Introduction of Windows Forensics

Windows Forensics is the process of conducting forensic investigations of systems that run Windows operating systems. It includes incident response analysis, recovery, and auditing of equipment used in executing any criminal activity. To accomplish such intricate forensic analyses, investigators should possess extensive knowledge of the Microsoft Windows operating systems.

This module discusses collecting volatile and non-volatile information; performing Windows memory and registry analysis; cache, cookie, and history analysis; MD5 calculation; Windows file analysis; and related topics.

Windows Forensics Methodology

Most systems store data related to the current session in temporary form across registries, cache, and RAM. This data is lost when the user switches the system off, resulting in loss of the session information. Therefore, investigators need to extract it as a priority. This section will help you understand volatile data, its importance, and ways to extract it.


Collecting Volatile Information

Volatile information refers to the data stored in the registries, cache, and RAM of digital devices. This information is lost or erased whenever the system is turned off or rebooted. Volatile information is dynamic in nature and keeps changing with time, so investigators should be able to collect the data in real time.

Volatile data exists in physical memory or RAM and consists of process information, process-to-port mapping, process memory, network connections, clipboard contents, state of the system, etc. The investigators must collect this data during the live data acquisition process.

The investigators follow Locard's Exchange Principle and collect the contents of RAM right at the onset of the investigation, so as to minimize the impact of further steps on the integrity of the RAM contents. Investigators are well aware that the tools they run to collect other volatile information themselves modify the contents of memory. Based upon the collected volatile information, investigators can determine the logged-on user, the timeline of the security incident, the programs and libraries involved, the files accessed and shared during the suspected attack, and other details.

System Time

The first step in investigating an incident is the collection of the system time. System time refers to the exact date and time of day when the incident happened, expressed in Coordinated Universal Time (UTC). The system provides the system time so that launched applications have access to the accurate time and date.

The knowledge of system time will give a great deal of context to the information collected in the subsequent steps. It will also assist in developing an accurate timeline of events that have occurred on the system. Apart from the current system time, information about the amount of time that the system has been running, or the uptime, can also provide a great deal of context to the investigation process.

Investigators also record the real time, or wall time, when recording the system time. Comparing the two allows the investigator to determine whether the system clock was accurate or inaccurate. Investigators can extract the system time and date with the date /t & time /t commands or with the net statistics server command.

An alternative way of obtaining the system time is the GetSystemTime function. This function copies the time into a SYSTEMTIME structure whose individual members hold the month, day, year, weekday, hour, minute, second, and milliseconds. Hence, this function provides better accuracy for the system time details.
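The clock collection described in this section, as an added PowerShell example that is not part of the original article: it records the system time in local and UTC form, the uptime, the verbatim output of the date /t & time /t commands named above, and the examiner's independently noted wall time, then writes the record with its MD5 and SHA-256 hashes. The $ExaminerWallTime and $OutDir parameters are this example's own.

```powershell
# Added example (not part of the original article). Records the clock facts the
# text calls for and writes them with a hash so later alteration is detectable.
# Assumes a live Windows host and PowerShell 5.1+; parameters are this example's own.
param(
    [string]$ExaminerWallTime = '',          # e.g. '2024-05-01T10:15:30+05:30' read from a trusted clock
    [string]$OutDir = "$env:TEMP\volatile"   # in practice: approved evidence media, not the suspect disk
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$now    = Get-Date                            # what the suspect system believes the time is
$nowUtc = $now.ToUniversalTime()

$record = [ordered]@{
    Host              = $env:COMPUTERNAME
    SystemTimeLocal   = $now.ToString('o')
    SystemTimeUTC     = $nowUtc.ToString('o')
    UtcOffset         = $now.ToString('zzz')  # current offset, DST included
    TimeZoneId        = (Get-TimeZone).Id
    LastBootUTC       = $os.LastBootUpTime.ToUniversalTime().ToString('o')
    UptimeSeconds     = [long]($now - $os.LastBootUpTime).TotalSeconds
    # Output of the commands named in the text, kept verbatim as evidence
    DateTimeCmdOutput = (cmd /c 'date /t & time /t') -join ' '
}

# Compare the system clock with the examiner's independent wall time to document skew
if ($ExaminerWallTime) {
    $ref = [DateTimeOffset]::Parse($ExaminerWallTime)
    $record['ExaminerWallTimeUTC'] = $ref.UtcDateTime.ToString('o')
    $record['ClockSkewSeconds']    = [math]::Round(($nowUtc - $ref.UtcDateTime).TotalSeconds, 1)
}

$file = Join-Path $OutDir 'system_time.json'
$record | ConvertTo-Json | Set-Content -Path $file -Encoding UTF8

# MD5 (as the module mentions) plus SHA-256 of the evidence file
$hashLines = foreach ($alg in 'MD5', 'SHA256') {
    $h = Get-FileHash -Path $file -Algorithm $alg
    '{0}  {1}  {2}' -f $h.Algorithm, $h.Hash, $file
}
$hashLines | Set-Content -Path (Join-Path $OutDir 'system_time.hashes.txt') -Encoding UTF8
$record
```

A positive ClockSkewSeconds means the suspect system's clock runs ahead of the examiner's reference; apply it when normalising timestamps from this host into the incident timeline.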


Logged-On Users

During an investigation, an investigator must gather details of all the users logged on to the suspected system. This includes not only the people logged on locally (via the console or keyboard) but also those who had remote access to the system (e.g. via the net use command or via a mapped share). This information allows an investigator to add context to other information collected from the system, such as the user context of a running process, the owner of a file, or the last access times on files. It is also useful to correlate the collected system time information with the Security event log, particularly if the administrator has enabled appropriate auditing.

Some of the tools and commands used to determine logged-on users are as follows:

  • PsLoggedOn
  • net sessions
  • LogonSessions

Logged-On Users: PsLoggedOn Tool

PsLoggedOn is an applet that displays both the locally logged-on users and the users logged on via resources, for either the local computer or a remote one. If you specify a user name instead of a computer, PsLoggedOn searches the computers in the network neighborhood and tells you whether the user is currently logged on.

Syntax: psloggedon [-] [-l] [-x] [\\computername | username]

- Displays the supported options and the units of measurement used for output values.
-l Displays only local logons.
-x Does not display logon times.
\\computername System name for which logon information should be shown.
username Searches the network for the systems to which that user is logged on.

Logged-On Users: net session Command

The net session command is used for managing server computer connections. Used without parameters, it displays information about all logged-in sessions on the local computer. With this command, one can view the computer names and user names on a server, see whether users have any open files, and see how long each user's session has been idle.

Syntax: net session [\\ComputerName] [/delete]

\\ComputerName: Identifies the computer for which you want to list or disconnect sessions.

/delete: Ends the computer’s session with ComputerName and closes all open files on the computer for the session.

net help command: Displays help for the specified net command.

Logged-On Users: LogonSessions Tool

LogonSessions lists the currently active logged-on sessions and, if you specify the -p option, the processes running in each session.

Syntax: logonsessions [-c[t]] [-p]

-c Prints output as CSV.
-ct Prints output as tab-delimited values.
-p Lists processes running in logged-on sessions.
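Combining the three tools above into one collector, as an added PowerShell example that is not part of the original article: it enumerates sessions through CIM (Win32_LogonSession and the Win32_LoggedOnUser association) instead of a copied Sysinternals binary, and correlates each session with its Security event 4624 as the Logged-On Users section suggests. The Get-LoggedOnSession and Get-LogonEvent function names are this example's own.

```powershell
# Added example (not part of the original article). Enumerates logged-on
# sessions through CIM and correlates each with its Security event 4624, the
# check the text describes. Assumes PowerShell 5.1+ on a live host, run
# elevated so the Security log is readable; function names are this example's own.

# Win32_LogonSession.LogonType uses the same codes as the Logon Type field of event 4624
$logonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-LoggedOnSession {
    foreach ($s in Get-CimInstance -ClassName Win32_LogonSession) {
        # The account behind a session is reached through the Win32_LoggedOnUser association
        $accounts = Get-CimAssociatedInstance -InputObject $s -Association Win32_LoggedOnUser
        foreach ($a in $accounts) {
            [pscustomobject]@{
                LogonId     = $s.LogonId                        # decimal string, e.g. '999'
                User        = '{0}\{1}' -f $a.Domain, $a.Name
                LogonType   = $logonTypes[[int]$s.LogonType]    # cast: the hashtable keys are Int32
                AuthPackage = $s.AuthenticationPackage
                StartUTC    = $s.StartTime.ToUniversalTime().ToString('o')
            }
        }
    }
}

function Get-LogonEvent {
    # Find the 4624 event whose TargetLogonId (property index 7) matches a session's LogonId
    param([Parameter(Mandatory)][string]$LogonId, [int]$MaxEvents = 2000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { [uint64]$_.Properties[7].Value -eq [uint64]$LogonId } |
        Select-Object TimeCreated,
            @{ n = 'Workstation'; e = { $_.Properties[11].Value } },   # WorkstationName
            @{ n = 'SourceIP';    e = { $_.Properties[18].Value } }    # IpAddress (remote logons)
}

# Skip service/batch sessions so the report focuses on console and remote users
$sessions = Get-LoggedOnSession | Where-Object { $_.LogonType -notin 'Service', 'Batch' }
foreach ($sess in $sessions) {
    $evt = Get-LogonEvent -LogonId $sess.LogonId | Select-Object -First 1
    $sess | Add-Member -NotePropertyName LogonEventTime -NotePropertyValue $evt.TimeCreated -PassThru |
            Add-Member -NotePropertyName Workstation    -NotePropertyValue $evt.Workstation -PassThru |
            Add-Member -NotePropertyName SourceIP       -NotePropertyValue $evt.SourceIP    -PassThru
}
```

A session with an empty LogonEventTime means its 4624 event was not within the scanned window or logon auditing was not enabled, which is itself worth noting in the report.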

Questions related to this topic

  1. What is meant by computer forensics?
  2. What are Windows artifacts?
  3. What is the role of computer forensics?
  4. What are the three elements of computer forensics?

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
