Real Forensics The hard way
Data Recovery
• What data/evidence can you retrieve from a hard drive?
• Usually dd is good enough
• Sometimes real help is needed
Real Help
• Hard Drive recovered from Columbia Shuttle accident
• February 1, 2003
• 400 Mbyte
• http://www.sciam.com/article.cfm?id=hard-drive-recovered-from-columbia
• 99% of the data was recovered from a Xenon shear thinning experiment
Ontrack Data Recovery
• Probably:
• Removed the platters and cleaned them
• Rebuilt the spindle assembly
• Mounted in a new case
• Exercised in a clean room
HDD Capacity (chart of drive capacity growth over time)
MRU Lists: Most Recently Used Lists
Best Known
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
• An MRU list for about every application
• Used by the app to list your last accessed docs from that app
Which was the last one? (slide screenshot of two list entries, labelled First and Second)
RunMRU
• Most recently run programs from the Run command
• cmd, regedit, msconfig
Typed URLs
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
Opened and Saved MRUs
• Chronological list of Opened/Saved files
Search Assistant
• Subkeys are for different search approaches:
• 5001 – Internet Search Assistant
• 5603 – XP file search
• 5604 – “word or phrase in a file”
System Restore Points
• Restore the system to a previous state
• Restore Points built in the background
• Triggered by installation of apps/drivers (unsigned)
• Done once a day by default
What gets restored
• Registry
• Local profiles
• COM+ database
• WFP DLL cache
• WMI database
• IIS database
What doesn’t get restored
• DRM
• WPA settings
• SAM hive
• User-created data stored in the user profile
• Contents of redirected folders
System Restore Configuration
• Restore Point update interval, in seconds (= 1 day)
• Retention of Restore Points, in seconds
Lab 6.1
• Determine MRUs
• Typed URLs
• Recent files opened/viewed by app
• Order viewed
• Latest searches
• What apps were recently run from cmd.exe
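The "Which was the last one?" question and the lab's "Order viewed" item both come down to decoding the ordering value stored next to the MRU entries. This added example (not from the slides) decodes the two common layouts offline from constructed registry-value samples: RecentDocs keeps numbered values plus a binary MRUListEx (little-endian DWORD indexes, most recent first, terminated by 0xFFFFFFFF), while RunMRU keeps single-letter values plus an MRUList string of those letters, most recent first. The sample file names and commands are constructed for illustration.

```python
import struct
from typing import Dict, List

# Constructed RecentDocs-style key: each numbered value starts with the target
# name as a NUL-terminated UTF-16LE string followed by a shell-item blob
# (replaced here by zero bytes). MRUListEx says 2 was used last, then 0, then 1.
RECENTDOCS: Dict[str, bytes] = {
    "0": "budget.xlsx".encode("utf-16-le") + b"\x00\x00" + b"\x00" * 8,
    "1": "notes.txt".encode("utf-16-le") + b"\x00\x00" + b"\x00" * 8,
    "2": "report.docx".encode("utf-16-le") + b"\x00\x00" + b"\x00" * 8,
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}

# Constructed RunMRU-style key: values end in "\1"; MRUList "cba" means
# value c was run most recently.
RUNMRU: Dict[str, str] = {
    "a": "cmd\\1", "b": "regedit\\1", "c": "msconfig\\1", "MRUList": "cba",
}


def utf16_name(data: bytes) -> str:
    """Return the NUL-terminated UTF-16LE string at the start of a RecentDocs value."""
    for off in range(0, len(data) - 1, 2):   # step by code unit, not by byte
        if data[off:off + 2] == b"\x00\x00":
            return data[:off].decode("utf-16-le")
    return data.decode("utf-16-le", errors="replace")


def order_mrulistex(mrulistex: bytes) -> List[int]:
    """Decode MRUListEx into value indexes, most recent first."""
    order: List[int] = []
    usable = mrulistex[: len(mrulistex) // 4 * 4]   # ignore a truncated tail
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:                        # end-of-list marker
            break
        order.append(idx)
    return order


def recent_docs_in_order(key: Dict[str, bytes]) -> List[str]:
    """Document names from a RecentDocs-style key, most recent first."""
    return [utf16_name(key[str(i)]) for i in order_mrulistex(key["MRUListEx"])]


def run_mru_in_order(key: Dict[str, str]) -> List[str]:
    """Commands from a RunMRU-style key, most recent first, with the '\\1' suffix removed."""
    return [key[c][:-2] if key[c].endswith("\\1") else key[c] for c in key["MRUList"]]


if __name__ == "__main__":
    print("RecentDocs:", recent_docs_in_order(RECENTDOCS))
    print("RunMRU:", run_mru_in_order(RUNMRU))
```

On a real system the same values are read from an exported or mounted NTUSER.DAT hive rather than the live registry.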