Module XII – Windows Forensics I
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Passware Exposes Private Data Indexed by Windows Search
New evidence discovery software extracts all users' data from a Windows Search Database.
MOUNTAIN VIEW, Calif., Nov. 12 - Passware, Inc., the expert in cryptanalysis,
introduces a new evidence discovery solution for Windows Vista, XP, and Server 2003.
Passware Search Index Examiner makes all the data indexed by Windows Search instantly
accessible to computer forensics and IT professionals.
Search Index Examiner lists all the documents, emails, and spreadsheets, as well as
provides creation and modification dates, author, recipients, summary content, and other
information for each item. The only data it needs from the target computer is a Windows
Search database.
A quick scan of a Windows Search Database can find documents relevant to a case, and
even a preview of files and items which have been deleted, deliberately or not.
It takes under 10 minutes to perform a full scan -- extracting over 150,000 items. As an
average personal computer stores far fewer items, a typical extraction is almost instant.
The wizard interface makes the process easy as ABC.
Source: http://news.thomasnet.com/
Module Objective
This module will familiarize you with:
• Collecting volatile and non-volatile information
• Windows memory analysis
• Windows Registry analysis
• Windows file analysis
• Text-based logs
• Other audit events
• Forensic analysis of event logs
• Tool analysis
• Windows password issues
Module Flow
Collecting Volatile & Non-volatile Information -> Windows Memory Analysis -> Windows Registry Analysis -> Windows File Analysis -> Text-Based Logs -> Other Audit Events -> Forensic Analysis of Event Logs -> Tool Analysis -> Windows Password Issues
Volatile Information
Volatile information lives in RAM and in kernel state: it is lost when the system is powered off and is easily modified by ordinary activity, so collect it first and record the order in which you collect it
It helps you to build a logical timeline of the security incident and to identify the users and processes involved
Volatile Information:
• System time
• Logged-on user(s)
• Open files
• Network information
• Network connections
• Process information
• Process-to-port mapping
• Process memory
• Network status
• Clipboard contents
• Service/driver information
• Command history
• Mapped drives
• Shares
Non-volatile Information
Non-volatile information resides on secondary storage (disk) and persists across reboots
Because it does not perish, it is collected after the volatile data
Non-Volatile Information:
• Hidden files
• Slack space
• Swap file
• Index.dat files
• Metadata
• Hidden ADS streams
• Windows Search index
• Unallocated clusters
• Unused partitions
• Hidden partitions
• Registry settings
• Event logs
Module Flow (cont'd)
Forensics Tools -> Collecting Volatile Information -> Collecting Non-Volatile Information -> Windows Memory Analysis -> Cache, Cookie and History Analysis -> MD5 Calculation -> Metadata Investigation -> Text-Based Logs -> Forensic Analysis of Event Logs -> Other Audit Events -> Windows Registry Analysis -> Windows File Analysis -> Windows Password Issues
System Time
Record the system time first: every other timestamp you collect is relative to it, and comparing it with a trusted reference clock tells you how far the system's clock is off
Collect the system time from:
• The clock in the notification area (bottom-right corner of the taskbar)
• The date /t and time /t commands
Note the time zone as well (see Time Zone Information later in this module), since the clock shows local time
Logged-on Users
Collect information about the users logged on to the system, both locally and remotely
This tells you which user the context of a running process, the owner of a file, or the last access time on a file should be attributed to
Tools and commands to determine logged-on users are:
• PsLoggedOn (Sysinternals)
• net session
• LogonSessions (Sysinternals)
Logged-on Users (cont'd)
PsLoggedOn Tool
• It shows the names of the users logged on locally as well as remotely (via resource shares)
• Syntax: psloggedon [-] [-l] [-x] [\\computername | username]
Logged-on Users (cont'd)
net session Command
• It lists the sessions established to the local server from remote clients: the user name, the client's computer name or IP address, the client type, the number of open files, and the idle time of each session
Logged-on Users (cont'd)
LogonSessions Tool
• It lists the active logon sessions with the authentication package used, the type of logon (interactive, network, service, and so on) and, with the -p switch, the processes running in each session
Open Files
Collect information about the files an intruder has opened over a remote (network) session
Tools and commands to list open files:
• net file command
• PsFile tool
• openfiles command
net file Command
The net file command displays the names of all files opened over a network share on the system, with the ID, user and lock count of each
The syntax of the net file command:
• net file [ID [/close]]
PsFile Tool
Use the PsFile tool to list or close files that are opened remotely
Syntax:
• psfile [\\RemoteComputer [-u Username [-p Password]]] [[Id | path] [-c]]
openfiles Command
Use the openfiles command to list or disconnect files and folders that are opened on a system (by default it lists files opened over shares; run openfiles /local on beforehand to track locally opened files as well)
Syntax of the openfiles command:
• OPENFILES /parameter [arguments]
Examples:
• OPENFILES /Query
• OPENFILES /Disconnect
• OPENFILES /Local
NetBIOS Name Table Cache
The NetBIOS name table cache maintains a list of the NetBIOS names recently resolved for other systems
It contains the remote systems' names and IP addresses
You can use the Windows built-in command line utility nbtstat to view the NetBIOS name table cache
Syntax of the nbtstat command is:
• nbtstat [[-a RemoteName] [-A IPAddress] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval]]
nbtstat with the -c switch shows the NetBIOS name table cache
Network Connections
Collect the details of the network connections from the affected system
It helps to find out:
• Whether an attacker is currently logged in over the network
• IRC bot communication
• Worms or bots logging into a command-and-control server
Netstat Tool
• netstat is a built-in tool for collecting information about network connections
• It provides a simple view of TCP and UDP connections and their state, and of network traffic statistics
Netstat with the -ano Switch
netstat -ano displays all TCP and UDP connections and listening ports in numerical form (no name resolution) together with the ID of the owning process (PID)
Netstat with the -r Switch
netstat -r displays the routing table, including the persistent routes configured on the system
Process Information
Investigate the processes running on a potentially compromised system
Task Manager gives a first view; most of the following details require command line tools
Search for:
• The full path to the executable image (.exe file)
• The command line used to launch the process, if any
• The amount of time that the process has been running
• The security/user context that the process is running in
• Which modules (DLLs) the process has loaded
• The memory contents of the process
Task Manager: Screenshot
Process Information (cont'd)
The tools and commands to collect the process information:
• Tlist tool
• tasklist command
• PsList
• ListDLLs
• Handle
Tlist Tool
Tlist is included as part of the Microsoft Debugging Tools
It displays a good deal of information about running processes, including the command line, working directory and loaded modules
Syntax of the tool:
• TLIST, TLIST -t, TLIST pid, TLIST -t pid, TLIST pattern, TLIST -t pattern
Tasklist Command
tasklist is a native utility included with Windows XP Professional and Windows Server 2003
It provides options for output formatting, with choices between table, CSV, and list formats (/FO TABLE|CSV|LIST)
Tasklist with the /v Switch
The /v (verbose) switch provides information about the listed processes, including the image name, PID, session name and number, memory usage, status, user name, CPU time and window title
PsList Tool
PsList displays basic information about running processes on a system
It can also show detailed information about the threads or memory used by a process:
• The -x switch displays details about the threads and memory used by each process
ListDLLs Tool
The ListDLLs tool shows the modules, or DLLs, that a process has loaded
• These DLLs are important as they provide the actual code that is executed; an unexpected DLL loaded into a trusted process is a classic sign of injection
Handle Tool
The Handle tool shows the various handles that processes have open on a system
It shows information about open files, ports, Registry keys, and threads
This information is useful to determine the resources a process accesses while it is running
Syntax:
• handle [[-a] [-u] | [-c <handle> [-y]] | [-s]] [-p <process name>|<pid>] [name]
Process-to-Port Mapping
Process-to-port mapping traces which process is using which port, and which protocol and remote IP each connection uses
The tools and commands to retrieve the process-to-port mapping:
• netstat command
• Fport tool
• Openports tool
Netstat Command
The netstat command with the -o switch displays the process ID of the process responsible for each network connection
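Process-to-port mapping from netstat -ano output, as an added example that is not part of the original module: the script parses the listing, maps each PID to the ports it has bound, and pulls out established sessions whose peer is outside the private address ranges (the Network Connections slides above ask exactly that question). The netstat text is constructed sample data; its PIDs, ports and addresses are illustrative, and 198.51.100.7 (a documentation address) stands in for an Internet host.

```python
import re

# Constructed sample of "netstat -ano" output, not captured from a real host.
# PIDs, ports and addresses are illustrative; 198.51.100.7 is a documentation
# address standing in for an Internet host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1820
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1054      198.51.100.7:6667      ESTABLISHED     1820
  TCP    192.168.1.10:1060      192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    1012
  UDP    127.0.0.1:1900         *:*                                    1244
"""

# One connection line: proto, local addr:port, foreign addr:port, optional
# state (UDP lines have none), PID. Bracketed IPv6 addresses also match.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def parse_netstat(text):
    """Turn netstat -ano text into a list of connection records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # banner, column headings, blank lines
            continue
        proto, laddr, lport, raddr, rport, state, pid = m.groups()
        records.append({"proto": proto, "local_addr": laddr,
                        "local_port": int(lport), "remote_addr": raddr,
                        "remote_port": rport, "state": state or "",
                        "pid": int(pid)})
    return records


def process_to_port(records):
    """Map each PID to the (proto, port) pairs it has bound: TCP sockets in
    LISTENING state and every UDP socket (netstat shows no state for UDP)."""
    mapping = {}
    for r in records:
        if r["proto"] == "UDP" or r["state"] == "LISTENING":
            mapping.setdefault(r["pid"], set()).add((r["proto"], r["local_port"]))
    return {pid: sorted(ports) for pid, ports in mapping.items()}


def is_private(addr):
    """RFC 1918 and loopback ranges, checked by prefix (IPv4 only)."""
    if addr.startswith(("10.", "127.", "192.168.")):
        return True
    if addr.startswith("172."):
        return 16 <= int(addr.split(".")[1]) <= 31
    return False


def external_connections(records):
    """Established TCP sessions with a peer outside the private ranges: the
    first place to look for bot command-and-control traffic or an attacker's
    interactive session. Each hit still has to be tied back to its PID."""
    return [r for r in records
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and not is_private(r["remote_addr"])]


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    for pid, ports in sorted(process_to_port(recs).items()):
        print(f"PID {pid:>5}: {ports}")
    for r in external_connections(recs):
        print(f"PID {r['pid']} -> {r['remote_addr']}:{r['remote_port']} ({r['state']})")
```

On a live system, save the real listing first (netstat -ano > netstat.txt) and feed it to parse_netstat; then resolve each interesting PID with tasklist /FI "PID eq 1820" or the Handle tool. In the sample, PID 1820 both listens on port 4444 and holds a session to a remote port 6667, the pairing that typically points at an IRC bot.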
Fport Tool
The Fport tool (Foundstone) obtains the process-to-port mapping
It needs to be run from an Administrator account to obtain the information
Openports Tool
The Openports tool obtains the process-to-port mapping and provides multiple output formats
It does not require an Administrator account
The -fport switch provides Fport-style output: the PID, the name of the process, and the port number
Network Status
Check the network status of the system to learn which interfaces are active, what IP addresses are in use, whether the system is connected to a wireless access point, and whether any interface is in promiscuous mode (sniffing)
Tools for network status detection are:
• ipconfig command
• PromiscDetect tool
• Promqry tool
Ipconfig Command
Use the /all switch of the ipconfig command to display the full network configuration of the NICs on the system (MAC addresses, IP addresses, DHCP and DNS servers)
PromiscDetect Tool
The PromiscDetect tool detects whether a NIC is in promiscuous mode, which indicates that a sniffer is running
Promqry Tool
The Promqry tool (Microsoft) can be run against local or remote systems to determine whether any of their active network interfaces are in promiscuous mode
Other Important Information
Clipboard Contents
• Use the pclip.exe utility to retrieve the contents of the clipboard
• It is a command line tool, so it can be included in the batch files and scripts that automate information collection
Service/Driver Information
• Check the installed services and device drivers for any malicious program installed as a service or driver
Command History
• Use the doskey /history command to see the commands previously typed in the current console session
Other Important Information (cont'd)
Mapped Drives
• Drives could be mapped with a malicious intent
• Drive mappings can be correlated with the network connection information collected earlier
Shares
• Get information about the shared resources
• Persistent shares are maintained in the Registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares
Collecting Non-volatile Information
Collect the non-volatile information from:
• Contents of Registry keys or files
• Event logs
• Index.dat files
Collect information such as the drives mapped to or from the system, the services started, or the applications installed
Examining File Systems
Run dir /o:d in the %SystemRoot%\System32 directory from a command prompt
Sorting by date enables the investigator to examine:
• The time and date of the installation of the operating system
• The service packs, patches, and sub-directories that are updated frequently
• For example: drivers
Give priority to recently dated files
Registry Settings
Use the reg.exe command line tool to query and manage the Registry
Some important Registry values that need to be noted down:
• ClearPageFileAtShutdown
• NtfsDisableLastAccessUpdate (DisableLastAccess)
• Autostart locations (AutoRuns)
Registry Settings (cont'd)
ClearPageFileAtShutdown:
• This Registry value (under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management) tells the operating system to clear the page file when the system is shut down
• With the default value of 0, the information within the page file remains on the hard drive after shutdown
• Bits of this information might provide important leads in the investigation
DisableLastAccess:
• Windows has the ability to disable updating of the last access times on files
• Updating is disabled when HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate is set to 1
• In Windows XP and 2003, the same setting can be queried or changed with fsutil behavior query|set disablelastaccess
Registry Settings (cont'd)
AutoRuns:
• Many areas of the Registry are referred to as autostart locations
• Applications registered there start when the system boots, when a user logs in, or when the user takes a specific action (such as launching a particular program)
• Collect this information with the help of the reg.exe tool or the Sysinternals AutoRuns tool
Microsoft Security ID
The Microsoft security identifiers (SIDs) of the user accounts that have profiles on the system are available in the Windows Registry
The process for accessing the IDs is:
• Go to Registry Editor and view:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
• Each subkey under the ProfileList key is named after a SID, and its ProfileImagePath value maps that SID to the user's profile directory
RockXP is a separate utility that reveals the Windows and MS Office CD keys stored on the system
Event Logs
The contents of the event logs depend on which events are being audited and how the logs are configured
Choose which data have to be collected depending on the incident that occurred
Use tools such as psloglist.exe and dumpevt.exe to retrieve the event records
Copy the .evt files (AppEvent.Evt, SecEvent.Evt and SysEvent.Evt in %SystemRoot%\System32\config) from the system
Index.dat File
The index.dat file is used by the Internet Explorer web browser as an active database, which stays open as long as the user is logged on to Windows
It is a repository of redundant information, such as visited web URLs, search queries, recently opened files, and form auto-complete information
Separate index.dat files exist for the Internet Explorer history, cache, and cookies
Index.dat File (cont'd)
Common index.dat file locations for Internet Explorer are shown in the table:
Operating System | File Path
Windows 95/98/Me | \Windows\Temporary Internet Files\Content.IE5
                 | \Windows\Cookies
                 | \Windows\History\History.IE5
Windows NT       | \Winnt\Profiles\<username>\Local Settings\Temporary Internet Files\Content.IE5
                 | \Winnt\Profiles\<username>\Cookies
                 | \Winnt\Profiles\<username>\Local Settings\History\History.IE5
Windows 2K/XP    | \Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5
                 | \Documents and Settings\<username>\Cookies
                 | \Documents and Settings\<username>\Local Settings\History\History.IE5
Text View of an Index.dat File
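A text view of index.dat only shows the URL strings; the record timestamps are binary. The following scanner is an added example (not part of the original module or of any vendor tool): it signature-scans a "Client UrlCache MMF Ver 5.2" file for "URL " records and recovers the URL, cached file name and the two FILETIMEs of each, which also surfaces records the browser has already dropped from its hash table. The record layout (block count at 0x04, FILETIMEs at 0x08 and 0x10, URL offset at 0x34, file name offset at 0x3C) is this editor's reading of the 5.2 format and should be checked against a known file; the index.dat bytes below are constructed sample data built by the same script.

```python
import struct
from datetime import datetime, timedelta, timezone

URL_SIG = b"URL "
BLOCK = 128            # index.dat allocates records in 128-byte blocks
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    """Inverse of filetime_to_dt; used only to build the constructed sample."""
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10


def cstring(data, off):
    """NUL-terminated string at off (index.dat stores URLs as 8-bit text)."""
    end = data.index(b"\x00", off)
    return data[off:end].decode("latin-1")


def scan_url_records(data):
    """Signature-scan for 'URL ' records instead of wal king the HASH table.
    Assumed layout of the 'Client UrlCache MMF Ver 5.2' format (offsets are
    relative to the record): block count at 0x04, last-modified FILETIME at
    0x08, last-accessed FILETIME at 0x10, URL offset at 0x34, file name offset
    at 0x3C. Scanning also finds records the hash table no longer references,
    i.e. entries deleted from the browser's view but not yet overwritten."""
    hits = []
    pos = data.find(URL_SIG)
    while pos != -1:
        nblocks, = struct.unpack_from("<I", data, pos + 4)
        if 0 < nblocks < 64 and pos + nblocks * BLOCK <= len(data):
            modified, accessed = struct.unpack_from("<QQ", data, pos + 8)
            url_off, = struct.unpack_from("<I", data, pos + 0x34)
            name_off, = struct.unpack_from("<I", data, pos + 0x3C)
            hits.append({
                "offset": pos,
                "url": cstring(data, pos + url_off),
                "file": cstring(data, pos + name_off) if name_off else "",
                "modified": filetime_to_dt(modified),
                "accessed": filetime_to_dt(accessed),
            })
            pos = data.find(URL_SIG, pos + nblocks * BLOCK)
        else:
            pos = data.find(URL_SIG, pos + 4)   # not a plausible record header
    return hits


def make_url_record(url, filename, modified, accessed):
    """Build one two-block URL record with the layout scan_url_records expects
    (sample data only)."""
    rec = bytearray(2 * BLOCK)
    rec[0:4] = URL_SIG
    struct.pack_into("<I", rec, 4, 2)
    struct.pack_into("<QQ", rec, 8, dt_to_filetime(modified), dt_to_filetime(accessed))
    url_off = 0x68                      # strings start after the fixed fields
    name_off = url_off + len(url) + 1
    struct.pack_into("<I", rec, 0x34, url_off)
    struct.pack_into("<I", rec, 0x3C, name_off if filename else 0)
    rec[url_off:url_off + len(url) + 1] = url.encode("latin-1") + b"\x00"
    if filename:
        rec[name_off:name_off + len(filename) + 1] = filename.encode("latin-1") + b"\x00"
    return bytes(rec)


# Constructed sample index.dat: a header block carrying the version string and
# two records, one in History form ("Visited: user@url") and one cache entry.
T_MOD = datetime(2008, 11, 12, 10, 29, 55, tzinfo=timezone.utc)
T_ACC = datetime(2008, 11, 12, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_INDEX = (
    b"Client UrlCache MMF Ver 5.2\x00".ljust(BLOCK, b"\x00")
    + make_url_record("Visited: alice@http://example.test/login", "", T_MOD, T_ACC)
    + make_url_record("http://example.test/report.pdf", "report[1].pdf", T_MOD, T_ACC)
)

if __name__ == "__main__":
    for h in scan_url_records(SAMPLE_INDEX):
        print(f"{h['offset']:#08x} {h['accessed'].isoformat()} {h['url']} {h['file']}")
```

Run it on a copied index.dat (the live file is locked while the user is logged on) with scan_url_records(open(path, "rb").read()); the History file's URL strings carry the "Visited: user@" prefix, the cache file's records name the file in the Content.IE5 subdirectories. All FILETIMEs are UTC, so they must be normalized against the system's time zone before being lined up with local-time sources.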
Devices and Other Information
Collect other types of non-volatile information, such as the hard drives installed in the system
Record the information for documentation purposes
Use the DevCon tool to document the devices that are attached to a Windows system
Check the available device classes and the status of the connected devices with the help of DevCon
DevCon Screenshot
The output of devcon resources =ports
DevCon Screenshot
The output of devcon listclass usb 1394
Slack Space
Slack space is the space between the end of a file and the end of the last disk cluster allocated to it
Almost every file leaves some slack, and larger cluster sizes leave more of it; the slack still holds whatever was written to those sectors before the current file was allocated
The data residue in the slack space is retrieved by reading the complete cluster
The DriveSpy tool collects all the slack space in an entire partition to a file
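How slack arises and how it is carved, as an added example that is not part of the original module: the script models a small volume with 512-byte sectors and 2 KiB clusters, writes a file over old data the way Windows does (zero-padding only the remainder of the last sector), and then reads the whole final cluster to recover the residue past the end of the file. The "partition" and its contents are constructed sample data, not a real disk image.

```python
SECTOR = 512
CLUSTER = 4 * SECTOR        # 2 KiB clusters, as on a small FAT/NTFS volume


def write_file(image, start_cluster, data):
    """Model the OS writing a file at start_cluster: the data is written, the
    remainder of the last *sector* is zero-padded (what Windows does), and
    the remaining sectors of the last cluster are left untouched."""
    start = start_cluster * CLUSTER
    end = start + len(data)
    image[start:end] = data
    sector_end = -(-end // SECTOR) * SECTOR      # round up to sector boundary
    image[end:sector_end] = b"\x00" * (sector_end - end)


def slack_range(start_cluster, file_size):
    """(offset, length) of the slack: from end of file to end of last cluster."""
    end = start_cluster * CLUSTER + file_size
    cluster_end = -(-end // CLUSTER) * CLUSTER
    return end, cluster_end - end


def carve_slack(image, start_cluster, file_size):
    """Read the whole final cluster and return only the bytes past EOF."""
    off, length = slack_range(start_cluster, file_size)
    return bytes(image[off:off + length])


def build_sample_image():
    """Constructed 16 KiB 'partition' (sample data, not a real disk image):
    an old e-mail fragment once filled clusters 2-3, then a 2300-byte report
    was allocated at cluster 2 on top of it."""
    image = bytearray(b"\xff" * (8 * CLUSTER))
    old = (b"Subject: wire transfer to account 4471\r\n" * 200)[:2 * CLUSTER]
    image[2 * CLUSTER:4 * CLUSTER] = old
    live = (b"Quarterly report draft\r\n" * 100)[:2300]
    write_file(image, 2, live)
    return image, 2, 2300


if __name__ == "__main__":
    image, start, size = build_sample_image()
    slack = carve_slack(image, start, size)
    print(f"slack: {len(slack)} bytes (first {SECTOR - size % SECTOR} are sector padding)")
    print(slack[:320])
```

The 2300-byte file ends 252 bytes into the second sector of its last cluster, so the first 260 bytes of slack are the zero padding of that sector and the remaining 1536 bytes (three untouched sectors) are the earlier e-mail. On a real image the start cluster and size come from the file system metadata (the directory entry or the MFT record), and the same carve applies to every file on the volume.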
Slack Space Information Collection
Connect to the target computer and select the media
Create a bit-level copy of the original media
Verify the copy by generating its hash value and comparing it with the hash of the original
Investigate using keyword searches, hash analysis, file signature analysis, and the EnScripts present in the EnCase tool
Virtual Memory
Virtual (or logical) memory is a concept that allows programs to use a large range of memory or storage addresses for stored data, backed by RAM and by the page file on disk
Virtual memory can be scanned to find hidden running processes
Various examples of tools:
• System Scanner
• X-Ways Forensics
Figure: memory hierarchy (CPU cache, RAM, virtual memory, disk storage)
Tool: DriveSpy
DriveSpy accesses physical drives and records all its activities to a log file
It collects all the slack space in an entire partition to a file
It can also wipe an entire drive, an individual partition, unallocated space, or slack space
Swap File
A swap file is a space on a hard disk used as the virtual memory extension of a computer's RAM
Swap files can contain fragments of:
• Files opened and their contents
• Websites visited
• Online chats
• Emails sent and received
On Windows, the swap file is a hidden file in the root directory called pagefile.sys
The Registry key that configures the swap file (the PagingFiles value) is:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Windows Search Index
The Windows Search index maintains a record of documents and applications on the PC, and of the contents found within those items
It also indexes email messages, calendar events, contacts, and media files stored on the PC
Windows Search indexes the contents of each user's "Documents" and "Favorites" folders
Tool: Search Index Examiner
Passware Search Index Examiner makes all the data indexed by Windows Search accessible
This search index data can be used as evidence
Passware Search Index Examiner lists:
• Documents
• Emails
• Spreadsheets
• Creation and modification dates
• Author
• Recipients
• Summary content
It needs only the Windows Search database from the target computer
Collecting Hidden Partition Information
A hidden partition is a logical section of a disk that is not mounted and has no drive letter, so it is not visible through the operating system's normal file system interfaces
A hidden partition may contain files, folders, or confidential data, or store a backup of the system
Tools like Partition Logic help to collect information from hidden partitions
Partition Logic can create, delete, erase, format, defragment, resize, copy, and move partitions
Partition Logic: Screenshot
Hidden ADS Streams
An alternate data stream (ADS) is an NTFS feature that lets a file carry additional named streams of data beyond its main (unnamed) stream; the file size shown by dir and Explorer covers only the main stream
A user can hide data in alternate data streams
An ADS can be created by typing notepad visible.txt:hidden.txt at the command prompt
Data can be copied into an ADS with the command type atextfile > visible.txt:hidden2.txt
Use the command more < visible.txt:hidden2.txt > newfile.txt to copy the ADS contents into a new file
Investigating ADS Streams
ADS detection tools (for example LADS or Sysinternals Streams) can detect the presence of hidden NTFS streams on the target system; on Windows Vista and later, dir /R lists them as well
Windows Memory Analysis
Analyze memory to check for the presence of malware: packed or encrypted malware has to be decrypted in memory before it can run
If the malware was allowed to execute, it exists in memory in a decrypted state even though the file on disk is obfuscated
Analyzing the contents of RAM helps to find what has been hidden from the live system (for example, unlinked processes)
Importance of Memory Dump
A memory dump is a raw copy of the contents of memory, written out without any formatting or interpretation
It is used to diagnose bugs
It helps in analyzing the memory contents at the time of a program failure
Memory dumps are viewed in binary, octal, or hexadecimal form
A crash dump file can be validated with dumpchk.exe (Microsoft Debugging Tools)
EProcess Structure
Each process on a Windows system is represented by an executive process (EPROCESS) block
The EPROCESS block is a data structure that contains attributes of the process, as well as pointers to other attributes and data structures
EPROCESS contents can be viewed with the help of the Microsoft Debugging Tools and LiveKD.exe
The debugger command dt -a -b -v _EPROCESS displays all the fields of the EPROCESS block and their offsets, which differ between Windows versions and service packs
EProcess Structure (cont'd)
Elements of the EPROCESS structure that are important to a forensic investigation:
• A PEB_LDR_DATA structure (reached through the PEB) that includes pointers or references to the DLLs used by the process
• A pointer to the image base address, where the beginning of the executable image file can be found
• A pointer to the process parameters structure, which maintains the DLL path, the path to the executable image, and the command line used to launch the process
Process Creation Mechanism
Steps for process creation:
• The image (.exe) file to be executed is opened
• The EPROCESS object is created
• The initial thread is created
• The Windows subsystem is notified of the creation of the new process and thread, along with the ID of the process creator and a flag
• Execution of the initial thread starts
• Initialization of the address space is completed in the context of the new process
Parsing Memory Contents
Lsproc.pl:
• List Processes (lsproc.pl) locates process blocks in a RAM dump
• It takes the path and name of the RAM dump file
• Ex: C:\perl\memory>lsproc.pl d:\dumps\dfrws1-mem.dmp
• Output is shown in six columns: Proc, PPID, PID, name of the process, offset of the process block in the dump, and creation time
Figure: Output of lsproc.pl
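What lsproc.pl does under the hood, as an added example in Python (not Harlan Carvey's script and not part of the original module): scan a raw memory image for the bytes that open an EPROCESS block, read the PID, parent PID, image name and creation time at fixed offsets, and keep the candidates that pass sanity checks. The offsets table is an assumption for illustration (it is what this editor recalls lsproc using for Windows 2000); on a real case they must be read from the matching kernel with dt _EPROCESS, because every version and service pack moves them. The 64 KiB "memory image" is constructed by the script itself.

```python
import struct
from datetime import datetime, timedelta, timezone

# Field offsets within the EPROCESS block. They are NOT universal: every
# Windows version and service pack moves them, so take them from the
# matching kernel with "dt _EPROCESS" in the Debugging Tools. The table
# below is an assumed, illustrative layout used to build and parse the
# constructed dump (this editor's recollection of the Windows 2000 values
# lsproc.pl used); verify before use on real evidence.
LAYOUT = {
    "size": 0x258,                            # bytes per block in the sample
    "header": (0x00, b"\x03\x00\x1b\x00"),   # DISPATCHER_HEADER Type=3, Size=0x1b
    "create_time": 0x88,                      # FILETIME
    "pid": 0x9C,                              # UniqueProcessId
    "ppid": 0x1C8,                            # InheritedFromUniqueProcessId
    "image_name": 0x1FC,                      # 16-byte ImageFileName
}
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10


def scan_eprocess(dump, layout=LAYOUT):
    """lsproc-style scan: look for the DISPATCHER_HEADER bytes that open an
    EPROCESS block at every 8-byte aligned position, read the fields at the
    layout's offsets, and keep candidates that pass sanity checks. Because
    this does not follow the kernel's ActiveProcessLinks list, it also finds
    processes a rootkit has unlinked (DKOM) and exited processes whose
    blocks have not yet been overwritten."""
    hdr_off, sig = layout["header"]
    found = []
    pos = dump.find(sig)
    while pos != -1:
        base = pos - hdr_off
        if base >= 0 and base % 8 == 0 and base + layout["size"] <= len(dump):
            pid, = struct.unpack_from("<I", dump, base + layout["pid"])
            ppid, = struct.unpack_from("<I", dump, base + layout["ppid"])
            created, = struct.unpack_from("<Q", dump, base + layout["create_time"])
            raw = dump[base + layout["image_name"]: base + layout["image_name"] + 16]
            name = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
            if pid < 65536 and ppid < 65536 and name and name.isprintable():
                found.append({"offset": base, "pid": pid, "ppid": ppid,
                              "name": name, "created": filetime_to_dt(created)})
        pos = dump.find(sig, pos + 1)
    return found


def make_eprocess(pid, ppid, name, created, layout=LAYOUT):
    """Fabricate one block with the fields scan_eprocess reads (sample data)."""
    blk = bytearray(layout["size"])
    hdr_off, sig = layout["header"]
    blk[hdr_off:hdr_off + len(sig)] = sig
    struct.pack_into("<Q", blk, layout["create_time"], dt_to_filetime(created))
    struct.pack_into("<I", blk, layout["pid"], pid)
    struct.pack_into("<I", blk, layout["ppid"], ppid)
    blk[layout["image_name"]:layout["image_name"] + 16] = name.encode("ascii")[:15].ljust(16, b"\x00")
    return bytes(blk)


def build_sample_dump():
    """Constructed 64 KiB 'physical memory' image with three process blocks
    and one decoy that carries the header bytes but garbage fields."""
    t0 = datetime(2008, 11, 12, 9, 0, 0, tzinfo=timezone.utc)
    dump = bytearray(0x10000)
    for off, (pid, ppid, name, secs) in {
        0x2000: (8, 0, "System", 0),
        0x4000: (216, 8, "services.exe", 12),
        0x8000: (1820, 216, "svchost.exe", 3540),
    }.items():
        blk = make_eprocess(pid, ppid, name, t0 + timedelta(seconds=secs))
        dump[off:off + len(blk)] = blk
    dump[0x1000:0x1004] = LAYOUT["header"][1]                   # decoy header
    struct.pack_into("<I", dump, 0x1000 + LAYOUT["pid"], 0xFFFFFFFF)
    return bytes(dump)


def orphans(procs):
    """Processes whose parent is not among those found (parent exited or
    hidden); lsproc leaves this correlation to the analyst."""
    pids = {p["pid"] for p in procs}
    return [p for p in procs if p["ppid"] not in pids and p["ppid"] != 0]


if __name__ == "__main__":
    procs = scan_eprocess(build_sample_dump())
    print("Offset     PPID   PID  Created              Name")
    for p in procs:
        print(f"{p['offset']:#010x} {p['ppid']:5d} {p['pid']:5d} "
              f"{p['created']:%Y-%m-%d %H:%M:%S}  {p['name']}")
```

The decoy at 0x1000 shows why the sanity checks matter: the header bytes alone recur in ordinary data, and a scanner that trusts them reports garbage processes. The offset of each hit is what lspd.pl, lspm.pl and lspi.pl take as their second argument.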
Parsing Memory Contents (cont'd)
Lspd.pl:
• lspd.pl is a Perl script that lists the details of a process
• It takes two arguments:
• The path and name of the dump file
• The offset of the process block, taken from the lsproc.pl output
• Ex: C:\perl\memory>lspd.pl d:\dumps\dfrws1-mem.dmp 0x0414dd60
Parsing Process Memory
Use strings.exe or grep to search through the contents of a RAM dump
lspm.pl takes the following arguments:
• Name and path of the dump file
• Physical offset within the file of the process structure
It extracts the available pages of that process from the dump file and writes them to a file in the current working directory
Example: C:\perl\memory>lspm.pl d:\dumps\dfrws1-mem.dmp 0x0414dd60
Extracting the Process Image
lspi.pl is a Perl script that takes the same arguments as lspd.pl and lspm.pl
It locates the beginning of the executable image for the process
It parses the values contained in the PE header to locate the pages that make up the rest of the executable image file
Example: C:\perl\memory>lspi.pl d:\dumps\dfrws1-mem.dmp 0x0414dd60
A file extracted from the memory dump will not be exactly the same as the original, since some of the file's sections are writable and have been modified in memory; its hash will therefore not match the hash of the original binary
Collecting Process Memory
Collect the contents of process memory from a RAM dump file or, on a live system, with the following tools:
The pmdump.exe tool dumps the contents of a process's memory without stopping the process
Process Dumper (pd.exe) dumps the entire process space, along with additional metadata and the process environment, to the console
Process Dumper's output can be redirected to a file or a socket
Userdump.exe is another tool that dumps any process on the fly, without attaching a debugger and without terminating the process
Inside the Registry
An Administrator interacts with the Registry through intermediate programs
Graphical user interface (GUI) Registry editors such as Regedit.exe or Regedt32.exe are the commonly used intermediate programs
There are five root keys shown in the Registry Editor:
• HKEY_USERS
• HKEY_CURRENT_USER
• HKEY_LOCAL_MACHINE
• HKEY_CURRENT_CONFIG
• HKEY_CLASSES_ROOT
Registry Editor: Screenshot
Figure: Registry Editor view showing the five root keys
Inside the Registry (cont'd)
HKEY_USERS contains all the actively loaded user profiles for the system
HKEY_CURRENT_USER is a link to the active, loaded user profile of the currently logged-on user (within HKEY_USERS)
HKEY_LOCAL_MACHINE contains a vast array of configuration information for the system, including hardware settings and software settings
HKEY_CURRENT_CONFIG contains the hardware profile information used during startup (a link into HKEY_LOCAL_MACHINE\SYSTEM)
HKEY_CLASSES_ROOT contains configuration information relating to which application is used to open the various file types on the system
Registry Structure within a Hive File
The various components of the Registry, called 'cells', each have a specific structure and contain specific information
The various types of cells and the information contained in each:
Key cell | Contains Registry key information and includes offsets to other cells as well as the LastWrite time for the key
Value cell | Holds a value and its data
Subkey list cell | Made up of a series of indexes pointing to key cells
Value list cell | Made up of a series of indexes pointing to value cells
Security descriptor cell | Contains security descriptor information for a key cell
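The cell structure described above can be walked directly, without going through subkey lists, which is how deleted keys are recovered from a hive file. The following is an added example (not part of the original module, not ProDiscover's or any other tool's code): it walks the cells of each hbin, picks out the key ('nk') cells, and reports each key's name, LastWrite time and counts. The offsets used (hbin header of 0x20 bytes with the bin size at 0x08; nk body with flags at 0x02, LastWrite at 0x04, subkey count at 0x14, value count at 0x24, name length at 0x48 and the name at 0x4C) follow the regf format as this editor knows it; the hive bytes are constructed sample data assembled by the same script.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK = 0x1000       # the 4 KiB 'regf' header that precedes the first hbin
HBIN_HDR = 0x20
KEY_COMP_NAME = 0x20      # nk flag: name stored as 8-bit text, not UTF-16
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10


def walk_key_cells(hive, include_free=False):
    """Yield every key ('nk') cell by walking the cells of each hbin in turn.
    Cell = signed 32-bit size (negative when allocated) + body. Key node body:
    'nk' at 0, flags at 2, LastWrite FILETIME at 4, subkey count at 0x14,
    value count at 0x24, name length at 0x48, name at 0x4C. Walking the cells
    instead of the subkey lists also reaches keys no parent links to and, with
    include_free=True, deleted keys whose cells have not been reused."""
    pos = BASE_BLOCK
    while pos + HBIN_HDR <= len(hive) and hive[pos:pos + 4] == b"hbin":
        bin_size, = struct.unpack_from("<I", hive, pos + 8)
        cell = pos + HBIN_HDR
        while cell + 4 <= pos + bin_size:
            size, = struct.unpack_from("<i", hive, cell)
            if size == 0:
                break                                   # rest of the bin is unused
            body = cell + 4
            if (size < 0 or include_free) and hive[body:body + 2] == b"nk":
                flags, = struct.unpack_from("<H", hive, body + 2)
                lastwrite, = struct.unpack_from("<Q", hive, body + 4)
                nsub, = struct.unpack_from("<I", hive, body + 0x14)
                nval, = struct.unpack_from("<I", hive, body + 0x24)
                name_len, = struct.unpack_from("<H", hive, body + 0x48)
                raw = bytes(hive[body + 0x4C: body + 0x4C + name_len])
                name = raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le")
                yield {"offset": cell, "name": name, "allocated": size < 0,
                       "last_write": filetime_to_dt(lastwrite),
                       "subkeys": nsub, "values": nval}
            cell += abs(size)
        pos += bin_size


def make_nk_cell(name, last_write, nsub=0, nval=0, allocated=True, flags=KEY_COMP_NAME):
    """Build one key cell (8-byte aligned) for the constructed hive."""
    body = bytearray(0x4C)
    body[0:2] = b"nk"
    struct.pack_into("<H", body, 2, flags)
    struct.pack_into("<Q", body, 4, dt_to_filetime(last_write))
    struct.pack_into("<I", body, 0x14, nsub)
    struct.pack_into("<I", body, 0x24, nval)
    struct.pack_into("<H", body, 0x48, len(name))
    body += name.encode("latin-1")
    total = 4 + len(body)
    total += (-total) % 8
    size = -total if allocated else total
    return struct.pack("<i", size) + bytes(body).ljust(total - 4, b"\x00")


def build_sample_hive():
    """Constructed minimal hive: regf base block, one hbin holding a root key,
    a Run key with two values, and a deleted (free) key named Evil."""
    t = datetime(2008, 11, 12, 8, 15, 0, tzinfo=timezone.utc)
    cells = (make_nk_cell("ROOT", t - timedelta(days=30), nsub=1, flags=0x2C)
             + make_nk_cell("Run", t, nval=2)
             + make_nk_cell("Evil", t - timedelta(hours=1), nval=1, allocated=False))
    hbin = (b"hbin" + struct.pack("<II", 0, 0x1000)).ljust(HBIN_HDR, b"\x00") + cells
    base = b"regf".ljust(BASE_BLOCK, b"\x00")
    return base + hbin.ljust(0x1000, b"\x00")


if __name__ == "__main__":
    for k in walk_key_cells(build_sample_hive(), include_free=True):
        state = "" if k["allocated"] else " (deleted)"
        print(f"{k['offset']:#08x} {k['last_write']:%Y-%m-%d %H:%M:%S} "
              f"{k['name']}{state} values={k['values']}")
```

LastWrite is a UTC FILETIME and is the only timestamp a key carries (values have none), which is why a recent LastWrite on an autostart key is worth more than the key's contents alone. Run the walker over hive files copied from the image (SYSTEM, SOFTWARE, SAM, SECURITY in System32\config, NTUSER.DAT in each profile); a live Registry cannot be read this way.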
Registry Analysis
During live response you can retrieve and analyze much of the information in the Registry; the complete data, including the hive files themselves, is available during post-mortem investigation
The ProDiscover tool is used to access the Registry during post-mortem analysis
Steps to obtain the information using ProDiscover:
• Load the case into ProDiscover
• Right-click the Windows directory in Content View
• Choose Add to Registry Viewer
• ProDiscover locates the hive files and displays them in the Registry Viewer
System Information
CurrentControlSet is not stored in the SYSTEM hive; it is a symbolic link that the operating system creates at boot to the control set actually in use (the Select key records which one is current)
The SYSTEM hive stores information such as the name of the computer, while the version of the operating system and the Service Pack level are in the SOFTWARE hive under Microsoft\Windows NT\CurrentVersion
There are typically two control sets:
• ControlSet001
• ControlSet002
Find the computer name in the ComputerName value of the following key:
• SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName (ActiveComputerName is the volatile copy in use on a live system)
Find the time when the system was last shut down in the ShutdownTime value (a 64-bit FILETIME) of the following key:
• SYSTEM\ControlSet00x\Control\Windows
Time Zone Information
Find the time zone settings in the following key:
• SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Use the ActiveTimeBias value (a DWORD, in minutes) to translate or normalize times from other sources on the system: UTC = local time + ActiveTimeBias, so a bias of 300 means the system was running at UTC-5
Registry LastWrite times and FILETIME values are already UTC; the bias is needed for sources that record or display local time, such as many application logs and the times shown in Event Viewer
Shares
Windows 2000, XP, 2003 and Vista systems create hidden administrative shares (C$, ADMIN$, IPC$) automatically; these are not recorded in the Shares key
Shares created by a user, for example with the net share command, are recorded in the HKEY_LOCAL_MACHINE hive
The path for user-created shares is:
• SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
Each value is named after the share and its REG_MULTI_SZ data records the shared path, type and permissions, so an unexpected entry here is a quick indicator of data staging or lateral movement
Audit Policy
A system's audit policy is maintained in the SECURITY hive, in the default value of the Policy\PolAdtEv key
The value is of type REG_NONE and contains binary data
The first 4 bytes (a DWORD) record whether auditing is enabled at all: 0 means auditing is off, 1 means it is on
The DWORDs that follow hold the setting for each audit category (system events, logon events, object access and so on); each category DWORD has one of these values:
• 00: no auditing for the category
• 01: success events are audited
• 02: failure events are audited
• 03: both success and failure events are audited
If the first DWORD is 0, the Security event log will contain no audit records regardless of the per-category settings, which is itself worth noting in the report
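The layout above is easy to misread by hand, so here is a decoder for the PolAdtEv value, added as an example for this module (it is not code from the module or from any tool it names). The enable flag and the 0..3 category codes follow the description above; the category order used here is an assumption, taken from the LSA POLICY_AUDIT_EVENT_TYPE enumeration, and the sample value is constructed, so verify the ordering against a system with a known policy before relying on it.

```python
import struct

# Audit categories in the order of the POLICY_AUDIT_EVENT_TYPE enumeration
# (assumption: the per-category DWORDs that follow the enable flag in the
# XP/2003 PolAdtEv value appear in this order; verify against a known system)
AUDIT_CATEGORIES = [
    "System",
    "Logon",
    "Object Access",
    "Privilege Use",
    "Process Tracking",
    "Policy Change",
    "Account Management",
    "Directory Service Access",
    "Account Logon",
]

# Meaning of the low two bits of each category DWORD (from the module text)
AUDIT_STATUS = {0: "none", 1: "success", 2: "failure", 3: "success+failure"}


def parse_poladtev(data: bytes) -> dict:
    """Decode the binary default value of SECURITY\\Policy\\PolAdtEv."""
    needed = 4 + 4 * len(AUDIT_CATEGORIES)
    if len(data) < needed:
        raise ValueError(f"PolAdtEv data too short: {len(data)} < {needed}")
    # First DWORD: 0 = auditing disabled, 1 = enabled
    enabled = struct.unpack_from("<I", data, 0)[0] == 1
    categories = {}
    for index, name in enumerate(AUDIT_CATEGORIES):
        flags = struct.unpack_from("<I", data, 4 + 4 * index)[0]
        categories[name] = AUDIT_STATUS.get(flags & 0x3, "unknown")
    return {"auditing_enabled": enabled, "categories": categories}


def failure_audit_gaps(parsed: dict) -> list:
    """Categories in which failed attempts are never logged (where an attacker's misses vanish)."""
    if not parsed["auditing_enabled"]:
        return list(AUDIT_CATEGORIES)          # nothing is audited at all
    return [name for name, status in parsed["categories"].items()
            if status in ("none", "success")]


# Constructed sample of an XP-style 0x58-byte value: auditing on; system, logon,
# policy change, account management and account logon audited for success and
# failure; object access, privilege use and DS access not audited; process
# tracking success only.
SAMPLE_POLADTEV = (
    struct.pack("<I", 1)
    + struct.pack("<9I", 3, 3, 0, 0, 1, 3, 3, 0, 3)
    + b"\x00" * (0x58 - 40)
)

if __name__ == "__main__":
    parsed = parse_poladtev(SAMPLE_POLADTEV)
    print("auditing enabled:", parsed["auditing_enabled"])
    for name, status in parsed["categories"].items():
        print(f"  {name:26s} {status}")
    print("no failure auditing for:", failure_audit_gaps(parsed))
```

Run it against the raw value exported from the SECURITY hive of the image; the gap list is the first thing to check before spending time searching the Security log for events the policy never produced.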
Wireless SSIDs
Windows XP maintains a list of the Service Set IDentifiers (SSIDs) of the wireless networks it has connected to
This list is maintained in the following key of the SOFTWARE hive:
• SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID}
Below this key there is a value named ActiveSettings and further values named Static#000x, all holding binary data
The SSIDs of any wireless access points that have been accessed are included within this binary data
Offset 0x10 is a DWORD that contains the length of the SSID, and the SSID itself follows immediately after it
This key belongs to the XP Wireless Zero Configuration service; Vista and later keep wireless profiles as XML files in the Wlansvc data directory instead, so do not expect it on newer systems
Autostart Locations
Autostart locations allow applications to be launched without the user's interaction
On a live Windows XP system, the msconfig command launches the System Configuration utility, whose Startup tab lists a subset of the autostart entries
Path to the autostart option:
• Start > Run > type msconfig > press Enter
msconfig shows only the Run keys and the Startup folders; the other locations listed later in this module (Winlogon values, services, shell handlers) must be checked separately
Autostart Locations: Screenshot
System Boot
Malware can be launched from the autostart locations of the Registry when the system boots, even without user intervention
• Example: a Windows service registered under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
The 'Current' ControlSet:
• Services present in the current ControlSet are scanned during startup and, if their Start value is 2 (automatic), launched without user interaction
• During intrusion analysis, use ProDiscover (or the Current value of the SYSTEM\Select key) to locate the ControlSet marked as current
• Sort the subkeys of the Services key by their LastWrite times
• A service key whose LastWrite time falls outside the periods when the administrator installed legitimate software, or that clusters with other suspicious activity, is a candidate for closer inspection; it is an indicator of a possible intrusion, not proof of one
User Login
When a user logs into a system, certain Registry keys are accessed and parsed so that the applications listed in them can be run
These keys are:
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
These Run keys are ignored if the system is started in Safe Mode
In a post-mortem image the HKEY_CURRENT_USER entries are found in each user's NTUSER.DAT, so check every profile on the system, not only the one that was logged on
User Activity
Some autostart Registry locations are accessed whenever the user starts any program
Look for malware in these locations:
• HKEY_LOCAL_MACHINE\Software\Classes\Exefile\Shell\Open\command
• HKEY_CLASSES_ROOT\Exefile\Shell\Open\command
The default value of these keys should be "%1" %*; anything else means every executable the user launches is first routed through another program
The Taskman value of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon allows an application to be substituted for the Task Manager, which is launched on Ctrl+Shift+Esc
Enumerating Autostart Registry
Locations
Use the Sysinternals Autoruns tool to retrieve information from a large number of autostart locations on a live system
It retrieves entries from the Registry keys and file-system locations it knows about and displays the result by category (Logon, Services, Drivers, Explorer, Winlogon and so on)
For each entry it reads the description and publisher from the executable file pointed to by the Registry value, which is listed in the Image Path column; entries with no publisher, an unsigned binary, or a path in a temporary or user-writable directory deserve a closer look
The command-line version, autorunsc, writes the same information to a file and is the form to use during live response
USB Removable Storage Devices
Footprints, or artifacts, are created in the Registry when a USB device is connected to a Windows system
The Plug and Play (PnP) Manager queries the device descriptor in the device's firmware for information about the device
When a device is identified, a Registry key is created beneath this key:
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR
The subkey beneath this key looks like:
• Disk&Ven_###&Prod_###&Rev_###
This subkey identifies a specific class of device; the fields represented by ### are filled in by the PnP Manager from the vendor, product and revision strings in the device descriptor
USB Removable Storage Devices (cont'd)
Beneath the device class key is a subkey whose name is the unique instance ID of the device: if the device reports a serial number in its descriptor (the iSerialNumber field), that serial number is used, much as a MAC address identifies a network interface card; if it does not, the PnP Manager generates an ID whose second character is '&'
The ParentIdPrefix value in the unique instance ID key does not record a time; it is the link that lets you correlate this device with other Registry data (MountedDevices in particular), and that correlation is what matters for the investigation
The last time the device was connected is indicated by the LastWrite time of the device's subkey under the disk device class; navigate to the following key to find the specific device classes:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses
Mounted Devices
The MountedDevices key stores information about the devices and volumes that have been mounted, keyed by drive letter (\DosDevices\E:) and by volume GUID (\??\Volume{GUID})
The complete path to the key:
• HKEY_LOCAL_MACHINE\System\MountedDevices
Use the ParentIdPrefix value found in the unique instance ID key under USBSTOR to map the entry from USBSTOR to MountedDevices: the binary data of a removable volume's entry contains the ParentIdPrefix string in UTF-16LE, which tells you which drive letter the device was assigned
Finding Users
Information about users is maintained in the Registry in the SAM hive
The sam.h header file is helpful for deciphering the structures and revealing the information
The user's account information is maintained in the F value located at the following path, where {RID} is the user's relative identifier in hexadecimal (for example 000001F4 for the built-in Administrator):
• SAM\SAM\Domains\Account\Users\{RID}
Time and date stamps within the F value are 64-bit FILETIME objects, in UTC:
• Bytes 8–15 represent the last login date for the account
• Bytes 24–31 represent the date the password was last reset
• Bytes 32–39 represent the account expiration date (0x7FFFFFFFFFFFFFFF means the account never expires)
• Bytes 40–47 represent the date of the last failed login attempt
A zero FILETIME in any of these fields means the event has never occurred
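The F value offsets above, the ShutdownTime value from the System Information slide and the ActiveTimeBias normalization from the Time Zone slide all reduce to the same FILETIME handling, so one example covers them. This is added code, not part of the module: the offsets and the "never expires" sentinel come from the text; the 80-byte F value and the bias of 300 minutes (UTC-5) are constructed sample data.

```python
import struct
from datetime import datetime, timedelta

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1)
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF


def filetime_to_utc(ft: int):
    """Return a naive UTC datetime, or None when the field is unset (0) or 'never'."""
    if ft == 0 or ft == NEVER_EXPIRES:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_utc; used here only to build the constructed sample."""
    td = dt - _FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10


def utc_to_local(dt, active_time_bias_minutes: int):
    """Apply TimeZoneInformation\\ActiveTimeBias: UTC = local + bias, so local = UTC - bias."""
    if dt is None:
        return None
    return dt - timedelta(minutes=active_time_bias_minutes)


# Byte offsets of the FILETIME fields inside the SAM F value (from the module text)
F_VALUE_FIELDS = {
    "last_login": 8,
    "password_last_reset": 24,
    "account_expires": 32,
    "last_failed_login": 40,
}


def parse_f_value(f_data: bytes) -> dict:
    """Extract the four timestamps from SAM\\SAM\\Domains\\Account\\Users\\{RID}\\F."""
    if len(f_data) < 48:
        raise ValueError("F value too short")
    return {name: filetime_to_utc(struct.unpack_from("<Q", f_data, off)[0])
            for name, off in F_VALUE_FIELDS.items()}


def parse_shutdown_time(data: bytes):
    """SYSTEM\\ControlSet00x\\Control\\Windows\\ShutdownTime is an 8-byte REG_BINARY FILETIME."""
    return filetime_to_utc(struct.unpack("<Q", data[:8])[0])


def account_timeline(f_data: bytes, active_time_bias_minutes: int) -> dict:
    """Each timestamp as (UTC, local wall-clock time the system itself would have shown)."""
    return {name: (ts, utc_to_local(ts, active_time_bias_minutes))
            for name, ts in parse_f_value(f_data).items()}


def build_sample_f_value() -> bytes:
    """Constructed 80-byte F value: only the FILETIME fields are populated."""
    buf = bytearray(80)
    struct.pack_into("<Q", buf, 8, utc_to_filetime(datetime(2008, 11, 12, 14, 30)))  # last login
    struct.pack_into("<Q", buf, 24, utc_to_filetime(datetime(2008, 9, 1, 8, 0)))     # password reset
    struct.pack_into("<Q", buf, 32, NEVER_EXPIRES)                                    # never expires
    struct.pack_into("<Q", buf, 40, 0)                                                # no failed login
    return bytes(buf)


if __name__ == "__main__":
    # ActiveTimeBias 300 = UTC-5 (US Eastern standard time)
    for name, (utc_ts, local_ts) in account_timeline(build_sample_f_value(), 300).items():
        print(f"{name:22s} UTC={utc_ts}  local={local_ts}")
```

Keep both columns in the report: the UTC value is what you correlate with other systems, the local value is what matches the wall clock a witness or a local log would have seen.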
Tracking User Activity
Registry keys that track a user's activities are found in that user's NTUSER.DAT file, which is loaded as the HKEY_CURRENT_USER hive when the user logs on
When a user performs a particular action, the relevant Registry key's LastWrite time is updated
These keys track the user's activity and add or modify timestamp information associated with the Registry values
The majority of the user's activities are therefore recorded in the HKEY_CURRENT_USER hive, which is why each profile's NTUSER.DAT must be examined separately
The UserAssist Keys
For more information, check the user's NTUSER.DAT file at:
• Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
Value names beneath this key are ROT-13 obfuscated (not encrypted: there is no key)
ROT-13 is a Caesar cipher in which each letter is replaced with the letter 13 places further along in the alphabet; applying it a second time restores the original
Use the Perl script uAssist.pl (or the ROT-13 feature of any Registry viewer) to decode the value names
Decoded value names begin with UEME_, followed by RUNPATH, RUNPIDL or RUNCPL
The UserAssist Keys (cont’d)
RUNPATH
• Refers to an absolute path within the file system; recorded when you double-click an icon for an executable in Windows Explorer or type the name of the application in the Start | Run box
RUNCPL
• Refers to launching a Control Panel applet
RUNPIDL
• A PIDL, or pointer to an ID list, is part of the internal Explorer namespace and is used to refer to an object
• In the case of the UserAssist keys these are most often shortcuts or LNK files, as when you choose Start | Documents and select a file
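A decoder for the UserAssist Count values, added here as an example and not part of the module or of the uAssist.pl script it mentions. The ROT-13 names and the UEME_ prefixes are from the text; the 16-byte data layout (DWORD session, DWORD counter, 8-byte FILETIME of the last run) and the counter starting at 5 are assumptions from Windows XP observations, and the sample values are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta

_FILETIME_EPOCH = datetime(1601, 1, 1)
XP_COUNT_BASE = 5   # assumption: on XP the run counter starts at 5, not 0


def filetime_to_utc(ft: int):
    return None if ft == 0 else _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_value_name(name: str) -> str:
    """Undo the ROT-13 obfuscation of a UserAssist value name (a second ROT-13 restores it)."""
    return codecs.decode(name, "rot_13")


def classify(decoded_name: str) -> str:
    for tag in ("UEME_RUNPATH", "UEME_RUNPIDL", "UEME_RUNCPL"):
        if decoded_name.startswith(tag):
            return tag
    return "OTHER"


def parse_count_data(data: bytes) -> dict:
    """XP layout (assumption): DWORD session, DWORD count, 8-byte FILETIME of the last run."""
    if len(data) != 16:
        raise ValueError(f"unexpected UserAssist data length {len(data)}")
    session, count, ft = struct.unpack("<IIQ", data)
    runs = count - XP_COUNT_BASE if count >= XP_COUNT_BASE else count
    return {"session": session, "run_count": runs, "last_run": filetime_to_utc(ft)}


def parse_userassist(values: dict) -> list:
    """values: {rot13_name: 16-byte data} from the Count key; entries most recently run first."""
    entries = []
    for name, data in values.items():
        decoded = decode_value_name(name)
        if not decoded.startswith("UEME_"):
            continue
        item = {"name": decoded, "type": classify(decoded)}
        item.update(parse_count_data(data))
        entries.append(item)
    entries.sort(key=lambda e: e["last_run"] or _FILETIME_EPOCH, reverse=True)
    return entries


def _ft(dt: datetime) -> int:
    """Build a FILETIME for the constructed sample data."""
    td = dt - _FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10


# Constructed sample: value names as they appear in the hive (already ROT-13)
SAMPLE_USERASSIST = {
    "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pzq.rkr":
        struct.pack("<IIQ", 1, 12, _ft(datetime(2008, 11, 12, 10, 15))),
    codecs.encode("UEME_RUNPATH:D:\\tools\\pwdump.exe", "rot_13"):
        struct.pack("<IIQ", 1, 6, _ft(datetime(2008, 11, 12, 10, 17))),
    codecs.encode("UEME_RUNCPL:timedate.cpl", "rot_13"):
        struct.pack("<IIQ", 1, 7, _ft(datetime(2008, 11, 11, 9, 0))),
    codecs.encode("UEME_CTLSESSION", "rot_13"):
        struct.pack("<IIQ", 1, 0, 0),
}

if __name__ == "__main__":
    for e in parse_userassist(SAMPLE_USERASSIST):
        print(f"{str(e['last_run']):19s}  runs={e['run_count']:<3d} {e['type']:13s} {e['name']}")
```

The sort puts the most recently launched program first, which is usually the view you want when the question is what the user ran just before the incident; a RUNPATH pointing at a removable drive or a temporary directory, as in the second sample entry, is the kind of line to pull out.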
MRU Lists
Applications maintain MRU (most recently used) lists, which record the files that have been most recently accessed
The filenames appear at the bottom of the drop-down menu when File is selected on the menu bar
The best-known MRU list Registry key is the RecentDocs key at:
• Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
The MRU list has two parts:
• The numbered values: each contains the name of a file that was accessed
• The MRUListEx value: a sequence of DWORD indexes into the numbered values, most recent first and terminated by 0xFFFFFFFF, that records the order in which the files were accessed
The key's LastWrite time belongs to the most recent entry, the first index in MRUListEx; the other entries carry no timestamps of their own
Each file extension also has its own subkey beneath RecentDocs, with its own MRUListEx and LastWrite time
MRU Lists (cont’d)
Another MRU list can be found in the RunMRU key:
• Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
This key maintains a list of the commands typed into the Run box on the Start menu; the order is kept in the MRUList value as a string of letters, most recent first, and each lettered value holds a command followed by \1
A key similar to RunMRU is the TypedURLs key:
• Software\Microsoft\Internet Explorer\TypedURLs
The TypedURLs key maintains a list of the URLs that the user typed into the Internet Explorer address bar, with url1 being the most recent
Another location for MRU lists is the following key:
• Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
This key maintains MRU lists, one subkey per file extension plus a * subkey, of files opened via the common Open and Save As dialogs
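The two ordering schemes described above (MRUListEx with DWORD indexes for RecentDocs, the letter-string MRUList for RunMRU) are easy to get backwards, so here is a parser for both, added as an example that is not part of the module. The MRUListEx terminator and the \1 suffix are from the text; the RecentDocs value layout assumed here (UTF-16LE filename, NUL, then the shortcut name) and all the sample entries are constructed.

```python
import struct


def parse_mrulistex(data: bytes) -> list:
    """MRUListEx: little-endian DWORD indexes, most recent first, terminated by 0xFFFFFFFF."""
    order = []
    for (index,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4]):
        if index == 0xFFFFFFFF:
            break
        order.append(index)
    return order


def utf16_cstring(data: bytes) -> str:
    """Decode the NUL-terminated UTF-16LE string at the start of a RecentDocs value."""
    for i in range(0, len(data) - 1, 2):
        if data[i] == 0 and data[i + 1] == 0:
            return data[:i].decode("utf-16-le")
    return data[: len(data) - len(data) % 2].decode("utf-16-le", errors="replace")


def recent_docs(values: dict) -> list:
    """values: the RecentDocs key as {value name: data}; file names, most recently used first."""
    names = []
    for index in parse_mrulistex(values["MRUListEx"]):
        raw = values.get(str(index))
        if raw is not None:          # a dangling index means the numbered value was removed
            names.append(utf16_cstring(raw))
    return names


def run_mru(values: dict) -> list:
    """RunMRU keeps order in MRUList (a string of letters) and stores each command as 'cmd\\1'."""
    commands = []
    for letter in values["MRUList"]:
        cmd = values.get(letter)
        if cmd is None:
            continue
        commands.append(cmd[:-2] if cmd.endswith("\\1") else cmd)
    return commands


def _recent_entry(filename: str, lnk_name: str) -> bytes:
    """Constructed XP-style RecentDocs data: UTF-16LE filename, NUL, then the .lnk name."""
    return filename.encode("utf-16-le") + b"\x00\x00" + lnk_name.encode("ascii") + b"\x00"


# Constructed sample data for both keys
SAMPLE_RECENTDOCS = {
    "0": _recent_entry("budget-2008.xls", "budget-2008.xls.lnk"),
    "1": _recent_entry("resume.doc", "resume.doc.lnk"),
    "2": _recent_entry("payroll-export.csv", "payroll-export.csv.lnk"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}
SAMPLE_RUNMRU = {
    "a": "cmd\\1",
    "b": "\\\\10.1.1.5\\c$\\1",
    "c": "regedit\\1",
    "MRUList": "bca",
}

if __name__ == "__main__":
    print("RecentDocs:", recent_docs(SAMPLE_RECENTDOCS))
    print("RunMRU:    ", run_mru(SAMPLE_RUNMRU))
```

Note that only the first name in each list can be tied to a time (the key's LastWrite); the rest is order without timestamps, which is how it should be presented in a report.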
Search Assistant
The terms searched for through the Windows XP Search function are stored in the Registry
The path of the Registry key (in the user's NTUSER.DAT):
• Software\Microsoft\Search Assistant\ACMru
The ACMru key generally has some combination of four subkeys:
• 5001: contains the MRU list for the Internet Search Assistant
• 5603: contains the MRU list for the Windows XP files and folders search
• 5604: contains the MRU list corresponding to the "word or phrase in a file" dialog box
• 5647: maintains the MRU list for the computers entered via the "for computers or people" selection in the Search Results dialog
Connecting to Other Systems
An MRU list is created when a user uses the Map Network Drive Wizard to connect to a remote system
The path of the key:
• Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
Remote shares the user has connected to, whether through the wizard or with the net use command, appear as subkeys of:
• Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
The names (or IP addresses, if the user connected by address) of systems browsed through My Network Places appear in the following Registry key:
• Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
Analyzing Restore Point Registry
Settings
The purpose of restore points is to take a snapshot of the system so that a user can restore the system to a previous state
The settings for restore points are stored at:
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
The interval for scheduled restore point creation is stored in the RPGlobalInterval value (in seconds; the XP default is 86400, one day)
Look for the restore points in numbered folders at:
• System Volume Information\_restore{GUID}\RP##
The System Volume Information directory is accessible only to SYSTEM, so on a live system you must take ownership or run as SYSTEM to read it; in an image it can be read directly
Path to navigate to the System Restore user interface:
• Select Start > All Programs > Accessories > System Tools > System Restore
Analyzing Restore Point Registry
Settings (cont’d)
Characteristics of restore point names:
• When restore points are created on schedule, they are named System CheckPoint, which is what appears in the user interface
• The restore point name is stored in, and pulled from, the file rp.log found in the root of its RP## folder
• The restore point name is stored as a Unicode (UTF-16LE) string starting at byte offset 16 of the rp.log file
• If software or unsigned drivers are installed, a restore point is usually created and named for the installation
• A user can manually create restore points, and the user-provided name is stored in this same location
• The last 8 bytes of the rp.log file are a Windows 64-bit FILETIME indicating when the restore point was created
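The two facts above (name at offset 16, FILETIME in the last 8 bytes) are enough to build a restore point timeline for an image without opening the System Restore interface. The following is an added example, not code from the module; the 16-byte header is left undecoded, the padding of the name field is illustrative, and the three rp.log files are constructed.

```python
import struct
from datetime import datetime, timedelta

_FILETIME_EPOCH = datetime(1601, 1, 1)
NAME_OFFSET = 16          # the restore point name starts here (from the module text)


def filetime_to_utc(ft: int):
    return None if ft == 0 else _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_rp_log(data: bytes) -> dict:
    """Pull the UTF-16LE NUL-terminated name at offset 16 and the trailing FILETIME out of rp.log."""
    if len(data) < NAME_OFFSET + 8:
        raise ValueError("rp.log too short")
    body = data[NAME_OFFSET:-8]
    body = body[: len(body) - len(body) % 2]
    name = ""
    for i in range(0, len(body), 2):
        if body[i] == 0 and body[i + 1] == 0:
            name = body[:i].decode("utf-16-le")
            break
    created = struct.unpack("<Q", data[-8:])[0]
    return {"name": name, "created": filetime_to_utc(created)}


def restore_point_timeline(rp_logs: dict) -> list:
    """rp_logs: {'RP12': rp.log bytes, ...}; rows of (number, name, created) sorted by creation time."""
    rows = []
    for folder, data in rp_logs.items():
        parsed = parse_rp_log(data)
        rows.append((int(folder[2:]), parsed["name"], parsed["created"]))
    rows.sort(key=lambda row: row[2])
    return rows


def _ft(dt: datetime) -> int:
    """Build a FILETIME for the constructed sample files."""
    td = dt - _FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10


def build_rp_log(name: str, created: datetime, header: bytes = b"\x00" * 16) -> bytes:
    """Constructed rp.log: 16-byte header (not decoded here), name, zero padding, FILETIME."""
    body = name.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * (256 - len(body))      # field width is illustrative only
    return header + body + struct.pack("<Q", _ft(created))


# Constructed sample: two scheduled checkpoints around a software installation
SAMPLE_RP_LOGS = {
    "RP10": build_rp_log("System CheckPoint", datetime(2008, 11, 10, 3, 0)),
    "RP11": build_rp_log("Installed Nmap", datetime(2008, 11, 11, 22, 41)),
    "RP12": build_rp_log("System CheckPoint", datetime(2008, 11, 12, 3, 0)),
}

if __name__ == "__main__":
    for number, name, created in restore_point_timeline(SAMPLE_RP_LOGS):
        print(f"RP{number:<4d} {created}  {name}")
```

A gap in the sequence of RP numbers, or a restore point named for software nobody admits installing, is worth a line in the timeline; the named restore point also tells you which RP## folder holds the pre-installation copies of the monitored files.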
System Restore: Screenshot
Determining the Startup
Locations
Common startup locations in the Registry are listed below (Registry Key followed by Notes):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  All values in this key are executed at system startup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  All values in this key are executed at system startup and are deleted afterwards
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  All values in this key are run as services at system startup (Windows 9x/Me only; NT-based systems use the Services key listed later)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  All values in this key are run as services at system startup and then deleted (Windows 9x/Me only)
Determining the Startup Locations
(cont’d)
Registry Key followed by Notes:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  The Shell value is executed when any user logs on. It is normally explorer.exe, but it can be changed to a different program, or to an explorer.exe in a different path
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
  Each subkey (GUID name) represents an installed component. All subkeys are monitored, and the StubPath value in a subkey, when present, is a way of running code the first time each user logs on
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  The Userinit value runs when any user logs on; it is normally C:\Windows\system32\userinit.exe, and additional programs can be appended after a comma to start here
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  Each value holds a CLSID; the corresponding COM object is loaded by explorer.exe after it starts
Determining the Startup Locations
(cont’d)
Registry Key followed by Notes:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  If the Explorer and Run subkeys are present, the values under Run are executed after Explorer starts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001
  Contains entries to be run once, for example RunMyApp = ||notepad.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD
  When present, subkeys are monitored and the StaticVxD value in each subkey is a method of executing code
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
  The BootExecute value (REG_MULTI_SZ) lists native applications executed by the Session Manager before the Win32 subsystem starts; the default is autocheck autochk *
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
  Contains the services that run at system startup. The Start value of each service gives its start type: 0 is boot, 1 is system, 2 is automatic, 3 is manual (started on demand) and 4 is disabled
Determining the Startup Locations
(cont’d)
Registry Key followed by Notes:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries
  The subkeys are layered service providers (LSPs), and the DLLs they name are loaded into every process that uses Winsock, before any user logs in
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WOW
  Whenever a legacy 16-bit application is run, the program listed in the cmdline value is run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  All values in this subkey run when this specific user logs on, as the setting is user specific
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  All values in this subkey run when this specific user logs on, and then the values are deleted
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
  For this specific user, this key is used only by setup, and a progress dialog box tracks progress as the values in this key are run one at a time
Determining the Startup Locations
(cont’d)
Registry Key followed by Notes:
HKEY_CURRENT_USER\Control Panel\Desktop
  For this specific user, if a screensaver is enabled, a value named SCRNSAVE.EXE is present. Whatever path is found in the string data for this value executes when the screensaver runs
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  For this specific user, the string specified in the run value executes when this user logs on
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  For this specific user, the string specified in the load value runs when this user logs on
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  For this specific user, the values under this key run when this user logs on
Determining the Startup Locations
(cont’d)
User Startup folder Registry settings are shown below (Registry Key followed by Default or Normal Setting):
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  The Startup value will be C:\Documents and Settings\%UserName%\Start Menu\Programs\Startup, where %UserName% is not the environment variable but the user's actual name
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  The Startup value will be %USERPROFILE%\Start Menu\Programs\Startup
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  The Common Startup value will be C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  The Common Startup value will be %ALLUSERSPROFILE%\Start Menu\Programs\Startup
Any of these values can be redirected to another folder, so compare them with the defaults above rather than assuming the Startup folder is where it should be
Cache, Cookie, and History
Analysis in IE
All Internet Explorer activity of a user is stored under the user's profile, starting with the cache directory:
• C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5
This directory stores the cached pages and images viewed by the user, together with an index.dat file that maps the cache entries to URLs
The IE activity directory containing the Internet history:
• C:\Documents and Settings\<user>\Local Settings\History\History.IE5
The IE directory containing cookies:
• C:\Documents and Settings\<user>\Cookies
All three directories contain an index.dat file; these files are hidden and held open while the user is logged on, so copy them from an image or from another profile rather than from the live session
Cache, Cookie, and History
Analysis in Firefox/Netscape
Mozilla, Netscape and Firefox (through version 2) save web history in a file named history.dat
The history.dat file is a text-based (Mork) format that can be opened in a text editor, although the records are awkward to interpret by hand
A limitation of history.dat is that it does not link website activity with the cached web pages
Firefox history files are located in the directory:
• Documents and Settings\<user name>\Application Data\Mozilla\Firefox\Profiles\<random text>\history.dat
Mozilla/Netscape history files are found in the directory:
• Documents and Settings\<user name>\Application Data\Mozilla\Profiles\<profile name>\<random text>\history.dat
Firefox 3 and later replaced history.dat with an SQLite database, places.sqlite, in the same profile directory
Browsing Analysis Tool: Pasco
Pasco is a command line tool that runs on Unix or Windows
It accepts an index.dat file, reconstructs the records, and writes the information out in a delimited text file format
It shows the fields saved by IE, such as:
• The record type: signifies whether the activity is a URL that was browsed (URL) or a website that redirected the user's browser to another site (REDR)
• The URL: the actual website that the user visited
• Modified Time: the last time the website was modified
• Access Time: the time the user browsed the website
• Filename: the local file name that contains a copy of the URL listed
• HTTP Headers: the HTTP headers the user received when browsing the URL
Tool: IE Cache View
IE Cache View (NirSoft IECacheView) reads the cache folder of Internet Explorer and displays the list of all files currently stored in the cache
It gives the following information for each cached file:
• Filename
• Content Type
• URL
• Last Accessed Time
• Last Modified Time
• Expiration Time
• Number Of Hits
• File Size
• Folder Name
• Full path of the cache filename
Tool: IE Cache View (cont’d)
Advantages:
• IE Cache View displays the list of cache files
• It allows you to filter the cache files by file type
• It allows you to view the cache files of another user or from another disk, which is what makes it usable against a mounted image
• Selecting and copying the desired cache item to the clipboard is easy
Forensic Tool: Cache Monitor
Cache Monitor offers a real-time view of the current state of a cache
It offers an interface to modify the data
It also allows you to:
• Verify the configuration of dynamic caches
• Verify the cache policies
• Monitor cache statistics
• Monitor the data flowing through the caches
• View the data in the edge cache
• View data offloaded to disk
• Manage the data in the cache
Tool - IE History Viewer
This utility (NirSoft IEHistoryView) reads all information from the history file on your computer and displays the list of all URLs that you have visited in the last few days
It also allows you to select one or more URL addresses and then remove them from the history file or save them to a text, HTML or XML file; during an investigation use only the export function, since removing entries alters the evidence
IE Cookie Analysis
The index.dat file provides the following information about each cookie:
• Cookie file name
• The record type
• Record size in bytes
• Number of hits
• The site that created the cookie
Index.dat also contains the following information:
• Modified date
• Accessed date
• Name of the user
• MD5 of the actual cookie file
IE Cookie Analysis (cont’d)
Hash tables inside the index.dat file are used to locate the data records stored in it
The records collected are then parsed into their separate information fields
IE Cookie Analysis (cont’d)
Figure: The HASH table offset
Investigating Internet Traces
Internet Explorer investigations:
• Cookies
  C:\Documents and Settings\Administrator\Cookies
• Temporary Internet files
  C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
The paths above are for a single account; repeat them with the name of every profile on the system
Tool – IECookiesView
IECookiesView displays details of all cookies stored on the computer
It shows the contents of each cookie and can save the cookies to a readable text file
It enables the user to view references to deleted cookies
Tool- IE Sniffer
The IE Sniffer tool can be used to perform forensic analysis of index.dat files
Features:
• Cookie Monitor: keeps only the cookies you want and displays all cookies that are deleted
• Cache Cleaner: cleans the Internet Explorer cache as well as all stored offline pages
• Quick Viewer: quickly views the contents of an index.dat file and opens any of the visited links in the browser
• Hex Viewer: views the raw contents of the index.dat files
Only the viewer features are appropriate on evidence; the cleaning features destroy the artifacts being examined
Screenshot: IE Sniffer
MD5 Calculation
Message-Digest algorithm 5 (MD5) was designed by Ron Rivest in 1991
MD5 is a cryptographic hash function with a 128-bit hash value
MD5 is used in security applications and to check the integrity of files
MD5 is no longer collision resistant: practical collisions have been known since 2004, so two different files can be crafted to share an MD5 hash; it still detects accidental corruption, but for evidence integrity record a SHA-1 or SHA-256 hash alongside it
MD5 Algorithm
MD5 processes a variable-length message into a fixed-length output of 128 bits
The input message is processed in 512-bit blocks
The message is first padded so that its length is a multiple of 512 bits
The padding is done as follows:
• A single '1' bit is appended to the end of the message
• It is followed by as many '0' bits as are required to bring the length of the message to 64 bits short of a multiple of 512 (that is, to 448 mod 512)
• The remaining 64 bits are filled with a 64-bit little-endian integer representing the bit length of the original message
MD5 Pseudocode
//Note: All variables are unsigned 32 bits and wrap modulo 2^32 when calculating
var int[64] r, k

//r specifies the per-round shift amounts
r[ 0..15] := {7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22}
r[16..31] := {5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20}
r[32..47] := {4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23}
r[48..63] := {6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21}

//Use the binary integer part of the sines of integers (radians) as constants:
for i from 0 to 63
    k[i] := floor(abs(sin(i + 1)) × 2^32)

//Initialize variables (the RFC 1321 values; they appear as 01 23 45 67 ... in memory because the words are stored little-endian):
var int h0 := 0x67452301
var int h1 := 0xEFCDAB89
var int h2 := 0x98BADCFE
var int h3 := 0x10325476

//Pre-processing:
append "1" bit to message
append "0" bits until message length in bits ≡ 448 (mod 512)
append bit /* bit, not byte */ length of unpadded message as 64-bit little-endian integer to message

//Process the message in successive 512-bit chunks:
for each 512-bit chunk of message
    break chunk into sixteen 32-bit little-endian words w[i], 0 ≤ i ≤ 15

    //Initialize hash value for this chunk:
    var int a := h0
    var int b := h1
    var int c := h2
    var int d := h3

    //Main loop:
    for i from 0 to 63
        if 0 ≤ i ≤ 15 then
            f := (b and c) or ((not b) and d)
            g := i
        else if 16 ≤ i ≤ 31
            f := (d and b) or ((not d) and c)
            g := (5×i + 1) mod 16
        else if 32 ≤ i ≤ 47
            f := b xor c xor d
            g := (3×i + 5) mod 16
        else if 48 ≤ i ≤ 63
            f := c xor (b or (not d))
            g := (7×i) mod 16

        temp := d
        d := c
        c := b
        b := b + leftrotate((a + f + k[i] + w[g]), r[i])
        a := temp

    //Add this chunk's hash to result so far:
    h0 := h0 + a
    h1 := h1 + b
    h2 := h2 + c
    h3 := h3 + d

var int digest := h0 append h1 append h2 append h3 //(expressed as little-endian)
MD5 Generator: Chaos MD5
Chaos MD5 is a free MD5 generator for Windows
Give it any file and it will generate an MD5 checksum for that file
The checksum identifies the file's content: identical content always produces the same value, and (collisions aside) different content produces different values
Chaos MD5 does not require installation; simply copy it to the hard drive or a USB device to run it
The MD5 checksum that is generated can be used for file identification or integrity checks
Chaos MD5: Screenshot
Secure Hash Signature
Generator
Secure Hash Signature Generator generates hash signatures over the data stored on a disk drive
These signatures are used to verify data integrity by detecting intentional or accidental tampering with the drive data; compute one before and after acquisition and the two must match
The application can detect up to three P-ATA, S-ATA, SCSI or ATA-compatible flash devices attached to a PC
This application runs under Windows XP or Windows 2000
There are three signature-generating algorithms to choose from: MD5 (128-bit signature), SHA-1 (160-bit signature) and CRC32 (32-bit signature); CRC32 is a checksum rather than a cryptographic hash and will only catch accidental corruption
MD5 Generator: Mat-MD5
Mat-MD5 is a program that computes the MD5 value of each file processed and compares it with other MD5 strings
It will process one or more files and add the resulting values to a list
You can add an MD5 value to compare against by typing it or by copying it from an external file, so you can easily compare your values
Mat-MD5: Screenshot
MD5 Checksum Verifier
MD5 Checksum Verifier is a file integrity checker based on the MD5 algorithm
With it, you can create checksums of files and verify their integrity in the future
Recycle Bin
The Recycle Bin exists as a metaphor for throwing files away; it also allows the user to retrieve and restore files
A subdirectory is created for each user within the Recycler directory and named with the user's security identifier (SID)
• For example: C:\RECYCLER\S-1-5-21-1454471165-630328440-725345543-1003
Check the subdirectory for the deleted files' information; on XP the hidden INFO2 file in it records each file's original path, deletion time and size
When a file is moved to the Recycle Bin, it is renamed using the following convention:
• D<original drive letter of file><#>.<original extension>
For example, Dc3.doc is a .doc file deleted from drive C: with index 3; the number is a sequence counter and says nothing about the original name
Files removed with Shift+Delete or from the command line bypass the Recycle Bin and leave no entry here
System Restore Points
Rp.log Files
• Rp.log is the restore point log file located within the restore point (RPxx)
directory
• It includes a value indicating the type of the restore point, a descriptive
name for the restore point creation event, and a 64-bit FILETIME object
• The description of the restore point can be useful for information regarding the
installation or removal of an application
Change.log.x Files
• Key system and application files are continuously monitored so that the
system can be restored to a particular state
• Changes are recorded in the change.log files, which are located in the
restore point directories
• The monitored file is preserved by copying it to the restore point directory and
renaming it
Prefetch Files
After processing, the prefetch data is written to a .pf file in
the Windows\Prefetch directory
Collect this data from the Prefetch directory
Prefetching is controlled by the Registry key:
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\Session Manager\Memory Management\PrefetchParameters
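As an added example (not part of the EC-Council module), the following Python parses the fixed header of an uncompressed .pf file to recover the fields an examiner usually wants: the executable name, the hash embedded in the file name, the run count and the last run time. The offsets are those of the version 17 (XP/2003) and version 23 (Vista/7) layouts; the sample bytes are constructed, and the compressed Windows 10 format is out of scope.

```python
import struct
from datetime import datetime, timedelta, timezone

# Header field offsets for the two uncompressed prefetch layouts this
# example supports: version 17 (XP/2003) and version 23 (Vista/7).
# Windows 8.1+ files (versions 26/30) store several run times, and
# Windows 10 files are additionally MAM-compressed; they are not handled.
LAYOUTS = {
    17: {"last_run": 0x78, "run_count": 0x90},
    23: {"last_run": 0x80, "run_count": 0x98},
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch(data):
    """Return the evidentiary fields from a .pf header, or raise ValueError."""
    if len(data) < 0x54:
        raise ValueError("too short to be a prefetch file")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature: %r" % signature)
    layout = LAYOUTS.get(version)
    if layout is None:
        raise ValueError("unsupported prefetch version %d" % version)
    if len(data) < layout["run_count"] + 4:
        raise ValueError("header truncated for version %d" % version)

    # Executable name: 60 bytes of UTF-16LE at 0x10, NUL terminated.
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 0x4C)
    (last_run,) = struct.unpack_from("<Q", data, layout["last_run"])
    (run_count,) = struct.unpack_from("<I", data, layout["run_count"])
    return {
        "version": version,
        "executable": exe_name,
        "hash": "%08X" % pf_hash,
        # The on-disk name is <EXE>-<HASH>.pf; a mismatch with the real
        # file name suggests the file was renamed or planted.
        "expected_filename": "%s-%08X.pf" % (exe_name, pf_hash),
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
    }


def build_sample(version, exe_name, pf_hash, last_run, run_count):
    """Constructed header bytes for testing; not taken from a real system."""
    layout = LAYOUTS[version]
    buf = bytearray(layout["run_count"] + 8)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    struct.pack_into("<I", buf, 0x0C, len(buf))  # file size field
    buf[0x10:0x10 + 60] = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, pf_hash)
    struct.pack_into("<Q", buf, layout["last_run"], datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, layout["run_count"], run_count)
    return bytes(buf)


# Constructed samples, one per supported layout.
SAMPLE_V17 = build_sample(17, "NOTEPAD.EXE", 0x7A1BC2F3,
                          datetime(2008, 11, 12, 10, 30, tzinfo=timezone.utc), 5)
SAMPLE_V23 = build_sample(23, "CMD.EXE", 0x0BD30981,
                          datetime(2009, 3, 4, 23, 59, 59, tzinfo=timezone.utc), 42)

if __name__ == "__main__":
    for sample in (SAMPLE_V17, SAMPLE_V23):
        info = parse_prefetch(sample)
        print("%-28s runs=%-3d last=%s" % (info["expected_filename"],
                                           info["run_count"], info["last_run"]))
```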
Shortcut Files
Shortcuts are files with the extension .lnk that are
created when users access files
They are created on the system in the Recent folder
A shortcut provides information about files or network shares that
the user had accessed, and also about devices that the user
had attached to the system
Tools like AccessData’s Forensic Toolkit (FTK), Windows
File Analyzer (WFA), and EnCase are used to reveal the
information embedded within the file
Searching with Event Viewer
The Filter feature in Event Viewer allows removing clutter from
the event log display
Each log can be independently configured with different filter
properties
Use the Filter and Find features in Event Viewer, under the View
menu
After applying the filter, Event Viewer shows only the log entries with
matching properties
Event Viewer: Screenshot
Word Documents
Word documents are compound documents, based
on the Object Linking and Embedding (OLE)
technology, which defines a file structure within the file
Word documents can maintain past revisions as well
as a list of up to the last 10 authors
Use the wmd.pl and oledmp.pl scripts to list the OLE
streams
PDF Documents
Portable Document Format (PDF) files can also contain metadata such
as the name of the author, the date that the file was created, and the
application used to create that file
The metadata may show, for example, that the PDF file was created on a Mac or that it was
created by converting a Word document to PDF format
Use the pdfmeta.pl and pdfdmp.pl scripts to extract metadata from
PDF files
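An added example, not the module's pdfmeta.pl, of pulling the same fields from a PDF's Info dictionary in Python: it follows the trailer's /Info reference, decodes the PDF date format, and reads the Creator and Producer fields for the Word-conversion or Mac hints the text mentions. The document is constructed, the origin heuristics are an assumption of this example, and object streams, cross-reference streams and XMP metadata are not handled.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a minimal PDF whose trailer points at an Info
# dictionary. The document and its values are invented for this example.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
5 0 obj
<< /Title (Q3 Report \\(draft\\)) /Author (J. Doe)
   /Creator (Microsoft Word 2003) /Producer (Acrobat PDFMaker 8.1 for Word)
   /CreationDate (D:20081112103000+05'30') /ModDate (D:20081113081500Z) >>
endobj
trailer
<< /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

# /Key (literal string) pairs; the string body allows escaped characters.
_STRING_ENTRY = re.compile(rb"/(\w+)\s*\(((?:\\.|[^\\)])*)\)", re.S)
# PDF date: D:YYYYMMDDHHmmSSOHH'mm' where everything after the year is optional
_PDF_DATE = re.compile(
    r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?([Zz+-])?(\d{2})?'?(\d{2})?'?")


def _unescape(raw):
    """Undo the PDF literal-string escapes that matter for metadata fields."""
    return (raw.replace(b"\\(", b"(").replace(b"\\)", b")")
               .replace(b"\\\\", b"\\").decode("latin-1"))


def find_info_object(pdf):
    """Return the dictionary body of the object named by /Info, or None.
    Only uncompressed objects are handled; object streams, cross-reference
    streams and XMP metadata are out of scope for this example."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf)
    if not ref:
        return None
    num, gen = ref.group(1), ref.group(2)
    pattern = rb"(?<![0-9])" + num + rb"\s+" + gen + rb"\s+obj\s*(<<.*?>>)\s*endobj"
    obj = re.search(pattern, pdf, re.S)
    return obj.group(1) if obj else None


def parse_pdf_date(text):
    """Turn D:20081112103000+05'30' into an ISO-8601 string, or None."""
    m = _PDF_DATE.match(text)
    if not m:
        return None
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    tz = timezone.utc
    if sign in ("+", "-"):
        offset = timedelta(hours=int(oh or 0), minutes=int(om or 0))
        tz = timezone(-offset if sign == "-" else offset)
    return datetime(int(y), int(mo or 1), int(d or 1), int(h or 0),
                    int(mi or 0), int(s or 0), tzinfo=tz).isoformat()


def origin_hints(meta):
    """Heuristics (an assumption of this example) for the Creator/Producer
    fields: Word conversions name Word, Mac-made PDFs name Quartz/Mac OS."""
    text = " ".join(meta.get(k, "") for k in ("Creator", "Producer")).lower()
    hints = []
    if "word" in text:
        hints.append("converted from a Microsoft Word document")
    if "mac os" in text or "quartz" in text:
        hints.append("produced on a Mac")
    return hints


def extract_metadata(pdf):
    body = find_info_object(pdf)
    if body is None:
        return {}
    meta = {k.decode("ascii"): _unescape(v) for k, v in _STRING_ENTRY.findall(body)}
    for key in ("CreationDate", "ModDate"):
        if key in meta:
            meta[key] = parse_pdf_date(meta[key]) or meta[key]
    meta["origin_hints"] = origin_hints(meta)
    return meta


if __name__ == "__main__":
    for key, value in extract_metadata(SAMPLE_PDF).items():
        print("%-13s %s" % (key, value))
```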
Image Files
Image files such as JPEGs can contain the photographer’s information, such as
the location where the picture was taken
The metadata available in a JPEG image depends largely on the
application that created or modified it
Collect the Exchangeable Image File Format (EXIF) information in images,
which includes the model and manufacturer of the camera and may also store
thumbnail or audio information
Use tools such as Exifer, IrfanView, and the
Image::MetaData::JPEG Perl module to view, retrieve, and modify the
metadata embedded in JPEG image files
File Signature Analysis
Analyze files with unusual extensions, and verify files
with familiar extensions, with the help of
file signature analysis
File signature analysis collects information
from the first 20 bytes of a file
• This information helps to determine the type and
function of the file
Use the ProDiscover tool for file signature
analysis
NTFS Alternate Data Streams
An NTFS Alternate Data Stream (ADS) is a feature of the NTFS file
system
ADS was introduced to support the Hierarchical File System (HFS) used by the
Macintosh
Create an ADS by typing the following command:
• D:\ads>notepad myfile.txt:ads.txt
Vista has a switch that allows enumerating ADSes with dir, using the
/r switch
Use the type command for executing the ADS
Executable File Analysis
Static Analysis
• Static analysis is the process of collecting information
about and from an executable file without actually running or
launching the file under any circumstances
Dynamic Analysis
• Dynamic analysis involves launching an executable file in a
controlled and monitored environment so that its effects on a
system can be observed and documented
Documentation Before Analysis
Full path and location of the file
MAC timestamps
Information about the system where the file was stored:
• The operating system and version
• File system
• User accounts
• IP address
Any references to that file within the file system or Registry
Details about who found it and when
Static Analysis Process
Scan the suspicious file with antivirus
software such as Norton, AVG, or McAfee
Search for strings
Analyze PE Header
Analyze Import Tables
Analyze Export Table
Search Strings
Run suspicious files through tools such as strings.exe and BinText to
extract all ASCII and Unicode strings of a given minimum length
This helps to get an idea of the file’s nature from the strings within
the file
Also record where each string is located within the file
Screenshot: BinText
PE Header Analysis
The file signature of a portable executable (PE) file is found in a 64-byte structure
called the IMAGE_DOS_HEADER
Its last DWORD, e_lfanew, holds the file offset of the new EXE (PE) header
The IMAGE_DOS_HEADER structure, including e_lfanew, is defined in the ntimage.h header file
The e_lfanew value points to the location of the PE header
Use the PEview tool to view the PE header
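The following Python is an added example (not the module's, ProDiscover's or PEview's code) that ties the file signature analysis slide to this one: it checks a file's first 20 bytes against known signatures, flags extension mismatches, and for MZ files follows e_lfanew from the IMAGE_DOS_HEADER to the PE signature and the IMAGE_FILE_HEADER behind it. The sample files are constructed byte strings.

```python
import struct
from datetime import datetime, timezone

# Signatures ("magic numbers") checked against the first 20 bytes of a file,
# with the extensions each one legitimately carries.
SIGNATURES = [
    (b"MZ", "PE executable", {"exe", "dll", "sys", "scr", "ocx"}),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE compound document",
     {"doc", "xls", "ppt", "msg"}),
    (b"%PDF", "PDF document", {"pdf"}),
    (b"\xFF\xD8\xFF", "JPEG image", {"jpg", "jpeg"}),
    (b"PK\x03\x04", "ZIP archive", {"zip", "docx", "xlsx", "pptx", "jar"}),
]

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARM Thumb-2",
                 0xAA64: "ARM64"}


def identify(first_bytes):
    """Match the leading bytes of a file against SIGNATURES."""
    for magic, description, extensions in SIGNATURES:
        if first_bytes.startswith(magic):
            return description, extensions
    return "unknown", set()


def parse_pe_header(data):
    """Follow e_lfanew, the last DWORD of the 64-byte IMAGE_DOS_HEADER, to the
    PE signature and read the IMAGE_FILE_HEADER that follows it."""
    if len(data) < 64:
        return {"error": "truncated IMAGE_DOS_HEADER"}
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):
        return {"error": "e_lfanew 0x%X points outside the file" % e_lfanew}
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return {"error": "no PE signature at e_lfanew 0x%X" % e_lfanew}
    machine, sections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINE_NAMES.get(machine, "0x%04X" % machine),
        "sections": sections,
        # TimeDateStamp is written by the linker and can be altered, so treat
        # it as a lead rather than proof of when the file was built.
        "link_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
    }


def analyze_file(name, data):
    description, extensions = identify(data[:20])
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    result = {
        "name": name,
        "type": description,
        # None when the signature is unknown; otherwise whether the extension
        # agrees with what the content says the file is.
        "extension_matches": (ext in extensions) if extensions else None,
    }
    if description == "PE executable":
        result["pe"] = parse_pe_header(data)
    return result


def scan_by_name(files):
    return {name: analyze_file(name, data) for name, data in files.items()}


def build_pe_stub(e_lfanew=0x40, machine=0x014C, sections=3,
                  timestamp=1226485800):
    """Constructed MZ/PE prefix for testing; not a runnable program."""
    dos = bytearray(b"MZ".ljust(64, b"\x00"))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_header = struct.pack("<HHIIIHH", machine, sections, timestamp,
                              0, 0, 0xE0, 0x0102)
    return bytes(dos).ljust(e_lfanew, b"\x00") + b"PE\x00\x00" + file_header


# Constructed evidence set: a PE renamed to look like a PDF, a genuine PDF
# prefix, a JPEG prefix, and an MZ header whose e_lfanew is out of range.
SAMPLE_FILES = {
    "invoice.pdf": build_pe_stub(),
    "report.pdf": b"%PDF-1.4\n%\xE2\xE3\xCF\xD3\n1 0 obj\n",
    "photo.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01",
    "broken.exe": b"MZ".ljust(60, b"\x00") + struct.pack("<I", 0x10000),
}

if __name__ == "__main__":
    for r in scan_by_name(SAMPLE_FILES).values():
        flag = "  <-- extension mismatch" if r["extension_matches"] is False else ""
        print("%-12s %-22s %s%s" % (r["name"], r["type"], r.get("pe", ""), flag))
```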
Screenshot: PEview
Import Table Analysis
The operating system needs information about the DLLs and functions
accessed by the executing program
This information is maintained in the import table and the import
address table of the executable file
Use pedump.exe or the Dependency Walker tool to easily access the import
table information
Locate the import data directory and parse its structures to determine
the DLLs and their functions
Identify networking code from the DLLs and functions listed in the import table
Screenshot: Dependency Walker
Export Table Analysis
DLLs provide functions that other executable files can import
DLLs list the functions they make available in their export table
Collect information about chained or cascading DLL dependencies
with the help of tools like Dependency Walker and pedump.exe
Dynamic Analysis Process
Create a testing environment
Use virtualization tools such as Bochs,
Parallels, Microsoft’s Virtual PC, VirtualIron, or
VMware
Arrange your tools properly
Start the process of testing the malware
Creating Test Environment
Run the malware to be tested on a system other
than the victim system
Do not connect the test system to the victim system
through a network
Reinstall the operating system after each test
Work on a virtual platform
Use virtualization tools such as Bochs, Parallels,
Microsoft’s Virtual PC, VirtualIron, or VMware
Collecting Information Using
Tools
Use network sniffer tools to learn network connectivity
information
This helps to determine whether the malware attempts to
communicate with a remote system, or opens a port to listen for
connections
Record TCP and UDP port activity with the help of the Port
Reporter tool
Use the Process Monitor tool to see files and Registry keys that
were created or modified, and also a timeline of the activity
Dynamic Analysis Steps
1. Ensure that all monitoring tools are updated
2. Ensure that all monitoring tools are configured properly
3. Create a log storage location
4. Prepare the malware to be analyzed
5. Launch the baseline phase of the snapshot tools
6. Enable real-time monitoring tools
7. Launch the malware
8. Stop the real-time monitoring tools, and save the data
9. Launch the second phase of the snapshot tools, and save the data
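As an added example serving both the MD5 Checksum Verifier slide and steps 5 and 9 above, the following Python implements the two phases of a snapshot tool: a hash baseline of a directory tree before the sample runs, and a comparison afterwards that reports created, deleted and modified files, including files whose content changed while their size and mtime stayed the same. It is not EC-Council's or any named tool's code; the directory tree and the simulated sample activity are constructed in a temporary folder.

```python
import hashlib
import os
import shutil
import tempfile

# MD5 matches the checksum tool discussed earlier in the module and is fine
# for spotting changes; prefer SHA-256 if a sample might craft a colliding file.
HASH = hashlib.md5


def hash_file(path, chunk=65536):
    h = HASH()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Baseline phase: map every file under root to (digest, size, mtime)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            state[rel] = (hash_file(full), st.st_size, int(st.st_mtime))
    return state


def diff_snapshots(before, after):
    """Second phase: report what changed between two snapshots."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after)
                      if before[p][0] != after[p][0])
    # Content changed but size and mtime did not: the timestamps were put
    # back after the write, which a plain directory listing would miss.
    timestomped = sorted(p for p in modified if before[p][1:] == after[p][1:])
    return {"created": created, "deleted": deleted,
            "modified": modified, "timestomped": timestomped}


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def run_demo():
    """Constructed walk-through: baseline, simulated sample activity, diff."""
    root = tempfile.mkdtemp(prefix="snap_")
    try:
        _write(root, "Windows/System32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "Windows/win.ini", b"[fonts]\n")
        _write(root, "Users/alice/Desktop/notes.txt", b"todo\n")
        baseline = snapshot(root)

        # Simulated effects of the sample (constructed, not real malware):
        # a dropped file, an edited hosts file, a deleted user file, and an
        # edited win.ini whose size and mtime are restored afterwards.
        _write(root, "Windows/System32/dropped.dll", b"MZ\x90\x00")
        _write(root, "Windows/System32/drivers/etc/hosts",
               b"127.0.0.1 localhost\n127.0.0.1 example.test\n")
        os.remove(os.path.join(root, "Users/alice/Desktop/notes.txt"))
        ini = os.path.join(root, "Windows/win.ini")
        st = os.stat(ini)
        _write(root, "Windows/win.ini", b"[fonty]\n")  # same length as before
        os.utime(ini, (st.st_atime, st.st_mtime))       # put the old mtime back

        return diff_snapshots(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print("%-12s %s" % (kind, ", ".join(paths) or "-"))
```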
Metadata
The term metadata refers to data about data
Example of metadata:
• Organization name
• Author name
• Computer name
• Network name
• Hidden text or cells
• Document versions
• Template information
• Personalized views
• Non-visible portions of embedded OLE objects
It is important to collect metadata because it gives information about:
• Hidden information about the document
• Who tried to hide, delete, or obscure the data
• Correlated documents from different sources
Metadata Example: Screenshot
Types of Metadata
Metadata is divided into three types:
• Descriptive metadata
• Structural metadata
• Administrative metadata
Descriptive metadata includes information such as the title,
abstract, author, and keywords
Structural metadata supports the navigation
and presentation of electronic resources
Administrative metadata provides information such as the file
creation date, file type, and other technical information
Types of Metadata (cont’d)
Type: Descriptive Metadata
Description: Describes and identifies information resources
Sample elements: Unique identifiers, physical attributes, bibliographic attributes
Type: Structural Metadata
Description: Provides information about the internal structure of resources, including page, section, and chapter numbering, indexes, and table of contents
Sample elements: Tags such as title page, table of contents, chapters, parts, errata, index, sub-object relationship
Type: Administrative Metadata
Description: Includes technical data on creation and quality control
Sample elements: Resolution, bit depth, color space, file format, compression, light source, owner, copyright date, copying and distribution limitations
Metadata in Different File System
Metadata such as the modified, accessed, and created (MAC)
timestamps gives information about when the file was last
modified, last accessed, and created
These MAC times are managed by the operating system
depending on the file system used, such as FAT or NTFS
• On the FAT file system, times are stored based on the local
time of the computer system
• The NTFS file system stores MAC times in Coordinated Universal
Time (UTC) format
Investigate the way the timestamps are displayed, based
on various move and copy actions
Metadata in Different File
System (cont’d)
For NTFS file system:
• Copy myfile.txt from C:\ to C:\subdir: myfile.txt keeps the same modification
date, but the creation date is updated to the current date and time
• Move myfile.txt from C:\ to C:\subdir: myfile.txt keeps the same modification
and creation dates
• Copy myfile.txt from a FAT16 partition to an NTFS partition: myfile.txt
keeps the same modification date, but the creation date is updated to the current date
and time
• Move myfile.txt from a FAT16 partition to an NTFS partition: myfile.txt
keeps the same modification and creation dates
FAT16 file system:
• Copy myfile.txt from C:\ to C:\subdir: myfile.txt keeps the same modification
date, but the creation date is updated to the current date and time
• Move myfile.txt from C:\ to C:\subdir: myfile.txt keeps the same modification
and creation dates
Viewing Metadata
Metadata can be viewed with the help of some native applications
Metadata is viewed by going to File -> Properties in
Microsoft Office, or File -> Document Properties in
Adobe Acrobat
Tools used to view metadata:
• MetaViewer
• Metadata Analyzer
• iScrub
MetaViewer
MetaViewer allows you to quickly extract
file system metadata, OLE metadata
contained in Microsoft Office files,
and hash values
It displays metadata and hash values
inside Windows Explorer
It also allows you to paste the retrieved
information into any application
Metadata Analyzer
Metadata Analyzer is an analytical
tool for checking MS Office
documents:
• Microsoft Word
• Microsoft Excel
• Microsoft PowerPoint
It gives information about the initial
name, authors, corporate name,
number of saves, etc.
iScrub
iScrub extracts the information
about the authors of the
document, deleted text, and
drafting history
Features:
• It is a reporting tool to capture and
display document metadata
• It allows users to first manage
metadata in a document and then
lock it down
Summary
Live system activity notification is important for responders and investigators
In live response, collect the data which is going to change in a short span of time
Several Registry values and settings could impact the forensic analysis
Analyzing the contents of RAM will help the investigator find what has been hidden
The pmdump.exe tool allows dumping the contents of process memory without stopping the
process
Registry analysis provides more information to the investigator during live response
The logs generated by the web server are used to investigate attacks on the IIS web
server
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 

File000125

  • 1. Module XII – Windows Forensics I
  • 2. EC-Council. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
    News: Passware Exposes Private Data Indexed by Windows Search
    New evidence discovery software extracts all users' data from a Windows Search database.
    MOUNTAIN VIEW, Calif., Nov. 12 -- Passware, Inc., the expert in cryptanalysis, introduces a new evidence discovery solution for Windows Vista, XP, and Server 2003. Passware Search Index Examiner makes all the data indexed by Windows Search instantly accessible to computer forensics and IT professionals.
    Search Index Examiner lists all the documents, emails, and spreadsheets, as well as provides creation and modification dates, author, recipients, summary content, and other information for each item. The only data it needs from the target computer is a Windows Search database.
    A quick scan of a Windows Search database can find documents relevant to a case, and even a preview of files and items which have been deleted, deliberately or not.
    It takes under 10 minutes to perform a full scan -- extracting over 150,000 items. As an average personal computer stores far fewer items, a typical extraction is almost instant. The wizard interface makes the process easy as ABC.
    Source: http://news.thomasnet.com/
  • 3. Module Objective
    This module will familiarize you with:
    • Collecting volatile and non-volatile information
    • Windows memory analysis
    • Windows Registry analysis
    • Windows file analysis
    • Text-based logs
    • Other audit events
    • Forensic analysis of event logs
    • Tool analysis
    • Windows password issues
  • 4. Module Flow
    Collecting Volatile and Non-volatile Information; Windows Memory Analysis; Windows Registry Analysis; Windows File Analysis; Text-Based Logs; Other Audit Events; Forensic Analysis of Event Logs; Tool Analysis; Windows Password Issues
  • 5. Volatile Information
    Volatile information can be easily modified or lost. It helps you to determine a logical timeline of the security incident and the users who would be responsible.
    Volatile information includes:
    • System time
    • Logged-on user(s)
    • Open files
    • Network information
    • Network connections
    • Process information
    • Process-to-port mapping
    • Process memory
    • Network status
    • Clipboard contents
    • Service/driver information
    • Command history
    • Mapped drives
    • Shares
  • 6. Non-volatile Information
    Non-volatile information resides in secondary storage and persists long-term. It is non-perishable and can be collected after the volatile data collection.
    Non-volatile information includes:
    • Hidden files
    • Slack space
    • Swap file
    • Index.dat files
    • Metadata
    • Hidden ADS streams
    • Windows Search index
    • Unallocated clusters
    • Unused partitions
    • Hidden partitions
    • Registry settings
    • Event logs
  • 7. Module Flow (diagram)
    Collecting Volatile Information; Collecting Non-Volatile Information; Windows Memory Analysis; Windows Registry Analysis; Cache, Cookie and History Analysis; MD5 Calculation; Windows File Analysis; Metadata Investigation; Text-Based Logs; Other Audit Events; Forensic Analysis of Event Logs; Windows Password Issues; Forensics Tools
  • 8. System Time
    System time gives an accurate timeline of events that have occurred on the system.
    Collect the system time from:
    • The clock in the bottom-right corner of the screen
    • The time /t command
  • 9. Logged-on Users
    Collect information about users logged on to the system, both locally and remotely.
    Note down the context of a running process, the owner of a file, or the last access time on files.
    Tools and commands to determine logged-on users are:
    • Psloggedon
    • Net Sessions
    • Logonsessions
  • 10. Logged-on Users (cont’d)
    Psloggedon tool:
    • Shows the name of the user logged on locally as well as remotely
    • Syntax: psloggedon [-] [-l] [-x] [\\computername | username]
  • 11. Logged-on Users (cont’d)
    Net Sessions command:
    • Gives information about the username and IP address used to access the system via a remote login session, and the type of client system that accessed it
  • 12. Logged-on Users (cont’d)
    Logonsessions tool:
    • Lists the authentication package used, the type of logon, and the active processes
  • 13. Open Files
    Collect information about the files opened by the intruder using a remote login.
    Tools and commands that report open-file information:
    • Net File command
    • Psfile tool
    • Openfiles command
  • 14. Net File Command
    The net file command displays the names of all open shared files on a system.
    The syntax of the net file command:
  • 15. Psfile Tool
    Use the Psfile tool to list or close files that are opened remotely.
    Syntax: psfile [\\RemoteComputer [-u Username [-p Password]]] [[Id | path] [-c]]
  • 16. Openfiles Command
    Use the Openfiles command to list or disconnect files and folders that are opened on a system.
    Syntax: OPENFILES /parameter [arguments]
    Examples:
    • OPENFILES /Disconnect
    • OPENFILES /Query
    • OPENFILES /Local
  • 17. NetBIOS Name Table Cache
    The NetBIOS name table cache maintains a list of connections made to other systems using NetBIOS. It contains the remote systems’ names and IP addresses.
    You can use the Windows built-in command-line utility nbtstat to view the NetBIOS name table cache.
    Syntax: nbtstat [ [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval] ]
    nbtstat with the -c switch shows the NetBIOS name table cache.
  • 18. Network Connections
    Collect the details of the network connections from the affected system. It helps to find out:
    • A logged-on attacker
    • IRC bot communication
    • Worms logging into a command-and-control server
    Netstat tool:
    • Netstat is a tool for collecting information regarding network connections
    • It provides a simple view of TCP and UDP connections and their state, and network traffic statistics
  • 19. Netstat with the -ano Switch: Screenshot
    Netstat with the -ano switch displays the TCP and UDP network connections, listening ports, and the owning process identifiers (PIDs).
  • 20. Netstat with the -r Switch: Screenshot
    Netstat with the -r switch displays the routing table and shows the persistent routes enabled on the system.
  • 21. Process Information
    Investigate the processes running on a potentially compromised system. Collect information from Task Manager.
    Search for:
    • The full path to the executable image (.exe file)
    • The command line used to launch the process, if any
    • The amount of time that the process has been running
    • The security/user context that the process is running in
    • Which modules the process has loaded
    • The memory contents of the process
  • 22. Task Manager: Screenshot
  • 23. Process Information (cont’d)
    The tools and commands to collect the process information:
    • Tlist tool
    • Tasklist command
    • Pslist
    • Listdlls
    • Handle
  • 24. Tlist Tool
    Tlist is included as part of the Microsoft Debugging Tools. It displays a good deal of information about running processes.
    Syntax of the tool: TLIST, TLIST -t, TLIST pid, TLIST -t pid, TLIST pattern, TLIST -t pattern
  • 25. Tasklist Command
    Tasklist is a native utility included with Windows XP Pro and Windows 2003 installations.
    Tasklist provides options for output formatting, with choices between table, CSV, and list formats.
  • 26. Tasklist with the /v Switch: Screenshot (cont’d)
    The /v switch provides information about the listed processes, including the image name, PID, and the name and number of the session for the process.
  • 27. Pslist Tool
    Pslist displays basic information about running processes on a system. It can also show detailed information about the threads or memory used by a process:
    • The -x switch displays details about the threads and memory used by each process
  • 28. Listdlls Tool
    The Listdlls tool shows the modules or DLLs that a process is using.
    • These DLLs are important as they provide the actual code that is used
  • 29. Handle Tool
    The handle tool shows the various handles that processes have open on a system. It shows information about open files, ports, Registry keys, and threads.
    This information is useful to determine the resources accessed by a process while it is running.
    Syntax: handle [[-a] [-u] | [-c <handle> [-y]] | [-s]] [-p <process name>|<pid>> [name]
  • 30. Process-to-Port Mapping
    Process-to-port mapping traces which process is using which port, and which protocol is connected to which IP address.
    The tools and commands to retrieve the process-to-port mapping:
    • Netstat command
    • Fport tool
    • Openports tool
  • 31. Netstat Command
    The netstat command with the -o switch displays the process ID of the process responsible for the network connection.
  • 32. Fport Tool
    The Fport tool obtains the process-to-port mapping. It needs to be run from an Administrator account to obtain information.
  • 33. Openports Tool
    The Openports tool obtains the process-to-port mapping and provides multiple output formats. It does not require an Administrator account.
    The -fport switch provides fport-style output, displaying the PID, the name of the process, and the port number.
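The mapping that slides 30-33 describe can be rebuilt from the two native commands alone: join the PID column of `netstat -ano` with the PID column of `tasklist /v /fo csv /nh`. The script below is an added example for this module, not code from the courseware; `NETSTAT_ANO` and `TASKLIST_CSV` are constructed sample output, and the port list passed to `flag_connections` is an assumption (6667 is the default IRC port, matching the IRC bot case the slides mention).

```python
"""Join netstat -ano with tasklist /v /fo csv /nh into a process-to-port map
(the view fport/openports present). The two commands snapshot the host at
slightly different instants, so a PID that exits or is reused in between will
not resolve; the code reports that rather than guessing."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `netstat -ano` (Windows XP/2003 layout)
NETSTAT_ANO = """
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1048      203.0.113.7:6667       ESTABLISHED     2380
  TCP    192.168.1.20:3389      198.51.100.9:51522     ESTABLISHED     884
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1140
"""

# Constructed sample of `tasklist /v /fo csv /nh`; columns are Image Name, PID,
# Session Name, Session#, Mem Usage, Status, User Name, CPU Time, Window Title
TASKLIST_CSV = '''"System","4","Console","0","236 K","Running","NT AUTHORITY\\SYSTEM","0:00:12","N/A"
"svchost.exe","1012","Console","0","4,632 K","Running","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"svchost.exe","884","Console","0","5,220 K","Running","NT AUTHORITY\\SYSTEM","0:00:02","N/A"
"svchost.exe","1140","Console","0","3,104 K","Running","NT AUTHORITY\\LOCAL SERVICE","0:00:00","N/A"
"svchost.exe","2380","Console","0","2,980 K","Running","WORKSTN\\jdoe","0:00:03","N/A"
'''


@dataclass
class Mapping:
    proto: str
    local_addr: str
    local_port: Optional[int]
    remote_addr: str
    remote_port: Optional[int]
    state: str            # empty for UDP, which carries no connection state
    pid: int
    image: str
    user: str


def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'192.168.1.20:1048' -> ('192.168.1.20', 1048); '*:*' -> ('*', None).
    rpartition also copes with bracketed IPv6 endpoints such as '[::]:135'."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat_ano(text: str) -> List[Tuple[str, str, str, str, int]]:
    """Return (proto, local, foreign, state, pid) rows; TCP rows have five
    fields, UDP rows four. Header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue
        rows.append((proto, local, foreign, state, int(pid)))
    return rows


def parse_tasklist_csv(text: str) -> Dict[int, Dict[str, str]]:
    """PID -> image name and user context from the verbose CSV listing."""
    procs: Dict[int, Dict[str, str]] = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 7 and row[1].isdigit():
            procs[int(row[1])] = {"image": row[0], "user": row[6]}
    return procs


def process_to_port_map(netstat_text: str, tasklist_text: str) -> List[Mapping]:
    procs = parse_tasklist_csv(tasklist_text)
    result = []
    for proto, local, foreign, state, pid in parse_netstat_ano(netstat_text):
        laddr, lport = _split_endpoint(local)
        raddr, rport = _split_endpoint(foreign)
        proc = procs.get(pid, {"image": "<pid not in tasklist snapshot>", "user": ""})
        result.append(Mapping(proto, laddr, lport, raddr, rport, state, pid, proc["image"], proc["user"]))
    return result


def flag_connections(mappings: List[Mapping], ports_of_interest=frozenset({6667})) -> List[Mapping]:
    """Established connections whose remote port is on the analyst's watch list
    (assumed list; 6667 is the default IRC port named for the IRC bot case)."""
    return [m for m in mappings if m.state == "ESTABLISHED" and m.remote_port in ports_of_interest]


def fport_style(mappings: List[Mapping]) -> List[str]:
    """Render like fport: Pid, Process, Port, Proto (tasklist gives no image path)."""
    return [f"{m.pid:<6}{m.image:<22}-> {m.local_port!s:<6}{m.proto}" for m in mappings]


if __name__ == "__main__":
    maps = process_to_port_map(NETSTAT_ANO, TASKLIST_CSV)
    print("\n".join(fport_style(maps)))
    for m in flag_connections(maps):
        print(f"REVIEW: pid {m.pid} {m.image} ({m.user}) -> {m.remote_addr}:{m.remote_port}")
```

Replace the two constants with the saved output of the real commands (redirect each to a file on the collection media) to run the same join on a live case.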
  • 34. Network Status
    Check the network status of the system to learn whether the system is connected to a wireless access point and what IP address is being used.
    Tools for network status detection are:
    • Ipconfig command
    • Promiscdetect tool
    • Promqry tool
  • 35. Ipconfig Command
    Use the /all switch of the ipconfig command to display the network configuration of the NICs on the system.
  • 36. Promiscdetect Tool
    The Promiscdetect tool detects whether the NIC is in promiscuous mode.
  • 37. Promqry Tool
    The Promqry tool is run against remote systems to determine the active network interfaces.
  • 38. Other Important Information
    Clipboard contents:
    • Use the Pclip.exe utility to retrieve the contents of the clipboard
    • It automates information collection through batch files and scripts
    Service/driver information:
    • Check service/device information for any malicious program installed
    Command history:
    • Use the doskey /history command to see previously typed commands
  • 39. Other Important Information (cont’d)
    Mapped drives:
    • Drives could be mapped with malicious intent
    • Drive mappings can be correlated with the network connection information retrieved earlier
    Shares:
    • Get the information regarding the shared resources
    • This information is maintained in the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares
  • 40. Module Flow (diagram)
    Collecting Volatile Information; Collecting Non-Volatile Information; Windows Memory Analysis; Windows Registry Analysis; Cache, Cookie and History Analysis; MD5 Calculation; Windows File Analysis; Metadata Investigation; Text-Based Logs; Other Audit Events; Forensic Analysis of Event Logs; Windows Password Issues; Forensics Tools
  • 41. Collecting Non-volatile Information
    Collect the non-volatile information from:
    • Contents of Registry keys or files
    • Event logs
    • Index.dat
    Collect information such as drives mapped to or from the system, services started, or applications installed.
  • 42. Examining File Systems
    Run dir /o:d in the %SystemRoot%\System32 directory at the command prompt. This enables the investigator to examine:
    • The time and date of the installation of the operating system
    • The service packs, patches, and sub-directories that update themselves very often (for example, drivers)
    Give priority to recently dated files.
  • 43. Registry Settings
    Use the Reg.exe command-line tool for accessing and managing the Registry.
    Some important Registry values that need to be noted down:
    • ClearPageFileAtShutdown
    • DisableLastAccess
    • AutoRuns
  • 44. Registry Settings (cont’d)
    ClearPageFileAtShutdown:
    • This Registry value tells the operating system to clear the page file when the system is shut down
    • If it is not set, the information within the page file remains on the hard drive after shutdown
    • Bits of this information might provide important leads in an investigation
    DisableLastAccess:
    • Windows has the ability to disable updating of the last access times on files
    • Under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem, the DisableLastAccess value is set to 1
    • In Windows XP and 2003, the same setting can be enabled via the fsutil command
  • 45. Registry Settings (cont’d)
    AutoRuns:
    • Many areas of the Registry are referred to as autostart locations
    • Applications listed there start when the system boots, when a user logs in, or when the user takes a specific action
    • Collect this information with the help of the reg.exe tool or the AutoRuns tool
  • 46. Microsoft Security ID
    Microsoft Security IDs are available in the Windows Registry. The process for accessing the IDs is:
    • Go to the Registry Editor and view HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    • The IDs are present under the ProfileList key
    RockXP reveals the Windows and MS Office CD-Key.
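The ProfileList subkeys on slide 46 are named by SID string, while the same identifiers appear elsewhere in the Registry as REG_BINARY data, so an examiner needs to convert between the two forms and recognise well-known relative IDs. The following is an added example for this module (not courseware code); the machine SID and RIDs in it are constructed values.

```python
"""Convert Windows security identifiers between their binary layout and the
S-1-... string form used as ProfileList subkey names, and describe what a
SID refers to (well-known SID, built-in RID, or user-created account)."""
import struct
from typing import Dict

# Well-known whole SIDs (fixed across all Windows installations)
WELL_KNOWN_SIDS: Dict[str, str] = {
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
}
# Well-known relative identifiers under a machine or domain SID (S-1-5-21-...)
WELL_KNOWN_RIDS: Dict[int, str] = {500: "Administrator", 501: "Guest",
                                   512: "Domain Admins", 513: "Domain Users"}


def sid_to_string(blob: bytes) -> str:
    """Binary SID: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count x uint32 LE."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; rebuilds the binary form from 'S-1-5-21-...'."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def describe_sid(text: str) -> str:
    """Classify a SID string the way an examiner reads a ProfileList entry."""
    if text in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[text]
    parts = text.split("-")
    # S-1-5-21-<three machine/domain sub-authorities>-<RID>: a local or domain account
    if text.startswith("S-1-5-21-") and len(parts) == 8:
        rid = int(parts[-1])
        if rid in WELL_KNOWN_RIDS:
            return f"built-in {WELL_KNOWN_RIDS[rid]} (RID {rid})"
        if rid >= 1000:
            return f"user-created account (RID {rid})"   # first created account gets RID 1000
        return f"account with RID {rid}"
    return "other SID"


if __name__ == "__main__":
    # Constructed machine SID with RID 1003, as a ProfileList subkey name would read
    sample = "S-1-5-21-1085031214-1563985344-725345543-1003"
    print(string_to_sid(sample).hex(), describe_sid(sample))
```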
  • 47. Event Logs
    Event logs change depending on what events are being audited and how they are configured.
    Choose which data have to be collected depending on the incident that occurred.
    Use tools such as psloglist.exe and dumpevt.exe to retrieve the event records.
    Copy the .evt files from the system.
  • 48. Index.dat File
    The Index.dat file is used by the Internet Explorer web browser as an active database, which runs as long as a user is logged on to Windows.
    It is a repository of redundant information, such as visited web URLs, search queries, recently opened files, and form auto-complete information.
    Separate index.dat files exist for the Internet Explorer history, cache, and cookies.
  • 49. Index.dat File (cont’d)
    Common Index.dat file locations for Internet Explorer:
    Windows 95/98/Me:
    • \Windows\Temporary Internet Files\Content.IE5
    • \Windows\Cookies
    • \Windows\History\History.IE5
    Windows NT:
    • \Winnt\Profiles\<username>\Local Settings\Temporary Internet Files\Content.IE5
    • \Winnt\Profiles\<username>\Cookies
    • \Winnt\Profiles\<username>\Local Settings\History\History.IE5
    Windows 2K/XP:
    • \Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5
    • \Documents and Settings\<username>\Cookies
    • \Documents and Settings\<username>\Local Settings\History\History.IE5
  • 50. Text View of an Index.dat File
  • 51. Devices and Other Information
    Collect other types of non-volatile information, such as the hard drive installed in the system, and record the information for documentation purposes.
    Use the DevCon tool to document devices that are attached to a Windows system.
    Check the available device classes and the status of the connected devices with the help of DevCon.
  • 52. DevCon Screenshot
    The output of devcon resources =ports
  • 53. DevCon Screenshot
    The output of devcon listclass usb 1394
  • 54. Slack Space
    Slack space is the space between the end of a file and the end of the disk cluster it is stored in.
    Non-contiguous file allocation leaves more trailing clusters, and therefore more slack space.
    The data residue in the slack space is retrieved by reading the complete cluster.
    The DriveSpy tool collects all the slack space in an entire partition to a file.
  • 55. Slack Space Information Collection
    • Connect to the target computer and select the media
    • Create a bit-level copy of the original media
    • Verify the copy by generating its hash value
    • Investigate using keyword searches, hash analysis, file signature analysis, and the EnScripts present in the EnCase tool
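Slides 54-55 say slack is recovered by reading the complete cluster; the model below shows why there is anything left to read. It is an added example for this module, not courseware or DriveSpy code: the volume geometry, the old memo and the new file are constructed in memory, and the write routine imitates Windows, which zero-fills only the unused tail of the last written sector (RAM slack) and leaves the remaining sectors of the cluster untouched (drive slack).

```python
"""Model file slack on a clustered volume and carve the residue that a deleted
file leaves behind inside the last cluster of the file that replaced it."""
import re
from typing import List, Tuple

SECTOR = 512
CLUSTER = 2048                   # 4 sectors per cluster (constructed geometry)


def clusters_needed(size: int, cluster: int = CLUSTER) -> int:
    return -(-size // cluster)   # ceiling division


def slack_size(size: int, cluster: int = CLUSTER) -> int:
    """Bytes from EOF to the end of the last cluster (0 when EOF is on a boundary)."""
    return (-size) % cluster


def write_file(image: bytearray, chain: List[int], data: bytes,
               cluster: int = CLUSTER, sector: int = SECTOR) -> None:
    """Store data in the given cluster chain. Only the RAM slack of the final
    sector is zeroed, as Windows does; earlier contents of the remaining
    sectors of that cluster survive (drive slack)."""
    if len(chain) < clusters_needed(len(data), cluster):
        raise ValueError("cluster chain too short for the data")
    for i, c in enumerate(chain):
        chunk = data[i * cluster:(i + 1) * cluster]
        if not chunk:
            break
        start = c * cluster
        image[start:start + len(chunk)] = chunk
        sector_end = start + -(-len(chunk) // sector) * sector
        image[start + len(chunk):sector_end] = bytes(sector_end - start - len(chunk))


def read_slack(image: bytes, chain: List[int], size: int, cluster: int = CLUSTER) -> bytes:
    """The slack region of a live file: from EOF to the end of its last cluster."""
    n = clusters_needed(size, cluster)
    if n == 0:
        return b""
    last = chain[n - 1]
    eof = last * cluster + size - (n - 1) * cluster
    return bytes(image[eof:(last + 1) * cluster])


def ascii_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """strings(1)-style extraction of printable ASCII runs, the usual first pass
    over carved slack."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def demo() -> Tuple[int, bytes, List[str]]:
    """A 1,725-byte memo is written to cluster 5 and 'deleted' (only its
    allocation is dropped); a 700-byte file is then written into the same
    cluster. Returns the new file's slack size, the slack bytes, and the
    strings found in them."""
    image = bytearray(64 * CLUSTER)                       # constructed 128 KB volume
    memo = b"CONFIDENTIAL memo: Project Falcon budget figures, do not distribute. " * 25
    write_file(image, [5], memo)
    new = (b"Q3 status: all green. " * 32)[:700]
    write_file(image, [5], new)
    slack = read_slack(image, [5], len(new))
    return slack_size(len(new)), slack, ascii_strings(slack)


if __name__ == "__main__":
    n, slack, found = demo()
    print(f"{n} bytes of slack; first {SECTOR * 2 - 700} are zeroed RAM slack")
    print("\n".join(found[:3]))
```

With a real image, feed `read_slack` the cluster chain and logical size taken from the file system metadata; the carving itself does not change.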
  • 56. Virtual Memory
    Virtual (or logical) memory is a concept that allows programmers to use a large range of memory or storage addresses for stored data.
    Virtual memory can be scanned to find hidden running processes.
    Examples of tools:
    • System Scanner
    • X-Ways Forensics
    (Figure: memory hierarchy of CPU cache, RAM, virtual memory, and disk storage)
  • 57. Tool: DriveSpy
    DriveSpy accesses physical drives and records all activities to a log file.
    It collects all the slack space in an entire partition to a file.
    It can wipe an entire drive, an individual partition, unallocated space, or slack space.
  • 58. Swap File
    A swap file is a space on a hard disk used as the virtual memory extension of a computer's RAM.
    Swap files contain information about:
    • Files opened and their contents
    • Websites visited
    • Online chats
    • Emails sent and received
    On Windows, the swap file is a hidden file in the root directory called pagefile.sys.
    The Registry path for the swap file is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  • 60. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Windows Search Index Windows Search index maintain a record of any document or application on the PC, and the contents found within those items It maintain email messages, calendar events, contacts, and media files stored on the PC Windows Search indexes the contents of each user's "Documents" and "Favorites" folders
  • 61. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tool: Search Index Examiner Passware Search Index Examiner makes all the data indexed by Windows Search accessible This accessed search index data can be used as evidence Passware Search Index Examiner lists: • Documents • Emails • Spreadsheets • Creation and modification dates • Author • Recipients • Summary content It targets Windows Search database
  • 62. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Collecting Hidden Partition Information Hidden partition is a logical section of a disk which is not accessible to the operating system Hidden partition may contain files, folders, confidential data or store backup of the system Tools like Partition Logic helps to collect the information from the hidden partition Partition Logic can create, delete, erase, format, defragment, resize, copy, and move partitions
  • 63. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Partition Logic: Screenshot
  • 64. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Hidden ADS Streams Alternate Data Stream (ADS) holds the security information, link information User can hide data in alternate data streams ADS can be created by typing notepad visible.txt:hidden.txt in command prompt Data can be copied into an ADS by using type atextfile > visible.txt:hidden2.txt command Use the more < visible.txt:hidden2.txt > newfile.txt command to copy the ADS information into new file
  • 65. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Investigating ADS Streams ADS Streams Tool can detect the presence of hidden NTFS streams on target system
  • 66. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Window Password Issues Window File Analysis Window Registry Analysis Other Audit Events Forensic Analysis of Event Logs Metadata Investigation Text Based Logs MD5 Calculation Cache, Cookie and History Analysis Window Memory Analysis Collecting Non- Volatile Information Collecting Volatile Information Forensics Tools
  • 67. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Windows Memory Analysis Analyze the memory to check Malware presence, because, when the malware is launched, it will be decrypted in memory If the malware were allowed to execute, it would exist in memory in a decrypted state Analyzing the contents of RAM, will help to find what has been hidden in the memory
  • 68. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Importance of Memory Dump Memory dump refers to copying data from one place to another without formatting It is used to diagnose bugs It helps in analyzing memory contents during program failure The memory dumps contain information in binary, octal, or hexadecimal forms This information can be checked using dumpchk.exe
  • 69. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited EProcess Structure Each process on a Windows system is represented as an executive process (EProcess) block EProcess block is a data structure which contains attributes of the process, as well as pointers to other attributes and data structures EProcess contents can be viewed with the help of the Microsoft Debugging Tools and LiveKD.exe dt -a -b -v _EPROCESS helps to view all the content of the EProcess block
  • 70. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited EProcess Structure (cont’d) Elements that are important to forensic investigation in the EProcess structure: • PPEB_LDR_DATA structure that includes pointers or references to DLLs used by the process • A pointer to the image base address, where the beginning of the executable image file can be found • A pointer to the process parameters structure, which maintains the DLL path, the path to the executable image, and the command line used to launch the process
  • 71. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Process Creation Mechanism • The image (.exe) file to be executed is opened • EProcess object is created • Initial thread is created • Windows subsystem is notified of the creation of the new process and thread along with the ID of the process creator and a flag • Execution of the initial thread starts • Initialization of the address space is completed Steps for the process creation:
  • 72. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Parsing Memory Contents • List Processes (Lsproc) locates processes • It takes the path and name to a RAM dump file • Ex: c:perlmemory>lsproc.pl d:dumpsdrfws1- mem.dmp • Output will be shown in six columns Lsproc.pl: Proc PPID PID Name of the process Offset of the process Creation time Figure: Output of Lsproc.pl
  • 73. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Parsing Memory Contents (cont’d) • Lspd.pl is a Perl script that allows user to list the details of the process • It takes two arguments: • Path and name of the dump file • Offset from the lsproc.pl output of the process • Ex: c:perlmemory>lspd.pl d:dumpsdfrws1-mem.dmp 0x0414dd60 Lspd.pl:
  • 74. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Parsing Process Memory Use strings.exe or grep to parse through the contents of a RAM dump Lspm.pl takes the arguments, such as: • Name and path of the dump file • Physical offset within the file of the process structure It extracts the available pages from the dump file and write them to a file within the current working directory Example: c:perlmemory>lspm.pl d:dumpsdfrws1-mem.dmp 0x0414dd60
  • 75. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Extracting the Process Image Lspi.pl is a Perl script that takes the same arguments as lspd.pl and lspm.pl It locates the beginning of the executable image for the process It parses the values contained in the PE header to locate the pages that make up the rest of the executable image file Example: c:perlmemory>lspi.pl d:dumpsdfrws1-mem.dmp 0x0414dd60 File extracted from the memory dump will not be exactly same as the original, since some of the file’s sections are writeable
  • 76. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Collecting Process Memory Collect the contents of process memory available in a RAM dump file pmdump.exe tool allows dumping the contents of process memory without stopping the process Process Dumper (pd.exe) dumps the entire process space along with the additional metadata and the process environment to the console Process Dumper redirects the output to a file or a socket Userdump.exe is another tool which dumps any process on the fly, without attaching a debugger and without terminating the process
• 78. Inside the Registry. An administrator interacts with the Registry through intermediate programs; the graphical Registry editors Regedit.exe and Regedt32.exe are the ones most commonly used. The Registry Editor shows five root keys: HKEY_USERS, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_CURRENT_CONFIG and HKEY_CLASSES_ROOT. Only HKEY_USERS and HKEY_LOCAL_MACHINE are backed directly by hive files; the other three are links into them, which is why a post-mortem examination works from the hive files (SAM, SECURITY, SOFTWARE and SYSTEM in system32\config, plus each user's NTUSER.DAT).
• 79. Registry Editor: Screenshot (figure: Registry Editor view showing the five root keys)
• 80. Inside the Registry (cont’d). HKEY_USERS contains all actively loaded user profiles. HKEY_CURRENT_USER is the loaded profile of the currently logged-on user, a link to the matching SID subkey under HKEY_USERS. HKEY_LOCAL_MACHINE holds the system-wide configuration, including hardware and software settings, from the SAM, SECURITY, SOFTWARE and SYSTEM hives. HKEY_CURRENT_CONFIG holds the hardware profile used at startup. HKEY_CLASSES_ROOT holds file association and COM registration data, that is, which application is used to open each file type.
• 81. Registry Structure within a Hive File. A hive file is made of components called cells; each cell type has a fixed structure and holds specific information:
  • Key cell: holds the key's name, flags and LastWrite time, plus offsets to its subkey list, value list and security descriptor
  • Value cell: holds a value's name, data type and data (small data is stored inline in the cell itself)
  • Subkey list cell: a series of indexes pointing to key cells
  • Value list cell: a series of indexes pointing to value cells
  • Security descriptor cell: holds the security descriptor for a key cell
  Every cell begins with a 4-byte signed size; a negative size marks an allocated cell and a positive size a free one, which is why deleted keys and values can often be carved from the unallocated space of a hive file.
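A worked parser for the key and value cells described above, as an added example (not code from the slides or from any tool they name). It builds one 'nk' key cell and one 'vk' value cell in memory and decodes them: the byte offsets follow the published regf cell layouts, while the key name, value and LastWrite time are constructed.

```python
"""Parse registry key ('nk') and value ('vk') cells from raw hive bytes.

Added example, not from the original slides. The two cells are constructed
in memory (no hive file needed) following the regf cell layouts:
  cell: int32 size (negative = allocated, positive = free), then the body
  nk:   'nk' | flags u16 | LastWrite FILETIME u64 | ... | name length u16 @0x48 | name @0x4C
  vk:   'vk' | name length u16 | data length u32 | data offset u32 | type u32 | flags u16 | spare u16 | name @0x14
If bit 31 of the vk data length is set, the data is stored inline in the offset field.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
KEY_COMP_NAME = 0x0020    # nk flag: name is 8-bit (ASCII/Latin-1) rather than UTF-16LE
VALUE_COMP_NAME = 0x0001  # vk flag: same meaning for the value name
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
INLINE_DATA = 0x80000000

def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_cell(buf, offset):
    """Return (allocated, body) for the cell that starts at `offset`."""
    (size,) = struct.unpack_from("<i", buf, offset)
    return size < 0, buf[offset + 4: offset + abs(size)]

def parse_nk(body):
    """Key cell: name, LastWrite time and the counts/offsets that link it to other cells."""
    if body[:2] != b"nk":
        raise ValueError("not a key cell")
    flags, last_write = struct.unpack_from("<HQ", body, 0x02)
    parent, n_subkeys = struct.unpack_from("<II", body, 0x10)
    subkey_list = struct.unpack_from("<I", body, 0x1C)[0]
    n_values, value_list, security = struct.unpack_from("<III", body, 0x24)
    name_len = struct.unpack_from("<H", body, 0x48)[0]
    raw = body[0x4C: 0x4C + name_len]
    name = raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le")
    return {"name": name, "last_write": filetime_to_datetime(last_write), "parent": parent,
            "subkeys": n_subkeys, "subkey_list": subkey_list, "values": n_values,
            "value_list": value_list, "security": security}

def parse_vk(body):
    """Value cell: name, type, and the data itself when it is stored inline."""
    if body[:2] != b"vk":
        raise ValueError("not a value cell")
    name_len, data_len, data_off, vtype, flags = struct.unpack_from("<HIIIH", body, 0x02)
    raw = body[0x14: 0x14 + name_len]
    name = raw.decode("latin-1") if flags & VALUE_COMP_NAME else raw.decode("utf-16-le")
    inline = bool(data_len & INLINE_DATA)
    data_len &= 0x7FFFFFFF
    data = struct.pack("<I", data_off)[:data_len] if inline else None
    value = struct.unpack("<I", data)[0] if inline and vtype == 4 and data_len == 4 else None
    return {"name": name, "type": REG_TYPES.get(vtype, hex(vtype)), "inline": inline,
            "data_len": data_len, "data_offset": data_off, "data": data, "value": value}

# --- constructed sample cells (hypothetical content, not taken from a real hive) ---
def _pad_cell(body):
    body += b"\x00" * (-len(body) % 8)                 # cells are 8-byte aligned
    return struct.pack("<i", -(4 + len(body))) + body  # negative size = allocated

def build_nk(name, filetime, flags=KEY_COMP_NAME):
    body = bytearray(0x4C)
    body[0:2] = b"nk"
    struct.pack_into("<HQ", body, 0x02, flags, filetime)
    struct.pack_into("<HH", body, 0x48, len(name), 0)
    return _pad_cell(bytes(body) + name.encode("latin-1"))

def build_vk_dword(name, value):
    head = b"vk" + struct.pack("<HIIIHH", len(name), 4 | INLINE_DATA, value, 4, VALUE_COMP_NAME, 0)
    return _pad_cell(head + name.encode("latin-1"))

SAMPLE_LAST_WRITE = 128444736000000000  # FILETIME for 2008-01-10 21:20:00 UTC (constructed)

def demo():
    key_cell = build_nk("Run", SAMPLE_LAST_WRITE)
    hive = key_cell + build_vk_dword("Start", 2)
    _, key_body = parse_cell(hive, 0)
    allocated, val_body = parse_cell(hive, len(key_cell))
    key, val = parse_nk(key_body), parse_vk(val_body)
    val["allocated"] = allocated
    return key, val

if __name__ == "__main__":
    k, v = demo()
    print(k["name"], k["last_write"].isoformat(), v["name"], v["type"], v["value"])
```

On a real hive the same functions are applied at cell offsets found by walking the hbin blocks; the sign of the size field is what separates live keys from deleted ones.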
• 82. Registry Analysis. During live response you can retrieve and analyze much of the Registry through the live API; the complete data, including unallocated cells, is available from the hive files during post-mortem investigation. ProDiscover can open the hive files from an image. Steps: load the case into ProDiscover; right-click the Windows directory in Content View; choose Add to Registry Viewer; ProDiscover locates the hive files and displays them in the Registry Viewer.
• 83. System Information. CurrentControlSet is not stored on disk as such: it is a link to whichever ControlSet00x the system booted with, selected by the Current value under SYSTEM\Select. In a post-mortem image, read SYSTEM\Select\Current and use that ControlSet00x (typically ControlSet001 or ControlSet002). Examples:
  • Computer name: SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName, value ComputerName
  • Last shutdown time: SYSTEM\ControlSet00x\Control\Windows, value ShutdownTime (a 64-bit FILETIME)
  • Operating system version, Service Pack level and install date: SOFTWARE\Microsoft\Windows NT\CurrentVersion, values ProductName, CSDVersion and InstallDate
• 84. Time Zone Information. Time zone settings are in SYSTEM\CurrentControlSet\Control\TimeZoneInformation. The ActiveTimeBias value is the offset, in minutes, between UTC and local time (UTC = local time + ActiveTimeBias; for example 300 for US Eastern Standard Time, -60 for Central European Time). Registry LastWrite times and FILETIME values are stored in UTC, while many text-based logs record local time; use ActiveTimeBias to normalize times from the different sources on the system to one reference before building a timeline.
• 85. Shares. Windows 2000, XP, 2003 and Vista create hidden administrative shares (C$, ADMIN$, IPC$) by default. Shares created by a user, for example with the net share command, are recorded in the HKEY_LOCAL_MACHINE hive at SYSTEM\CurrentControlSet\Services\lanmanserver\Shares, one REG_MULTI_SZ value per share holding its path, remark and permissions.
• 86. Audit Policy. The system's audit policy is kept in the SECURITY hive below the Policy\PolAdtEv key. Its default value is of type REG_NONE and holds binary data. The first DWORD (4 bytes) records whether auditing is enabled at all (0 = off, 1 = on); the values that follow give the setting for each audit category, using these codes:
  00 no auditing
  01 success events are audited
  02 failure events are audited
  03 both success and failure events are audited
  Read this before relying on the Event Logs: if auditing was off, or a category was set to 00, the absence of events for that category means nothing.
• 87. Wireless SSIDs. Windows XP keeps a list of the Service Set Identifiers (SSIDs) of wireless networks the system has connected to (via the Wireless Zero Configuration service) under SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID}, one subkey per wireless adapter. Below it are an ActiveSettings value and values named Static#000x, one per preferred network. The SSID of each access point is inside this binary data: the DWORD at offset 0x10 holds the SSID length, and the SSID string itself follows at offset 0x14. The key's LastWrite time shows when the list was last changed.
• 88. Autostart Locations. Autostart locations let applications be launched without user interaction. On a live Windows XP system the System Configuration utility (msconfig) shows the Startup items and services: Start > Run > type msconfig > press Enter. Note that msconfig covers only a few of the autostart locations listed on the following slides.
• 89. Autostart Locations: Screenshot (figure: the System Configuration utility, not reproduced)
• 90. System Boot. Malware can launch from Registry autostart locations while the system boots, with no user interaction, for example as a Windows service under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services. Services listed in the current ControlSet are scanned during startup, and those with Start = 2 are launched automatically. During intrusion analysis:
  • Use ProDiscover (or the SYSTEM\Select\Current value) to locate the ControlSet marked Current
  • Sort the subkeys of that ControlSet's Services key by their LastWrite times
  • A service key whose LastWrite time does not match the time the administrator installed legitimate software is a lead: check its ImagePath, the DLL it loads (for svchost-hosted services, the ServiceDll value under its Parameters subkey) and the hash of that file
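The triage described on this slide, as an added example (not code from the slides): it sorts service records by LastWrite, keeps the ones that start automatically, and flags those written after a known-good baseline or whose ImagePath lies outside the Windows directories. The service list, the baseline time and the ImagePath normalization (expanding only %SystemRoot%) are constructed for the example.

```python
"""Triage Services subkeys by LastWrite time and ImagePath.

Added example, not from the original slides. Sample services and the
baseline (the administrator's last documented maintenance) are constructed.
"""
from datetime import datetime, timezone

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")

def image_file(image_path):
    """ImagePath may be quoted, carry arguments, or start with %SystemRoot%.
    Return just the executable path, lower-cased (only %SystemRoot% is expanded here)."""
    p = image_path.strip().lower().replace("%systemroot%", "c:\\windows")
    if p.startswith('"'):
        return p[1:p.find('"', 1)]
    return p.split(" ")[0]

def is_trusted_location(image_path):
    return image_file(image_path).startswith(TRUSTED_DIRS)

def triage_services(services, baseline):
    """services: list of dicts with name, start, image_path, last_write (aware UTC datetimes).
    Returns auto-start services, newest LastWrite first, each with the reasons it was flagged."""
    out = []
    for svc in sorted(services, key=lambda s: s["last_write"], reverse=True):
        if svc["start"] != 2:
            continue
        reasons = []
        if svc["last_write"] > baseline:
            reasons.append("LastWrite after baseline")
        if not is_trusted_location(svc["image_path"]):
            reasons.append("ImagePath outside system directories")
        out.append({**svc, "start_type": START_TYPES.get(svc["start"], "?"), "reasons": reasons})
    return out

def flagged(services, baseline):
    return [s["name"] for s in triage_services(services, baseline) if s["reasons"]]

def _t(*ymdhm):
    return datetime(*ymdhm, tzinfo=timezone.utc)

# Constructed sample data: hypothetical services and a hypothetical baseline
BASELINE = _t(2008, 1, 9, 0, 0)
SAMPLE_SERVICES = [
    {"name": "Dhcp", "start": 2, "image_path": "%SystemRoot%\\system32\\svchost.exe -k netsvcs",
     "last_write": _t(2007, 6, 1, 10, 0)},
    {"name": "Spooler", "start": 2, "image_path": "%SystemRoot%\\system32\\spoolsv.exe",
     "last_write": _t(2007, 6, 1, 10, 0)},
    {"name": "msupdater", "start": 2,
     "image_path": "\"C:\\Documents and Settings\\All Users\\Application Data\\ms\\updater.exe\" -s",
     "last_write": _t(2008, 1, 10, 21, 20)},
    {"name": "Backup", "start": 2, "image_path": "C:\\WINDOWS\\backup.exe",
     "last_write": _t(2008, 1, 10, 1, 0)},
    {"name": "Telnet", "start": 3, "image_path": "C:\\WINDOWS\\system32\\tlntsvr.exe",
     "last_write": _t(2008, 1, 10, 22, 0)},
]

def demo():
    return triage_services(SAMPLE_SERVICES, BASELINE)

if __name__ == "__main__":
    for s in demo():
        print(s["last_write"].isoformat(), s["name"], s["reasons"])
```

A service with a recent LastWrite and a path under a system directory (Backup above) is still worth a look: LastWrite alone says that something changed the key, not what.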
• 91. User Login. When a user logs on, certain Registry keys are accessed and parsed so that the applications they list are run. These keys are:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  These Run keys are ignored if the system is started in Safe Mode.
• 92. User Activity. Some autostart locations are consulted every time the user starts a program. When an executable is launched, Explorer reads the command in HKEY_LOCAL_MACHINE\Software\Classes\Exefile\Shell\Open\command (mirrored as HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command); its default value should be "%1" %*, and anything else (for example a path that runs the malware, which then passes on "%1") means every program launch is hijacked. The TaskMan value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon lets an application replace Task Manager; check what it points to.
• 93. Enumerating Autostart Registry Locations. Use the Sysinternals AutoRuns tool to retrieve entries from a large number of autostart locations on a live system. It reads the relevant Registry keys and startup folders, displays the result, and reads the description and publisher from the executable each Registry value points to, shown in the Image Path column. Entries with no publisher, an unusual image path, or a missing file are the first to examine.
• 94. USB Removable Storage Devices. Artifacts are created in the Registry when a USB device is connected to a Windows system. The Plug and Play (PnP) Manager queries the device descriptor in the device's firmware for information about it. Once the device is identified, a key is created beneath HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR with a name of the form Disk&Ven_###&Prod_###&Rev_###. This subkey identifies a class of device (vendor, product and revision); the ### fields are filled in by the PnP Manager from the device descriptor. Beneath it is one subkey per individual device, named with its unique instance ID.
• 95. USB Removable Storage Devices (cont’d). The unique instance ID is derived from the device's iSerialNumber descriptor, so it identifies the individual device much as a MAC address identifies a network interface card. If the device reports no serial number, Windows generates an ID, recognizable by an ampersand (&) as its second character, which is unique only on that system. The ParentIdPrefix value beneath the instance ID key is what ties the device to other Registry entries, in particular MountedDevices; it does not itself record a time. The time the device was last connected comes from the LastWrite times of the instance ID key under USBSTOR and of the matching subkey under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses (the disk device class is {53f56307-b6bf-11d0-94f2-00a0c91efb8b}); both can be updated by events other than insertion, so corroborate them with setupapi.log.
• 96. Mounted Devices. The MountedDevices key, HKEY_LOCAL_MACHINE\System\MountedDevices, stores information about the devices and volumes that have been mounted on the system. Each value is named either \DosDevices\<letter>: or \??\Volume{GUID}; for a removable USB volume its binary data is a UTF-16LE device path that contains the ParentIdPrefix, so the ParentIdPrefix found in the unique instance ID key maps the USBSTOR entry to the drive letter and volume GUID it was given.
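The USBSTOR-to-MountedDevices correlation from the last three slides, as an added example (not code from the slides). The USBSTOR layout, the ParentIdPrefix value and the MountedDevices key are from the slides; the exact form of the MountedDevices data (a UTF-16LE \??\STORAGE#RemovableMedia#<ParentIdPrefix>&RM#{volume-class-GUID} string for USB volumes, 12 bytes of MBR disk signature plus partition offset for fixed disks) and the ampersand test for generated instance IDs are stated as assumptions in the code. All sample registry content is constructed.

```python
r"""Correlate a USBSTOR device with its drive letter and volume GUID in MountedDevices.

Added example, not from the original slides. Assumptions used here:
  - USB volume entries in MountedDevices are UTF-16LE strings of the form
    \??\STORAGE#RemovableMedia#<ParentIdPrefix>&RM#{volume-class-GUID}
  - fixed-disk entries are 12 bytes: u32 MBR disk signature + u64 partition offset
  - Windows-generated instance IDs (device reported no serial) have '&' as 2nd character
All sample data is constructed.
"""
import struct

def decode_mounted_devices(raw_values):
    """raw_values: {value name: bytes} from HKLM\\SYSTEM\\MountedDevices."""
    decoded = {}
    for name, raw in raw_values.items():
        if len(raw) == 12:
            sig, part_off = struct.unpack("<IQ", raw)
            decoded[name] = {"kind": "mbr", "disk_signature": f"{sig:08X}",
                             "partition_offset": part_off}
        else:
            decoded[name] = {"kind": "device", "path": raw.decode("utf-16-le").rstrip("\x00")}
    return decoded

def has_real_serial(instance_id):
    """False when Windows synthesised the ID because the device reported no serial."""
    return len(instance_id) > 1 and instance_id[1] != "&"

def correlate(usbstor, mounted_raw):
    """usbstor: {device class key: {instance id: {value name: value}}}.
    Returns one record per USB instance with the MountedDevices entries that refer to it."""
    mounted = decode_mounted_devices(mounted_raw)
    records = []
    for device_key, instances in usbstor.items():
        for instance_id, values in instances.items():
            prefix = values.get("ParentIdPrefix")
            mounts = sorted(name for name, info in mounted.items()
                            if prefix and info["kind"] == "device"
                            and f"#{prefix}&RM#" in info["path"])
            records.append({
                "device": device_key,
                "instance_id": instance_id,
                "real_serial": has_real_serial(instance_id),
                "parent_id_prefix": prefix,
                "drive_letters": [m.split("\\")[-1] for m in mounts if m.startswith("\\DosDevices\\")],
                "volume_guids": [m for m in mounts if m.startswith("\\??\\Volume{")],
            })
    return records

VOLUME_CLASS_GUID = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"

def _usb_volume_path(parent_id_prefix):
    return f"\\??\\STORAGE#RemovableMedia#{parent_id_prefix}&RM#{VOLUME_CLASS_GUID}".encode("utf-16-le")

# Constructed sample registry content (hypothetical serial numbers, prefixes and GUIDs)
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02": {
        "0123456789AB&0": {"ParentIdPrefix": "7&1f6e8bf&0",
                           "FriendlyName": "SanDisk Cruzer USB Device"},
    },
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_1.00": {
        "6&2e3a4b5c&0": {"ParentIdPrefix": "7&3d9c0a1&0",
                         "FriendlyName": "Generic Flash Disk USB Device"},
    },
}
SAMPLE_MOUNTED = {
    "\\DosDevices\\C:": struct.pack("<IQ", 0xA1B2C3D4, 32256),
    "\\DosDevices\\E:": _usb_volume_path("7&1f6e8bf&0"),
    "\\??\\Volume{b1c2d3e4-0000-0000-0000-000000000001}": _usb_volume_path("7&1f6e8bf&0"),
}

def demo():
    return correlate(SAMPLE_USBSTOR, SAMPLE_MOUNTED)

if __name__ == "__main__":
    for r in demo():
        print(r["instance_id"], r["real_serial"], r["drive_letters"], r["volume_guids"])
```

The second sample device has a generated ID and no MountedDevices entry: it was enumerated but never received a drive letter that survived, or its entry was overwritten by a later device on the same port. The LastWrite times that date these events come from the key metadata, which this example does not model.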
• 97. Finding Users. Information about users is maintained in the SAM hive; the structure definitions in the sam.h header are helpful in deciphering it. Each account has a key SAM\SAM\Domains\Account\Users\{RID} (the RID in hexadecimal) holding an F value, with the account's binary attributes, and a V value, with the user name and other strings. Time/date stamps in the F value are 64-bit FIL­ETIME objects:
  • Bytes 8–15: last login date for the account
  • Bytes 24–31: date the password was last reset
  • Bytes 32–39: account expiration date
  • Bytes 40–47: date of the last failed login attempt
  A value of 0 or 0x7FFFFFFFFFFFFFFF in these fields means the event never happened or the date is not set.
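The F value decoding from this slide, as an added example (not code from the slides), together with the ActiveTimeBias normalization from the Time Zone Information slide. The four FILETIME offsets are the ones given on the slide; reading the RID from offset 48 is an assumption taken from the sam.h layout the slide refers to, and the sample F value is constructed.

```python
"""Decode the timestamps in a SAM F value and normalize them with ActiveTimeBias.

Added example, not from the original slides. The FILETIME offsets (8, 24, 32, 40)
are the ones given on the slide; the RID at offset 48 is an assumption taken
from the sam.h layout. The sample F value is constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)   # SAM stores 0 or INT64_MAX for "never" / "not set"

F_TIMESTAMPS = {
    "last_login": 8,
    "password_reset": 24,
    "account_expires": 32,
    "last_failed_login": 40,
}
RID_OFFSET = 48  # assumption (not on the slide)

def filetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601 UTC) to an aware datetime, or None."""
    if ft in NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_f_value(f):
    if len(f) < RID_OFFSET + 4:
        raise ValueError("F value too short")
    info = {name: filetime(struct.unpack_from("<Q", f, off)[0])
            for name, off in F_TIMESTAMPS.items()}
    info["rid"] = struct.unpack_from("<I", f, RID_OFFSET)[0]
    return info

def to_local(utc_dt, active_time_bias_minutes):
    """Registry FILETIMEs are UTC. ActiveTimeBias is (UTC - local) in minutes,
    so local = UTC - bias; US Eastern Standard Time is 300, Central European Time is -60."""
    if utc_dt is None:
        return None
    return utc_dt.astimezone(timezone(timedelta(minutes=-active_time_bias_minutes)))

def build_sample_f():
    """Constructed 80-byte F value with hypothetical contents."""
    f = bytearray(80)
    struct.pack_into("<Q", f, 8, 128444736000000000)                      # last login 2008-01-10 21:20 UTC
    struct.pack_into("<Q", f, 24, 128444736000000000 - 30 * 86400 * 10**7)  # password reset 30 days earlier
    struct.pack_into("<Q", f, 32, 0x7FFFFFFFFFFFFFFF)                      # account never expires
    struct.pack_into("<Q", f, 40, 0)                                       # no failed login recorded
    struct.pack_into("<I", f, 48, 1000)                                    # RID 1000: first local user created
    return bytes(f)

def demo(active_time_bias_minutes=300):
    info = parse_f_value(build_sample_f())
    info["last_login_local"] = to_local(info["last_login"], active_time_bias_minutes)
    return info

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v}")
```

Keep the UTC values in the timeline and convert to local only for presentation; a last-failed-login of None is a real finding (no failure was ever recorded), not a parse error.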
• 98. Tracking User Activity. The Registry keys that track a user's activity live in that user's NTUSER.DAT file, which is loaded as HKEY_CURRENT_USER while the user is logged on. When the user performs a particular action, the key's LastWrite time is updated and the values beneath it are added or modified, some with their own embedded timestamps. The majority of user activity is therefore recorded in the HKEY_CURRENT_USER hive, so collect NTUSER.DAT for every profile on the system.
• 99. The UserAssist Keys. Programs the user has launched through Explorer are counted under Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count in the user's NTUSER.DAT. The value names beneath this key are ROT-13 encoded: ROT-13 is a Caesar cipher in which each letter is replaced by the letter 13 places further along the alphabet (obfuscation rather than encryption, and its own inverse). The Perl script uassist.pl decodes the value names. Decoded names begin with UEME_ followed by RUNPATH, RUNPIDL or RUNCPL.
• 100. The UserAssist Keys (cont’d).
  • RUNPATH: refers to an absolute path in the file system; recorded when the user double-clicks the icon of an executable in Windows Explorer or types the name of the application in the Start | Run box
  • RUNCPL: refers to launching a Control Panel applet
  • RUNPIDL: a PIDL, or pointer to an ID list, is part of Explorer's internal namespace and is used to refer to an object; in the UserAssist keys these are most often shortcuts (LNK files), as when the user chooses Start | Documents and selects a file
• 101. MRU Lists. Applications maintain most-recently-used (MRU) lists of the files they have recently opened; the file names appear at the bottom of the File menu. The best-known MRU Registry key is RecentDocs, at Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs in NTUSER.DAT. Such a list has two parts:
  • The numbered values (0, 1, 2, ...): each holds the name of a file that was accessed
  • The MRUListEx value: a list of those numbers in the order the files were accessed, most recent first
  The key's LastWrite time tells you when the most recent entry was added.
• 102. MRU Lists (cont’d). Other MRU lists in NTUSER.DAT:
  • Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU: everything typed into the Run box on the Start menu, with an MRUList value giving the order
  • Software\Microsoft\Internet Explorer\TypedURLs: the URLs the user typed into the Internet Explorer Address bar
  • Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU: files opened or saved through the common Open and Save As dialogs, with one subkey per file extension
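Reordering MRU entries from the two slides above, as an added example (not code from the slides). Two ordering schemes are handled: RecentDocs, where MRUListEx is a list of little-endian DWORD indexes terminated by 0xFFFFFFFF over numbered values whose data starts with the UTF-16LE file name, and RunMRU, where MRUList is a string of letters over lettered REG_SZ values that end in "\1". The sample values are constructed.

```python
r"""Put MRU entries back in most-recent-first order.

Added example, not from the original slides. RecentDocs: MRUListEx is a list of
little-endian DWORD indexes, 0xFFFFFFFF terminated, over numbered values whose
data begins with the UTF-16LE file name. RunMRU: MRUList is a string of letters
over lettered REG_SZ values that end in "\1". Sample data is constructed.
"""
import struct

def mrulistex_order(blob):
    """Indexes in MRU order; the first DWORD is the most recently used item."""
    order = []
    for (idx,) in struct.iter_unpack("<I", blob[:len(blob) - len(blob) % 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def utf16_cstring(data, start=0):
    """Read a NUL-terminated UTF-16LE string starting at an even offset."""
    end = start
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[start:end].decode("utf-16-le")

def recentdocs_entries(values):
    """values: {"MRUListEx": bytes, "0": bytes, "1": bytes, ...} -> file names in MRU order."""
    result = []
    for idx in mrulistex_order(values["MRUListEx"]):
        data = values.get(str(idx))
        if data is None:
            continue   # index listed but value missing: note the gap, keep going
        result.append(utf16_cstring(data))
    return result

def runmru_entries(values):
    """values: {"MRUList": "cab", "a": "cmd\\1", ...} -> commands in MRU order, "\\1" removed."""
    out = []
    for letter in values.get("MRUList", ""):
        cmd = values.get(letter)
        if cmd is None:
            continue
        out.append(cmd[:-2] if cmd.endswith("\\1") else cmd)
    return out

def _doc(name):
    # Constructed: file name followed by NUL; real values carry more data after this
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x00" * 8

SAMPLE_RECENTDOCS = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    "0": _doc("report.docx"),
    "1": _doc("budget.xls"),
    "2": _doc("notes.txt"),
}
SAMPLE_RUNMRU = {"MRUList": "cab", "a": "cmd\\1", "b": "regedit\\1", "c": r"\\fileserver\share\1"}

def demo():
    return recentdocs_entries(SAMPLE_RECENTDOCS), runmru_entries(SAMPLE_RUNMRU)

if __name__ == "__main__":
    print(demo())
```

Note that the "\1" suffix is stripped from the end of the string rather than by splitting on backslashes, since a UNC path or full file path typed into Run also contains backslashes.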
• 103. Search Assistant. Terms searched for with the Windows XP Search function are stored in NTUSER.DAT under Software\Microsoft\Search Assistant\ACMru. The ACMru key usually has some combination of four subkeys:
  • 5001: MRU list for the Internet Search Assistant
  • 5603: MRU list for the Windows XP files-and-folders search
  • 5604: MRU list for the "word or phrase in a file" box
  • 5647: MRU list for the computers entered in the "for computers or people" search
• 104. Connecting to Other Systems. An MRU list is created when a user maps a drive with the Map Network Drive Wizard: Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU. Remote shares the user connected to, including with the net use command, leave subkeys (named ##server#share) under Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2. Names or IP addresses of systems the user browsed to appear under Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions.
• 105. Analyzing Restore Point Registry Settings. Restore points are snapshots of system files and Registry hives, taken so that a user can restore the system to an earlier state; for the investigator they are older copies of the SAM, SECURITY, SOFTWARE, SYSTEM and NTUSER.DAT hives. Settings are under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore; the interval between scheduled restore points, in seconds, is in the RPGlobalInterval value. The restore points themselves are in numbered folders, System Volume Information\_restore{GUID}\RP##, with the hive copies in the snapshot subfolder of each. Path to the user interface: Start > All Programs > Accessories > System Tools > System Restore.
• 106. Analyzing Restore Point Registry Settings (cont’d). Characteristics of restore point names:
  • Restore points created on schedule are named System CheckPoint, the name shown in the user interface
  • Installing software or unsigned drivers usually creates a restore point, named for the installation
  • A user can create restore points manually; the user-provided name is stored in the same place
  • The name is stored in, and read from, the rp.log file in the root of the RP## folder, starting at byte offset 16
  • The last 8 bytes of rp.log are a 64-bit Windows FILETIME giving when the restore point was created
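A reader for rp.log files built from the layout on this slide, as an added example (not code from the slides): the restore point name is taken as a NUL-terminated UTF-16LE string starting at byte offset 16, the creation time from the final 8 bytes, and the RP## folder names are used to build a chronological list. The rp.log samples are constructed, with the 16-byte header zeroed.

```python
"""Read restore point names and creation times from rp.log files.

Added example, not from the original slides. Layout used (from the slide):
name = NUL-terminated UTF-16LE string at byte offset 16; last 8 bytes =
64-bit FILETIME of creation. The rp.log samples are constructed.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NAME_OFFSET = 16

def filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_rp_log(data):
    if len(data) < NAME_OFFSET + 8:
        raise ValueError("rp.log too short")
    name = data[NAME_OFFSET:-8].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    created = filetime(struct.unpack("<Q", data[-8:])[0])
    return {"name": name, "created": created}

def rp_number(folder_name):
    """RP## folder name -> integer, e.g. 'RP12' -> 12."""
    m = re.fullmatch(r"RP(\d+)", folder_name)
    if not m:
        raise ValueError(f"not a restore point folder: {folder_name}")
    return int(m.group(1))

def restore_point_timeline(folders):
    """folders: {"RP##": rp.log bytes}. Returns entries sorted by creation time."""
    out = []
    for folder, data in folders.items():
        entry = parse_rp_log(data)
        entry["rp"] = rp_number(folder)
        out.append(entry)
    out.sort(key=lambda e: e["created"])
    return out

def build_rp_log(name, ft):
    """Constructed writer for the same layout; the 16-byte header is zeroed here."""
    return b"\x00" * NAME_OFFSET + name.encode("utf-16-le") + b"\x00\x00" + struct.pack("<Q", ft)

T0 = 128444736000000000  # 2008-01-10 21:20:00 UTC (constructed)
DAY = 86400 * 10**7      # one day in FILETIME ticks

SAMPLE = {
    "RP12": build_rp_log("System Checkpoint", T0),
    "RP13": build_rp_log("Installed Remote Admin Tool", T0 + DAY // 2),
    "RP11": build_rp_log("Before driver install", T0 - DAY),
}

def demo():
    return restore_point_timeline(SAMPLE)

if __name__ == "__main__":
    for e in demo():
        print(f"RP{e['rp']:<4} {e['created'].isoformat()}  {e['name']}")
```

Gaps in the RP numbering, or a creation time that breaks the sequence, point at restore points that were deleted or at a system clock that was changed.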
• 107. System Restore: Screenshot (figure: the System Restore user interface, not reproduced)
• 108. Determining the Startup Locations. Common startup locations in the Registry (key: what runs from it):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: all values in this key are executed when any user logs on
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce: all values in this key are executed at the next logon and then deleted
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices: all values are run as services at system startup (Windows 9x/Me only; ignored on NT-based systems)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce: all values are run as services at system startup and then deleted (Windows 9x/Me only)
• 109. Determining the Startup Locations (cont’d).
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, value Shell: executed when any user logs on; normally explorer.exe, but it can be changed to a different program or to an "Explorer" in a different path
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, value Userinit: runs when any user logs on; normally userinit.exe, and additional programs can be appended to it as a comma-separated list
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components: each subkey (named by GUID) represents an installed component; the StubPath value in a subkey, when present, is run once per user at logon, so it is a way of running code
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad: each value names a CLSID whose COM object explorer.exe loads after it starts
• 110. Determining the Startup Locations (cont’d).
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run: if the Explorer and Run keys are present, the values under Run are executed after Explorer starts
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001: contains entries to be run once, for example RunMyApp = ||notepad.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD: when present, its subkeys are monitored and the StaticVxD value in each subkey is a method of executing code (Windows 9x/Me)
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager, value BootExecute: native applications (such as autochk) run by the Session Manager before the Win32 subsystem exists and before any logon
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services: the list of services and drivers; the Start value gives the start type: 0 boot (driver loaded by the boot loader), 1 system (loaded during kernel initialization), 2 automatic, 3 manual (started on demand), 4 disabled
• 111. Determining the Startup Locations (cont’d).
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries: the subkeys are Winsock layered service providers (LSPs); the DLLs they name are loaded into every process that uses Winsock, before any user logs on
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WOW, value cmdline: the program listed here is run whenever a legacy 16-bit application is started
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: all values run when this specific user logs on (the setting is per user)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce: all values run when this specific user logs on, and are then deleted
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup: for this user, used only by Setup; a progress dialog box tracks progress as the values are run one at a time
• 112. Determining the Startup Locations (cont’d).
  • HKEY_CURRENT_USER\Control Panel\Desktop: if a screen saver is enabled, a value named SCRNSAVE.EXE is present; whatever path its string data contains is executed when the screen saver runs
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows, value run: the program(s) in this string are executed when this user logs on
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows, value load: the program(s) in this string are run when this user logs on
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run: the values here run when this user logs on
• 113. Determining the Startup Locations (cont’d). User Startup folder Registry settings and their default values (programs placed in these folders run at logon):
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, value Startup: C:\Documents and Settings\<UserName>\Start Menu\Programs\Startup, where <UserName> is the literal user name, not an environment variable
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, value Startup: %USERPROFILE%\Start Menu\Programs\Startup
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, value Common Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, value Common Startup: %ALLUSERSPROFILE%\Start Menu\Programs\Startup
  These values can be redirected to a folder of the attacker's choosing, so check that they still point at the default locations.
• 115. Cache, Cookie, and History Analysis in IE. Internet Explorer stores a user's activity under the user's profile (Windows XP paths):
  • Cache (pages and images the user viewed): C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5
  • History: C:\Documents and Settings\<user>\Local Settings\History\History.IE5
  • Cookies: C:\Documents and Settings\<user>\Cookies
  Each location is indexed by an index.dat file, which is what the parsing tools on the following slides read.
• 116. Cache, Cookie, and History Analysis in Firefox/Netscape. Mozilla, Netscape and Firefox (up to version 2) save web activity in a file named history.dat, a text-based file in the Mork format rather than a binary database. history.dat does not link website visits to the cached web pages. Locations:
  • Firefox: Documents and Settings\<user name>\Application Data\Mozilla\Firefox\Profiles\<random text>\history.dat
  • Mozilla/Netscape: Documents and Settings\<user name>\Application Data\Mozilla\Profiles\<profile name>\<random text>\history.dat
• 117. Browsing Analysis Tool: Pasco. Pasco is a command-line tool that runs on Unix or Windows. It takes an index.dat file, reconstructs the records, and writes them out as delimited text. It shows the fields saved by IE:
  • Record type: whether the activity is a URL that was browsed or a site that redirected the browser to another site
  • URL: the website the user visited
  • Modified time: when the website content was last modified
  • Access time: when the user browsed the website
  • Filename: the local file in the cache that holds a copy of the URL's content
  • HTTP headers: the headers the browser received when it fetched the URL
• 118. Tool: IE Cache View. IECacheView reads the cache folder of Internet Explorer and lists all files currently stored in the cache, with: filename, content type, URL, last accessed time, last modified time, expiration time, number of hits, file size, folder name, and the full path of the cache file.
• 119. Tool: IE Cache View (cont’d). Advantages: it lists the cache files and lets you filter them by file type; it can read the cache of another user or from another disk, such as a mounted image; selected cache items can be copied to the clipboard.
• 120. Forensic Tool: Cache Monitor. Cache Monitor offers a real-time view of the current state of a cache and an interface to modify its data. It can also verify the configuration of dynamic caches and their cache policies, monitor cache statistics and the data flowing through the caches, show the data in the edge cache, view data offloaded to disk, and manage the data in the cache.
• 121. Tool: IE History Viewer. IEHistoryView reads all information from the history file on the computer and lists the URLs visited in the last few days. It can also select one or more URL addresses and either remove them from the history file or save them to a text, HTML or XML file. Because it can modify the history, run it against a working copy of the history files, never against the evidence itself.
• 122. IE Cookie Analysis. The Cookies index.dat file provides, for each cookie: the cookie file name, the record type, the record size in bytes, the number of hits, the site that created the cookie, the modified date, the accessed date and the name of the user; analysis tools add the MD5 of the cookie file itself.
• 123. IE Cookie Analysis (cont’d). index.dat uses hash tables to locate the data records it stores; a parser follows the hash table offsets to find the records, then splits each record into its individual fields.
• 124. IE Cookie Analysis (cont’d): figure showing the hash table offset in index.dat (not reproduced)
• 125. Investigating Internet Traces. Internet Explorer locations to examine for the Administrator account:
  • Cookies: C:\Documents and Settings\Administrator\Cookies
  • Temporary Internet files: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
• 126. Tool: IECookiesView. Displays details of all cookies stored on the computer, shows the contents of each cookie, saves the cookies to a readable text file, and shows references to deleted cookies that remain in index.dat.
• 127. Tool: IE Sniffer. IE Sniffer performs forensic analysis of index.dat files. Features:
  • Cookie Monitor: keeps only the cookies you want and shows all cookies that were deleted
  • Cache Cleaner: cleans the Internet Explorer cache and all stored offline pages
  • Quick viewer: shows the contents of an index.dat file and opens any of the visited links in the browser
  • Hex Viewer: shows the raw contents of index.dat files
  The Cache Cleaner function destroys evidence; use the tool only on a working copy, never on the original files.
• 128. Screenshot: IE Sniffer (figure not reproduced)
• 130. MD5 Calculation. The Message-Digest algorithm 5 (MD5), designed by Ron Rivest in 1991, is a cryptographic hash function with a 128-bit output. It is used in security applications and to check the integrity of files, for example to verify that an evidence image has not changed since acquisition. MD5 is no longer collision resistant: since 2004 it has been practical to construct two different files with the same MD5 hash, so for evidence integrity record a SHA-256 hash alongside it. A matching MD5 still shows that a file was not accidentally altered.
• 131. MD5 Algorithm. MD5 processes a variable-length message into a fixed-length 128-bit output. The message is padded so that its length is a multiple of 512 bits, then processed in 512-bit blocks. The padding is done as follows:
  • A single '1' bit is appended to the end of the message
  • It is followed by as many '0' bits as are needed to bring the length to 64 bits short of a multiple of 512 (length ≡ 448 mod 512)
  • The remaining 64 bits hold the bit length of the original message as a little-endian integer
  Padding is always applied, even when the message already ends 64 bits short of a block boundary; in that case a whole extra block is added.
• 132. MD5 Pseudocode (all variables are unsigned 32-bit and wrap modulo 2^32):
  var int[64] r, k
  // r specifies the per-round shift amounts
  r[ 0..15] := {7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22}
  r[16..31] := {5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20}
  r[32..47] := {4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23}
  r[48..63] := {6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21}
  // Use the binary integer part of the sines of integers (radians) as constants:
  for i from 0 to 63
      k[i] := floor(abs(sin(i + 1)) × 2^32)
  // Initialize variables (RFC 1321 gives them as the byte sequences 01 23 45 67, 89 ab cd ef, fe dc ba 98, 76 54 32 10; as little-endian 32-bit words they are):
  var int h0 := 0x67452301
  var int h1 := 0xEFCDAB89
  var int h2 := 0x98BADCFE
  var int h3 := 0x10325476
  // Pre-processing:
  append "1" bit to message
  append "0" bits until message length in bits ≡ 448 (mod 512)
  append bit (not byte) length of unpadded message as 64-bit little-endian integer to message
  // Process the message in successive 512-bit chunks:
  for each 512-bit chunk of message
      break chunk into sixteen 32-bit little-endian words w[i], 0 ≤ i ≤ 15
      // Initialize hash value for this chunk:
      var int a := h0, b := h1, c := h2, d := h3
      // Main loop:
      for i from 0 to 63
          if 0 ≤ i ≤ 15 then
              f := (b and c) or ((not b) and d)
              g := i
          else if 16 ≤ i ≤ 31
              f := (d and b) or ((not d) and c)
              g := (5×i + 1) mod 16
          else if 32 ≤ i ≤ 47
              f := b xor c xor d
              g := (3×i + 5) mod 16
          else if 48 ≤ i ≤ 63
              f := c xor (b or (not d))
              g := (7×i) mod 16
          temp := d
          d := c
          c := b
          b := b + leftrotate((a + f + k[i] + w[g]), r[i])
          a := temp
      // Add this chunk's hash to the result so far:
      h0 := h0 + a
      h1 := h1 + b
      h2 := h2 + c
      h3 := h3 + d
  var int digest := h0 append h1 append h2 append h3 // expressed as little-endian
  • 133. MD5 Generator: Chaos MD5
  Chaos MD5 is a free MD5 generator for Windows.
  Input any file into this free program and it will generate an MD5 checksum for that file.
  It generates a unique signature for each and every file.
  Chaos MD5 does not require installation; simply copy it to the hard drive or a USB device to run it.
  The generated MD5 checksum can be used for file identification or integrity checks.
  • 134. Chaos MD5: Screenshot
  • 135. Secure Hash Signature Generator
  Secure Hash Signature Generator generates hash signatures that are unique to the data stored on a disk drive.
  These signatures are used to verify data integrity by detecting intentional or accidental tampering with drive data.
  The application can detect up to three P-ATA, S-ATA, SCSI, or ATA-compatible flash devices attached to a PC.
  It runs under Windows XP or Windows 2000.
  Three hash signature algorithms are available to choose from: MD5 (128-bit signature), SHA1 (160-bit signature), and CRC32 (32-bit signature).
  • 136. MD5 Generator: Mat-MD5
  Mat-MD5 is a program that lets you check the MD5 value of each file processed and compare it with other MD5 strings.
  It processes one or more files and adds the resulting value to a list.
  You can add an MD5 value to compare against by typing it or by copying it from an external file, so you can easily compare your values.
  • 137. Mat-MD5: Screenshot
  • 138. MD5 Checksum Verifier
  MD5 Checksum Verifier is a file integrity checker based on the time-proven MD5 algorithm.
  With it, you can easily create checksums of files and verify their integrity in the future.
  • 139. Module Flow (section divider): Collecting Volatile Information, Collecting Non-Volatile Information, Windows Memory Analysis, Cache, Cookie and History Analysis, MD5 Calculation, Text-Based Logs, Metadata Investigation, Forensic Analysis of Event Logs, Other Audit Events, Windows Registry Analysis, Windows File Analysis, Windows Password Issues, Forensics Tools
  • 140. Recycle Bin
  The Recycle Bin exists as a metaphor for throwing files away; it also allows the user to retrieve and restore files.
  A subdirectory is created for the user within the Recycler directory and named with the user's security identifier (SID).
  • For example: C:\RECYCLER\S-1-5-21-1454471165-630328440-725345543-1003
  Check that subdirectory for the deleted files' information.
  When a file is moved to the Recycle Bin, it is renamed using the following convention:
  • D<original drive letter of file><#>.<original extension>
  • 141. System Restore Points
  Rp.log files:
  • Rp.log is the restore point log file located within the restore point (RPxx) directory
  • It includes a value indicating the type of the restore point, a descriptive name for the restore point creation event, and a 64-bit FILETIME object
  • The description of the restore point can be useful for information regarding the installation or removal of an application
  Change.log.x files:
  • Key system and application files are continuously monitored so that the system can be restored to a particular state
  • Changes are recorded in the change.log files, which are located in the restore point directories
  • The monitored file is preserved: it is copied to the restore point directory and renamed
  • 142. Prefetch Files
  The data, after processing, is written to a .pf file in the Windows\Prefetch directory.
  Collect this data from the Prefetch directory.
  Prefetching is controlled by the Registry key:
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\Session Manager\Memory Management\PrefetchParameters
  • 143. Shortcut Files
  Shortcuts are files with the extension .lnk that are created and accessed by users.
  They are created on the system in the Recent folder.
  A shortcut provides information about files or network shares that the user had accessed, and also about devices that the user had attached to the system.
  Tools like AccessData's Forensic Toolkit (FTK), Windows File Analyzer (WFA), and EnCase are used to reveal information embedded within the file.
  • 144. Searching with Event Viewer
  The Filter feature in Event Viewer allows removing clutter from the event log display.
  Each log can be independently configured with different filter properties.
  Use the Filter and Find features in Event Viewer, under the View menu.
  After applying the filter, Event Viewer shows only the log entries with matching properties.
  • 145. Event Viewer: Screenshot
  • 146. Word Documents
  Word documents are compound documents, based on Object Linking and Embedding (OLE) technology, which defines a file structure within the file.
  Word documents can maintain past revisions as well as a list of up to the last 10 authors.
  Use the wmd.pl and oledmp.pl scripts to list the OLE streams.
  • 147. PDF Documents
  Portable Document Format (PDF) files can also contain metadata such as the name of the author, the date the file was created, and the application used to create the file.
  The metadata can show, for example, that the PDF file was created on a Mac, or that it was created by converting a Word document to PDF format.
  Use the pdfmeta.pl and pdfdmp.pl scripts to extract metadata from PDF files.
  • 148. Image Files
  Image files such as JPEG can contain the photographer's information, such as the location where the picture was taken.
  The metadata available in a JPEG image depends largely on the application that created or modified it.
  Collect the Exchangeable Image File Format (EXIF) information in images, which includes the model and manufacturer of the camera and can also store thumbnail or audio information.
  Use tools such as Exifer, IrfanView, and the Image::MetaData::JPEG Perl module to view, retrieve, and modify the metadata embedded in JPEG image files.
  • 149. File Signature Analysis
  Analyze files with unusual extensions, or files with familiar extensions, with the help of file signature analysis.
  File signature analysis is collecting information from the first 20 bytes of a file.
  • This information helps to determine the type and function of the file
  Use the ProDiscover tool for file signature analysis.
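What a file signature check actually does, as an added example that is not part of the course material or of ProDiscover: compare the leading bytes of a file against a table of known magic numbers and flag files whose extension does not match the detected type. The signature table and the sample file headers are constructed for this example; a real tool carries a far larger table.

```python
import os

# Magic-number table constructed for this example: (leading bytes, extensions that fit, description)
SIGNATURES = [
    (b"\xFF\xD8\xFF", {"jpg", "jpeg"}, "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", {"png"}, "PNG image"),
    (b"%PDF-", {"pdf"}, "PDF document"),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}, "ZIP container"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", {"doc", "xls", "ppt", "msg"}, "OLE compound document"),
    (b"MZ", {"exe", "dll", "sys", "scr"}, "PE/DOS executable"),
    (b"\x1F\x8B\x08", {"gz", "tgz"}, "gzip archive"),
]


def identify(header: bytes):
    """Return (description, acceptable extensions) for the first matching signature, else None."""
    for magic, exts, desc in SIGNATURES:
        if header.startswith(magic):
            return desc, exts
    return None


def analyze(name: str, header: bytes) -> dict:
    """Compare the declared extension with the type derived from the first 20 bytes."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    match = identify(header[:20])
    if match is None:
        return {"file": name, "ext": ext, "type": "unknown", "mismatch": False}
    desc, exts = match
    return {"file": name, "ext": ext, "type": desc, "mismatch": ext not in exts}


def find_mismatches(samples: dict) -> list:
    """Names of files whose extension disagrees with their signature, sorted."""
    return sorted(r["file"] for r in (analyze(n, h) for n, h in samples.items()) if r["mismatch"])


# Constructed sample headers (first bytes only), including two disguised files
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj",
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01",
    "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",  # executable named .txt
    "invoice.doc": b"PK\x03\x04\x14\x00\x00\x00\x08\x00\x00\x00",              # ZIP named .doc
    "readme.md": b"# Incident notes\n\nHost imaged at 09:14",
    "archive.zip": b"PK\x03\x04\x14\x00",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(analyze(name, header))
    print("extension/signature mismatches:", find_mismatches(SAMPLES))
```

Note that an unknown signature is reported as "unknown" rather than as a mismatch: plain-text formats have no magic number, so absence of a match is not evidence of tampering.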
  • 150. NTFS Alternate Data Streams
  An NTFS Alternate Data Stream (ADS) is a feature of the NTFS file system.
  ADS supports the Hierarchical File System (HFS) used by the Macintosh.
  Create an ADS by typing the following command:
  • D:\ads> notepad myfile.txt:ads.txt
  Vista's dir command has a /r switch that enumerates ADSes.
  Use the type command to access the contents of an ADS.
  • 151. Executable File Analysis
  Static Analysis:
  • Static analysis is a process that consists of collecting information about and from an executable file without actually running or launching the file under any circumstances
  Dynamic Analysis:
  • Dynamic analysis involves launching an executable file in a controlled and monitored environment so that its effects on a system can be observed and documented
  • 152. Documentation Before Analysis
  • Full path and location of the file
  • MAC timestamps
  • Information about the system where the file was stored: the operating system and version, file system, user accounts, IP address
  • Any references to that file within the file system or Registry
  • Details about who found it and when
  • 153. Static Analysis Process
  • Scan the suspicious file with antivirus software such as Norton, AVG, or McAfee
  • Search for strings
  • Analyze the PE header
  • Analyze the import tables
  • Analyze the export table
  • 154. Search Strings
  Run suspicious files through tools such as strings.exe and BinText to extract all ASCII and Unicode strings of a specified minimum length.
  This helps to get an idea of the file's nature from the strings within it.
  Collect information about where each string is located within the file.
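The core of what strings.exe and BinText do, as an added example not taken from either tool: scan a binary for runs of printable ASCII and for UTF-16LE (Windows "Unicode") runs, recording the file offset of each so a string can be located again later. The sample blob is constructed for this example and mimics the layout of a small PE file.

```python
import re


def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, kind, text) for every ASCII and UTF-16LE string of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE strings: a printable ASCII byte followed by a NUL, repeated
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "unicode", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found)  # by file offset


def format_report(found) -> list:
    """Render one line per string: hex offset, encoding, text (strings.exe -o style)."""
    return ["0x%08x %-7s %s" % (off, kind, text) for off, kind, text in found]


# Constructed sample: DOS stub message, a UTF-16LE URL, an ASCII API name, binary filler between them
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 5
    + "http://example.invalid/beacon".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x7f" + b"CreateRemoteThread\x00" + b"\xde\xad\xbe\xef"
)

if __name__ == "__main__":
    for line in format_report(extract_strings(SAMPLE)):
        print(line)
```

Running the two encodings as separate passes and merging by offset keeps each hit's original position, which is what lets an analyst jump from a suspicious string straight to the surrounding bytes in a hex viewer.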
  • 155. Screenshot: BinText
  • 156. PE Header Analysis
  The file signature of a portable executable (PE) file is part of a 64-byte structure called the IMAGE_DOS_HEADER.
  The last DWORD of that structure (e_lfanew) holds the file offset of the new EXE header.
  This structure is defined in the ntimage.h header file.
  The e_lfanew value points to the location of the PE header.
  Use the PEview tool to view the PE header.
  • 157. Screenshot: PEview
  • 158. Import Table Analysis
  The operating system needs information about the DLLs and functions accessed by the executing program.
  This information is maintained in the import table and the import address table of the executable file.
  Use pedump.exe or the Dependency Walker tool to easily access the import table information.
  Locate the import data directory and parse its structures to determine the DLLs and their functions.
  Identify networking-related code from the DLLs and functions listed in the import table.
  • 159. Screenshot: Dependency Walker
  • 160. Export Table Analysis
  DLLs provide functions that other executable files can import.
  DLLs maintain a table of the functions they make available in their export table.
  Collect information about chained or cascading DLL dependencies with the help of tools like Dependency Walker and pedump.exe.
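The walk from IMAGE_DOS_HEADER through e_lfanew to the PE signature, COFF header and data directories (slides 156 and 158), as an added example that is not PEview's or pedump's code. The parser reads the offsets defined in the PE/COFF format; the sample PE header is constructed in-line with struct.pack and contains no sections or code, only enough to exercise the parser. Locating the import and export directories is the step that precedes walking the import descriptors themselves.

```python
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000
DIRECTORY_NAMES = ["export", "import", "resource", "exception", "security", "basereloc",
                   "debug", "architecture", "globalptr", "tls", "load_config",
                   "bound_import", "iat", "delay_import", "com_descriptor", "reserved"]


def parse_pe_headers(data: bytes) -> dict:
    """Follow IMAGE_DOS_HEADER.e_lfanew to the PE signature and parse the COFF and optional headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    # e_lfanew is the last DWORD of the 64-byte IMAGE_DOS_HEADER (offset 0x3C)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew 0x%x" % e_lfanew)
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, _opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                      # IMAGE_OPTIONAL_HEADER follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                   # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                 # PE32+ (64-bit ImageBase and stack/heap fields)
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    dirs = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * i)
        if size:
            dirs[DIRECTORY_NAMES[i]] = (rva, size)
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINE_NAMES.get(machine, "0x%04x" % machine),
        "sections": nsections,
        "link_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "format": "PE32" if magic == 0x10B else "PE32+",
        "directories": dirs,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header (no sections, no code) used only to exercise the parser."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)              # e_lfanew = 0x80
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(0x80 - 64, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 1262304000, 0, 0, 224, 0x0102)  # i386, 3 sections, EXE
    opt_std = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000)
    opt_win = struct.pack("<IIIHHHHHHIIIIHHIIIIII",
                          0x400000, 0x1000, 0x200, 5, 1, 0, 0, 5, 1, 0,
                          0x4000, 0x400, 0, 2, 0x8140,
                          0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (0x3000, 0x28)     # import directory (RVA, size)
    dirs[12] = (0x3100, 0x10)    # import address table
    data_dirs = b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    return dos + stub + b"PE\0\0" + coff + opt_std + opt_win + data_dirs


if __name__ == "__main__":
    for key, value in parse_pe_headers(build_sample_pe()).items():
        print("%-12s %s" % (key, value))
```

The import directory entry is an RVA, so on a file from disk the next step is mapping that RVA through the section table to a file offset before reading the IMAGE_IMPORT_DESCRIPTOR array; the link timestamp is worth recording as-is, since it is set by the linker and can be forged.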
  • 161. Dynamic Analysis Process
  • Create a testing environment
  • Use virtualization tools such as Bochs, Parallels, Microsoft's Virtual PC, VirtualIron, and VMware
  • Arrange your tools properly
  • Start the process of testing the malware
  • 162. Creating a Test Environment
  • Run the malware to be tested on a different system than the victim system
  • Do not connect the test system to the victim system through a network
  • Reinstall the operating system after each test
  • Work on a virtual platform
  • Use virtualization tools such as Bochs, Parallels, Microsoft's Virtual PC, VirtualIron, and VMware
  • 163. Collecting Information Using Tools
  Use network sniffer tools to obtain network connectivity information.
  This helps to determine whether the malware attempts to communicate with a remote system, or opens a port to listen for connections.
  Record TCP and UDP port activity with the help of the Port Reporter tool.
  Use the Process Monitor tool to see files and Registry keys that were created or modified, and also a timeline of activity.
  • 164. Dynamic Analysis Steps
  1. Ensure that all monitoring tools are updated
  2. Ensure that all monitoring tools are configured properly
  3. Create a log storage location
  4. Prepare the malware to be analyzed
  5. Launch the baseline phase of the snapshot tools
  6. Enable real-time monitoring tools
  7. Launch the malware
  8. Stop the real-time monitoring tools, and save the data
  9. Launch the second phase of the snapshot tools, and save the data
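Steps 5 and 9 above rely on a snapshot tool that records state before and after the sample runs; the file-system half of such a tool, as an added example that is not from the course or from any named product, is a hash-based baseline and diff. The scenario in `demo()` is constructed: it writes a few files into a temporary directory, takes the baseline, simulates the side effects a sample might have (a new file, a modified file, a deleted file), and reports the difference. Registry snapshots would be handled the same way with a different collector.

```python
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map each file under root (relative path) to (size, sha256) so two runs can be compared."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = (os.path.getsize(path), digest)
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Files that appeared, disappeared, or changed content between the baseline and second phase."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def _write(root: str, name: str, content: bytes) -> None:
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(content)


def demo() -> dict:
    """Constructed scenario: baseline (step 5), simulated sample activity (step 7), second phase (step 9)."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "hosts", b"127.0.0.1 localhost\n")
        _write(root, "readme.txt", b"clean baseline\n")
        _write(root, "scratch.tmp", b"to be deleted\n")
        before = snapshot(root)
        # The sample would be launched here; its side effects are simulated instead
        _write(root, "hosts", b"127.0.0.1 localhost\n# line appended by sample\n")
        _write(root, "svc.dll", b"MZ\x90\x00 constructed payload\n")
        os.remove(os.path.join(root, "scratch.tmp"))
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(demo())
```

Hashing rather than comparing timestamps matters here because a sample can reset MAC times on the files it touches; content hashes cannot be restored without restoring the content.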
  • 165. Module Flow (section divider): Collecting Volatile Information, Collecting Non-Volatile Information, Windows Memory Analysis, Cache, Cookie and History Analysis, MD5 Calculation, Text-Based Logs, Metadata Investigation, Forensic Analysis of Event Logs, Other Audit Events, Windows Registry Analysis, Windows File Analysis, Windows Password Issues, Forensics Tools
  • 166. Metadata
  The term metadata refers to data about data.
  Examples of metadata:
  • Organization name
  • Author name
  • Computer name
  • Network name
  • Hidden text or cells
  • Document versions
  • Template information
  • Personalized views
  • Non-visible portions of embedded OLE objects
  It is important to collect this data as it gives information about:
  • Hidden information in the document
  • Who tried to hide, delete, or obscure the data
  • Correlated documents from different sources
  • 167. Metadata Example: Screenshot
  • 168. Types of Metadata
  Metadata is divided into three types:
  • Descriptive metadata
  • Structural metadata
  • Administrative metadata
  Descriptive metadata includes information such as title, abstract, author, and keywords.
  Structural metadata provides information for the navigation and presentation of electronic resources.
  Administrative metadata provides information such as file creation date, file type, and other technical information.
  • 169. Types of Metadata (cont'd)
  Type | Description | Sample Element
  Descriptive Metadata | Describes and identifies information resources | Unique identifiers, physical attributes, bibliographic attributes
  Structural Metadata | Provides information about the internal structure of resources, including page, section, chapter numbering, indexes, and table of contents | Tags such as title page, table of contents, chapters, parts, errata, index, sub-object relationship
  Administrative Metadata | Includes technical data on creation and quality control | Resolution, bit depth, color space, file format, compression, light source, owner, copyright date, copying and distribution limitations
  • 170. Metadata in Different File Systems
  Metadata such as the modified, accessed, and created (MAC) timestamps gives information about when the file was last modified, accessed, or created.
  These MAC times are managed by the operating system depending on the file system used, such as FAT or NTFS:
  • On the FAT file system, times are stored based on the local time of the computer system
  • The NTFS file system stores MAC times in Coordinated Universal Time (UTC) format
  Investigate the way the timestamps are displayed, based on various move and copy actions.
  • 171. Metadata in Different File Systems (cont'd)
  FAT16 file system:
  • Copy myfile.txt from C:\ to C:\subdir: myfile.txt keeps the same modification date, but the creation date is updated to the current date and time
  • Move myfile.txt from C:\ to C:\subdir: myfile.txt keeps the same modification and creation dates
  • Copy myfile.txt from a FAT16 partition to an NTFS partition: myfile.txt keeps the same modification date, but the creation date is updated to the current date and time
  • Move myfile.txt from a FAT16 partition to an NTFS partition: myfile.txt keeps the same modification and creation dates
  NTFS file system:
  • Copy myfile.txt from C:\ to C:\subdir: myfile.txt keeps the same modification date, but the creation date is updated to the current date and time
  • Move myfile.txt from C:\ to C:\subdir: myfile.txt keeps the same modification and creation dates
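The two on-disk timestamp encodings behind slides 170 and 171 (and the 64-bit FILETIME in rp.log on slide 141), decoded as an added example that is not from the course material: NTFS and the Registry store a FILETIME, 100-nanosecond intervals since 1601-01-01 UTC, while FAT stores a packed 16-bit date and 16-bit time in the machine's local time with no zone information and two-second resolution. The FAT to UTC conversion therefore needs the time zone the originating machine was set to, supplied here as `utc_offset_hours`; the sample values are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Windows FILETIME: 100-ns intervals since 1601-01-01, always UTC (as NTFS stores it)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (dt must be timezone-aware)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def filetime_to_bytes(filetime: int) -> bytes:
    """FILETIME as it sits on disk or in a Registry value: 8 bytes, little-endian."""
    return struct.pack("<Q", filetime)


def filetime_from_bytes(raw: bytes) -> datetime:
    return filetime_to_datetime(struct.unpack("<Q", raw)[0])


def fat_to_local(date16: int, time16: int) -> datetime:
    """FAT packed date/time: local wall-clock time of the machine, 2-second resolution, no zone."""
    year = 1980 + (date16 >> 9)          # bits 15..9: years since 1980
    month = (date16 >> 5) & 0x0F         # bits 8..5
    day = date16 & 0x1F                  # bits 4..0
    hour = time16 >> 11                  # bits 15..11
    minute = (time16 >> 5) & 0x3F        # bits 10..5
    second = (time16 & 0x1F) * 2         # bits 4..0, in two-second units
    return datetime(year, month, day, hour, minute, second)   # naive: zone unknown


def fat_to_utc(date16: int, time16: int, utc_offset_hours: float) -> datetime:
    """Normalise a FAT timestamp to UTC using the zone the originating machine was set to."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return fat_to_local(date16, time16).replace(tzinfo=zone).astimezone(timezone.utc)


if __name__ == "__main__":
    # Constructed sample values: the Unix epoch as a FILETIME, and a FAT stamp of 2010-02-01 11:33 local
    print(filetime_from_bytes(b"\x00\x80\x3e\xd5\xde\xb1\x9d\x01"))
    print(fat_to_local(0x3C41, 0x5C20), "->", fat_to_utc(0x3C41, 0x5C20, -5))
```

When the same file appears on a FAT volume and an NTFS volume (the copy and move cases above), normalising both to UTC with the correct offset is what makes the timestamps comparable; without the offset, a FAT stamp can be off by the machine's whole zone difference.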
  • 172. Viewing Metadata
  Metadata can be viewed with the help of the native application.
  In Microsoft Office, go to File -> Properties; in Adobe Acrobat, go to File -> Document Properties.
  Tools used to view metadata:
  • MetaViewer
  • Metadata Analyzer
  • iScrub
  • 173. MetaViewer
  MetaViewer allows you to quickly extract file system metadata, OLE metadata contained in Microsoft Office files, and hash values.
  It displays metadata and hash values inside Windows Explorer.
  It also allows you to paste the retrieved information into any application.
  • 174. Metadata Analyzer
  Metadata Analyzer is an analytical tool for checking MS Office documents:
  • Microsoft Word
  • Microsoft Excel
  • Microsoft PowerPoint
  It gives information about the initial name, authors, corporate name, number of saves, etc.
  • 175. iScrub
  iScrub extracts information about the authors of a document, deleted text, and drafting history.
  Features:
  • It is a reporting tool to capture and display document metadata
  • It allows users to first manage metadata in a document and then lock it down
  • 176. Summary
  • Live system activity notification is important for responders and investigators
  • In live response, collect the data that is going to change within a short span of time
  • Several Registry values and settings can impact the forensic analysis
  • Analyzing the contents of RAM helps the investigator find what has been hidden
  • The pmdump.exe tool allows dumping the contents of process memory without stopping the process
  • Registry analysis provides more information to the investigator during live response
  • The logs generated by the web server are used to investigate attacks on an IIS web server