Netscape and Firefox both store web history in a history. The location for the history. An in-depth analysis of these browsers is out of the scope of this particular paper as they are not relevant in a Windows Registry examination.
P2P Clients. Peer-to-Peer (P2P) networks are notorious for providing users with the ability to distribute illegal and sometimes unethical materials. Three popular P2P clients were downloaded, installed, used, and examined for the purpose of this research. The clients that were used are Limewire, Kazaa, and Morpheus.
The research conducted on Limewire was somewhat inconclusive with regard to a Registry examination. There were very few footprints of user activity, and no logs of searches or downloaded files could be found. The most helpful thing discovered in the Registry was the install path of the program. Knowing this information gives the exact location to look in the file system. Kazaa, however, was a bit more successful.
Two Registry keys of interest were discovered. This setting will filter adult content from search results. Figure 9 shows the location of this key and the information it contains. Of the three P2P clients that were researched, Morpheus was the only one that kept a log in the Registry of recently searched-for keywords or phrases.
If an examiner is investigating a case where the user is suspected to have used Morpheus to download illegal content, this key could be very useful in seeing exactly the type of material the user was querying.
One Thing in Common. Therefore, any type of program in use for file sharing purposes should appear on this list.
This would be a great place for a forensic examiner to look in determining if the system has other potential file sharing applications that have been overlooked.
Figure 9b Firewall Authorized Applications key.
Overview. Given the popularity of the Windows operating system — in homes and businesses — it is important for computer forensic experts to understand the complexity of the Windows Registry.
The information and potential evidence that reside in the Registry make it a significant forensic resource; uncovering this data can be crucial to any computer related investigation.
By understanding the fundamentals of the Registry from a forensics standpoint, an examiner can develop a more precise account of what actions occurred on the given machine. This report is by no means conclusive in terms of a Registry examination. It presents some explanations and examples of what types of data can be found, how they can be found, and why they may be relevant to an examination. For as long as operating systems depend upon the Registry as a configuration database, and for as long as applications continue to use that database for storage, there will always be new locations to discover that provide evidential support in an investigation.
In the above figure, you can see the user has opened cmd, Notepad, MSPaint, etc.
This key stores the product and device ID values of any USB devices that have ever been connected to the system. This information can be useful to a forensic examiner, as it shows that every storage device that has been connected was recognized by the operating system. If the examiner notes a discrepancy between the physically attached devices and the ones reported here, it can be an indication that some device was removed prior to the evidence being seized.
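The discrepancy check described above, as an added example that is not part of the original text: it parses USBSTOR subkey names from a constructed sample of the SYSTEM hive layout and flags devices whose hardware serial is not among the media seized with the machine. The key layout (one subkey per device model under Enum\USBSTOR, one instance subkey per unit, and an '&' as the second character of Windows-generated instance IDs) is assumed from common forensic practice, and the sample data is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample (not from a real system) of what sits under
# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR: one subkey per device model,
# and beneath it one instance subkey per physical unit, named after the
# unit's serial number (or a Windows-generated ID when it has none).
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00": ["4C530001230210112345&0"],
    "Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP": ["001CC0EC3432CB91&0", "7&2a1b3c4d&0"],
    "CdRom&Ven_ASUS&Prod_SDRW-08D2S-U&Rev_B901": ["7&1f2e3d4c&0&000000"],
}

DEVICE_KEY_RE = re.compile(
    r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^&]*)$")

@dataclass(frozen=True)
class UsbDevice:
    device_class: str
    vendor: str
    product: str
    revision: str
    instance_id: str
    serial: str   # empty when Windows generated the instance ID

def parse_usbstor(usbstor: Dict[str, List[str]]) -> List[UsbDevice]:
    """Turn USBSTOR subkey names into device records."""
    devices = []
    for device_key, instances in usbstor.items():
        m = DEVICE_KEY_RE.match(device_key)
        if not m:            # not a device-model key; skip it
            continue
        for inst in instances:
            # Assumed convention: when the second character of the instance ID
            # is '&', the device reported no serial and Windows synthesised the ID.
            serial = "" if inst[1:2] == "&" else inst.split("&")[0]
            devices.append(UsbDevice(m["cls"], m["ven"], m["prod"], m["rev"], inst, serial))
    return devices

def unaccounted_devices(devices: List[UsbDevice], seized_serials: Set[str]) -> List[UsbDevice]:
    """Devices with a hardware serial that is not among the physically seized media."""
    return [d for d in devices if d.serial and d.serial not in seized_serials]

if __name__ == "__main__":
    # Constructed inventory of what was actually seized with the machine.
    for d in unaccounted_devices(parse_usbstor(SAMPLE_USBSTOR), {"4C530001230210112345"}):
        print(f"{d.vendor} {d.product} serial {d.serial} seen in USBSTOR but not seized")
```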
This information will be quite informative for a forensic examiner, as it shows that the hacker used a VPN such as CyberGhost to remain anonymous. So this key and its relevant subkeys can be used to track past files that were opened or saved by the suspect.
Windows maintains information about the systems that a specific user of this box connected to, and whether it belonged to a particular Local Area Network. This key is found at the following location in the registry:. Notice the systems that the suspect connected to. These can be added to the scope of the investigation if needed [Figure 10]. This may indicate that Google Toolbar is not installed on this box [Figure 12]. Until now, we have been extracting information from the registry of a Windows XP box according to our case (see case details here).
Now we extract information from a Windows 7 registry. There are slight differences in the structure of the registry in the various versions of Windows. This fact affects the successful execution of a plugin. The following examples are meant to show that registry analysis using RegRipper on a Windows 7 box is not different from that on a Windows XP box.
This is because the RegRipper plugins offer us a certain abstraction, automatically locating information in the Windows registry. This key stores information about the folder paths that this user typed in the Windows Explorer Address Bar on the system. Note: During our experimentation, we found that most of the plugins for Windows Vista worked for Windows 7 as well, as in this case. Note: If you do not have information on which hive file is required by a specific plugin, you need to view the Perl script in a text editor of your choice (vi, nano, leafpad, notepad, etc.).
You will notice a mention of the hive file that the script uses.
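Automating the check just described, as an added example that is not RegRipper's own code: it reads the hive declaration out of a plugin's source so you can list which plugins apply to the hive file you have. The assumption is that each plugin declares its hive in a Perl %config hash as `hive => "..."`; the plugin text below is a constructed sample with a hypothetical plugin name.

```python
import re
from pathlib import Path
from typing import Dict, List

# Constructed sample of a RegRipper plugin header (hypothetical plugin
# name). Assumed convention: the %config hash names the hive the plugin
# parses, which is the line an examiner looks for when reading the script.
SAMPLE_PLUGIN = r'''
package typedpaths_example;
use strict;

my %config = (hive          => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20100330);
'''

HIVE_RE = re.compile(r'hive\s*=>\s*"([^"]*)"')

def plugin_hives(source: str) -> List[str]:
    """Hive names a plugin declares, normalised: Perl escapes removed, upper-cased."""
    m = HIVE_RE.search(source)
    if not m:
        return []
    raw = m.group(1).replace("\\.", ".")
    return [h.strip().upper() for h in raw.split(",") if h.strip()]

def select_plugins(sources: Dict[str, str], hive: str) -> List[str]:
    """Plugin names whose declared hive matches the hive file you have (or 'All')."""
    wanted = hive.upper()
    return sorted(name for name, src in sources.items()
                  if wanted in plugin_hives(src) or "ALL" in plugin_hives(src))

def load_plugin_dir(plugin_dir: Path) -> Dict[str, str]:
    """Read every .pl file in a RegRipper plugins directory into memory."""
    return {p.stem: p.read_text(errors="replace") for p in plugin_dir.glob("*.pl")}

if __name__ == "__main__":
    import sys
    # Usage: python this_script.py /path/to/regripper/plugins NTUSER.DAT
    print("\n".join(select_plugins(load_plugin_dir(Path(sys.argv[1])), sys.argv[2])))
```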