Hello All,
I still remember my days 7 years back, when I was very keen in learning and working on Computer Forensics, however there were no good resources available for understanding the concepts and practicals for the same.
I am starting this short series for all those who are still struggling to start their career into Digital / Computer Forensics.
However, I wont be covering the basic steps or Phases involved in Computer Forensics and Incident Response, as there are numerous books available for the same, and a Google search may help you all a lot.
So, Let’s start with NTFS Filesystem:-
Currently it is NTFS v3.1 for XP/2000/2003/Vista
NTFS: New Technology File System
formerly known as NTFS is a registered tradmark of Northern Telecom File System, you can still find them on older version’s of CD for Windows 3.5 NT and 4.0.
Going a bit deeper,
NTFS consists of records and entries of MFT,
$MFT= Master File Table
The length of the $MFT within NTFS is 1024 bytes.
Standard Sector size within NTFS is 512 bytes
Standard Cluster size within NTFS is 4096 bytes (8*512 sectors)
MFT is the primary file within NTFS file system,this file points to the locations of the other files within the NTFS formatted filesystem.
Within the MFT there are “entires”, and each entry contains information about the file it points to. These entries provide a variety of information about the file it points to, and it also includes the following:
File Name, File Size, dates about the file included:-
Created=C
Entry Modified=M
Written=E
Accessed=A
ocation of the data of the file.(MACE)
Typically an MFT entry is 1024 bytes in size, or two sectors, and starts with either FILE0 OR FILE*, depending and signifying whether the given partition was formatted using Windows XP , Windows 2000 respectively.
The first 16 MFT entries within the MFT are reserved.
In Next Series of this article we will go deep into NTFS structure with reference to MFT and other records.
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K
Thursday, June 4, 2009
Restore Point and Forensics
Hello All,
Just to update on Windows XP Restore Point and it’s use in Forensics Investigation:-
within Windows XP, Windows creates “Restore Points”. These restore points are contained in numbered folders at the following location:
\System Volume Information\-restore{GUID}\RP### (### are sequential numbers as these restore points are created)
These Restore Points are / can be created when the following conditions are been met / due to action taken by the user /system.
1>These Restore points are created by default every 24 hours within Windows XP and named as System Checkpoint
2>These are also created prior and after the installation of Microsoft Windows Update or any Patches /hotfixes installation.
3>These are often created whenever a user installs any software or application
4>and finally whenever any new hardware changes occur and device driver installation is performed on the system.
There may have been other reasons which I may not be fully aware, or havent come across.
Now, how the above can help in an ongoing Forensic Investigation?
Well,
1>Check the System Image in question for Event ID of 110 which provides evidence of System Restore was successful, this is very useful after any machine is confiscated and is under investigation.
2>check for the following logs relevant to System Restore, a>RP.LOG, b>CHANGE.LOG, c>FIFO.LOG
The Change.Log is important as it contains the name of files which are renamed and thus it helps tracking the files from the restore point folder.
The FIFO.Log file contains the Deletion time and the number of the Restore Point being deleted, “RP###”
Restore Points are valid for 90 day period, also it depends on the amt of disk space available and how the system restore is configured.
System restore can be Disabled by a user or an Adminsitrator.
An Administrator can create a System restore Point manually
\System Volume Information\-restore{GUID}\RP### is neither accessible to an Administrator with the default NTFS permission set, nor for the user.
There are Registry settings for System restore at:-
HKLM\Sofware\Microsoft\WindowsNT\CurrentVersion\SystemRestore.
If you have any other inputs to add, or anything i have missed Please feel free to comment.
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K
Just to update on Windows XP Restore Point and it’s use in Forensics Investigation:-
within Windows XP, Windows creates “Restore Points”. These restore points are contained in numbered folders at the following location:
\System Volume Information\-restore{GUID}\RP### (### are sequential numbers as these restore points are created)
These Restore Points are / can be created when the following conditions are been met / due to action taken by the user /system.
1>These Restore points are created by default every 24 hours within Windows XP and named as System Checkpoint
2>These are also created prior and after the installation of Microsoft Windows Update or any Patches /hotfixes installation.
3>These are often created whenever a user installs any software or application
4>and finally whenever any new hardware changes occur and device driver installation is performed on the system.
There may have been other reasons which I may not be fully aware, or havent come across.
Now, how the above can help in an ongoing Forensic Investigation?
Well,
1>Check the System Image in question for Event ID of 110 which provides evidence of System Restore was successful, this is very useful after any machine is confiscated and is under investigation.
