Windows Forensics Basics

Windows Forensics:
Cache Memory and History Analysis:
IE:

• Content.IE5 Files – Temporary internet files
• AppData Folders – Contain Cookies
• History Folder

IE Cookies View Tool – for Analysis
Firefox:
Md5 Hash

• 32 digit -128 bit Message digest
• Non collision resistant
• Checks the integrity of the tool

Recycle Bin:

• File is deleted – Sub Directory is created
• Recycler
• Remember Convention for Recycler <Drive Name – Hash>
• Info2 contains the records related to the data.

Restore Points:

• RP.Log filename

Change.log.x files

• Format: Axxxxx.ext
• X is sequence number and ext is extension of the file.

Prefetch:

• Prefetch files leaves traces and can collect data from it.

Shortcut Files

• Use .lnk files

File Signature Analysis:

• Collect information from first 20 bytes of a file
• Mac Time Stamp: Modification, Access and Change time. Managed by OS  in UTC Format

Static Analysis

• You’ll not open the file- Just open it in some application and review the data.

Dynamic Analysis:

• You'll execute the file in order to analyze it.
• Create a Test Environment and Process of Testing malware

Meta Data investigation:

• Data about data
• Descriptive Metadata
• Structural Metadata

Windows Events:

• Logs Day to day  Events
• Event log maintains this data.
• Command – wevtutil
• Events files are databases- related to System, Security and Application
• Storage location: SysEvent.evt

Popular event ID:

• Event ID 4902 – Modification of Audit Policy

ISS Log:

• Exyymmdd.log
• Ex refers to extended format

DHCP Server Logs:

• Format

Firewall Logs:
                Pfirewall.log
Windows Password:
Active Directory - NTDS.DID –
For a System is SAM (System Account Manager) File – System32 Config, Additional Copy in repair folder.

• Password is stored in HASH format

LMNAM –it’s outdates
NTLM V2 is the latest version used by windows:
Sigverif:  Shows unsigned drivers

• CurrPorts – Similar to NetStat -a

 
 
​