It would be great to have one tool that can tell us what a user has done on a computer, based on date!
Maybe we can start with this tool.
Name: LastActivityView by Nirsoft
URL: http://www.nirsoft.net/utils/computer_activity_view.htm
Description:
LastActivityView is a tool for the Windows operating system that collects information from various sources on a running system and displays a log of actions made by the user and events that occurred on the computer. The activity displayed by LastActivityView includes: running an .exe file, opening an open/save dialog box, opening a file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash, network connection/disconnection and more...
Tuesday, October 21, 2014
Windows OS: When was a File Deleted?
Can dates of file deletion be obtained? Yes, sometimes.
In a computer forensics examination dates are almost always going to be important. Every file on a modern Windows system has numerous dates, from the Created, Modified, Last Written, and Entry Modified dates in NTFS, to the dates in link files, registry entries, and folders.
“Was the file deleted before his resignation?”
“Was the file deleted before or after the data preservation order?”
“If the file was deleted on the 1st rather than the 31st, then that means there was a breach of a court order. Can you say when it was deleted?”
All of these questions are asking the same thing: “When was a file deleted?”
NTFS, the standard file system for Windows, does not record a deleted date; however, the recycle bin does. When a file is deleted via the recycle bin (i.e. when a user clicks delete for a file and it is placed in the recycle bin) the recycle bin keeps track of the deletion of the file – when it happened, how big the file was, and where it came from. This information is stored within the INFO2 file of that recycle bin.
Therefore if a file was deleted via the recycle bin the date of deletion can be recovered.
However, if it is not deleted via a recycle bin, this information is not recorded.
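As an added example (not from the linked posts), here is a small Python parser for the Windows 2000/XP INFO2 record layout: a 20-byte header whose fourth DWORD is the record length, then fixed-size records holding the original path, the record index and drive number (which together give the Dc1.ext name the file was renamed to inside the Recycler folder), the deletion time as a FILETIME, and the file size. The INFO2 image it parses is constructed inline for the demonstration; no real system is read.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 20    # version, two reserved DWORDs, record size, one more DWORD
RECORD_SIZE = 800   # Win2000/XP record: 260-byte ANSI path, 20 bytes of fields, 520-byte UTF-16 path
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):  # FILETIME = 100-ns ticks since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):  # inverse, used only to build the constructed sample
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_info2(data):
    """Return one dict per record: original path, deletion time (UTC), size, recycled name."""
    rec_size = struct.unpack_from("<I", data, 12)[0]  # header DWORD at offset 12 = record length
    records = []
    for off in range(HEADER_SIZE, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        # offset 260: record index, 264: drive number (0 = A:), 268: FILETIME, 276: physical size
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        path = rec[280:].decode("utf-16-le").split("\x00", 1)[0]
        if not path:  # 280-byte (Win9x) records carry only the ANSI path
            path = rec[:260].split(b"\x00", 1)[0].decode("latin-1")
        name = path.rsplit("\\", 1)[-1]
        ext = name[name.rfind("."):] if "." in name else ""
        records.append({"index": index, "original_path": path, "size": size,
                        "deleted_at": filetime_to_datetime(ft),
                        "recycled_name": "D%s%d%s" % (chr(ord("a") + drive), index, ext)})
    return records

def build_record(index, drive, deleted_at, size, path):
    """Constructed sample record (not taken from a real recycle bin) for exercising the parser."""
    ansi = path.encode("latin-1").ljust(260, b"\x00")
    fields = struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted_at), size)
    uni = path.encode("utf-16-le").ljust(520, b"\x00")
    return ansi + fields + uni

SAMPLE_INFO2 = (
    struct.pack("<IIIII", 5, 0, 0, RECORD_SIZE, 0)  # version-5 header; last DWORD unused here
    + build_record(1, 2, datetime(2014, 10, 1, 9, 30, tzinfo=timezone.utc), 18432,
                   r"C:\Users\alice\Documents\contract.docx")
    + build_record(2, 2, datetime(2014, 10, 3, 17, 5, 15, tzinfo=timezone.utc), 4096,
                   r"C:\Users\alice\Desktop\notes.txt")
)
```

Running `parse_info2` over a real INFO2 file read in binary mode yields the same dicts; the deletion time is in UTC and must be converted to the machine's time zone when matching it against a timeline.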
Source URL:
http://whereismydata.wordpress.com/2009/04/02/forensics-deleted-dates/
http://whereismydata.wordpress.com/2009/08/16/forensics-when-was-a-file-deleted-part-1/
http://whereismydata.wordpress.com/2009/08/17/forensics-when-was-a-file-deleted-part-2/
Wednesday, July 9, 2014
Windows Share Folder Auditing Setting
If you want to set up a Windows share folder auditing policy, check out this link: http://blog.windowsnt.lv/2011/11/15/tracking-user-activity-english/
Wednesday, June 4, 2014
Windows Registry Hives
A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data.
Most of the supporting files for the hives are in the %SystemRoot%\System32\Config directory. These files are updated each time a user logs on.
Registry hive                   Supporting files
HKEY_CURRENT_CONFIG             System, System.alt, System.log, System.sav
HKEY_CURRENT_USER               Ntuser.dat, Ntuser.dat.log
HKEY_LOCAL_MACHINE\SAM          Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security     Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software     Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System       System, System.alt, System.log, System.sav
HKEY_USERS\.DEFAULT             Default, Default.log, Default.sav
Detail URL: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724877%28v=vs.85%29.aspx
Thursday, May 22, 2014
Powershell: Get FQDN of local or remote computer
To get the FQDN of the local computer:
PS C:\> [System.Net.Dns]::GetHostByName($env:COMPUTERNAME)
To get the FQDN of a remote computer:
PS C:\> [System.Net.Dns]::GetHostByName("notebook01")
Note:
The System.Net.Dns class has a few other useful static methods for getting FQDN and IP address details. GetHostByName is marked obsolete in newer .NET versions; GetHostEntry is its replacement and takes the same host name argument.
Refer to http://msdn.microsoft.com/en-us/library/system.net.dns.aspx for more details. To list the available methods:
PS C:\> [System.Net.Dns] | Get-Member -Static
Friday, May 2, 2014
How to Use the Cipher Security Tool to Overwrite Deleted Data
To overwrite deleted data on a volume by using Cipher.exe, use the /w switch with the cipher command. Use the following steps:
- Quit all programs.
- Click Start, click Run, type cmd, and then press ENTER.
- Type cipher /w:driveletter:\foldername, and then press ENTER.
To overwrite deleted data on the C: volume:
C:\Users\user_name> cipher /w:C:\
To overwrite deleted data on a folder:
C:\Users\user_name> cipher /w:C:\your_folder_name
Note: Specify the drive and the folder that identifies the volume that contains the deleted data that you want to overwrite. Only data that is not allocated to files or folders is overwritten, so existing files are untouched, but the previously deleted data is permanently removed. This can take a long time if you are overwriting a large space.
Detail URL: http://support.microsoft.com/kb/315672
Wednesday, April 2, 2014
Microsoft Outlook temporary OLK folder
Where does Microsoft Outlook create its temporary folder, or store temporary data such as attachments?
Depending on the operating system, the version of Outlook, and the user logged in, the OLK temporary folder is created in a different place. To find where it has been created, open the Windows registry using regedt32.exe and look under the key for your Outlook version in the map below:
Outlook 97: HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Outlook\Security
Outlook 98: HKEY_CURRENT_USER\Software\Microsoft\Office\8.5\Outlook\Security
Outlook 2000: HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security
Outlook 2002/XP: HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security
Outlook 2003: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security
Outlook 2007: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security
Background:
When you open file attachments that are considered safe, Outlook places these attachments in a subdirectory under your Temporary Internet Files directory as an extra precaution. When Outlook first tries to use a temporary file, it examines the registry to determine whether the temporary OLK folder has already been created. If yes, it uses that folder. If no, it creates a randomly named folder and then stores the path in the registry location mentioned above.
Detail URL: http://www.hancockcomputertech.com/blog/2010/01/06/find-the-microsoft-outlook-temporary-olk-folder/