Document name: 网络犯罪侦察技术4.ppt (Cyber-crime Investigative Techniques 4)

Format: ppt   Pages: 30


Uploader: xxj16588   2016/7/10   File size: 0 KB


Document description

Slide 1: Cyber-crime Investigative Techniques. LIN YING, ******@ynu.

Slide 2: Chapter 4, Investigating Windows Systems. Outline: understand some of the methods used to investigate a Windows system so that illegal and unauthorized activity can be validated.
- Know where data can be found on a Windows system
- Know how to investigate a Windows system

Slide 3: Where data is stored on a Windows system. Where to look:
- The core
- Slack space
- Free and unallocated space
- Logical file system
- The event logs
- The Registry
- Application logs

Slide 4: Special application-level documents: temporary files, the Recycle Bin, the printer spooler cache, e-mail stores such as Outlook .pst files and AOL Mail .ost files.
During an investigation you may have to examine every location listed above, which is a complicated process. This chapter introduces a basic framework for doing so.

Slide 5: Executing a Windows investigation. Steps:
- Examine every associated log
- Perform keyword searches
- Examine associated files
- Identify unauthorized users and user groups
- Identify malicious processes and services
- Search for abnormal or hidden files and folders
- Examine unauthorized access points
- Examine Windows scheduled jobs
- Analyze trust relationships
- Examine SIDs

Slide 6: Examine every associated log. Windows NT/2000/XP keep three separate log files:
- System log
- Application log
- Security log

Slide 7: Checking these three logs yields the following information:
- Which user accessed a specific file
- Which users successfully or unsuccessfully logged in to the system
- The status of specific programs
- Changes to the audit policy
- Changes to users' privileges

Slide 8: On a live system, the audit log of the local host can be accessed with Event Viewer. The event ID and its description give the details of what was audited on the system.
- Windows 2000 event IDs: dows2000/ techinfo/reskit/ErrorandEventMessages /defa