WINDOWS SYSTEMS AND ARTIFACTS
John P. Abraham, Professor, UTPA

Transcript of an 8-page slide deck.

Page 1: Title slide (WINDOWS SYSTEMS AND ARTIFACTS, John P. Abraham, Professor, UTPA)

Page 2: Windows file systems

• FAT (file allocation table) and NTFS (new technology file system).
• NTFS adds the ability to set access control lists on file objects, journaling, and compression.
• MFT (master file table): every file and directory on an NTFS volume has an MFT entry. The starting cluster of the MFT is recorded in the boot sector of the volume; the boot sector also gives the bytes per sector and sectors per cluster, so the MFT's sector number and byte offset can be computed from it.
• More info: http://msdn.microsoft.com/en-us/library/windows/desktop/aa365230(v=vs.85).aspx
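Locating the MFT from the boot sector, as an added example (this code is not from the slides). The boot sector below is constructed in memory with typical values (512-byte sectors, 8 sectors per cluster, $MFT at cluster 786432, a 4 GiB volume); the field offsets are those of the NTFS boot sector, and the byte at 0x40 is decoded the way NTFS stores the file record size (a negative value n means 2^-n bytes).

```python
# Added example (not from the original slides): read the NTFS boot sector and
# compute where the $MFT starts. The boot sector is CONSTRUCTED sample data.
import struct

SECTOR = 512


def build_sample_boot_sector(bytes_per_sector=512, sectors_per_cluster=8,
                             total_sectors=8388608, mft_cluster=786432,
                             mftmirr_cluster=2, record_size_code=0xF6):
    """CONSTRUCTED sample: a minimal NTFS boot sector with the fields we parse."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"             # jump instruction
    bs[3:11] = b"NTFS    "                # OEM ID
    struct.pack_into("<H", bs, 0x0B, bytes_per_sector)
    bs[0x0D] = sectors_per_cluster
    bs[0x15] = 0xF8                       # media descriptor: fixed disk
    struct.pack_into("<Q", bs, 0x28, total_sectors)
    struct.pack_into("<Q", bs, 0x30, mft_cluster)       # $MFT start (LCN)
    struct.pack_into("<Q", bs, 0x38, mftmirr_cluster)   # $MFTMirr start (LCN)
    bs[0x40] = record_size_code           # clusters per file record segment
    bs[0x44] = 0x01                       # clusters per index buffer
    bs[0x1FE:0x200] = b"\x55\xAA"         # boot signature
    return bytes(bs)


def parse_ntfs_boot_sector(bs):
    """Return geometry and $MFT location; raises ValueError on a non-NTFS sector."""
    if bs[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector (OEM ID mismatch)")
    if bs[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    bytes_per_sector = struct.unpack_from("<H", bs, 0x0B)[0]
    sectors_per_cluster = bs[0x0D]
    total_sectors = struct.unpack_from("<Q", bs, 0x28)[0]
    mft_cluster, mftmirr_cluster = struct.unpack_from("<QQ", bs, 0x30)
    cluster_size = bytes_per_sector * sectors_per_cluster
    if mft_cluster * sectors_per_cluster >= total_sectors:
        raise ValueError("$MFT cluster lies beyond the end of the volume")
    # Byte 0x40 is signed: positive = clusters per record; negative -n means
    # the record is 2**n bytes (0xF6 = -10 -> 1024 bytes, the usual case).
    code = struct.unpack_from("<b", bs, 0x40)[0]
    record_size = (1 << -code) if code < 0 else code * cluster_size
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "mft_cluster": mft_cluster,
        "mft_sector": mft_cluster * sectors_per_cluster,   # sector number of $MFT
        "mft_offset": mft_cluster * cluster_size,          # byte offset of $MFT
        "mftmirr_offset": mftmirr_cluster * cluster_size,
        "file_record_size": record_size,
    }


def mft_record_offset(boot, record_number):
    """Byte offset of MFT entry N, assuming $MFT is contiguous from its start.
    A real $MFT can be fragmented; the data runs in entry 0 ($MFT itself) are
    authoritative, so treat this as a starting point, not a guarantee."""
    return boot["mft_offset"] + record_number * boot["file_record_size"]


if __name__ == "__main__":
    info = parse_ntfs_boot_sector(build_sample_boot_sector())
    for key, value in info.items():
        print(f"{key:20} {value}")
    print("root directory (entry 5) at byte offset", mft_record_offset(info, 5))
```

On a live system the same parse applies to the first 512 bytes of a volume image (for example the output of dd against \\.\C: or a raw disk image), and the first 16 MFT entries are the NTFS metadata files ($MFT, $MFTMirr, $LogFile, ..., with entry 5 being the root directory).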

Page 3: NTFS alternate data streams

• Alternate data streams (ADS) were included so that NTFS could store the resource forks of Macintosh Hierarchical File System (HFS) files served by Services for Macintosh.
• Intruders can hide data in an ADS without you detecting it: a plain dir command lists only the file's main stream. Use dir /r (Windows Vista and later) to list the streams of each file; Get-Item -Stream * in PowerShell and the Sysinternals streams tool show the same information. Note that an ADS is not preserved when the file is copied to a FAT volume.
• Tutorial: http://www.irongeek.com/i.php?page=security/altds

Page 4: Windows Registry

• The Windows configuration database. It records system-wide and user-specific settings and, as a side effect, tracks a user's activity (recently used files, programs run, devices connected).
• Regedit is the built-in utility we can use to view it.
• The system hive files (SAM, SECURITY, SOFTWARE, SYSTEM) are located in the config directory of the Windows system, %SystemRoot%\System32\config.
• Per-user settings are found in NTUSER.DAT (in each user's profile folder) and USRCLASS.DAT (under the user's AppData\Local\Microsoft\Windows folder).
• More info: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724946(v=vs.85).aspx

Page 5: Windows registry forensics

• Here is a tutorial: http://www.forensicfocus.com/forensic-analysis-windows-registry
• Instead of reading papers (the next two), I am assigning you to read this 16-page tutorial and write a summary of each page.
• RegRipper is a utility that Harlan Carvey (one of the authors of your lab book)

Page 6: Event logs

• Windows has a built-in Event Viewer (third-party event log viewers can also be downloaded). To launch it: right-click Computer, Manage, Event Viewer; or Start, Run, and type eventvwr.msc.
• You will see the APPLICATION, SECURITY, SETUP and SYSTEM logs. On Vista and later the log files themselves are .evtx files under %SystemRoot%\System32\winevt\Logs; on XP they are .evt files in %SystemRoot%\System32\config.
• Click on each and look at the events. There are several tutorials available on the web to help you understand these logs.

Page 7: Prefetch files

• Windows keeps track of the programs run and saves the information to prefetch files in the Windows\Prefetch directory, so that regularly used programs load faster.
• When an application is launched, a prefetch file for that application is created. The file name is the application's name followed by a hash of the path from which the program was run, in the form NAME.EXE-XXXXXXXX.pf; the same executable run from two different locations therefore gets two prefetch files.
• For forensic examination, a prefetch file is evidence that the program was run on that computer, and it provides the last run date and time (stored in the file header; Windows 8 and later keep the last eight run times) together with a run count. Caveats: prefetching can be disabled (it is off by default on Windows Server and on many SSD installations), and the directory holds a limited number of files (128 through Windows 7, 1024 from Windows 8), so older entries are aged out.
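Reading those values out of the prefetch header, as an added example (not code from the slides). The .pf data is built in memory, the program name and hash value are made up, and the field offsets used are those of the XP (version 17), Vista/7 (version 23) and 8.1 (version 26) prefetch formats; Windows 10 files are compressed and are deliberately rejected rather than parsed.

```python
# Added example (not from the original slides): decode a prefetch (.pf) file
# header to recover the executable name, path hash, last-run time(s) and run
# count. The .pf data below is CONSTRUCTED in memory, not from a real system.
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Per format version: offset of the last-run FILETIME(s), how many there are,
# offset of the run counter, and total header size. Windows 10 files
# (version 30) are additionally wrapped in an "MAM\x04" compressed container
# and are not handled here.
_LAYOUT = {17: (0x78, 1, 0x90, 0x98),    # Windows XP / Server 2003
           23: (0x80, 1, 0x98, 0xF0),    # Windows Vista / 7
           26: (0x80, 8, 0xD0, 0x134)}   # Windows 8.1


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def build_sample_prefetch(exe_name, path_hash, last_run, run_count, version=23):
    """CONSTRUCTED sample header; the section offsets in the body are left zero."""
    times_off, _ntimes, count_off, size = _LAYOUT[version]
    buf = bytearray(size)
    struct.pack_into("<I", buf, 0x00, version)
    buf[0x04:0x08] = b"SCCA"
    struct.pack_into("<I", buf, 0x08, 0x0F)
    struct.pack_into("<I", buf, 0x0C, size)                 # file size
    name = exe_name.encode("utf-16-le")[:58]                # 60-byte field, NUL-terminated
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, path_hash)
    struct.pack_into("<Q", buf, times_off, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


def parse_prefetch(data, filename=None):
    """Parse a .pf header. If the on-disk file name is given, check that its
    hash part matches the hash stored in the header."""
    if data[:3] == b"MAM":
        raise ValueError("compressed Windows 10 prefetch; decompress the MAM container first")
    version = struct.unpack_from("<I", data, 0)[0]
    if data[4:8] != b"SCCA" or version not in _LAYOUT:
        raise ValueError(f"not a supported prefetch file (version {version})")
    times_off, ntimes, count_off, _size = _LAYOUT[version]
    exe_name = data[0x10:0x4C].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    # Most recent run first; unused slots (Windows 8+) are zero and dropped.
    run_times = [filetime_to_datetime(ft)
                 for ft in struct.unpack_from(f"<{ntimes}Q", data, times_off) if ft]
    result = {
        "version": version,
        "executable": exe_name,
        "path_hash": f"{path_hash:08X}",
        "last_run": run_times[0] if run_times else None,
        "run_times": run_times,
        "run_count": struct.unpack_from("<I", data, count_off)[0],
        "hash_matches_name": None,
    }
    if filename:
        parts = filename.rsplit("-", 1)          # NAME.EXE-XXXXXXXX.pf
        result["hash_matches_name"] = (len(parts) == 2
                                       and parts[1].upper() == f"{path_hash:08X}.PF")
    return result


# Constructed sample: NOTEPAD.EXE run 7 times, last on 2014-03-10 15:04:05 UTC.
# The hash value is arbitrary, not a real prefetch hash.
SAMPLE_LAST_RUN = datetime(2014, 3, 10, 15, 4, 5, tzinfo=timezone.utc)
SAMPLE_PF = build_sample_prefetch("NOTEPAD.EXE", 0x1234ABCD, SAMPLE_LAST_RUN, 7)

if __name__ == "__main__":
    print(parse_prefetch(SAMPLE_PF, "NOTEPAD.EXE-1234ABCD.pf"))
```

On a real system, run parse_prefetch over every file in C:\Windows\Prefetch, passing the file name so a renamed or planted .pf (header hash not matching the name) stands out; the file's own creation timestamp in the file system is usually a good approximation of the first run.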

Page 8: Shortcut files

• File extension .lnk (LNK files).
• Windows creates them automatically (for example in the user's Recent folder) when a file is opened, so they can be used to demonstrate access to files, particularly those on the network: the shortcut records the target's path, including the UNC path of a network share, and the target's size and timestamps at the time of access, even if the target has since been deleted.
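Extracting that evidence from a .lnk file, as an added example (not code from the slides). Both shortcuts below are constructed in memory; the server, share and user names in them are made up. The parser reads the fixed 76-byte Shell Link header and the LinkInfo block, which is where the local base path or the network share name lives; the optional IDList is skipped.

```python
# Added example (not from the original slides): pull the target path and the
# target's timestamps out of a Windows shortcut (.lnk). The two shortcuts
# below are CONSTRUCTED in memory; host, share and user names are made up.
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02                  # LinkFlags bits used here
VOLUME_AND_LOCAL_PATH, NETWORK_LINK = 0x01, 0x02         # LinkInfoFlags bits


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def _cstr(buf, off):
    """NUL-terminated ANSI string starting at offset off."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252")


def build_sample_lnk(write_time, file_size, local_base=None, net_name=None, suffix=""):
    """CONSTRUCTED sample .lnk: header plus a LinkInfo block, no IDList or strings."""
    vol = base = cnrl = b""
    li_flags = 0
    if local_base is not None:
        li_flags |= VOLUME_AND_LOCAL_PATH
        label = b"\x00"                                    # empty volume label
        vol = struct.pack("<IIII", 0x10 + len(label), 3, 0x0BADCAFE, 0x10) + label
        base = local_base.encode("cp1252") + b"\x00"
    if net_name is not None:
        li_flags |= NETWORK_LINK
        name = net_name.encode("cp1252") + b"\x00"
        # size, flags (ValidNetType), NetNameOffset, DeviceNameOffset, provider (LanMan)
        cnrl = struct.pack("<IIIII", 0x14 + len(name), 0x2, 0x14, 0, 0x20000) + name
    suf = suffix.encode("cp1252") + b"\x00"
    hdr = 0x1C
    vol_off = hdr if vol else 0
    base_off = hdr + len(vol) if base else 0
    cnrl_off = hdr + len(vol) + len(base) if cnrl else 0
    suffix_off = hdr + len(vol) + len(base) + len(cnrl)
    link_info = struct.pack("<7I", suffix_off + len(suf), hdr, li_flags,
                            vol_off, base_off, cnrl_off, suffix_off) + vol + base + cnrl + suf
    ft = datetime_to_filetime(write_time)
    header = (struct.pack("<I", 0x4C) + LINK_CLSID
              + struct.pack("<II", HAS_LINK_INFO, 0x20)      # LinkFlags, FILE_ATTRIBUTE_ARCHIVE
              + struct.pack("<QQQ", ft, ft, ft)              # target creation/access/write times
              + struct.pack("<IIIHHII", file_size, 0, 1, 0, 0, 0, 0))  # size, icon, SW_SHOWNORMAL, hotkey, reserved
    return header + link_info


def parse_lnk(data):
    if struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    ctime, atime, wtime = struct.unpack_from("<QQQ", data, 0x1C)
    file_size = struct.unpack_from("<I", data, 0x34)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # skip the LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    local_base = net_name = suffix = None
    if flags & HAS_LINK_INFO:
        (li_size, _hdr, li_flags, _vol_off, base_off,
         cnrl_off, suffix_off) = struct.unpack_from("<7I", data, pos)
        li = data[pos:pos + li_size]              # offsets below are LinkInfo-relative
        suffix = _cstr(li, suffix_off)
        if li_flags & VOLUME_AND_LOCAL_PATH:
            local_base = _cstr(li, base_off)
        if li_flags & NETWORK_LINK:               # CommonNetworkRelativeLink: NetNameOffset at +8
            name_off = struct.unpack_from("<I", li, cnrl_off + 8)[0]
            net_name = _cstr(li, cnrl_off + name_off)
    root = net_name if net_name is not None else local_base
    target = None if root is None else (root + "\\" + suffix if suffix else root)
    return {
        "target": target, "local_base": local_base, "net_name": net_name,
        "file_size": file_size,
        "creation_time": filetime_to_datetime(ctime) if ctime else None,
        "access_time": filetime_to_datetime(atime) if atime else None,
        "write_time": filetime_to_datetime(wtime) if wtime else None,
    }


# Constructed samples: a shortcut to a file on a network share, and one to a local file.
SAMPLE_NET_LNK = build_sample_lnk(datetime(2014, 2, 28, 9, 30, tzinfo=timezone.utc), 40960,
                                  net_name=r"\\FILESRV\finance", suffix="budget.xlsx")
SAMPLE_LOCAL_LNK = build_sample_lnk(datetime(2014, 3, 1, 18, 0, tzinfo=timezone.utc), 512,
                                    local_base=r"C:\Users\alice\Documents\notes.txt")

if __name__ == "__main__":
    for label, blob in (("network", SAMPLE_NET_LNK), ("local", SAMPLE_LOCAL_LNK)):
        print(label, parse_lnk(blob))
```

The timestamps in the header belong to the target at the time the shortcut was written, not to the .lnk file itself, which is why a Recent-folder shortcut still tells you the size and modification time of a document that has since been deleted from the share.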