Extracting the Windows Clipboard from Physical Memory

When attempting to reconstruct the events leading up to a cyber security incident, one potentially important piece of information is the clipboard (Prosise et al., 2003). The clipboard has been present in Windows since Windows 3.1 and is the mechanism for transferring information from one application to another through copy and pasting actions. Being able to retrieve the last file copied or the last password used may provide investigators with invaluable information during a forensic investigation. This paper describes the Windows clipboard structure and the process of retrieving copy/paste information from Windows XP, Vista, and Windows 7 (both 32 bit and 64 bit) memory captures with data from applications including Notepad, Microsoft Word, and Microsoft Excel

Bulk extractor windows prefetch decoder

scan winprefetch is a C++ and thread-safe Windows prefetch scanner for the bulk extractor framework that decodes prefetch files. The decoder analyzes disk images for Windows prefetch files. At the completion of analyzing each prefetch file found on the disk image, a text file is created containing a XML output detailing all found prefetch files.Approved for public release; distribution is unlimited

Windows Driver Memory Analysis: A Reverse Engineering Methodology

In a digital forensics examination, the capture and analysis of volatile data provides significant information on the state of the computer at the time of seizure. Memory analysis is a premier method of discovering volatile digital forensic information. While much work has been done in extracting forensic artifacts from Windows kernel structures, less focus has been paid to extracting information from Windows drivers. There are two reasons for this: (1) source code for one version of the Windows kernel (but not associated drivers) is available for educational use and (2) drivers are generally called asynchronously and contain no exported functions. Therefore, finding the handful of driver functions of interest out of the thousands of candidates makes reverse code engineering problematic at best. Developing a methodology to minimize the effort of analyzing these drivers, finding the functions of interest, and extracting the data structures of interest is highly desirable. This paper provides two contributions. First, it describes a general methodology for reverse code engineering of Windows drivers memory structures. Second it applies the methodology to tcpip.sys, a Windows driver that controls network connectivity. The result is the extraction from tcpip.sys of the data structures needed to determine current network connections and listeners from the 32 and 64 bit versions of Windows Vista and Windows 7. Manipulation (DKOM), tcpip.sys, Windows 7, Windows Vista. 2000 MSC: 60, 490

Forensic acquisition of file systems with parallel processing of digital artifacts to generate an early case assessment report

A evolução da maneira como os seres humanos interagem e realizam tarefas rotineiras mudou nas últimas décadas e uma longa lista de atividades agora somente são possíveis com o uso de tecnologias da informação – entre essas pode-se destacar a aquisição de bens e serviços, gestão e operações de negócios e comunicações. Essas transformações são visíveis também em outras atividades menos legítimas, permitindo que crimes sejam cometidos através de meios digitais. Em linhas gerais, investigadores forenses trabalham buscando por indícios de ações criminais realizadas por meio de dispositivos digitais para finalmente, tentar identificar os autores, o nível do dano causado e a história atrás que possibilitou o crime. Na sua essência, essa atividade deve seguir normas estritas para garantir que as provas sejam admitidas em tribunal, mas quanto maior o número de novos artefatos e maior o volume de dispositivos de armazenamento disponíveis, maior o tempo necessário entre a identificação de um dispositivo de um suspeito e o momento em que o investigador começa a navegar no mar de informações alojadas no dispositivo. Esta pesquisa, tem como objetivo antecipar algumas etapas do EDRM através do uso do processamento em paralelo adjacente nas unidades de processamento (CPU) atuais para para traduzir multiplos artefactos forenses do sistema operativo Windows 10 e gerar um relatório com as informações mais cruciais sobre o dispositivo adquirido. Permitindo uma análise antecipada do caso (ECA) ao mesmo tempo em que uma aquisição completa do disco está em curso, desse modo causando um impacto mínimo no tempo geral de aquisição

Analysis of Windows 8 Registry Artifacts

Microsoft’s series of Windows operating systems represents some of the most commonly encountered technologies in the field of digital forensics. It is then fair to say that Microsoft’s design decisions greatly affect forensic efforts. Because of this, it is exceptionally important for the forensics community to keep abreast of new developments in the Windows product line. With each new release, the Windows operating system may present investigators with significant new artifacts to explore. Described by some as the heart of the Windows operating system, the Windows registry has been proven to contain many of these forensically interesting artifacts. Given the weight of Microsoft’s influence on digital forensics and the role of the registry within Windows operating systems, this thesis delves into the Windows 8 registry in the hopes of developing new Windows forensics utilities

How Virtualized Environments Affect Computer Forensics

Virtualized environments can make forensics investigation more difficult. Technological advances in virtualization tools essentially make removable media a PC that can be carried around in a pocket or around a neck. Running operating systems and applications this way leaves very little trace on the host system. This paper will explore all the newest methods for virtualized environments and the implications they have on the world of forensics. It will begin by describing and differentiating between software and hardware virtualization. It will then move on to explain the various methods used for server and desktop virtualization. Next, it will describe the fundamentals of a traditional forensic investigation and explain how virtualization affects this process. Finally, it will describe the common methods to find virtualization artifacts and identify virtual activities that affect the examination process. Keywords: Hardware-assisted, Hypervisor, Para-virtualization, Virtual Machine, virtualization, VMware, Moka5, MojoPac, Portable Virtual Privacy Machine, VirtualBox

Forensic examination and analysis of the Prefetch files on the banking Trojan malware incidents

Whenever a program runs within the operating system, there will be data or artefacts created on the system. This condition applies to the malicious software (malware). Although they intend to obscure their presence on the system with anti-forensic techniques, still they have to run on the victim’s system to acquire their objective. Modern malware creates a significant challenge to the digital forensic community since they are being designed to leave limited traces and misdirect the examiner. Therefore, every examiner should consider performing all the forensics approaches such as memory forensic, live-response and Windows file analysis in the related malware incidents to acquire all the potential evidence on a victim’s system. There is a challenge when an examiner only has an option to perform post-mortem forensic approach. It leads to a question: what is a forensic examination and analysis that available to obtain evidence in such incidents? The paper shows how the Prefetching process works on a system, common characteristics and the differences in the Prefetching process related to the various versions of Windows. Thus, the paper shows how the Prefetch files contain the evidentiary value which could answer what, how, where and when the banking Trojan malware infects the system. Finally, the paper shows that forensic examination and analysis of the Prefetch files can find the data remnants of banking Trojan malware incidents