Operating System Forensics
What is the file extension for ESE?
.EDB
Clipboard
A storage area that temporarily stores the items for a user to paste in another location of the document or office file
Print Spool
A temporary file created to hold print jobs in a Windows OS so the user can continue working while the printer is printing
netstat
A universal command-line utility used to examine the TCP/IP connections open on a given host.
The system cannot modify the _____ data; thus, retrieving ____ data can offer raw details of the file and of the execution of malware
ADS
allows files to have more than one stream of data, which are invisible to Windows Explorer and require special tools to view
ADS
offers ease in creating and accessing the additional streams, thus making it easy for perpetrators to hide data within files and access it when required. Attackers can also store executable files in the ______ and execute them using the command-line utility.
ADS
Features of X-ways forensics tool:
Access logical memory of running processes; gather slack space, free space, inter-partition space, and generic text from drives and images; ability to read partitioning and file system structures; memory analysis for local RAM or memory dumps; disk cloning and imaging
an NTFS file system feature, which helps users to find a file using alternate metadata information such as author or title
Alternate data stream or ADS
Which of the following does the Remote Desktop Protocol not carry between a terminal server and a client?
Application Data
How to query disablelastaccess on a device
C:\>fsutil behavior query disablelastaccess
By default, in the Windows operating system, in which spool folder are the .SPL and .SHD files stored?
C:\Windows\System32\spool\PRINTERS
Reg.exe
CMD tool for accessing and managing the registry
small utility that reads the cache folder of the Google Chrome web browser and displays the list of all the files that are currently stored in the cache. For each cache file, the following information is displayed: URL, content type, file size, last accessed time, expiration time, server name, server response, etc.
ChromeCacheView
displays the list of all cookies stored by the Google Chrome web browser. It also allows deleting unwanted cookies and exporting the cookies into a text/csv/html/xml file
ChromeCookiesView
small packages of data made to track, validate, and maintain specific user information. _________ may have an expiration date, after which the browser deletes them. The system can also delete the ________ without the need for an expiration date at the end of a user session. Users may also delete the data directly from the browser.
Cookies
can be used to enable, disable, install, configure, and remove devices
DevCon
Devcon Features
Display driver and device info; search for a device; change device settings; restart the device or computer
netstat -e
Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s
netstat -n
Displays active TCP connections. However, the addresses and port numbers are expressed numerically, with no names resolved
netstat -o
Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager
netstat -r
Displays the routing table and shows if any persistent routes are enabled
program that performs a quick analysis of a crash dump file. This enables you to see summary information about what the dump file contains. If the dump file is corrupt in such a way that it cannot be opened by a debugger, _________ reveals this to the investigator
DumpChk (the Microsoft Crash Dump File Checker tool)
sequential-access data storage technology from Microsoft, made to store and retrieve data
Extensible Storage Engine
HDFS is a highly fault-tolerant, with high throughput, suitable for applications with large data sets, streaming access to ____ ____ ____ and can be built out of commodity hardware.
File system data
allows you to save the clipboard data to a file and also load clipboard data from a file, so that you can transfer clipboard contents between computers
Free Clipboard Viewer
Registry Key for hibernate
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power
The system stores information about shared files and folders in the following registry key. An investigator who wants to acquire information regarding the resources that the system is making available to other users over the network would look here:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Shares
SPL and SHD files contain metadata in Unicode format and require capable tools to explore, such as:
Hex Editors and UCCHECK
Tools like Find & Mount help to collect information from the
Hidden Partition
logical section of a disk which is not accessible to the operating system
Hidden Partition
may contain files, folders, confidential data, or backups of the system
Hidden Partition
AutoRuns
Lists all programs that will run on start up and where they are called from
Passware Search Index Examiner
Lists all the emails, documents, spreadsheets, and other items indexed by Windows Desktop Search; retrieves item properties, such as creation and modification dates, author, recipients, and summary content; requires only one file from the target PC, a Windows Desktop Search Database (.edb); saves reports in common formats: XML, Comma Separated Values (.csv)
a storage space where the system stores a memory backup in case of a system failure
Memory Dump/Crash Dump
Microsoft Security ID
Microsoft Security ID refers to a unique identification number that Microsoft assigns to a Windows user account for granting the user access to a particular resource
What are the commands to determine logged on users?
