null Pune November'11 Meet

1. Windows Forensic Artifacts http://null.co.in/ http://nullcon.net/ Pardhasaradhi.ch a.k.a babloo 09762310104 [email_address]

2. http://null.co.in/ http://nullcon.net/ Agenda Introduction Steps of forensics investigation Rules of Forensics investigations Terminology Windows Artifacts Browser artifacts Tools which can be used Evidence gathering Without Tools

4. http://null.co.in/ http://nullcon.net/ Steps of Forensics

8. http://null.co.in/ http://nullcon.net/ Browser artifacts in Windows Default auto bookmarks location for Firefox C:sers.....ppDataoamingozillairefoxrofiles,,,.default Default location Saved Passwords C:sers..ppDataoamingozillairefoxrofiles6jq0hlt.defaultey3.db C:sers..ppDataoamingozillairefoxrofiles6jq0hlt.defaultignons.Sqllite

9. http://null.co.in/ http://nullcon.net/ Using a Dump File We can get User details System Activity Almost every thing using third party tools

10. http://null.co.in/ http://nullcon.net/ Tools Can be used FTK Encase DFF ADDONS Parbens Stegosuite Volatility TZwork sbag

11. http://null.co.in/ http://nullcon.net/ Without tools How can we extract the data ? USB devices :: HKLMystemontrolset00xnumSBSTOR what Information can be found Vendor ID, Product ID, Revision, Device ID / Serial Number Mounted Devices HKLMystemounted Devices What information can be found This key views each drive connected to the system

12. http://null.co.in/ http://nullcon.net/ Task manager Event logs Network and performance monitor Task scheduler Windows Update history System files MAC table Commands in cli / Powershell Computer management Regedit Msconfig Prefetch

13. Thank You Pardhasaradhi.ch 09762310104 www.pardhasaradhi.info [email_address]