SlideShare une entreprise Scribd logo

Windows 10 Forensics: OS Evidentiary Artefacts

Télécharger en tant que PPTX, PDF
Brent Muir
Brent Muir

OS and application forensic artefacts related to Windows 10.

Technologie
1  sur  43
Windows 10 Forensics OS Evidentiary Artefacts Version 1.5 (Build 10240) Brent Muir – 2015
Topics OS Artefacts : ▫ File Systems / Partitions ▫ Registry Hives ▫ Event Logs ▫ Prefetch ▫ Shellbags ▫ LNK Shortcuts ▫ Thumbcache ▫ Recycle Bin ▫ Volume Shadow Copies ▫ Windows Indexing Service ▫ Cortana (Search) ▫ Notification Centre ▫ Picture Password Application Artefacts: ▫ Windows Store ▫ Edge Browser (previously Spartan)  Legacy Internet Explorer ▫ Email (Mail application) ▫ Unified Communication  Twitter  Skype  OneDrive ▫ Microsoft Office Apps  Word  Excel  PowerPoint  OneNote ▫ Maps
Part 1
File Systems / Partitions • Supported File Systems: ▫ NTFS, Fat32, ExFat • Default Partition structure: ▫ “Windows” – core OS (NTFS) ▫ “Recovery” (NTFS) ▫ “Reserved” ▫ “System” – UEFI (Fat32) ▫ “Recovery Image” (NTFS)
Registry Hives • Registry hives format has not changed ▫ Can be examined with numerous tools (e.g. RegistryBrowser, RegistryViewer, X-Ways Forensics, etc.) • Location of important registry hives: ▫ Usersuser_nameNTUSER.DAT ▫ WindowsSystem32configDEFAULT ▫ WindowsSystem32configSAM ▫ WindowsSystem32configSECURITY ▫ WindowsSystem32configSOFTWARE ▫ WindowsSystem32configSYSTEM
Event Logs • EVTX log format has not changed ▫ Can be examined with numerous tools (e.g. X-Ways Forensics, etc.) • Location of EVTX logs: ▫ WindowsSystem32winevtLogs
Event Logs – Windows Store • WindowsSystem32winevtLogsMicrosoft- Windows-Store%4Operational.evtx Source EventID Category Function Microsoft- Windows-Install- Agent 2002 2001 Installing application Windows- ApplicationModel- Store-SDK 5 5 Search query strings (e.g. query=twitter)
Event Logs – Windows Store • WindowsSystem32winevtLogsMicrosoft- Windows-AppXDeploymentServer%4Operational.evtx Source EventID Category Function Microsoft- Windows- AppXDeploy ment-Server 10002 3 Application deployment
Prefetch • Location of Prefetch files: ▫ WindowsPrefetch
Shellbags • NTUSER.dat ▫ SOFTWAREMicrosoftWindowsShellBags • UsrClass.dat
LNK Shortcuts • LNK format has not changed ▫ Can be examined with numerous tools (e.g. X-Ways Forensics, etc.) • Useful fields: ▫ Hostname ▫ MAC Address ▫ Volume ID ▫ Owner SID ▫ MAC Times
Thumbcache • Location of Thumbcache files: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsExplorer
Recycle Bin • Recycle Bin artefacts have not changed ▫ $I  Still provides original file name and path ▫ $R  Original file
Volume Shadow Copies • vssadmin tool still provides list of current VSCs
Windows Indexing Service • Windows indexing service is an evidentiary gold mine ▫ Potentially storing emails and other binary items  Great as dictionary list for password cracking • Stored in an .EDB file ▫ Can be interpreted by EseDbViewer, ESEDatabaseView or X- Ways Forensics  If “dirty” dismount, need to use esentutl.exe • In Windows 10 stored in the following directory: ▫ C:ProgramDataMicrosoftSearchDataApplicationsWindo wsWindows.edb
Cortana • Windows 10 features “Cortana”, a personal assistant, which expands upon the unified search platform introduced in Windows 8, ▫ Search encompasses local files, Windows Store & online content ▫ Can set reminders ▫ Can initiate contact (e.g. write emails) • Cortana Databases (EDBs): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Windows.Cortana_xxxxAp pDataIndexed DBIndexedDB.edb ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Windows.Cortana_xxxxLoc alStateESEDatabase_CortanaCoreInstanceCortanaCireDb.dat  Interesting Tables:  LocationTriggers ▫ Latitude/Longitude and Name of place results  Geofences ▫ Latitude/Longitude for where location based reminders are triggered  Reminders ▫ Creation and completion time (UNIX numeric value)
Cortana • The following databases contain a list of contacts synched from email accounts: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Windows.Cortana_xxxxLocalStateContacts_xxxxx.cfg ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Windows.Cortana_xxxxLocalStateContacts_xxxxx.cfg.tx t
Notification Centre • The following databases contain a list of notifications: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsNotificationsappdb.dat  Toast notifications are stored in embedded XML
Picture Password • “Picture Password” is an alternate login method where gestures on top of a picture are used as a password • This registry key details the path to the location of the “Picture Password” file: ▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrent VersionAuthenticationLogonUIPicturePassworduser_GUID • Path of locally stored Picture Password file: ▫ C:ProgramDataMicrosoftWindowsSystemDatauser_GUIDRe adOnlyPicturePasswordbackground.png
Part 2
Applications (Apps) • Applications (Apps) that utilise the Metro Modern UI are treated differently to programs that work in desktop mode • Apps are installed in the following directory: ▫ Program FilesWindowsApps • Settings and configuration DBs are located in following directories: ▫ Usersuser_nameAppDataLocalPackagespackage_nameLocalSt ate  Two DB formats:  SQLite DBs (.SQL)  Jet DBs (.EDB)
Windows Store • Apps are purchased/installed via the Windows Store • During the Insider Preview their was a Beta Store which contained Windows 10 –compatible Apps (e.g. Microsoft Office Apps) • Registry key of installed applications: ▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionApp xAppxAllUserStoreApplications • List of deleted applications: ▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionApp xAppxAllUserStoreDeleted
Edge Browser • New web browser and rendering engine (Spartan) • Same as IE10, records no longer stored in Index.DAT files, stored in EDB • Edge settings are stored in the following file: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxxACMicroso ftEdgeUserDefaultDataStoreDatanouser1xxxxxDBStorespartan.edb • Edge cache stored in the following directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxAC#!001M icrosoftEdgeCache • Last active browsing session stored: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxACMicrosoft EdgeUserDefaultRecoveryActive
