Presentation is loading. Please wait.

Presentation is loading. Please wait.

WINDOWS SYSTEMS AND ARTIFACTS John P. Abraham Professor UTPA.

Published byMargaret Jacobs Modified over 8 years ago

Similar presentations

Presentation on theme: "WINDOWS SYSTEMS AND ARTIFACTS John P. Abraham Professor UTPA."— Presentation transcript:

1 WINDOWS SYSTEMS AND ARTIFACTS John P. Abraham Professor UTPA

2 Windows file systems FAT (file allocation table) and NTFS (new technology file system) NTFS has the ability to set access control lists on file objects, journaling, and compression. MFT (master file table) – every file and directory has an MFT entry. The location of the starting sector of MFT can be found in the boot sector of the disk. More info: http://msdn.microsoft.com/en- us/library/windows/desktop/aa365230(v=vs.85).aspxhttp://msdn.microsoft.com/en- us/library/windows/desktop/aa365230(v=vs.85).aspx

3 NTFS Alternate data streams This was included to support Macintosh hierarchical file system. Intruders can hide files using this without you detecting it with dir commands. Use dir /r Tutorial: http://www.irongeek.com/i.php?page=security/altds http://www.irongeek.com/i.php?page=security/altds

4 Windows Registry Windows configuration database It records information specific to users and tracks an user’s activity. Regedit is the utility we can use to view. Registry files are located in the config directory of the windows system. User profiles are found in NTUSER.DAT and USRCLASS.DAT More info: http://msdn.microsoft.com/en- us/library/windows/desktop/ms724946(v=vs.85).aspxhttp://msdn.microsoft.com/en- us/library/windows/desktop/ms724946(v=vs.85).aspx

5 Windows registry Forensics Here is a tutorial: http://www.forensicfocus.com/forensic- analysis-windows-registryhttp://www.forensicfocus.com/forensic- analysis-windows-registry Instead of reading papers (next two) I am assigning you to read this 16 page tutorial and write a summary of each page. RegRipper is a utility that Harlan Carvey (one of the authors of your lab book)

6 Event Logs Windows has a built-in event viewer. ( Additional event log viewers can be downloaded from google.) To launch: Right click on computer, manage, event viewer. OR Start, Run, type in: eventvwr.msc You will see APPLICATION, SECURITY, SETUP AND SYSTEM categories. Click on each and look at the events. There are several tutorials available on the web to help you understand these logs.

7 Prefetch files Windows keeps tracks of programs used during the session and saves it to a prefetch file located in the windows\prefetch directory. It allows to load regularly used programs faster. When an application is launched a prefetch file for that application is created. The name of the appliation along with a hashed path where the program is actually located is stored in the name of the file. For forensic examination, when a prefetch file is found, it means that program was run on that computer and can provide last run date and time.

8 Shortcut files File extension.lnk (LNK files) This can be used to demonstrate access to files, particularly those on the network.

Download ppt "WINDOWS SYSTEMS AND ARTIFACTS John P. Abraham Professor UTPA."

Similar presentations

IT Technical Support South Nottingham College. Aims Knowledge of the Registry Discuss the tools available to support a technician Gain an understanding.

IT Technical Support South Nottingham College. Aims Knowledge of the Registry Discuss the tools available to support a technician Gain an understanding.
®® Microsoft Windows 7 for Power Users Tutorial 6 Optimizing Your Hard Disk.

®® Microsoft Windows 7 for Power Users Tutorial 6 Optimizing Your Hard Disk.
FILE SYSTEMS. File Names 1 to 255 characters in length  This includes the path You can use uppercase and lowercase (case-aware, but not case-sensitive)

FILE SYSTEMS. File Names 1 to 255 characters in length  This includes the path You can use uppercase and lowercase (case-aware, but not case-sensitive)
Configuration Files CGS2564. DOS Config.sys Device drivers Memory configuration Autoexec.bat Run programs, DOS commands, etc. Environment settings File.

Configuration Files CGS2564. DOS Config.sys Device drivers Memory configuration Autoexec.bat Run programs, DOS commands, etc. Environment settings File.
KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY Welcome to Unit 3 IT278 Network Administration Course Name – IT278 Network Administration Instructor.

KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY Welcome to Unit 3 IT278 Network Administration Course Name – IT278 Network Administration Instructor.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Windows XP File System Management Group D. 3 Layers of Drivers Filter Drivers Filter Drivers –Virus protection, compression, encryption File System Drivers.

Windows XP File System Management Group D. 3 Layers of Drivers Filter Drivers Filter Drivers –Virus protection, compression, encryption File System Drivers.
COS/PSA 413 Day 3. Guide to Computer Forensics and Investigations, 2e2 Agenda Questions? Assignment 1 due Lab Write-ups (project 2-1 and 2-2) due next.

COS/PSA 413 Day 3. Guide to Computer Forensics and Investigations, 2e2 Agenda Questions? Assignment 1 due Lab Write-ups (project 2-1 and 2-2) due next.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 11: Monitoring Server Performance.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 11: Monitoring Server Performance.
Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.

Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.
File System Variations and Software Caching May 19, 2000 Instructor: Gary Kimura.

File System Variations and Software Caching May 19, 2000 Instructor: Gary Kimura.
Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –

Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –
5.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.

5.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.
Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
Module 6: Managing Data Storage. Overview Managing File Compression Configuring File Encryption Implementing Disk Quotas.

Module 6: Managing Data Storage. Overview Managing File Compression Configuring File Encryption Implementing Disk Quotas.
Chapter 11 Basic Windows and Windows Commands. Overview of what an Operating System does To identify and use common desktop and home screen icons To manipulate.

Chapter 11 Basic Windows and Windows Commands. Overview of what an Operating System does To identify and use common desktop and home screen icons To manipulate.
Installing Windows XP Professional Using Attended Installation Slide 1 of 41Session 2 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.

Installing Windows XP Professional Using Attended Installation Slide 1 of 41Session 2 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
1 Module 2 Installing Windows NT. 2  Overview Preparing for Installation Installing Windows NT Performing a Server-based Installation Troubleshooting.

1 Module 2 Installing Windows NT. 2  Overview Preparing for Installation Installing Windows NT Performing a Server-based Installation Troubleshooting.

Similar presentations

Ads by Google