
Windows systems and artifacts

Windows systems and artifacts. John P. Abraham Professor UTPA. Windows file systems. FAT (file allocation table) and NTFS (new technology file system) NTFS has the ability to set access control lists on file objects, journaling, and compression.



  1. Windows systems and artifacts John P. Abraham Professor UTPA

  2. Windows file systems
  • FAT (file allocation table) and NTFS (new technology file system)
  • NTFS has the ability to set access control lists on file objects, journaling, and compression.
  • MFT (master file table) – every file and directory has an MFT entry. The location of the starting sector of the MFT can be found in the boot sector of the disk.
  • More info: http://msdn.microsoft.com/en-us/library/windows/desktop/aa365230(v=vs.85).aspx

  3. NTFS alternate data streams
  • This was included to support the Macintosh hierarchical file system.
  • Intruders can hide files in alternate data streams, and a plain dir command will not show them. Use dir /r to list the streams attached to each file.
  • Tutorial: http://www.irongeek.com/i.php?page=security/altds

  4. Windows Registry
  • Windows configuration database
  • It records information specific to users and tracks a user’s activity.
  • Regedit is the utility we can use to view it.
  • Registry files are located in the config directory of the Windows system directory.
  • User profiles are found in NTUSER.DAT and USRCLASS.DAT
  • More info: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724946(v=vs.85).aspx

  5. Windows registry forensics
  • Here is a tutorial: http://www.forensicfocus.com/forensic-analysis-windows-registry
  • Instead of reading papers (next two) I am assigning you to read this 16 page tutorial and write a summary of each page.
  • RegRipper is a utility that Harlan Carvey (one of the authors of your lab book)

  6. Event logs
  • Windows has a built-in event viewer. (Additional event log viewers can be downloaded from Google.) To launch it: right-click on Computer, then Manage, then Event Viewer; or Start, Run, and type in: eventvwr.msc
  • You will see the APPLICATION, SECURITY, SETUP and SYSTEM categories.
  • Click on each and look at the events. There are several tutorials available on the web to help you understand these logs.

  7. Prefetch files
  • Windows keeps track of programs used during the session and saves the information to a prefetch file located in the windows\prefetch directory. It allows regularly used programs to load faster.
  • When an application is launched a prefetch file for that application is created. The name of the application, along with a hash of the path where the program is actually located, is stored in the name of the file.
  • For forensic examination, when a prefetch file is found, it means that program was run on that computer, and the file can provide the last run date and time.
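As an added example (not from the slides), a small parser that pulls the fields the slide describes out of a prefetch file header: the executable name, the path hash that appears in the file name, the last run time and the run count. The offsets used are those of prefetch format versions 17 (XP) and 23 (Vista/7); versions 26 and 30 use a different layout and Windows 10 files are additionally compressed, so the parser rejects them. The sample header is constructed here, not captured from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# (last run time offset, run count offset) by prefetch format version.
# 17 = Windows XP/2003, 23 = Windows Vista/7. Later versions are not handled.
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98)}


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    """Return name, path hash, last run time and run count from a prefetch file image."""
    if len(data) < 0x54 or data[4:8] != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUT:
        raise ValueError("unsupported prefetch format version %d" % version)
    # Executable name: 60 bytes of UTF-16LE at offset 0x10, null terminated.
    name = data[0x10:0x4C].decode("utf-16le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    run_off, count_off = LAYOUT[version]
    last_run = filetime_to_datetime(struct.unpack_from("<Q", data, run_off)[0])
    run_count = struct.unpack_from("<I", data, count_off)[0]
    return {
        "version": version,
        "name": name,
        "hash": "%08X" % path_hash,
        "last_run": last_run,
        "run_count": run_count,
        # The on-disk file name Windows gives this prefetch entry.
        "expected_filename": "%s-%08X.pf" % (name, path_hash),
    }


def build_sample():
    """Constructed version 23 header; hash and timestamp are made-up test values."""
    name = "CALC.EXE".encode("utf-16le").ljust(60, b"\x00")
    hdr = struct.pack("<I4sII", 23, b"SCCA", 0x11, 0x9C) + name
    hdr += struct.pack("<II", 0x7A22A3F6, 0)  # path hash, unknown field
    body = bytearray(0x9C - len(hdr))
    # FILETIME for 2012-01-01 00:00:00 UTC, placed at the version 23 last-run offset.
    struct.pack_into("<Q", body, 0x80 - len(hdr), 129698496000000000)
    struct.pack_into("<I", body, 0x98 - len(hdr), 5)  # run count
    return hdr + bytes(body)


if __name__ == "__main__":
    print(parse_prefetch(build_sample()))
```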

  8. Shortcut files
  • File extension .lnk (LNK files)
  • These can be used to demonstrate access to files, particularly those on the network.
