Presentation is loading. Please wait.

Presentation is loading. Please wait.

5. Windows System Artifacts Part 1. Topics Deleted data Hibernation Files Registry.

Published bySheena Holmes Modified over 8 years ago

Similar presentations

Presentation on theme: "5. Windows System Artifacts Part 1. Topics Deleted data Hibernation Files Registry."— Presentation transcript:

1 5. Windows System Artifacts Part 1

2 Topics Deleted data Hibernation Files Registry

3 Deleted Data

4 Recovering Deleted Data File Carving Allocated space contains active data Deleted files are in unallocated space Useful tools o ProDiscover o FTK or EnCase o Foremost o Recuva o Photorec

5 Hibernation File

6 Shutdown Options Sleep – data kept in RAM o Power still on o Documents lost if power fails Hibernate – RAM copied to Hiberfil.sys o Power off o Documents never lost Hybrid Sleep o Default for Windows 7 desktops o Puts open documents and programs on disk o Keeps them in RAM as well for fast wakeup o Documents not lost if power fails

7 Enabling Hibernation Link Ch 5i

8 Registry Not in book, but may be on quizzes and Final Exam

9 Understanding the Structure of the Registry The registry consists of five root keys o HKey_Classes_Root o HKey_Current_User o HKey_Local_Machine o HKey_Users o HKey_Current_Config Or HKCR, HKCU, HKLM, HKU, and HKCC

10 Subkeys Root keys (sometimes called predefined keys), contain subkeys o Subkeys look like folders in Regedit HKCU has these top-level subkeys: AppEvents, Console, Control Panel, … o A root key and its subkeys form a path o HKCU\Console

11 Values Every Subkey contains at least one value o But it may show (value not set) The default value (often undefined) Values have name, data type, and data

12 Hives A key with all its subkeys and values is called a hive The registry is stored on disk as several separate hive files Hive files are read into memory when the operating system starts (or when a new user logs on)

13 HiveList HKLM\System\CurrentControlSet\ Control\HiveList

14 Hardware Hive \Registry\Machine\Hardware has no associated disk file Windows 7 creates it fresh each time you turn your system on

15 HKCR and HKCU These keys are links to items contained in other root keys o HKey_Classes_Root (HKCR) Merged from keys within HKLM\Software\Classes and HKU\sid_Classes o sid is the security identifier of the currently logged on user o HKey_Current_User (HKCU) HKU\sid

16 Purpose of Registry Database for configuration files Registry artifacts are very valuable for forensics o Search terms o Programs run or installed o Web addresses o Files recently opened o USB devices connected

17 Acquiring the Registry FTK Imager

18 Acquired Files

19 Reference Link Ch 5c

20 Important Registry Data Control Set Time Zone User Assist USB Store

21 Control Set A live Registry has an important key named HKLM\System\CurrentCo ntrolSet Contains Time Zone, USBSTOR, and other information

22 Control Set Acquired image doesn't contain CurrentControlSet It's ephemeral data—not stored in the hive files To determine which ControlSet is current, look in System\Select In this case, ControlSet001 is Current o Link Ch 5a

23 Time Zone System\ControlSet001\Control\TimeZoneInformatio n o Assuming that ControlSet001 is Current

24 UserAssist Shows objects the user has accessed To see it, open Users\ Username \NTUSER.DAT Navigate to Software\Microsoft\Windows\CurrentVersion\Explo rer\UserAssist

25 UserAssist Decoded in Lower Left Pane

26 RegRipper Link Ch 5k

27

28 Ripped Registry

29 USBSTOR System\ControlSet001\Enum\USBSTOR o Assuming Current Control Set is 1

Download ppt "5. Windows System Artifacts Part 1. Topics Deleted data Hibernation Files Registry."

Similar presentations

Your Friend and Mine The Windows Registry. What is the Registry? ► Think of as a giant 411 switchboard ► Simple idea of centralized one-stop shopping.

Your Friend and Mine The Windows Registry. What is the Registry? ► Think of as a giant 411 switchboard ► Simple idea of centralized one-stop shopping.
Windows Vista Boot process. All the computer running Windows vista have the same start up sequence: Power-on self test (POST) phase Initial startup phase.

Windows Vista Boot process. All the computer running Windows vista have the same start up sequence: Power-on self test (POST) phase Initial startup phase.
Effective Discovery Techniques In Computer Crime Cases.

Effective Discovery Techniques In Computer Crime Cases.
MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646) Chapter 3 Configuring the Windows Server 2008 Environment.

MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646) Chapter 3 Configuring the Windows Server 2008 Environment.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 Investigating.

Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA Investigating.
Configuration Files CGS2564. DOS Config.sys Device drivers Memory configuration Autoexec.bat Run programs, DOS commands, etc. Environment settings File.

Configuration Files CGS2564. DOS Config.sys Device drivers Memory configuration Autoexec.bat Run programs, DOS commands, etc. Environment settings File.
Mastering Windows Network Forensics and Investigation Chapter 8: The Registry Structure.

Mastering Windows Network Forensics and Investigation Chapter 8: The Registry Structure.
The Windows Registry Adapted from

The Windows Registry Adapted from
Chapter 3: Configuring the Windows Vista Environment.

Chapter 3: Configuring the Windows Vista Environment.
Registry Analysis What is it? What does it contain?

Registry Analysis What is it? What does it contain?
Registry Structure What is it? What does it contain?

Registry Structure What is it? What does it contain?
Hands-On Microsoft Windows Server 2008

Hands-On Microsoft Windows Server 2008
Chapter 10 Chapter 10: Managing the Distributed File System, Disk Quotas, and Software Installation.

Chapter 10 Chapter 10: Managing the Distributed File System, Disk Quotas, and Software Installation.
Application Repackaging - Naushad Ali T Doddamani.

Application Repackaging - Naushad Ali T Doddamani.
Operating System & Application Files BACS 371 Computer Forensics.

Operating System & Application Files BACS 371 Computer Forensics.
Working with the Windows XP Registry

Working with the Windows XP Registry
Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence.

Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence.
Registry Forensics COEN 152 / 252.

Registry Forensics COEN 152 / 252.
OS and Application Files BACS 371 Computer Forensics.

OS and Application Files BACS 371 Computer Forensics.

Similar presentations

Ads by Google