

Windows Forensics

Content Leader: Jess Garcia - Last Updated: April 16, 2007


Index

Common Windows Files

User Files

  • Thumbs.db
    • Thumbs.db is in Microsoft's OLE 2 Compound Document format, the same format that MS Office uses (see http://jakarta.apache.org/poi/index.html).
    • Cumulative file where thumbnails for viewed images are stored. Even if you delete the images, the thumbnails will remain.
    • There is just one time attribute associated with it.
    • Viewers:
  • Index.dat
  • Documents and Settings\NTUser.dat
  • Recycle Bin
    • The Recycle Bin has sub-Recycle Bins for each user on the system.
    • There is an index file (INFO2) which keeps track of what was where.
    • Deletion time: located in the INFO2 file
    • New name of the file after deletion:
      • e.g. D<vol.letter>1.<ext> (e.g. Dc1.bmp)
      • e.g. D<vol.letter>2.<ext> (e.g. Dc2.jpg)
    • File entries are 800 bytes long
    • The INFO2 entry tells you where the deleted file originally was.
    • If the SHIFT key is pressed while deleting, it will not leave traces in the Recycle Bin.
    • If the drive letter disappears (00) from the INFO2 entry, it means that the file was either permanently deleted or restored.
    • There is a Unicode version of the file name.
    • The timestamp is located 12 bytes before the Unicode filename and spans 8 bytes.
    • The UserID is the last 3 or 4 digits of the RECYCLER sub-folder name; in fact, the whole sub-folder name is the long UserID, as it can be found in the SAM.
    • Remember that the person who deleted the file may or may not be the owner of the file.
  • Link Files
    • .lnk extension
    • Timestamps are found at an offset of 24, spanning 28 bytes.
    • 4 bytes before the referenced filename you can find the volume serial number.
    • Info (TBC):
      • File Flags
      • File Attrs
      • Shortcut Display Mode
      • CWA Times
      • Vol. Label
      • Media Type
      • Volume Serial
      • File Length
      • Base Path
      • Target Exists
  • Internet Explorer
    • Favorites
    • History
      • Tools: NetAnalysis, Pasco
    • Cache
    • Cookies
      • Fields: Key, Value, Host, Secure, Modified Date, Expiration Date.
  • Firefox
    • Favorites
    • History
    • Cache
    • Cookies
    • Passwords
    • Downloads
  • Toolbars
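The Recycle Bin notes above describe the INFO2 index well enough to parse it: 800-byte records, a deletion FILETIME 8 bytes long sitting 12 bytes before the Unicode filename, and a zeroed drive letter meaning the file was restored or permanently deleted. The following parser is an added example, not code from this knowledgebase; the 20-byte header, the record-number and drive-number fields at offsets 260 and 264 and the Unicode path at offset 280 are assumptions from the Windows XP INFO2 layout and are not stated on the page, and the INFO2 image it parses is constructed inline.

```python
import struct
from datetime import datetime, timedelta, timezone

# 800-byte records, the "drive letter becomes 00" rule and "FILETIME 12 bytes before the
# Unicode name" are from the page; the remaining offsets are assumed (Windows XP INFO2).
HEADER_SIZE = 20                 # assumed: file header before the first record
RECORD_SIZE = 800                # from the page
INDEX_OFF = 260                  # assumed: u32 record number (the "1" in Dc1.bmp), then u32 drive number (2 = C:)
UNICODE_OFF = 280                # assumed: original path, UTF-16LE, NUL-padded
FILETIME_OFF = UNICODE_OFF - 12  # page rule: 8-byte deletion FILETIME 12 bytes before it
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_info2(data):
    """Walk the fixed-size INFO2 records and return one dict per entry."""
    records = []
    for pos in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        rec = data[pos:pos + RECORD_SIZE]
        index, drive, ft = struct.unpack_from("<IIQ", rec, INDEX_OFF)
        path = rec[UNICODE_OFF:].decode("utf-16-le").split("\x00", 1)[0]
        ext = path[path.rfind("."):] if "." in path else ""
        records.append({
            "original_path": path,
            # name the file gets inside RECYCLER: D<drive letter><index><ext>, e.g. Dc1.bmp
            "recycled_name": "D%s%d%s" % (chr(ord("a") + drive), index, ext),
            "deleted_utc": filetime_to_utc(ft).isoformat(),
            # first byte of the ANSI path is the drive letter; 00 => restored or purged
            "still_in_bin": rec[0] != 0,
        })
    return records

def build_record(path, index, drive, ft, still_in_bin=True):
    """Constructed sample record for testing (not taken from a real system)."""
    rec = bytearray(RECORD_SIZE)
    ansi = path.encode("cp1252")
    rec[:len(ansi)] = ansi
    if not still_in_bin:
        rec[0] = 0
    struct.pack_into("<IIQ", rec, INDEX_OFF, index, drive, ft)
    uni = path.encode("utf-16-le")
    rec[UNICODE_OFF:UNICODE_OFF + len(uni)] = uni
    return bytes(rec)

# Constructed INFO2 image: zero header plus two records (FILETIME 128211552000000000 = 2007-04-16 00:00 UTC)
SAMPLE_INFO2 = bytes(HEADER_SIZE) \
    + build_record(r"C:\Documents and Settings\jess\Desktop\photo.bmp", 1, 2, 128211552000000000) \
    + build_record(r"C:\temp\notes.txt", 2, 2, 128211552000000000 + 36_000_000_000, False)
```

Running `parse_info2(SAMPLE_INFO2)` yields the original path, the Dc1.bmp-style name to look for in RECYCLER, the deletion time and whether the entry is still live.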

Operating System Files

  • Pagefile.sys
  • Hiberfil.sys
  • %SYSTEMROOT%\System32\Config\Default
  • %SYSTEMROOT%\System32\Config\SAM
  • %SYSTEMROOT%\System32\Config\Security
  • %SYSTEMROOT%\System32\Config\Software
  • %SYSTEMROOT%\System32\Config\System
  • %SYSTEMROOT%\System32\Config\AppEvent.evt
  • %SYSTEMROOT%\System32\Config\SecEvent.evt
  • %SYSTEMROOT%\System32\Drivers\Etc\Hosts
  • %SYSTEMROOT%\System32\Drivers\Etc\LMHosts
  • %SYSTEMROOT%\System.ini
  • %SYSTEMROOT%\Win.ini
  • Print Spool Files
    • Under %SYSTEMROOT%\System32\Spool\Printers
    • SHD
      • The first 2 bytes identify the OS which generated the file:
        0x4B49 -> Windows 9x
        0x6649 -> Windows NT
        0x6749 -> Windows 2000/XP
        0x6849 -> Windows Server 2003
      • Contents:
        User who printed the job
        User who is notified when the job is completed.
        Document Name
        Printer Port Name
        Printer Name
      • The relevant information is at the position indicated by the contents of offset 14h.
    • SPL
      • Format can be: RAW or EMF
  • Windows Shortcuts

Users

  • Tools
    • sid2user
    • user2sid

General Information

  • Time Zone
    • Registry Entries:
      • HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation\StandardName
      • HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation\DaylightName
    • Look in the Event Log for Timezone changes
  • Windows XP activation info resides in:
    • C:\Windows\System32\wpa.dbl - C:\Windows\System32\wpa.bak
  • USB drives:
    • Registered (forever) in ControlSet\Enum\USBSTOR
      • One entry for each device.
    • There is a Windows XP SP2 hack to make a removable drive read-only.

References


Copyright © 2000-2008 Jessland - Jess Garcia's Website - All rights reserved.