Browser History Records • Edge (and IE) history records stored in the following database: ▫ Usersuser_nameAppDataLocalMicrosoftWind owsWebCacheWebCacheV01.dat  This is actually an .EDB file  Can be interpreted by EseDbViewer or ESEDatabaseView  Might be a “dirty” dismount, need to use esentutl.exe  Database also stores Cookies
Internet Explorer (legacy) • Internet Cache stored in this directory: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsINetCache • Internet Cookies stored in this directory: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsINetCookies
Email (Mail application) • Body of emails are stored in TXT or HTML format ▫ Can be analysed by a number of tools ▫ Stored in the following directory:  Usersuser_nameAppDataLocalCommsUnistoredata • Metadata of emails are stored in the following DB (EDB format): ▫ Usersuser_nameAppDataLocalCommsUnistoreDBstore.vol  Attachments  Email header  Contact information
Unified Communication • Unified Communication (UC) is a built-in Microsoft application that brings together all of the following social media platforms (by default): ▫ Appears to be scaled back from Windows 8.x (less integrated as previous People App) • UC settings are stored in the following DB: ▫ Usersuser_nameAppDataLocalPackagesmicro soft.windowscommunicationsapps…LocalStatelivec omm.edb
Unified Communication • Interesting Tables: ▫ Account  SourceID  List of accounts (e.g WL = Windows Live, Skype, TWITR, LI = LinkedIn)  DomainTag  Username for each account ▫ Contact  List of synched contacts across all account platforms ▫ Event  Calendar entries (including birthdays of contacts if synched to Windows Live) and locations ▫ MeContact  Further details about owner accounts ▫ Person and PersonLink  Further details about each contact including what account they link back to (e.g Skype)
Unified Communication • Locally cached contact entries are stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesmicrosoft.windowscom municationsapps_xxxxxLocalStateIndexedLiveCommxxxxxxxxxx PeopleAddressBook • Contact photos are stored in this directory (JPGs): ▫ Usersuser_nameAppDataLocalPackagesmicrosoft.windowscom municationsapps_xxxxLocalStateLiveCommxxxxxxxxUserTiles
Twitter App • History DB located in following file: ▫ Usersuser_nameAppDataLocalPackagesxxxx.Twitte r_xxxxxxxLocalStatetwitter_user_idtwitter.sqlite • SQLite3 format DB ▫ 11 Tables in DB  Relevant tables:  messages – holds tweets & DMs  search_queries – holds searches conducted in Twitter app by user  statuses – lists latest tweets from accounts being followed  users – lists user account and accounts being followed by user
Twitter App • Settings located in file: ▫ Usersuser_nameAppDataLocalPackagesxx xxx.Twitter_xxxxSettingssettings.dat  Includes user name (@xxxxx)  Details on profile picture URL  Twitter ID number
Skype App (legacy) • The Skype App was discontinued with Windows 10 ▫ Windows 10 prompts you to download the desktop Skype application
OneDrive App • Built-in by default, API allows all programs to save files in OneDrive • List of Synced items located in file: ▫ Usersuser_nameAppDataLocalMicrosoftWind owsOneDrivesettingsxxxxxxxx.dat • Locally cached items are stored in directory: ▫ Usersuser_nameOneDrive
Microsoft Office Apps • With the release of the Windows Insider program Microsoft introduced the Office Mobile Apps ▫ If you have a valid Office365 account then you can edit and create documents  Otherwise these Apps are read-only
Word App • List of recent documents stored in the following file (XML): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Word_xxxxLocalStateAppDataLocalOffice16.0 MruServiceCachexxxx_LiveIdExcelDocuments_en-AU • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Word_xxxxLocalStateOfficeFileCache  Files stored as .FSD extension  actually data embedded  Can be manually carved from FSD file
Excel App • List of recent documents stored in the following file (XML): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Excel_xxxxLocalStateAppDataLocalOffice16.0 MruServiceCachexxxx_LiveIdExcelDocuments_en-AU • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Excel_xxxxLocalStateOfficeFileCache  Files stored as .FSD extension  actually data embedded  Can be manually carved from FSD file
PowerPoint App • List of recent documents stored in the following file (XML): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Office. PowerPoint_xxxxLocalStateAppDataLocalOffice16.0Mru ServiceCachexxxx_LiveIdExcelDocuments_en-AU • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Office. PowerPoint_xxxxLocalStateOfficeFileCache  Files stored as .FSD extension  actually data embedded  Can be manually carved from FSD file
OneNote App • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Of fice.OneNote_xxxxLocalStateAppDataLocalOneNote1 6.0 • Files stored as xxxx.bin extension ▫ Encoded binary files ▫ Embedded graphics such as PNG or JPG
Maps App • Recent places stored in this file (XML): ▫ Usersuser_nameAppDataLocalPackagesM icrosoft.WindowsMaps_xxxxLocalStateGraph xxxxMe00000000.ttl  Latitude/Longitude  Dates modified (searched)
Part 3
Memory Acquisition • WinPMEM (tested versions 1.6.2 & 2.0.1) ▫ Run as Administrator  Has to extract driver to local temp location  V1.6.2 running process ~10MB  V2.0.1 running process ~80MB • FTK Imager ▫ Run as Administrator  Running process ~15MB
Live Disk Acquisition • FTK Imager ▫ Can be used for Physical or Logical acquisition • X-Ways Forensics ▫ Can be used for Physical or Logical acquisition
Resources • FTK Imager ▫ http://accessdata.com/product-download?/support/product- downloads • Nirsoft ESEDatabaseView ▫ http://www.nirsoft.net/utils/ese_database_view.html • RegistryBrowser ▫ https://lockandcode.com/software/registry_browser • WinPMEM ▫ https://github.com/google/rekall/releases

