In this article explain Other Important Information of forensic Investigation using investigator.
Clipboard Contents
Clipboard is a temporary storage area, where the system stores data during copy and paste operations. Most Windows applications provide this functionality through the Edit option on the menu bar, Clicking Edit reveals a drop-down menu, which contains choices, like cut, copy, and paste. The user selects text or other data, chooses copy, and then chooses Paste to insert that data somewhere else. The cut functionality removes the data from the document the user is working on, and that data goes to the clipboard.
When a user performs any cut/copy function, and then pastes the content into the document, the information cut/copied is copied to the clipboard and as long as the computer has uninterrupted power supply or the user does not log out, the system neither adds nor deletes the clipboard contents.
Attackers use edit options to copy information from the system to various other sources, such as removable media, documents, email, etc. Investigators can retrieve the copied data from the clipboard contents, by using various clipboard extraction tools.
Free Clipboard Viewer
Source: http://www.freeclipboardviewer.com
Free Clipboard Viewer is a program used to view the information that is stored in memory when you use copy and cut functions in Windows operating system. A clipboard viewer displays the current content of the clipboard.
Free Clipboard Viewer allows you to save the clipboard data to a file and also load clipboard data from a file, so that you can transfer clipboard contents between computers.
Related Product : Computer Hacking Forensic Investigator | CHFI
Service/Driver Information
Based on the entries in the registry the services and drivers start automatically when the system is started. Most users do not even see these running services as processes, because there are really no obvious indications, as there are with regular processes. Yet, these services run nonetheless. The user or even the system administrators necessarily do not install all the services. Some malwares installs themselves as a service or even as a system driver. Check service/device information for any malicious program installed.
Investigators can gather services information using the tasklist command line tool. The tool will display image name and related RID services. The investigators can also use the Windows Management Instrumentation Command (wmic) in the following way to view the list of running services, their process IDs, startmode, state and status.
Other Important Information (Cont’d)
Command History
At the time of investigation, if there are too many command prompts, the commands typed by the user, such as ftp or ping, could hide valuable clues. To see the previously typed commands, the investigator can run the scroll bar for the command prompt up. If the user typed the cis command to clear the screen, the investigator would not be able to use the scroll bar to see any of the commands that the user had entered. Instead, the investigator should use the donkey /history command, which shows the history of the commands typed into that prompt.
Mapped Drives
During the investigation, the investigator might want to know what drives or shares the target system has mapped to. The user could have created these mappings, and they might provide information regarding the indication of malicious intent. There might be no persistent information within the file system or registry for these connections to the mapped shares on other systems.
Shares
Besides resources used by the system, an investigator also wants to acquire information regarding the resources that the system is making available to other users over the network. The system stores the information about shared files and folders in the following registry root key HKEY_LOCAL_MACHINE/System\CurrentControlset\Services\LanmanServer\Shares
Windows Forensics Methodology
Non-volatile data is a sort of permanent data that would remain on the system even after the use switches it off, but the system is easy to manipulate through online and direct access. Therefore, investigators must either extract or copy the non-volatile data from the system.
Also Read : How to Open Files using Command Line
Collecting Non-Volatile Information
Volatile information gathering is not the only aim of the investigator. Investigators need detailed information; because evidence is the only thing that helps them to solve the case with ease. They need to have firm evidences based on both volatile and nonvolatile data.
Nonvolatile data remains unchanged when a system shuts down or loses power. Some of the examples of nonvolatile data include emails, word processing documents, spreadsheets, and various “deleted” files. The investigator can decide what information needs to be extracted from the registry or what information about (or from) files should be collected for additional analysis.
There is also a possibility that the attacker could be actively logged into the system and accessing the data. In such cases, the investigator may decide to even track the attacker, It is important that the investigator should preserve certain important information intact without any modification or deletion. Once the user starts the system, there may be some data modifications, such as drives mapped to or from the system, services started, or applications installed. These modifications might not be persistent across a reboot and therefore, the investigator should record and document them. Non-volatile data usually resides in the hard drives; it also exists in swap files, slack space, and unallocated drive space. Other non-volatile data sources include CD-ROMs, USB thumb drives, smart phones, and PDAs.
Questions related to this topic
- How do I view everything on my clipboard?
- How many items can be copied using the Clipboard task pane?
- Where are the Clipboard files saved?
- Is there a way to find my copy paste history?
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com
