1 / 26

Real Forensics

Real Forensics. The hard way. Data Recovery. What data/evidence can you retrieve from a hard drive. Usually dd is good enough Sometimes real help is needed. Real Help. Hard Drive recovered from Columbia Shuttle accident February 1, 2003 400 Mbyte

abra-weaver
Download Presentation

Real Forensics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Real Forensics The hard way

  2. Data Recovery • What data/evidence can you retrieve from a hard drive. • Usually dd is good enough • Sometimes real help is needed

  3. Real Help • Hard Drive recovered from Columbia Shuttle accident • February 1, 2003 • 400 Mbyte http://www.sciam.com/article.cfm?id=hard-drive-recovered-from-columbia • 99% of the data was recovered from a Xenon shear thinning experiment

  4. Hard Drive Mounted on Plate

  5. HDD Internals

  6. Ontrack Data Recovery • Probably: • Remove the platters and cleaned them. • Rebuilt the Spindle assembly • Mounted in a new case • Exercised in a clean room

  7. Hard Drive Architecture

  8. HDD Capacity 10,000 `2015

  9. MRU Lists Most Recently Used Lists

  10. Best Known • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs • A MRU list for about every application • Used by the app to list your last accessed docs from that app.

  11. PowerPoint

  12. Which was the last one? First Second

  13. RunMRU Most recently run programs the the Run Command. cmd regedit msconfig

  14. Typed URLsHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

  15. Opened and Saved MRUs Chronological list of Opened/Saved files

  16. Opened and Saved MRUsVia File Extensions

  17. .exe’s

  18. Apps Associated with a File Extension

  19. ComDlg32

  20. Search Assistant Subkeys are for different search approaches: 5001 – Internet Search Assistant 5603 – XP file search 5604 – “word or phrase in a file”

  21. System Restore Points • Restore the system to a previous state • Restore Points built in the background • Trigged by installation of apps/drivers (unsigned) • Done once a day by default

  22. What gets restored • Registry • Local profiles • COM+ database • WFP DLL cache • WMI database • IIS database

  23. What doesn’t. • DRM • WPA settings • SAM hive • User-created data stored in the user profile • Contents of redirected folders

  24. System Restore Configuration Restore Point updates in seconds = 1 day Retention of Restore Points in seconds

  25. Lab 6.1 • Determine MRUs • Typed URLs • Recent files opened/viewed by app • Order viewed • Latest searches • What apps were recently run from cmd.exe

More Related