Recommandé

Windows forensic
Windows forensicWindows forensic
Windows forensicMD SAQUIB KHAN
 
Disk forensics
Disk forensicsDisk forensics
Disk forensicsChiawei Wang
 
Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Brent Muir
 
Windowsforensics
WindowsforensicsWindowsforensics
WindowsforensicsSantosh Khadsare
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensicsTaha İslam YILMAZ
 
Computer Forensics & Windows Registry
Computer Forensics & Windows RegistryComputer Forensics & Windows Registry
Computer Forensics & Windows Registrysomutripathi
 
Registry forensics
Registry forensicsRegistry forensics
Registry forensicsPrince Boonlia
 
Windows Forensics
Windows ForensicsWindows Forensics
Windows ForensicsPrince Boonlia
 

Recommandé

Windows forensic
Windows forensicWindows forensic
Windows forensicMD SAQUIB KHAN
 
Disk forensics
Disk forensicsDisk forensics
Disk forensicsChiawei Wang
 
Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Brent Muir
 
Windowsforensics
WindowsforensicsWindowsforensics
WindowsforensicsSantosh Khadsare
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensicsTaha İslam YILMAZ
 
Computer Forensics & Windows Registry
Computer Forensics & Windows RegistryComputer Forensics & Windows Registry
Computer Forensics & Windows Registrysomutripathi
 
Registry forensics
Registry forensicsRegistry forensics
Registry forensicsPrince Boonlia
 
Windows Forensics
Windows ForensicsWindows Forensics
Windows ForensicsPrince Boonlia
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3CTIN
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifactsn|u - The Open Security Community
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Mac Forensics
Mac ForensicsMac Forensics
Mac ForensicsCTIN
 
Windows Registry
Windows RegistryWindows Registry
Windows Registryprimeteacher32
 
File system
File systemFile system
File systemHarleen Johal
 
Ntfs forensics
Ntfs forensicsNtfs forensics
Ntfs forensicsn|u - The Open Security Community
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101Digit Oktavianto
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkKapil Soni
 
Registry Forensics
Registry ForensicsRegistry Forensics
Registry ForensicsSomesh Sawhney
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 
IBM QRadar WinCollector - Managed Vs Stand Alone
IBM QRadar WinCollector - Managed Vs Stand AloneIBM QRadar WinCollector - Managed Vs Stand Alone
IBM QRadar WinCollector - Managed Vs Stand AloneMuhammad Abdel Aal
 
File System FAT And NTFS
File System FAT And NTFSFile System FAT And NTFS
File System FAT And NTFSInocentshuja Ahmad
 
Anti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsAnti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsgaurang17
 
Windows Registry Analysis
Windows Registry AnalysisWindows Registry Analysis
Windows Registry AnalysisHimanshu0734
 
Windows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicWindows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicCTIN
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
 
Windows Registry Forensics - Artifacts
Windows Registry Forensics - Artifacts Windows Registry Forensics - Artifacts
Windows Registry Forensics - Artifacts MD SAQUIB KHAN
 
Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3CTIN
 
Raidprep
RaidprepRaidprep
RaidprepCTIN
 

Contenu connexe

Tendances

Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3CTIN
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Mac Forensics
Mac ForensicsMac Forensics
Mac ForensicsCTIN
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkKapil Soni
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 
IBM QRadar WinCollector - Managed Vs Stand Alone
IBM QRadar WinCollector - Managed Vs Stand AloneIBM QRadar WinCollector - Managed Vs Stand Alone
IBM QRadar WinCollector - Managed Vs Stand AloneMuhammad Abdel Aal
 
Anti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsAnti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsgaurang17
 
Windows Registry Analysis
Windows Registry AnalysisWindows Registry Analysis
Windows Registry AnalysisHimanshu0734
 
Windows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicWindows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicCTIN
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
 
Windows Registry Forensics - Artifacts
Windows Registry Forensics - Artifacts Windows Registry Forensics - Artifacts
Windows Registry Forensics - Artifacts MD SAQUIB KHAN
 

Tendances (20)

Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
 
Mac Forensics
Mac ForensicsMac Forensics
Mac Forensics
 
Windows Registry
Windows RegistryWindows Registry
Windows Registry
 
File system
File systemFile system
File system
 
Ntfs forensics
Ntfs forensicsNtfs forensics
Ntfs forensics
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility Framework
 
Registry Forensics
Registry ForensicsRegistry Forensics
Registry Forensics
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
 
IBM QRadar WinCollector - Managed Vs Stand Alone
IBM QRadar WinCollector - Managed Vs Stand AloneIBM QRadar WinCollector - Managed Vs Stand Alone
IBM QRadar WinCollector - Managed Vs Stand Alone
 
File System FAT And NTFS
File System FAT And NTFSFile System FAT And NTFS
File System FAT And NTFS
 
Anti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsAnti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifacts
 
Windows Registry Analysis
Windows Registry AnalysisWindows Registry Analysis
Windows Registry Analysis
 
Windows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicWindows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-public
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
 
Windows Registry Forensics - Artifacts
Windows Registry Forensics - Artifacts Windows Registry Forensics - Artifacts
Windows Registry Forensics - Artifacts
 

En vedette

Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3CTIN
 
Raidprep
RaidprepRaidprep
RaidprepCTIN
 
File Management Presentation
File Management PresentationFile Management Presentation
File Management PresentationSgtMasterGunz
 
www.indonezia.net Hacking Windows Registry
www.indonezia.net Hacking Windows Registrywww.indonezia.net Hacking Windows Registry
www.indonezia.net Hacking Windows RegistryChandra Pr. Singh
 
Computer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP KhartoumComputer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP KhartoumOWASP Khartoum
 
F Database
F DatabaseF Database
F DatabaseCTIN
 
Forensic Anaysis on Twitter
Forensic Anaysis on TwitterForensic Anaysis on Twitter
Forensic Anaysis on TwitterYansi Keim
 
Live Forensics
Live ForensicsLive Forensics
Live ForensicsCTIN
 
Sleuth kit by echavarro - HABEMUSHACKING
Sleuth kit by echavarro - HABEMUSHACKINGSleuth kit by echavarro - HABEMUSHACKING
Sleuth kit by echavarro - HABEMUSHACKINGEduardo Chavarro
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaCTIN
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierBasis Technology
 
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformAutopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformBasis Technology
 
Become an Internet Sleuth!
Become an Internet Sleuth!Become an Internet Sleuth!
Become an Internet Sleuth!Nearpod
 
Installation of Joomla on Windows XP
Installation of Joomla on Windows XPInstallation of Joomla on Windows XP
Installation of Joomla on Windows XPRupesh Kumar
 
Part6 Private Sector Concerns
Part6 Private Sector ConcernsPart6 Private Sector Concerns
Part6 Private Sector ConcernsCTIN
 
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...Mark Matienzo
 
Social Media Forensics for Investigators
Social Media Forensics for InvestigatorsSocial Media Forensics for Investigators
Social Media Forensics for InvestigatorsCase IQ
 

En vedette (20)

Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3
 
Raidprep
RaidprepRaidprep
Raidprep
 
File Management Presentation
File Management PresentationFile Management Presentation
File Management Presentation
 
Cheatsheet of msdos
Cheatsheet of msdosCheatsheet of msdos
Cheatsheet of msdos
 
www.indonezia.net Hacking Windows Registry
www.indonezia.net Hacking Windows Registrywww.indonezia.net Hacking Windows Registry
www.indonezia.net Hacking Windows Registry
 
Computer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP KhartoumComputer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP Khartoum
 
F Database
F DatabaseF Database
F Database
 
Forensic Anaysis on Twitter
Forensic Anaysis on TwitterForensic Anaysis on Twitter
Forensic Anaysis on Twitter
 
Live Forensics
Live ForensicsLive Forensics
Live Forensics
 
Sleuth kit by echavarro - HABEMUSHACKING
Sleuth kit by echavarro - HABEMUSHACKINGSleuth kit by echavarro - HABEMUSHACKING
Sleuth kit by echavarro - HABEMUSHACKING
 
Netcat cheat sheet
Netcat cheat sheetNetcat cheat sheet
Netcat cheat sheet
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
 
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformAutopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
 
Become an Internet Sleuth!
Become an Internet Sleuth!Become an Internet Sleuth!
Become an Internet Sleuth!
 
