Module 5-1 - Computer-Forensics

The document discusses topics related to computer forensics including recovering deleted data, hibernation files, the Windows registry structure and important registry keys. It describes how deleted files can be recovered from unallocated space, how hibernation works, the structure and components of the registry including keys, subkeys, values and hives, and important registry artifacts for investigations such as Control Set, Time Zone, UserAssist and USBSTOR.

Uploaded by dungnthe172688

Module 5: Computer forensics (Part 1)
Topics

• Deleted data
• Hibernation Files
• Registry
Deleted Data
Recovering Deleted Data

• File Carving
• Allocated space contains active data
• Deleted files are in unallocated space
• Useful tools
– ProDiscover
– FTK or EnCase
– Foremost
– Recuva
– Photorec
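To make the first bullet concrete, here is a minimal header/footer carver in Python, added as an example for this page (it is not code from the slides or from ProDiscover, FTK, EnCase, Foremost, Recuva or PhotoRec). It scans raw bytes for JPEG and PNG signatures without consulting any file system structure, which is why it still finds files whose directory entries are gone; the "unallocated space" buffer it runs on is constructed inline and is a byte-level stand-in, not a pair of valid images.

```python
"""Header/footer file carving over raw bytes, the technique the slide lists
first for recovering deleted data.

Example code added by the editor, not from the slides or from any of the
listed tools. The "unallocated space" buffer and the two embedded files are
constructed for the demonstration (CRCs are not computed; a carver does not
check them either).
"""
import sys
from typing import List, Tuple

# Header and footer signatures the carver keys on.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}
# Upper bound on one carved object so a missing footer cannot swallow the image.
MAX_CARVE = 10 * 1024 * 1024


def carve(data: bytes) -> List[Tuple[str, int, bytes, bool]]:
    """Return (kind, offset, carved_bytes, footer_found) for every header in data.

    The scan ignores the file system entirely: directory entries of deleted
    files are gone, but their bytes remain in unallocated space until they
    are overwritten, and a header signature is enough to locate them.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = 0
        while True:
            off = data.find(header, start)
            if off == -1:
                break
            end = data.find(footer, off + len(header), off + MAX_CARVE)
            if end == -1:
                # Truncated or partly overwritten tail: keep a bounded chunk for review.
                found.append((kind, off, data[off:off + MAX_CARVE], False))
            else:
                found.append((kind, off, data[off:end + len(footer)], True))
            start = off + len(header)
    return sorted(found, key=lambda item: item[1])


def build_sample_unallocated() -> bytes:
    """Constructed sample: zeroed sectors, a PNG stand-in, junk, a JPEG stand-in."""
    png_hdr, png_ftr = SIGNATURES["png"]
    jpg_hdr, jpg_ftr = SIGNATURES["jpg"]
    png = png_hdr + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + b"\x00\x00\x00\x00" + png_ftr
    jpg = jpg_hdr + b"\xe0\x00\x10JFIF" + b"\x00" * 40 + jpg_ftr
    return b"\x00" * 512 + png + b"overwritten-junk" + jpg + b"\x00" * 512


if __name__ == "__main__":
    # Usage: python carve.py [raw-image-file]; with no argument the sample buffer is used.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_unallocated()
    for kind, off, blob, complete in carve(raw):
        print(f"{kind} at offset {off}: {len(blob)} bytes, footer {'found' if complete else 'missing'}")
```

The footer_found flag is the part worth keeping in a real workflow: a carved object without a footer is either truncated or partly overwritten and has to be validated before anything is concluded from it. Production carvers additionally validate internal structure (PNG chunk lengths, JPEG segment markers) and attempt to reassemble fragmented files; this example deliberately stops at signature matching.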
Hibernation File
Shutdown Options
• Sleep – data kept in RAM
– Power still on
– Documents lost if power fails
• Hibernate – RAM copied to Hiberfil.sys
– Power off
– Documents never lost
• Hybrid Sleep
– Default for Windows 7 desktops
– Puts open documents and programs on disk
– Keeps them in RAM as well for fast wakeup
– Documents not lost if power fails
Enabling Hibernation
Registry

Not in book, but may be on quizzes and Final Exam
Understanding the Structure of the Registry

• The registry consists of five root keys
– HKey_Classes_Root
– HKey_Current_User
– HKey_Local_Machine
– HKey_Users
– HKey_Current_Config
• Or HKCR, HKCU, HKLM, HKU, and HKCC
Subkeys

• Root keys (sometimes called predefined keys) contain subkeys
– Subkeys look like folders in Regedit
• HKCU has these top-level subkeys: AppEvents, Console, Control Panel, …
– A root key and its subkeys form a path
– For example, HKCU\Console
Values

• Every subkey contains at least one value
– But it may show (value not set)
• The default value (often undefined)
• Values have a name, a data type, and data
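As an added example (not from the slides), the following Python decodes a value's data according to its data type, the third component named above. It shows why the type matters when reading a value out of a hive: the same bytes are a string, a number or a blob depending on it. The REG_* type ids are Windows' own constants; the sample values are constructed.

```python
"""Decode a registry value's data from its (name, type, data) triple.

Editor-added example, not from the slides. Type ids are the Windows REG_*
constants; the sample values below are constructed, not taken from a real hive.
"""
import struct
from typing import Any, List, Tuple

REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 0, 1, 2, 3, 4
REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ, REG_QWORD = 5, 6, 7, 11
TYPE_NAMES = {
    REG_NONE: "REG_NONE", REG_SZ: "REG_SZ", REG_EXPAND_SZ: "REG_EXPAND_SZ",
    REG_BINARY: "REG_BINARY", REG_DWORD: "REG_DWORD",
    REG_DWORD_BIG_ENDIAN: "REG_DWORD_BIG_ENDIAN", REG_LINK: "REG_LINK",
    REG_MULTI_SZ: "REG_MULTI_SZ", REG_QWORD: "REG_QWORD",
}


def decode_value(vtype: int, raw: bytes) -> Any:
    """Interpret raw value data according to its type id.

    Strings live in the hive as UTF-16LE with a NUL terminator; the terminator
    is stripped only when present, because tools and malware sometimes write
    strings without it. Unknown types are returned as bytes rather than guessed.
    """
    if vtype in (REG_SZ, REG_EXPAND_SZ, REG_LINK):
        return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    if vtype == REG_MULTI_SZ:
        parts = raw.decode("utf-16-le", errors="replace").split("\x00")
        while parts and parts[-1] == "":      # drop the list terminator (double NUL)
            parts.pop()
        return parts
    if vtype in (REG_DWORD, REG_DWORD_BIG_ENDIAN):
        if len(raw) != 4:
            raise ValueError(f"REG_DWORD needs 4 bytes, got {len(raw)}")
        return struct.unpack("<I" if vtype == REG_DWORD else ">I", raw)[0]
    if vtype == REG_QWORD:
        if len(raw) != 8:
            raise ValueError(f"REG_QWORD needs 8 bytes, got {len(raw)}")
        return struct.unpack("<Q", raw)[0]
    return raw  # REG_NONE, REG_BINARY and anything unrecognised


def describe(name: str, vtype: int, raw: bytes) -> Tuple[str, str, Any]:
    """(name, type name, decoded data), with '(Default)' for the unnamed value."""
    return (name or "(Default)", TYPE_NAMES.get(vtype, f"type {vtype}"), decode_value(vtype, raw))


# Constructed sample values, as a hive parser would hand them over.
SAMPLE_VALUES: List[Tuple[str, int, bytes]] = [
    ("", REG_SZ, b""),                                                   # default value, not set
    ("ProductName", REG_SZ, "Windows 7".encode("utf-16-le") + b"\x00\x00"),
    ("Start", REG_DWORD, b"\x02\x00\x00\x00"),
    ("Path", REG_MULTI_SZ, "C:\\Tools\x00D:\\Bin\x00\x00".encode("utf-16-le")),
    ("InstallTime", REG_QWORD, struct.pack("<Q", 133_000_000_000_000_000)),
    ("Blob", REG_BINARY, b"\xde\xad\xbe\xef"),
]

if __name__ == "__main__":
    for entry in SAMPLE_VALUES:
        print(describe(*entry))
```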
Hives

• A key with all its subkeys and values is called a hive
• The registry is stored on disk as several separate hive files
• Hive files are read into memory when the operating system starts (or when a new user logs on)
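The hive files mentioned above all begin with a "regf" base block. The Python below, added here as an example and not taken from the slides, parses that block from a constructed sample: it reads the embedded file name, version and last-written timestamp, recomputes the header checksum, and compares the two sequence numbers, which differ when the hive was not cleanly flushed (a common finding for a hive copied from a running system, which matters when the copy was taken with an imaging tool).

```python
"""Parse the base block (first 4 KiB) of an on-disk registry hive file.

Editor-added example, not from the slides. The field offsets are those of the
"regf" base block that every hive file on disk begins with; the sample block
is constructed here, not read from a real system.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Any, Dict

BASE_BLOCK_SIZE = 4096
# seq1, seq2, FILETIME, major, minor, file type, format, root cell, hbins size, clustering
HEADER_FMT = "<IIQIIIIIII"


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def regf_checksum(block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs in bytes 0..507, with the two reserved results remapped."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        x ^= dword
    if x == 0:
        return 1
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x


def parse_base_block(block: bytes) -> Dict[str, Any]:
    """Return the forensically useful header fields plus two integrity checks.

    seq1 != seq2 means the hive was not cleanly flushed (a transaction log may
    hold newer data); a checksum mismatch means the header itself is damaged.
    Both are worth recording for any hive copied from a running machine.
    """
    if len(block) < 512 or block[:4] != b"regf":
        raise ValueError("not a regf base block")
    (seq1, seq2, ft, major, minor, ftype, fformat,
     root_off, hbins_size, clustering) = struct.unpack_from(HEADER_FMT, block, 4)
    name = block[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", block, 508)[0]
    return {
        "file_name": name,
        "version": f"{major}.{minor}",
        "primary_file": ftype == 0,
        "root_cell_offset": root_off,      # relative to the first hive bin at 0x1000
        "hbins_size": hbins_size,
        "last_written": filetime_to_datetime(ft),
        "dirty": seq1 != seq2,
        "checksum_ok": stored == regf_checksum(block),
    }


def build_sample_base_block(seq1: int = 7, seq2: int = 7,
                            last_written_ft: int = 131_000_000_000_000_000,
                            name: str = "\\??\\C:\\Windows\\config\\SYSTEM") -> bytes:
    """Constructed sample block (the default FILETIME falls in February 2016)."""
    blk = bytearray(BASE_BLOCK_SIZE)
    blk[0:4] = b"regf"
    struct.pack_into(HEADER_FMT, blk, 4, seq1, seq2, last_written_ft, 1, 5, 0, 1, 0x20, 0x1000, 1)
    encoded = name.encode("utf-16-le")[:64]   # the name field is 64 bytes wide
    blk[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", blk, 508, regf_checksum(bytes(blk)))
    return bytes(blk)


if __name__ == "__main__":
    for label, blk in (("clean", build_sample_base_block()),
                       ("dirty", build_sample_base_block(seq1=8, seq2=7))):
        print(label, parse_base_block(blk))
```

To run it on a real hive, read the first 4096 bytes of the file and pass them to parse_base_block; a dirty result is the cue to also collect the hive's .LOG1/.LOG2 transaction logs, since the most recent changes may live only there.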
HiveList

• HKLM\System\CurrentControlSet\Control\HiveList
Hardware Hive

• \Registry\Machine\Hardware has no associated disk file
• Windows 7 creates it fresh each time you turn your system on
HKCR and HKCU

• These keys are links to items contained in other root keys
– HKey_Classes_Root (HKCR)
• Merged from keys within HKLM\Software\Classes and HKU\sid_Classes
– sid is the security identifier of the currently logged on user
– HKey_Current_User (HKCU)
• HKU\sid
Purpose of Registry

• Database for configuration files
• Registry artifacts are very valuable for forensics
– Search terms
– Programs run or installed
– Web addresses
– Files recently opened
– USB devices connected
Acquiring the Registry

• FTK Imager
Acquired Files
Reference
Important Registry Data

• Control Set
• Time Zone
• User Assist
• USB Store
Control Set

• A live Registry has an important key named HKLM\System\CurrentControlSet
• Contains Time Zone, USBSTOR, and other information
Control Set

• Acquired image doesn't contain CurrentControlSet
• It's ephemeral data—not stored in the hive files
• To determine which ControlSet is current, look in System\Select
• In this case, ControlSet001 is Current
Time Zone

• System\ControlSet001\Control\TimeZoneInformation
– Assuming that ControlSet001 is Current
UserAssist

• Shows objects the user has accessed
• To see it, open Users\Username\NTUSER.DAT
• Navigate to Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
UserAssist Decoded in Lower Left Pane
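An added example, not from the slides or from RegRipper, that decodes UserAssist entries in Python. It relies on two facts about the artifact: value names are ROT13-encoded, and on Windows 7 and later each value holds a 72-byte record with the run count at offset 4 and the last-run FILETIME at offset 60 (Windows XP used a 16-byte record, which the parser rejects rather than misreads). The entries are constructed; a hive parser would supply the real ones from the Count subkeys under the UserAssist key.

```python
"""Decode UserAssist entries from a user's NTUSER.DAT.

Editor-added example, not from the slides or from RegRipper. Facts relied on:
UserAssist value names are ROT13-encoded, and on Windows 7 and later each
value's data is a 72-byte record whose run count sits at offset 4 and whose
last-executed FILETIME sits at offset 60 (Windows XP used a 16-byte record,
which this parser rejects). The sample entries are constructed.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

USERASSIST_PATH = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"
RECORD_SIZE = 72


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME (100 ns ticks since 1601-01-01 UTC); zero means never recorded."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def decode_userassist_value(name: str, raw: bytes) -> Dict[str, object]:
    """Turn one (ROT13 name, binary data) pair into a readable record."""
    if len(raw) != RECORD_SIZE:
        raise ValueError(f"expected a {RECORD_SIZE}-byte Windows 7 record, got {len(raw)} bytes")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", raw, 4)
    last_run_ft = struct.unpack_from("<Q", raw, 60)[0]
    return {
        "name": codecs.decode(name, "rot_13"),   # ROT13 shifts letters only; digits and '\' pass through
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000.0,
        "last_run": filetime_to_datetime(last_run_ft),
    }


def decode_userassist(values: Dict[str, bytes]) -> List[Dict[str, object]]:
    """Decode every value of a Count subkey, most recently run first."""
    records = [decode_userassist_value(n, d) for n, d in values.items()]
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return sorted(records, key=lambda r: r["last_run"] or epoch, reverse=True)


def make_record(run_count: int, focus_count: int, focus_ms: int, last_run_ft: int) -> bytes:
    """Constructed 72-byte record: session id, counters, 44 bytes of unused fields, FILETIME, trailer."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44 + struct.pack("<Q", last_run_ft) + b"\xff\xff\xff\xff")


# Constructed sample: names as stored in the hive (ROT13), data as binary.
SAMPLE_COUNT_VALUES: Dict[str, bytes] = {
    codecs.encode("C:\\Windows\\System32\\notepad.exe", "rot_13"): make_record(5, 3, 34000, 131_000_000_000_000_000),
    codecs.encode("C:\\Tools\\example.exe", "rot_13"): make_record(1, 1, 1200, 131_500_000_000_000_000),
    codecs.encode("C:\\Windows\\explorer.exe", "rot_13"): make_record(12, 0, 0, 0),  # never timestamped
}

if __name__ == "__main__":
    for rec in decode_userassist(SAMPLE_COUNT_VALUES):
        print(rec)
```

The run count and the last-run time are the two fields usually put in a timeline; a zero FILETIME is reported as None rather than as 1601-01-01 so it is not mistaken for an actual execution.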
RegRipper
Ripped Registry
USBSTOR
• System\ControlSet001\Enum\USBSTOR
– Assuming Current Control Set is 1
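One added example (not from the slides or from RegRipper) that ties the Control Set, Time Zone and USBSTOR slides together in Python. It resolves System\Select\Current to the ControlSetNNN key, builds the TimeZoneInformation and USBSTOR paths beneath it, converts a UTC FILETIME to the machine's local time using ActiveTimeZoneBias (a signed DWORD of minutes; local time = UTC minus bias), and flattens USBSTOR into one record per device instance, flagging instance IDs that Windows generated because the device reported no serial (second character is '&'). The Select, TimeZoneInformation and USBSTOR contents are constructed stand-ins for what a hive parser returns.

```python
"""Resolve the current control set in an acquired SYSTEM hive, then locate and
interpret the Time Zone and USBSTOR artifacts beneath it.

Editor-added example covering the Control Set, Time Zone and USBSTOR slides;
not from the slides or from RegRipper. The dictionaries below stand in for
values a hive parser would return and are constructed. Facts relied on:
System\\Select\\Current holds the number of the control set that was in use;
ActiveTimeZoneBias is a signed DWORD of minutes with local = UTC - bias;
USBSTOR subkeys are named <class>&Ven_<vendor>&Prod_<product>&Rev_<revision>
and hold one subkey per device instance, named by the device serial unless
Windows generated the ID (second character '&').
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

USBSTOR_DEVICE_RE = re.compile(
    r"^(?P<class>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>.*)$")


def current_control_set(select_values: Dict[str, int]) -> str:
    """Map System\\Select\\Current to the ControlSetNNN key that was live.

    CurrentControlSet is a link that exists only in a running system; in an
    acquired hive it has to be resolved this way.
    """
    current = select_values.get("Current")
    if not isinstance(current, int) or current < 1:
        raise ValueError("System\\Select\\Current missing or invalid")
    return f"ControlSet{current:03d}"


def artifact_paths(select_values: Dict[str, int]) -> Dict[str, str]:
    """Paths (relative to the SYSTEM hive root) of the two artifacts discussed."""
    cs = current_control_set(select_values)
    return {
        "TimeZoneInformation": f"{cs}\\Control\\TimeZoneInformation",
        "USBSTOR": f"{cs}\\Enum\\USBSTOR",
    }


def signed_dword(value: int) -> int:
    """Bias values are stored as DWORD but mean a signed number of minutes."""
    return value - (1 << 32) if value & 0x80000000 else value


def utc_to_local(utc_time: datetime, active_bias_dword: int) -> datetime:
    """Naive local wall-clock time for a UTC timestamp, using the hive's bias."""
    return (utc_time - timedelta(minutes=signed_dword(active_bias_dword))).replace(tzinfo=None)


def filetime_to_local(ft: int, active_bias_dword: int) -> datetime:
    """Registry FILETIMEs are UTC; present them in the suspect machine's local time."""
    utc_time = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)
    return utc_to_local(utc_time, active_bias_dword)


def parse_usbstor(usbstor_subkeys: Dict[str, List[str]]) -> List[Dict[str, object]]:
    """Flatten USBSTOR into one record per device instance."""
    devices = []
    for device_key, instances in usbstor_subkeys.items():
        m = USBSTOR_DEVICE_RE.match(device_key)
        if not m:
            continue  # not a USB mass-storage device entry
        for instance in instances:
            generated = len(instance) > 1 and instance[1] == "&"
            devices.append({
                **m.groupdict(),
                "instance_id": instance,
                "serial": None if generated else instance.split("&")[0],
                "serial_generated_by_windows": generated,
            })
    return devices


# Constructed sample values, as a hive parser would return them.
SAMPLE_SELECT = {"Current": 1, "Default": 1, "Failed": 0, "LastKnownGood": 2}
SAMPLE_TZ = {"TimeZoneKeyName": "SE Asia Standard Time", "ActiveTimeZoneBias": 0xFFFFFE5C}  # -420 min = UTC+7
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00": ["4C530001230415115482&0"],
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": ["6&2a3b4c5d&0"],
}

if __name__ == "__main__":
    print(artifact_paths(SAMPLE_SELECT))
    print(filetime_to_local(131_000_000_000_000_000, SAMPLE_TZ["ActiveTimeZoneBias"]))
    for device in parse_usbstor(SAMPLE_USBSTOR):
        print(device)
```

Two points carry over to real cases: always resolve the control set before reading anything under it, since ControlSet001 being current is only an observation about one image, and keep USB serials as strings exactly as found, because a generated instance ID is unique to that machine and cannot be matched against the same stick seen elsewhere.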
• Q&A

http://fpt.edu.vn 06/04/24 30
