Unit 7: Windows Forensics Analysis
7.1 Windows Forensics Analysis: More Windows Artifacts

>> Nowadays, the internet has become an important part of our lives.

We use the internet to search for any kind of information, including directions, jobs, social events, and more.

Chandra Levy was an intern at the Federal Bureau of Prisons in Washington, D.C. who disappeared in May 2001.

Computer investigators who examined Levy's laptop determined that it had been used to search for the location of a historic house in Rock Creek Park.

This was Chandra Levy's last search.

Her skeletal remains were later found in Rock Creek Park.


Searching and examining a suspect's web browsing activity is a crucial step in a forensic investigation.

Forensic examiners usually search through the web cache and history files to collect information such as the URLs a user visited, cookies, pages downloaded, and the time of access.

Before IE 10, Internet Explorer stored the user's browsing history in index.dat files.

The location of these files varied with the Windows version.

Since IE 10, this information is stored in a central ESE database, WebCacheV01.dat, in the user's profile under AppData\Local\Microsoft\Windows\WebCache, next to the cache directory itself.


Both EnCase and FTK support internet history viewing for all well-known browsers, to reconstruct a subject's internet activity.

They can also search for browsing activity in unallocated space.

The free tool Pasco, whose name means "browse" in Latin, was developed to parse the index.dat file and output the information as delimited text that can be imported into a spreadsheet.

Pasco runs on Windows (through Cygwin), Mac OS, Linux, and other BSD platforms.

For Firefox, the internet history, file downloads, cookies, and form data are stored in SQLite databases in the profile directory, such as places.sqlite (history and downloads), cookies.sqlite, and formhistory.sqlite.
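The following is an added example, not code from the lecture or from any forensic suite, showing how an examiner reconstructs a visit timeline from a Firefox places.sqlite: the join between moz_historyvisits and moz_places, the conversion of Firefox's PRTime (microseconds since the Unix epoch) to UTC, and the "last search" query from the Levy story. The table rows are constructed sample data; the URLs and timestamps are invented. The open_readonly helper shows how to open a copied database without modifying it.

```python
import sqlite3
from datetime import datetime, timezone

# Firefox visit_type values (nsINavHistoryService TRANSITION_* constants).
TRANSITION = {1: "link", 2: "typed", 3: "bookmark", 4: "embed", 5: "redirect_permanent",
              6: "redirect_temporary", 7: "download", 8: "framed_link", 9: "reload"}
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_prtime(dt):
    """UTC datetime -> PRTime (microseconds since the Unix epoch), as Firefox stores it."""
    d = dt - UNIX_EPOCH
    return (d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds


def from_prtime(us):
    """PRTime -> timezone-aware UTC datetime."""
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc)


def open_readonly(path):
    """Open a copied places.sqlite without writing to it; immutable=1 also ignores a stale WAL/lock."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


# Constructed sample visits (invented URLs and times), using Firefox's own column names.
SAMPLE_VISITS = [
    ("https://example.com/", "Example Domain", "2021-05-01T14:03:10Z", 2),
    ("https://www.example.com/search?q=rock+creek+park", "rock creek park - search", "2021-05-01T14:05:42Z", 1),
    ("https://maps.example.com/?q=historic+house+rock+creek", "Map", "2021-05-01T14:06:01Z", 1),
]


def build_sample_db():
    """In-memory stand-in for places.sqlite with just the two tables the timeline query needs."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER DEFAULT 0, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
    """)
    for url, title, ts, vtype in SAMPLE_VISITS:
        when = to_prtime(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc))
        cur = con.execute("INSERT INTO moz_places (url, title, visit_count, last_visit_date) "
                          "VALUES (?, ?, 1, ?)", (url, title, when))
        con.execute("INSERT INTO moz_historyvisits (from_visit, place_id, visit_date, visit_type) "
                    "VALUES (0, ?, ?, ?)", (cur.lastrowid, when, vtype))
    con.commit()
    return con


def visit_timeline(con):
    """Every visit in chronological order: (utc datetime, url, title, transition name)."""
    rows = con.execute("""
        SELECT v.visit_date, p.url, p.title, v.visit_type
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date
    """).fetchall()
    return [(from_prtime(d), url, title, TRANSITION.get(t, str(t))) for d, url, title, t in rows]


def last_search(con):
    """Most recent visit whose URL carries a query string: the 'last search' of the Levy case."""
    hits = [v for v in visit_timeline(con) if "?q=" in v[1]]
    return hits[-1] if hits else None


if __name__ == "__main__":
    db = build_sample_db()
    for when, url, title, kind in visit_timeline(db):
        print(when.isoformat(), kind, url, title)
    print("last search:", last_search(db))
```

Against a real profile, replace build_sample_db() with open_readonly("path/to/copied/places.sqlite"); always work on a copy, because opening the live database in a running profile can alter the WAL file and your timestamps.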


Safari stores internet history, bookmarks, and download information in .plist files, and it stores cookie information in a .binarycookies file.

Please be aware that if a user enables private browsing, some of the browser history may not be available.

Privacy protection tools such as Tracks Eraser Pro or CCleaner may also delete browser history.

Now let's look at what evidence a printer might leave behind.


Printing involves a spooling process.

The local print provider writes the document's contents to a spool file (.spl) by creating a graphics file in EMF format for every page.

It stores the print job's metadata in a shadow file (.shd).

Both the spool file and the shadow file are saved on the local disk (by default under %SystemRoot%\System32\spool\PRINTERS) to protect the print job until the printing process completes.

Therefore, two files are created for each print job.

The shadow file contains information about the print job, such as the owner, the printer, the name of the file printed, its fully qualified path, and the printing method, in our case EMF.

The spool file contains the document's contents as EMF pictures.

The shadow file and the spool file are deleted after the print job completes.

However, these files may still exist in unallocated space or in the Windows page file.

Data carving techniques can be used to carve the EMF graphics out of spool files.

The recovered printed pages provide forensic examiners with additional evidence for the investigation.
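As an added example (not code from the lecture or from any forensic tool), here is a signature carver for the EMF pages described above. It scans an arbitrary blob (a recovered .spl file, the page file, or raw unallocated space) for the " EMF" signature that every EMR_HEADER record carries at offset 40, validates that a header really starts 40 bytes earlier, and uses the header's own nBytes field to cut out the file. The spool-file contents are constructed inline (two synthetic EMF pages plus junk and a decoy signature); build_emf only exists to produce that sample.

```python
import struct

EMR_HEADER = 1                 # iType of the first record in every EMF file
EMF_SIGNATURE = b" EMF"        # dSignature 0x464D4520, always at offset 40 of EMR_HEADER
EMR_HEADER_SIZE = 88           # size of the fixed part of EMR_HEADER


def build_emf(payload, n_records):
    """Constructed sample: a minimal, structurally valid EMF (EMR_HEADER + payload + EMR_EOF)."""
    eof = struct.pack("<IIIII", 14, 20, 0, 0x10, 20)           # EMR_EOF record
    total = EMR_HEADER_SIZE + len(payload) + len(eof)
    hdr = struct.pack("<II", EMR_HEADER, EMR_HEADER_SIZE)       # iType, nSize
    hdr += struct.pack("<4i", 0, 0, 1000, 1000)                  # rclBounds (device units)
    hdr += struct.pack("<4i", 0, 0, 2100, 2970)                  # rclFrame (0.01 mm)
    hdr += EMF_SIGNATURE                                         # offset 40
    hdr += struct.pack("<III", 0x00010000, total, n_records)     # nVersion, nBytes (offset 48), nRecords
    hdr += struct.pack("<HH", 1, 0)                              # nHandles, sReserved
    hdr += struct.pack("<III", 0, 0, 0)                          # nDescription, offDescription, nPalEntries
    hdr += struct.pack("<iiii", 1024, 768, 320, 240)             # szlDevice, szlMillimeters
    assert len(hdr) == EMR_HEADER_SIZE
    return hdr + payload + eof


def emf_info(emf):
    """Header fields an examiner wants from a carved EMF: declared size, record count, device size."""
    nbytes, nrecords, nhandles = struct.unpack_from("<IIH", emf, 48)
    dev_w, dev_h = struct.unpack_from("<ii", emf, 72)
    return {"bytes": nbytes, "records": nrecords, "handles": nhandles, "device": (dev_w, dev_h)}


def carve_emf(blob, max_size=64 * 1024 * 1024):
    """Signature-carve EMF files out of a byte blob. Returns a list of (offset, emf_bytes)."""
    found, pos = [], 0
    while True:
        sig = blob.find(EMF_SIGNATURE, pos)
        if sig < 0:
            return found
        pos = sig + 1
        start = sig - 40
        if start < 0 or start + EMR_HEADER_SIZE > len(blob):
            continue
        itype, nsize = struct.unpack_from("<II", blob, start)
        if itype != EMR_HEADER or nsize < EMR_HEADER_SIZE:
            continue                                   # " EMF" inside unrelated data, not a header
        nbytes = struct.unpack_from("<I", blob, start + 48)[0]
        if nbytes < EMR_HEADER_SIZE or nbytes > max_size:
            continue                                   # implausible length field
        end = min(start + nbytes, len(blob))           # keep a truncated tail rather than drop it
        found.append((start, blob[start:end]))
        pos = end                                      # never re-scan inside a carved file


# Constructed stand-in for a spool file / unallocated space: two EMF pages surrounded by junk,
# plus a decoy " EMF" string that is not preceded by a valid EMR_HEADER.
PAGE1 = build_emf(b"A" * 64, 3)
PAGE2 = build_emf(b"B" * 200, 7)
SAMPLE_SPOOL = b"\x00" * 37 + b"junk" + PAGE1 + b"text mentioning EMF" + b"\xff" * 9 + PAGE2 + b"\x00" * 16

if __name__ == "__main__":
    for off, emf in carve_emf(SAMPLE_SPOOL):
        print("EMF at offset %d: %s" % (off, emf_info(emf)))
```

A carved page can be written to a .emf file and opened in any viewer that renders EMF; the device and millimetre sizes in the header tell you the printer resolution the job was rendered for, which is often enough to match the page to a specific printer listed in the shadow file.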


Jump lists are a Windows 7 feature that provides the user with quick access to documents and tasks that are frequently or recently used.

On the taskbar, jump lists appear for applications that you have pinned to the taskbar and for applications that are currently running, to give you a list of recently accessed documents or frequently accessed destinations, depending on the application.

For example, if you open two Microsoft Word files and then right-click the Microsoft Word icon on the taskbar, you will see those two documents listed.

By default, jump lists show the ten most recently accessed files or frequently accessed destinations per application.

Forensic examiners are particularly interested in the information stored in jump lists.

This includes the full path to the target file or directory, along with its MAC times (modified, accessed, created), the computer name and MAC address recorded for the machine where the target file resides, the last access date and time, and the application used to open the file.


There are two types of jump lists: automatic and custom.

Automatic jump lists, located in the user profile under %AppData%\Microsoft\Windows\Recent\AutomaticDestinations (files named *.automaticDestinations-ms), are created automatically by the OS when a user launches applications or accesses files.

These files follow the compound file binary (OLE) format, with link (LNK) information embedded in each stream.

Custom jump lists, located in the user profile under %AppData%\Microsoft\Windows\Recent\CustomDestinations (files named *.customDestinations-ms), are created when a user pins an item.

These files are link-format (LNK) streams appended to each other.
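To make the "link-format streams" concrete, here is an added example (not code from the lecture or from any jump list tool) that carves ShellLink structures out of a byte blob by their 20-byte header signature and pulls out the fields the lecture lists: the target's MAC times from the ShellLinkHeader, and the local path, volume label, drive type and volume serial from the LinkInfo block. Because it carves by signature rather than walking a container, the same function works on a customDestinations stream of appended LNKs and on raw unallocated space. The sample stream is constructed with build_lnk (paths, labels, serials and times are invented); the StringData and ExtraData blocks that follow LinkInfo in a full LNK, including the TrackerDataBlock that holds the machine name and MAC address, are deliberately not parsed here.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader: HeaderSize 0x4C followed by CLSID {00021401-0000-0000-C000-000000000046}
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02      # LinkFlags bits
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01                     # LinkInfoFlags bit
DRIVE_TYPES = {2: "removable", 3: "fixed", 4: "remote", 5: "cdrom"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def _cstr(blob, off):
    return blob[off:blob.index(b"\x00", off)].decode("latin-1")


def build_lnk(path, label, serial, drive_type, created, accessed, written, size):
    """Constructed sample: minimal .lnk = ShellLinkHeader + LinkInfo(VolumeID, LocalBasePath)."""
    hdr = LNK_MAGIC + struct.pack("<II", HAS_LINK_INFO, 0x20)       # LinkFlags, FILE_ATTRIBUTE_ARCHIVE
    hdr += struct.pack("<QQQ", dt_to_filetime(created), dt_to_filetime(accessed), dt_to_filetime(written))
    hdr += struct.pack("<IIIHHII", size, 0, 1, 0, 0, 0, 0)            # FileSize, IconIndex, SW_SHOWNORMAL, HotKey, Reserved
    lab = label.encode("ascii") + b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(lab), drive_type, serial, 16) + lab
    base = path.encode("latin-1") + b"\x00"
    vol_off = 28                                                      # LinkInfoHeaderSize (7 DWORDs)
    path_off = vol_off + len(volume_id)
    suffix_off = path_off + len(base)
    link_info = struct.pack("<7I", suffix_off + 1, vol_off, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, path_off, 0, suffix_off) + volume_id + base + b"\x00"
    return hdr + link_info


def parse_lnk(blob, start=0):
    """Parse the ShellLink at blob[start:] and return the fields an examiner cares about."""
    if blob[start:start + 20] != LNK_MAGIC:
        raise ValueError("no ShellLinkHeader at offset %d" % start)
    flags, _attrs, ctime, atime, wtime, fsize = struct.unpack_from("<IIQQQI", blob, start + 20)
    rec = {"offset": start, "created": filetime_to_dt(ctime), "accessed": filetime_to_dt(atime),
           "written": filetime_to_dt(wtime), "size": fsize, "local_path": None,
           "volume_label": None, "drive_type": None, "drive_serial": None}
    pos = start + 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:                               # skip the shell item ID list
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, vol_off, path_off, _net_off, suffix_off = struct.unpack_from("<7I", blob, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            v = pos + vol_off
            _vsize, dtype, serial, label_off = struct.unpack_from("<IIII", blob, v)
            rec["drive_type"] = DRIVE_TYPES.get(dtype, str(dtype))
            rec["drive_serial"] = "%04X-%04X" % (serial >> 16, serial & 0xFFFF)
            rec["volume_label"] = _cstr(blob, v + label_off)
            rec["local_path"] = _cstr(blob, pos + path_off) + _cstr(blob, pos + suffix_off)
        pos += li_size
    rec["end"] = pos      # StringData / ExtraData (incl. TrackerDataBlock) would follow; not parsed here
    return rec


def carve_lnks(blob):
    """Find every ShellLink by header signature and parse it; truncated or corrupt ones are skipped."""
    out, pos = [], 0
    while (hit := blob.find(LNK_MAGIC, pos)) >= 0:
        try:
            rec = parse_lnk(blob, hit)
            out.append(rec)
            pos = max(rec["end"], hit + 1)
        except (struct.error, ValueError):
            pos = hit + 1
    return out


def _utc(*a):
    return datetime(*a, tzinfo=timezone.utc)


# Constructed stand-in for a *.customDestinations-ms stream: a few header bytes, then two LNK
# structures back to back with junk between them. Invented paths, labels, serials and times.
SAMPLE_STREAM = (
    b"\x02\x00\x00\x00" + b"\x00" * 12
    + build_lnk(r"E:\Reports\plan.docx", "USB_STICK", 0x1234ABCD, 2,
                _utc(2021, 4, 30, 9, 15, 0), _utc(2021, 5, 1, 13, 58, 30), _utc(2021, 4, 30, 17, 2, 11), 24576)
    + b"\xff" * 5
    + build_lnk(r"C:\Users\levy\Documents\notes.docx", "OS", 0x0BADF00D, 3,
                _utc(2021, 3, 2, 8, 0, 0), _utc(2021, 5, 1, 14, 10, 5), _utc(2021, 4, 28, 11, 45, 0), 8192)
)

if __name__ == "__main__":
    for r in carve_lnks(SAMPLE_STREAM):
        print("%-38s %-9s %s label=%s accessed=%s" % (r["local_path"], r["drive_type"],
              r["drive_serial"], r["volume_label"], r["accessed"].isoformat()))
```

The drive type and volume serial are what turn the USB-stick scenario below into an actionable lead: a "removable" target with serial 1234-ABCD can be matched against the volume serial of a seized stick, independent of the drive letter it happened to get. For automaticDestinations files, first extract the streams from the OLE container (for example with olefile) and run carve_lnks on each.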


There is more information about jump lists in the resources section of this unit, for those interested.


Why is this artifact important for forensic analysis?

From the forensic analysis perspective, the existence of automatic jump lists is an indication of user activity on the system, and provides investigators with valuable proof that a user accessed a file.

Also, even if the files have been deleted, they are still included in the jump list.

The full path information of the deleted target file may lead investigators to identify more evidence.

Here is one scenario.

A jump list contains information about a Word file stored on a USB stick.

The investigator obtains proof that the suspect accessed this file, with the name of the file, its full path, and the date and time of the last access.

Now the investigator can request or search for this USB stick to recover more evidence.

Jump list analysis is especially important for solid state drive analysis, allowing investigators to establish a file's existence on the disk after the file has been wiped by the SSD's garbage collection process.


Windows also has other artifacts, such as shadow copies, Windows Prefetch, the Control Panel, ShellBags, and others that are important for forensic investigation.

The SANS poster in the resources section provides a brief overview of the artifacts and registry keys that help with Windows forensic analysis.

If you are interested in learning more details, please read the slides in the appendix of this slide set.

Now let's move on to the next important topic: event logs.


Windows stores various events in three event logs in a binary format: the security log (SECEVENT), the system log (SYSEVENT), and the application log (APPEVENT). Those are the legacy .evt file names; since Windows Vista the logs are .evtx files (Security.evtx, System.evtx, Application.evtx) under %SystemRoot%\System32\winevt\Logs.

Windows Event Viewer is used to read these log files.

The application log (APPEVENT) contains events logged by programs or applications, for example a file error logged by a database program.

Which events are logged and the amount of detail provided are determined by the application developer.

The system log contains events that are predetermined by the operating system, and they are logged by system components.

An example of such an event is a failure to load a driver.

Both the application log and the system log show three different types of events: error, warning, and information.


The security log records security events, such as logons, file accesses, or modification attempts, as successful or failed, depending on what was requested to be audited.

These events are controlled by the auditing functions of the various resources and systems.

Depending on the Windows edition and the configured audit policy, many of these events are not recorded by default; auditing has to be enabled (for example through Group Policy or auditpol.exe) before they appear.

Security logs are only viewable by administrators.

For example, Windows records successful and failed user logon and logoff events in the security event log.

On Windows Vista and later, event ID 4624 indicates a successful logon, 4625 a failed logon, and 4634 a logoff. On older versions (Windows XP and Server 2003), event ID 540 indicates a successful network logon.


Please be aware that sophisticated attackers may alter event logs by selectively editing or deleting entries to hide their malicious actions.

An investigator should always be alert to such tampering and look for inconsistent evidence.
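Here is an added example (not code from the lecture and not a vendor tool) of the kind of consistency checks an investigator runs over exported Security log records: it maps both the legacy and the Vista-and-later logon IDs above to their meaning, flags a burst of failed logons (4625/529) followed by a success from the same user and source, flags a logoff (4634/4647/538) whose logon session ID never appears in a logon record, reports holes in the EventRecordID sequence, and reports explicit log clearing (1102/517). The records are constructed dicts with the field names an evtx export uses; the users, IPs, logon IDs and times are invented. A record-ID gap is a lead, not proof of tampering, since log rotation also produces one.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Security log IDs on Windows XP/2003 (3-digit) and Vista+ (4-digit) for the same events.
LOGON_OK = {528, 540, 4624}          # 540 is the legacy "successful network logon"
LOGON_FAIL = {529, 4625}             # 529 is one of several legacy failure IDs
LOGOFF = {538, 4634, 4647}
LOG_CLEARED = {517, 1102}


def rec(record_id, ts, event_id, user, logon_id, logon_type, src_ip):
    """One Security log record, using the field names an evtx export carries."""
    return {"record_id": record_id, "time": datetime.fromisoformat(ts), "event_id": event_id,
            "user": user, "logon_id": logon_id, "logon_type": logon_type, "src_ip": src_ip}


def analyze(records, fail_threshold=3, window=timedelta(minutes=5)):
    """Return a list of (kind, detail) findings; an empty list means nothing inconsistent was seen."""
    records = sorted(records, key=lambda r: (r["time"], r["record_id"]))
    findings = []

    # 1. EventRecordID is sequential: a hole means entries are missing (deletion or rotation).
    ids = sorted(r["record_id"] for r in records)
    for a, b in zip(ids, ids[1:]):
        if b != a + 1:
            findings.append(("record_gap", "records %d-%d missing" % (a + 1, b - 1)))

    # 2. The log itself records being cleared.
    for r in records:
        if r["event_id"] in LOG_CLEARED:
            findings.append(("log_cleared", "%s by %s" % (r["time"].isoformat(), r["user"])))

    # 3. Password guessing: N failures from the same user/source inside the window, then success.
    fails = defaultdict(list)
    for r in records:
        key = (r["user"], r["src_ip"])
        if r["event_id"] in LOGON_FAIL:
            fails[key].append(r["time"])
        elif r["event_id"] in LOGON_OK:
            recent = [t for t in fails[key] if r["time"] - t <= window]
            if len(recent) >= fail_threshold:
                findings.append(("guess_then_success", "%s from %s after %d failures"
                                 % (r["user"], r["src_ip"], len(recent))))
            fails[key].clear()

    # 4. A logoff whose logon session never appears: the matching logon entry may have been removed.
    seen_logons = {r["logon_id"] for r in records if r["event_id"] in LOGON_OK}
    for r in records:
        if r["event_id"] in LOGOFF and r["logon_id"] not in seen_logons:
            findings.append(("orphan_logoff", "logon id %s (record %d)" % (r["logon_id"], r["record_id"])))
    return findings


# Constructed sample log (invented users, addresses, logon IDs and times).
SAMPLE_LOG = [
    rec(1001, "2021-05-01T08:00:00", 4624, "levy", "0x3E7A1", 2, "-"),
    rec(1002, "2021-05-01T08:40:00", 4634, "levy", "0x3E7A1", 2, "-"),
    rec(1003, "2021-05-01T22:10:03", 4625, "admin", "-", 3, "10.0.0.50"),
    rec(1004, "2021-05-01T22:10:05", 4625, "admin", "-", 3, "10.0.0.50"),
    rec(1005, "2021-05-01T22:10:08", 4625, "admin", "-", 3, "10.0.0.50"),
    rec(1006, "2021-05-01T22:10:12", 4624, "admin", "0x5C2F0", 3, "10.0.0.50"),
    # records 1007-1009 are absent from the export
    rec(1010, "2021-05-01T22:25:41", 4634, "admin", "0x5C2F0", 3, "10.0.0.50"),
    rec(1011, "2021-05-01T22:26:00", 4634, "SYSTEM", "0x7F001", 5, "-"),   # no 4624 for this session
    rec(1012, "2021-05-01T22:30:00", 1102, "admin", "0x5C2F0", 3, "-"),
]

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print("%-20s %s" % (kind, detail))
```

The same checks apply unchanged to records pulled from a live system; on Windows the export step is typically Get-WinEvent -LogName Security piped to a CSV, with EventRecordID, TimeCreated, Id and the TargetUserName, TargetLogonId, LogonType and IpAddress event-data fields mapped onto the keys rec() expects.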

 

Reposted from: https://www.cnblogs.com/sec875/articles/10015731.html