Installation of Joomla on Windows XP
Installation of Joomla on Windows XPInstallation of Joomla on Windows XP
Installation of Joomla on Windows XP
 
Part6 Private Sector Concerns
Part6 Private Sector ConcernsPart6 Private Sector Concerns
Part6 Private Sector Concerns
 
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
 
Social Media Forensics for Investigators
Social Media Forensics for InvestigatorsSocial Media Forensics for Investigators
Social Media Forensics for Investigators
 
Digital forensic upload
Digital forensic uploadDigital forensic upload
Digital forensic upload
 

Similaire à Windows 10 Forensics: OS Evidentiary Artefacts

Windows RT Evidentiary Artefacts 1.0
Windows RT Evidentiary Artefacts 1.0Windows RT Evidentiary Artefacts 1.0
Windows RT Evidentiary Artefacts 1.0Brent Muir
 
Extracting and analyzing browser,email and IM artifacts
Extracting and analyzing browser,email and IM artifactsExtracting and analyzing browser,email and IM artifacts
Extracting and analyzing browser,email and IM artifactsMarco Alamanni
 
Vista Forensics
Vista ForensicsVista Forensics
Vista ForensicsCTIN
 
CNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsCNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsSam Bowne
 
Windows 10 Data Recovery
Windows 10 Data RecoveryWindows 10 Data Recovery
Windows 10 Data RecoveryRemo Recover
 
IIS 6 - General System Administration Overview
IIS 6 - General System Administration OverviewIIS 6 - General System Administration Overview
IIS 6 - General System Administration OverviewInformation Technology
 
Unesco information storage and retrievals tools
Unesco information storage and retrievals toolsUnesco information storage and retrievals tools
Unesco information storage and retrievals toolsLiaquat Rahoo
 
Bri forum advanced web interface customizations
Bri forum advanced web interface customizationsBri forum advanced web interface customizations
Bri forum advanced web interface customizationsCCOSTAN
 
Vistaceic2007 from CEIC 2007
Vistaceic2007 from CEIC 2007Vistaceic2007 from CEIC 2007
Vistaceic2007 from CEIC 2007KarlFrank99
 
Internet Explorer 8
Internet Explorer 8Internet Explorer 8
Internet Explorer 8David Chou
 
CNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsCNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsSam Bowne
 
Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxJohnnyPlasten
 
Implemeting Sencha Ext JS in Drupal
Implemeting Sencha Ext JS in Drupal Implemeting Sencha Ext JS in Drupal
Implemeting Sencha Ext JS in Drupaldrupalsydney
 
CNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X SystemsCNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X SystemsSam Bowne
 
Advanced Web Interface Customizations - BriForum 2010
Advanced Web Interface Customizations - BriForum 2010Advanced Web Interface Customizations - BriForum 2010
Advanced Web Interface Customizations - BriForum 2010shoesing
 

Similaire à Windows 10 Forensics: OS Evidentiary Artefacts (20)

Windows RT Evidentiary Artefacts 1.0
Windows RT Evidentiary Artefacts 1.0Windows RT Evidentiary Artefacts 1.0
Windows RT Evidentiary Artefacts 1.0
 
WindowsRegistry.ppt
WindowsRegistry.pptWindowsRegistry.ppt
WindowsRegistry.ppt
 
Extracting and analyzing browser,email and IM artifacts
Extracting and analyzing browser,email and IM artifactsExtracting and analyzing browser,email and IM artifacts
Extracting and analyzing browser,email and IM artifacts
 
Vista Forensics
Vista ForensicsVista Forensics
Vista Forensics
 
CNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsCNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating Applications
 
Windows 10 Data Recovery
Windows 10 Data RecoveryWindows 10 Data Recovery
Windows 10 Data Recovery
 
IIS 6 - General System Administration Overview
IIS 6 - General System Administration OverviewIIS 6 - General System Administration Overview
IIS 6 - General System Administration Overview
 
windows.pptx
windows.pptxwindows.pptx
windows.pptx
 
Scaling / optimizing search on netlog
Scaling / optimizing search on netlogScaling / optimizing search on netlog
Scaling / optimizing search on netlog
 
Unesco information storage and retrievals tools
Unesco information storage and retrievals toolsUnesco information storage and retrievals tools
Unesco information storage and retrievals tools
 
Bri forum advanced web interface customizations
Bri forum advanced web interface customizationsBri forum advanced web interface customizations
Bri forum advanced web interface customizations
 
Vistaceic2007 from CEIC 2007
Vistaceic2007 from CEIC 2007Vistaceic2007 from CEIC 2007
Vistaceic2007 from CEIC 2007
 
Where to save my data, for devs!
Where to save my data, for devs!Where to save my data, for devs!
Where to save my data, for devs!
 
