Digital forensics

Hardware forensics

STANDS4 Web Services - Synonyms API. OSForensics - Digital investigation for a new era by PassMark Software® Showing Evidence. Untitled. How I Cracked your Windows Password (Part 2) If you would like to read the first part in this article series please go to How I Cracked your Windows Password (Part 1).

How I Cracked your Windows Password (Part 2)

Introduction In the first part of this series we examined password hashes and the mechanisms Windows utilizes to create and store those values. We also touched upon the weaknesses of each method and possible avenues that can be used to crack those passwords. In the second and final article in this series I will actually walk you through the process of cracking passwords with different free tools and provide some tips for defending against having your password cracked. It is always crucial to note that the techniques shown here are strictly for educational purposes and should not be used against systems for which you do not have authorization.

Obtaining Password Hashes In order to crack passwords you must first obtain the hashes stored within the operating system. Physical Access If you are not quite comfortable doing this, you can use P. Console Access Network Access. Windows registry quick reference. Digital forensics method validation: draft guidance (second consultation) - Consultations. Users Guide · log2timeline/plaso Wiki. This page is work in progress.

Users Guide · log2timeline/plaso Wiki

How to get started First determine which version of plaso is most suitable to your needs; for more information see Releases and roadmap. SANS Computer, Digital Forensics, Incident Response Summit Archives. Windows Forensic Analysis DVD Toolkit - Harlan Carvey. Windows Forensic Analysis. Registry Analysis (Windows Forensic Analysis) Part 7. Finding Users Information about users is maintained in the Registry, in the SAM hive file.

Registry Analysis (Windows Forensic Analysis) Part 7

Under normal circumstances, this hive is not accessible, even to administrators, not without taking special steps to manually edit the access permissions on the hive. There’s a good reason for this: Although much of the Registry can be "messed with," there are areas of the Registry where minor changes can leave the system potentially unusable. The SAM file is one of those areas. Much of the useful information in the SAM hive is encoded in binary format, and fortunately, Peter Nordahl-Hagen’s sam.h C header file is extremely helpful in deciphering the structures and revealing something understandable. You can use the userdump.pl ProScript (v.0.31, 20060522, provided in the ch4\code\ProScripts directory on the media that accompanies this topic) to extract user and group membership information from the Registry Viewer in a ProDiscover project, once the Registry Viewer has been populated.

Are You Owned? DEFT Linux - Computer Forensics live CD. The Law Society of Scotland - Directory of Expert Witnesses. Experts and expert witnesses. This was an appeal by a claimant in a clinical negligence claim.

Experts and expert witnesses

The defendant was a general practitioner who treated the claimant’s son. Despite treatment, the son died and the claimant sought damages for psychiatric injury based on the defendant’s alleged negligence. The Medical Defence Union (MDU) was acting for the defendant and instructed an expert to report. CRCnetBASE. Untitled. DF marking form - Excellent - A thorough investigation and a very clearly structured, written and presented report.

untitled

Most significant evidence recovered - certainly enough to mount a prosecution. - Good - A reasonably thorough investigation and a very clearly structured, written and presented report. Significant evidence recovered - certainly enough to mount a prosecution. - Your recommendations for further investigation are also accurate. - Good to see you used software/techniques above and beyond those covered in the lectures. - You've clearly got to grips with the individual techniques as well as the overall investigative approach. - You've clearly got to grips with the individual techniques as well as the overall investigative approach, but you could have gone further in researching alternative/extra tools/techniques to use. Systematic Approach: Diskspace audit? SysKey and the SAM. The Security Accounts Manager The Security Accounts Manager, or SAM, has been used by Windows since the days of NT to store information on local user accounts (or, in the case of a domain controller, the accounts for all users on the domain).

SysKey and the SAM

It takes the form of a registry hive, and is stored in %WINDIR%\system32\config. Generally, two types of hash are stored in the SAM: the LanMan hash and the NT hash. The LanMan hash has many flaws: it is not salted, and is thus vulnerable to precomputed dictionary attacks such as rainbow tables. Partition types: List of partition identifiers for PCs. Below is a list of the known partition IDs (system indicators) of the various operating systems, file systems, boot managers, etc.

Partition types: List of partition identifiers for PCs

For the various systems, short descriptions are given in the cases where I have some info. There seem to be two other major such lists: Ralf Brown's (see interrupt list under Int 19) and Hale Landis', but the present one is more correct and more complete. (However, these two URLs are a valuable source for other information.) Sepero/SearchBin. DPATechInfo.

Network forensics

Rattlesnake. SQLite. Streaming media. Forensic visualization.