
George Kurian

Title: - Study of Last Activity View, a Windows forensic tool.

Compatible Browser: - Internet Explorer, Firefox, Opera, Chrome

Compatible Operating System: - Windows
Project: - In this project the forensic tool Last Activity View and its various utilities will be
studied. It collects information from various sources on a running system and displays a log of
actions made by the user and events that occurred on this computer. The activity displayed by
LastActivityView includes: running an .exe file, opening an open/save dialog box, opening a
file/folder from Explorer or other software, software installation, system shutdown/start,
application or system crash, network connection/disconnection, and more.
The tool Last Activity View was downloaded from
http://www.nirsoft.net/utils/computer_activity_view.html

Utilities

BrowsingHistoryView: - BrowsingHistoryView extracts browsing history information from all
major Web browsers, including Firefox, Chrome, Opera, Internet Explorer and Microsoft Edge.
CredentialsFileView: - CredentialsFileView decrypts and displays the passwords and other data
stored inside Credentials files of Windows.
VaultPasswordView: - VaultPasswordView decrypts and displays the passwords and other data
stored inside 'Windows Vault'.
DataProtectionDecryptor: - DataProtectionDecryptor is a powerful tool for Windows that allows
you to decrypt passwords and other information encrypted by the DPAPI (Data Protection API)
system of Windows operating system.
WirelessKeyView: - WirelessKeyView decrypts the wireless network keys stored by the Windows
operating system.
FullEventLogView: - FullEventLogView displays the details of all events from the event log of
Windows (including the event description). You can load multiple event log files and view all of
them in a single table.
IEHistoryView: - IEHistoryView extracts information from the history file (index.dat) of Internet
Explorer. This history information includes the URLs that the user visited, the Web site title, the
number of times that this URL was visited (Hits column), and the last date/time that the Web site
visit occurred. The history file also contains a list of local files that the user opened with Internet
Explorer (usually .html and image files).

IECacheView: - IECacheView extracts information from the cache files (index.dat) of Internet
Explorer. The information provided by IECacheView is somewhat similar to IEHistoryView.
However, while the history file (IEHistoryView) stores only one record for every Web page visit,
the cache file stores multiple records for every Web page, including all images and other files
loaded by the Web page.
IECookiesView: - IECookiesView extracts the content of all cookie files stored by Internet
Explorer.
IE PassView: - IE PassView extracts the Web site passwords stored by Internet Explorer.

MozillaCacheView: - MozillaCacheView extracts the details of all cache files stored by Mozilla
Firefox.
MozillaHistoryView: - MozillaHistoryView extracts the details of all browsing history stored by
Mozilla Firefox. Starting from Mozilla Firefox 3, MozillaHistoryView requires that Firefox 3 be
installed on the computer on which you run it, because it uses the sqlite3.dll library to read the
SQLite history database of Firefox.
MozillaCookiesView: - MozillaCookiesView extracts the content of all cookie files stored by
Mozilla Firefox. Starting from Mozilla Firefox 3, MozillaCookiesView requires that Firefox 3 be
installed on the computer on which you run it, because it uses the sqlite3.dll library to read the
SQLite cookies database of Firefox.
PasswordFox: - PasswordFox extracts the Web site passwords stored by the Firefox Web browser.
PasswordFox requires that Firefox be installed on the computer on which you run it, because it
uses the decryption library of Firefox to decrypt the passwords.
ChromeCacheView: - ChromeCacheView extracts the details of all cache files stored by Google
Chrome Web browser.
MyLastSearch: - The MyLastSearch utility scans the cache and history files of four Web browsers
(IE, Firefox, Opera, and Chrome) and locates all search queries made with the most popular search
engines (Google, Yahoo and MSN) and with popular social networking sites (Twitter, Facebook,
MySpace). The search queries are displayed in a table with the following columns: Search Text,
Search Engine, Search Time, Search Type (General, Video, Images), Web Browser, and the
search URL.
LiveContactsView: - Extracts the contacts of Windows Live Messenger stored inside the
contacts.edb file.

This tool works on Internet Explorer, Firefox, Opera and Chrome, and it has specific
utilities for each, covering search history, cookies and cache.

Hands-on Lab: - We will be testing all the utilities on the three browsers and the Windows
operating system.

Task 1: -
Utility Credentials File View

Run the executable file - CredentialsFileView.exe

After running CredentialsFileView, the 'Credentials Decryption Options' window is
displayed. CredentialsFileView automatically fills in the correct folders of your currently
running system and the currently logged-on user.
The only field you have to fill in yourself is the 'Windows Login Password'; the login
password is needed in order to decrypt the Credentials files of Windows.
You can also decrypt the Credentials files of the currently logged-on user without
providing the login password if you choose the 'Decrypt Credentials files of the current
user' option in the top combo-box.
This feature requires elevation (Run As Administrator), and you must also use the 64-bit
build of CredentialsFileView if you have a 64-bit version of Windows.
If you want to decrypt the Credentials files stored on an external drive or inside another user
profile on your current system, you can manually fill in the correct folders of your external
drive or the other user profile, or alternatively you can choose the root folder of your
external drive and then click the 'Automatic Fill' button.
After clicking the 'Ok' button of the 'Credentials Decryption Options' window,
CredentialsFileView scans the Credentials files inside the specified folders, decrypts
them and then displays the result in the main window.
Task 2: -
Utility Vault Password View
Run the executable file - VaultPasswordView.exe
After running VaultPasswordView, the 'Vault Decryption Options' window is displayed.
VaultPasswordView automatically fills in the correct folders of your currently running system
and the currently logged-on user.
The only field you have to fill in yourself is the 'Windows Login Password'; the login
password is needed in order to decrypt the Windows vault files.
You can also decrypt the data of the Windows Vault of the currently logged-on user without
providing the login password if you choose the 'Decrypt vault files of the current user'
option in the top combo-box.
This feature requires elevation (Run As Administrator), and you must also use the 64-bit
build of VaultPasswordView if you have a 64-bit version of Windows.
If you want to decrypt the Windows vault files of an external drive, you can manually fill
in the correct folders on your external drive, or alternatively you can choose the root folder
of your external drive and then click the 'Automatic Fill' button.
After clicking the 'Ok' button of the 'Vault Decryption Options' window,
VaultPasswordView scans the files inside the vault folders, decrypts them and then
displays the result in the main window.
The upper pane of the main window displays the list of all decrypted .vcrd files.
When selecting an item in the upper pane, the lower pane displays the entire decrypted
data in Hex-Dump format. If the decrypted data contains a password or other text, this
text is also displayed in the 'Item Value' column on the upper pane.
Task 3: -
Utility Data Protection Decryptor
Run DataProtectionDecryptor.exe, the 'DPAPI Decryption Options' window is displayed.
You can also open this window by pressing F9.
Here are the instructions for using the 'DPAPI Decryption Options' window:
Choose the 'Decryption Mode'. If the DPAPI data was encrypted on your own computer
with your current user, choose the 'Decrypt DPAPI data from current system and current
user' option. If you want to decrypt DPAPI data created on another system and stored on an
external drive, choose the 'Decrypt DPAPI data from external drive or another user'
option.
If you selected the external drive decryption mode: choose the root folder of your
external drive, click the 'Automatic Fill' button, and the other fields (Protect Folders,
Registry Hives Folder) will be filled in for you. You can also manually fill these fields with
the correct folders. If the DPAPI data was encrypted with the logon password, you have
to enter this password in the 'Windows Login Password' field.
In the DPAPI data section, you can choose one of the following options:
Decrypt DPAPI data stored in the specified file or files: If you choose this option, you
can specify any file that contains the DPAPI encrypted data as binary data or as text.
Examples for files that you can specify: Windows Registry hives (ntuser.dat,
SOFTWARE file in C:\windows\system32\config), .reg files exported from the Registry,
Windows Credentials files, Wireless network key files (stored in
C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces ), cookies and passwords file of
Chrome Web browser.
Decrypt DPAPI data from the specified string: If you choose this option, you should type
or paste the sequence of DPAPI bytes in the DPAPI data text-box. For example:
01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB....
01,00,00,00,D0,8C,9D,DF,01,15,D1,11,8C,7A,00,C0,4F,C2,97,EB...
01000000D08C9DDF0115D1118C7A00C04FC297EB...
You can also paste the text from .reg file of Windows that contains the DPAPI encrypted
data.
Optional Entropy: You should use this option only if the DPAPI data is encrypted with an
additional key. You can specify the key in hexadecimal format (e.g. 2A 3D B8 C9...), as an
ANSI string or as a Unicode string.
After filling all needed fields in the 'DPAPI Decryption Options' window, press the 'Ok'
button and DataProtectionDecryptor will start decrypting the DPAPI and display the
result on the main window.
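The three byte notations accepted by the 'DPAPI data' text-box above, and a pasted .reg value, can be normalised and checked before anything is handed to the tool. The following is an added example (not part of this report or of the NirSoft tool): it converts any of those forms to raw bytes and reads the fixed DPAPI blob header (the 4-byte version and the 16-byte provider GUID that the quoted bytes D0 8C 9D DF ... 97 EB encode), which is enough to tell whether a registry value or file fragment found during an examination is a DPAPI blob at all. The .reg sample and its key/value names are constructed.

```python
import re
import uuid

# Provider GUID at offset 4 of every DPAPI blob; the bytes D0 8C 9D DF 01 15 D1 11
# 8C 7A 00 C0 4F C2 97 EB quoted above are this GUID in little-endian field order.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# Constructed .reg export carrying the same blob (key and value names are made up).
REG_SAMPLE = (
    'Windows Registry Editor Version 5.00\r\n\r\n'
    '[HKEY_CURRENT_USER\\Software\\Example]\r\n'
    '"Blob"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,\\\r\n'
    '  00,00,00,00\r\n'
    '"Other"=dword:00000001\r\n'
)

def _reg_hex_payload(text: str) -> str:
    """For a .reg value ('hex:' or 'hex(N):'), return only its byte list, joining
    backslash-continued lines; any other text is returned unchanged."""
    m = re.search(r"hex(?:\([0-9a-fA-F]+\))?:", text)
    if not m:
        return text
    parts, continued = [], True
    for line in text[m.end():].splitlines():
        if not continued:
            break
        line = line.strip()
        continued = line.endswith("\\")
        parts.append(line.rstrip("\\"))
    return "".join(parts)

def hex_text_to_bytes(text: str) -> bytes:
    """Accept the three notations the DPAPI data text-box takes (space-separated,
    comma-separated, contiguous hex) or a pasted .reg value; return the raw bytes."""
    cleaned = re.sub(r"[\s,.]", "", _reg_hex_payload(text))  # also drops a trailing "..."
    if not cleaned or len(cleaned) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", cleaned):
        raise ValueError("input is not an even-length hexadecimal byte sequence")
    return bytes.fromhex(cleaned)

def parse_dpapi_header(blob: bytes) -> dict:
    """Read the fixed leading fields of a DPAPI blob: dwVersion (uint32, little-endian)
    and guidProvider (16 bytes, little-endian GUID layout). Nothing is decrypted."""
    if len(blob) < 20:
        raise ValueError("blob shorter than the 20-byte DPAPI header")
    version = int.from_bytes(blob[0:4], "little")
    provider = uuid.UUID(bytes_le=blob[4:20])
    return {"version": version, "provider_guid": str(provider),
            "is_dpapi": version == 1 and provider == DPAPI_PROVIDER_GUID}
```

A version of 1 and the provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb identify the data as a DPAPI blob; anything else is not DPAPI data and the tool's decryption options do not apply to it.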
Task 4: -
Utility WirelessKeyView
Copy the executable file (WirelessKeyView.exe) to any folder you like, and run it.
After you run it, the main window should display all WEP/WPA keys stored on your
computer by the Windows 'Wireless Zero Configuration' service.
For WEP keys, the key is also displayed in ASCII form. Be aware that this utility can only
reveal the network keys stored by the Windows operating system.
Task 5: -
Utility Full Event Log View
Run the executable file - FullEventLogView.exe
After running FullEventLogView, the main window loads and displays all events from
the last 7 days.
You can change the default 7-day time filter and set other filters by using the 'Advanced
Options' window (F9).
Task 6: -
Utility MyLastSearch
In order to start using it, simply copy the executable file (MyLastSearch.exe) to any
folder you like, and run it.
After running it, MyLastSearch scans the cache and history files of your Web browsers
(Internet Explorer and/or Firefox) and finds all search queries stored in them.
The scanning process may take from a few seconds to 1 minute, depending on the size of
your cache and history files.
After the scanning process is finished, the main window should display the list of all
search queries that you made with the most popular search engines.