Internet Explorer 8
Internet Explorer 8Internet Explorer 8
Internet Explorer 8
 
CNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsCNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X Systems
 
Windows 1809 Timeline
Windows 1809 TimelineWindows 1809 Timeline
Windows 1809 Timeline
 
Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptx
 
Implemeting Sencha Ext JS in Drupal
Implemeting Sencha Ext JS in Drupal Implemeting Sencha Ext JS in Drupal
Implemeting Sencha Ext JS in Drupal
 
CNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X SystemsCNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X Systems
 
Advanced Web Interface Customizations - BriForum 2010
Advanced Web Interface Customizations - BriForum 2010Advanced Web Interface Customizations - BriForum 2010
Advanced Web Interface Customizations - BriForum 2010
 

Plus de Brent Muir

Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Brent Muir
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetBrent Muir
 
SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5Brent Muir
 
Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Brent Muir
 
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingSanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingBrent Muir
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolBrent Muir
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service AttacksBrent Muir
 
RFID Privacy & Security Issues
RFID Privacy & Security IssuesRFID Privacy & Security Issues
RFID Privacy & Security IssuesBrent Muir
 
TOR Packet Analysis - Locating Identifying Markers
TOR Packet Analysis - Locating Identifying MarkersTOR Packet Analysis - Locating Identifying Markers
TOR Packet Analysis - Locating Identifying MarkersBrent Muir
 
Malware SPAM - March 2013
Malware SPAM - March 2013Malware SPAM - March 2013
Malware SPAM - March 2013Brent Muir
 
Malware Spam February 2013
Malware Spam February 2013Malware Spam February 2013
Malware Spam February 2013Brent Muir
 
Booting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual boxBooting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual boxBrent Muir
 
Malware SPAM - January 2013
Malware SPAM - January 2013Malware SPAM - January 2013
Malware SPAM - January 2013Brent Muir
 
Trying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computingTrying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computingBrent Muir
 

Plus de Brent Muir (14)

Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring Budget
 
SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5
 
Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)
 
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingSanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage Tool
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service Attacks
 
RFID Privacy & Security Issues
RFID Privacy & Security IssuesRFID Privacy & Security Issues
RFID Privacy & Security Issues
 
TOR Packet Analysis - Locating Identifying Markers
TOR Packet Analysis - Locating Identifying MarkersTOR Packet Analysis - Locating Identifying Markers
TOR Packet Analysis - Locating Identifying Markers
 
Malware SPAM - March 2013
Malware SPAM - March 2013Malware SPAM - March 2013
Malware SPAM - March 2013
 
Malware Spam February 2013
Malware Spam February 2013Malware Spam February 2013
Malware Spam February 2013
 
Booting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual boxBooting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual box
 
Malware SPAM - January 2013
Malware SPAM - January 2013Malware SPAM - January 2013
Malware SPAM - January 2013
 
Trying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computingTrying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computing
 

Dernier

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 

Dernier (20)

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Windows 10 Forensics: OS Evidentiary Artefacts

