
Showing posts from October, 2007

Windows Forensics and Incident Recovery

Notes

Windows Event Log

- Clearing the Security Event Log generates event ID 517.

- Stealing information via a USB drive may generate event ID 134 ("Removable Storage Service"). If the logs have been cleared, check the HKEY_LOCAL_MACHINE\System\MountedDevices Registry key; right-clicking these entries may show "RemoveableMedia".

- Logon events: http://support.microsoft.com/default.aspx?kbid=174073

- Logon types: http://support.microsoft.com/default.aspx?scid=kb;en-us;140714

- More security events: http://support.microsoft.com/kb/174074/

CMD Line History

- doskey /history, or the RunMRU registry key

File Associations

- C:\>assoc lists every file association; C:\>assoc .exe ---> .exe=exefile

- C:\>ftype exefile ---> exefile="%1" %* ; this shows the variables used at runtime and should match the value in HKEY_CLASSES_ROOT\exefile\shell\open\command

- If this value has been modified by malware, use C:\>ftype exefile="%1" %* to change it back

Hidden Fil…