https://wiki.espai.de/index.php?action=history&feed=atom&title=ForensicsForensics - Historial de revisió2026-05-27T18:02:52ZHistorial de revisió per a aquesta pàgina del wikiMediaWiki 1.39.6https://wiki.espai.de/index.php?title=Forensics&diff=1753&oldid=prevMarti: Es crea la pàgina amb « Introduction to Windows Forensics: https://www.youtube.com/watch?v=VYROU-ZwZX8 ===SANS DFIR Cheat Sheet=== Author: 13Cubed Original from: https://www.13cubed.com/d...».2019-02-08T20:43:23Z<p>Es crea la pàgina amb « Introduction to Windows Forensics: https://www.youtube.com/watch?v=VYROU-ZwZX8 ===SANS DFIR Cheat Sheet=== Author: 13Cubed Original from: https://www.13cubed.com/d...».</p>
<p><b>Pàgina nova</b></p><div><br />
<br />
Introduction to Windows Forensics:<br />
https://www.youtube.com/watch?v=VYROU-ZwZX8<br />
<br />
===SANS DFIR Cheat Sheet===<br />
Author: 13Cubed<br />
<br />
Original from: https://www.13cubed.com/downloads/dfir_cheat_sheet.pdf<br />
<br />
<pre><br />
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer<br />
• \ComDlg32<br />
o \LastVistedPidlMRU<br />
o \OpenSavePidlMRU<br />
• \RecentDocs<br />
• \RunMRU<br />
• \TypedPaths<br />
• \UserAssist<br />
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run<br />
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce<br />
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run<br />
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce<br />
HKCU\SOFTWARE\Microsoft\Windows\Shell < Shellbags<br />
• \BagMRU<br />
• \Bags<br />
HKCU\SOFTWARE\Classes<br />
• Insert %USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat<br />
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR < Class ID / Serial #<br />
HKLM\SYSTEM\CurrentControlSet\Enum\USB < VID / PID<br />
HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices<br />
• Find Serial # and then look for FriendlyName to obtain the Volume Name of the USB device<br />
HKLM\SYSTEM\MountedDevices<br />
• Find Serial # to obtain the Drive Letter of the USB device<br />
• Find Serial # to obtain the Volume GUID of the USB device<br />
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt<br />
• Key will ONLY be present if system drive is NOT SSD<br />
• Traditionally used for ReadyBoost<br />
• Find Serial # to obtain the Volume Serial Number of the USB device<br />
o The Volume Serial Number will be in decimal – convert to hex<br />
o You can find complete history of Volume Serial Numbers here, even if the device has been<br />
formatted multiple times. The USB device’s Serial # will appear multiple times, each with a<br />
different Volume Serial Number generated on each format.<br />
Using the Volume GUID found in SYSTEM\MountedDevices, you can find the user that actually mounted<br />
the USB device:<br />
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Mountpoints2<br />
USB Times:<br />
• First time device is connected<br />
• Last time device is connected<br />
• Removal time<br />
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USB iSerial<br />
#\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\####<br />
• 0064 = First Install (Win7 / 8)<br />
o Also found in setupapi.log / setupapi.dev.log<br />
• 0066 = Last Connected (Win8+ only)<br />
o Also \Enum\USB\VID_XXXX&PID_YYYY last write time of USB Serial # key<br />
o Also \MountPoints2\{GUID} last write time of key<br />
• 0067 = Last Removal (Win8+ only)<br />
USB First Time Device Connected Logs:<br />
XP: C:\Windows\setupapi.log<br />
Vista+: C:\Windows\inf\setupapi.dev.log<br />
Search for the device’s Serial # within these logs and you can discover the first time a device was plugged in<br />
to a computer.<br />
USBDeviceForensics is an application by WoanWare that can help automate all of these things.<br />
Miscellaneous Info:<br />
HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation<br />
HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName<br />
HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Shares<br />
• Display all open shares on a system<br />
HKLM\SYSTEM\CurrentControlSet\Control\FileSystem<br />
• Look for NtfsDisableLastAccessUpdate, which is set to 0x1 by default, which means that access<br />
time stamps are turned OFF by default<br />
HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces<br />
• Display interfaces and their associated IP address configuration (record the interface GUID!)<br />
Network Location Awareness (NLA) was included in Vista+, and aggregates the network information for a<br />
PC and generates a GUID to identify each network (a “network profile”, if you will). The Windows Firewall<br />
uses that information to apply firewall rules to the appropriate profile. You can find evidence of every<br />
network a machine has connected to using NLA registry keys.<br />
Check the last write time of a key to determine the last time a PC connected to a particular network.<br />
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList<br />
• \Signatures<br />
o \Unmanaged (record DefaultGatewayMac, DnsSuffix, FirstNetwork (SSID), ProfileGuid)<br />
o \Managed<br />
• \Nla<br />
o \Cache<br />
• Profiles<br />
Most info regarding NLA will be stored under the NetworkList key above, and also:<br />
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup<br />
Network Type, and First / Last Connected Times (find using the ProfileGuid key harvested from<br />
Signatures\Unmanaged):<br />
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}<br />
HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID} à (XP only, use last write time of<br />
the key to determine the last time the network was connected)<br />
0x06 = Wired<br />
0x17 = Broadband<br />
0x47 = Wireless<br />
You will also find DateCreated and DateLastConnected under this key. It’s 128-bit Windows System Time,<br />
and is stored in UTC.<br />
LNK File Analysis:<br />
C:\username\AppData\Roaming\Microsoft\Windows\Recent<br />
*Use TZWorks lp.exe utility!<br />
Jump Lists (like LNK files on steroids):<br />
C:\username\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations<br />
C:\username\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations<br />
*Use TZWorks jmp.exe utility!<br />
…remember, LNK files are actually embedded in the database structure in AutomaticDestinations<br />
Prefetcher and SuperFetch:<br />
• Prefetcher and SuperFetch are part of Windows' memory manager<br />
• Prefetcher is the less capable version included in Windows XP<br />
• Prefetcher was extended by SuperFetch and ReadyBoost in Windows Vista+<br />
• ReadyBoot replaces Prefetcher for the boot process if > 700MB RAM<br />
• Tries to make sure often-accessed data can be read from the fast RAM instead of slow HDD<br />
• Can speed up boot and shorten amount of time to start programs<br />
C:\Windows\Prefetch<br />
filename-hash(xxxxxxxx).pf<br />
Example: CALC.EXE-AC08706A.pf<br />
The hash is a hash of the file’s path. In this example, CALC.EXE is located in C:\Windows\System32. If it<br />
were copied to another location (like the Desktop) and executed, a new .pf file would be created reflecting a<br />
hash of the new path.<br />
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory<br />
Management\PrefetchParameters<br />
EnablePrefetcher Key:<br />
0 = Disabled<br />
1 = Application prefetching enabled<br />
2 = Boot prefetching enabled (default on Windows 2003 only)<br />
3 = Application and Boot prefetching enabled (default)<br />
• Task Scheduler calls Windows Disk Defragmenter every three (3) days<br />
• When idle, lists of files and directories referenced during boot process and application startups is<br />
processed<br />
• The processed result is stored in Layout.ini in the Prefetch directory, and is subsequently passed to<br />
the Disk Defragmenter, instructing it to re-order those files into sequential positions on the physical<br />
hard drive<br />
</pre></div>Marti