2>check for the following logs relevant to System Restore, a>RP.LOG, b>CHANGE.LOG, c>FIFO.LOG
The Change.Log is important as it contains the name of files which are renamed and thus it helps tracking the files from the restore point folder.
The FIFO.Log file contains the Deletion time and the number of the Restore Point being deleted, “RP###”
Restore Points are valid for 90 day period, also it depends on the amt of disk space available and how the system restore is configured.
System restore can be Disabled by a user or an Adminsitrator.
An Administrator can create a System restore Point manually
\System Volume Information\-restore{GUID}\RP### is neither accessible to an Administrator with the default NTFS permission set, nor for the user.
There are Registry settings for System restore at:-
HKLM\Sofware\Microsoft\WindowsNT\CurrentVersion\SystemRestore.
If you have any other inputs to add, or anything i have missed Please feel free to comment.
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K
Can Defeat Forensics upto 50%
Hello All,
After a long time, and Yes you read the Title right!!
With the new feature in Windows XP and Windows Vista called SteadyState, if configured properly, with Disk protection=ON, and deletion of Shared Profile either at Restart or Logoff is configured properly, there is no way to retreive any Artefacts from the system configured to run with Windows SteadyState.
as there are no modifications within $MFT, except for the entry within the $MFT itself for the C:\Boot\Bootstat.dat file.
and nothing changes!!
I am still trying to figure out other possibilities for recovering the Artefacts.
However, as of this time, i assume it is almost 50 % true to say that it is not too far, that one can hide all traces and artefacts from a system, as the advances in technologies like Windows SteadyState are coming..
Note:-System needs to be configured to use Locked Profile and deletion of any user data, Please refer to User Handbook for Windows SteadyState:-)
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K.
After a long time, and Yes you read the Title right!!
With the new feature in Windows XP and Windows Vista called SteadyState, if configured properly, with Disk protection=ON, and deletion of Shared Profile either at Restart or Logoff is configured properly, there is no way to retreive any Artefacts from the system configured to run with Windows SteadyState.
as there are no modifications within $MFT, except for the entry within the $MFT itself for the C:\Boot\Bootstat.dat file.
and nothing changes!!
I am still trying to figure out other possibilities for recovering the Artefacts.
However, as of this time, i assume it is almost 50 % true to say that it is not too far, that one can hide all traces and artefacts from a system, as the advances in technologies like Windows SteadyState are coming..
Note:-System needs to be configured to use Locked Profile and deletion of any user data, Please refer to User Handbook for Windows SteadyState:-)
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K.
Sunday, March 29, 2009
NMAP as a VA tool !!
NMAP a great Penetration-testing tool, which was only used as a Port-Scanning and Enumeration tool, has now got some additional and more powerful features then it’s previous versions.
with the newly added “NSE” Nmap Scripting Engine which uses “Lua”
The NSE (”The Nmap Scripting Engine“) executes the script in parallel with the ongoing scan. Scripts are written in the embedded Lua programming language.
The NSE scripts can be found under:-
/usr/share/nmap/scripts/
There are currently the following categories:
auth, default, discovery, external, intrusive, malware, safe, version, and vuln.
the above categories can be used together as well, seperated by commas:
nmap -v –script=malware,vuln,discovery hostipaddress.com
Some common examples of using NMAP with NSE are as follows:-
to update the Scripts use the following: nmap --script-updatedb
nmap -v -sC hostipaddress.com
nmap -v –script=all hostipaddress.com
nmap -v –script=default hostipaddress.com
nmap -v –script=malware hostipaddress.com
there can be many more options, depending upon what exactly you are trying to find out.
however, it will not be too late, to see NMAP as a Full-Blown Vulnerability Scanner, like or more powerfull than Nessus.
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL
with the newly added “NSE” Nmap Scripting Engine which uses “Lua”
The NSE (”The Nmap Scripting Engine“) executes the script in parallel with the ongoing scan. Scripts are written in the embedded Lua programming language.
The NSE scripts can be found under:-
/usr/share/nmap/scripts/
There are currently the following categories:
auth, default, discovery, external, intrusive, malware, safe, version, and vuln.
the above categories can be used together as well, seperated by commas:
nmap -v –script=malware,vuln,discovery hostipaddress.com
Some common examples of using NMAP with NSE are as follows:-
to update the Scripts use the following: nmap --script-updatedb
nmap -v -sC hostipaddress.com
nmap -v –script=all hostipaddress.com
nmap -v –script=default hostipaddress.com
nmap -v –script=malware hostipaddress.com
there can be many more options, depending upon what exactly you are trying to find out.
however, it will not be too late, to see NMAP as a Full-Blown Vulnerability Scanner, like or more powerfull than Nessus.
