Logfiles of Hives
•RegHive is static Hive
•RegHive.LOG contains changes
41
Analyzing Sanboxie-Registry Hives
•RegView
•http://www.gaijin.at/
42
Analyzing Sanboxie-Registry Hives
•RegShot
–1.Shoot
–Execution of to be examined Programm
–2.Shoot
–Compairing
•http://sourceforge.net/projects/
regshot/
43
Runtime behavior
Windows Artefacts
44
Overview
•Analysing the traces which are produced during the runtime of an application
•During the runtime there are some Userdata which are created , chat-history and so on..
•RAM loaded DLLs, running processes, open network connections, userdata and passwords
45
Using of Jabber with Jabbin
•Creating a user and add a contact
•Write a unique identifiable chat
•Chat history /Local/Temp/chats_with_.....
•\JabbinChatData\profiles\default
•Contactlists \JabbinChatData\profiles\default\vcards
•List DLLs and processes
•Analyzing the process
•Analyze of TCP-Connections
•Creating a Ram Dump and analyzing it with volatility
46
Usage in practise
•Harddrive: manually search in Userdata folder
•RAM-Dump: more details
–Live-System
•CrashDump
•DLLs of running processes
•Open network connections
–Memory dump
•Analyzing with volatility
47
The project has been funded by the European Commission. The Education, Audiovisual and Culture Executive program (EACEA), TEMPUS IV. The content of this presentation reflects the opinion of the author.
Traces of typical Application
Digital Forensic
Developers:
C. Yesil
Windows OS-Artifacts
By the end of the presentation participants will be able to:
•Identify at least 2 artifacts of forensic interest;
•Identify, at a glance differences between Windows XP and Windows Vista /7
•Overview of Registry Hives & RPs/Shadow Copy
Typical application traces
•Where are traces from applications in other applications
–Access from data over
•Mailer/Webmailer (Attachments)
•Webbrowser ( Cookies, Download-Historie, Cache,..)
•Filetransfer
•File Exchange
–Checking data from Virusscanner
–Executing applications over Remote
–Tracks despite executing: