- •Windows Artefacts
- •Content
- •Introduction
- •Windows Artefacts
- •Methodology
- •Leaves on Harddisk
- •Approach to analyzing local tracks
- •Limits: Portable Software
- •Limits: Malware
- •Special software
- •Approaches
- •Sandboxies
- •What is a Sandbox
- •What is Sandboxies
- •Advantages of Sandboxies
- •Alternatives for Sandboxies
- •Virtualization with EvaLaze
- •Sandboxies
- •How does Sandboxie work?
- •Automation command line
- •Recovery in Sandboxie
- •Analysis of Sandboxie Results
- •Redirecting Registry
- •Logfiles of Hives
- •Analyzing Sandboxie Registry Hives
- •Runtime behavior
- •Overview
- •Using Jabber with Jabbin
- •Usage in practice
- •Windows OS-Artifacts
- •Typical application traces
- •File access via mailer
- •FTP-Client
- •FileShare P2P: eMule
- •FileShare P2P: BitTorrent
- •FileShare P2P: μTorrent
- •BitTorrent Forensic
- •Virusscanner
- •Firewall Win 7
- •Windows Eventlogs
- •openVPN
- •Windows OS-Artifacts
- •Operating System
- •Windows Operating System
- •Windows Folder Structure
- •Artifacts of Forensic Interest
- •USER PROFILES
- •Which Version?
- •Application Data
- •Application Data (subfolders)
- •AppData Local
- •AppData LocalLow
- •AppData Roaming
- •SUMMARY
- •Registry Description
- ••what kind of information is actually stored there?
- •Registry Information
- •Registry's Structure
- •HKEY_LOCAL_MACHINE - HKLM
- •And what about user data?
- •NTUSER.DAT location in Windows XP
- •NTUSER.DAT location in Windows 7
- •Registry Files Examination
- •From Forensics point of view
- •Examples
- •RESTORE POINTS vs. VOLUME SHADOW COPY
- •RESTORE POINTS (Windows XP)
- •RESTORE POINTS (Windows 7)
- •RESTORE POINTS vs. VOLUME SHADOW COPY
- •RESTORE POINTS (Windows XP)
- •RESTORE POINTS vs. VOLUME SHADOW COPY
- •VOLUME SHADOW COPY
The project has been funded by the European Commission. The Education, Audiovisual and Culture Executive program (EACEA), TEMPUS IV. The content of this presentation reflects the opinion of the author.
Windows Artefacts
Developers:
C.Yesil
Windows Artefacts
•What are Windows Artefacts?
In Windows, applications leave different marks (traces).
•What kinds of artefacts exist?
–Installed stand-alone programs (main focus)
–Portable applications (fewer marks/signatures), e.g. TrueCrypt
–Applications in browsers (harder: browser and applet forensics, unallocated space)
Aim
•Students should learn
–An overview of typical user applications in Windows and their digital forensic meaning
–How to find and evaluate artefacts
Content
•Basic analysis methodology
•Overview of typical applications
•Detailed view of artefacts
Introduction
•How can you find out where an unknown application leaves artefacts?
•What can you find out and what not?
•Is there a way to automate this?
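As an added example (not from the slides), one practical answer to the first and third question: take a snapshot of the user profile before the unknown program runs, take a second one afterwards, and diff the two. Everything that was created, modified or deleted in between is a candidate artefact. The profile layout, the name DemoApp and the simulated application below are constructed for the demonstration.

```python
"""
Added example: locate the traces an application leaves on disk by
snapshotting a directory tree before and after the program runs and
diffing the two snapshots. The profile tree, "DemoApp" and the
simulated application are constructed for this demonstration.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Set


@dataclass(frozen=True)
class FileState:
    size: int
    mtime_ns: int
    sha256: str


def snapshot(root: Path) -> Dict[str, FileState]:
    """Record size, mtime and a content hash of every regular file under root.
    Keys are POSIX-style paths relative to root, so snapshots taken on
    different systems compare the same way."""
    state: Dict[str, FileState] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.stat()
                digest = hashlib.sha256(p.read_bytes()).hexdigest()
            except OSError:
                continue  # vanished or unreadable (e.g. locked); skip, do not abort
            state[p.relative_to(root).as_posix()] = FileState(
                st.st_size, st.st_mtime_ns, digest
            )
    return state


@dataclass
class Diff:
    created: Set[str]
    deleted: Set[str]
    modified: Set[str]


def diff_snapshots(before: Dict[str, FileState], after: Dict[str, FileState]) -> Diff:
    """Classify every path as created, deleted or modified between two snapshots.
    Content hash decides 'modified', so a touched-but-unchanged file is ignored."""
    created = set(after) - set(before)
    deleted = set(before) - set(after)
    modified = {
        k for k in set(before) & set(after)
        if before[k].sha256 != after[k].sha256 or before[k].size != after[k].size
    }
    return Diff(created, deleted, modified)


def simulated_app(profile: Path) -> None:
    """Constructed stand-in for running an unknown program: it leaves the kinds
    of traces a real application typically does (a roaming config, a local
    cache), edits a user document and removes a temp file."""
    roaming = profile / "AppData" / "Roaming" / "DemoApp"
    local = profile / "AppData" / "Local" / "DemoApp"
    roaming.mkdir(parents=True, exist_ok=True)
    local.mkdir(parents=True, exist_ok=True)
    (roaming / "settings.ini").write_text("[main]\nlast_user=alice\n")
    (local / "cache.bin").write_bytes(b"\x00" * 16)
    (profile / "Documents" / "notes.txt").write_text("edited by DemoApp\n")
    (profile / "Documents" / "scratch.tmp").unlink()


def demo() -> Diff:
    """Build a small constructed profile, run the simulated app, return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        (profile / "Documents").mkdir()
        (profile / "Documents" / "notes.txt").write_text("original\n")
        (profile / "Documents" / "scratch.tmp").write_text("tmp\n")
        (profile / "Documents" / "untouched.txt").write_text("same\n")
        before = snapshot(profile)
        simulated_app(profile)
        after = snapshot(profile)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    d = demo()
    for label, paths in (("created", d.created), ("modified", d.modified), ("deleted", d.deleted)):
        for p in sorted(paths):
            print(f"{label:9s} {p}")
```

Run it against a real profile directory instead of the temporary one to get the on-disk footprint of an installer or a portable executable; the same diff applies to exported registry hives when they are saved as files before and after the run. The approach is blind to anything the program writes outside the snapshotted tree or only keeps in memory, which is exactly the gap the second question ("what can you find out and what not?") points at.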
Introduction
•Which applications are typical?
–Not possible to say which is typical and which is not
•Gamer, developer, forensic analyst
•E.g. a computer full of trash
•Not only installed programs
•Executable programs (portable)
Introduction
•Examples of installed programs
•Document processing: Adobe Reader, freePDF, Ghostscript, OpenOffice, PDF exchange viewer, ...
•Browser: Firefox, ...
•E-Mail: Thunderbird, Tobit, ...
•Chat: Jabbin, Miranda, ...
•Softphone: Sipgate, Skype, Google Phone, ...
•File transfer: unprotected: WS-FTP, wxDownload, ...; protected: openVPN, PuTTY, ...
•Encrypting: Bitlocker-to-Go, TrueCrypt, ...
•Remote: MaxiVista, UltraVNC, ...
•Cloud: Dropbox, Wuala, SkyDrive, ...
Introduction
•Cleaner: CCleaner, SuperWinSpy, ...
•Databases: SQLite, SQL Server, ...
•Money: Bitcoin, Quicken, StarMoney, Steuer, tax, Wiso, ...
•Virus protection: AntiVir, ...
•Packer: 7zip, sfArk, WinRAR, WinZip, ...
•Editors: gvim, Neo Hexeditor, Notepad++, ...
•Geodata: Google Earth, ...
•Multimedia: Audacity, Audiograbber, CDBurner, various codecs, FastVideoIndexer, ffdshow, FLV-Player, Fox Converter, Freecorder, Hauppauge WinTV, IrfanView, MP3-Player Utilities, Picasa, QuickTime, RealPlayer, Simfy, Stream-Switcher, DVD-Videosoft, VLC Media Player, WAV2MP3-Konverter, Windows Media Player, Windows Movie Maker, ...
•System management: freeCommander, totalCommander, Debugging Tools, PowerToys, ...
Introduction
•Linux and virtualisation: andLinux, Cygwin, Oracle VirtualBox, QEMU, VMware + LiveView, ...
•Development environment: Perl, Python, SDKs (Android, Eclipse), ...
•Creativity: FreeMind, ...
•Device management: Canon scanner, Olympus camera, Surfstick, Roland synthesizer, ...
•IT-forensic tools: analyzeMFT, Cain & Abel, Data Recovery, dtSearch, EZLog, FastStone Image Viewer, Forensic Card Reader, FTK Imager, Kernel Exchange EDB Viewer, Mandiant Web Historian, Mount Image Pro, PE Builder, ProDiscover, RAID Recovery, PDFStreamDumper, SkypeR, Stellar Phoenix Exchange Mailbox Recovery, WinPcap, Woanware ESEDBViewer, XWF, ...
•Games: WinBoardChess, ...