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL
Thursday, July 26, 2007
Unlock any Read-only Word Document !
Hi Folks,
Many a times we need to make some changes to documents or even need to fill-up some online documents which are in MS Word, and they have a read-only protection in place,
So here is how to bypass, or Unlock them.
If you are using office XP or 2003, you can change the view to HTML-Code using Microsoft Script-Editor by pressing the [Alt]+[Shift]+[F11] key combination.
Search for "Password", or scroll down till you will find something like this:
DocumentProtection>Forms
UnprotectPassword>60B9DAE3
To remove the protection:
Just remove those two lines, and after saving the document , the protection is gone.
To remove the password:
-replace the Password, here "60B9DAE3", with "00000000", save the Document and close "Script-Editor".
Enjoy!
Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA
Many a times we need to make some changes to documents or even need to fill-up some online documents which are in MS Word, and they have a read-only protection in place,
So here is how to bypass, or Unlock them.
If you are using office XP or 2003, you can change the view to HTML-Code using Microsoft Script-Editor by pressing the [Alt]+[Shift]+[F11] key combination.
Search for "Password", or scroll down till you will find something like this:
DocumentProtection>Forms
UnprotectPassword>60B9DAE3
To remove the protection:
Just remove those two lines, and after saving the document , the protection is gone.
To remove the password:
-replace the Password, here "60B9DAE3", with "00000000", save the Document and close "Script-Editor".
Enjoy!
Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA
Friday, July 13, 2007
Simulator for Juniper Networks --JunOS!!
Hi Folks,
Just found a link to an awesome tool which simulates the JunOS,
those who are looking for a hands-on and need to practice on the JunOS devices, can use this tool.
Since the JunOS is based on FreeBSD, you should be familiar with FreeBSD Install and configuration.
Here is the link:
Juniper Networks' Olive
* Preparing for Install
* Installation
* Installing under VMWare
* Limitations
* Hardware Support
* References
Enjoy!
Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA
Just found a link to an awesome tool which simulates the JunOS,
those who are looking for a hands-on and need to practice on the JunOS devices, can use this tool.
Since the JunOS is based on FreeBSD, you should be familiar with FreeBSD Install and configuration.
Here is the link:
Juniper Networks' Olive
* Preparing for Install
* Installation
* Installing under VMWare
* Limitations
* Hardware Support
* References
Enjoy!
Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA
Thursday, July 5, 2007
Google and your Privacy !!!
Hi Folks!
A very interesting news that has been around in US and many parts of the world is that Google does maintain a list of all your search activities and History of all you tried to dig on the Internet.
You can SEARCH for this as well on GOOGLE.
"Could Future Subpoenas Tie You to 'Britney Spears Nude'?
DOJ's subpoena of Google may lead to more intrusive examination of Internet users' online records
Fred von Lohmann
Special to Law.com
02-06-2006
As news circulated of the government's recent effort to force Google to hand over information about what its users are searching for, you could almost hear the collective gasp from Internet users. Wait, Google has been keeping records of all my searches? Including the embarrassing ones ("britney spears nude" was the second most popular "britney" search last month), the incriminating ones (your searches about marijuana cultivation were for research, of course), and the routine ones (from which your professional and recreational interests can easily be deduced)?"
A very famous example is that of "'Britney Spears Nude'" search string which set many of the officials and ISP's to an alert.
Read this text excerpt here:
"And so can any private litigant with an axe to grind and a subpoena in hand. If someone does deliver a subpoena to Google for your records, there is no law that requires that you even be notified, much less be afforded an opportunity to object.
The Google subpoena incident is a timely reminder to all Internet users that we are routinely entrusting third parties with an ever-increasing amount of private information about ourselves. We entrust our e-mail to services that encourage us to "never throw anything away," we upload our photos to share with family, and rely on search engines to help us track down virtually everything without a second thought."
So how are we going to protect our privacy??
Please comment on this.
Enjoy!
Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA
A very interesting news that has been around in US and many parts of the world is that Google does maintain a list of all your search activities and History of all you tried to dig on the Internet.
You can SEARCH for this as well on GOOGLE.
"Could Future Subpoenas Tie You to 'Britney Spears Nude'?
