensics Cases • Some basic principles apply to almost all computer forensics cases • The approach you take depends largely on the specific type of case you’re investigating • Basic steps for all computer forensics investigations • For target drives, use only recently wiped media that have been reformatted • And inspected for computer viruses

  24. Approaching Computer Forensics Cases (continued) • Basic steps for all computer forensics investigations (continued) • Inventory the hardware on the suspect’s computer and note the condition of the computer when seized • Remove the original drive from the computer • Check date and time values in the system’s CMOS • Record how you acquired data from the suspect drive • Process the data methodically and logically

  25. Approaching Computer Forensics Cases (continued) • Basic steps for all computer forensics investigations (continued) • List all folders and files on the image or drive • If possible, examine the contents of all data files in all folders • Starting at the root directory of the volume partition • For all password-protected files that might be related to the investigation • Make your best effort to recover file contents

  26. Approaching Computer Forensics Cases (continued) • Basic steps for all computer forensics investigations (continued) • Identify the function of every executable (binary or .exe) file that doesn’t match known hash values • Maintain control of all evidence and findings, and document everything as you progress through your examination

  27. Refining and Modifying the Investigation Plan • Considerations • Determine the scope of the investigation • Determine what the case requires • Whether you should collect all information • What to do in case of scope creep • The key is to start with a plan but remain flexible in the face of new evidence

  28. Using AccessData Forensic Toolkit to Analyze Data • Supported file systems: FAT12/16/32, NTFS, Ext2fs, and Ext3fs • FTK can analyze data from several sources, including image files from other vendors • FTK produces a case log file • Searching for keywords • Indexed search • Live search • Supports options and advanced searching techniques, such as stemming

  29. Using AccessData Forensic Toolkit to Analyze Data (continued)

  30. Using AccessData Forensic Toolkit to Analyze Data (continued)

  31. Using AccessData Forensic Toolkit to Analyze Data (continued) • Analyzes compressed files • You can generate reports • Using bookmarks

  32. Using AccessData Forensic Toolkit to Analyze Data (continued)

  33. Locating and Recovering Graphics Files *

  34. Locating and Recovering Graphics Files • Operating system tools • Time consuming • Results are difficult to verify • Computer forensics tools • Image headers • Compare them with good header samples • Use header information to create a baseline analysis • Reconstruct fragmented image files • Identify data patterns and modified headers

  35. Identifying Graphics File Fragments • Carving or salvaging • Recovering all file fragments • Computer forensics tools • Carve from slack and free space • Help identify image files fragments and put them together

  36. Repairing Damaged Headers • Use good header samples • Each image file has a unique file header • JPEG: FF D8 FF E0 00 10 • Most JPEG files also include JFIF string • Exercise: • Investigate a possible intellectual property theft by a contract employee of Exotic Mountain Tour Service (EMTS)

  37. Searching for and Carving Data from Unallocated Space

  38. Searching for and Carving Data from Unallocated Space (continued)

  39. Searching for and Carving Data from Unallocated Space (continued) • Steps • Planning your examination • Searching for and recovering digital photograph evidence • Use ProDiscover to search for and extract (recover) possible evidence of JPEG files • False hits are referred to as false positives

  40. Searching for and Carving Data from Unallocated Space (continued)

  41. Searching for and Carving Data from Unallocated Space (continued)

  42. Searching for and Carving Data from Unallocated Space (continued)

  43. Searching for and Carving Data from Unallocated Space (continued)

  44. Searching for and Carving Data from Unallocated Space (continued)

  45. Rebuilding File Headers • Try to open the file first and follow steps if you can’t see its content • Steps • Recover more pieces of file if needed • Examine file header • Compare with a good header sample • Manually insert correct hexadecimal values • Test corrected file

  46. Rebuilding File Headers (continued)

  47. Rebuilding File Headers (continued)

More Related