Document: 网络犯罪侦察技术4课程.ppt (Cybercrime Investigative Techniques, Lesson 4 course slides)

Format: ppt   Size: 336 KB   Pages: 30
Uploaded by: phl808, 2017/7/7
Cyber-crime investigative techniques
LIN YING
******@ynu.
Chapter 4: Investigating Windows Systems
Outline
Understand some of the methods used to investigate Windows systems, so that illegal and unauthorized activity can be confirmed
– know where data can be found on a Windows system
– know how to investigate a Windows system
Where data is stored on a Windows system
Where to look?
The core
Slack space
Free and unallocated space
The logical file system
The event logs
The registry
Application logs

Special application-level files
Temporary files
Recycle Bin
Printer spooler cache
E-mail files, such as Outlook .pst files and AOL mail .ost files
During an investigation you may have to examine every location listed above, which is a complicated process. This chapter introduces a basic framework for doing so.
Performing a Windows Investigation

Steps
Examine all relevant logs
Perform keyword searches
Examine relevant files
Identify unauthorized users and user groups
Identify malicious processes and services
Search for abnormal or hidden files and folders
Examine unauthorized access points
Examine Windows scheduled jobs
Analyze trust relationships
Examine SIDs
Examine all relevant logs
Windows NT/2000/XP include three separate log files:
System log
Application log
Security log
By checking these three logs we can obtain the following information:
• identify which user accessed a specific file
• identify users who logged in to the system successfully or unsuccessfully
• identify the status of specific programs
• track changes to the audit policy
• trace changes to users' privileges
On a live system, the local host's audit logs can be accessed through Event Viewer.
The event ID and its description give the details of what was audited on the system.
– Windows 2000 event IDs: dows2000/techinfo/reskit/ErrorandEventMessages/
– Windows XP event IDs: hnet/treeview/?url=//prodtechn
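As an added example that is not part of the course slides, the PowerShell script below pulls the Security log categories the slides describe (successful and failed logons, audit policy changes, privilege and account changes) with Get-WinEvent. It assumes Windows Vista or later, where Get-WinEvent exists and the four-digit event IDs apply; the Windows 2000/XP IDs the slides link to differ (for example 528/529 for logons and 612 for audit policy changes).

```powershell
# Added example, not from the slides: summarise Security log events relevant to a
# Windows investigation. Assumes an elevated session that can read the Security log.
param(
    [int]$Days = 7,
    [string]$Computer = $env:COMPUTERNAME
)

# Event IDs (Windows Vista and later) grouped by the question the slides say the logs answer
$Categories = @{
    'Successful logon'     = 4624
    'Failed logon'         = 4625
    'Audit policy changed' = 4719
    'Privileges assigned'  = 4672
    'User account created' = 4720
    'User added to group'  = 4732
}

$Since  = (Get-Date).AddDays(-$Days)
$Filter = @{ LogName = 'Security'; Id = [int[]]$Categories.Values; StartTime = $Since }

$Events = Get-WinEvent -ComputerName $Computer -FilterHashtable $Filter -ErrorAction SilentlyContinue

# Overview: how many events of each category occurred in the window
foreach ($Name in $Categories.Keys) {
    $Id    = $Categories[$Name]
    $Count = @($Events | Where-Object Id -eq $Id).Count
    '{0,-22} (ID {1}): {2}' -f $Name, $Id, $Count
}

# Failed logons grouped by target account; a spike against one account deserves a closer look.
# In the 4625 event schema Properties[5] is TargetUserName and Properties[19] is IpAddress.
$Events | Where-Object Id -eq 4625 |
    ForEach-Object {
        [pscustomobject]@{ Account = $_.Properties[5].Value; Source = $_.Properties[19].Value }
    } |
    Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 | Format-Table -AutoSize

# Audit policy changes are reviewed individually, since auditing being turned off
# is itself a finding. Properties[1] is SubjectUserName in the 4719 schema.
$Events | Where-Object Id -eq 4719 |
    Select-Object TimeCreated, @{ n = 'Subject'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize
```

Run it with `-Days` and `-Computer` as needed; on a system where auditing of logon or policy events is disabled the corresponding counts will simply be zero, which is worth noting in the investigation record.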