Showing posts with label Tricks on Windows OS.

Thursday, June 4, 2009

Notes for Forensic Beginners, Part 1

Hello All,

I still remember my days 7 years back, when I was very keen to learn and work on Computer Forensics; however, there were no good resources available for understanding the concepts and the practicals.

I am starting this short series for all those who are still struggling to start their career in Digital / Computer Forensics.

However, I won't be covering the basic steps or phases involved in Computer Forensics and Incident Response, as there are numerous books available on them, and a Google search will help you a lot.

So, let's start with the NTFS filesystem:

The current version is NTFS v3.1, used by XP/2000/2003/Vista.

NTFS: New Technology File System.

Formerly, NTFS was a registered trademark of Northern Telecom (Northern Telecom File System); you can still find it on older versions of the CDs for Windows NT 3.5 and 4.0.

Going a bit deeper:

NTFS consists of records and entries in the MFT.

$MFT = Master File Table

Each record within the $MFT is 1024 bytes long.

The standard sector size within NTFS is 512 bytes.

The standard cluster size within NTFS is 4096 bytes (8 sectors * 512 bytes).

The MFT is the primary file within the NTFS file system; it points to the locations of all the other files within the NTFS-formatted filesystem.

Within the MFT there are “entries”, and each entry contains information about the file it points to. This information includes:

the file name, the file size, and the dates associated with the file (the MACE times):

Modified (data last written) = M

Accessed = A

Created = C

Entry (MFT record) modified = E

plus the location of the file's data.

Typically an MFT entry is 1024 bytes in size, or two sectors, and starts with either FILE0 or FILE*, signifying that the partition was formatted using Windows XP or Windows 2000 respectively.

The first 16 MFT entries within the MFT are reserved.
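As an added example (my own code, not the author's), the Python below builds one constructed 1024-byte MFT record in memory and then parses it the way a forensic tool does: it checks the FILE signature, undoes the per-sector update-sequence fixups, reads the in-use/directory flags and the record number, and decodes the four MACE timestamps from the resident $STANDARD_INFORMATION attribute. The layouts follow the documented NTFS record header and attribute header; the record bytes and the timestamps are constructed, not taken from a real disk.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR_SIZE = 512                 # standard NTFS sector, as the post states
RECORD_SIZE = 1024                # one MFT record = two sectors, as the post states
RESERVED_RECORDS = 16             # the first 16 MFT records are reserved
ATTR_STANDARD_INFORMATION = 0x10  # attribute type holding the MACE timestamps
ATTR_END_MARKER = 0xFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# MFT record header: signature, USA offset/count, $LogFile LSN, sequence no., hard links,
# first attribute offset, flags, used/allocated size, base record, next attr id, pad, record no.
_HEADER = struct.Struct("<4sHHQHHHHIIQHHI")   # 48 bytes

def filetime_to_datetime(ft):
    """FILETIME = 100 ns intervals since 1601-01-01 UTC, the format of the MACE fields."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def apply_fixups(record):
    """Undo update-sequence fixups: the driver stamps the update sequence number (USN) over
    the last 2 bytes of each sector and keeps the originals in the update sequence array.
    A sector whose tail does not carry the USN is a torn (incomplete) write."""
    rec = bytearray(record)
    usa_offset, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_offset:usa_offset + 2])
    for i in range(usa_count - 1):
        end = (i + 1) * SECTOR_SIZE
        if bytes(rec[end - 2:end]) != usn:
            raise ValueError(f"update sequence mismatch in sector {i}: torn write")
        src = usa_offset + 2 + 2 * i
        rec[end - 2:end] = rec[src:src + 2]
    return bytes(rec)

def parse_mft_record(record):
    """Decode one MFT record: header flags plus the MACE times from $STANDARD_INFORMATION."""
    if len(record) != RECORD_SIZE:
        raise ValueError(f"expected {RECORD_SIZE} bytes, got {len(record)}")
    if record[:4] != b"FILE":
        raise ValueError(f"bad record signature {record[:4]!r}")
    record = apply_fixups(record)
    (_, _usa_off, _usa_count, _lsn, seq_no, links, first_attr, flags,
     used_size, _alloc, _base, _next_id, _pad, record_number) = _HEADER.unpack_from(record, 0)
    info = {
        "record_number": record_number,
        "reserved": record_number < RESERVED_RECORDS,
        "sequence_number": seq_no,
        "hard_links": links,
        "in_use": bool(flags & 0x01),
        "is_directory": bool(flags & 0x02),
        # Byte 4 is the low byte of the USA offset: 0x30 ('0') on XP/2003, 0x2A ('*') on
        # Windows 2000, which is what the post sees as "FILE0" versus "FILE*".
        "signature_as_seen": record[:5].decode("latin-1"),
        "mace": None,
    }
    offset = first_attr
    while offset + 8 <= used_size:
        attr_type, attr_len = struct.unpack_from("<II", record, offset)
        if attr_type == ATTR_END_MARKER or attr_len == 0:
            break
        if attr_type == ATTR_STANDARD_INFORMATION and record[offset + 8] == 0:  # resident
            content_len, content_off = struct.unpack_from("<IH", record, offset + 16)
            body = record[offset + content_off:offset + content_off + content_len]
            created, written, entry_modified, accessed = struct.unpack_from("<QQQQ", body, 0)
            info["mace"] = {"M": filetime_to_datetime(written),
                            "A": filetime_to_datetime(accessed),
                            "C": filetime_to_datetime(created),
                            "E": filetime_to_datetime(entry_modified)}
        offset += attr_len
    return info

def build_sample_record():
    """Constructed in-use record #42 holding one resident $STANDARD_INFORMATION (not from a disk)."""
    def ft(hour, minute):
        return datetime_to_filetime(datetime(2009, 6, 4, hour, minute, tzinfo=timezone.utc))
    content = struct.pack("<QQQQ", ft(10, 0), ft(10, 5), ft(10, 6), ft(10, 7)) + bytes(16)  # C, M, E, A
    attr = struct.pack("<IIBBHHHIHBB", ATTR_STANDARD_INFORMATION, 24 + len(content),
                       0, 0, 0, 0, 0, len(content), 24, 0, 0) + content
    first_attr = 56                                # 48-byte header + 6-byte USA, rounded to 8
    rec = bytearray(RECORD_SIZE)
    rec[:48] = _HEADER.pack(b"FILE", 48, 3, 0, 1, 1, first_attr, 0x0001,
                            first_attr + len(attr) + 8, RECORD_SIZE, 0, 1, 0, 42)
    rec[first_attr:first_attr + len(attr)] = attr
    struct.pack_into("<I", rec, first_attr + len(attr), ATTR_END_MARKER)
    usn = b"\x01\x00"                              # stamp the USN the way the driver does
    rec[48:50] = usn
    for i, end in enumerate((SECTOR_SIZE, RECORD_SIZE)):
        rec[50 + 2 * i:52 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)

if __name__ == "__main__":
    for key, value in parse_mft_record(build_sample_record()).items():
        print(f"{key}: {value}")
```

The fixup step is the part beginners skip and then wonder why two bytes at offset 510 and 1022 of every record look corrupt; a real record read straight from an image must go through it before any offset past 510 is trusted.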

In the next part of this series we will go deeper into the NTFS structure with reference to the MFT and other records.

Need all your comments.

Thanks

Nitin Kushwaha

CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K

Restore Point and Forensics

Hello All,

Just an update on Windows XP Restore Points and their use in forensic investigations:

Within Windows XP, Windows creates “Restore Points”. These restore points are contained in numbered folders at the following location:

\System Volume Information\_restore{GUID}\RP### (### is a sequential number assigned as the restore points are created)

Restore Points are / can be created when the following conditions are met, or due to actions taken by the user or the system:

1> They are created by default every 24 hours within Windows XP and named System Checkpoint.

2> They are also created before and after the installation of Microsoft Windows Updates or any patches/hotfixes.

3> They are often created whenever a user installs any software or application.

4> And finally, whenever a hardware change occurs and a device driver installation is performed on the system.

There may be other reasons which I am not fully aware of, or haven't come across.

Now, how can the above help in an ongoing forensic investigation?

Well,

1> Check the system image in question for Event ID 110, which provides evidence that a System Restore was successful; this is very useful after a machine is confiscated and is under investigation.

2> Check the following logs relevant to System Restore: a> RP.LOG, b> CHANGE.LOG, c> FIFO.LOG

CHANGE.LOG is important as it contains the names of files that were renamed, and thus it helps in tracking the files from the restore point folder.

FIFO.LOG contains the deletion time and the number of the Restore Point being deleted, “RP###”.

Restore Points are valid for a 90-day period; this also depends on the amount of disk space available and how System Restore is configured.

System Restore can be disabled by a user or an Administrator.

An Administrator can create a System Restore Point manually.

\System Volume Information\_restore{GUID}\RP### is accessible neither to an Administrator with the default NTFS permission set, nor to the user.

There are registry settings for System Restore at:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
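As an added example (my own code, not the author's), the Python below reads a regedit export of the SystemRestore key named above together with a directory listing of the _restore{GUID} folder, and reports what an examiner wants from them: whether System Restore was switched off, the checkpoint interval and the retention period implied by the DWORD values, and any gaps in the RP### numbering that deletions recorded in FIFO.LOG would explain. The export text and folder names are constructed. The value names DisableSR, RPGlobalInterval and RPLifeInterval are real value names under that key, but they are not mentioned in the post.

```python
import re

# Registry key named in the post.
SR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"

# Constructed regedit 5.00 export of that key (sample values, not from a real system).
# 0x15180 = 86400 seconds (24 hours); 0x76A700 = 7776000 seconds (90 days).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000000
"RPGlobalInterval"=dword:00015180
"RPLifeInterval"=dword:0076a700
"RPSessionInterval"=dword:00000000
"""

# Constructed listing of a _restore{GUID} folder from an image: RP14 and RP17 are gone.
SAMPLE_RP_FOLDERS = ["RP12", "RP13", "RP15", "RP16", "RP18", "fifo.log"]

_VALUE_RE = re.compile(r'^"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg_export(text):
    """Return {key: {value_name: value}} for the DWORD and string values of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            if m.group(3) is not None:                       # dword:XXXXXXXX is hex
                keys[current][m.group(1)] = int(m.group(3), 16)
            else:                                            # "string" with \\ and \" escapes
                keys[current][m.group(1)] = m.group(4).replace("\\\\", "\\").replace('\\"', '"')
    return keys

def summarize_system_restore(reg_text):
    """Turn the raw DWORDs into the questions an examiner asks: is SR off, how often are
    checkpoints taken, and how long do restore points live? Intervals are in seconds."""
    values = parse_reg_export(reg_text).get(SR_KEY, {})
    def scaled(name, unit):
        raw = values.get(name)
        return None if raw is None else raw / unit
    return {
        "disabled": bool(values.get("DisableSR", 0)),
        "checkpoint_interval_hours": scaled("RPGlobalInterval", 3600),
        "life_interval_days": scaled("RPLifeInterval", 86400),
    }

def restore_point_numbers(entries):
    """RP### numbers present in the folder, and the gaps in the sequence (candidates to
    look up in FIFO.LOG, which records the deletion time of each purged RP###)."""
    matches = (re.fullmatch(r"RP(\d+)", e) for e in entries)
    present = sorted(int(m.group(1)) for m in matches if m)
    missing = sorted(set(range(present[0], present[-1] + 1)) - set(present)) if present else []
    return {"present": present, "missing": missing}

if __name__ == "__main__":
    print(summarize_system_restore(SAMPLE_REG_EXPORT))
    print(restore_point_numbers(SAMPLE_RP_FOLDERS))
```

A real export written by regedit is UTF-16 with a byte-order mark, so decode the file before handing the text to parse_reg_export; the parser deliberately ignores binary and expandable-string values, which this key does not use.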

If you have any other inputs to add, or anything I have missed, please feel free to comment.

Need all your comments.

Thanks

Nitin Kushwaha

CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K

Can Defeat Forensics up to 50%

Hello All,

After a long time, and Yes you read the Title right!!

With the new feature in Windows XP and Windows Vista called SteadyState, if it is configured properly, with Disk Protection = ON and deletion of the shared profile at restart or at logoff configured, there is no way to retrieve any artefacts from a system configured to run with Windows SteadyState,

as there are no modifications within the $MFT, except for the $MFT entry for the C:\Boot\Bootstat.dat file itself,

and nothing changes!!

I am still trying to figure out other possibilities for recovering the Artefacts.

However, as of this time, I assume it is almost 50% true to say that it is not too far off that one can hide all traces and artefacts from a system, as advances in technologies like Windows SteadyState are coming.

Note: the system needs to be configured to use a Locked Profile and deletion of any user data; please refer to the User Handbook for Windows SteadyState :-)

Need all your comments.

Thanks

Nitin Kushwaha

CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K.

Saturday, January 20, 2007

The Hex Editor in Windows Xp and Windows 2003 OS !!

Hi Folks,

I am working on my client's project on malware analysis and I came across this file,

which is part of the Microsoft OS but not known to many of us.

It is known as the “Private Character Editor”.

It is a very useful graphics tool for designing your own fonts, logos and icons.

To start the program go to Run --> eudcedit and click OK.

It will then open the program. Select a hexadecimal code for your first character from the grid, click OK, and you are ready to begin designing. Using the set of drawing tools on the left, you can do your own design.

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Thursday, January 11, 2007

The Windows Security Manager!

Hi Folks!
The Security tab: you must be aware of this tab.

Warning!
Before attempting this trick, please make sure you back up your system and registry!

The Windows Security tab, which is used to manage permissions on files and folders on an NTFS partition (screenshot in the original post), is controlled by %SystemRoot%\System32\Rshx32.dll.

Let's search for this DLL (screenshot in the original post).

Normally, Everyone has Read permission on this file and Administrator has Full Control.
To hide the Security tab, simply remove the Everyone group's permissions on it.

The reverse can be done to resolve the issue when you are unable to see the Security tab.

Enjoy this Hack!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Wednesday, January 10, 2007

Windows Update Hacks!

Hi Folks!

This article is for Windows XP Home and Professional and Windows 2003 (all editions) users who have very low bandwidth and can't afford to download the online patches/hotfixes every time.

Due to the latest spyware, Trojan and malware attacks on personal PCs, one needs to keep one's PC up to date with the latest security fixes and patches.

Otherwise one has to reformat the PC, losing some settings and lots of other stuff.

So why am I talking about all this?

Well, the point here is that you can copy the Windows Update patches and hotfixes that are downloaded each time you update,

so you can eliminate the need to go online for them every time,

provided you copy these patches to a WORM device (Write Once Read Many).

So here is the hack.

When doing an online Windows Update, the patches are downloaded and installed and your PC needs to be restarted.

So where are the patches?

You can find all the patches that were downloaded at the location shown in the screenshots below.

See here: Steps 1 to 5 (screenshots in the original post).

Now you can copy the entire Downloads folder to a CD, labelled with the date, so you know up to when your patches are updated.

Happy Windows Update!



Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Tuesday, January 9, 2007

Your Browser Reveals All ! How to prevent it ?

Hi Folks,

Ever wondered how some sites, like forums, can tell you what browser, ISP and OS version you are using?

Your browser is the culprit: it sends this information in the request headers (the User-Agent string) whenever you browse the Internet / a web server.

If you are still in doubt, see the screenshot in the original post:



WOW! Amazing, isn't it...

Now how do you stop this?

Well, it's a bit tricky, and there is a risk if you want to update patches/hotfixes from Microsoft.com, because the Microsoft Windows Update site checks this header information when you connect.

So be aware when you do this.

Always make sure you take a registry backup.

Here is how to remove or fake this information:

Open the registry (REGEDIT) and find the “User Agent” key below. If it does not already exist, you may need to create it:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent

Create three new string values as follows:
"Compatible"
"Version"
"Platform"
without quotes, with the data type REG_SZ (a string value). See the screenshot in the original post.


For Mozilla Firefox browsers:

You can run any packet analyzer and view the GET request sent out by your browser (screenshot in the original post).

Type “about:config” (without quotes) in the Firefox address bar; yes, all of these are configurable parameters.

The user agent value can also be specified in the defaults\pref\all.js file by adding the "general.useragent.override" property, as in this example:

pref( "general.useragent.override", "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" );
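As an added example, not from the original post: the Python below parses a constructed GET request of the kind a packet analyzer shows, pulls out the User-Agent header and splits it into its product tokens and parenthesised comments, which is all a forum's "you are using X on Y" banner has to work from. The request and the Firefox string are constructed; the MSIE 5.5 / Windows 98 string is the override value from the all.js example above. The ISP such sites display comes from the connecting IP address, which no header setting changes.

```python
import re

# Constructed request, the kind a packet analyzer shows; not a real capture.
SAMPLE_REQUEST = (
    b"GET /forum/index.php HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\r\n"
    b"Accept: text/html\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)
# The override string from the all.js example, and a constructed Firefox 2 string for comparison.
IE_OVERRIDE_UA = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
FIREFOX_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"

def parse_request_headers(raw):
    """Split the request line and headers of a raw HTTP request (header names lower-cased)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}

def user_agent_from_request(raw):
    return parse_request_headers(raw)["headers"].get("user-agent")

# RFC 2616: User-Agent = 1*( product | comment ); product = token ["/" product-version]
_UA_TOKEN_RE = re.compile(r"\(([^)]*)\)|([^\s()/]+)(?:/([^\s()]+))?")

def parse_user_agent(ua):
    """Split a User-Agent into (name, version) products and ';'-separated comment parts."""
    products, comments = [], []
    for m in _UA_TOKEN_RE.finditer(ua):
        if m.group(1) is not None:
            comments.append([part.strip() for part in m.group(1).split(";")])
        else:
            products.append((m.group(2), m.group(3)))
    return {"products": products, "comments": comments}

def what_the_server_learns(ua):
    """What a site derives from the string alone: the browser and the Windows platform token."""
    parsed = parse_user_agent(ua)
    browser = platform = None
    for comment in parsed["comments"]:
        for part in comment:
            if part.startswith("MSIE "):          # IE names itself inside the comment
                browser = part
            elif part.startswith("Windows"):      # the last, most specific token wins
                platform = part
    if browser is None and parsed["products"]:
        name, version = parsed["products"][-1]    # Gecko browsers put their real name last
        browser = f"{name} {version}" if version else name
    return {"browser": browser, "platform": platform}

if __name__ == "__main__":
    for ua in (user_agent_from_request(SAMPLE_REQUEST), IE_OVERRIDE_UA, FIREFOX_UA):
        print(ua, "->", what_the_server_learns(ua))
```

Run against the override string, the parser reports MSIE 5.5 on Windows 98, which is exactly what the registry and all.js changes above are trading for: a server that keys its behaviour on these tokens (the post names Windows Update) will now serve the spoofed browser, not the real one.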


Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA