
DEFT Linux - Computer Forensics live CD


Registry Analysis (Windows Forensic Analysis) Part 7

Finding Users

Information about users is maintained in the Registry, in the SAM hive file. Under normal circumstances, this hive is not accessible, even to administrators, not without taking special steps to manually edit the access permissions on the hive. There's a good reason for this: Although much of the Registry can be "messed with," there are areas of the Registry where minor changes can leave the system potentially unusable.

Much of the useful information in the SAM hive is encoded in binary format, and fortunately, Peter Nordahl-Hagen's sam.h C header file is extremely helpful in deciphering the structures and revealing something understandable. You can use the userdump.pl ProScript (v.0.31, 20060522, provided in the ch4\code\ProScripts directory on the media that accompanies this topic) to extract user and group membership information from the Registry Viewer in a ProDiscover project, once the Registry Viewer has been populated.

Tracking User Activity

The UserAssist Keys

CAINE Live CD - computer forensics digital forensics

Matriux - The Security-Oriented Open Source Distribution for Ethical Hackers and Pentesters

Users Guide · log2timeline/plaso Wiki

This page is work in progress.

How to get started

First determine which version of plaso is most suitable to your needs; for more information see Releases and roadmap.

Installing the packaged release

To install the packaged release see:

Before we start

Please report all discovered bugs to

To follow announcements from the plaso team, send in generic inquiries or discuss the tool, please subscribe to the log2timeline-discuss mailing list or join the G+ community.

I know the good old Perl version

If you are one of those people who liked the old Perl version of log2timeline but really would like to switch use all the nifty features of the Python version.

The tools

Though plaso was initially created to replace the Perl version of log2timeline, its focus has shifted from a stand-alone tool to a set of modules that can be used in various use cases.

image_export
log2timeline
pinfo
preg - preg is a command line tool to analyze Windows Registry files.
psort

Linux LEO

How I Cracked your Windows Password (Part 2)

If you would like to read the first part in this article series please go to How I Cracked your Windows Password (Part 1).

Introduction

In the first part of this series we examined password hashes and the mechanisms Windows utilizes to create and store those values. We also touched upon the weaknesses of each method and possible avenues that can be used to crack those passwords. In the second and final article in this series I will actually walk you through the process of cracking passwords with different free tools and provide some tips for defending against having your password cracked. It is always crucial to note that the techniques shown here are strictly for educational purposes and should not be used against systems for which you do not have authorization.

Obtaining Password Hashes

In order to crack passwords you must first obtain the hashes stored within the operating system.

Physical Access

If you are not quite comfortable doing this, you can use P.

Console Access

Network Access

penguinsleuth.org - Home

Experts and expert witnesses

This was an appeal by a claimant in a clinical negligence claim. The defendant was a general practitioner who treated the claimant's son. Despite treatment, the son died and the claimant sought damages for psychiatric injury based on the defendant's alleged negligence. The Court of Appeal said that a conflict of interest does not automatically disqualify an expert from giving evidence. However, in rejecting the appeal, the Court of Appeal said the practice of the Cases Committee of the MDU to exclude an expert involved in the litigation from discussions about the case meant that membership of the Committee would not automatically disqualify that expert from being an expert witness.

Guidance for experts

The Court of Appeal then went on to consider what should happen in any similar future situation. 'The expert should not leave undisclosed any conflict of interest which might bring into question the suitability of his evidence as the basis for the court's decision.'

untitled DF marking form

- Excellent - "A thorough investigation and a very clearly structured, written and presented report. Most significant evidence recovered - certainly enough to mount a prosecution."
- Good - "A reasonably thorough investigation and a very clearly structured, written and presented report."
- "Your recommendations for further investigation are also accurate."
- "Good to see you used software/techniques above and beyond those covered in the lectures."
- "You've clearly got to grips with the individual techniques as well as the overall investigative approach."
- "You've clearly got to grips with the individual techniques as well as the overall investigative approach, but you could have gone further in researching alternative/extra tools/techniques to use."

Systematic Approach:
- Diskspace audit? - ok
- Looked for installed software?
- Looked for user accounts?
- Looked for recent activity? - ok

SysKey and the SAM

The Security Accounts Manager

The Security Accounts Manager, or SAM, has been used by Windows since the days of NT to store information on local user accounts (or, in the case of a domain controller, the accounts for all users on the domain). It takes the form of a registry hive, and is stored in %WINDIR%\system32\config. Generally, two types of hash are stored in the SAM: the LanMan hash and the NT hash. The LanMan hash has many flaws: It is not salted, and is thus vulnerable to precomputed dictionary attacks such as rainbow tables. The NT hash, by contrast, is simply the MD4 hash of the password (encoded as UTF-16 little endian).

The SAM before Windows 2000

In the registry, the hashes for each user are stored under SAM\SAM\Domains\Account\Users\[RID], where RID is the numeric user ID of the user as an 8 digit hex string.

    hash_offset = unpack("<L", V[0x9c:0xA0])[0] + 0xCC
    name_offset = unpack("<L", V[0x0c:0x10])[0] + 0xCC
    name_length = unpack("<L", V[0x10:0x14])[0]

SysKey

    aqwerty = "!
