WEEK 2.0. Any sufficiently advanced technology is indistinguishable from magic.
- Terence Rogers
2 Recycler
- A recycle bin for each user: Recycler\<SID>, created on that user's first deletion.
- Only populated by Recycle-Bin-aware programs (Explorer, Office and the like); command-line tools such as del bypass it entirely.
- To restore a file you must find the recycle bin of the user who deleted it.
- Do not open a suspect Recycler on your own PC: Explorer will change the MAC times and merge the contents with your own bin.
3 Access from a DOS prompt: the Recycler folder is hidden and system, so list it with dir /a (or dir /ah). Contents are organised by SID, so being able to map user to SID and SID to user is helpful (the ProfileList key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion gives each SID's profile path). The INFO2 file links the renamed deleted files to their real names and deletion times; use IEhist
5 Deleted-file naming convention (2000/XP): D<DriveLetter><IndexNumber>.<FileExtension>
- D stands for Drive.
- <DriveLetter> is the drive the file resided on.
- <IndexNumber> is assigned to each file or folder sent to the Recycle Bin and gives the order of deletion: the highest number was deleted last. When the Recycle Bin is emptied and the system restarted, the numbering starts over.
- <FileExtension> is the original extension of the file. A deleted folder has no extension.
6 Example: a file named Steve.doc is deleted from the C: drive and sent to the Recycle Bin. It is the first item deleted in that user's session, so it is renamed Dc1.doc. A file named hacker.txt deleted from C: as the second item becomes Dc2.txt. The entries for both files are recorded in C:\Recycler\%SID%\INFO2 for the user who deleted them (each fixed drive has its own Recycler folder and INFO2).
8 Rifiuti: Foundstone's command-line INFO2 parser; it prints each record's index, deletion time, drive, size and original path.
9 Vista / Windows 7 and later: $Recycle.Bin
- Still one folder per user SID.
- Each deleted file becomes a pair: $I<random>.<ext> holds the metadata (original path, size, deletion time) and $R<random>.<ext> holds the content. The random part is shared by the pair and the original extension is kept.
- There is no INFO2 file any more; the $I file replaces it, so if the $I is gone the original name is lost.
10 Access: view with dir /s /a. Copy out using
    XP:  xcopy /H c:\Recycler e:\target_dir\recyclebin   (/H copies hidden and system files)
    W7:  robocopy c:\$Recycle.Bin e:\target_dir\recyclebin /MIR
Caveats: /MIR is /E plus /PURGE and deletes anything in the destination that is not in the source, so point it at an empty target; copying from a live system also updates access times, so work from a forensic image when one exists. Rifiuti works on these (the $I format is handled by the rifiuti2 rewrite).
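The two metadata formats described on slides 5, 6 and 9, as an added example that is not part of the slides: a Python parser for 2000/XP INFO2 records and for Vista+/Windows 10 $I files, plus the Dc1.doc-style name each INFO2 record implies. Record offsets follow the layouts documented by rifiuti/rifiuti2; the sample records, paths, sizes and deletion times are constructed here and are not from any real system.

```python
"""Offline parsers for Recycle Bin metadata: 2000/XP INFO2 records and the
Vista+/Windows 10 $I files. Added example; the sample records are constructed here."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
INFO2_RECORD_SIZE = 800  # 0x320 on Windows 2000/XP/2003


def filetime_to_datetime(ft):
    """FILETIME = 100 ns intervals since 1601-01-01 UTC, the same type as NTFS MAC times."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_info2_record(rec):
    """One INFO2 record (layout as documented by rifiuti):
    0x000 ANSI original path (260 bytes), 0x104 index, 0x108 drive number (0=A:, 2=C:),
    0x10C deletion FILETIME, 0x114 physical size, 0x118 UTF-16LE original path (520 bytes)."""
    if len(rec) != INFO2_RECORD_SIZE:
        raise ValueError("INFO2 record must be %d bytes" % INFO2_RECORD_SIZE)
    index, drive, ft, size = struct.unpack_from("<IIQI", rec, 0x104)
    path = rec[0x118:0x118 + 520].decode("utf-16-le").split("\x00", 1)[0]
    filename = path.rsplit("\\", 1)[-1]
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""  # a folder has no extension
    letter = chr(ord("a") + drive)
    return {
        "index": index,
        "drive": letter.upper() + ":",
        "deleted": filetime_to_datetime(ft),
        "size": size,
        "original": path,
        # Name the file carries inside Recycler\<SID>: D<drive><index>.<ext>
        "bin_name": "D%s%d%s" % (letter, index, "." + ext if ext else ""),
        # rifiuti reports a zeroed first byte of the ANSI path as an entry that was
        # restored or purged individually; the rest of the record stays behind.
        "active": rec[0] != 0,
    }


def parse_info2(data):
    """INFO2 = 20-byte header (record size at offset 0x0C) followed by fixed-size records."""
    (rec_size,) = struct.unpack_from("<I", data, 0x0C)
    return [parse_info2_record(data[off:off + rec_size])
            for off in range(20, len(data) - rec_size + 1, rec_size)]


def parse_dollar_i(data):
    """$I<random>.<ext>: version (8), original size (8), deletion FILETIME (8), then
    version 1 (Vista to 8.1): 520-byte UTF-16LE path; version 2 (Windows 10):
    4-byte character count (including the NUL) followed by the path."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + 2 * nchars].decode("utf-16-le").split("\x00", 1)[0]
    else:
        raise ValueError("unknown $I version %d" % version)
    return {"version": version, "size": size, "deleted": filetime_to_datetime(ft), "original": path}


# --- constructed sample records (not from a real system) ---------------------------
def _info2_record(index, drive, deleted, size, path):
    rec = bytearray(INFO2_RECORD_SIZE)
    ansi = path.encode("ascii")[:259]
    rec[0:len(ansi)] = ansi
    struct.pack_into("<IIQI", rec, 0x104, index, drive, datetime_to_filetime(deleted), size)
    uni = path.encode("utf-16-le")[:518]
    rec[0x118:0x118 + len(uni)] = uni
    return bytes(rec)


def _dollar_i(version, size, deleted, path):
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    uni = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return head + uni.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + uni


T1 = datetime(2009, 10, 8, 14, 30, tzinfo=timezone.utc)
SAMPLE_INFO2 = (struct.pack("<IIIII", 5, 0, 0, INFO2_RECORD_SIZE, 0)
                + _info2_record(1, 2, T1, 24576, r"C:\Documents and Settings\steve\My Documents\Steve.doc")
                + _info2_record(2, 2, T1 + timedelta(minutes=5), 4096, r"C:\tools\hacker.txt"))
SAMPLE_I_V1 = _dollar_i(1, 4096, T1, r"C:\Users\steve\Desktop\hacker.txt")
SAMPLE_I_V2 = _dollar_i(2, 24576, T1, r"C:\Users\steve\Documents\Steve.doc")

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        print("%s  %s  %s  %d bytes" % (r["bin_name"], r["deleted"].isoformat(), r["original"], r["size"]))
    for blob in (SAMPLE_I_V1, SAMPLE_I_V2):
        r = parse_dollar_i(blob)
        print("$I v%d  %s  %s" % (r["version"], r["deleted"].isoformat(), r["original"]))
```

To run it against real evidence, read C:\Recycler\<SID>\INFO2 or each $I file from an image with open(path, "rb") and pass the bytes to parse_info2 or parse_dollar_i; the deletion times come back as UTC, which is how FILETIME is stored, so convert to local time only when reporting.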
11 Registry: a database holding information on every Windows-compatible program installed on the PC, on users and their preferences, and on hardware, software and network configuration.
12 Purpose Discuss the structure of the Windows Registry. Methods for determining Registry footprints for arbitrary applications and user activity will be presented.
13 The structure of the Registry
14 The hives of the Registry that persist on disk are files in %SYSTEMROOT%\system32\config (SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT). Exception: the hive holding a specific user's settings, NTUSER.DAT, lives in that user's profile folder (Documents and Settings\<user> on XP, Users\<user> from Vista on), and a second per-user hive, UsrClass.dat, sits under the profile's Local Settings\Application Data\Microsoft\Windows (AppData\Local\Microsoft\Windows from Vista on).
15 Registry Organization: the registry stores its data in hives, each backed by a file on disk. Which files make up the hives, and where they live, depends on the Windows version in use.
16 Registry Organization: Root Keys
- HKEY_CLASSES_ROOT (HKCR): file-type to program associations used by Windows Explorer (a merged view of HKLM\Software\Classes and HKCU\Software\Classes).
- HKEY_CURRENT_USER (HKCU): the profile (settings etc.) of the logged-on user; a link to that user's SID subkey under HKU.
- HKEY_LOCAL_MACHINE (HKLM): system-wide hardware settings and configuration information.
- HKEY_USERS (HKU): the root of all user profiles loaded on the system, one subkey per SID.
- HKEY_CURRENT_CONFIG (HKCC): the hardware profile the computer booted with (a link into HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current).
Sub Keys are essentially sub-directories under the root keys.
18 Windows Security ID and Relative ID: the registry identifies a security principal or security group by an alphanumeric Security Identifier (SID). For local accounts the SID is built from an identifier that is unique to the computer (or to the domain) plus a Relative ID (RID), its final component, which identifies the specific user or group on that computer. A local account SID therefore has the form S-1-5-21-<three sub-authorities identifying the machine or domain>-<RID>.
19 SID examples
SID        Name               Description
S-1-0      Null Authority     An identifier authority.
S-1-0-0    Nobody             No security principal.
S-1-1      World Authority    An identifier authority.
S-1-1-0    Everyone           A group that includes all users, even anonymous users and guests. Membership is controlled by the operating system.
S-1-2      Local Authority    An identifier authority.
S-1-3      Creator Authority  An identifier authority.
20 SIDs in the SAM hive (NT/2000/XP/2003)
HKLM\SAM\SAM\Domains\Account\Aliases\Members records local group membership by SID (the SAM hive is only readable offline or as SYSTEM).
HKLM\SAM\SAM\Domains\Account\Users holds one subkey per account, named by the RID in hexadecimal (000001F4 = 500); the F and V values under it hold the account details.
Well-known RIDs:
  Users: Administrator 500, Guest 501
  Domain groups: Domain Admins 512, Domain Users 513, Domain Guests 514
  Built-in local groups (S-1-5-32-<RID>): Administrators 544, Users 545, Guests 546
RIDs from 1000 upward are allocated to accounts and groups created after installation.
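An added example, not from the slides: decoding a SID from the binary form the registry stores it in (for instance the Sid value under ProfileList, or group members in the SAM), and splitting a string SID into its machine/domain part and RID so you can find the account's key under SAM\Domains\Account\Users. The sample SID, the fictitious machine identifier and the short name tables are constructed here.

```python
"""Decode security identifiers as the registry stores them. Added example, not from the
slides; the binary SID and the name tables below are constructed here."""
import struct

# A few well-known SIDs (Microsoft's documented list is much longer).
WELL_KNOWN = {
    "S-1-0-0": "Nobody", "S-1-1-0": "Everyone", "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
}
# RIDs that are fixed on every machine or domain; RIDs >= 1000 are allocated at creation time.
FIXED_RIDS = {500: "Administrator", 501: "Guest",
              512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}


def sid_from_bytes(data):
    """Binary SID: revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then <count> little-endian 32-bit sub-authorities.
    This is the form found in REG_BINARY values such as ProfileList\\<SID>\\Sid."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_to_bytes(sid):
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def describe_sid(sid):
    """Split an account SID into the machine/domain identifier and the RID, and derive the
    SAM key that holds the account (subkeys are named by the RID in upper-case hex)."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    info = {"sid": sid, "well_known": WELL_KNOWN.get(sid), "rid": None}
    if parts[1:3] == ["1", "5"] and subs[:1] == [21] and len(subs) == 5:
        rid = subs[4]
        info["domain_or_machine"] = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        info["rid"] = rid
        info["rid_name"] = FIXED_RIDS.get(rid, "created after install" if rid >= 1000 else "reserved")
        info["sam_key"] = "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\%08X" % rid
    return info


# Constructed sample: the built-in Administrator of a fictitious machine SID.
SAMPLE_SID = "S-1-5-21-1234567890-987654321-1122334455-500"
SAMPLE_SID_BYTES = (bytes([1, 5]) + (5).to_bytes(6, "big")
                    + struct.pack("<5I", 21, 1234567890, 987654321, 1122334455, 500))

if __name__ == "__main__":
    print(sid_from_bytes(SAMPLE_SID_BYTES))
    for s in (SAMPLE_SID, "S-1-5-21-1234567890-987654321-1122334455-1001", "S-1-5-32-544"):
        print(describe_sid(s))
```

The same decomposition answers the Recycler question on slide 3: the folder names under Recycler are string SIDs, and describe_sid tells you whether one is a built-in account, a fixed RID, or an account created after installation.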
21 MRU: to identify the Most Recently Used (MRU) files on a suspect computer system:
- Windows 9x/Me: User.dat
- Windows NT/2000: Ntuser.dat; search for MRU, LRU and Recent
- Windows XP/2003: Ntuser.dat; search for MRU, LRU and Recent, and in particular HKU\<UserSID>\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs. Select the file-extension subkey of interest, then the item.
22 Registry Forensics: every registry key (not value) carries a last-modified timestamp, stored as a FILETIME structure just like the MAC times of files. The Regedit GUI does not display it; it is readable in the binary hive format (and appears as "Last Write Time" when a key is exported from Regedit as a .txt file).
23 The Registry as a log file: a key's LastWrite time is the analogue of a file's last-modification time. As with a file, the analyst may have the key and know when it was last written, but cannot tell from the timestamp alone which value under it changed.
24 What's in the Registry: 1. Autostart locations 2. User activity
25 1. Autostart locations: used by a great many pieces of malware to remain persistent on the victim system. Example: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (and its HKLM counterpart, which runs for every user who logs on).
26 User Activity
27 MRU (most recently used) lists: a key such as RunMRU holds a number of values named for letters of the alphabet, in this case a through g. The MRUList value records the order in which those values were used, most recent first, so the letter of a value says nothing about recency on its own. (RecentDocs and OpenSaveMRU use numbered values and a binary MRUListEx instead.)
28 Registry: each user has their own section (HKU\<SID>, backed by NTUSER.DAT), which shows
- Most recently used files (RecentDocs)
- Searches (keys whose name contains MRU, e.g. Doc Find Spec MRU)
- Typed URLs (TypedURLs)
- Last commands entered in Start > Run (RunMRU)
- Last files opened and saved through the common dialogs (OpenSaveMRU, under ComDlg32)
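An added example, not from the slides, of reconstructing MRU order from both list formats described above: the lettered values with a REG_SZ MRUList (RunMRU, Doc Find Spec MRU) and the numbered values with a binary MRUListEx (RecentDocs, OpenSaveMRU), plus extraction of the document name from a RecentDocs value. The value contents are constructed here, and the shell-item tail behind each RecentDocs name is simplified to just the part that is scanned for the shortcut name.

```python
"""Reconstruct MRU order from the two list formats the Explorer keys use. Added example,
not from the slides; the value contents below are constructed by hand."""
import re
import struct


def order_by_mrulist(values, mrulist):
    """Older keys (RunMRU, Doc Find Spec MRU): values named a, b, c ... plus a REG_SZ
    MRUList whose first letter is the most recently used value."""
    return [values[letter] for letter in mrulist if letter in values]


def order_by_mrulistex(values, mrulistex):
    """RecentDocs and OpenSaveMRU on XP and later: values named 0, 1, 2 ... plus a
    REG_BINARY MRUListEx of little-endian DWORD indexes, most recent first,
    terminated by 0xFFFFFFFF."""
    ordered = []
    for (idx,) in struct.iter_unpack("<I", mrulistex):
        if idx == 0xFFFFFFFF:
            break
        if str(idx) in values:
            ordered.append(values[str(idx)])
    return ordered


def parse_recentdocs_value(blob):
    """A RecentDocs entry is the document name in UTF-16LE, NUL-terminated, followed by a
    shell item naming the .lnk that Explorer wrote into the user's Recent folder.
    The shortcut name is recovered best-effort by scanning that tail for an ASCII '*.lnk'."""
    end = len(blob)
    for i in range(0, len(blob) - 1, 2):  # the terminator sits on a 2-byte boundary
        if blob[i:i + 2] == b"\x00\x00":
            end = i
            break
    name = blob[:end].decode("utf-16-le")
    tail = blob[end + 2:]
    m = re.search(rb"([\x20-\x7e]+\.lnk)", tail, re.IGNORECASE)
    return {"name": name, "lnk": m.group(1).decode("ascii") if m else None}


def run_mru(values, mrulist):
    """RunMRU strings carry a trailing '\\1' marker; strip it to get what was typed."""
    return [v[:-2] if v.endswith("\\1") else v for v in order_by_mrulist(values, mrulist)]


def recent_documents(values, mrulistex):
    return [parse_recentdocs_value(v)["name"] for v in order_by_mrulistex(values, mrulistex)]


# --- constructed samples ---------------------------------------------------------------
def _recentdocs_blob(name):
    # The tail mimics only what the scanner looks for; real shell items carry more structure.
    lnk = name.rsplit(".", 1)[0] + ".lnk"
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32\x00" + lnk.encode("ascii") + b"\x00"


SAMPLE_RECENTDOCS = {"0": _recentdocs_blob("report.doc"), "1": _recentdocs_blob("hacker.txt"),
                     "2": _recentdocs_blob("Steve.doc")}
SAMPLE_MRULISTEX = struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF)   # Steve.doc is the most recent
SAMPLE_RUNMRU = {"a": "cmd\\1", "b": "regedit\\1", "c": "\\\\10.0.0.5\\c$\\1"}
SAMPLE_RUNMRU_LIST = "cba"                                     # last Run command first

if __name__ == "__main__":
    print(recent_documents(SAMPLE_RECENTDOCS, SAMPLE_MRULISTEX))
    print(run_mru(SAMPLE_RUNMRU, SAMPLE_RUNMRU_LIST))
```

When the order matters for a timeline, remember that only the key's LastWrite time is recorded, not a time per entry: the MRUList tells you the sequence, and the LastWrite time dates the most recent change to that sequence.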
30 Doc Find Spec MRU (search history). Autostart keys:
    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /s
    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce /s
    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices /s
    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /s
Retrieves the content of the Run, RunOnce, RunServices and RunServicesOnce keys and all their subkeys, to identify unusual programs and Trojans. Repeat under HKCU for the logged-on user. RunServices and RunServicesOnce exist only on Windows 9x/Me; on NT-based systems expect just Run and RunOnce.
31 reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer /s
    Review the Most Recently Used (MRU) files, to identify unusual files.
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /s
    Installed software, to identify unusual programs and Trojans.
C:\>wmic product list > products.txt
    Lists MSI-installed products only. Caveat: querying Win32_Product makes Windows Installer run a consistency check on every package and can trigger repairs, so it changes the system; on a suspect machine prefer the Uninstall key.
streams -s c:\
    Check for alternate NTFS data streams on the C: drive (Sysinternals Streams).
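An added example, not from the slides: parsing saved `reg query ... /s` output and flagging autostart entries that launch from the places a Trojan tends to hide (temp folders, profile directories, the Recycler), or that borrow a system binary's name outside System32. The output text and the path heuristics are constructed for illustration and are not a complete allow-list.

```python
"""Triage autostart entries from saved `reg query <key> /s` output. Added example, not
from the slides; the output text below is constructed to follow reg.exe's layout."""
import re

# Constructed sample: what `reg query ...\Run /s > run.txt` looks like on XP (fictitious entries).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Adobe Reader    REG_SZ    "C:\Program Files\Adobe\Reader\Reader_sl.exe"
    Updater    REG_SZ    "C:\Documents and Settings\steve\Local Settings\Temp\svchost.exe" -s

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    OneDriveSync    REG_SZ    C:\RECYCLER\S-1-5-21-1234567890-987654321-1122334455-1004\Dc3.exe
"""

# reg.exe indents value lines with four spaces and separates name, type and data with four spaces.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")
SUSPECT_PATH = re.compile(r"\\(?:temp|recycler|\$recycle\.bin|appdata|local settings|application data)\\", re.I)
TRUSTED_PREFIX = re.compile(r"^(?:%windir%|%systemroot%|c:\\windows|c:\\program files)", re.I)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


def image_path(command):
    """First token of the command line: a quoted path, or everything up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def parse_reg_query(text):
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            name, vtype, data = m.groups()
            entries.append({"key": key, "name": name, "type": vtype,
                            "data": data, "image": image_path(data)})
    return entries


def triage(entries):
    """Attach a list of reasons to each entry and return only the ones worth a second look."""
    for e in entries:
        p = e["image"]
        reasons = []
        if SUSPECT_PATH.search(p):
            reasons.append("user-writable or temp location")
        if not TRUSTED_PREFIX.match(p):
            reasons.append("outside Windows/Program Files")
        exe = p.rsplit("\\", 1)[-1].lower()
        if exe in SYSTEM_NAMES and "\\system32\\" not in p.lower():
            reasons.append("system binary name outside System32")
        e["reasons"] = reasons
    return [e for e in entries if e["reasons"]]


if __name__ == "__main__":
    for e in triage(parse_reg_query(SAMPLE_REG_QUERY)):
        print("%s\\%s -> %s  [%s]" % (e["key"], e["name"], e["image"], "; ".join(e["reasons"])))
```

On a real case feed it the text you saved from the suspect machine (reg query ... /s > run.txt) rather than querying your own registry, and treat the flags as a starting point: a legitimate updater under AppData will be flagged, and a Trojan copied into System32 under an unremarkable name will not.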
32 Run MRU
33 Typed URLs
34 Search History
35 Last Files Saved
36 Registry Forensics List of applications and filenames of the most recent files opened in windows
37 Investigate: copy the hive files from their location in WINNT\System32\Config. They are locked while Windows is running, so take them from an image, a shadow copy, or the Repair directory, which holds the copy made at installation (and refreshed by system-state backups). Load them on your host with Regedit's File > Load Hive (select HKEY_USERS or HKEY_LOCAL_MACHINE first); do not use Import, which would merge the contents into your own registry. Or copy them out using one of the tools below. Note: back up your own registry first.
38 Registry Tools ("If I have seen further it is by standing on the shoulders of giants.")
- Regdump: dumps the registry to a large text file
- Reg query: retrieves the keys of interest
- Regedit: views the registry
- Registrar Lite (resplendence.com)
- Keytime: shows a key's last write time in a readable format
39
- Yaru (tzworks.net): accesses a live registry or offline hives and produces reports
- RegReport: full report of exported hives
- Regedit: views the registry
- Forensic Control: free software
Windows 7: Current Events in the World of Windows Forensics Harlan Carvey Troy Larson Introduc)on The Digital Forensics Subject Ma4er Exper8se Stack: Applications e.g., I.E., etc. OS Artifacts File Systems
More informationThe Complete Handbook of. jv16 PowerTools / 93
The Complete Handbook of jv16 PowerTools 2010 1 / 93 This digital book can be distributed freely and without permission from the author either in digital form or in paper print. However, if this book is
More informationServer Edition Administrator s Guide
Server Edition Administrator s Guide March 29, 2005 Beagle Software 800 Washington Ave. N, Suite 418 Minneapolis, Minnesota 55401 USA Introduction This document covers FinePrint, pdffactory, and pdffactory
More informationWindows Network Server
Windows Network Server The Client Explorer helps you manage all your client data files. Users on a network can share the same database so that the index is constantly up-to-date for all to see, and files
More informationSMB Analysis OPSEC 2016
SMB Analysis http://blogs.technet.com/b/josebda/archive/2013/10/02/windows-server-2012-r2-which-version-of-the-smb-protocol-smb-1-0 If Malware crafts a packet to negotiate only using LanMan v1, then Unlocked
More informationNotes: Describe the architecture of your product. Please provide also which Database technology is used for case management and evidence management.
EF-1. All protocols used between the different components in the distributed architecture (management server, agents, database, forensic analyst system, etc) shall be encrypted and signed. EF-2. The Enterprise
More informationExtended Search Administration
IBM Lotus Extended Search Extended Search Administration Version 4 Release 0.1 SC27-1404-02 IBM Lotus Extended Search Extended Search Administration Version 4 Release 0.1 SC27-1404-02 Note! Before using
More information