Nowadays, the internet has become an important part of our lives.
that the laptop was used to search for the location of a historic house in Rock Creek Park.
Searching and examining a suspect's web browsing activities is a crucial step
Forensic examiners usually search through the web cache and the history files
to collect information, such as the URLs that a user visited, cookies,
Before IE 10, Internet Explorer stored the user's browsing history in an index.dat file.
Since IE 10, this information is stored in a central database located
Both EnCase and FTK support internet history viewing for all well-known browsers
The free tool Pasco, which means "browse" in Latin, was developed to parse the index.dat file
Pasco runs on Windows (through Cygwin), Mac OS, Linux, and the BSD platforms.
For Firefox, the internet history file, downloads, cookies
Please be aware that if a user enables private browsing in the web browser, some of the browsing
Privacy protection tools, such as Tracks Eraser Pro or CCleaner, may also delete the browser history.
Now let's look at what evidence a printer might leave behind.
The local print provider writes the file's contents to a spool file, .spl,
Both the spool file and the shadow file are then saved
on the local disk to protect the print job until the printing process completes.
Therefore, for each print job, two files are created.
The shadow file contains information about the print job, such as the owner, the printer,
the name of the file printed, the fully qualified path,
The shadow file and the spool file are deleted after the print job completes.
However, these files may still exist in unallocated space or in the Windows page file.
Data carving techniques can be used to carve the EMF graphics out of the spool files.
RITx: CYBER502x Computer Forensics
Course Unit 7: Windows Forensics Analysis 7.1 Windows Forensics Analysis
The recovered printed files provide forensic examiners with additional evidence
Jump lists are a Windows 7 feature that provides the user with quick access
to the documents and tasks that are frequently or recently used.
On the taskbar, jump lists appear for applications that you have pinned
to the taskbar, and for applications that are currently running, to provide you a list
For example, if you open two Microsoft Word files and then right-click the Microsoft Word icon
on the taskbar, you will see these two documents listed.
This includes the [inaudible] to the target file or directory, along with the MAC times,
the computer name and the MAC address of the machine where the target file resides, the last access date
and time, and the application used to open the file.
There are two types of jump lists: automatic and custom jump lists.
The automatic jump lists, located in the user profile under AutomaticDestinations,
are created automatically by the OS when a user launches applications or accesses files.
These files follow the Compound File Binary format, with LNK (shell link) information embedded.
Custom jump lists, located in the user profile under CustomDestinations,
These files are LNK-format streams appended to each other.
and provide investigators with valuable proof that a user accessed a file.
Also, even if the files have been deleted, they are still listed in the jump list.
The [inaudible] information of the deleted target file may lead investigators
A jump list contains information about a Word file stored on a USB stick.
The investigator obtains proof that the suspect accessed this file, with the name
of the file, its [inaudible] path, as well as the date and time of the last access.
Now, the investigator can request or search for this USB stick to recover more evidence.
allowing investigators to discover a file's existence on the disk after the file has been wiped
Windows also has other artifacts, such as shadow copies, Windows Prefetch, Control Panel,
ShellBags, and others, that are important for forensic investigation.
The [inaudible] post in the resources section provides a brief overview of the artifacts
If you are interested in learning more details, please read a couple of the slides
Now let's move on to the next important topic: event logs.
Windows stores various events in three event logs, in a binary format,
Both the application log and the system log show three different types
The security log records security events, such as logons, file accesses, or modification attempts.
These events are controlled by the auditing functions of the various resources and systems.
For example, Windows logs successful user logons, logoffs, or failed logons,
On Windows Vista and later, the event ID 4624 indicates a successful logon.
Please be aware that sophisticated attackers may alter event logs by selectively editing
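As an added example (not part of the course transcript or its slides), the following Python script triages Security-log logon events the way the lecture describes: it reads an XML export of the log (assumed here to be the output of `wevtutil qe Security /f:xml`, wrapped in a single root element), counts events by ID, and flags an account that logged on successfully right after a run of failures from the same source. Besides 4624, which the lecture names, it assumes 4625 for a failed logon and 1102 for "the audit log was cleared"; the sample records are constructed, not taken from a real case.

```python
"""Triage Windows Security-log logon events from an XML export.

Added example for the lecture; not course material. Assumes the export
layout produced by `wevtutil qe Security /f:xml`, wrapped in <Events>.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Namespace used by Event Viewer / wevtutil XML exports
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

SUCCESSFUL_LOGON = 4624   # named in the lecture
FAILED_LOGON = 4625       # assumption for this example: failed logon
LOG_CLEARED = 1102        # assumption for this example: audit log cleared


def _record(event_id, when, user=None, logon_type=None, ip=None):
    """Build one <Event> in the Windows event XML layout (sample data only)."""
    data = ""
    if user is not None:
        data = (f"<EventData><Data Name='TargetUserName'>{user}</Data>"
                f"<Data Name='LogonType'>{logon_type}</Data>"
                f"<Data Name='IpAddress'>{ip}</Data></EventData>")
    return (f"<Event xmlns='{NS['e']}'><System><EventID>{event_id}</EventID>"
            f"<TimeCreated SystemTime='{when}'/><Computer>WS01</Computer>"
            f"</System>{data}</Event>")


# Constructed sample export: three failures for "alice" over the network
# (logon type 3) from 10.0.0.5, then a success, an interactive logon
# (type 2) for "bob", and finally a log clear.
SAMPLE_XML = "<Events>" + "".join([
    _record(4625, "2023-05-01T10:00:01Z", "alice", 3, "10.0.0.5"),
    _record(4625, "2023-05-01T10:00:04Z", "alice", 3, "10.0.0.5"),
    _record(4625, "2023-05-01T10:00:07Z", "alice", 3, "10.0.0.5"),
    _record(4624, "2023-05-01T10:00:09Z", "alice", 3, "10.0.0.5"),
    _record(4624, "2023-05-01T10:05:00Z", "bob", 2, "127.0.0.1"),
    _record(1102, "2023-05-01T10:30:00Z"),
]) + "</Events>"


def parse_events(xml_text):
    """Flatten each <Event> into a dict of the fields an examiner looks at."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        # EventData holds named <Data> children; 1102 carries none here
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "event_id": int(system.findtext("e:EventID", namespaces=NS)),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "computer": system.findtext("e:Computer", namespaces=NS),
            "user": data.get("TargetUserName", ""),
            "logon_type": data.get("LogonType", ""),
            "ip": data.get("IpAddress", ""),
        })
    return events


def count_by_id(events):
    """How many records of each event ID the export contains."""
    return Counter(e["event_id"] for e in events)


def failed_then_success(events, threshold=3):
    """Return (user, ip, failures) for every run of >= threshold failed
    logons (4625) for an account that ends in a successful logon (4624)
    from the same source; a success resets that source's counter."""
    failures = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda e: e["time"]):   # ISO-8601 sorts as text
        key = (e["user"], e["ip"])
        if e["event_id"] == FAILED_LOGON:
            failures[key] += 1
        elif e["event_id"] == SUCCESSFUL_LOGON:
            if failures[key] >= threshold:
                hits.append((e["user"], e["ip"], failures[key]))
            failures[key] = 0
    return hits


def log_cleared(events):
    """Timestamps at which the audit log was cleared (1102), if any."""
    return [e["time"] for e in events if e["event_id"] == LOG_CLEARED]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    print("events by ID:", dict(count_by_id(evs)))
    print("failures followed by success:", failed_then_success(evs))
    print("log cleared at:", log_cleared(evs))
```

A wholesale clear of the Security log leaves an 1102 record behind, but the selective editing the lecture warns about does not, so corroborate logon findings against the other artifacts covered above (jump lists, Prefetch, browser history) rather than trusting the event log alone.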
When a document is printed, which of these files are created during the spooling
process? (Select all that apply)
A shadow file (.SHD) that contains information about the print job
A temp file (.TMP) for temporarily storing the information about the print job.
All of the files above are created during the printing process.
True
False