1. Lecture #30: Windows Forensics
Dr. Ramchandra Mangrulkar
October 5, 2020
Dr.Ramchandra Mangrulkar Lecture #30: Windows Forensics October 5, 2020 1 / 25
2. Forensics Analysis of Windows System
Three Major Components of Proper Forensics Analysis
Strong Understanding of FAT and NT file systems
Understanding of Windows Artefacts
Use of Proper Computer forensics Software
5. Objectives of Windows Forensics
Collect volatile and nonvolatile information
Perform Windows memory analysis
Perform Windows registry analysis
Perform Windows file analysis
9. Volatile information
System time
Logged-on user(s)
Open files
Network information
Network connections
Process information
Process-to-port mapping
Process memory
Network status
Clipboard contents
Service/driver information
Command history
Mapped drives
Shares
10. Volatile information: System time
The first piece of information an investigator should collect when
investigating an incident is the system time.
The system time gives context to the information collected later
in the investigation and enables an investigator to establish an
accurate timeline of events that have occurred on the system.
Not only is the current system time important for the
investigator, but the amount of time that the system has been
running, or the uptime,
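As an added example (not part of the lecture slides), the Python below shows what an investigator does with the system time once it has been written down: it computes the skew between the suspect system's clock and a trusted reference clock read at the same moment, derives uptime from the "System Boot Time" line of a systeminfo dump, and applies the skew to a timestamp taken from the system so it can be placed on a true timeline. The two clock readings and the systeminfo excerpt are constructed, and the en-GB date format in that excerpt is an assumption (systeminfo prints dates in the system's locale).

```python
from datetime import datetime, timedelta

# Constructed readings taken at the console at the same instant:
# the suspect system's own clock (e.g. `date /t` + `time /t`, or Get-Date)
# and a trusted external clock (NTP-synced forensic laptop or GPS time).
SUSPECT_CLOCK = "2020-10-05 14:03:40"
REFERENCE_CLOCK = "2020-10-05 14:06:10"

# Constructed excerpt of `systeminfo` output from the same system.
# The boot-time format is locale-dependent; this sample assumes en-GB
# (day/month/year, 24-hour clock).
SYSTEMINFO_EXCERPT = """\
Host Name:                 LAB-PC-01
OS Name:                   Microsoft Windows 10 Pro
System Boot Time:          03/10/2020, 09:15:22
System Locale:             en-gb;English (United Kingdom)
"""

FMT = "%Y-%m-%d %H:%M:%S"
BOOT_FMT = "%d/%m/%Y, %H:%M:%S"   # assumption: en-GB systeminfo output


def clock_skew(suspect: str, reference: str) -> timedelta:
    """Offset to ADD to a suspect-system timestamp to obtain true time.

    Positive means the suspect clock is running slow."""
    return datetime.strptime(reference, FMT) - datetime.strptime(suspect, FMT)


def parse_boot_time(systeminfo_text: str) -> datetime:
    """Pull the boot time out of a saved systeminfo dump."""
    for line in systeminfo_text.splitlines():
        if line.startswith("System Boot Time:"):
            value = line.split(":", 1)[1].strip()
            return datetime.strptime(value, BOOT_FMT)
    raise ValueError("no 'System Boot Time' line in systeminfo output")


def uptime(systeminfo_text: str, suspect_now: str) -> timedelta:
    """How long the system has been running, measured on its own clock."""
    return datetime.strptime(suspect_now, FMT) - parse_boot_time(systeminfo_text)


def normalize(ts_on_suspect: str, skew: timedelta) -> str:
    """Convert a timestamp read from the suspect system into reference time."""
    return (datetime.strptime(ts_on_suspect, FMT) + skew).strftime(FMT)


if __name__ == "__main__":
    skew = clock_skew(SUSPECT_CLOCK, REFERENCE_CLOCK)
    print("clock skew:", skew)                                 # 0:02:30
    print("uptime:   ", uptime(SYSTEMINFO_EXCERPT, SUSPECT_CLOCK))  # 2 days, 4:48:18
    # An event logged by the system at 13:00:00 actually happened at:
    print("true time:", normalize("2020-10-05 13:00:00", skew))     # 2020-10-05 13:02:30
```

Record the skew before touching anything else; every later timestamp (event logs, file MAC times, registry LastWrite times) is expressed on the suspect clock and only becomes comparable with external evidence after the offset is applied.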
11. Volatile information: Logged-on user(s)
An investigator needs to find out which users are logged on to
the system.
This includes people who are logged on locally (via the console or
keyboard) as well as remotely (such as via the net use command or
via a mapped share).
This information adds context to other findings, such as the user
context of a running process, the owner of a file, or the last
access times on files.
Logon information is also recorded in the Security Event Log,
particularly if the appropriate auditing has been enabled.
15. Volatile information: Open Files
The following are some of the tools and commands an
investigator can use to determine what files are open:
Net File: The net file command displays the names of all open
shared files on a system and the number of file locks, and closes
individual shared files and removes file locks.
PsFile: PsFile is a command-line application that shows a list of
files on a system that are open remotely. It also allows a user to
close open files either by name or by file identifier.
Openfiles: This command is used to list or disconnect a
17. Volatile information: Network Statistics
When connections are made to other systems using NetBIOS
communications, the systems will maintain a list of other
systems they have connected to.
By viewing the contents of the name table cache, an investigator
might be able to determine other systems that have been
affected.
The investigator should also collect information regarding network
connections, which can expire over time.
An investigator might approach a system and, after an initial
look, determine that the attacker is still logged into the system.
This information can provide important clues and add context to
other information that the investigator has collected.
20. Volatile information: Process Information
A process is a section or instance of an application or program
that is being run sequentially. When viewing the running
processes in the Task Manager, the investigator can see some
information about each process.
However, there is much more information not visible in Task
Manager.
An investigator needs to know the following about running processes:
• The full path to the executable image (.exe file)
• The command line used to launch the process, if any
• The amount of time that the process has been running
• The security/user context that the process is running in
• Which modules the process has loaded
• The memory contents of the process
23. Volatile information: Process-to-Port Mapping
When there is a network connection open on a system, some
process must be responsible for and must be using that
connection. That is, every network connection and open port is
associated with a process.
A port is a logical connection that allows data to be sent from
one application to another directly. Several tools are available to
an investigator to retrieve this process-to-port mapping.
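The process-information and process-to-port-mapping slides above describe what to collect; the Python below (an added example, not code from the lecture) shows the analysis step that follows once `netstat -ano` and `tasklist /v /fo csv` output has been saved from the live system. It joins the two on PID so every connection and listening port is tied to an image name, user context and session, then lists established connections whose remote end lies outside RFC 1918 and loopback ranges as a triage starting point. Both command outputs are constructed samples; the PIDs, addresses and the `updater.exe` process are invented for the example, and the "local" ranges are an assumption to be replaced by the organisation's own address plan.

```python
import csv
import io
import ipaddress

# Constructed `netstat -ano` output. TCP rows carry a State column,
# UDP rows do not, which the parser has to account for.
NETSTAT_SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.56.101:49712   203.0.113.7:4444       ESTABLISHED     5120
  TCP    192.168.56.101:49801   192.168.56.1:445       ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    3344
"""

# Constructed `tasklist /v /fo csv` output (raw string: user names contain
# backslashes).
TASKLIST_SAMPLE = r"""
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System","4","Services","0","144 K","Unknown","NT AUTHORITY\SYSTEM","0:02:11","N/A"
"svchost.exe","912","Services","0","9,184 K","Unknown","NT AUTHORITY\NETWORK SERVICE","0:00:01","N/A"
"svchost.exe","3344","Services","0","6,008 K","Unknown","NT AUTHORITY\LOCAL SERVICE","0:00:00","N/A"
"updater.exe","5120","Console","1","3,412 K","Running","LAB-PC-01\alice","0:00:09","N/A"
"""

# Assumption: address ranges considered "internal" for triage purposes.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_netstat(text: str) -> list:
    """Parse `netstat -ano` rows into dicts; state is '' for UDP rows."""
    rows, seen_header = [], False
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "Proto":          # column header marks start of data
            seen_header = True
            continue
        if not seen_header:
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue                      # unexpected layout: skip, don't guess
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text: str) -> dict:
    """Map PID -> image name, user context and session from tasklist CSV."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text.strip())):
        procs[int(row["PID"])] = {"image": row["Image Name"],
                                  "user": row["User Name"],
                                  "session": row["Session Name"]}
    return procs


def map_ports(netstat_text: str, tasklist_text: str) -> list:
    """Join connections to processes on PID (the process-to-port mapping)."""
    procs = parse_tasklist(tasklist_text)
    unknown = {"image": "<not in tasklist>", "user": "", "session": ""}
    return [{**conn, **procs.get(conn["pid"], unknown)}
            for conn in parse_netstat(netstat_text)]


def is_local_address(sock_addr: str) -> bool:
    """True if host part of 'ip:port' (IPv6 in brackets) is loopback/internal."""
    host = sock_addr.rsplit(":", 1)[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                    # '*', link-local with zone id, etc.
        return False
    return ip.is_loopback or any(ip in net for net in LOCAL_NETWORKS)


def external_connections(mapping: list) -> list:
    """Established connections whose remote end is outside LOCAL_NETWORKS."""
    return [(r["image"], r["pid"], r["remote"]) for r in mapping
            if r["state"] == "ESTABLISHED" and not is_local_address(r["remote"])]


if __name__ == "__main__":
    mapping = map_ports(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for r in mapping:
        print(f'{r["proto"]:4} {r["local"]:22} {r["remote"]:20} {r["state"]:11} '
              f'{r["pid"]:>5} {r["image"]} ({r["user"]})')
    print("external:", external_connections(mapping))
```

Because netstat and tasklist run at different instants, a PID seen by one may have exited before the other ran; the `<not in tasklist>` marker keeps such rows visible instead of silently dropping them. Note also that tasklist does not give the full image path or command line listed on the process-information slide; those need a tool such as `wmic process get` or Process Explorer, collected in the same session.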
25. The clipboard is simply an area of memory where data can be
stored for later use. Most Windows applications provide this
functionality through the Edit option on the menu bar.
Clicking Edit reveals a drop-down menu with choices like Cut,
Copy, and Paste.
The clipboard is often used to facilitate moving data in some
fashion—between documents or between application windows on
the desktop.
29. Demo: doskey /history
30. Nonvolatile information
Nonvolatile information is kept on secondary storage devices and
persists after a system is powered down. It is nonperishable and can
be collected after the volatile information is collected. The following
are some of the specific types of nonvolatile information investigators
collect:
Hidden files
Slack space
Swap files
Index.dat files
Metadata
Hidden ADS (alternate data streams)
Windows Search index
Unallocated clusters
Unused partitions
Hidden partitions
Registry settings
Connected devices
31. Nonvolatile information: MAC Times
dir /TC (creation time)
dir /TA (last access time)
dir /TW (last write time)
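As an added example (not part of the lecture slides), the Python below turns the three `dir /TC`, `dir /TA` and `dir /TW` listings of one directory into a single MAC table per file, builds a sorted timeline from it, and flags files whose creation time is later than their last-write time, which is what a file copied or downloaded from elsewhere looks like and is worth a second look in an investigation. The listings are constructed samples in en-GB format (dd/mm/yyyy, 24-hour clock); the file names, sizes and dates are invented, and the date format is an assumption since `dir` prints dates in the system locale.

```python
import re
from datetime import datetime

# Constructed `dir /TC` (creation), `dir /TA` (last access) and `dir /TW`
# (last write) listings of the same directory. Raw strings keep the
# backslashes in the path intact.
DIR_TC = r"""
 Volume in drive C has no label.
 Directory of C:\Users\alice\Downloads

05/10/2020  11:42    <DIR>          .
05/10/2020  11:42    <DIR>          ..
05/10/2020  11:42            18,432 invoice.exe
21/09/2020  08:10           204,800 report.docx
               2 File(s)        223,232 bytes
"""
DIR_TA = r"""
 Directory of C:\Users\alice\Downloads

05/10/2020  11:42    <DIR>          .
05/10/2020  11:42    <DIR>          ..
05/10/2020  11:42            18,432 invoice.exe
05/10/2020  09:00           204,800 report.docx
"""
DIR_TW = r"""
 Directory of C:\Users\alice\Downloads

05/10/2020  11:42    <DIR>          .
05/10/2020  11:42    <DIR>          ..
03/10/2020  17:05            18,432 invoice.exe
28/09/2020  16:30           204,800 report.docx
"""

# Assumption: en-GB dir output. Adjust DATE_FMT for other locales.
DIR_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")
DATE_FMT = "%d/%m/%Y %H:%M"


def parse_dir(listing: str) -> dict:
    """Return {file name: (timestamp, size in bytes)} for one dir listing."""
    entries = {}
    for line in listing.splitlines():
        m = DIR_LINE.match(line)
        if not m:
            continue                      # volume header, totals, blank lines
        date, time, size, name = m.groups()
        if size == "<DIR>":
            continue                      # skip directories, including . and ..
        entries[name] = (datetime.strptime(f"{date} {time}", DATE_FMT),
                         int(size.replace(",", "")))
    return entries


def mac_table(dir_tc: str, dir_ta: str, dir_tw: str) -> dict:
    """Merge the three listings into {name: {created, accessed, modified, size}}."""
    created, accessed, written = parse_dir(dir_tc), parse_dir(dir_ta), parse_dir(dir_tw)
    table = {}
    for name in created.keys() & accessed.keys() & written.keys():
        table[name] = {"created": created[name][0],
                       "accessed": accessed[name][0],
                       "modified": written[name][0],
                       "size": created[name][1]}
    return table


def timeline(table: dict) -> list:
    """All MAC events as (timestamp, name, event), oldest first."""
    return sorted((rec[event], name, event)
                  for name, rec in table.items()
                  for event in ("created", "accessed", "modified"))


def created_after_modified(table: dict) -> list:
    """Files whose creation time postdates their last write (copied in from elsewhere)."""
    return sorted(name for name, rec in table.items()
                  if rec["created"] > rec["modified"])


if __name__ == "__main__":
    table = mac_table(DIR_TC, DIR_TA, DIR_TW)
    for ts, name, event in timeline(table):
        print(ts.strftime(DATE_FMT), f"{event:9}", name)
    print("created after modified:", created_after_modified(table))
```

Two caveats apply when reading the A column: NTFS can be configured not to update last-access times at all (the NtfsDisableLastAccessUpdate setting), and simply opening a file during triage can update it, so collect these listings before any other file-level examination. Timestamps here are on the suspect system's clock and still need the skew correction from the system-time step.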