  • 1. Windows 10 Forensics OS Evidentiary Artefacts Version 1.5 (Build 10240) Brent Muir – 2015
  • 2. Topics OS Artefacts : ▫ File Systems / Partitions ▫ Registry Hives ▫ Event Logs ▫ Prefetch ▫ Shellbags ▫ LNK Shortcuts ▫ Thumbcache ▫ Recycle Bin ▫ Volume Shadow Copies ▫ Windows Indexing Service ▫ Cortana (Search) ▫ Notification Centre ▫ Picture Password Application Artefacts: ▫ Windows Store ▫ Edge Browser (previously Spartan)  Legacy Internet Explorer ▫ Email (Mail application) ▫ Unified Communication  Twitter  Skype  OneDrive ▫ Microsoft Office Apps  Word  Excel  PowerPoint  OneNote ▫ Maps
  • 4. File Systems / Partitions • Supported File Systems: ▫ NTFS, Fat32, ExFat • Default Partition structure: ▫ “Windows” – core OS (NTFS) ▫ “Recovery” (NTFS) ▫ “Reserved” ▫ “System” – UEFI (Fat32) ▫ “Recovery Image” (NTFS)
  • 5. Registry Hives • Registry hives format has not changed ▫ Can be examined with numerous tools (e.g. RegistryBrowser, RegistryViewer, X-Ways Forensics, etc.) • Location of important registry hives: ▫ Usersuser_nameNTUSER.DAT ▫ WindowsSystem32configDEFAULT ▫ WindowsSystem32configSAM ▫ WindowsSystem32configSECURITY ▫ WindowsSystem32configSOFTWARE ▫ WindowsSystem32configSYSTEM
  • 6. Event Logs • EVTX log format has not changed ▫ Can be examined with numerous tools (e.g. X-Ways Forensics, etc.) • Location of EVTX logs: ▫ WindowsSystem32winevtLogs
  • 7. Event Logs – Windows Store • WindowsSystem32winevtLogsMicrosoft- Windows-Store%4Operational.evtx Source EventID Category Function Microsoft- Windows-Install- Agent 2002 2001 Installing application Windows- ApplicationModel- Store-SDK 5 5 Search query strings (e.g. query=twitter)
  • 8. Event Logs – Windows Store • WindowsSystem32winevtLogsMicrosoft- Windows-AppXDeploymentServer%4Operational.evtx Source EventID Category Function Microsoft- Windows- AppXDeploy ment-Server 10002 3 Application deployment
  • 9. Prefetch • Location of Prefetch files: ▫ WindowsPrefetch
  • 11. LNK Shortcuts • LNK format has not changed ▫ Can be examined with numerous tools (e.g. X-Ways Forensics, etc.) • Useful fields: ▫ Hostname ▫ MAC Address ▫ Volume ID ▫ Owner SID ▫ MAC Times
  • 12. Thumbcache • Location of Thumbcache files: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsExplorer
  • 13. Recycle Bin • Recycle Bin artefacts have not changed ▫ $I  Still provides original file name and path ▫ $R  Original file
  • 14. Volume Shadow Copies • vssadmin tool still provides list of current VSCs
  • 15. Windows Indexing Service • Windows indexing service is an evidentiary gold mine ▫ Potentially storing emails and other binary items  Great as dictionary list for password cracking • Stored in an .EDB file ▫ Can be interpreted by EseDbViewer, ESEDatabaseView or X- Ways Forensics  If “dirty” dismount, need to use esentutl.exe • In Windows 10 stored in the following directory: ▫ C:ProgramDataMicrosoftSearchDataApplicationsWindo wsWindows.edb
  • 16. Cortana • Windows 10 features “Cortana”, a personal assistant, which expands upon the unified search platform introduced in Windows 8, ▫ Search encompasses local files, Windows Store & online content ▫ Can set reminders ▫ Can initiate contact (e.g. write emails) • Cortana Databases (EDBs): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Windows.Cortana_xxxxAp pDataIndexed DBIndexedDB.edb ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Windows.Cortana_xxxxLoc alStateESEDatabase_CortanaCoreInstanceCortanaCireDb.dat  Interesting Tables:  LocationTriggers ▫ Latitude/Longitude and Name of place results  Geofences ▫ Latitude/Longitude for where location based reminders are triggered  Reminders ▫ Creation and completion time (UNIX numeric value)
  • 17. Cortana • The following databases contain a list of contacts synched from email accounts: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Windows.Cortana_xxxxLocalStateContacts_xxxxx.cfg ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Windows.Cortana_xxxxLocalStateContacts_xxxxx.cfg.tx t
  • 18. Notification Centre • The following databases contain a list of notifications: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsNotificationsappdb.dat  Toast notifications are stored in embedded XML
  • 19. Picture Password • “Picture Password” is an alternate login method where gestures on top of a picture are used as a password • This registry key details the path to the location of the “Picture Password” file: ▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrent VersionAuthenticationLogonUIPicturePassworduser_GUID • Path of locally stored Picture Password file: ▫ C:ProgramDataMicrosoftWindowsSystemDatauser_GUIDRe adOnlyPicturePasswordbackground.png
  • 21. Applications (Apps) • Applications (Apps) that utilise the Metro Modern UI are treated differently to programs that work in desktop mode • Apps are installed in the following directory: ▫ Program FilesWindowsApps • Settings and configuration DBs are located in following directories: ▫ Usersuser_nameAppDataLocalPackagespackage_nameLocalSt ate  Two DB formats:  SQLite DBs (.SQL)  Jet DBs (.EDB)
  • 22. Windows Store • Apps are purchased/installed via the Windows Store • During the Insider Preview their was a Beta Store which contained Windows 10 –compatible Apps (e.g. Microsoft Office Apps) • Registry key of installed applications: ▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionApp xAppxAllUserStoreApplications • List of deleted applications: ▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionApp xAppxAllUserStoreDeleted
  • 23. Edge Browser • New web browser and rendering engine (Spartan) • Same as IE10, records no longer stored in Index.DAT files, stored in EDB • Edge settings are stored in the following file: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxxACMicroso ftEdgeUserDefaultDataStoreDatanouser1xxxxxDBStorespartan.edb • Edge cache stored in the following directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxAC#!001M icrosoftEdgeCache • Last active browsing session stored: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxACMicrosoft EdgeUserDefaultRecoveryActive
