Notes - MCS
Computer Systems Forensic Analysis

Forensic Sorting Tools

Last updated 1 year ago

Windows Registry

RegistryReport

  • Requires the SAM, SOFTWARE, SYSTEM and NTUSER.DAT hive files, copied from the evidence.

  • Does not process the hives of the running operating system, so it works only on offline copies.

  • Shows information about a Windows 2000 or later installation:

    • the operating system;

    • installed software;

    • the last user activity;

    • the user settings;

    • and many other details.

  • The amount of information for each category can be configured in the settings dialog.

  • The generated report can be saved, printed, and searched.

ForensicUserInfo

  • Requires the SAM, SOFTWARE, and SYSTEM hive files (the SYSTEM hive supplies the boot key needed to decrypt the password hashes stored in SAM).

  • Extracts, for each local account:

    • RID, login name, full name, description, user comment;

    • LM hash and NT hash;

    • last login date, password reset date, account expiry date, last failed login date;

    • login count, failed login count, profile path, and group membership.
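The account dates and counters that ForensicUserInfo lists come from the binary F value of each SAM\Domains\Account\Users\<RID> key. The Python below is an added example, not ForensicUserInfo's own code: it decodes those fields from a constructed F value using the field offsets that open-source SAM parsers (for instance RegRipper's samparse plugin) read. The build_sample_f_value helper and the values it packs are made up for the demo and do not come from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # sentinel stored when an account never expires

# Account control bits (ACB) packed as a 16-bit word at offset 0x38 of the F value.
ACB_FLAGS = {
    0x0001: "Account disabled",
    0x0002: "Home directory required",
    0x0004: "Password not required",
    0x0008: "Temporary duplicate account",
    0x0010: "Normal user account",
    0x0020: "MNS logon user account",
    0x0040: "Interdomain trust account",
    0x0080: "Workstation trust account",
    0x0100: "Server trust account",
    0x0200: "Password does not expire",
    0x0400: "Account auto-locked",
}


def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC); 0 and NEVER mean 'never'."""
    if ft in (0, NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used only to build the sample blob."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_acb_flags(acb):
    """Return the human-readable names of the ACB bits that are set."""
    return [name for bit, name in sorted(ACB_FLAGS.items()) if acb & bit]


def parse_sam_f_value(f):
    """Decode the fixed-layout fields of a user's F value (little-endian)."""
    if len(f) < 0x44:
        raise ValueError("F value too short (%d bytes)" % len(f))
    last_login, = struct.unpack_from("<Q", f, 0x08)
    pwd_set, = struct.unpack_from("<Q", f, 0x18)
    expires, = struct.unpack_from("<Q", f, 0x20)
    last_fail, = struct.unpack_from("<Q", f, 0x28)
    rid, = struct.unpack_from("<I", f, 0x30)
    acb, = struct.unpack_from("<H", f, 0x38)
    failed_logins, logon_count = struct.unpack_from("<HH", f, 0x40)
    return {
        "rid": rid,
        "last_login": filetime_to_datetime(last_login),
        "password_last_set": filetime_to_datetime(pwd_set),
        "account_expires": filetime_to_datetime(expires),
        "last_failed_login": filetime_to_datetime(last_fail),
        "acb": acb,
        "flags": decode_acb_flags(acb),
        "failed_logins": failed_logins,
        "logon_count": logon_count,
    }


def build_sample_f_value():
    """Constructed 80-byte F value for the demo; not taken from a real SAM hive."""
    f = bytearray(0x50)
    utc = timezone.utc
    struct.pack_into("<Q", f, 0x08, datetime_to_filetime(datetime(2023, 3, 15, 12, 0, 0, tzinfo=utc)))
    struct.pack_into("<Q", f, 0x18, datetime_to_filetime(datetime(2022, 11, 2, 9, 30, 0, tzinfo=utc)))
    struct.pack_into("<Q", f, 0x20, NEVER)
    struct.pack_into("<Q", f, 0x28, datetime_to_filetime(datetime(2023, 3, 14, 23, 58, 10, tzinfo=utc)))
    struct.pack_into("<I", f, 0x30, 1001)          # RID of the first local user
    struct.pack_into("<H", f, 0x38, 0x0210)        # normal account, password never expires
    struct.pack_into("<HH", f, 0x40, 3, 42)        # 3 failed logins, 42 successful logons
    return bytes(f)


if __name__ == "__main__":
    for key, value in parse_sam_f_value(build_sample_f_value()).items():
        print("%-18s %s" % (key, value))
```

The login name, full name, comment and profile path, and the LM/NT hashes, live in the sibling V value; the hashes there are additionally encrypted with a key derived from the SYSTEM hive's boot key, which is why the tool needs SYSTEM as well as SAM. A zero timestamp means the event never happened (for example, no failed login has been recorded), and 0x7FFFFFFFFFFFFFFF in the expiry field means the account never expires.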

Mitec WRR (Windows Registry Recovery)

Reads raw hive files offline, which makes it useful for hives taken from crashed machines, for reviewing a system's registry configuration, and for data recovery.

It allows us to explore:

  • File information

  • SAM

  • Security Record Explorer

  • Windows Installation

  • Hardware

  • User Data

  • Startup Applications

  • Services and Drivers

  • Network Configuration

  • Windows Firewall Settings

  • Environment

  • Shell Folders

  • Outlook Express

  • Raw Data
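Before trusting what any of these viewers shows for a hive copied off a crashed machine, it is worth checking the hive's 512-byte base block: the primary and secondary sequence numbers differ when the last write was interrupted, and the base-block checksum reveals truncation or corruption. The Python below is an added example, not MiTeC's code, that parses the regf base block of a hive file. The build_sample_base_block helper and the file name it embeds are constructed for the demo and do not come from a real hive.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used only to build the sample base block."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def regf_checksum(base_block):
    """XOR-32 of the 127 DWORDs that precede the checksum field at offset 0x1FC."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:0x1FC]):
        x ^= dword
    # Two results are reserved by the format and remapped.
    if x == 0xFFFFFFFF:
        x = 0xFFFFFFFE
    elif x == 0:
        x = 1
    return x


def parse_regf_base_block(data):
    """Decode the base block found at the start of every hive file."""
    if len(data) < 0x200 or data[:4] != b"regf":
        raise ValueError("not a regf hive: bad signature or truncated base block")
    primary, secondary = struct.unpack_from("<II", data, 0x04)
    last_written, = struct.unpack_from("<Q", data, 0x0C)
    major, minor, file_type, file_format, root_off, bins_size = struct.unpack_from("<6I", data, 0x14)
    # 64-byte, zero-padded UTF-16LE name of the file as Windows last wrote it.
    name = data[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0]
    stored_checksum, = struct.unpack_from("<I", data, 0x1FC)
    return {
        "file_name": name,
        "version": "%d.%d" % (major, minor),
        "file_type": file_type,                  # 0 = primary file, non-zero = transaction log
        "root_cell_offset": 0x1000 + root_off,   # cell offsets are relative to the first hbin
        "hive_bins_size": bins_size,
        "last_written": filetime_to_datetime(last_written),
        "primary_seq": primary,
        "secondary_seq": secondary,
        "dirty": primary != secondary,           # last write never completed
        "checksum_ok": stored_checksum == regf_checksum(data),
    }


def build_sample_base_block(primary_seq, secondary_seq, corrupt_checksum=False):
    """Constructed base block for the demo; not taken from a real system."""
    bb = bytearray(0x200)
    bb[0:4] = b"regf"
    struct.pack_into("<II", bb, 0x04, primary_seq, secondary_seq)
    struct.pack_into("<Q", bb, 0x0C, datetime_to_filetime(
        datetime(2024, 1, 10, 8, 15, 0, tzinfo=timezone.utc)))
    # version 1.5, primary file, direct-memory-load format, root cell at 0x20, one 4 KiB hbin
    struct.pack_into("<6I", bb, 0x14, 1, 5, 0, 1, 0x20, 0x1000)
    struct.pack_into("<I", bb, 0x2C, 1)          # clustering factor
    name = "SystemRoot\\System32\\Config\\SAM".encode("utf-16-le")
    bb[0x30:0x30 + len(name)] = name
    checksum = regf_checksum(bb)
    if corrupt_checksum:
        checksum ^= 0x1                          # simulate a damaged base block
    struct.pack_into("<I", bb, 0x1FC, checksum)
    return bytes(bb)


if __name__ == "__main__":
    for label, block in (("clean", build_sample_base_block(7, 7)),
                         ("dirty", build_sample_base_block(9, 8))):
        print(label, parse_regf_base_block(block))
```

When dirty is True, the most recent changes exist only in the hive's .LOG1/.LOG2 transaction logs, so those files should be acquired together with the hive and replayed by a tool that supports them; comparing last_written with the acquisition time also shows whether the copy is older than expected.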

RanSack

Free program for finding files on local disks or network shares:

  • Fast search (less time waiting).

  • Powerful search capabilities (Boolean expressions, Perl-compatible regular expressions) for both file names and file contents.

  • Supports Microsoft Office and LibreOffice file formats, so it can search inside those documents.

Portable Applications

Collection of freeware tools that run without installation (for example from a USB stick or a forensic boot disk), such as:

  • DataProtectionDecryptor – decrypts DPAPI-protected data: passwords of Microsoft Outlook accounts, Windows credential files, wireless network keys, passwords saved by some versions of Internet Explorer, and saved passwords and cookies of the Chrome web browser. For data taken from another machine it needs the user's logon password to derive the DPAPI master key.

  • JumpListsView – displays the information stored in Windows Jump Lists (files recently opened by each application).

  • Windows File Analyzer – decodes and analyses Windows cache artefacts such as thumbnail databases, Prefetch files, shortcut (.lnk) files and the Recycle Bin index.

  • BinText – extracts ASCII and Unicode strings from binary files.

  • Data Converter – converts between numbers, hexadecimal values, and date formats.

  • EXIF Viewer – displays EXIF metadata (camera, timestamps, GPS position when present) from JPEG images.

  • eMule MET Viewer – shows various information from the eMule...

Multi-Purpose Tool

FTK Imager

Very powerful and user-friendly tool:

  • Runs as a portable application, ideal to include in WinFE (Windows Forensic Environment) boot media.

  • Searches files.

  • Looks for deleted files.

  • Copies files, including ones the running system keeps locked (e.g. browser cache and registry hives).

  • Identifies ADS (Alternate Data Streams) on NTFS volumes.

  • Acquires storage devices and RAM.

  • Mounts E01 files as read-only virtual drives.
