Friday, October 28, 2011

Scripting and Programming for Forensics Examiners

It is a good skill set to learn some scripting and programming language to speed up your Digital Forensics work and investigations.

I know there are tools available out there to help you. However, you need to go deep, under the hood, to understand what is going on.

You can start with Python if you like :)
http://www.python.org

A pure Python interface for parsing and reading Windows Registry files:
http://www.williballenthin.com/registry
python-registry was originally written by Willi Ballenthin.

or VBScript:
http://msdn.microsoft.com/en-us/library/t0aew7h6%28v=VS.85%29.aspx

Investigating and Validating Email Address Sources

The links below will teach you:

How to trace the source of an email from the most popular email service providers and applications:
http://www.onimoto.com/cache/50.html
http://www.visualware.com/resources/tutorials/email.html
http://www.howtogeek.com/108205/htg-explains-what-can-you-find-in-an-email-header/

Validating the email address source:
http://centralops.net/co/EmailDossier.aspx

Free online email header tracing:
http://www.ip-address.org/tracker/trace-email.php
http://www.traceemail.com/trace-email-header.html
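The header-tracing tutorials above all come down to reading the Received: lines bottom-up. Here is an added example (my own code, not from any of the linked sites) that parses a constructed message with Python's standard email module and lists the hops oldest first; the only hop you can trust is the one added by a server you control, because everything below it can be forged by the sender.

```python
"""Added example (not from the linked tutorials): walk the Received: chain
of an e-mail to reconstruct the path a message took, oldest hop first."""
import email
import re
from typing import Dict, List, Optional

# Constructed sample message; every host name and address here is made up.
RAW_MESSAGE = b"""Received: from mx2.example.net (mx2.example.net [203.0.113.5])
\tby mail.example.org with ESMTP id 7Ab3; Fri, 28 Oct 2011 10:02:11 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx2.example.net with ESMTP; Fri, 28 Oct 2011 10:02:05 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay.example.com with ESMTPA; Fri, 28 Oct 2011 10:01:58 +0000
From: sender@example.com
To: examiner@example.org
Subject: test
Message-ID: <abc@example.com>

body
"""

# "from <helo> (<rdns> [<ip>]) by <host>" is the shape most mail servers emit;
# the parenthesised part is optional, so the regex tolerates its absence.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s*\((?P<rdns>[^\[\)]*)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
    r".*?by\s+(?P<by>\S+)",
    re.S,
)


def received_chain(raw: bytes) -> List[Dict[str, Optional[str]]]:
    """Return hops oldest-first (each server prepends its header, so reverse)."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        # Collapse folded continuation lines into single spaces before matching.
        m = HOP_RE.search(" ".join(str(value).split()))
        if m:
            hops.append({k: (v.strip() if v else None) for k, v in m.groupdict().items()})
    return hops


def origin_ip(raw: bytes) -> Optional[str]:
    """IP recorded in the earliest hop: the best clue to the submitting host.
    Treat it as a lead, not proof; only hops written by trusted servers are reliable."""
    chain = received_chain(raw)
    return chain[0]["ip"] if chain else None
```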

Tuesday, October 25, 2011

Processing PST Files

Remember that before you process PST files, make sure that none of them are password protected. Otherwise you will miss important data.

One nice free tool to recover the password:
http://www.nirsoft.net/utils/pst_password.html

How is the password saved in the PST file?
http://www.nirsoft.net/articles/pst_password_bug.html

Detecting a Password Protected PST:
http://blogs.msdn.com/b/stephen_griffin/archive/2009/02/17/detecting-a-password-protected-pst.aspx

Outlook Personal Folders (.pst) File Format:
http://msdn.microsoft.com/en-us/library/ff385210%28v=office.12%29.aspx
"4.2 Strength of PST Password
The PST Password, which is stored as a property value in the Message store, is a superficial mechanism that requires the client implementation to enforce the stored password. Because the password itself is not used as a key to the encoding and decoding cipher algorithms, it does not provide any security benefit to preventing the PST data to be read by unauthorized parties.
Moreover, the password is stored as a CRC-32 hash of the original password string, which is prone to collisions and is relatively weak against a brute-force approach."

Wednesday, October 19, 2011

Tracing MAC Address Manufacturer

You only need to enter the first six hexadecimal digits of any MAC address to get the manufacturer. Most of the common formats are supported: 00e0cf or 00:e0:cf or 00e0.cfe2.acd1 or 00-e0-cf or 00 E0 CF would all be interpreted as 00e0cf.

http://curreedy.com/stu/nic/
http://www.coffer.com/mac_find/
https://db.uga.edu/network/public/vendorcode.cgi
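The lookup sites above only want the six-digit OUI, so the first step of any bulk lookup is normalising whatever notation the evidence uses. This is an added example (my own code, not from any of those sites) that does that normalisation and also checks the locally-administered bit, which the page does not mention: when bit 1 of the first octet is set the address was assigned by software (randomised or changed), so a vendor lookup on it tells you nothing. The vendor table is a constructed stand-in for the real IEEE registry.

```python
"""Added example (not from the linked lookup sites): reduce the common ways a
MAC address is written to the six-hex-digit OUI prefix the lookups expect."""
import re
from typing import Optional

# Constructed vendor table for the demo; a real lookup uses the IEEE OUI registry.
OUI_TABLE = {"00e0cf": "Example Vendor A", "001122": "Example Vendor B"}


def oui_prefix(mac: str) -> str:
    """Return the lowercase 6-hex-digit OUI for any common MAC notation.
    Accepts 00e0cf, 00:e0:cf, 00-e0-cf, 00 E0 CF, 00e0.cfe2.acd1 and the
    full 12-digit forms; raises ValueError for anything that is not a MAC."""
    digits = re.sub(r"[\s:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{6}|[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address or OUI: {mac!r}")
    return digits[:6]


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was assigned locally by
    software rather than burned in by the manufacturer."""
    return bool(int(oui_prefix(mac)[:2], 16) & 0x02)


def lookup_vendor(mac: str) -> Optional[str]:
    """Vendor name for the OUI, or None when unknown or locally administered."""
    prefix = oui_prefix(mac)
    if is_locally_administered(mac):
        return None
    return OUI_TABLE.get(prefix)
```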

Monday, October 17, 2011

Windows Event Logs Location

Where to find the event logs:

Windows OS version: NT/ Win2000/ XP/ Server 2003
Filetype: *.evt
Folder: %SystemRoot%\System32\config
Filename: SecEvent.evt, AppEvent.evt, SysEvent.evt

Windows OS version: Vista/ Win7 / Win8 / 2008/ 2012/ Win10/ 2016
Filetype: *.evtx
Folder: %SystemRoot%\System32\winevt\logs\
Filename: Security.evtx, Application.evtx, System.evtx

Windows 7 Computer Forensics

Here are some nice links to learn about Windows 7 Forensics. Enjoy :)!

http://computer-forensics.sans.org/blog/2009/10/27/windows-7-computer-forensics

http://computer-forensics.sans.org/blog/2011/07/05/shellbags

http://computer-forensics.sans.org/blog/2009/09/09/computer-forensic-guide-to-profiling-usb-thumbdrives-on-win7-vista-and-xp

Monday, October 10, 2011

EnCase EnScript

Here are some good EnCase EnScript references that you can learn from.

http://www.forensickb.com

Friday, October 7, 2011

The Definitions:

You can quickly get the definitions from Wikipedia, the free encyclopedia :).

Digital Forensics:
"Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data."
URL: http://en.wikipedia.org/wiki/Digital_forensics

Computer Forensics:
"Computer forensics (sometimes known as computer forensic science) is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information."
URL: http://en.wikipedia.org/wiki/Computer_forensics

Digital Forensic Science:
"The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations."
URL: http://www.dfrws.org/2001/dfrws-rm-final.pdf

Computer Forensics:
"Computer forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law."
URL: http://www.us-cert.gov/reading_room/forensics.pdf

Note: You can find more definition references in the Google search results. Try it!

Based on my experience, the terms below are very important in the definition of Digital Forensics or Computer Forensics:
  1. Identification
  2. Preservation
  3. Validation
  4. Recovery
  5. Analysis
  6. Presentation

Hello World!

This blog will focus on Digital Forensics. I hope that I will keep on updating it. All the best to me :). You can do it!