  • 24. Browser History Records • Edge (and IE) history records stored in the following database: ▫ Usersuser_nameAppDataLocalMicrosoftWind owsWebCacheWebCacheV01.dat  This is actually an .EDB file  Can be interpreted by EseDbViewer or ESEDatabaseView  Might be a “dirty” dismount, need to use esentutl.exe  Database also stores Cookies
  • 25. Internet Explorer (legacy) • Internet Cache stored in this directory: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsINetCache • Internet Cookies stored in this directory: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsINetCookies
  • 26. Email (Mail application) • Body of emails are stored in TXT or HTML format ▫ Can be analysed by a number of tools ▫ Stored in the following directory:  Usersuser_nameAppDataLocalCommsUnistoredata • Metadata of emails are stored in the following DB (EDB format): ▫ Usersuser_nameAppDataLocalCommsUnistoreDBstore.vol  Attachments  Email header  Contact information
  • 27. Unified Communication • Unified Communication (UC) is a built-in Microsoft application that brings together all of the following social media platforms (by default): ▫ Appears to be scaled back from Windows 8.x (less integrated as previous People App) • UC settings are stored in the following DB: ▫ Usersuser_nameAppDataLocalPackagesmicro soft.windowscommunicationsapps…LocalStatelivec omm.edb
  • 28. Unified Communication • Interesting Tables: ▫ Account  SourceID  List of accounts (e.g WL = Windows Live, Skype, TWITR, LI = LinkedIn)  DomainTag  Username for each account ▫ Contact  List of synched contacts across all account platforms ▫ Event  Calendar entries (including birthdays of contacts if synched to Windows Live) and locations ▫ MeContact  Further details about owner accounts ▫ Person and PersonLink  Further details about each contact including what account they link back to (e.g Skype)
  • 29. Unified Communication • Locally cached contact entries are stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesmicrosoft.windowscom municationsapps_xxxxxLocalStateIndexedLiveCommxxxxxxxxxx PeopleAddressBook • Contact photos are stored in this directory (JPGs): ▫ Usersuser_nameAppDataLocalPackagesmicrosoft.windowscom municationsapps_xxxxLocalStateLiveCommxxxxxxxxUserTiles
  • 30. Twitter App • History DB located in following file: ▫ Usersuser_nameAppDataLocalPackagesxxxx.Twitte r_xxxxxxxLocalStatetwitter_user_idtwitter.sqlite • SQLite3 format DB ▫ 11 Tables in DB  Relevant tables:  messages – holds tweets & DMs  search_queries – holds searches conducted in Twitter app by user  statuses – lists latest tweets from accounts being followed  users – lists user account and accounts being followed by user
  • 31. Twitter App • Settings located in file: ▫ Usersuser_nameAppDataLocalPackagesxx xxx.Twitter_xxxxSettingssettings.dat  Includes user name (@xxxxx)  Details on profile picture URL  Twitter ID number
  • 32. Skype App (legacy) • The Skype App was discontinued with Windows 10 ▫ Windows 10 prompts you to download the desktop Skype application
  • 33. OneDrive App • Built-in by default, API allows all programs to save files in OneDrive • List of Synced items located in file: ▫ Usersuser_nameAppDataLocalMicrosoftWind owsOneDrivesettingsxxxxxxxx.dat • Locally cached items are stored in directory: ▫ Usersuser_nameOneDrive
  • 34. Microsoft Office Apps • With the release of the Windows Insider program Microsoft introduced the Office Mobile Apps ▫ If you have a valid Office365 account then you can edit and create documents  Otherwise these Apps are read-only
  • 35. Word App • List of recent documents stored in the following file (XML): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Word_xxxxLocalStateAppDataLocalOffice16.0 MruServiceCachexxxx_LiveIdExcelDocuments_en-AU • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Word_xxxxLocalStateOfficeFileCache  Files stored as .FSD extension  actually data embedded  Can be manually carved from FSD file
  • 36. Excel App • List of recent documents stored in the following file (XML): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Excel_xxxxLocalStateAppDataLocalOffice16.0 MruServiceCachexxxx_LiveIdExcelDocuments_en-AU • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Excel_xxxxLocalStateOfficeFileCache  Files stored as .FSD extension  actually data embedded  Can be manually carved from FSD file
  • 37. PowerPoint App • List of recent documents stored in the following file (XML): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Office. PowerPoint_xxxxLocalStateAppDataLocalOffice16.0Mru ServiceCachexxxx_LiveIdExcelDocuments_en-AU • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Office. PowerPoint_xxxxLocalStateOfficeFileCache  Files stored as .FSD extension  actually data embedded  Can be manually carved from FSD file
  • 38. OneNote App • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Of fice.OneNote_xxxxLocalStateAppDataLocalOneNote1 6.0 • Files stored as xxxx.bin extension ▫ Encoded binary files ▫ Embedded graphics such as PNG or JPG
  • 39. Maps App • Recent places stored in this file (XML): ▫ Usersuser_nameAppDataLocalPackagesM icrosoft.WindowsMaps_xxxxLocalStateGraph xxxxMe00000000.ttl  Latitude/Longitude  Dates modified (searched)
  • 41. Memory Acquisition • WinPMEM (tested versions 1.6.2 & 2.0.1) ▫ Run as Administrator  Has to extract driver to local temp location  V1.6.2 running process ~10MB  V2.0.1 running process ~80MB • FTK Imager ▫ Run as Administrator  Running process ~15MB
  • 42. Live Disk Acquisition • FTK Imager ▫ Can be used for Physical or Logical acquisition • X-Ways Forensics ▫ Can be used for Physical or Logical acquisition
  • 43. Resources • FTK Imager ▫ http://accessdata.com/product-download?/support/product- downloads • Nirsoft ESEDatabaseView ▫ http://www.nirsoft.net/utils/ese_database_view.html • RegistryBrowser ▫ https://lockandcode.com/software/registry_browser • WinPMEM ▫ https://github.com/google/rekall/releases

Notes de l'éditeur

  1. Virtualising a stored image
  2. Connected WiFi networks   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\ \ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{5352E92B-EE0A-4E57-B761-A775DDE0A317}\
  3. Windows 10 shipped with IE11 (and Edge) - Legacy mode X-Ways can also interpret EDB
  4. Windows 8 shipped with IE10, now able to get IE11 X-Ways can also interpret EDB
  5. Cheat sheet