Computer Forensics: Investigating File and Operating Systems, Wireless Networks, and Storage, 2nd Edition. Chapter 5 Windows Forensics II
- Bryce Townsend
2 Objectives
After completing this chapter, you should be able to:
- Understand event logs
- Understand other audit events
- Understand forensic analysis of event logs
- Understand Windows password issues
- Describe some popular Windows forensic analysis tools
3 Introduction to Windows Forensics, Part II
This chapter:
- Continues the study of Windows forensics
- Covers events and event logs
- Discusses password and authentication issues
- Describes various popular Windows forensic tools
4 Understanding Events
- Whenever an event occurs, the OS logs it.
- Event: any occurrence that the OS or a program wants to keep track of or alert the user about.
- Some events are recorded by default; others are recorded according to the audit configuration, which is stored in the registry under HKLM\SECURITY\Policy\PolAdtEv.
- Systems configured as domain controllers also have File Replication Service and Directory Service event logs.
- Systems configured as DNS servers also have a DNS Server event log.
5 Understanding Events
Table 5-1 The event logging system keeps track of different types of logon events
6 Event Log File Format
- The classic Windows event log (.evt, Windows NT through Server 2003) is stored in a binary format with distinct, recognizable features.
- Each event log consists of a header section followed by a series of event records.
- The log is maintained as a circular buffer: when it fills, new records wrap around and overwrite the oldest ones.
- Event log header: the first 48 bytes of a valid event log file, consisting of 12 DWORD values (header size, the "LfLe" signature, major and minor version, start and end offsets, current and oldest record numbers, maximum size, flags, retention, and the header size again).
- Event record structure: the fixed header of an event record is 56 bytes, followed by the variable-length source name, computer name, SID, insertion strings, binary data, and a trailing copy of the record length.
7 Windows Event Logs
- Beginning with Windows Vista and Server 2008, Windows stores events in the .evtx format, a binary encoding of XML, and exposes each record as an XML document.
- This format supports central collection (forwarding) of event records.
- XML is a general-purpose markup specification; it lets users define their own elements so that structured data can be shared among computers running different operating systems and applications.
- The wevtutil command retrieves information about the event logs that is not readily apparent in Event Viewer: wevtutil el enumerates the logs, wevtutil gl <log> shows a log's configuration, and wevtutil qe <log> queries its events.
8 Windows Event Logs
Figure 5-1 An investigator can list all the event logs available using wevtutil
9 Windows Event Logs
Figure 5-2 An investigator can view configuration information about specific event logs using wevtutil
10 IIS Logs
- Microsoft's Internet Information Services (IIS) is a popular Web server platform.
- IIS Web server logs are most often found under %WinDir%\System32\LogFiles (IIS 6 and earlier); IIS 7 and later default to %SystemDrive%\inetpub\logs\LogFiles.
- Each Web site has its own subdirectory for log files, named after the site's identifier (for example, W3SVC1).
- By default the log files are ASCII text, so they are easily opened and searched.
- IIS logs generally have column headers (#Fields: lines) near the top of the file, naming the fields in the order they appear on each line.
11 Parsing IIS Logs
- IIS is managed and configured through the IIS Management Console, which is available only on a system that has IIS installed and running.
- By default, logging is enabled and uses the W3C Extended Log File Format.
- Log files are named exyymmdd.log, one per day; IIS 7 and later prefix the name with u_ when UTF-8 logging is enabled, giving u_exyymmdd.log.
12 Parsing IIS Logs
Table 5-2 Fields in an IIS log (continues)
13 Parsing IIS Logs
Table 5-2 Fields in an IIS log (continued)
14 Parsing IIS FTP Logs
- FTP logs record the same fields that IIS Web logs do, except for the following, which have no meaning for FTP: cs-uri-query, cs-host, cs(User-Agent), cs(Cookie), cs(Referer), and sc-substatus.
- FTP logs (IIS 6) are stored in: %WinDir%\System32\LogFiles\MSFTPSVC1\exyymmdd.log
15 Parsing DHCP Server Logs
- Dynamic Host Configuration Protocol (DHCP): a service in which a server assigns a client machine an IP address (and other network settings) upon request.
- Windows Server products provide a DHCP server if the role is installed and configured.
- DHCP Server Activity Logs are created by the DHCP service.
- By default they are stored in %SystemRoot%\System32\DHCP, one file per day of the week (DhcpSrvLog-Mon.log through DhcpSrvLog-Sun.log), so each file is overwritten a week later unless it is preserved.
16 Parsing DHCP Server Logs
Table 5-3 The information in a DHCP log
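As an added example (not from the textbook), the following Python parses the DHCP server activity log format described above and answers the question an investigator usually brings to it: which MAC address and host name held a given IP address at a given time. The log text is constructed sample data laid out like the real file (free-text preamble, then a CSV header and rows); the event-ID meanings are the ones the log's own preamble lists, and the host names and addresses are hypothetical.

```python
import csv
from datetime import datetime

# Event IDs as listed in the preamble of the DHCP server's own log (subset).
LEASE_START = {10, 11, 20}      # new lease, renewal, BOOTP lease
LEASE_END = {12, 16, 17}        # release, deleted, expired
SUSPICIOUS = {13, 14, 15}       # address conflict, scope exhausted, lease denied (NACK)

# Constructed sample in the real file's layout: text preamble, CSV header, rows.
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
10\tA new IP address was leased to a client.
11\tA lease was renewed by a client.
12\tA lease was released by a client.
13\tAn IP address was found to be in use on the network.
15\tA lease was denied.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,01/13/14,08:03:11,Assign,192.168.1.50,WS01.corp.local,001122334455
11,01/13/14,12:03:14,Renew,192.168.1.50,WS01.corp.local,001122334455
12,01/13/14,17:45:02,Release,192.168.1.50,WS01.corp.local,001122334455
10,01/13/14,18:10:40,Assign,192.168.1.50,UNKNOWN-PC,DEADBEEF0001
13,01/13/14,18:12:05,Conflict,192.168.1.60,,
15,01/13/14,18:15:22,NACK,192.168.1.77,,DEADBEEF0001
"""

def parse_dhcp_log(text):
    """Return the log's rows as dicts with a real timestamp, sorted by time.

    Rows are mapped by the names in the CSV header, so the extra columns that
    Windows Server 2008 and later append do not break the parser."""
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("ID,Date,Time"))
    events = []
    for row in csv.DictReader(lines[start:]):
        events.append({
            "id": int(row["ID"]),
            "ts": datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%y %H:%M:%S"),
            "desc": row["Description"],
            "ip": row["IP Address"],
            "host": row["Host Name"],
            "mac": row["MAC Address"],
        })
    events.sort(key=lambda e: e["ts"])
    return events

def lease_holder(events, ip, at):
    """(MAC, host name) that held `ip` at datetime `at`, or None if it was unleased then."""
    holder = None
    for e in events:
        if e["ip"] != ip or e["ts"] > at:
            continue
        if e["id"] in LEASE_START:
            holder = (e["mac"], e["host"])
        elif e["id"] in LEASE_END:
            holder = None
    return holder

def suspicious_events(events):
    """Conflicts, exhausted scopes and NACKs: hints of rogue static addressing or a rogue host."""
    return [e for e in events if e["id"] in SUSPICIOUS]

if __name__ == "__main__":
    ev = parse_dhcp_log(SAMPLE_LOG)
    print(lease_holder(ev, "192.168.1.50", datetime(2014, 1, 13, 13, 0)))
    for e in suspicious_events(ev):
        print(e["ts"], e["desc"], e["ip"], e["mac"] or "-")
```

Because the server keeps only seven daily files, run this against copies collected promptly; the address in the sample changes hands twice in one afternoon, which is exactly the detail a week-old log would have lost.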
17 Parsing Windows Firewall Logs
- When logging is enabled, the Windows Firewall on XP and Server 2003 writes to %SystemRoot%\pfirewall.log; Windows Vista and later write to %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log by default.
- Separately from the log, Windows Firewall stores data in the file objects.data, located in %SystemRoot%\System32\wbem\Repository\FS\ (the WMI repository).
- The Windows Firewall log contains a header at the top that describes the software and version, the time format, and the fields (a #Fields: line in the W3C extended style), followed by one space-separated record per logged packet.
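The IIS Web and FTP logs (slides 10 through 14) and the Windows Firewall log (slide 17) share one structure: lines beginning with # are directives, one of them a #Fields: header, and every other line is a space-separated record. The following Python is an added example, not code from the textbook; it parses any such log by its own #Fields line and then runs two checks an investigator would want, a traversal and SQL-marker scan over IIS requests and a per-source summary of dropped inbound ports from the firewall log. Both log excerpts are constructed sample data; the host names and addresses are hypothetical.

```python
import collections
from urllib.parse import unquote

def parse_w3c(text):
    """Parse a W3C extended-style log (IIS Web, IIS FTP, Windows Firewall) into dicts.

    Directive lines start with '#'. The #Fields: directive names the columns; IIS
    writes a new one whenever the service restarts, so the current list is replaced
    each time one is seen. A data line whose field count disagrees is an error,
    not something to silently misalign."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("data line before any #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        records.append(dict(zip(fields, values)))
    return records

def flag_iis(records):
    """Requests whose decoded path escapes the web root or whose query carries SQL markers.

    IIS logs the URL as received, so it is decoded twice to catch double encoding
    (%255c -> %5c -> backslash). Returns (client ip, reason, stem?query)."""
    hits = []
    for r in records:
        stem = unquote(unquote(r["cs-uri-stem"]))
        query = unquote(unquote(r["cs-uri-query"])).lower()
        url = r["cs-uri-stem"] + "?" + r["cs-uri-query"]
        if ".." in stem.replace("\\", "/").split("/"):
            hits.append((r["c-ip"], "directory traversal", url))
        elif query != "-" and ("'" in query or "--" in query or "xp_cmdshell" in query):
            hits.append((r["c-ip"], "sql injection markers", url))
    return hits

def dropped_ports_by_source(records):
    """Distinct destination ports dropped per remote source: many ports from one host is a scan."""
    ports = collections.defaultdict(set)
    for r in records:
        if r["action"] == "DROP" and r["path"] == "RECEIVE":
            ports[r["src-ip"]].add(int(r["dst-port"]))
    return {ip: sorted(p) for ip, p in ports.items()}

# Constructed samples (hypothetical hosts and addresses) in the real formats.
IIS_SAMPLE = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2014-01-13 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2014-01-13 08:00:01 10.0.0.5 GET /index.htm - 80 - 192.168.1.50 Mozilla/4.0 200 0 0
2014-01-13 08:00:07 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 80 - 203.0.113.9 Mozilla/4.0 404 0 2
2014-01-13 08:00:09 10.0.0.5 GET /login.asp user=admin'+OR+1=1-- 80 - 203.0.113.9 Mozilla/4.0 500 0 0
2014-01-13 08:00:30 10.0.0.5 POST /login.asp - 80 jsmith 192.168.1.50 Mozilla/4.0 302 0 0
"""

FIREWALL_SAMPLE = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-01-13 08:00:02 DROP TCP 203.0.113.9 10.0.0.5 41022 445 48 S 1231231231 0 8192 - - - RECEIVE
2014-01-13 08:00:02 DROP TCP 203.0.113.9 10.0.0.5 41023 135 48 S 1231231240 0 8192 - - - RECEIVE
2014-01-13 08:00:03 DROP TCP 203.0.113.9 10.0.0.5 41024 3389 48 S 1231231250 0 8192 - - - RECEIVE
2014-01-13 08:00:05 OPEN UDP 10.0.0.5 10.0.0.1 50012 53 - - - - - - - - SEND
"""

if __name__ == "__main__":
    for hit in flag_iis(parse_w3c(IIS_SAMPLE)):
        print("IIS:", *hit)
    print("Firewall:", dropped_ports_by_source(parse_w3c(FIREWALL_SAMPLE)))
```

The same parse_w3c call works on an FTP log, since that log simply carries fewer names in its #Fields: line; the checks, by contrast, are written against the field names of the log they apply to, so a record set without cs-uri-stem or action is not one they should be pointed at.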
18 Using the Microsoft Log Parser
- Microsoft Log Parser is a powerful and versatile log-parsing tool that accepts SQL-like queries against event logs, IIS logs, and other inputs.
- Command to get all of the information from the System event log: LogParser.exe -i:EVT -o:DATAGRID "SELECT * FROM System"
- It accepts three arguments: the input type, specified by the -i switch; the output type, specified by the -o switch; and the query, which must be enclosed in quotation marks.
19 Using the Microsoft Log Parser
Figure 5-3 An investigator can feed SQL-like queries to Log Parser to get specific information about an event log
20 Evaluating Account Management Events
- The account management category of events records changes to accounts and group membership, including:
  - Creation, deletion, enabling, and disabling of accounts
  - Modifying which accounts belong to which groups
  - Account lockouts and unlocks
- Various event IDs are associated with these changes. On Windows 2000/XP/2003 they fall in the 624 to 644 range (for example, 624 user account created, 630 user account deleted, 644 user account locked out); Windows Vista and later renumbered them by adding 4096 (4720, 4726, 4740).
21 Evaluating Account Management Events
Table 5-4 Different group membership event IDs
22 Interpreting File and Other Object-Access Events
- The object-access audit category lets administrators configure the event logs to record access to files, registry keys, and other securable objects; auditing must also be turned on in each object's SACL before anything is recorded for it.
- On Windows 2000/XP/2003, access attempts are recorded using three event IDs: 560 (a handle to the object was requested, that is, the object was opened), 567 (an access was actually exercised through the handle; XP and later), and 562 (the handle was closed). Windows Vista and later use 4656, 4663, and 4658 for the same three events.
- When a process needs access to an object, it first opens a handle to that object; a handle is simply a shorthand way of referring to the object.
- The open is assigned a handle ID, and the process refers to the object by that handle ID; the 560 and 562 events carry the same handle ID, which is how an analyst pairs an open with its close and sees how long the object was held.
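Added example (not from the textbook): pairing the legacy object-access events by process ID and handle ID. The event records are constructed sample data already reduced to the fields an analyst lifts from the event description text; what it demonstrates is that handle IDs are unique only within a process and are recycled, so the pair (process ID, handle ID) is needed to match a 560 open with its 567 accesses and its 562 close, and that a session with no close is itself a finding.

```python
# Constructed Security-log records (Windows 2000/XP/2003 event IDs), already reduced to the
# fields an analyst lifts from the event description. Sample data, not a real capture.
SAMPLE_EVENTS = [
    {"id": 560, "time": "2014-01-13 09:15:02", "pid": 1384, "handle": "0x7d4",
     "process": "C:\\WINDOWS\\explorer.exe", "object": "C:\\Finance\\payroll.xls",
     "user": "CORP\\jsmith", "access": "ReadData"},
    {"id": 567, "time": "2014-01-13 09:15:02", "pid": 1384, "handle": "0x7d4", "access": "ReadData"},
    {"id": 562, "time": "2014-01-13 09:15:05", "pid": 1384, "handle": "0x7d4"},
    {"id": 560, "time": "2014-01-13 09:16:40", "pid": 2200, "handle": "0x3a0",
     "process": "C:\\WINDOWS\\system32\\cmd.exe", "object": "C:\\Finance\\payroll.xls",
     "user": "CORP\\jsmith", "access": "DELETE"},
    {"id": 567, "time": "2014-01-13 09:16:40", "pid": 2200, "handle": "0x3a0", "access": "DELETE"},
    {"id": 562, "time": "2014-01-13 09:16:40", "pid": 2200, "handle": "0x3a0"},
    # Same handle value 0x7d4 as the first open, but in another process: a different handle.
    {"id": 560, "time": "2014-01-13 09:20:00", "pid": 3012, "handle": "0x7d4",
     "process": "C:\\WINDOWS\\notepad.exe", "object": "C:\\Finance\\notes.txt",
     "user": "CORP\\jsmith", "access": "ReadData"},
]

def correlate_handles(events):
    """Pair each 560 (handle opened) with its 567 accesses and its 562 (handle closed).

    Handle IDs are unique only within a process and are recycled, so the key is
    (process ID, handle ID). Sessions still open when the log ends are returned
    with closed=None: the object may still be held, or the log wrapped first."""
    sessions, open_handles = [], {}
    for e in sorted(events, key=lambda e: e["time"]):       # stable: same-second order is kept
        key = (e["pid"], e["handle"])
        if e["id"] == 560:
            open_handles[key] = {"object": e["object"], "process": e["process"], "user": e["user"],
                                 "opened": e["time"], "closed": None,
                                 "requested": {e["access"]}, "exercised": set()}
        elif e["id"] == 567 and key in open_handles:
            open_handles[key]["exercised"].add(e["access"])
        elif e["id"] == 562 and key in open_handles:
            session = open_handles.pop(key)
            session["closed"] = e["time"]
            sessions.append(session)
    sessions.extend(open_handles.values())
    return sessions

def accesses_to(sessions, path):
    """Who touched `path`, in order: (opened, user, process, exercised accesses)."""
    return sorted((s["opened"], s["user"], s["process"], sorted(s["exercised"]))
                  for s in sessions if s["object"].lower() == path.lower())

if __name__ == "__main__":
    for row in accesses_to(correlate_handles(SAMPLE_EVENTS), "C:\\Finance\\payroll.xls"):
        print(*row)
```

Keying on the handle value alone would have attached notepad's open of notes.txt to explorer's earlier, already closed handle 0x7d4; keying on the pair keeps the three sessions apart, and the 567 record is what tells the analyst that the DELETE access on payroll.xls was exercised, not merely requested.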
23 Examining Audit-Policy Change Events
- Attackers frequently attempt to disable auditing, so changes to the audit policy deserve attention.
- Modifications to the audit policy are recorded as event ID 612 on Windows 2000/XP/2003; Windows Vista and later record them as event ID 4719.
- In the event's description of the audit policy, + symbols mark the event categories that are being audited and - symbols mark the categories that are not being audited.
- An audit policy applied from the domain takes precedence over changes made to the local audit policy on an individual computer, so a local change may be reverted at the next policy refresh.
24 Examining System Log Entries
- The System event log records events relating to system behavior, including:
  - Changes to the operating system
  - Changes to the hardware configuration
  - Device driver installation
  - Starting and stopping of services
- When a service is started or stopped, the Service Control Manager sends the start or stop control to the service and records event ID 7035 (the service was successfully sent the control) in the System log; event ID 7036 then records the service actually entering the running or stopped state.
- On Windows 7 and later, the installation of a new service is recorded as event ID 7045, which is worth reviewing because remote execution tools commonly work by installing a temporary service.
25 Examining Application Log Entries
- The Application event log contains messages from both the operating system and various programs.
- Many utilities send messages to the Application log, especially antivirus and other system-protection programs.
- Virtual Network Computing (VNC) allows remote connections; the VNC server records connections, with the IP address and port from which each connection originated, in the Application log.
26 Using EnCase to Examine Windows Event Log Files
- EnCase parses Windows event log files by means of an EnScript, provided in the Sweep Case series.
- EnCase does not rely on the Windows API to process the event logs, so it can process event logs that are reported as corrupt by viewers that do rely on the Windows API.
- An investigator can use EnCase to locate event log files with its Conditions feature, which is, in essence, a filtering system.
27 EnCase Windows Event Log Parser
- Appears as an available module in the right pane of the Sweep Case Options dialog.
- When the parser has completed its task, it shows bookmarks for each event, arranged in a hierarchical folder structure based on the grouping selection.
- The same results are also written to a spreadsheet.
28 Windows Event Log File Internals
- Windows event log files are databases holding the records related to the system, security, and applications.
- On Windows NT through Server 2003 they are stored in separate files named SysEvent.Evt, SecEvent.Evt, and AppEvent.Evt in the %SystemRoot%\system32\config folder; Windows Vista and later store .evtx files (System.evtx, Security.evtx, Application.evtx, and many others) in %SystemRoot%\System32\winevt\Logs.
- Each .evt file has a header, a "floating footer" of sorts (the EOF record, which moves as records are appended), and records.
- To keep the files from becoming fragmented, the OS may allocate large contiguous cluster runs to the event log files.
29 Repairing Corrupted Event Log Databases
- A .evt log file is reported as corrupt when:
  - The four critical fields that appear in both the header and the floating footer (start offset, end offset, current record number, oldest record number) are out of sync, or
  - The file status byte (the low byte of the header's flags DWORD) is a value other than 0x00 or 0x08; 0x01 marks a "dirty" log that was not cleanly closed.
- If a file is reported as corrupt, an investigator can use a hex editor to set the file status byte back to 0x00 or 0x08.
- The next step in the repair is to synchronize the four critical fields in the header with the current values found in the floating footer.
- Do this on a working copy and note the original byte values, since the edits alter the evidence file.
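Added example, not from the textbook or from EnCase: a Python reader for the classic .evt layout described on slides 6, 28 and 29 that detects the two corruption conditions above and performs the repair on a copy, without a hex editor, then walks the records. The .evt bytes are constructed inline (a 48-byte header deliberately left stale and dirty, one 92-byte Success Audit record, and the 40-byte EOF record); the field offsets follow the documented ELF_LOGFILE_HEADER, EVENTLOGRECORD and ELF_EOF_RECORD structures, and the record contents are hypothetical.

```python
import struct

HEADER_FMT, EOF_FMT, RECORD_FMT = "<12I", "<10I", "<6I4H6I"   # 48, 40 and 56 bytes
LFLE = 0x654C664C                     # the bytes b"LfLe" read as a little-endian DWORD
EOF_MAGIC = (0x11111111, 0x22222222, 0x33333333, 0x44444444)
FLAG_DIRTY, FLAG_ARCHIVE = 0x0001, 0x0008
SYNC_FIELDS = ("start_offset", "end_offset", "current_record", "oldest_record")

def parse_header(data):
    """ELF_LOGFILE_HEADER: size, 'LfLe', major, minor, the four sync fields, max size,
    flags, retention, size again."""
    f = struct.unpack_from(HEADER_FMT, data, 0)
    if f[0] != 0x30 or f[1] != LFLE or f[11] != 0x30:
        raise ValueError("not a classic .evt header")
    return dict(zip(SYNC_FIELDS, f[4:8]), max_size=f[8], flags=f[9], retention=f[10])

def find_eof(data):
    """The EOF record 'floats': it sits after the newest record, so locate it by its magic."""
    pos = data.find(struct.pack("<4I", *EOF_MAGIC))
    if pos < 4:
        raise ValueError("EOF record not found")
    return pos - 4

def parse_eof(data):
    """ELF_EOF_RECORD: 0x28, the four magic DWORDs, the four sync fields, 0x28."""
    f = struct.unpack_from(EOF_FMT, data, find_eof(data))
    if f[0] != 0x28 or f[1:5] != EOF_MAGIC or f[9] != 0x28:
        raise ValueError("malformed EOF record")
    return dict(zip(SYNC_FIELDS, f[5:9]))

def is_reported_corrupt(data):
    """The two conditions from the slide: a bad status byte, or header and footer out of sync."""
    h, e = parse_header(data), parse_eof(data)
    bad_status = (h["flags"] & 0xFF) not in (0x00, FLAG_ARCHIVE)
    return bad_status or any(h[k] != e[k] for k in SYNC_FIELDS)

def repair(data):
    """Return a repaired copy: status cleared (ARCHIVE bit kept), header resynced from the footer.
    Always run on a copy of the evidence file and keep the original bytes."""
    out = bytearray(data)
    e = parse_eof(out)
    struct.pack_into("<4I", out, 16, *(e[k] for k in SYNC_FIELDS))   # header fields 4..7 begin at byte 16
    flags = struct.unpack_from("<I", out, 36)[0]
    struct.pack_into("<I", out, 36, flags & FLAG_ARCHIVE)
    return bytes(out)

def iter_records(data):
    """Walk EVENTLOGRECORDs from start_offset to end_offset (wrapped logs are not handled here)."""
    h = parse_header(data)
    off = h["start_offset"]
    while off < h["end_offset"]:
        r = struct.unpack_from(RECORD_FMT, data, off)
        length = r[0]
        if r[1] != LFLE or length < 60:
            break
        # SourceName and ComputerName follow the 56-byte fixed part as NUL-terminated UTF-16LE.
        strings = bytes(data[off + 56:off + length - 4]).decode("utf-16-le", "ignore").split("\x00")
        yield {"record_number": r[2], "time_generated": r[3], "event_id": r[5] & 0xFFFF,
               "event_type": r[6], "source": strings[0],
               "computer": strings[1] if len(strings) > 1 else ""}
        off += length

def build_sample_evt():
    """Constructed .evt: one Success Audit 528 record; header stale and dirty, footer current."""
    strings = "Security\0HOST1\0".encode("utf-16-le")
    strings += b"\0" * (-(56 + len(strings) + 4) % 4)              # pad the record to a DWORD boundary
    length = 56 + len(strings) + 4
    record = struct.pack(RECORD_FMT, length, LFLE, 1, 1389600000, 1389600000, 528,
                         8, 0, 2, 0, 0, 0, 0, 0, 0, 0)            # type 8 = Success Audit; no SID/strings/data
    record += strings + struct.pack("<I", length)
    start, end = 48, 48 + length
    footer = struct.pack(EOF_FMT, 0x28, *EOF_MAGIC, start, end, 2, 1, 0x28)
    header = struct.pack(HEADER_FMT, 0x30, LFLE, 1, 1, start, start, 1, 1, 0x80000, FLAG_DIRTY, 0, 0x30)
    return header + record + footer

if __name__ == "__main__":
    evt = build_sample_evt()
    print("corrupt:", is_reported_corrupt(evt), "-> after repair:", is_reported_corrupt(repair(evt)))
    for rec in iter_records(repair(evt)):
        print(rec)
```

With the stale header, a walk from start_offset to end_offset sees no records at all, which is why a viewer that trusts the header reports the log as corrupt or empty; resyncing from the floating footer is what makes the record visible again.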
30 Understanding Windows Password Storage
- Windows systems store their user and password data in one of two places: the Security Account Manager (SAM) for local accounts, or Active Directory for domain accounts.
- The SAM file is located in the %SystemRoot%\System32\Config folder and exists as a registry hive file; the hashes inside it are further encrypted with a key derived from the SYSTEM hive in the same folder, so both hives are needed to extract them.
- Active Directory database information resides on each domain controller in a file called ntds.dit, located by default in %SystemRoot%\NTDS; its hashes are likewise encrypted with a key that depends on the SYSTEM hive.
31 Hashing Passwords
- The password is run through a specific algorithm that converts it into a fixed-size numeric value; this value, called the hash value or hash, is stored in lieu of the actual password.
- A hashing algorithm (hash function) belongs to the group of algorithms called one-way functions: the hash can be computed from the password, but the password cannot be computed back from the hash.
- A particular password used as input to the function always generates the same hash value. Windows adds no per-user salt, so two accounts with the same password share the same hash, and hashes of common passwords can be precomputed.
- The likelihood of two different passwords generating the same hash value is low.
32 Hashing Passwords
Authentication steps:
- The user first selects a password.
- The system calculates the password hash value.
- The system records the resulting hash value along with the account name in the SAM or ntds.dit file.
When a user attempts to authenticate:
- The system takes the password the user provides, runs it through the hash function, and compares the result to the hash value stored in the password file.
- If the two are the same, the authentication proceeds; if they differ, the authentication fails.
33 Hashing Passwords
Windows hash functions: modern Windows operating systems mainly use two different hash functions.
- NT LanMan (NTLM) hash, also called the NT hash: the MD4 digest of the password encoded as UTF-16LE; case-sensitive, 16 bytes.
- LanMan (LM) hash: the password is uppercased, truncated or null-padded to 14 characters, split into two 7-character halves, and each half is used as a DES key to encrypt the fixed string "KGS!@#$%"; the two 8-byte results are concatenated. Because case is lost and each half can be attacked independently, the LM hash is far weaker. Windows Vista and later do not store LM hashes by default.
34 Cracking Windows Passwords
- Password cracking: the process of taking a password hash and attempting to determine the password that generated it.
- The process consists of multiple iterations:
  - Guess a possible password.
  - Generate a hash of the guess using the same hashing algorithm used by the target system.
  - Compare the hash of the guess to the hash of the target account's password.
  - If the two match, the guess is the original password.
35 Exploring Windows Authentication Mechanisms
Windows systems use one of three main authentication mechanisms to access remote computers:
- LanMan authentication
- NTLM authentication (NTLMv1 and NTLMv2)
- Kerberos
36 LanMan Authentication
- Relies on the LM hash to determine whether a remote user has provided a valid username/password combination: the server sends a random challenge and the client returns a response computed from the challenge and the hash.
- The LanMan hash itself is never sent across the network during an authentication session.
- Attack methods:
  - Replay attack: the attacker copies the authentication message as it crosses the wire and resends it later to impersonate the user. Because the server chooses a fresh challenge for each session, a captured response is only useful against the same challenge, which is why an attacker who can act as the server, or relay the exchange in real time, is in a much stronger position.
37 LanMan Authentication
- Attack methods (cont'd):
  - Known plaintext attack: the attacker knows both the encrypted form of a communication and the original message that was encrypted. In LanMan challenge-response the challenge travels in the clear and the response is that challenge encrypted under keys derived from the hash, so every sniffed exchange hands the attacker a plaintext/ciphertext pair to test password guesses against.
- LanMan authentication breaks down when the complexity (or lack thereof) of its key is examined: each half of the LM hash derives from at most seven case-insensitive characters, so the halves can be brute-forced independently.
38 NTLM and Kerberos Authentication
- NTLM is more secure than its predecessor:
  - The hash is calculated across the entire case-sensitive password, resulting in a 16-byte hash.
  - The hash is created using the MD4 algorithm.
  - These changes make the NT hash less susceptible to brute-force cracking than the LM hash, although it remains unsalted and fast to compute.
- Main problem: when a client uses NTLM (version 1) authentication and the LM Compatibility Level permits it, the client also sends the LanMan response, computed from the LM hash, alongside the NTLM response, so an attacker sniffing the exchange can attack the weaker LM response first.
39 NTLM and Kerberos Authentication
- Kerberos is the more secure option available to Windows computers in a domain.
- Relies on a system of security, or access, tickets issued by computers designated as ticket-granting authorities (the Key Distribution Center, which runs on each domain controller).
- Microsoft's implementation still uses the NT hash as the user's long-term key when the RC4-HMAC encryption type is negotiated, so cracking a captured RC4 exchange is equivalent to cracking the NT hash; the AES encryption types available from Windows Vista and Server 2008 onward derive the key from the password with a salted PBKDF2 instead.
- Verification of the user's identity takes place between the domain controller and the client; the resource server only validates the ticket it is presented.
40 Sniffing and Cracking Windows Authentication Exchanges
- Authentication takes place when a process on one system attempts to access a resource on another system.
- When a process needs to access a remote system, it attempts to authenticate to that system by providing credentials for the account whose security context it is using.
- When the user selects a share on another system, the computer automatically attempts to authenticate to the remote system using the current user's account name and password information (in practice, a challenge-response computed from the cached hash, with no prompt to the user).
41 Sniffing and Cracking Windows Authentication Exchanges
- Sniffing: if an attacker controls the remote system, or can monitor communication between the victim system and the remote system, the attacker can capture the authentication attempt (challenge and response) and use it to crack the user's password offline.
- Cain and Abel:
  - Cain has many different capabilities; among them is a network sniffer designed to look for credentials exchanged during various types of authentication exchanges, and a cracker that tests password guesses against the captured challenge/response pairs.
  - Abel acts as a remote sensor for Cain.
42 Cracking Offline Passwords
- Certain tools can extract password data from the SAM files of computers (together with the SYSTEM hive, which holds the key needed to decrypt the hashes).
- Encrypting File System (EFS) allows data to be stored on disk in an encrypted format automatically, without manual action by the user; the per-file keys are protected by the user's EFS certificate, whose private key is in turn protected by a key derived from the user's logon password.
- One way to recover files encrypted with EFS:
  - Crack the passwords of the users' accounts. Cracking, not resetting: for a local account, a password reset performed by an administrator does not re-key the user's protected private key, so the files would stay locked.
  - Make a duplicate working copy of the hard drive.
  - Boot the computer using the working copy of the drive.
  - Log in as the appropriate user, and view the file.
43 Tool: Helix
- Helix is a customized distribution of the Knoppix Live Linux CD.
- Designed not to touch the host computer in any way (forensically sound): it will not automatically mount swap space or any attached devices.
- Focuses on incident response and forensics tools.
44 Tools Present on Helix CD for Windows Forensics
Tools on the Helix3 Pro live bootable CD include:
- A multi-platform LIVE side for three environments (Mac OS X, Windows, and Linux) with one simple-to-use interface
- A bootable, forensically sound environment to boot any x86 system
- Several open source forensic applications to assist with data analysis, including cell phone analysis
45 Tools Present on Helix CD for Windows Forensics
Helix Tool: SecReport
- Comprises two command-line utilities: SecReport collects security information from a Windows-based system, and Delta compares the results of two SecReport runs.
Helix Tool: Windows Forensic Toolchest (WFT)
- Collects security information from a Windows system and provides an automated incident response.
- Capable of running other security tools.
- Produces reports in HTML format.
46 Tool: Sigverif
- A built-in Windows tool (File Signature Verification) that searches for unsigned drivers on a system.
- To look for unsigned drivers on Windows XP through Windows 10: click Start, click Run (or press Windows+R), type sigverif, and click OK.
- After Sigverif has finished running its check, a list of all unsigned drivers installed on the computer is displayed.
- The investigator can find the list of all signed and unsigned drivers found by Sigverif in Sigverif.txt, which is written to the Windows directory by default.
47 Tool: Word Extractor
- A utility that extracts human-readable words from binary computer files, in the manner of the Unix strings command.
- Some features of Word Extractor:
  - Replaces non-human words with spaces or dots for better visibility
  - Supports drag and drop and text wrapping
  - Saves results as text or RTF files
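Added example (not Word Extractor's own code): a minimal equivalent in Python that pulls printable runs out of a binary with their offsets. It also finds UTF-16LE ("wide") strings, which Windows binaries use heavily for paths, registry keys and messages and which an ASCII-only scan misses entirely, and it applies a simple "looks like a word" filter in the spirit of the tool's replacement of non-human runs. The input is a constructed fragment imitating the start of a PE file, not a real executable.

```python
import re

def extract_strings(data, min_len=4):
    """Every printable run of at least min_len characters, as (offset, encoding, text).

    Two passes: 8-bit runs, and UTF-16LE runs (a printable byte followed by 0x00,
    repeated). A wide string never satisfies the 8-bit pattern because its NULs
    break the run, and vice versa, so the two passes do not double-report."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)

def human_strings(data, min_len=4):
    """Keep runs that read like words, paths or keys: at least two letters, and at least
    three quarters of the characters alphanumeric or common path/registry punctuation."""
    keep = []
    for off, enc, text in extract_strings(data, min_len):
        letters = sum(ch.isalpha() for ch in text)
        wordy = sum(ch.isalnum() or ch in " .\\/:_-" for ch in text)
        if letters >= 2 and wordy / len(text) >= 0.75:
            keep.append((off, enc, text))
    return keep

# Constructed fragment imitating a PE file: DOS stub text (8-bit), then two wide strings
# typical of Windows malware configuration, separated by junk bytes. Not a real binary.
SAMPLE = (b"MZ\x90\x00\x03\x00\x00\x00" + b"\xff" * 8
          + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 6
          + "C:\\Windows\\System32\\cmd.exe".encode("utf-16-le") + b"\x00\x00"
          + b"\x12\x8f\x4a\x01\x9c\x00\x2a\x77"
          + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
          + b"\x00\x7f\x80\x81A1!#" + b"\x00" * 4)

if __name__ == "__main__":
    for off, enc, text in human_strings(SAMPLE):
        print("0x%04x %-8s %s" % (off, enc, text))
```

On a real file, run the raw extract_strings first and the filtered human_strings second: the filter is a convenience for reading, and a short run it discards (a key, a four-character mutex name) may be exactly the indicator being looked for.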
48 Tool: RegScanner and PMDump
RegScanner
- Scans the registry to find values that match a given set of criteria.
- Can find values by keyword, data length, value type, and modified date.
PMDump
- Dumps the memory contents of a process to a file without stopping the process.
- PMDump stands for Post-Mortem Dump.
- The investigator can save the dump to a secondary storage medium.
49 Tool: System Scanner
- Extracts information about processes, including the IDs of all the threads and the handles to DLLs.
- Provides the ability to suspend specific threads of a specific process and to view a process's virtual memory.
- Shows all the processes currently running on the system, the number of threads per process, and the executable path of each process.
- The list is updated every five seconds by default, but this is configurable.
50 Tool: X-Ways Forensics
Provides a forensic work environment. Some features of X-Ways Forensics:
- Disk cloning and imaging, including under DOS
- Examining the complete directory structure inside raw image files, even when spanned over several segments
- Native support for FAT, NTFS, ext2, ext3, CDFS, and UDF
- Built-in interpretation of RAID 0 and RAID 5 systems and dynamic disks
- Viewing and dumping physical RAM and the virtual memory of running processes
51 Tool: X-Ways Forensics
Some features of X-Ways Forensics (cont'd):
- Various data recovery techniques and file carving
- Hard disk cleansing to produce forensically sterile media
- Gathering slack space, free space, interpartition space, and generic text from drives and images
- File and directory catalog creation for all computer media
- Easy detection of and access to NTFS alternate data streams (ADS)
- Mass hash calculation for files
52 Tool: Traces Viewer and PE Builder
Traces Viewer
- Allows an investigator to view all media files cached by Internet Explorer.
- Can also remove all Web traces made by Internet Explorer.
PE Builder
- Creates a bootable Windows CD-ROM containing a BartPE (Bart Preinstalled Environment) that offers a complete Win32 environment with network support, a GUI, and FAT, NTFS, and CDFS support.
53 Tool: Ultimate Boot CD-ROM
- Allows an investigator to run floppy-based diagnostic tools from a CD-ROM drive, without the need for an operating system.
- The tool has over 100 diagnostic and system management utilities.
- Types of tools include:
  - CPU tester
  - Memory tester
  - Peripheral tools
  - CPU information tools
54 Tool: Ultimate Boot CD-ROM
- Types of tools include (cont'd):
  - System information tools
  - Benchmarking tools
  - BIOS tools
  - Hard disk installation tools
  - Hard disk diagnostic tools
  - Hard disk device management tools
  - Hard disk wiping tools
  - Hard disk cloning tools
  - And more
55 Tool: Ultimate Boot CD-ROM
Figure 5-4 The Ultimate Boot CD-ROM includes many utilities that a forensic investigator may want to use
56 Summary
- During a live response, an investigator should first collect the volatile information or any other information that can change or be lost.
- Several registry values and settings can impact forensic analysis.
- Analyzing the contents of RAM can help an investigator discover what has been hidden.
- Some tools allow an investigator to dump the contents of process memory without stopping the process.
57 Summary
- Registry analysis provides more information to the investigator during a live response.
- The logs generated by a Web server can be used to investigate attacks against it.
AccessData AD Enterprise 6.5.1 Release Notes Document Date: 07/30/2018 2018 AccessData Group, Inc. All rights reserved Introduction This document lists the new features, fixed issues, and known issues
More informationKillTest 䊾 䞣 催 ࢭ ད ᅌ㖦䊛 ᅌ㖦䊛 NZZV ]]] QORRZKYZ TKZ ϔᑈܡ䊏 ᮄ ࢭ
KillTest Exam : 312-49v8 Title : ECCouncil Computer Hacking Forensic Investigator (V8) Version : Demo 1 / 6 1.What is the First Step required in preparing a computer for forensics investigation? A. Do
More informationDownloaded from various sources on the NET
Overview Computers. Hardware components of a Computer. Purpose and functions of computer operating systems. Evolution of computer operating systems. Operating systems available today. Downloaded from various
More informationGlossary. The target of keyboard input in a
Glossary absolute search A search that begins at the root directory of the file system hierarchy and always descends the hierarchy. See also relative search. access modes A set of file permissions that
More informationDigital forensics. Andrej Brodnik. Andrej Brodnik: Digital Forensics
Digital forensics Andrej Brodnik Computer pre-knowledge: architecture of computers basics (BIOS) operating system secondary memory (disc) and its organization file systems chapter 15 Startup startup steps
More information6 Months Training Module in MS SQL SERVER 2012
6 Months Training Module in MS SQL SERVER 2012 Module 1 Installing and Configuring Windows Server 2012 Installing and Managing Windows Server 2012 Windows Server 2012 Overview Installing Windows Server
More informationLesson 2: Editing the Registry
Lesson 2: Editing the Registry Lesson 2 Editing the Registry 4-15 Windows XP Professional stores hardware and software settings centrally in a hierarchical database called the Registry, which replaces
More informationRecent Operating System Class notes 08 Administrative Tools (Part one) April 14, 2004
Recent Operating System Class notes 08 Administrative Tools (Part one) April 14, 2004 The administrative tools are a collection of system control and configuration utilities. The administrative tools include
More informationFile Management. Ezio Bartocci.
File Management Ezio Bartocci ezio.bartocci@tuwien.ac.at Cyber-Physical Systems Group Institute for Computer Engineering Faculty of Informatics, TU Wien Motivation A process can only contain a limited
More informationModifying image file contents with Ghost Explorer. This section includes the following topics:
Modifying image file contents with Ghost Explorer This section includes the following topics: Using Ghost Explorer Viewing image files and their properties Launching a file Extracting a file or directory
More informationCS370 Operating Systems
CS370 Operating Systems Colorado State University Yashwant K Malaiya Spring 2018 Lecture 22 File Systems Slides based on Text by Silberschatz, Galvin, Gagne Various sources 1 1 Disk Structure Disk can
More informationTechnology in Action. Alan Evans Kendall Martin Mary Anne Poatsy. Ninth Edition. Copyright 2013 Pearson Education, Inc. Publishing as Prentice Hall
Technology in Action Alan Evans Kendall Martin Mary Anne Poatsy Ninth Edition Copyright 2013 Pearson Education, Inc. Publishing as Prentice Hall Technology in Action Chapter 5 Using System Software: The
More informationThe following virtual machines are required for completion of this lab: Exercise I: Mapping a Network Topology Using
Module 08: Sniffers Objective The objective of this lab is to make students learn to sniff a network and analyze packets for any attacks on the network. The primary objectives of this lab are to: Sniff
More information2272 : Implementing and Supporting Microsoft Windows XP Professional
2272 : Implementing and Supporting Microsoft Windows XP Professional Introduction The purpose of this course is to address the implementation and desktop support needs of customers that are planning to
More informationCompTIA A+ Accelerated course for & exams
CompTIA A+ Accelerated course for 220-901 & 220-902 exams Course overview Target Audience This course is for Participants wishing to take and pass both CompTIA A+ exams (220-901 and 220-902) exam. It is
More informationCOURSE OUTLINE AND SCHEDULE: ASSIGNMENTS ARE DUE EACH MONDAY WEDNESDAY JANUARY Computing Overview
COURSE OUTLINE AND SCHEDULE: ASSIGNMENTS ARE DUE EACH MONDAY WEDNESDAY JANUARY 22 1.0 Computing Overview 1.1 Course Introduction 1.1.1 PC Pro and A+ Certification (9:03) 1.2 Using the Simulator 1.2.1 Using
More informationAccessData Imager Release Notes
AccessData Imager 3.4.0.5 Document Date: 10/27/2015 2015 AccessData Group, Inc. All rights reserved. This document lists the changes in the verion of AccessData Imager. All known issues published with
More informationTypical File Extensions File Structure
CS 355 Operating Systems File Systems File Systems A file is a collection of data records grouped together for purpose of access control and modification A file system is software responsible for creating,
More informationMcAfee Data Loss Prevention Prevent 11.1.x Release Notes
Revision B McAfee Data Loss Prevention Prevent 11.1.x Release Notes Contents What's new in update 11.1.100 Resolved issues in update 11.1.100 Additional installation information Rating for update 11.1.100
More informationAn Overview to Windows Server Security
An Overview to Windows Server Security Anil Sagar CERT-In Department of Information Technology Ministry of Communications & Information Technology Electronics Niketan, 6 C.G.O. Complex New Delhi- 110 003
More informationDigital Forensics. Module 7 CS 996
Digital Forensics Module 7 CS 996 Module #6 Covered Using Autopsy Using Helix 3/30/2005 Module 7 2 Outline of Module #7 Review mid-term Helix presentation Forensic business news Gates v. Bando case Linux
More informationAccessData Imager Release Notes
AccessData Imager 3.3.0 Document Date: 12/08/2014 2014 AccessData Group, Inc. All rights reserved. This document lists the changes in AccessData Imager 3.3.0. All known issues published with previous release
More informationCITRIX 1Y0-200 EXAM QUESTIONS & ANSWERS
CITRIX 1Y0-200 EXAM QUESTIONS & ANSWERS Number: 1Y0-200 Passing Score: 800 Time Limit: 120 min File Version: 38.7 http://www.gratisexam.com/ CITRIX 1Y0-200 EXAM QUESTIONS & ANSWERS Exam Name: Managing
More informationExam : JK Title : CompTIA E2C Security+ (2008 Edition) Exam. Version : Demo
Exam : JK0-015 Title : CompTIA E2C Security+ (2008 Edition) Exam Version : Demo 1.Which of the following logical access control methods would a security administrator need to modify in order to control
More informationExam Questions EC1-349
Exam Questions EC1-349 ECCouncil Computer Hacking Forensic Investigator https://www.2passeasy.com/dumps/ec1-349/ 1.What is the First Step required in preparing a computer for forensics investigation? A.
More informationCompTIA A+ Certification ( ) Study Guide Table of Contents
CompTIA A+ Certification (220-902) Study Guide Table of Contents Course Introduction About This Course About CompTIA Certifications Module 1 / Supporting Windows 1 Module 1 / Unit 1 Windows Operating System
More informationDownload from Powered By JbigDeaL
1. If a word is typed that is not in Word s dictionary, a wavy underline appears below the word. (A) red (B) green (C) blue (D) black 2. The button on the quick access Toolbar allows you to cancel your
More informationHands-On Ethical Hacking and Network Defense Chapter 6 Enumeration
Hands-On Ethical Hacking and Network Defense Chapter 6 Enumeration Updated 3-3-18 Objectives Describe the enumeration step of security testing Enumerate Microsoft OS targets Enumerate *NIX OS targets Introduction
More informationCyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems
Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems Section 1: Command Line Tools Skill 1: Employ commands using command line interface 1.1 Use command line commands to gain situational
More informationOPERATING SYSTEM. Chapter 12: File System Implementation
OPERATING SYSTEM Chapter 12: File System Implementation Chapter 12: File System Implementation File-System Structure File-System Implementation Directory Implementation Allocation Methods Free-Space Management
More informationIntroduction to Computer Forensics
Introduction to Computer Forensics Subrahmani Babu Scientist- C, Computer Forensic Laboratory Indian Computer Emergency Response Team (CERT-In) Department of Information Technology, Govt of India. babu_sivakami@cert-in.org.in
More informationChapter 11: Implementing File Systems
Silberschatz 1 Chapter 11: Implementing File Systems Thursday, November 08, 2007 9:55 PM File system = a system stores files on secondary storage. A disk may have more than one file system. Disk are divided
More informationVMware Mirage Getting Started Guide
Mirage 5.8 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,
More informationTZWorks Windows Event Log Viewer (evtx_view) Users Guide
TZWorks Windows Event Log Viewer (evtx_view) Users Guide Abstract evtx_view is a standalone, GUI tool used to extract and parse Event Logs and display their internals. The tool allows one to export all
More informationCS720 - Operating Systems
CS720 - Operating Systems File Systems File Concept Access Methods Directory Structure File System Mounting File Sharing - Protection 1 File Concept Contiguous logical address space Types: Data numeric
More informationBackup challenge for Home Users
PARAGON Technologie GmbH, Systemprogrammierung Heinrich-von-Stephan-Str. 5c 79100 Freiburg, Germany Tel. +49 (0) 761 59018201 Fax +49 (0) 761 59018130 Internet www.paragon-software.com Email sales@paragon-software.com
More informationDigital Forensics. Module 6 CS 996
Digital Forensics Module 6 CS 996 Module #5 Covered B of A case; corporate responsibility for security New security standards: NIST 800-53 and ITIL Another new security standard: ISF Standard of Good Practice
More informationChapter 11: Implementing File Systems
Chapter 11: Implementing File Systems Operating System Concepts 99h Edition DM510-14 Chapter 11: Implementing File Systems File-System Structure File-System Implementation Directory Implementation Allocation
More informationNIST SP Notes Guide to Integrating Forensic Techniques into Incident Response
NIST SP800-86 Notes Guide to Integrating Forensic Techniques into Incident Response Authors: Karen Kent, Suzanne Chevalier, Tim Grance, Hung Dang, August 2006 Computer Forensics The application of science
More informationFile System Concepts File Allocation Table (FAT) New Technology File System (NTFS) Extended File System (EXT) Master File Table (MFT)
File System Concepts File Allocation Table (FAT) New Technology File System (NTFS) Extended File System (EXT) Master File Table (MFT) 1 FILE SYSTEM CONCEPTS: FILE ALLOCATION TABLE (FAT) Alex Applegate
More informationGFI EventsManager 8 ReportPack. Manual. By GFI Software Ltd.
GFI EventsManager 8 ReportPack Manual By GFI Software Ltd. http://www.gfi.com E-Mail: info@gfi.com Information in this document is subject to change without notice. Companies, names, and data used in examples
More informationFile Systems and Volumes
File Systems and Volumes Section II. Basic Forensic Techniques and Tools CSF: Forensics Cyber-Security MSIDC, Spring 2015 Nuno Santos Summary! Data organization in storage systems! File deletion and recovery!
More informationUSER GUIDE. CTERA Agent for Windows. June 2016 Version 5.5
USER GUIDE CTERA Agent for Windows June 2016 Version 5.5 Copyright 2009-2016 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written
More informationTZWorks NTFS Copy Utility (ntfscopy) Users Guide
TZWorks NTFS Copy Utility (ntfscopy) Users Guide Abstract ntfscopy is a standalone, command-line tool that can copy any file on a NTFS volume. It can operate on a live NTFS volume, an image of an NTFS
More informationHands-On Ethical Hacking and Network Defense Chapter 6 Enumeration
Hands-On Ethical Hacking and Network Defense Chapter 6 Enumeration Modified 1-11-17 Objectives Describe the enumeration step of security testing Enumerate Microsoft OS targets Enumerate *NIX OS targets
More informationCNIT 124: Advanced Ethical Hacking. Ch 9: Password Attacks
CNIT 124: Advanced Ethical Hacking Ch 9: Password Attacks Topics Password Management Online Password Attacks Offline Password Attacks Dumping Passwords from RAM Password Management Password Alternatives
More informationChapter 1: Windows Platform and Architecture. You will learn:
Chapter 1: Windows Platform and Architecture Windows 2000 product family. New features/facilities of. Windows architecture. Changes to the kernel and kernel architecture. New features/facilities. Kernel
More informationComputers: Tools for an Information Age. System Software
Computers: Tools for an Information Age System Software Objectives System Software Operating system (OS) Popular Operating Systems System Utilities 2 System Software 3 System Software System software includes
More informationIT ESSENTIALS V. 4.1 Module 5 Fundamental Operating Systems
IT ESSENTIALS V. 4.1 Module 5 Fundamental Operating Systems 5.0 Introduction 1. What controls almost all functions on a computer? The operating system 5.1 Explain the purpose of an operating system 2.
More informationTHOMAS RUSSELL, Information Technology Teacher
THOMAS RUSSELL, Information Technology Teacher Historical/Conceptual After installing the hard drive it needs to be partitioned. Partitioning is the process of electronically subdividing the physical hard
More information