DFIR Blog
  • Infosec
    • Blog
    • Threat Landscape
  • Digital Forensics
    • Windows Forensics
    • Mac Forensics
    • Memory Forensics
    • Forensic Resources
  • Incident Response
  • CISSP
    • Domain-1
    • Domain-2
    • Domain-3
    • Domain-4
    • Domain-5
    • Domain-6
    • Domain-7
    • Domain-8
  • Contact
  • HTB
  • Productivity

Windows Forensics

NTFS - Forensic Artifacts

8/25/2019

 
NTFS was designed to overcome the shortcomings of FAT Filesystem. Some common features are:
  • Mixed Case Support for Filename
  • Long Filenames upto 255 Characters
  • B+ Tree structures for directories
  • POSIX support etc
Default Cluster Size of FAT Filesystem was 64KB leading to lot of slack space wastage. In NTFS, the cluster size is 4KB. Default of Format command is also 4KB but can be changed as per the user interest.

NTFS Transaction Logging / Journling: - NTFS uses a LOG FILE to record changes in the metadata to keep track of state and integrity. This allows to them to understand the system crashes in better way.

USN (Update Sequence Number)/Change Journal: - NTFS keep track of all the files that have changed on the system by USN (Update Sequence Number) Journal or Change Journal. This is a great feature for the tools like antivirus scanners or backup tools. They only have to scan/review the changes/updates items and can perform incremental pass over the drive.

POSIX:- NTFS Supports hard and soft links. Hard link is a single file respond to multiple name.In soft links the another copy gets created but doesn't have data in it just like an alias.

Object ID:-
NTFS uses Object ID to track certain files. You can move the files freely, rename it. etc. The distrubuted link tracking system will update all the links to the file and you'll never lose it.

File Level Encryption:-
It implements file level encryption. Because of this feature you are not able to easily read the files of other uses.

Volume Shadow Copy:- NTFS keeps a backup of your files via the Volume Shadow Copy Feature.

Alternate Data Stream:- Files in windows can have additional content. For example: Files downloaded from internet can be tagged and windows can give you warning before executing it.

Windows Credentials Theft Overview

8/23/2019

 
We will discuss about Windows Credentials Theft in the blog post. This is the first thing any attacker will do after exploiting to your network. The aim of the attacker will be to gather the credentials for privilege escalation and lateral movement. Companies do not pay much attention to the account and password management and adversaries do take advantage of it. See the mind-map below to understand the top categories.
Picture

    Archives

    September 2019
    August 2019
    July 2019
    June 2019
    March 2019
    March 2018

    Categories

    All
    ATA
    Detection
    Forensics
    Microsoft
    Rules
    Windows
    Windows Foreniscs

    RSS Feed

  • Infosec
    • Blog
    • Threat Landscape
  • Digital Forensics
    • Windows Forensics
    • Mac Forensics
    • Memory Forensics
    • Forensic Resources
  • Incident Response
  • CISSP
    • Domain-1
    • Domain-2
    • Domain-3
    • Domain-4
    • Domain-5
    • Domain-6
    • Domain-7
    • Domain-8
  • Contact
  • HTB
  • Productivity