DFIR Blog
  • Infosec
    • Blog
    • Threat Landscape
  • Digital Forensics
    • Windows Forensics
    • Mac Forensics
    • Memory Forensics
    • Forensic Resources
  • Incident Response
  • CISSP
    • Domain-1
    • Domain-2
    • Domain-3
    • Domain-4
    • Domain-5
    • Domain-6
    • Domain-7
    • Domain-8
  • Contact
  • HTB
  • Productivity

Blog

Windows Forensics Basics

5/10/2017

 
Windows Forensics:
Cache Memory and History Analysis:
IE:
  • Content.IE5 Files – Temporary internet files
  • AppData Folders – Contain Cookies
  • History Folder
IE Cookies View Tool – for Analysis
Firefox:
Md5 Hash
  • 32 digit -128 bit Message digest
  • Non collision resistant
  • Checks the integrity of the tool
Recycle Bin:
  • File is deleted – Sub Directory is created
  • Recycler
  • Remember Convention for Recycler <Drive Name – Hash>
  • Info2 contains the records related to the data.
Restore Points:
  • RP.Log filename
Change.log.x files
  • Format: Axxxxx.ext
  • X is sequence number and ext is extension of the file.
Prefetch:
  • Prefetch files leaves traces and can collect data from it.
Shortcut Files
  • Use .lnk files
File Signature Analysis:
  • Collect information from first 20 bytes of a file
  • Mac Time Stamp: Modification, Access and Change time. Managed by OS  in UTC Format
Static Analysis
  • You’ll not open the file- Just open it in some application and review the data.
Dynamic Analysis:
  • You'll execute the file in order to analyze it.
  • Create a Test Environment and Process of Testing malware
Meta Data investigation:
  • Data about data
  • Descriptive Metadata
  • Structural Metadata
Windows Events:
  • Logs Day to day  Events
  • Event log maintains this data.
  • Command – wevtutil
  • Events files are databases- related to System, Security and Application
  • Storage location: SysEvent.evt
Popular event ID:
  • Event ID 4902 – Modification of Audit Policy
ISS Log:
  • Exyymmdd.log
  • Ex refers to extended format
DHCP Server Logs:
  • Format
Firewall Logs:
                Pfirewall.log
Windows Password:
Active Directory - NTDS.DID –
For a System is SAM (System Account Manager) File – System32 Config, Additional Copy in repair folder.
  • Password is stored in HASH format
LMNAM –it’s outdates
NTLM V2 is the latest version used by windows:
Sigverif:  Shows unsigned drivers
  • CurrPorts – Similar to NetStat -a

 
 
​

Comments are closed.

    Mac Forensics
    Windows Forensics
    Forensic Tools

    Categories

    All
    Attack
    Bash
    Bigdata
    Corporate
    Ctf
    Data
    Digital Forensics
    Docker
    EDR
    Forensics
    Hacking
    Hadoop
    HDFS
    Health Care
    Linux
    Memory
    Network
    Network Forensics
    PCIP
    SQL
    Windows
    Wireshark

    Archives

    January 2023
    October 2019
    September 2019
    July 2019
    June 2019
    May 2019
    March 2019
    April 2018
    March 2018
    February 2018
    July 2017
    June 2017
    May 2017
    November 2015
    October 2015
    July 2015
    June 2015
    May 2015
    April 2015
    March 2015

    RSS Feed

  • Infosec
    • Blog
    • Threat Landscape
  • Digital Forensics
    • Windows Forensics
    • Mac Forensics
    • Memory Forensics
    • Forensic Resources
  • Incident Response
  • CISSP
    • Domain-1
    • Domain-2
    • Domain-3
    • Domain-4
    • Domain-5
    • Domain-6
    • Domain-7
    • Domain-8
  • Contact
  • HTB
  • Productivity