Operating System Forensics


What is the file extension for ESE?

.EDB

Clipboard

A storage area that temporarily holds the items a user has cut or copied so they can be pasted into another location of a document or Office file

Print Spool

A temporary file created to hold print jobs in Windows so that the user can continue working while the printer prints

netstat

A universal command-line utility used to examine the TCP/IP connections open on a given host.

Ordinary file operations in Explorer do not show or touch _____ data, so retrieving ____ data can expose raw details of a file and of malware execution

ADS

An NTFS feature that lets a file carry more than one stream of data; the extra streams are invisible in Windows Explorer and require special tools to view

ADS

Makes it easy to create and access additional streams, which lets perpetrators hide data inside files and retrieve it when required. Attackers can also store executable files in the ______ and launch them from the command line.

ADS
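Hidden streams surface in the output of `dir /r` (Vista and later) as size-only rows of the form `name:stream:$DATA`. The following parser, an added example rather than part of the original card set, pulls those rows out of constructed `dir /r` output, separates streams Windows writes itself (such as the Zone.Identifier mark-of-the-web) from everything else, and flags stream names that look executable. The sample listing, the benign-stream list and the extension list are assumptions made for the example.

```python
import re

# Constructed sample of `dir /r` output; not captured from a real system.
DIR_R_SAMPLE = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1A2B-3C4D

 Directory of C:\Users\alice\Documents

02/11/2024  09:14 AM    <DIR>          .
02/11/2024  09:14 AM    <DIR>          ..
02/11/2024  09:15 AM                28 notes.txt
                                 73,728 notes.txt:update.exe:$DATA
02/11/2024  09:16 AM             1,024 report.docx
                                    26 report.docx:Zone.Identifier:$DATA
               2 File(s)          1,052 bytes
               2 Dir(s)  40,123,456,000 bytes free
"""

# Stream rows carry no timestamp: only a (comma-grouped) size and name:stream:$DATA.
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")

# Stream names Windows itself writes (assumed list); anything else deserves a look.
BENIGN_STREAMS = {"Zone.Identifier", "encryptable", "SmartScreen"}
EXEC_EXT = (".exe", ".dll", ".ps1", ".vbs", ".bat", ".cmd", ".js", ".scr")


def find_streams(dir_output):
    """Return every alternate data stream listed in `dir /r` output."""
    streams = []
    for line in dir_output.splitlines():
        m = STREAM_RE.match(line)
        if not m:
            continue
        size = int(m.group(1).replace(",", ""))
        streams.append({"file": m.group(2), "stream": m.group(3), "size": size})
    return streams


def classify(streams):
    """Tag each stream as OS-written (benign) and/or executable-looking."""
    for s in streams:
        s["benign"] = s["stream"] in BENIGN_STREAMS
        s["executable"] = s["stream"].lower().endswith(EXEC_EXT)
    return streams


def suspicious_streams(dir_output):
    """Streams that are not on the benign list, with their classification."""
    return [s for s in classify(find_streams(dir_output)) if not s["benign"]]


if __name__ == "__main__":
    for s in suspicious_streams(DIR_R_SAMPLE):
        tag = "EXECUTABLE " if s["executable"] else ""
        print(f"{tag}{s['file']}:{s['stream']} ({s['size']} bytes)")
```

On a live host the same rows come from `dir /r` in the target directory; PowerShell's `Get-Item -Path file -Stream *` gives the equivalent view, and the stream content itself can be read with `more < file:stream`.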

Features of X-ways forensics tool:

Access logical memory of running processes, Gather slack space, free space, inter-partition space, and generic text from drives and images, Ability to read partitioning and file system structures, Memory analysis for local RAM or memory dumps, Disk cloning and imaging

An NTFS file system feature that helps users find a file using alternate metadata such as author or title

Alternate data stream or ADS

Which of the following does the Remote Desktop Protocol not carry between a terminal server and a client?

Application Data

How to query DisableLastAccess on a device

C:\>fsutil behavior query disablelastaccess

By default, in which folder does Windows store the .SPL and .SHD spool files?

C:\Windows\System32\spool\PRINTERS

Reg.exe

Command-line tool for accessing and managing the registry

A small utility that reads the cache folder of the Google Chrome web browser and displays the list of all files currently stored in the cache. For each cache file it shows the URL, content type, file size, last accessed time, expiration time, server name, server response, etc.

ChromeCacheView

Displays the list of all cookies stored by the Google Chrome web browser. It also allows deleting unwanted cookies and exporting the cookies to text/CSV/HTML/XML files

ChromeCookiesView

Small packages of data made to track, validate, and maintain specific user information. _________ may have an expiration date, after which the browser deletes them. The browser can also delete a ________ that has no expiration date at the end of a user session. Users may also delete the data directly from the browser.

Cookies

Can be used to enable, disable, install, configure, and remove devices

DevCon

Devcon Features

Display driver and device info; search for a device; change device settings; restart the device or computer

netstat -e

Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s

netstat -n

Displays active TCP connections; however, addresses and port numbers are expressed numerically, with no name resolution

netstat -o

Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager

netstat -r

Displays the routing table and shows if any persistent routes are enabled

A program that performs a quick analysis of a crash dump file, showing summary information about what the dump contains. If the dump file is corrupt in such a way that a debugger cannot open it, _________ reports that to the investigator

DumpChk (the Microsoft Crash Dump File Checker tool)

A data storage technology from Microsoft that stores and retrieves data through indexed and sequential access (an ISAM engine)

Extensible Storage Engine

HDFS is highly fault-tolerant, provides high throughput, suits applications with large data sets, offers streaming access to ____ ____ ____, and can be built from commodity hardware.

File system data

Allows you to save the clipboard data to a file and load clipboard data from a file, so that you can transfer clipboard contents between computers

Free Clipboard Viewer

Registry Key for hibernate

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power (the HibernateEnabled value)

The system stores information about shared files and folders under the following registry key. An investigator who wants to know which resources the system makes available to other users over the network should look here:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Shares
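Each value under that key is a REG_MULTI_SZ whose entries are `Field=value` strings (ShareName, Path, Remark, Type, Permissions, MaxUses, CSCFlags). The parser below, an added example that is not part of the card set, turns the text that `reg query` prints for the key into per-share dictionaries and then answers a typical question: which shares expose a path under a given directory. The sample output is constructed, and it assumes `reg query` renders REG_MULTI_SZ entries separated by a literal `\0`, as it does on current Windows versions.

```python
import re

# Constructed sample of `reg query HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares`
# output (not from a real host). Entries of a REG_MULTI_SZ appear separated by a literal "\0".
REG_QUERY_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
    Finance    REG_MULTI_SZ    CSCFlags=0\0MaxUses=4294967295\0Path=D:\Finance\0Permissions=0\0Remark=\0ShareName=Finance\0Type=0\0
    Tools    REG_MULTI_SZ    CSCFlags=0\0MaxUses=4294967295\0Path=C:\Tools\0Permissions=0\0Remark=Build tools\0ShareName=Tools\0Type=0\0
    Drop    REG_MULTI_SZ    CSCFlags=0\0MaxUses=4294967295\0Path=C:\Users\Public\Drop\0Permissions=0\0Remark=\0ShareName=Drop\0Type=0\0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security
"""

# "    <value name>    REG_MULTI_SZ    <data>"
VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_MULTI_SZ\s+(.*?)\s*$")


def parse_shares(reg_output):
    """Map share value name -> dict of Field=value pairs from reg query text."""
    shares = {}
    for line in reg_output.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        fields = {}
        for entry in data.split(r"\0"):       # split on the literal backslash-zero
            if "=" not in entry:
                continue                      # skips the trailing empty element
            key, _, value = entry.partition("=")
            fields[key] = value
        shares[name] = fields
    return shares


def shares_under(shares, prefix):
    """Names of shares whose Path starts with prefix (case-insensitive, NTFS style)."""
    prefix = prefix.lower().rstrip("\\") + "\\"
    return sorted(n for n, f in shares.items()
                  if (f.get("Path", "").lower() + "\\").startswith(prefix))


if __name__ == "__main__":
    shares = parse_shares(REG_QUERY_SAMPLE)
    for name, f in shares.items():
        # Type 0 is a disk share; other types are printers, devices and IPC.
        print(f"{name}: Path={f.get('Path')} Type={f.get('Type')} Remark={f.get('Remark')!r}")
    print("Shares under C:\\Users:", shares_under(shares, r"C:\Users"))
```

Pair the registry view with `net share` on the live system: a share present in one listing but absent from the other points at a share created after the last hive write or at tampering with the key.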

SPL and SHD files contain metadata in Unicode format and require capable tools to explore, such as:

Hex Editors and UCCHECK

Tools like Partition Find & Mount help to collect information from the

Hidden Partition

A logical section of a disk that is not accessible to the operating system

Hidden Partition

May contain files, folders, confidential data, or backups of the system

Hidden Partition

AutoRuns

Lists all programs that run at startup and the locations (registry keys, startup folders, scheduled tasks, services) from which they are called

Passware Search Index Examiner

Lists all the emails, documents, spreadsheets, and other items indexed by Windows Desktop Search; retrieves item properties such as creation and modification dates, author, recipients, and summary content; requires only one file from the target PC, the Windows Desktop Search database (.edb); saves reports in common formats: XML and comma-separated values (.csv)

A storage space where the system stores a memory backup in case of a system failure

Memory Dump/Crash Dump

Microsoft Security ID

The Security Identifier (SID) is a unique value that Windows assigns to each user, group, and computer account; access control lists reference SIDs to grant or deny access to a particular resource

What are the commands to determine logged on users?

PsLoggedOn; LogonSessions (LogonSessions -p also lists the processes in each session); net session

Implements a new concept of deleted or lost partition recovery. It locates and mounts partitions into the system, making lost partitions available. It also works when any boot record (including the Master Boot Record) is missing, damaged, or overwritten

Partition Find and Mount

A hard disk partitioning and data management tool. It can create, delete, erase, format, defragment, resize, copy, and move partitions and modify their attributes. It can also copy entire hard disks from one to another

Partition Logic

Having a swap space allows your computer's operating system to pretend that you have more _____ than you actually do

RAM

NETSTAT [interval]

Refreshes and redisplays the selected statistics every [interval] seconds until the command is interrupted with Ctrl+C

tasklist /u domain\user

Runs the command with the account permissions of the user specified by User or Domain\User

netstat -a

Shows all active connections and the TCP and UDP ports on which the computer is listening

netstat -p protocol

Shows connections for the specified protocol, which can be tcp, udp, tcpv6, or udpv6. Combined with -s, the protocol can also be icmp, ip, icmpv6, or ipv6, and protocol-based statistics are displayed

listdlls command

Shows the modules and DLLs loaded by each process, displaying the full path of each loaded module and the version of the loaded DLL; investigators can use this information to locate the actual code. Spyware, Trojans, and even rootkits use a technique called DLL injection to load themselves into the memory space of a running process

doskey /history

Shows the commands previously typed in the current cmd.exe session; the history may reveal which drives or shares the user mapped on the target system (for example via net use)

tasklist /v

Displays verbose task information in the output: in addition to the image name and PID of each application and service, the status, user name, CPU time, and window title

tasklist /s computer

Specifies the name or IP address of a remote computer

(TASKLIST) /P [password]

Specifies the password of the user account that is specified in the /u parameter

tasklist /fi filter

Specifies the types of process(es) to include in or exclude from the query

(TASKLIST) /M [module]

Shows module (DLL) information for each process
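The netstat and tasklist cards above describe the two outputs an investigator pairs most often: `netstat -ano` gives each socket an owning PID, and `tasklist` gives each PID an image name. The script below, an added example that is not part of the original card set, parses constructed samples of both (`tasklist` run with `/fo csv` so the fields are unambiguous), joins them on PID, lists established outbound connections to ports outside an allow-list, and reports sockets whose PID has no process entry. The sample output, the allow-list and the two hosts are assumptions made for the example.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    10.0.0.5:49712         203.0.113.7:4444       ESTABLISHED     3120
  TCP    10.0.0.5:49713         93.184.216.34:443      ESTABLISHED     5576
  UDP    0.0.0.0:5353           *:*                                    1204
"""

# Constructed sample of `tasklist /fo csv` output for the same hypothetical host.
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","908","Services","0","9,120 K"
"powershell.exe","3120","Console","1","61,004 K"
"msedge.exe","5576","Console","1","210,340 K"
'''


def parse_netstat(text):
    """One dict per TCP/UDP row. UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        if fields[0] == "TCP":
            proto, local, remote, state, pid = fields
        else:
            proto, local, remote, pid = fields
            state = ""
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist_csv(text):
    """Map PID -> image name; csv handles the quoted, comma-containing Mem Usage."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): r["Image Name"] for r in reader}


def correlate(netstat_text, tasklist_text):
    """Attach the owning image name (or None) to every socket."""
    procs = parse_tasklist_csv(tasklist_text)
    out = []
    for row in parse_netstat(netstat_text):
        row = dict(row)
        row["image"] = procs.get(row["pid"])
        out.append(row)
    return out


def outbound_to_unusual_ports(rows, allowed=frozenset({80, 443})):
    """ESTABLISHED TCP sockets whose remote port is not on the allow-list."""
    hits = []
    for r in rows:
        if r["proto"] != "TCP" or r["state"] != "ESTABLISHED":
            continue
        port = int(r["remote"].rsplit(":", 1)[1])   # rsplit also copes with [::1]:443
        if port not in allowed:
            hits.append(r)
    return hits


def unmatched_pids(rows):
    """PIDs that own a socket but did not appear in tasklist: snapshot skew or a hidden process."""
    return sorted({r["pid"] for r in rows if r["image"] is None})


if __name__ == "__main__":
    rows = correlate(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for r in outbound_to_unusual_ports(rows):
        print(f"{r['image']} (PID {r['pid']}) -> {r['remote']}")
    print("PIDs without a process entry:", unmatched_pids(rows))
```

Because the two commands are run at different instants, a PID missing from tasklist is not proof of a hidden process; re-run both and compare against a Process Explorer or pslist snapshot before drawing that conclusion.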

The tool used to discover hidden alternate data streams (ADS) and remove them completely from the system. Its automatic analysis is coupled with an online threat verification mechanism, and it consists of a multi-threaded ADS scanner and a built-in file type detection system

StreamArmor

The Linux operating system allocates a certain amount of storage space on a hard disk called

Swap Space

What is considered volatile information in the OS?

System date and time (date /t, time /t)

What tools/ commands are used to collect detailed information regarding process ?

tasklist, pslist, listdlls, handle

Programs and processes create _________ when they cannot allocate enough memory for their tasks or when they work on a large set of data. In general, when a program terminates, the system deletes these files. However, some programs create them and leave them behind.

Temporary Files

Meta Data

The metadata of the file system generally provides information about content locations, file size, and MAC (modified, accessed, created) timestamps

Application data

The application data gives information such as the file system journal and quota statistics

What parameters can an investigator use to retrieve full process information?

The full path to the executable image (.exe file); the command line used to launch the process, if any; the amount of time the process has been running; the security/user context the process runs in; the modules the process has loaded; the memory contents of the process

ipconfig

The utility used to display TCP/IP addressing and domain name information on Windows client operating systems.

nbtstat -r

This command displays the count of all NetBIOS names resolved by broadcast and by querying a WINS server

Fsutil

This command performs tasks related to the file allocation table (FAT) and NTFS file systems, such as managing reparse points, managing sparse files, or dismounting a volume

Content Data

This section holds most of the information in the file system: the actual contents of the files

nbtstat -n

Displays the NetBIOS names registered locally on the system by NetBIOS applications such as the server and redirector

nbtstat -S

Lists the current NetBIOS sessions and their status, identifying remote computers by IP address (the lowercase -s option resolves them to names)

ClearPageFileAtShutdown

This registry value, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, tells the operating system to clear the page file when the system shuts down; when it is set, pagefile.sys from a cleanly shut-down system holds little of evidentiary value

Allows you to extract thumbnail images from the thumbcache_*.db and iconcache_*.db database files found on Windows Vista, 7, 8, 8.1, and 10. The program comes with both a graphical user interface and a command-line interface

Thumbcache Viewer

A disk image file format with functionality similar to a typical hard drive. It stores contents including a file system, disk partitions, a boot record, files, and folders.

VHD/ virtual hard disk

Lets the browser cache the contents of web pages locally to speed up future access to regularly visited sites. The downloaded content remains on the hard drive until it is deleted, and even after the cache is cleared the data may persist in unallocated space on the drive

Web Browser Cache

Supports indexing for over 200 common file types by maintaining a record of all documents. It also lets users quickly access any document, such as messages, calendar events, contacts, and media files

Windows Search Index

DisableLastAccess

Windows can disable the updating of last access times on files. The feature is meant as a performance enhancement, particularly on high-volume file servers, and has been the default since Windows Vista. On Windows 10 1803 and later, fsutil behavior query disablelastaccess reports four states (0 and 1 user managed, enabled and disabled; 2 and 3 system managed, enabled and disabled), so check the value before relying on access timestamps in a timeline

What should be used to scan virtual memory?

X-ways forensics tool

Edge (legacy) stores history records, cookies, HTTP POST request headers, and downloads in:

\Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Edge Cached Files location

\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\#!001\MicrosoftEdge\Cache\

Edge last browsing history location

\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active\

If the last browsing session was opened in InPrivate mode, where does the browser store its session records?

\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active\{browsing-session-ID}.dat

ESE database

\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxx\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\xxxxx\DBStore\spartan.edb

ProcDump

A command-line utility whose primary purpose is to monitor applications for CPU spikes and generate crash dumps during a spike, so that an administrator or developer can determine the cause of the spike

Free Clipboard Viewer

A program used to view the information stored in memory when you use the copy and cut functions in Windows. A clipboard viewer displays the current content of the clipboard.

PMdump

A tool that lets you dump the memory contents of a process to a file without stopping the process

Handle

A utility that displays information about the open handles of any process in the system. You can use it to see which programs have a file open, or to see the object types and names of all handles held by a program. This information helps determine the resources a process accessed while running. Handle searches for open file references; without command-line parameters it lists the values of all handles in the system

Promqry

Can determine whether a Windows system has network interfaces in promiscuous mode. It has command-line and GUI versions; users can run either and dump its output to a text file. It cannot detect standalone sniffers or sniffers running on non-Windows operating systems

PromiscDetect

Checks whether a NIC is in promiscuous mode, which may be a sign that a sniffer is running on the computer

DevCon

A command-line tool that displays detailed information about devices on computers running Windows

The _______ can store data in encrypted form, mostly in an ________ file, which includes date and time information. Investigators can use this file to fetch evidence regarding the incident

cookies, index.dat

Pslist

Displays basic information about the processes already running on a system, including how long each process has been running (in both kernel and user mode); with -d or -m it shows detailed information about the threads or memory used by a process. However, it does not report the path to the executable image, the command line used to launch the process, or the user context in which the process runs

tasklist.exe

Displays the list of applications and services, along with the process ID (PID) of each task, running on either a local or a remotely connected computer

Five Sections of File Systems

file system data, content data, metadata, file name, and file system application data

PD

Forensically dumps the memory of a running process. It is a command-line tool that dumps the whole process space, uses meta-information to describe the different mappings and states, and saves the process environment

File system data

Gives details about the file system structure, such as the file system type, block size, number of allocated blocks, etc.

nbtstat

Helps troubleshoot NetBIOS name resolution problems. When a network is functioning normally, NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses

What are the commands used to determine open files?

net file, psfile, openfiles

A hidden file on the Windows operating system used as virtual memory to extend the physical memory of a system

pagefile.sys

The OS splits physical RAM into fixed-size chunks of memory called

pages

__________ allows logging in to remote systems when the current set of security credentials would not permit access to the Event Log. It retrieves message strings from the computer on which the event log resides, shows the contents of the System Event Log on the local computer by default, and allows formatting of Event Log records

psloglist

nbtstat -c

shows the contents of the NetBIOS name cache, which contains NetBIOS name-to-IP address mappings

Process Explorer

Shows information about the handles and DLLs that processes have opened or loaded

Slack space

The space between the end of a stored file's data and the end of the last disk cluster allocated to it; it can retain fragments of previously deleted data

Investigators can gather services information using the _________command line tool

tasklist (tasklist /svc maps each service to the process that hosts it)
