Alternate Data Streams on Windows NTFS
Welcome to a discussion tutorial on alternate data streams. In this tutorial we will be talking about what alternate data streams are, why you should know about them and how they work. If you would rather just jump straight into a hands-on example, click the annotation on screen or click the link in the description for my alternate data stream tutorial. The slideshow will be available in the description.

Why do you need to know about alternate data streams? Perhaps you want to hide files from anyone who might have access to your computer: incriminating information, or just information you don't want others reading. Or possibly you are a computer forensic scientist, and you are searching for hidden or incriminating files on an obtained hard drive. Or maybe you want to expand your knowledge and are interested in the kinds of things you can do with your computer.

So, what are alternate data streams, or ADS for short? An alternate data stream is a substructure of the Microsoft NTFS file structure. Introduced when Windows NT was released, alternate data streams were originally intended to store Macintosh files. Windows NT was designed as a server-managed operating system, meaning a server would allow people to log in and have access to their own drive and network drives. But Microsoft knew that companies would also have Macintosh computers and also wanted to be able to store Macintosh files on the server, because Macintosh files were separated into two parts, a data part and a resource part which would contain information about the file. Due to Windows remaining friendly to interact with the file system, these extra data streams are hidden from almost all Windows applications.

What can we do with them? Inside an alternate data stream you can store any type of file that could be stored in a default host data stream: for example, text, an image, a video or even malicious code. You can also store data inside a folder itself. Normally a folder is just an icon to take you into the next directory. However, a folder is actually a file on an NTFS data structure; its default data stream contains a bit of data that tells Windows this is a folder pointing to this directory location. Which means you can store data in its alternate data streams. If this is a little confusing, that's OK, because alternate data streams are something that you may be learning about for the first time. In the example tutorial that goes with this tutorial, we will store some data in a folder. You can also modify a file's metadata, or summary data as Microsoft calls it, such as author, title, etc.

Finally, you can use it for denial of service attacks. You may ask, how does that work? I thought denial of service was a server thing, where a server can't handle your request. Well, it's well understood that a full hard drive can't store any more data, so it tells you, sorry, you can't save that here, I'm full. Hard drives can sometimes begin to perform terribly when they are full, especially if they are large. There is no limit on how much data can be in an alternate data stream, so you can fill up an entire hard drive with data in an alternate data stream. In the next slide we will see why this is so devastating. The interesting thing about alternate streams is that their file size is not included in the file size shown by Windows. That's correct: our denial of service will fill the hard drive and the user will have no idea where that large file taking up their hard drive is. You may have a 1 kilobyte text document, but hidden in an alternate data stream is a 12 gigabyte 4K video file. Another very interesting trait of an alternate data stream is that it does not change a file's checksum. A checksum is usually an MD5 or SHA1 hash of the file's bytes, but checksum tools ignore alternate data streams. So you could place malicious code in an alternate data stream and not have the original checksum be changed.
Something to keep in mind when working with alternate data streams is that many formats and tools will ignore alternate data streams. Compressing your file with zip, rar or arj will only compress the host file. Other encodings like base64, used in things like email, will lose the alternate data stream upon sending. Also keep in mind that other hard drive formats like FAT32 will lose alternate data streams.

Alright, onto the exciting part: how does one access them? A standard Windows machine only comes with two ways to access alternate data streams, Notepad and type. In addition, you must know where the alternate data stream is stored to access it. Windows by default cannot detect or delete alternate data streams you can create. The only way to get more power over the alternate data streams is to use third-party applications. Windows provides two system functions for programmers to access data streams, which can be used to search for streams. But for now let's just look at how we can access them right now. If we only want to write text, we can use Notepad to access the data streams. We use the command line pattern: notepad, the host filename, colon, stream name. If we want to move an image or video or executable into an alternate data stream we use the command type, like so: type, input filename, greater-than sign, the host filename, colon, stream name. In order to get it back out, reverse the order of the input file and the alternate data stream. So here is a clearer example of us accessing an alternate data stream called hello.txt stored on the host file called readme.txt. If you give this a shot, Notepad will ask if you want to create this file; you want to answer yes. Then you can save anything you type like you would a normal Notepad file. You can then access the file again by repeating the above command.

Let's create a scenario here to talk about a possible use. OK, let's say I'm an employee of a movie production company; let's call it Sany. I'm a little disgruntled: I didn't get that promotion after I dragged the project over the finish line and saved the day. Lucky for me, I know a little bit about alternate data streams and I want to leak a new movie before it's released. One day I bring a USB into work, empty and formatted as an NTFS drive. I ask my boss, hey, is it okay if I put a copy of my work schedule onto my USB to take home? I really want to go through it and put it all on my calendar at home. Sure, the boss says, and gives the go-ahead. I copy the movie into my calendar's alternate data stream and take it home on my USB. I get home, wait a couple of days and release the movie onto the internet for anyone to download, send out press tips, delete the legal file from my USB and wait for the panic to set in. Get to work on the Monday and chaos: their new movie, which hasn't even hit cinemas yet, is available online! The tech department quickly runs through the tracking logs for that file and sees that it hasn't been copied anywhere that is suspicious. Success. Granted, this fictional scenario would work for small companies; a big company with money would be able to hire a computer forensic specialist to do a proper search and you would eventually be discovered. Maybe.

So on that note, let's talk about the drawbacks. Unfortunately, alternate data streams are quite well known about in the computer security field. Thus many go-to programs used by forensic specialists can scan for any possible alternate data streams. Also they can scan deleted data on a hard drive, so a simple delete or format won't save you should you try to hide it. Another drawback is that an alternate data stream cannot be deleted without deleting the host file, unless you use a third-party application. Also, if you have to manage a lot of alternate data streams it can become quite chaotic, as it's like trying to fiddle with something you can't see or easily count. This brings the tutorial to an end. I hope you learnt something new, or got a different perspective on alternate data streams. I have made a partner tutorial to this one, where we use Python to write to alternate data streams and also retrieve hidden streams. You can click the annotation on screen or find the link in the description.
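Added example, not part of the tutorial above: a PowerShell script that inventories alternate data streams the way an examiner would, using the built-in Get-Item -Stream support that Windows PowerShell 3.0 and later provide on NTFS volumes (the tutorial's notepad/type view predates this). It builds its own readme.txt with a hello.txt stream in a throwaway temp folder, puts a stream on the folder itself, reports each stream's size next to the host's visible size, and removes the file stream without deleting the host. The function name Get-AdsInventory and the demo folder are my own assumptions.

```powershell
# Added example: find alternate data streams (ADS) under a path.
# Assumes Windows, an NTFS volume and Windows PowerShell 3.0+ (or PowerShell 7).
function Get-AdsInventory {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is the benign "mark of the web" stream browsers add to downloads.
        [string[]] $IgnoreStream = @('Zone.Identifier')
    )
    # Check the path itself (folders can carry streams too) and everything below it.
    $targets = @(Get-Item -LiteralPath $Path -Force) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $targets) {
        # ':$DATA' is the default (visible) stream; everything else is an ADS.
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream }
        foreach ($s in $streams) {
            [pscustomobject]@{
                HostPath    = $item.FullName
                IsFolder    = $item.PSIsContainer
                VisibleSize = if ($item.PSIsContainer) { 0 } else { $item.Length }  # what Explorer shows
                Stream      = $s.Stream
                StreamSize  = $s.Length                                           # what Explorer hides
            }
        }
    }
}

# ---- Demonstration on a constructed sample in a temp folder (constructed for this example) ----
$demo     = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid().ToString('N'))
$hostFile = Join-Path $demo 'readme.txt'
New-Item -ItemType Directory -Path $demo | Out-Null

# Visible content, then a hidden 64 KB stream on the file (same effect as "notepad readme.txt:hello.txt").
Set-Content -LiteralPath $hostFile -Value 'Nothing to see here.'
Set-Content -LiteralPath $hostFile -Stream 'hello.txt' -Value ('A' * 65536)

# A stream on the folder itself, written through cmd.exe redirection as the tutorial describes.
# --% hands the rest to cmd.exe verbatim; %ADS_DEMO% is expanded to the folder path, quotes included.
$env:ADS_DEMO = $demo
cmd.exe /c --% echo data hidden on the folder> "%ADS_DEMO%:note"

# What the examiner sees: a tiny readme carrying a 64 KB stream, and the folder carrying one too.
Get-AdsInventory -Path $demo | Format-Table -AutoSize
(Get-Content -LiteralPath $hostFile -Stream 'hello.txt' -Raw).Length   # 65538 (content plus newline)

# Remediation: drop the stream but keep the host file, then confirm the file no longer carries one.
Remove-Item -LiteralPath $hostFile -Stream 'hello.txt'
Get-AdsInventory -Path $hostFile | Measure-Object | Select-Object -ExpandProperty Count   # 0

# Clean up the whole demo folder (this also removes the folder's own stream).
Remove-Item -LiteralPath $demo -Recurse -Force
```

Run it from a normal (non-elevated) prompt; on a FAT32 or exFAT volume the stream writes fail, which matches the tutorial's point that only NTFS keeps them.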
A Geeks Guide to Digital Forensics
>> Today we've got Andrew Hoog from viaForensics, correct?
>> Hoog: That's correct.
>> All right. And he's going to give us a brief chat on...
>> Hoog: Digital forensics.
>> Digital forensics.
>> Hoog: All right, so. Well, I first of all want to thank Google for the invite today. Most of the companies that we end up working with would like us to go out of business, and instead I met Fitz a little while ago and he said, hey, why don't you come out and give a talk about digital forensics, and I said, I'd love to do that. I said, [indistinct] lot of people at Google that may not like some of the things that we've uncovered, some of the chances. It doesn't matter, come on, we'd want to hear about it. So, I want to thank you guys for the chance to be here. We're going to talk today about digital forensics. And obviously with the crowd that's here today, it's going to be a very technical talk, but if you have any questions in the middle of it, go ahead and interrupt me. Let me know if you've got questions in the middle. Otherwise, we'll cover some at the end.

viaForensics has been around since about 2008. My background is as a computer scientist. I've had various management roles in different companies and then, maybe about 2008, we started viaForensics. We've got a couple of books. They literally came out this week. One of them is on Android forensics, which is my particular specialty. The other one's on iPhone forensics, which I'm sure would be a big hit here. So, those just came out, and we focus on both forensics and data security. We've got a couple of patents pending in this space. And I also do quite a bit of expert witness work, so in the forensics space you actually have to have certifications and then you can be an expert in state and federal courts. I'm also [indistinct]; like most of you, I've been using [indistinct] for quite some time. And I remember the first time I ever learned [indistinct], Special Edition came out with an 800-page book and I literally opened it up, started at page 1 and went through the whole thing. I was hooked from there and haven't looked back since.

We do quite a bit of work in the mobile space. I'll just tell you a quick story. This gentleman approaches and needed his phone examined, and so we said, you know, okay, but what kind of phone is it? Is it an Android device? You know, those guys are rolling out 400,000 devices a day. He said, no, it's not an Android device. We said, how about iOS, is it an iPhone? You've got 200 million iPhones out there. He's like, oh no, no, no. He's like, I don't have a smart phone, I have a BlackBerry. So, we do quite a bit of work in the mobile space. And again, iPhone and Android is really where we spend quite a bit of time.

Today's talk is really meant to be an overview of digital forensics. It's going to be a quick run-through. We're going to skip over some of the detail and boring stuff. We're going to jump right into examples and give you, if you're interested in tinkering in the space, some things that you can go back and install on your workstations and start playing around with. But briefly, digital forensics is a science. It's recognized as a science, which is so I can be an expert in federal court. And we're interested in the preservation and analysis and reporting of digital artifacts. So that would typically cover computers, laptops, obviously things like thumb drives, USB storage. Mobile phones have become a very, very big deal; that's why we chose to specialize. Electronic documents that are used in court cases. What we'll talk about near the very end is that forensics is typically a reactive science, so we get called in when there's been a problem, when there's been a civil lawsuit or criminal case, an intrusion, incident response. The big thing that we're interested in, kind of the [indistinct] of the company, is: we do all the forensics cases and that's kind of fun and interesting, you learn a bunch of stuff. What gets really exciting is when you move forensics out of the reactive and move it into the proactive space. And so near the end, we'll cover a couple of topics in mobile app security and in enterprise security that kind of fall outside the typical forensics spot of being reactive, after the scene, and then come in and do things proactively.
So real quickly, the three types of storage devices that we typically deal with. The traditional hard drive, spinning magnetic media, that's pretty simple. We can physically disconnect these things, hook up write blockers and deal with them. The solid-state drives that came out: every time a new technology comes out, there's a bunch of [indistinct] in the industry that say, this is going to change everything, we won't be able to recover any data, forensics is over, and that never happens. So obviously, we deal with solid-state drives, and they have their own host of issues and challenges that they come with. Where we really play in quite a bit, it's similar to the solid-state drives, but basically in the raw NAND flash memory. And so this is the type of memory that you'll find on a smart phone, on a USB thumb drive, other types of portable devices. They're obviously not easy to remove. We have some techniques where you can hook up JTAG clips to the CPU and basically pull data out in a debug mode. You can also do chip-off, where you basically take the flash chip off of the PCB, put it into a special reader and you can pull the data off that way. But for the most part, you're not pulling data off of these devices with a physical technique, so you have to come up with other ways to image them.

The other big thing about NAND flash, and the reason why I spend a lot of time on this, is that NAND flash has really changed the forensics and, I'm sorry, the security space. So, there's many characteristics: average NAND flash can only have about 10,000 writes. It won't sustain a charge after that. And for that reason, the Android team here at Google and then folks at Apple and a number of other companies developed or chose special file systems that are optimized for NAND storage. And we'll come into that in a little while when we talk about the types of data that you can recover off of that. The other thing too is that in the forensics space, we're very interested in preserving a piece of evidence and proving to the court or whomever it may be that we have the exact copy. In traditional hard drives, that was very simple for us to do. We pulled the plug, hooked up a write blocker, and if you don't plug that thing back in and you image it ten times, we'll always be able to verify it and we have a bit-for-bit copy. NAND flash memory, thumb drives, solid-state drives: it's impossible to do. The reason is that there's a lot of drive management and things going on behind the scenes that prevent you from getting an exact copy. So, we'll talk about some strategies to get around that, but NAND flash memory is the other big type of storage that we deal with considerably.

So, in the forensics space, we have to talk about how we're going to acquire our data. There's three primary things that we do. And the most simple approach is essentially doing backup files. We'll get these in court cases that are involving discovery, but we don't have to come in and look for deleted data. They really just need to get a bunch of files out, take a look at them and then analyze it. We also do this quite a bit on iPhones, where we'll do a backup of an iPhone and then we'll basically logically analyze the backup files that came off. You'll see it in email files, Word docs, all different types of documents. It's the least forensically sound, it's the most uninteresting from a technical perspective, and it's probably the largest thing that people do, because most cases simply don't warrant the other techniques. A second approach, and kind of emphasizing this in the mobile space, is the logical acquisition. So, on an iPhone or an Android device, we can pull out data through content providers, we can pull out data from the Apple backup protocol. But what if we can get into the phone and basically do a tar gz of the entire file system? Now, I'm not going to get deleted data, but I can get anything in /mobile or /data and everything underneath that. So, that's a type of acquisition that we do, and you could do these on Windows computers too. We are not pulling out all the unallocated space, but you are going in there and preserving the dates, timestamps and everything of that sort on the actual file system. So we consider that a logical acquisition of the device. And then kind of the gold standard of what we really strive for in the forensic space is a physical acquisition. Physical acquisition is a bit-for-bit copy of the storage medium when we did our acquisition. In a traditional hard drive space, we can repeat and verify that. But again, in NAND flash memory and solid-state drives, we'll be getting a point-in-time copy. The device, whenever it's powered on, even if it's connected to a write blocker, will always be changing behind the scenes. The nice thing about a physical acquisition is that we can easily recover deleted data out of those. And there are some specialized tools, some specialized software and hardware, that we can use in order to do the physical acquisition. But in terms of just tinkering, anybody could hook up a drive, do a physical acquisition with basically, say, a USB adapter, you hook it up to a Linux box. We'll go through some of the tools that you can use to do that. So physical acquisition is really kind of the gold standard of what we're looking for.

Now, how do we do the verification of the data, that we have an exact copy? Well, it's very simple, we simply do hash values. It's accepted in court, everybody eventually knows how they work. For those that may not be familiar, it's just a hex value that's calculated from some sort of input data. The nice thing about the hash value, of course, is that a single byte change in your source data will have an avalanche effect and will have a radically different hash value. So, we use hash values, they're admissible in court, and it allows us to say the [indistinct] are identical, I have an exact copy of the original. I did all my investigation on the copy. Now, we don't have to produce that physical media every single time we do referencing. And again, this is the challenge in the NAND flash, in the mobile space: we just can't get a hash signature to stay the same if we image that same device [indistinct] times. So you kind of do a point-in-time hash signature and basically say, this is what it was, the data hasn't changed since then, and we're going to operate off of that data set. Two common ones: MD5 is what most people use. The forensics folks are starting with SHA256 because there's a possibility of some collisions now that the number of files has increased. And again, for anybody that hasn't seen an MD5, if you took my name and ran it through MD5, here's the hex signature at the bottom of this slide that you would get for that particular data set. We do this on entire drives. Yes?
>> Sorry, so I apologize for [indistinct] my question. So, I know that if you've got [indistinct] that there's something we're allowed to [indistinct], like move things around, that's additional writes. That would explain why you're not getting any [indistinct] hash.
>> Hoog: Exactly.
>> But if you turn off writes to the thing, you should be able to get a [indistinct] hash on the flash as well?
>> Hoog: The problem is, behind the scenes, even if you're not writing, the disk is still managing itself actively. And so there's wear leveling, and it's very difficult for forensics folks to come in because most of the information on that topic is intellectual property. So when we grab a solid-state drive from Toshiba or Intel, that...
>> They don't tell you what they're doing.
>> Hoog: They don't tell you what they're doing. The wear leveling, the bad block management, the remanipulating and moving data around to optimize it, all that happens behind the scenes; we're not aware of it. Now, we'll talk about how Android's a little bit different. We have some more access in the Android space. It's still problematic, and you don't even have to write anything. You can literally hook up a write blocker, nothing is being written, and it'll still come out with a different hash value.
>> Okay.
>> Hoog: So let's talk for a minute about how to acquire a hashed forensic image. So just conceptually, if possible, if you're dealing with a solid-state drive that you pull out, or if you're dealing with a traditional hard drive, you hook it up to a physical write blocker. These are little black boxes you can buy from [indistinct] and a number of other companies. And that physically prevents any writes from ever going back to the drive; it essentially intercepts them and then doesn't pass them through. There are software techniques you can use: Linux, you can flip some flags; Windows has got a USB driver. If you're really good at something for a cord or maybe use somewhere else, you know, don't put us off around, that's not why [indistinct] on a physical write blocker. And again, this is essentially impossible to do in the NAND flash space unless you do a physical chip removal and put it on a chip reader, where you're stripped of, you know, essentially all of that flash translation layer and things of that sort. Then you physically acquire the device with software. We don't do a lot of commercial stuff; in fact, I don't think we do any commercial tools in-house with this. So we primarily focus on open source, and the presentation will just give you examples all on open source. There's a whole bunch of different tools out there. They're maintained sometimes by different federal agencies, by different forensics companies. There's a couple of examples up here. The Department of Defense dc3dd is the one that we use the most, the mobile [indistinct] example. There's also some free tools out there. For instance, FTK puts out an imager. FTK is a commercial forensics company, but they have a free imager out there that you can use to acquire an image. So you can download that and run a command line, or do it in Windows and I think a couple of other environments. And then there's the full-blown commercial tools that will also do this. So, a lot of forensic shops go down to commercial, they kind of drink that Kool-Aid and they go do all of their acquisition and analysis in a particular commercial tool. After you do the forensic analysis, you then want to do the verification, where you essentially reread the source device and you compare the hash signature and make sure that you have that identical copy.

So here's an example, if you guys want to refer back to this. We're going to post this out on viaForensics, our website. Anybody can take a look at it, and I know the Google folks are going to put this up on [indistinct]. But the Department of Defense has a Cyber Crime Center; they have a vested interest in making sure there's validated software that works and allows them to do their job, and so they put that out there as open source. It's a patched version of dd that you've seen on many Unix systems. But they do add a number of features that are helpful in the forensic space. I put an example up here where essentially you run the dc3dd command, you give it your source device, which would typically be sda or sdd, whatever [indistinct] device has been assigned by the operating system. We always put verb on. You put of, so this is the output file that you're going to write into. So you give it some name like drive01.dd, turn on verbose, do a hash signature on the fly, track that in a log file, and the very last thing is rec off. And that basically determines how you handle it when the drive has errors. So we [indistinct] two drives yesterday, it was going to be a one-day turnaround, we were going to get it back and overnight, to that same day, would let you know if both drives were throwing out read errors. So we're unable to acquire the drive and get a hash signature. So this tells the program what to do when you encounter an error. And so we basically say, if you see an error, do you want to keep going with the recovery, or do you want to stop and then go figure out what to do next? I have this from source; if you're going to use this on a workstation, it takes like 10 seconds. You can just download it from SourceForge. And I just gave an example here. On the second line, you can see write protect is on. This was a 500 [indistinct] drive.
When you use a physical write blocker and you connect it up, if you look into system messages or dmesg, [indistinct] or whatever, you'll actually see "write protect is on", so the operating system has detected that it's unable to write to the device. And so this is the type of logs that we capture to show the process that we use. About 10 percent of our cases involve failing hard drives, so what do you do with those, if you don't want to throw in the towel and say you can't get anything off this device? So you have that little flag that says, hey, what do you want to do? You either stop when you have an error and then decide, hey, I'm going to go down a totally different path and try to figure out what I'm going to do. A lot of times people will continue on error and simply pad the sectors that you can't read, and pad them with nulls. That way you maintain the same size of the dd image as the actual hard drive; you rip past the bad blocks and you pad it with zeros and then you decide, what do you do, do you go back and explain that later, or how do you want to deal with it? The other option that exists is that you skip the bad blocks, and that's probably a really bad idea. If you image a 500 gig hard drive and 499 gigs come through, you've got a problem explaining why there are these differences. So this is an example here of what you'll see, or what you don't want to see: we're imaging a hard drive that's connected to sde, we start getting abort commands, we can't sense the information, and it says, hey, I can't read this sector. I've got to find out I'm buffering or I can't do anything.

The trick that we found, and it's great software, again, this is open source under the [indistinct] project, is ddrescue. It's an extremely powerful program; you go out there, you compile it, and what it does is it begins to read the drive as fast as it can. As soon as it starts hitting bad blocks, it essentially skips over them and it keeps going. And the idea is, if your hard drive is going to fail, let's rip every piece of data we can off of it as quick as possible. As soon as we get to the end of the drive, it maintains a list of which blocks are bad, and then it goes back and it takes the size of the sector that it reads and it makes it smaller and smaller and smaller. And it takes a long time, but we typically get very, very good recovery by skipping over the bad blocks. It has the ability to read things backwards, to read them direct or indirect; it has a whole bunch of different options. So if you ever have a hard drive for a family member, which is a, I'm sure you guys have gotten these requests before, the hard drive is partially failed, all is not lost. Take a look at ddrescue, it's a great program, and again you can just download that and compile it.

So, I want to spend just a quick overview on what does a typical forensic investigation look like. And I say typical because there really isn't a typical one, but there are a number of steps that you ought to consider. We believe very, very strongly in building a timeline of events; it's the first thing that we want to do when we get a computer. We want to figure out the entire, what we call MACD, the modified, accessed, changed and created timestamps on the entire file system. We want to rip through the metadata inside the files themselves and we want to build an entire timeline, anything that happened on that device. And now we can zero in and say this file was modified at this time, we saw a registry change here, and somebody connecting a USB drive, and we could find out everything that is happening. So the first thing that we do is we create a timeline, and I'm going to step you through these in some examples.
You don't have to mount the dd image to do that, so we've got some special software, open source software, that will allow you to do it. We then mount the dd image as read-only, so we're only working on the copy, but we mount that read-only. We list off every file that's on there and every file that the file system is aware of that's deleted, so we list off every single file, deleted and not deleted. And then we begin to analyze key files. If you're in the Windows space, you're going to be looking at registry files, link files, user profile, web history, whatever it happens to be. If you're running a [indistinct] or Linux, you're going to look at the bash history, you're going to look at the recently run programs, you're going to look at the GVFS metadata about the file systems that have been connected. You're going to try to basically piece together all of the information on the system. At that point, we typically move into recovering deleted files that may be important to the case. Now, deleted files are typically still referenced inside the database, if you will, of the file system. So, in an NTFS file system, you have the master file table, the MFT, or you've got the file system that has its own [indistinct] table. It is essentially a list of all the different files that it's aware of, where their inodes are, where they point. And when you delete a file, the entries can still exist in that master database. So, we'll go into the NTFS database, the MFT, and we'll parse it out and then decide whether we've recovered somebody's deleted files. Here, I'll show you an example of that.
In a minute.If you're unable to recover them, there's still the possibility that the data exists in what we call unallocated space, space that was perhaps allocated at some point.The operating system says i am not using this anymore but maybe there are files or file fragments in there.So, we use a technique called file carving.We'll go in and see if we can extract out or carve out unallocated files that are unallocated.Then we may do something like a full index search of the dd image, and a full index search of all of.
The logical files so that we can come and search and look for keywords and things of that sort.And then from there it really goes in a million directions.People hide sensitive data in other files.That's called stenography.You can go in and try to figure these things out.So, there's a million different specialties that have been in the forensic space.But these first six or seven steps are really what you're going to do in many, many investigations to get that start.So, this kind of part of the talk, we're going to go into specific.
Examples.These are all open source tools that again, you can download and install.There's an excellent tool, we use it all the time.It's called the sleuth kit.It's written by brian carrier.He still actively maintains it.He also wrote a fantastic book calledwe call it fsfa.It's file system forensic analysis.It's 400 pages of everything you wanted or didn't want to know about file systems.And if you have insomnia and, with all respect to brian, pick up that book late in the evening, you'll be set or pick up our book, it's pretty.
Much the same thing.But what you need to go in there and understand why did microsoft update this time in milliseconds, this one in an hour and then here it's every two seconds.Brian's got all the details in his book.It's kind of the bible for forensics people when it comes to file systems.So, he's got the book and then he has the sleuth kit that's out there.You can install that with different forensic packages and whatnot.But again, if you're going to be playing around with this, just download it from source.It's very,.
very simple to compile. He pushed down an update two or three days ago. It supports a lot of file systems that you may run into: NTFS, FAT, different Linux file systems, CD-ROMs, and it's just sitting out there. It's sleuthkit. So we're going to spend a few slides going through some examples.

One of the first programs you'll find out there is called mmls, media management ls, if you will. And that basically gives you partition info. So, if you look at the screen here, you can see that I'm doing an mmls on [indistinct]. So that's on a physically connected disk. You can just as well do these on dd images. And you can see each one of the different pieces of the file system. It's probably quite obvious here that we're dealing with a Linux file system. You can see that... and this is very, very common. The DOS partition table is typically 63 bytes long. The first byte tells us everything that we need to know about the file system and then you've got 62 bytes that are essentially unused, unallocated. So, that's why you see the primary allocation table and then unallocated. And then you can see that we've got a Linux partition, ext3. And you go down the table and you can see all the different data. So, this would tell us, for our physical device or dd image, what does a file system look like and where should we be looking for data. In a lot of cases, we're going to jump right into the ext3 or the NTFS. If we've got somebody that's very good technically, we might start looking in unallocated space. And say, you know what, somebody could hide data physically on the drive and move it into an unallocated partition. That's easy enough for us then to see here and kind of focus the investigation. So, mmls will give you that background information.

The next thing that you can do is you can run a program in The Sleuth Kit called fsstat, file system statistics. It will give you a lot of information. On this particular one, you see I switched to a different file. This time I'm looking at a dd image of webOS taken from a Palm Pre. So, this is a dd where we went out, we got a physical image of a... of a Palm Pre, it was running webOS. We've done
a secure erase on it. We wanted to see how effective secure erase is on webOS. And so by doing fsstat, you can see a lot of this didn't fit on the screen. So, I just kind of cut it off after the first couple of lines. But you can see information about the file system. What file system, what was the volume ID, when it was last written or updated, mounted, a whole bunch of information, and it gets into all the metadata and then will individually list out each of the files and the inodes, what files they're connected to, and essentially allow you to reverse the entry and recover information. So, that's fsstat.

Now, the one that's really interesting and we spend... we use quite often is something called forensics list, or forensic ls. This utility, where we can come in and we can clear things like the master file table, the MFT, that's part of NTFS. And we can say, rip through that whole database and tell me everything that you see on the system. You can provide different offsets. So, you can take a dd image and you could just examine that third partition or that fourth partition. So, fls will basically rip through and pull out everything about the allocated... about the file system that it can find. Again, I refer back to this MACB. This is going to give us any time that a file is modified, accessed, changed or deleted. And we use this to build our timeline analysis. And here's an example of a command on running fls, putting in the Central time zone, otherwise it will be in GMT. We track what the skew is in terms of the real time versus what the BIOS is reporting. So, we do an investigation,
we boot up the computer, we look at the atomic clocks that we have, we look at the BIOS, we figure out there's a three-second skew. And that's probably important in, like, in an incident response. But we have to come in and try to decide whether or not something happened three seconds ago, and it matters if we're matching up logs. So you can tell it what the skew offset is, you give it a label, a file system, some offsets, and then you basically point it at the file. So in this particular example, we're actually looking at, down here at the command, I did it against an NTFS file system. And you can begin to see... and it's difficult to read. The next slide will address that. The different files, if you'd noticed there is... about halfway down, there's one that says $MFT and then $MFTMirr. Those are the two NTFS databases that track your entire file system. It actually stores a primary MFT and then it mirrors the MFT. So, if somebody tries to wipe out your entire system, we have the ability to protect you. You can come back and grab the mirror MFT and essentially recover what has been mirrored by the operating system. So, by looking at it from a forensics perspective, we're actually looking at the dollar-sign special files that you don't have access to with the normal operating system. Then we can parse that information out.

Now, looking at it in this format is a little challenging. So, the file that you created is called a body file. It's just the terminology that the forensics community came up with. And so what you... what you do is you then take a program called mactime. And you point it at a body file and you say, hey, I need to make this human readable. So, give me something that's better to use. And so in forensics, what we'll typically do is we'll put it into CSV. And then we can hand this off to attorneys. We can go in and filter it and say, hey, show me everything that was modified at this time. Show me anything that was deleted or whatnot. In this particular example... I'm going to go back a page... well, in this particular example, maybe we can cover it later, you can actually see the files that have been deleted and the files that have been deleted and reallocated. If they've been reallocated, that's basically been reused by another file but we don't have it fully recovered. If it simply shows up as deleted, we have tools that will then jump in and recover that deleted information off of the drive or the dd image. So, once you've got the dd image, you've got a forensics copy, you've got your hash signature, now what you want to do, you need to mount that dd image. You need to be able to open that single file up and do stuff on it.
>> [Audience]: I just want... under what circumstances is there a record of the file actually staying on the disk, either as just deleted or as reallocated?

>> Hoog: So, if somebody deletes it... and I actually had a different example and I think I changed it out at the last minute. But if somebody comes in and deletes a file in an NTFS file system... and we'll talk about YAFFS2 next, which is a log-structured file system. It's totally different in how they handle it. But essentially, that record stays in the MFT database until it gets reallocated, until the file system says, hey, I need to reuse that space. And so, what we end up having is the file system marks it as deleted but it's still sitting there. It's still allocated on the disk. It's still referenced as deleted but it's never shown up in the actual file system. So, when you come in with, like, fls, you'll find tons of references of deleted files that are sitting there and recoverable. Now, there's another case where it's still sitting in the MFT but some of the sectors on the disk that were storing that file get reallocated for another file. And then we have a situation where we're aware that the file existed but part or all of it has been reused on the... on the disk. So then we get a status of deleted-reallocated.

>> [Audience]: But for most NTFS systems, files that you deleted years ago still show up?

>> Hoog: It's kind of a mix. The file... the system-level files tend to get reallocated quite a bit, but we find a lot of user-based files that we do end up recovering, and it depends. If somebody had a 250 gig hard drive, they only use 30 gigs, let's say they came in and deleted all their files or went into Internet Explorer and tried to do a clear cache because, you know, they wanted to hide what they were doing, we'll essentially recover all of that. Now, if it was five years ago, it kind of depends.

>> [Audience]: You also have a record of files?

>> Hoog: A lot of times you have the record unless the MFT itself does a clean-up and basically, you know, completely gets rid of that. But in general, we see all that information. So,
in this particular example, we need to mount the dd image. So we come in with mmls and we take a look at the dd image that we have out there. Just like you saw with the physical disk, you can see the partition table. This actually was pulled out of an Android device and was the SD card. We pulled out the SD card, we imaged it, and we can see that, unlike most hard drives, we actually had the primary partition table in the first, basically, one sector, and then we have 128 that are unallocated, and then at 129 the [indistinct] FAT16 file system. So, we basically use that information, that 129, to then go out and mount the file system. So, we go out and we create a directory and, with sudo access, you basically say, hey, I want you to mount the vfat file system. I want you to mount it on a loopback. So we're setting up a loopback device because we don't have a physical device that we're using, mounted read-only, and here's my offset. The offset number is basically the start of the FAT16 times the size of the sectors, so 129 times 512 will lead you out to 66048. So, it tells mount to seek out to that part of the file, the mount is read-only as a FAT file system, and then here's my dd file and where to mount it. If you then go out and take a look at the... at your mount tables, you'll see that on /dev/loop0 we have the vfat file system, and then you can see that the vfat file system here at the very bottom has got 1.9 gigs, 244 megs are used. So, you can basically mount that dd and enjoy your workstation. At that point in time you jump in and you can do any analysis that you want, because you're working on a read-only copy of the original source media.

So, a couple more slides and I want to just kind of give you some ideas. There's a gentleman I've been speaking with for probably over a year now, Kristinn Gudjonsson, he's out in Iceland, he developed log2timeline, which I slightly misspelled and I have it here. But a lot of the timeline was Kristinn's
attempt to basically say there's a lot of valuable metadata in individual files, sitting in registry files. I can pull out timing info from registry files, from the event logs, from the MFT, prefetch, browser history, Flash cookies done by the Flash [indistinct]. So, he's got 46 different file types that he can extract timeline data out of. And so, if you download his software and essentially compile that, he'll export it into ten different formats, just sitting out there at log2timeline. It's great software, and so what we do is we just run a piece of his software, it's called timescanner. So we basically tell timescanner to go in, to look at the mounted SD card directory that we mounted the file system at, to put everything in the Central time zone, and to rip off any piece of forensic metadata, file timeline metadata, it can, of all the files that it finds. And so it'll find DLLs, what time the DLLs were created, what sort of cookies are found, any kind of information, and it will put that into a body file. We take that same body file that The Sleuth Kit helped us fill, put those two things together, and then we run [indistinct] against that and create a... basically called a super timeline. So, we've got every piece of information we could want, whatever we could possibly track out of that device, and now we've got a timeline.

A couple of other tools to mention. Harlan Carvey, he's also published a few books [indistinct], he focuses really only in the Windows space, and he developed a tool, RegRipper. A lot of people use this together in Perl. I tried to convince Kristinn to move to... Kristinn to move to Python and I think he's considering it. Harlan does all his stuff in Perl and he actually wrote it for the Windows platform, but there is a Linux [indistinct] which is the one that we use. And the goal of RegRipper is essentially to parse out the Windows registry files, pull out every piece of information it can possibly get out of the registry. And it's pretty amazing what you can find there in the registry. So, you can go out to regripper.wordpress and essentially download that tool, compile it, and you can specify the registry file and then what sort of data you want to extract from it. This is open source software and it will rip forensic data out of a Windows system.

The last tool that I want to talk about is Scalpel. Scalpel is a file carving utility. Again, this is open source. For years and years it's been sitting, I've [indistinct], and about a month ago they released a [indistinct] version. So you can go out to the website, download Scalpel, you can compile it. Download it, and they don't actually have a make install, and you can basically copy that into a
local bin. And what you do with Scalpel is that many files have essentially a magic number at the very top, and you can identify a single live file, you can identify a JPEG. And so what Scalpel does is it rips through the dd image and it says, hey, I'm looking for any of these known file headers. They specify a bunch of them ahead of time for you. You can basically put your own ones in there. Any time it finds one, it then will parse through the system and look for the footer. If it has a defined footer, it will go through and do 10K or 800K or whatever you tell it to do. It'll look for a separate type of identifier and then reverse and go backwards, so for some PDF files, you need to find the start, find the bottom marker and then go back up a couple spots, and so it will find the last one. So, there's a lot of functionality built into Scalpel that will allow you to carve files out of the file system. So, there's kind of a standard Scalpel configuration that comes with it. We developed our own Scalpel configuration possible in Android and iPhone because they
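The header-and-footer carving Scalpel does, as an added example in Python (my code, not Scalpel's and not the speaker's): it carves a constructed image using a forward footer search for JPEG, a reverse (last footer in the window) search for PDF, which is the case described above for PDFs, and a fixed maximum size when no footer turns up. The JPEG and PDF magic bytes are real; the size limits and the image contents are constructed.

```python
"""Scalpel-style header/footer file carving over a raw image (added example, constructed data)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CarveRule:
    """One line of a scalpel.conf-style ruleset (my simplified form of it)."""
    ext: str
    header: bytes
    footer: Optional[bytes]    # None: no footer, carve max_size bytes after the header
    max_size: int              # upper bound on the carved region, header included
    reverse: bool = False      # True: use the LAST footer inside the window (Scalpel's REVERSE)


# JPEG and PDF magic bytes are real; the size limits are constructed for this example.
RULES = [
    CarveRule("jpg", b"\xff\xd8\xff", b"\xff\xd9", 200),
    CarveRule("pdf", b"%PDF", b"%%EOF", 300, reverse=True),
]


def carve(image: bytes, rules=RULES) -> List[Tuple[str, int, int]]:
    """Return (ext, start, end) for each header hit; end is exclusive.

    For every header occurrence the footer is searched only inside a window of
    max_size bytes. Forward search takes the first footer; reverse search takes
    the last one, which incrementally updated PDFs need because they contain
    several %%EOF markers. With no footer hit, max_size bytes are carved.
    """
    found = []
    for rule in rules:
        pos = image.find(rule.header)
        while pos != -1:
            body_start = pos + len(rule.header)
            window_end = min(len(image), pos + rule.max_size)
            end = window_end
            if rule.footer is not None:
                window = image[body_start:window_end]
                idx = window.rfind(rule.footer) if rule.reverse else window.find(rule.footer)
                if idx != -1:
                    end = body_start + idx + len(rule.footer)
            found.append((rule.ext, pos, end))
            # Continue after the carved region (Scalpel itself keeps scanning inside it too).
            pos = image.find(rule.header, end)
    return sorted(found, key=lambda hit: hit[1])


# Constructed "dd image": filler, a fake JPEG, filler, a fake PDF with two %%EOF markers, filler.
FILLER = b"\x00" * 40
JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-body-constructed" + b"\xff\xd9"
PDF = b"%PDF-1.4\n" + b"obj...%%EOF\n" + b"xref-update...\n" + b"%%EOF"
IMAGE = FILLER + JPEG + FILLER + PDF + FILLER


def carved_files(image: bytes = IMAGE, rules=RULES) -> List[Tuple[str, bytes]]:
    """Scalpel writes each hit into its output directory; here the bytes are returned instead."""
    return [(ext, image[start:end]) for ext, start, end in carve(image, rules)]


if __name__ == "__main__":
    for ext, data in carved_files():
        print(ext, len(data), data[:12])
```

Switching the PDF rule to a forward search stops at the first %%EOF and truncates the file, which is exactly why the reverse option exists.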
are different types of file systems and we're pulling out different information. All of that goes in the Scalpel output directory and then you can go in and see all the recovered files.

So, I'm going to shift gears here and I want to talk a little bit about the Android space. Android obviously uses NAND flash memory. This is, again, we have a specialty in this. We've got our books around, we've got some commercial software. Unlike iPhone and other platforms, the Android folks decided to not have NAND flash memory where the manufacturer had to use a certain one. So, it allows them to use any NAND flash that they want. And they provide this layer that sits between the developer and the NAND flash, called the flash translation layer, that basically exposes the flash as a block [indistinct]. So, that is implemented in software in the Android space, and the flash translation handles the wear leveling, bad block management, some of the stuff we were talking about earlier. In Android and in Linux, the flash translation layer that most people use is called MTD, memory technology devices. Again, it's another open source device. The newer Android devices, Samsung started doing this first. They're actually beginning to move away from the MTD and they're coming out with their own NAND flash chips that have the flash translation that are built in the [indistinct]. It's already baked in, so we don't have the same kind of access we have in the earlier Android devices. But... so those are built in the [indistinct], but on a lot of the other phones we still have the /dev/mtd devices where we can do our physical imaging.

Now, MTD divides the memory essentially into different blocks. The setup is a little different than a traditional hard drive. You're normally looking at a 128K block and there are 64 bytes of out-of-band data that are stored inside the block for each chunk or each particular page. And inside that is where, for instance, you have storage of a bunch of metadata: bad block, error correction code and things of that sort. So, this is kind of what it looks like in the Android space. So, if you have an Android device using the MTD, memory technology devices, that accesses your NAND memory, you basically have 132K as your block size. In that case you have 64 two-kilobyte chunks and after each one of these 2K chunks you have 64 bytes of out-of-band data. The great thing about doing forensics on Android with MTD is that when you're able to get your hands on the OOB data, you can do a lot more with the devices, because we're actually seeing how the NAND flash is being managed by the flash translation layer. So, we can see where the bad blocks have been marked. What is the wear leveling technique, can we reassemble the blocks back in [indistinct] allocation even though they're scattered all out over the physical image? So that is a big change for us and something that in the Android space we're now able to do, and this is kind of what it looks like.

As we talked about earlier, there are a couple of different forensic techniques that you use. You've got your physical techniques, but the first thing that you start out with is a logical recovery. In most cases it's sufficient to start there, it's the least complex. In
the Android space, you do a logical recovery using content providers. It's an interface that the Android team built in to allow apps to share data. So we essentially come in, we say, hey, we want to share some of the... take some of that information that's being shared. We have a free tool that we developed. We give it away to law enforcement and to different government agencies. It's called AFLogical and it basically goes out and it takes the content providers, it reads that information logically, so it won't get any deleted data. And then it stores it and analyzes it. We [indistinct] about 10 days ago to release the commercial tool based on AFLogical that takes all of the manual stuff that had to be done, does different analysis on it and puts it into a virtual machine and makes it point [indistinct] kind of easy. So, logical recoveries are the primary thing that you could do on Android devices. But we're interested in moving beyond those content providers, those... the content providers, because we're only getting the information that the Android developer chose to share with us. So, we can pull SMS, we can pull out... right now, we pull out about 40, 45 content providers, we're working on a new version that may pull out a couple hundred, but it's still a limited amount of data.

So, to get beyond the content providers, you basically need to escalate privileges, you need to get some sort of access to the device. Now, if you had the original group of dev phones, you just had [indistinct] as your access, that was great, no problem. This talk is not about how to... how to get [indistinct] on Android. If you want to do that, you know, you can Google dev phone, go out to XDA, go buy our book. So we're not really going to cover how to do that, but basically if you escalate privileges on the device, you can then take the next step forward, which says, all right, I want to tar gz up the entire file system. It's not the same as having unallocated, but it is going to get us everything under /data/data. And if you're in the Android space, if you can get that to record, you've got a lot of what you need.
So, that would be all of the SQLite databases, preferences, files, pictures, images that app developers are storing inside their protected space that they could... when they spin off any [indistinct]. So we'll... if we can escalate privileges, then we'll go for a logical acquisition. You could push [indistinct] up to the phone as long as you recompile it for the ARM platform, you could tar gz it and send it out, like over netcat, or you can just use something like an adb pull of /data as a recursive pull. We have some issues when you do larger recursive pulls, you could run into some issues. So, in general, if we're doing it for a case, we'll do a tar gz and send it out over netcat.

But the real goal in the forensic space, of course, is this physical acquisition. And so in the Android space, once you've escalated privileges... and quite frankly it's the same deal in the iPhone space, you get escalated privileges and then you've got two options. In the Android space, dd comes built in. I love it. There's no copy command, there's no cp command in Android. If you want to copy a file, you've got shell access, you have to dd it from one file to the next, and I like that, and it makes me smile and mostly confuses everybody else. If you do the dd, dd does not have access to the out-of-band data. So, if you go in and you do a dd on one of the MTD devices, you're actually not going to get all of the information that you would want for a forensic analysis. Now, it gives you quite a bit of data, it's going to get you unallocated data, but it's not going to get you all the pieces of the puzzle. So, what you really need to do... and this took us, some folks, other people some time to figure out, but you need to go in there and do a full NAND dump. That's going to include all of that out-of-band data that we talked about. We have a custom version of nanddump that we developed, it allows us to get a full dump of the MTD partition, and then on top of that you have to deal with things like bad blocks and things of that sort. So we
basically build our own. You could go out and compile some of the nanddump versions out there that are available and do it for ARM and essentially use that as well. And once you do that, now you can take advantage of all of the special stuff that you get with YAFFS2. YAFFS2 is the file system that Google originally chose, that... it's basically being angled away from, and some people run ext3 and some people are now... the Google team and the Android teams are on ext4, but YAFFS2 is great. It was open source, it's a log-structured file system, so the best way to think about that, and I had to look it up when I first read about it, is that it's essentially like source control on your file system. Because it doesn't ever go back and rewrite a block, it can only erase the block and then... and then write the data there, it just says it's more efficient for me to write at the front of the log. So, if you have a file and you change a couple of bytes in it, it just says, go ignore that previous byte and rewrite that entire block at the front of the log. So, what we get when we analyze the YAFFS2 file system, if garbage collection hasn't occurred, is basically an entirely versioned file system, where we can recreate every single state the file was ever in. Now, of course, in practice we have to reclaim space on the device and so garbage collection occurs and so we may end up having fragments of different files. But in fact, we get a very, very dramatic recovery from the YAFFS2 file system.

I don't think we've been geeky enough, so I want to take it up one more notch here and say that... let's take a look at YAFFS2 from a [indistinct] point. So, if we're... you have access on the device, you can get into /dev/mtd, so here we do a nanddump of /dev/mtd and I wanted to get rid of a bunch of zeros and FFs that go flying by; that's important to the file system but it's not that interesting when we're looking at it on screen. So, what you essentially have here is we're looking at the raw flash NAND dump of a particular file. At the very top, you can see that the file one.txt is the name. The YAFFS2 file system
has basically two types of data. It either has an object header or it has object data. What we're looking at here is an object header, so this is giving us the file name. And then most people would say, well, there's no other information over here, there's nothing else I can do, so, well, there's just a bunch of binary data and a couple here, so let's move on. But honestly, there's quite a bit more information here, you just have to look at the YAFFS2 source code, figure out what it is. So, Android stores integers in little endian, so right to left. And if you look in here, I highlighted a couple different things, you'll see a repeating pattern of 36 99 5d 4d. In the end, this [indistinct] of being a time stamp. So what you've got is you've got a little endian number at the [indistinct], so you actually have to completely reverse these guys. So, you take that 36 99 5d 4d and you flip it around completely. So you end up with 4d5d9936. You take that number, that hex number, and you convert it to a base ten number. You come out with a time stamp, and actually Android does time stamps in milliseconds for the most part. And so you end up getting the number of milliseconds since 1970. As soon as you recognize that date format, you can pass it into a number of tools, convert that date, format their date time stamp. So, file one.txt was written on Thursday, February 17th at 3:55 PM, which means that I was working on my book in the middle of a workday in mid-February. So, this is actually an example that was taken out of the book. But it's very interesting, with the YAFFS2 file system,
you could essentially come back in, rip up all of the object headers and recreate every single time that a file was accessed, modified or changed on the entire file system. And so what you have to do is you've got to get into the source code. You have to look at the stuff in hex, you have to try to figure out what the data looks like and then essentially write programs. The type of stuff that we're doing here is not supported in the commercial forensic tools for the most part. So, what we can do is we spend a couple of years ahead of what the big forensics tools are going to be and we write our own Python scripts to essentially rip through the image, pull off the OOB stuff and do some data carving, go back in, put the file system back in block allocation order, start ripping out the object headers, build a timeline, and let's figure out what happened on this device. So, by starting with the basic tools, The Sleuth Kit, dd, hex editors, you can basically get physical images of these devices, work your way all the way up into the hex dumps and then again figure out the file system structure.

YAFFS2 is interesting, they actually don't track the access time. Because every time a file is accessed, they didn't want to rewrite a new object header, which would be a new write to the... to the NAND flash, which would ultimately wear the device out. So, there's an atime that's in there. It's actually the first time that it was created and then they never updated the access time after that. But they do also track the modified time and the changed time on the file. You could pull up the object ID that's out in the out-of-band, you can do different cross-referencing and basically figure out, you know, what file is this, what... you know, what are the different blocks that are used in the allocation. So we could build that entire timeline and then you can also go and begin your [indistinct] files and other pieces of binary data that might be of importance to your investigation, for your analysis.

So, the last slide to kind of wrap this up. This is all kind of interesting stuff, it's Android, it's iPhone, it's whatever.
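The little-endian timestamp reversal and the object-header timeline building described above, as an added example in Python (my code, not the speaker's or viaForensics' scripts). It constructs a yaffs_obj_hdr for one.txt carrying the 0x4d5d9936 value from the talk, decodes name, mode and atime/mtime/ctime, and emits a TSK body-file line that mactime can consume next to fls output. The field offsets are my reading of struct yaffs_obj_hdr and should be verified against the YAFFS2 source you have; the timestamp field is read as seconds since 1970, which is what yields the Thursday, February 17th 2011, 3:55 PM Central result quoted in the talk.

```python
"""Decode a YAFFS2 object header: name, little-endian timestamps, TSK body-file line (added example)."""
import stat
import struct
from datetime import datetime, timedelta, timezone

# Field offsets inside struct yaffs_obj_hdr as I read the YAFFS2 source (assumption, verify
# against your tree): u32 type @0, u32 parent_obj_id @4, u16 sum_no_longer_used @8,
# char name[256] @10, then 4-byte aligned u32 yst_mode @268, yst_uid @272, yst_gid @276,
# yst_atime @280, yst_mtime @284, yst_ctime @288, file_size_low @292.
OFF_TYPE, OFF_PARENT, OFF_NAME, NAME_LEN = 0, 4, 10, 256
OFF_MODE, OFF_UID, OFF_GID, OFF_ATIME, OFF_MTIME, OFF_CTIME, OFF_SIZE = 268, 272, 276, 280, 284, 288, 292
YAFFS_OBJECT_TYPE_FILE = 1
CENTRAL = timezone(timedelta(hours=-6))  # Central Standard Time, the talk's timeline zone in February


def le32(raw: bytes) -> int:
    """The 'flip it around' step from the talk: on-disk 36 99 5d 4d reads as 0x4d5d9936."""
    return struct.unpack("<I", raw)[0]


def parse_obj_hdr(chunk: bytes) -> dict:
    """Pull name, mode, owner and the three timestamps (seconds since 1970) out of a header chunk."""
    if len(chunk) < OFF_SIZE + 4:
        raise ValueError("chunk too short for a yaffs_obj_hdr")
    raw_name = chunk[OFF_NAME:OFF_NAME + NAME_LEN].split(b"\x00", 1)[0]
    return {
        "type": le32(chunk[OFF_TYPE:OFF_TYPE + 4]),
        "parent": le32(chunk[OFF_PARENT:OFF_PARENT + 4]),
        "name": raw_name.decode("utf-8", "replace"),
        "mode": le32(chunk[OFF_MODE:OFF_MODE + 4]),
        "uid": le32(chunk[OFF_UID:OFF_UID + 4]),
        "gid": le32(chunk[OFF_GID:OFF_GID + 4]),
        "atime": le32(chunk[OFF_ATIME:OFF_ATIME + 4]),   # set at creation, never updated afterwards
        "mtime": le32(chunk[OFF_MTIME:OFF_MTIME + 4]),
        "ctime": le32(chunk[OFF_CTIME:OFF_CTIME + 4]),
        "size": le32(chunk[OFF_SIZE:OFF_SIZE + 4]),
    }


def to_utc_iso(ts: int) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def to_local(ts: int, tz=CENTRAL) -> str:
    return datetime.fromtimestamp(ts, tz).strftime("%A, %B %d %Y %I:%M %p")


def body_line(hdr: dict, obj_id: int) -> str:
    """TSK 3.x body-file line (MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime)
    so the header can be fed to mactime alongside fls output. crtime is 0: the header has none."""
    mode_str = "r/r" + stat.filemode(hdr["mode"])[1:]   # regular-file form; a directory would be d/d
    return "0|{}|{}|{}|{}|{}|{}|{}|{}|{}|0".format(
        hdr["name"], obj_id, mode_str, hdr["uid"], hdr["gid"], hdr["size"],
        hdr["atime"], hdr["mtime"], hdr["ctime"])


def build_sample_header() -> bytes:
    """Constructed header for one.txt carrying the 0x4d5d9936 stamp shown in the talk."""
    hdr = bytearray(512)   # enough room for the fields read above; on the device it fills a chunk
    struct.pack_into("<II", hdr, OFF_TYPE, YAFFS_OBJECT_TYPE_FILE, 1)   # type, parent = root
    hdr[OFF_NAME:OFF_NAME + 7] = b"one.txt"
    ts = 0x4D5D9936
    struct.pack_into("<IIIIIII", hdr, OFF_MODE, 0o100644, 1000, 1000, ts, ts, ts, 12)
    return bytes(hdr)


if __name__ == "__main__":
    h = parse_obj_hdr(build_sample_header())
    print(h["name"], to_local(h["mtime"]))
    print(body_line(h, 257))
```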
The different files, and you can do this on anything that's out there. But the forensic space is kind of in the corner of security. So, you've got security that sometimes sits at the side, and then in the side of that, we're all the way off in the corner. So, we're the guys that don't get out of the lab that often. And for a commercial forensics company, the traditional technique was: do more investigations. How do I get bigger? I do ten times the investigations and then ten times that, and maybe someday we could have a couple hundred employees doing investigations. There's a change that's happening and we'd like to think that we're kind of at the forefront of that. While we find the forensic investigation, the hex analysis, fascinating, what's far more interesting is if you take this reactive science of forensics and say, let's not call the forensics guys in after there's an incident, let's kind of... invite them to the party ahead of time, you know, we want to be in the nice offices and have the nice foosball tables and hang out with you guys. So, let's get us out of the corner and move us into the proactive space. And when you apply forensics in the proactive space, amazing things happen. And I want to just give you a couple of quick examples. You can check this stuff out online and take a look at it.

The first thing that we do, we do some basic mobile app security testing. It's low-hanging stuff. I mean, it's kind of the easiest of the easiest. So you go out there, you take a device, you may have privileges on it, you may not need privileges depending on what's your view of content providers or what app comes in the backup utilities. And you go out there and you look for data that says, since you stored it on the device, in an insecure fashion. Now, we've been doing this for a little while. We've got about a hundred mobile app reviews out on our website. You can take a look, you can filter it, you can see what applications are storing data in an insecure fashion. So what's interesting about this? Well, by using forensics, we can spot different issues that we may say to the development team, hey, there's a better way
to store this information. Now, we can have lots of debates about, well, if you're storing information onto a device and you encrypt it and you did not type in a 32-character, you know, key file every time they want to access their SMS, have you really secured the information? And in the space, and in the mobile space, especially when you look at the threat to consumers, the main threat to consumers is cyber criminals, people that want to steal their identity, they want to get financial information. So what they go for is the easiest stuff, the lowest-hanging fruit. If they have to come in, compromise the device, perhaps root the... get in there, find out what programs are running, try to pull the encryption keys out, get that data off and then maybe get a username or password, it's way easier for them to just take all of the different apps that store your username and password in plain text, they just copy them all. So, there's kind of this... yes, you can't necessarily fully secure a device if somebody gets root on it, but you can make it far more difficult for them. So that's one space when you apply forensics to mobile app security and you take a look at what sort of data exists on this device. I actually did a presentation down at the American Banker conference, I think it was a week or so ago. So, there's a lot more information about this, and if you hit that second link, you kind of go through the presentation and get some more details on, how do you apply forensics to this space, what kind of information can be recovered. We have a very simple rating of pass or fail; something around 17 percent of the apps passed. I think somewhere around 30 or so percent get a warning and almost 50 percent of the apps failed the most basic tests. And now, with this information that you would typically consider private, that would be protected by a username and password, this basically contributes to pull up the device. So that's kind of an interesting space, applying forensics proactively in the security space and saying, what can we find out about these devices, so if you change some of your development techniques and only store the information that really needs to be stored there. If my Android device or my iPhone or whatever I happen to have is always online, then why do we have to cache pieces of info? Now, there are applications that require data to be cached. In those particular cases, you do a balance between security and usability and a number of other things. But a lot of times, we'll simply find information that has no business being on the device and it's just sitting there. So, that's kind of an interesting application in the mobile space.
The, you know, the other space i want to talk about is that when forensics guys get called in instead of response guys getting called in, we'll come and we'll look at a computer or we'll look at a server and something happened.It may be an hour ago, most likely it was a day or a week or a month ago and we basically are saidtold, hey, something happened.Can you help pieceget the puzzle and we're actually really good at that.But it's a really tough job, so we'll come in about 70 or 80 of what we need to tell you what happened.
Is gone.Network connections, ran, link files, somebody cleaned up after themselves, is gone, you can never get it back.Windows does a great thing.Windows will only track the last time you plugged in a usb drive.And that's also only what it feels like.Sometimes it just doesn't track it at all.So we come back and somebody said, well, we know this usb drive had sensitive info on it.How many times did they connect it we can't tell you.Windows doesn't track.So instead of coming in after the milk has been spilled and trying to put.
Humpty dumpty back together again, there's a totally different way to approach this problem.Forensic metadata is actually pretty tiny.If you look at a registry file, it's a couple indistinct so, if you have a key server that has potential information and they've taken all of it, don't wait until you get comprised, just pull those three meds off everyday, every hour, every 15 minutes.You guys know something about storing data and putting it in a database, and analyzing and making sense of it, right so, why not just.
Gio with that information somewhere and so that's what we did.One of the other interesting things we called a continuous forensics monitoring, but the idea is let's not wait until something happens.Let's see if we can get ahead of that.And now you've got an exact copy of everything that you need to know.And if something happened a day or a week ago, guess what, we'll just pull it up, yeah, all those usb drives are connected, you guys missed it, we missed it, we weren't monitoring it.And i can tell you who, what, when, i can tell.
You the network connection, i can tell you what happened.So it's a really interesting space and i just wanted to share with you guys to think about if you kind of get into the forensics stuff and you start tinkering if it's interesting to find what's sitting on your device, it's far more interesting to think about how can you take the forensic science and apply that proactively to security or to improving development techniques so that we can come up with more efficient ways or more effective and more secure ways to.
Hacking The Windows Registry
Hacking the Windows Registry: Info level beginner; presenter Eli the Computer Guy; date created January 23, 2012; length of class 23 minutes; tracks: hacking, computer security, integrity.
Some Pitfalls of Interpreting Forensic Artifacts in the Windows Registry: Jacky Fox, student at UCD School of Computer Science and Informatics, presents the results of her dissertation on Windows registry reporting, focusing on.
Windows Registry Forensic Analysis, Part 1: The Windows registry contains lots of information that is of potential evidential value or helpful in aiding forensic examiners with other aspects of forensic analysis.
Introduction to Computer Forensics, Registry Introduction: Introduction to computer forensics, registry introduction.
Introduction to Computer Forensics, Registry Overview, Autoruns and Running Processes: Introduction to computer forensics, registry overview, autoruns and running processes.
Windows FE CD, a Windows-based Boot CD for Computer Forensics: A short tutorial that shows how to create a Windows FE boot CD. This special version is based on Windows PE; by using some registry hacks it works forensically.
DFIR Summit 2016 Plumbing The Depths Windows Registry Internals
DFIR Summit 2016, Plumbing the Depths: Windows Registry Internals: Sansorgdfirsummit. This presentation will explore the low-level structures that comprise registry hives, including key and value records, data cells including big.
Forensic Lunch 12/13/13: This week with Yogesh Khatri talking about his Windows 8 registry forensics research; you can read it here, swiftforensics, and email him.
Windows Phone 8 Forensic Artifacts and Case Study, DFIR Summit 2015: Cindy Murphy (cindymurph), Detective, City of Madison, WI Police Department. Due to the quick progression of mobile device technology a need often arises.
Computer Forensic Examinations 10, Shellbags: In this tutorial we're going to look at registry entries called shellbags, which monitor the way you view folders within Windows Explorer. Be sure to check out the.
Windows Registry Tutorial: Learn how Microsoft Windows utilizes the registry, how the hierarchy is organized into hives, the dangers of manipulating the registry, and how to edit or create keys.
My Registry Comparison Tool (Forensic Tool): This tool allows you to create and compare between the saved database and the current state of the Windows registry; it shows all the new keys, new values and.
Module 8, AccessData Registry Viewer: The Windows registry is the central repository where Windows stores options and settings such as hardware, installed software and user/account information.
Learning Computer Forensics Tutorial File Systems WindowsBased
Learning Computer Forensics Tutorial, File Systems (Windows-based): Want all of our free computer forensics tutorials? Download our free iPad app at itunesappleusapptutorialtrainingcoursesfromid418130423mt8.
FTK Movie Module 5, Viewing Registry Files: Viewing registry files.
GCFE GIAC Certified Exam Forensic Test Examiner Questions: For GIAC GCFE test questions and answers please visit spasseasilygcfehtm; practice section 1, browser test forensic questions test.
GCFE GIAC Exam Certified Forensic Test Examiner Questions: For more information on GIAC GCFE practice test questions please visit spassguaranteedgcfehtm. What am I going to be tested for?
2013-11-06 CERIAS, Yahoo Messenger Forensics on Windows Vista and Windows 7: Recorded 11/06/2013, CERIAS Security Seminar at Purdue University. Yahoo Messenger forensics on Windows Vista and Windows 7, Tejashree Datar, Purdue.
How to Disable USB Using Registry Editor in Windows 7 / Windows 8 (in Hindi and English): This tutorial is helpful for disabling USB devices on your computer using the Registry Editor tool, by Priy Ranjan.
DEF CON 23 Panel, WhyMI So Sexy? WMI Attacks, Real-Time Defense and Advanced Forensics: Windows Management Instrumentation (WMI) is a remote management framework that enables the collection of host information, execution of code and.
Windows Live Forensics, Part 1 of 2: This tutorial illustrates some common forensic tools that can be used to acquire evidence from a running Windows system.