CHFI v3 Module 10 Windows Forensics.pdf

(1783 KB) Pobierz

Computer Hacking

Forensic Investigator

Module X

Windows Forensics

Module Objective

This module familiarizes you with the following:

Locating evidence on Windows systems.

Gathering volatile evidence.

Helix.

Investigating Windows file slack.

Examining file systems

systems.

Checking Registry.

Importance of Memory dump.

Virtual memory.

Investigating Internet traces.

Investigating ADS S

i i A S Streams.

EC-Council

Module Flow

Locating evidence on

Windows system

Wi d

Gathering volatile evidence

Investigating Windows file

slack

Helix

Examining File systems

Checking Registry

Virtual memory

Importance of memory dump

Investigating Internet traces

Investigating ADS Streams

EC-Council

Locating Evidence on Windows Systems

Hidden files

Assessing file attributes to find file signature

The registry

Searching Index.dat files

Areas to look for evidence

Files

Slack

Sl k space

Swap file

Metadata

Hidden ADS streams

Pagingfile

Unallocated clusters

Unused partitions

Hidden partitions

EC-Council

Gathering Volatile Evidence

Collecting volatile data using command prompt in Windows

NT/2000:

System date and time:

•

C:/>date ; C:/>time

Currently running processes:

•

Tool - pslist

Currently open sockets:

•

C:/>netstat

Applications listening on open sockets:

•

Tool - fport

Current users logged on:

•

Tool - psloggedon

Systems currently recentl connected:

S stems c rrentl or recently connected

•

C:/>nbstat

EC-Council

Plik z chomika:

qfx

Inne pliki z tego folderu:

CHFI v3 Module 02 Law and Computer Forensics.pdf (2867 KB)
CHFI v3 Module 03 Computer Investigation Process.pdf (3529 KB)
CHFI v3 Module 04 First Responder Procedures.pdf (2317 KB)
CHFI v3 Module 05 CSIRT.pdf (2815 KB)
CHFI v3 Module 01 Computer Forensics in Todays World.pdf (1418 KB)

CHFI v3 Module 10 Windows Forensics.pdf

Plik z chomika:

Inne pliki z tego folderu:

Inne foldery tego chomika: