Lecture #30: Windows Forensics
Dr.Ramchandra Mangrulkar
October 5, 2020
Dr.Ramchandra Mangrulkar Lecture #30: Windows Forensics October 5, 2020 1 / 25
Forensics Analysis of Windows System
Three Major Components of Proper Forensics Analysis
Strong understanding of the FAT and NTFS file systems
Understanding of Windows artefacts
Use of proper computer forensics software
Objectives of Windows Forensics
Collect volatile and nonvolatile information
Perform Windows memory analysis
Perform Windows registry analysis
Perform Windows file analysis
Volatile information
System time
Logged-on user(s)
Open files
Network information
Network connections
Process information
Process-to-port mapping
Process memory
Network status
Clipboard contents
Service/driver information
Command history
Mapped drives
Shares
Volatile information : System time
The first piece of information an investigator should collect when investigating an incident is the system time.
The system time gives context to the information collected later in the investigation and enables an investigator to establish an accurate timeline of events that have occurred on the system.
Not only is the current system time important for the investigator, but the amount of time that the system has been running, or the uptime,
Volatile information : Logged-on user(s)
An investigator needs to find out which users are logged on to the system.
This includes people who are logged on locally (via the console or keyboard) as well as remotely (such as via the net use command or via a mapped share).
Knowing who was logged on adds context to other information, such as the user context of a running process, the owner of a file, or the last access times on files.
Logon activity is also recorded in the Security Event Log, particularly if the appropriate auditing has been enabled.
Demo
Volatile information : Open Files
The following are some of the tools and commands an investigator can use to determine what files are open:
Net File: The net file command displays the names of all open shared files on a system and the number of file locks, and closes individual shared files and removes file locks.
PsFile: PsFile is a command-line application that shows a list of files on a system that are open remotely. It also allows a user to close open files either by name or by file identifier.
Openfiles: This command is used to list or disconnect a
Demo
Volatile information : Network Statistics
When connections are made to other systems using NetBIOS communications, the systems will maintain a list of other systems they have connected to.
By viewing the contents of the name table cache, an investigator might be able to determine other systems that have been affected.
The investigator should also collect information about network connections, which can expire over time.
An investigator might approach a system and, after an initial look, determine that the attacker is still logged into the system.
This information can provide important clues and add context to other information that the investigator has collected.
Demo
Volatile information : Process Information
A process is a section or instance of an application or program that is being run sequentially. When viewing the running processes in the Task Manager, the investigator can see some information about each process.
However, there is much more information not visible in Task Manager.
An investigator needs to know the following about running processes:
• The full path to the executable image (.exe file)
• The command line used to launch the process, if any
• The amount of time that the process has been running
• The security/user context that the process is running in
• Which modules the process has loaded
• The memory contents of the process
Demo
Volatile information : Process to Port Mapping
When there is a network connection open on a system, some process must be responsible for and must be using that connection. That is, every network connection and open port is associated with a process.
A port is a logical connection that allows data to be sent from one application to another directly. Several tools are available to an investigator to retrieve this process-to-port mapping.
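The collection steps from this and the preceding volatile-information slides (system time and uptime, logged-on users, open files, network state including the NetBIOS name cache, process details, process-to-port mapping, clipboard, command history, mapped drives and shares) combined into one triage script, in the order of most perishable first. This is an added example written for this page, not code from the lecture; it assumes Windows 10 / Server 2016 or later with PowerShell 5.1+, an elevated prompt, and the output directory name is an assumption.

```powershell
# Volatile-data triage collector. Added example, not part of the lecture.
# Assumes Windows 10 / Server 2016 or later, PowerShell 5.1+, an elevated
# prompt, and that writing to the system drive is acceptable (adjust $OutDir).
#Requires -RunAsAdministrator

$OutDir = Join-Path $env:SystemDrive ("IR-$env:COMPUTERNAME-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Start-Transcript -Path (Join-Path $OutDir 'collection-transcript.txt') | Out-Null

function Save-Section {
    # Run one collection step into its own file; a failing step must not stop
    # the rest, because each later item is more perishable than the last.
    param([string]$Name, [scriptblock]$Command)
    $path = Join-Path $OutDir "$Name.txt"
    "### $Name collected at $(Get-Date -Format o)" | Out-File $path -Encoding utf8
    try   { & $Command 2>&1 | Out-String -Width 4096 | Out-File $path -Append -Encoding utf8 }
    catch { "ERROR: $_" | Out-File $path -Append -Encoding utf8 }
}

# 1. System time first: every later timestamp is interpreted against it.
#    Uptime is derived from the recorded boot time.
Save-Section 'system-time' {
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        LocalTime = $os.LocalDateTime
        UtcTime   = (Get-Date).ToUniversalTime()
        TimeZone  = (Get-TimeZone).Id
        LastBoot  = $os.LastBootUpTime
        Uptime    = (Get-Date) - $os.LastBootUpTime
    } | Format-List
}

# 2. Logged-on users: console/RDP sessions, plus SMB sessions opened remotely.
Save-Section 'logged-on-users' {
    query user
    Get-SmbSession | Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsExists
}

# 3. Open files: files held open over shares (what 'net file' and PsFile show).
Save-Section 'open-files' {
    Get-SmbOpenFile | Select-Object ClientComputerName, ClientUserName, Path
}

# 4. Network state, including the NetBIOS name-table cache; connections expire,
#    so the raw netstat output is preserved as evidence before any analysis.
Save-Section 'network' {
    ipconfig /all
    arp -a
    nbtstat -c
    netstat -ano
}

# 5. Process-to-port mapping: join each TCP endpoint to the owning process and
#    add the executable path and command line that Task Manager does not show.
Save-Section 'process-to-port' {
    $byPid = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }
    Get-NetTCPConnection | ForEach-Object {
        $p = $byPid[[int]$_.OwningProcess]
        [pscustomobject]@{
            Local       = "$($_.LocalAddress):$($_.LocalPort)"
            Remote      = "$($_.RemoteAddress):$($_.RemotePort)"
            State       = $_.State
            PID         = $_.OwningProcess
            Image       = if ($p) { $p.ExecutablePath } else { '<exited>' }
            CommandLine = if ($p) { $p.CommandLine } else { '' }
        }
    } | Sort-Object PID | Format-Table -AutoSize
}

# 6. Process details: path, command line, start time, owner, loaded modules.
Save-Section 'processes' {
    Get-CimInstance Win32_Process | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        [pscustomobject]@{
            PID = $_.ProcessId; PPID = $_.ParentProcessId; Started = $_.CreationDate
            Owner = "$($owner.Domain)\$($owner.User)"
            Image = $_.ExecutablePath; CommandLine = $_.CommandLine
        }
    } | Format-List
    Get-Process | ForEach-Object {
        "--- modules of PID $($_.Id) ($($_.ProcessName))"
        try { $_.Modules | Select-Object -ExpandProperty FileName } catch { '<access denied>' }
    }
}

# 7. Remaining items from the slide's list of volatile information.
Save-Section 'clipboard'        { Get-Clipboard -Raw }
Save-Section 'services-drivers' { Get-Service | Select-Object Name, Status, StartType; driverquery /v }
Save-Section 'command-history'  { doskey /history; Get-History }
Save-Section 'mapped-drives'    { net use }
Save-Section 'shares'           { Get-SmbShare | Select-Object Name, Path, Description }
Stop-Transcript | Out-Null

# Hash every artefact so that later analysis can show the files were not altered.
Get-ChildItem $OutDir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path | Out-File (Join-Path $OutDir 'SHA256SUMS.txt') -Encoding utf8
```

Running the collector changes the system it examines (a new process, new files, new history entries), so the transcript and hash list record exactly what the investigator did and when.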
Demo
Volatile information : Clipboard Contents
The clipboard is simply an area of memory where data can be stored for later use. Most Windows applications provide this functionality through the Edit option on the menu bar. Clicking Edit reveals a drop-down menu with choices like Cut, Copy, and Paste.
The clipboard is often used to move data in some fashion, between documents or between application windows on the desktop.
Demo : PASTE
Demo : doskey /history
Nonvolatile information
Nonvolatile information is kept on secondary storage devices and persists after a system is powered down. It is nonperishable and can be collected after the volatile information is collected. The following are some of the specific types of nonvolatile information investigators collect:
Hidden files
Slack space
Swap files
Index.dat files
Metadata
Hidden ADS (alternate data streams)
Windows Search index
Unallocated clusters
Unused partitions
Hidden partitions
Registry settings
Connected devices
Nonvolatile information : MAC Times
dir /TC   lists files with their creation time
dir /TA   lists files with their last-access time
dir /TW   lists files with their last-written (modification) time
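An added example, not from the lecture, that goes beyond the three dir switches above: it gathers all three timestamps for every file under a path, normalises them to UTC, records whether NTFS last-access updating is enabled, and flags files whose timestamp order is unusual. The path, output file and flag names are assumptions.

```powershell
# MAC-time timeline for a directory tree. Added example, not part of the lecture.
# dir /TC, /TA and /TW each show one timestamp; this collects all three per file,
# converts them to UTC, and flags files whose timestamp order is unusual.
param(
    [string]$Path   = 'C:\Users',                   # assumption: tree to examine
    [string]$OutCsv = "$env:TEMP\mac-timeline.csv"  # assumption: output file
)

# Last-access updates are often disabled on NTFS; record the setting so that an
# unchanging LastAccessTime is not misread as "the file was never opened".
fsutil behavior query DisableLastAccess

$rows = Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $c = $_.CreationTimeUtc; $a = $_.LastAccessTimeUtc; $w = $_.LastWriteTimeUtc
        # Heuristic flags (indicators to examine, not proof):
        #  CopiedOrStomped: last written before it was created. A copy keeps the
        #  source's write time but gets a new creation time; altered timestamps
        #  can produce the same order.
        #  RoundedTimes: creation and write times have no sub-second part. NTFS
        #  records 100 ns ticks, so whole-second values on both are unusual.
        $flags = @()
        if ($w -lt $c) { $flags += 'CopiedOrStomped' }
        if (($c.Ticks % 10000000) -eq 0 -and ($w.Ticks % 10000000) -eq 0) { $flags += 'RoundedTimes' }
        [pscustomobject]@{
            Path        = $_.FullName
            CreatedUtc  = $c.ToString('o')
            AccessedUtc = $a.ToString('o')
            WrittenUtc  = $w.ToString('o')
            SizeBytes   = $_.Length
            Flags       = ($flags -join ';')
        }
    }

# Sorted by write time, the CSV is the file-system part of the incident timeline.
$rows | Sort-Object WrittenUtc | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
"{0} files written to {1}" -f @($rows).Count, $OutCsv
$rows | Where-Object Flags | Format-Table Path, CreatedUtc, WrittenUtc, Flags -AutoSize
```

Run it against a mounted image or a copy rather than the live evidence drive where possible, since reading files on a volume with last-access updating enabled changes the very timestamps being collected.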