PsLoggedOn, LogonSessions -p, net session / net sessions
implements a new concept of deleted or lost partition recovery. It locates and mounts partitions into the system, thus making those lost partitions available. It will also work in case any boot record (including the Master Boot Record) is missing, damaged, or overwritten
Partition Find and Mount
can create, delete, erase, format, defragment, resize, copy, and move partitions and modify their attributes
Partition Logic
is a hard disk partitioning and data management tool. It can create, delete, erase, format, defragment, resize, copy, and move partitions and modify their attributes. It can copy entire hard disks from one to another
Partition Logic
Having swap space allows your computer's operating system to pretend that you have more _____ than you actually do
RAM
NETSTAT [interval]
Refreshes and redisplays the statistics specified in the command every [interval] seconds, where [interval] is the number given in the command syntax.
tasklist /u domain\user
Runs the command with the account permissions of the user specified by User or Domain\User
netstat -a
Shows all active connections and listening ports
netstat -p
Shows connections for the protocol specified. In this case, the protocol can be tcp, udp, icmp, ip, icmpv6, ipv6, tcpv6, or udpv6. Using this parameter with -s will display protocol-based statistics
listdlls command
Shows modules and DLLs in use. A tool (and its parameters) for seeing what DLLs are referenced by an EXE; it displays the full path of the loaded module as well as the version of the loaded DLL. By using this information, investigators can find the actual code. Spyware, Trojans, and even rootkits use a technique called DLL injection to load themselves into the memory space of a running process
doskey /history
Shows previously typed commands; it is also capable of showing what drives or shares a target system has mapped
tasklist /v
Specifies that verbose task information be displayed in the output. Also lists all process IDs for applications and services.
tasklist /s computer
Specifies the name or IP address of a remote computer
(TASKLIST) /P [password]
Specifies the password of the user account that is specified in the /u parameter
tasklist /fi filtername
Specifies the types of process(es) to include in or exclude from the query
(TASKLIST) /M [module]
Specifies to show module information for each process
is the tool used to discover hidden Alternate Data Streams (ADS) and clean them completely from the system. In this tool, auto analysis is coupled with an Online Threat Verification mechanism. It consists of a multi-threaded ADS scanner and a built-in File Type Detection system
StreamArmor
The Linux operating system allocates a certain amount of storage space on a hard disk called
Swap Space
What is considered volatile information in the OS?
System time/date: time /t, date /t
What tools/commands are used to collect detailed information regarding processes?
Tasklist, Pslist, Listdlls, Handle
Programs and processes create _________ when they cannot allocate enough memory for their tasks or when the program is working on a large set of data. In general, when a program terminates, the system deletes these temp files. However, some programs create temp files and leave them behind.
Temporary Files
Metadata
The metadata of the file system generally provides information about content locations, file size, and MAC timestamps
Application data
The application data gives information about the file system journal and quota statistics
What parameters can an investigator use to retrieve full process information?
The full path to the executable image (.exe file); the command line used to launch the process, if any; the amount of time that the process has been running; the security/user context that the process is running in; the modules the process has loaded; the memory contents of the process
ipconfig
The utility used to display TCP/IP addressing and domain name information in the Windows client operating systems.
nbtstat -r
This command displays the count of all NetBIOS names resolved by broadcast and by querying a WINS server
Fsutil
This command performs the tasks that are related to file allocation table (FAT) and NTFS file systems, such as managing reparse points, managing sparse files, or dismounting a volume
Content Data
This data holds most of the information in the file system; it consists of the contents of the files themselves
nbtstat -n
This displays the names that have been registered locally on the system by NetBIOS applications such as the server and redirector
nbtstat -S
This option is used to list the current NetBIOS sessions and their statuses
ClearPageFileAtShutdown
This particular registry value tells the operating system to clear the page file when the system is shut down
allows you to extract thumbnail images from the thumbcache_*.db and iconcache_*.db database files found on Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10. The program comes with both graphic user interface and command-line interface
Thumbcache Viewer
a disk image file format that has functionality similar to a typical hard drive. It stores contents including a file system, disk partitions, a boot record, files, and folders.
