Computer Forensics: Investigations Procedures and Responses (Chapter 7)

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

How FireFox stores internet data

It uses cache folders

Internet history

Stores URLs of visited websites, searches, downloaded/opened files, emails that have been sent/viewed through Outlook History\History.IE5\index.dat

index.dat cookies

Stores data written by web sites to the computer system. This is basically a log of all cookies written.

NTUser.dat

Stores information about a particular user There is an NTUSER.dat file for each user Includes browser history

Private browsing

It isn't logged in the internet history, but evidence can still be found in the registry and cache (including images, etc.)

HKEY

short for "handler to key"

The creation date of a .lnk file

When the underlying file was first opened

EXIF Data

"Exchangeable Image File" standard mostly used for JPEG compressed images can also be viewed natively in hexadecimal format

What is the Windows registry made up of

"keys" which act like folders

Cookies

A cookie is a file created by a web browser that is saved to the client machine Cookies are often used to save settings and track usage Cookies\index.dat

3 types of logs displayed by the event viewer by default

Application log: This log contains events generated by applications. For example, a spreadsheet program might save a file missing or corrupted error in this log. Security log: The system administrator can specify which events to log. Login attempts are commonly logged here. File management may also be logged. System log This logs stores events relating to system components, such as errors produced by drivers

Index.dat location for Windows XP

C:\Documents and Settings\<username>\Cookies\index.dat C:\Documents and Settings\<username>\Local Settings\History\History.IE5\index.dat C:\Documents and Settings\<username>\Local Settings\History\History.IE5

Significant Points of Evidence in Windows Systems

Internet History LINK Files AKA "Recents" Thumbs.db/thumbcache.db Document/Image MetaData Activity logs Registry

Temporary Internet Cache

Cached webpages and multimedia content from websites visited by the user Previously cached websites are still available offline Allows websites to quicker the next time they are visited Temporary Internet Files\Content.IE5\index.dat

5 types of events logged by the Event Viewer

Error-a serious problem, such as a service that fails to start or data that has been lost. Warning-a possible problem, such as low space. Information-an event that is new or successful, such as loading a new driver. Success Audit-a security event, such as a login attempt, that succeeds. Failure Audit-a security event, such as a login attempt, that fails.

Three separate concepts that index.dat is based on

History Cookies Temporary Internet Files

Information contained on Windows Registry

Keeps track of user and system configuration and preferences - Search terms - Programs that were run or installed - Web addresses - Files/software that have been recently opened

Three types of index.dat files

Master - contains overall current history Daily - stored within folder containing date range. One folder for each day Weekly - Stored within folder containing date range. When week ends, a new folder is created and the dailies are deleted.

Thumbs.db

System-generated file that catalogues images/movies Used to view thumbnail representations of files Automatically generated when a user requests to see thumbnail view (or folder is defaulted as such)

How can internet history be reconstructed?

Temporary Internet Cache History files (index.dat)

Scienter

a legal term that refers to intent or knowledge of wrongdoing

index.dat Temporary Internet Cache

assists IE in loading cached pages to improve browsing speed Pages may be renamed when cached and that information is stored here may be a place to look for evidence of web based email

Analysis of the thumbs.db file

can assist in recreating the history of a folder; or track the movement of a file

Microsoft Management Console (MMC)

contains a number of tools for monitoring and managing systems - Windows Event Viewer

HKEY_CURRENT_CONFIG

contains configuration information regenerated when the system boots.

HKEY_USERS

contains subkeys corresponding to the HKEY_CURRENT_USER keys for each registered user on the machine

index.dat

file created by internet explorer which stores information about the internet history on a computer.

file header/signature

is at the beginning of the file and programs use this signature to associate files with programs - This is why a document file can be given a .LAM extension and Word will still open it as a document file when asked

LINK Files

shortcuts that point to other files can be created by the user or by the computer Files with a .lnk extension created when registered files are opened in Windows Listings in the Recent Documents are link files

Windows Registry

simply a database for configuration files Like the computer's central nervous system

HKEY_LOCAL_MACHINE

stores general settings for all users on the computer.

HKEY_CLASSES_ROOT

stores information about registered applications.

HKEY_CURRENT_USER

stores settings for the user currently logged in.


Kaugnay na mga set ng pag-aaral

Final Interpersonal communication

View Set

Nutritional Concepts and Related Therapies

View Set

Texas Principles of Real Estate 2 - Chapter 3

View Set

Algebra 1A- End of Semester Test: South Carolina Algebra IA

View Set

Pneumonia Practice NCLEX Questions

View Set

Sparsh Gupta cellular adaptation ,intracellular accumulation

View Set