WINDOWS QUICK RESPONSE GUIDE

Volatile Information:
Before we start collecting volatile information, please note the watch time (not the system time). Run a trusted command shell that you carry to the incident scene on removable media. X is the drive letter assigned to the removable media that is connected to the suspect device for evidence collection. Commands to be executed are as follows (the output file name contains spaces, so it is quoted):

    date /t >> "X:\Incident response collectibles.txt"
    time /t >> "X:\Incident response collectibles.txt"
    tasklist /svc >> "X:\Incident response collectibles.txt"
    tasklist /v >> "X:\Incident response collectibles.txt"
    netstat -anob >> "X:\Incident response collectibles.txt"
    netstat -rn >> "X:\Incident response collectibles.txt"
    fport >> "X:\Incident response collectibles.txt"
    arp -a >> "X:\Incident response collectibles.txt"
    nbtstat -n -r -s -c >> "X:\Incident response collectibles.txt"
    X:\psloggedon >> "X:\Incident response collectibles.txt"
    ipconfig /all >> "X:\Incident response collectibles.txt"
    ipconfig /displaydns >> "X:\Incident response collectibles.txt"
    wmiccapture.bat >> "X:\Incident response collectibles.txt"

RAM Capture:
Run the tool Dumpit from the removable media that is attached by the acquisition team and then press y. It will capture the RAM and save the dump to the same media.

Registry:
1. Open regedit from the start menu.
2. Click on the export option from the file tab.
3. Save the registry to the evidence collection media.

Windows Config files:
Load the drive onto FTK Imager, navigate to the path C:\Windows\System32\ and extract the config files. This helps us with

NTUSER.DAT:
Export all ntuser files from the following path.
XP: windows\profile\<username>\
Win7: Users\<user name>\

Prefetch:
Extract all the files from the path Windows\prefetch\

Link Files:
Shortcuts for Windows files. Extract from the following path.
XP: Documents and Settings\<Username>\Recent
Win7: Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\

JumpLists:
Only for versions after win7. Export the files from the following path:
Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

USRCLASS.DAT:
Export all usrclass files from the following path:
Users\<profile name>\AppData\Local\Microsoft\Windows

Directory Listing:
Access times:
    k:\> dir /t:a /a /s /o:d c:\ >> X:\dirlista
Modified times:
    k:\> dir /t:w /a /s /o:d c:\ >> X:\dirlistm
Created times:
    k:\> dir /t:c /a /s /o:d c:\ >> X:\dirlistc
The above set of commands performs a recursive directory listing of the C drive.

Thumbnails:
XP: This cache will be available in all the folders where pictures were stored.
Win7: C:\Users\<profilename>\AppData\Local\Microsoft\Windows\Explorer\

Recycle bin:
XP: Extract the Info2 file from the Recycle bin of every user.
Win7: Extract the Recycler bin from the operating system drive.

Event Logs:
Extract the logs from the following locations.
XP:
    System32\config\application.evt
    System32\config\security.evt
    System32\config\system.evt
Win7:
    Windows\system32\winevt\logs\application.evtx
    Windows\system32\winevt\logs\security.evtx
    Windows\system32\winevt\logs\system.evtx

USB Logs:
Extract the logs from the following locations.
XP: Windows\setupapi.log
Win7: Windows\inf\setupapi.dev.log

Cookies:
Extract cookies from the following path.
XP: Documents and Settings\<profilename>\Cookies
Win7: C:\Users\<profilename>\AppData\Roaming\Microsoft\Windows\cookies\

Skype Data:
Extract all the files in the following path.
XP: Documents and Settings\<profilename>\Application Data\Skype\<skype user name>\
Win7: Users\<profilename>\AppData\Roaming\Skype\<skype user name>

Email Data (Outlook Client):
Copy the following files.
XP: Documents and Settings\<profilename>\Local Settings\Application Data\Microsoft\Outlook
Win7: C:\Users\<userprofile>\AppData\Local\Microsoft\Outlook\

Disk Imaging:
1. Use FTK Imager Lite. This should be carried on the removable media, which is connected to the suspect system. Run the tool with administrative privileges. Add the suspect hard disk as evidence and perform a bit stream imaging to a destination hard disk.
2. You can pull the suspect hard drive out and connect it to a write blocker. The write blocker should then be connected to the forensic workstation. Connect the destination hard disk. Run FTK Imager with administrative privileges and add the suspect hard disk. Make sure that the destination hard disk is thoroughly wiped before using it. The size of the destination hard disk should always be more than the size of the source hard disk.

Resource List:
1. psloggedon is available on https://technet.microsoft.com
2. Dumpit is a tool freely available from http://www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream/
3. FTK Imager Lite is a free tool available from AccessData: http://accessdata.com/product/download/digital-forensics/ftk-imager-lite-version-3.1.1
4. WMIC: a powerful tool. Carry this as a batch file with all the commands required (say wmiccapture.bat). https://technet.microsoft.com/en-us/library/bb742610.aspx

Order of Execution:
1. Volatile Information
2. RAM Capture
3. Registry
4. Prefetch
5. Link Files
6. Jump Lists
7. Event Logs
8. Cookies
9. Windows config files
10. Cookies
11. NTUSER.DAT
12. USRCLASS.DAT
13. USB Logs
14. Thumbnails
15. Recycle bin
16. Skype History
17. Email Attachments

UNIX QUICK RESPONSE GUIDE

Volatile Information:
Before we start collecting volatile information, please note the watch time (not the system time). Mount the removable device. The command to mount the device is as follows:

    mount /dev/cdrom /mnt/cdromdevice

Run a trusted command shell that you carry to the incident scene on removable media, then run the following commands to collect the volatile evidence (the output file name contains a space, so it is quoted):

    cd /mnt/cdromdevice/
    [root@suspectsystem /mnt/cdromdevice/]# ./bash
    [root@suspectsystem /mnt/cdromdevice/]# ./date >> "Volatile evidence.txt"
    [root@suspectsystem /mnt/cdromdevice/]# ./w >> "Volatile evidence.txt"
    [root@suspectsystem /mnt/cdromdevice/]# ./arp -a >> "Volatile evidence.txt"
    [root@suspectsystem /mnt/cdromdevice/]# ./netstat >> "Volatile evidence.txt"
    [root@suspectsystem /mnt/cdromdevice/]# ./netstat -nl >> "Volatile evidence.txt"
    [root@suspectsystem /mnt/cdromdevice/]# ./ps -ef >> "Volatile evidence.txt"
    [root@suspectsystem /mnt/cdromdevice/]# ./netstat -rn >> "Volatile evidence.txt"
    [root@suspectsystem /mnt/cdromdevice/]# ./mount >> "Volatile evidence.txt"
    [root@suspectsystem /mnt/cdromdevice/]# ./lsmod >> "Volatile evidence.txt"
    [root@suspectsystem /mnt/cdromdevice/]# ./ifconfig -a >> "Volatile evidence.txt"

NOTE: when you execute the ifconfig command, check for words like PROMISC to detect any sniffing process on the system.

Execute the date and time commands once again and document the watch time once again. Document the set of commands executed on bash by using the following command:

    [root@suspectsystem /mnt/cdromdevice/]# history >> "Volatile evidence.txt"

Directory Listings:
Access times:
    [root@suspectsystem /mnt/cdromdevice/]# ./ls -alRu / >> dirlist1
Modified times:
    [root@suspectsystem /mnt/cdromdevice/]# ./ls -alR / >> dirlist2
Created times (on Linux, ls -c shows the inode change time, not a creation time):
    [root@suspectsystem /mnt/cdromdevice/]# ./ls -alRc / >> dirlist3
These commands create a directory listing of all the sub directories recursively.

RAM Capture:
In older versions of Linux you can copy /dev/mem/ using dd; it acts as a RAM image. Try to capture RAM using fmem. Try to copy the swap file too.

Disk Imaging:
1. Run the dd command and perform a bit stream imaging of the hard disk. Select the suspect system hard disk as the source and the external hard disk to which we want to save the image as the destination hard disk. Make sure that the destination hard disk is thoroughly wiped before using it.
2. You can pull out the source hard disk, connect it to a write blocker and then connect it to the forensic workstation. Run FTK Imager Lite if the forensic workstation's operating system is Windows, or run dd if the forensic workstation is a Unix flavoured operating system, and perform a bit stream imaging of the source disk. The destination hard disk size should always be more than the source hard disk.

Config Files:
    /etc/passwd
    /etc/shadow
    /etc/group
    /etc/hosts
    /etc/hosts.equiv
    ~/.rhosts
    /etc/hosts.allow
    /etc/hosts.deny
    /etc/syslog.conf
    /etc/inetd.conf
    /etc/xinetd.conf
    /etc/rsyslog.conf

Logs:
    Utmp
    Wtmp
    Lastlog
    Pacct
    Web logs: /var/log/httpd/access_log
    Xferlog (ftp)
    /var/log/messages
    /var/log/rsyslog

Swap File & Proc Directory:
The swap file serves as virtual memory; this artifact acts as RAM in Linux. Extract the proc directory. It helps us mostly in malware analysis. We can always extract the list of processes: in Linux we can access it by copying the proc directory.

Order of Execution:
1. Volatile information
2. RAM Capture
3. Config files
4. Logs
5. Disk Imaging
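As an added example (not the guide's own script), a POSIX shell wrapper for the Unix volatile-evidence step: it runs the guide's command list only from the trusted binaries on the mounted media, logs a binary that is missing from the media instead of falling back to the suspect system's PATH, and applies the guide's PROMISC check to the collected output. The directory name TRUSTED_DIR, the evidence file argument and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the guide's own script. Assumes the trusted binaries are
# in TRUSTED_DIR on the mounted removable media and that the responder has
# read the watch time (not the system clock) before calling collect_volatile.

# Command list from the guide's Unix volatile step, in the guide's order.
VOLATILE_CMDS="date
w
arp -a
netstat
netstat -nl
ps -ef
netstat -rn
mount
lsmod
ifconfig -a"

# collect_volatile TRUSTED_DIR OUTFILE WATCH_TIME
# Runs each command from TRUSTED_DIR only. A binary missing from the media is
# logged as MISSING rather than silently run from the suspect system's PATH.
collect_volatile() {
    trusted=$1; out=$2; watch=$3
    echo "### watch time at start: $watch" >> "$out"
    printf '%s\n' "$VOLATILE_CMDS" | while IFS= read -r line; do
        cmd=${line%% *}            # first word: the binary name
        args=${line#"$cmd"}        # the rest: its arguments, if any
        echo "### $line" >> "$out"
        if [ -x "$trusted/$cmd" ]; then
            "$trusted/$cmd" $args >> "$out" 2>&1 \
                || echo "### $cmd exited with status $?" >> "$out"
        else
            echo "### MISSING trusted binary: $cmd" >> "$out"
        fi
    done
    # The guide runs date once more at the end; note the watch time again too.
    [ -x "$trusted/date" ] && "$trusted/date" >> "$out"
    echo "### collection finished; record the watch time again" >> "$out"
}

# check_promisc OUTFILE
# The guide's sniffer check: PROMISC in the ifconfig output. Returns 0 if found.
check_promisc() {
    grep -q 'PROMISC' "$1"
}

# missing_binaries OUTFILE
# Lists trusted binaries that were not on the media, so the kit can be fixed.
missing_binaries() {
    sed -n 's/^### MISSING trusted binary: //p' "$1"
}
```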