VHD/ virtual hard disk
allows users to cache the contents of web pages locally in order to speed up future access to regularly visited sites. This works because the downloaded content remains on the hard drive until deleted. However, the data may remain in the unallocated space of the hard drive even after the cache is deleted
Web Browser Cache
supports indexing for over 200 common file types by maintaining a record of all the documents. It also allows the users to quickly access any document such as messages, calendar events, contacts, and media files
Windows Search Index
DisableLastAccess
Windows has the ability to disable the updating of the last access times on files. This feature is actually meant for performance enhancement, particularly on high-volume file servers
What should be used to scan virtual memory?
X-ways forensics tool
Edge stores history records, Cookies, HTTP POST request header packets and downloads in:
\Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Edge Cached Files location
\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\#!001\MicrosoftEdge\Cache\
Edge last browsing history location
\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active\
If the last browsing session was opened in InPrivate (PrivacIE) mode, where does the browser store these records?
\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active\{browsing-session-ID}.dat
ESE database
\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxx\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\xxxxx\DBStore\spartan.edb
ProcDump
a command-line utility whose primary purpose is to monitor applications for CPU spikes and generate crash dumps during a spike, so that an administrator or developer can determine the cause of the spike
Free Clipboard Viewer
a program used to view the information that is stored in memory when you use the copy and cut functions in the Windows operating system. A clipboard viewer displays the current contents of the clipboard.
PMdump
a tool that lets you dump the memory contents of a process to a file without stopping the process
Handle
a utility that displays information about the open handles for any process in the system. You can use it to see the programs that have a file open, or to see the object types and names of all the handles of a program. This information is useful for determining the resources accessed by a process while it is running. Handle helps in searching open file references and finding out whether the user has specified any command-line parameters; it will then list the values of all the handles in the system
Promqry
can determine if a Windows system has network interfaces in promiscuous mode. It has command-line and GUI versions. Users can run either version and dump its output to a text file. It cannot detect standalone sniffers or sniffers running on non-Windows operating systems
PromiscDetect
checks to see if the NIC is in promiscuous mode, which may be a sign that a sniffer is running on the computer
DevCon
command-line tool that displays detailed information about devices on computers running the Windows operating system
The _______ can store data in encrypted form, mostly in an ________ file, which includes date and time information. Investigators can use this file to fetch evidence regarding the incident
cookies, index.dat
Pslist
displays basic information about the processes already running on a system, including the amount of time each process has been running (in both kernel and user modes). It can show detailed information about the threads or memory used by a process. However, it does not provide information about the path to the executable image, the command line used to launch the process, or the user context in which the process runs
tasklist.exe
displays the list of applications and services, along with the Process IDs (PIDs), for all tasks that are running on either a local or a remotely connected computer
Five Sections of File Systems
file system data, content data, metadata, file name, and file system application data
PD
forensically dumps the memory of a running process; it is a command-line tool that dumps the whole process space, uses meta-information to describe the different mappings and states, and saves the process environment
File system data
gives details about the file system structure, such as the file system type and block size, the number of allocated blocks, etc.
nbtstat
helps to troubleshoot NetBIOS name resolution problems. When a network is functioning normally, NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses
What are the commands used to determine open files?
net file, psfile, openfiles
is a hidden file on the Windows operating system that is used as virtual memory to expand the physical memory of a system
pagefile.sys
The OS splits physical RAM into bits/chunks of memory called
pages
__________ allows you to log in to remote systems in situations where the current set of security credentials would not permit access to the Event Log. It retrieves message strings from the computer on which the event log resides. It shows the contents of the System Event Log on the local computer and allows formatting of Event Log records
psloglist
nbtstat -c
shows the contents of the NetBIOS name cache, which contains NetBIOS name-to-IP address mappings
Process Explorer
shows information about the handles and DLLs that processes have opened or loaded
Slack space
space left between the end of the stored file and the end of the disk cluster
Investigators can gather service information using the _________ command-line tool
tasklist