Windows Forensics:
Cache Memory and History Analysis:
IE:
- Content.IE5 folder – temporary internet files
- AppData folders – contain cookies
- History folder
Firefox:
MD5 Hash:
- 32 hex digits – 128-bit message digest
- Not collision resistant
- Used to check the integrity of a tool
- Recycler: when a file is deleted, a subdirectory is created under it
- Naming convention for Recycler subdirectories: <Drive Name – Hash>
- INFO2 contains the records related to the deleted data
- RP.log filename
- Format: Axxxxx.ext
- x is the sequence number and ext is the extension of the file
- Prefetch files leave traces, and data can be collected from them
- Use .lnk files
- Collect information from the first 20 bytes of a file
- MAC timestamps: Modification, Access and Change time, managed by the OS in UTC format
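The three file checks in the notes above (MD5 integrity of a tool, the first 20 bytes of a file, and MAC timestamps in UTC) as one added Python triage helper. This is example code written for these notes, not a tool from the original page; the sample file content, its expected MD5 and the file names are constructed for the demo.

```python
"""Added example (not from the original notes): quick file triage for a Windows
forensics checklist. It performs the three checks the notes mention: an MD5
integrity check of a tool, the file's leading bytes (the notes say the first 20),
and MAC timestamps reported in UTC. The sample file is constructed here."""
import hashlib
import hmac
import os
import tempfile
from datetime import datetime, timezone

HEADER_BYTES = 20

# Constructed sample content; its MD5 is the well-known test-vector value.
SAMPLE_CONTENT = b"The quick brown fox jumps over the lazy dog"
SAMPLE_MD5 = "9e107d9d372bb6826bd81d3542a419d6"


def md5_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so large evidence files need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()  # 32 hex digits == 128 bits


def verify_tool_integrity(path, expected_md5):
    """True when the tool's MD5 matches the published value (case-insensitive).
    MD5 is not collision resistant, so this guards against accidental corruption
    or a careless swap, not against an adversary who can craft collisions."""
    return hmac.compare_digest(md5_file(path), expected_md5.strip().lower())


def file_header(path, n=HEADER_BYTES):
    """First n bytes of the file; the signature shows the real type, not the extension."""
    with open(path, "rb") as fh:
        return fh.read(n)


def mac_times_utc(path):
    """Modification, access and change times as ISO-8601 strings in UTC."""
    st = os.stat(path)

    def iso_utc(ts):
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

    return {
        "modified": iso_utc(st.st_mtime),
        "accessed": iso_utc(st.st_atime),
        "changed": iso_utc(st.st_ctime),  # metadata change on POSIX, creation on Windows
    }


def triage(path, expected_md5=None):
    """Collect the checks into one record, as an examiner would log them."""
    record = {
        "path": path,
        "md5": md5_file(path),
        "header_hex": file_header(path).hex(),
        "mac": mac_times_utc(path),
    }
    if expected_md5 is not None:
        record["integrity_ok"] = verify_tool_integrity(path, expected_md5)
    return record


def write_sample(directory, name, content):
    """Write a constructed sample file and return its path."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(content)
    return path


def demo():
    """Run the checks on a pristine copy and a one-byte-altered copy of the sample."""
    workdir = tempfile.mkdtemp(prefix="triage_")
    good = write_sample(workdir, "tool.bin", SAMPLE_CONTENT)
    tampered = write_sample(workdir, "tool_tampered.bin", SAMPLE_CONTENT.replace(b"dog", b"cog"))
    return {
        "good": triage(good, SAMPLE_MD5.upper()),
        "tampered": triage(tampered, SAMPLE_MD5),
    }


if __name__ == "__main__":
    for label, rec in demo().items():
        print(label, rec["md5"], rec["integrity_ok"], rec["mac"]["modified"])
```

Hashing is streamed in chunks so the same function works on multi-gigabyte images, and the comparison normalises case because published digests are often upper-case. The one-byte change in the tampered copy is enough to fail the check, which is the integrity property MD5 still provides even though it is no longer collision resistant.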
- You do not execute the file; you open it in an application and review the data
- You execute the file in order to analyze it
- Create a test environment and a process for testing malware
- Data about data
- Descriptive metadata
- Structural metadata
- Logs day-to-day events
- The event log maintains this data
- Command: wevtutil
- Event log files are databases for the System, Security and Application logs
- Storage location: SysEvent.evt
- Event ID 4902 – modification of audit policy
- Log file name format: Exyymmdd.log, where Ex refers to the extended format
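A small parser for the daily extended-format web server logs named Exyymmdd.log above, with the per-client summary an examiner would run first. This is an added Python example, not code from the original notes; the log lines are constructed, the column list in the #Fields directive is an assumption about a typical configuration, and the century in the filename is assumed to be 20yy.

```python
"""Added example (not from the original notes): parse a W3C extended-format log
(the "Ex" in an Exyymmdd.log file name) and summarise requests per client.
The sample log below is constructed; the field list is an assumption."""
import re
from collections import defaultdict

# Constructed sample: directive lines start with '#', data lines are space-separated.
SAMPLE_LOG = """\
#Software: constructed sample
#Version: 1.0
#Date: 2024-01-15 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-15 10:00:01 10.0.0.5 GET /index.html 200
2024-01-15 10:00:02 10.0.0.5 GET /images/logo.png 200
2024-01-15 10:00:03 10.0.0.9 GET /admin/login.aspx 401
2024-01-15 10:00:04 10.0.0.9 POST /admin/login.aspx 401
2024-01-15 10:00:05 10.0.0.9 GET /backup.zip 404
2024-01-15 10:00:06 10.0.0.7 GET /index.html 500
"""

LOG_NAME = re.compile(r"^ex(\d{2})(\d{2})(\d{2})\.log$", re.IGNORECASE)


def log_file_date(filename):
    """Decode the yymmdd in an Exyymmdd.log name; assumes a 20yy century."""
    m = LOG_NAME.match(filename)
    if not m:
        return None
    yy, mm, dd = m.groups()
    return f"20{yy}-{mm}-{dd}"


def parse_extended_log(text):
    """Yield one dict per request line. '#Fields:' names the columns; other
    '#' lines are directives (software, version, date) and are skipped.
    Values are space-separated and '-' marks an empty field."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def summarize_by_client(records):
    """Requests and error (4xx/5xx) counts per client IP: a first triage view."""
    summary = defaultdict(lambda: {"requests": 0, "errors": 0})
    for rec in records:
        entry = summary[rec["c-ip"]]
        entry["requests"] += 1
        if rec["sc-status"] is not None and int(rec["sc-status"]) >= 400:
            entry["errors"] += 1
    return dict(summary)


def analyse(text=SAMPLE_LOG):
    """Parse the log text and return (records, per-client summary)."""
    records = list(parse_extended_log(text))
    return records, summarize_by_client(records)


if __name__ == "__main__":
    print(log_file_date("ex240115.log"))
    records, summary = analyse()
    for ip, counts in sorted(summary.items()):
        print(ip, counts)
```

The parser keys every record by the names in the #Fields directive rather than by position, so it keeps working when a server is configured to log a different set of columns; a data line that does not match the declared column count is rejected rather than silently misaligned.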
Pfirewall.log
Windows Password:
Active Directory – NTDS.DIT
For a local system: the SAM (Security Account Manager) file under System32\Config, with an additional copy in the repair folder
- Passwords are stored in hash format
NTLM v2 is the latest version used by Windows
Sigverif: shows unsigned drivers
- CurrPorts – similar to netstat -a