DOJ's subpoena of Google may lead to more intrusive examination of Internet users' online records
Fred von Lohmann
Special to Law.com
02-06-2006
As news circulated of the government's recent effort to force Google to hand over information about what its users are searching for, you could almost hear the collective gasp from Internet users. Wait, Google has been keeping records of all my searches? Including the embarrassing ones ("britney spears nude" was the second most popular "britney" search last month), the incriminating ones (your searches about marijuana cultivation were for research, of course), and the routine ones (from which your professional and recreational interests can easily be deduced)?"
A very famous example is that of "'Britney Spears Nude'" search string which set many of the officials and ISP's to an alert.
Read this text excerpt here:
"And so can any private litigant with an axe to grind and a subpoena in hand. If someone does deliver a subpoena to Google for your records, there is no law that requires that you even be notified, much less be afforded an opportunity to object.
The Google subpoena incident is a timely reminder to all Internet users that we are routinely entrusting third parties with an ever-increasing amount of private information about ourselves. We entrust our e-mail to services that encourage us to "never throw anything away," we upload our photos to share with family, and rely on search engines to help us track down virtually everything without a second thought."
So how are we going to protect our privacy??
Please comment on this.
Enjoy!
Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA
Saturday, June 9, 2007
No DEL key or DEL key broken, missing !
Hi Folks,
I am back again,
Recently a friend of mine had a problem with his Laptop and had given me for it to be repaired,
The Laptop was repaired, and another problem which was on the Laptop was that the DEL key was missing, so which actually despaired the functionality of CTRL+ALT+DEL combo.
so he has to always keep his Laptop to login automatically.
Well I just thought of replacing the Keypad, but finding a same match was difficult.
So Guess !
What i found that Windows OS has a built-in option for viewing the Keyboard On-Screen,
so it's easier to access the DEL key.
Here is how.
Goto---->Start---->Run---->OSK
and you can access the keyboard.
Hope this will help others with the Missing keys or the ones that gives a problem.
Enjoy!
Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA
I am back again,
Recently a friend of mine had a problem with his Laptop and had given me for it to be repaired,
The Laptop was repaired, and another problem which was on the Laptop was that the DEL key was missing, so which actually despaired the functionality of CTRL+ALT+DEL combo.
so he has to always keep his Laptop to login automatically.
Well I just thought of replacing the Keypad, but finding a same match was difficult.
So Guess !
What i found that Windows OS has a built-in option for viewing the Keyboard On-Screen,
so it's easier to access the DEL key.
Here is how.
Goto---->Start---->Run---->OSK
and you can access the keyboard.
Hope this will help others with the Missing keys or the ones that gives a problem.
Enjoy!
Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA
Sunday, February 4, 2007
NetStat Script !!
NetStat Script !!
Hi Folks,
Another Simple script to view all active connections,
and all exe's communicating on Internet.
Let me know If any Problems with this.
Download:
http://fixupload.com/file/2171/NitinStat.rar.html
Enjoy!
Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA
Hi Folks,
Another Simple script to view all active connections,
and all exe's communicating on Internet.
Let me know If any Problems with this.
Download:
http://fixupload.com/file/2171/NitinStat.rar.html
Enjoy!
Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA
Netstat with GREP in Windows !!
Netstat with GREP in Windows !!
Hi Folks,
Many times we use The most powerful command in MS Windows,
But we miss the GREP functionality in Windows,
which we use with most Debian/Linux/Unixes OS.
So here it is how we can get the GREP functionality within Windows.
here we go.
netstat -an | find "ESTAB"
netstat -an | find "LIST"
netstat -an | find "FIN_WAIT"
netstat -an | find "SYN_SENT"
Note:
ESTAB=Established sessions
LIST=Listening sessions
FIN_WAIT=Killing the session in process / Terminating in session
SYN_SENT=Normally when just opening a new session
Enjoy!
Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA
Hi Folks,
Many times we use The most powerful command in MS Windows,
But we miss the GREP functionality in Windows,
which we use with most Debian/Linux/Unixes OS.
So here it is how we can get the GREP functionality within Windows.
here we go.
netstat -an | find "ESTAB"
netstat -an | find "LIST"
netstat -an | find "FIN_WAIT"
netstat -an | find "SYN_SENT"
Note:
ESTAB=Established sessions
LIST=Listening sessions
FIN_WAIT=Killing the session in process / Terminating in session
SYN_SENT=Normally when just opening a new session
Enjoy!
Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA
Subscribe to:
Posts (Atom)
