Dear eForensics Readers!
We’ve just finished our special edition devoted to Windows & Mac Forensics. The main reason why this issue is so important is that iOS and Macs are in general becoming more and more popular nowadays. I would even say it is getting kind of mainstream… But why do people think that Apple’s OS is more secure than Windows? What is the difference between the two operating systems from a forensic investigator’s perspective? Let’s see!
In this issue we try to pinpoint the differences between Windows and Mac OS, of course as applied in the discipline of forensic science. We would also like to destroy the common myth that iOS is the most secure OS in the world. We believe this edition will be interesting for every forensicator. As usual, we collected the most practical articles on this subject and we trust you will find them useful.
Table of content
WINDOWS REGISTRY FORENSICS 101 by Jason Stradley
This article is meant to serve as a very basic introduction to the Windows Registry and its usefulness as a resource for certain types of forensic investigations. Windows 9x/ME, Windows CE and Windows NT/2000/XP/2003 store configuration data in a data structure called the Registry. The Windows Registry contains a great deal of information that is of potential evidential value or that helps forensic examiners with other aspects of their analysis. It is a central repository for configuration data, stored in a hierarchical manner.
HOW TO PERFORM FORENSIC ANALYSIS ON IOS OPERATING AND FILE SYSTEMS by Deivison Pinheiro Franco and Nágila Magalhães Cardoso
With the design of Apple’s iOS and the large amount of storage space available, records of emails, text messages, browsing history, chats, map searches and more are all being kept. Given the amount of information available to forensic analysts on iOS, this article covers the basics of accurately retrieving evidence from this platform and building a forensic analysis where applicable. Once the image has been obtained, whether logically, via backup or physically, files of interest are highlighted for the forensic examiner to review.
FOUR WINDOWS XP FORENSIC ANALYSIS TIPS & TRICKS by Davide Barbato
When conducting forensic analysis of a Windows XP system, some particular behaviors of the system must be taken into account; if they are not properly handled, they can lead to misleading conclusions.
WINDOWS MEMORY FORENSICS & MEMORY ACQUISITION by Dr Craig S. Wright, GSE, GSM, LLM, MStat
This article takes the reader through the process of imaging memory on a live Windows host. This is part one of a six part series and will introduce the reader to the topic before we go into the details of memory forensics. The first step in doing any memory forensics on a Windows host involves acquisition. If we do not have a sample of the memory image from a system we cannot analyze it. This sounds simple, but memory forensics is not like imaging an unmounted hard drive. Memory is powered and dynamic, and changes as we attempt to image it.
HOW TO DETECT A FILE WRITTEN TO A USB EXTERNAL DEVICE IN WINDOWS FROM THE MRU LISTS by Carlos Dias da Silva
Today one of a company’s principal assets is its digital information. That information can be used in many ways and can be copied by many different means. Knowing and controlling which files have been sent out of the company is a real problem nowadays, and no investment in keeping data secure is ever too small.
THE WINDOWS FORENSIC ENVIRONMENT by Brett Shavers
The Windows Forensic Environment, also known as Windows FE or WinFE, is a Windows operating system that can be booted from external media such as a CD, DVD, or USB flash drive. Windows FE is based on Windows PE, which is a minimal Windows operating system with limited services, used to prepare a computer for Windows installation, among other tasks related to Windows. The main, and of course most important, difference between Windows FE and Windows PE is that Windows FE boots a computer system forensically, that is, without automatically mounting or writing to the attached disks, whereas Windows PE does not.
INTRODUCTION TO WINDOWS FORENSICS USING PARABEN P2 COMMANDER by Dauda Sule, CISA
Microsoft Windows is the most widely used operating system for both business and personal use. Such popularity has made it one of the operating systems most targeted by malicious attackers. As a result, it is often used as a platform to access personal and workplace data, or even to commit policy breaches that assist in the commission of criminal acts. Investigations based on electronic evidence stand a very high chance of being carried out on a system running one version or another of Windows. It is therefore one of the most important operating systems that anyone going into the field of cyber forensics will need to know how to investigate.
HOW TO USE ENCRYPTED ITUNES BACKUPS FOR SMS HISTORY WITHOUT THE DEVICE OR JAILBREAKING by Gouthum Karadi, CISSP,CEH, MBA
Imagine it is late Friday afternoon at Forensics, Inc. and you get a call from ABC Corp, one of your top clients. It seems that ABC had competitor XYZ cornered and agreeing to submit to a deal before a timely lunch. Yet when talks resumed after the break, XYZ began to negotiate more fiercely. The opponent began to negotiate using not only the exact tactics that ABC had prepared for, but in some cases even the exact words. How could XYZ know what ABC was planning? Someone had to have leaked the internal talking-points memorandum the morning of the negotiation.
HOW TO PERFORM A BASIC AND FAST FORENSIC ANALYSIS ON MACINTOSH OPERATING SYSTEMS – A QUICK START GUIDE by Deivison Pinheiro Franco
Computer forensics is an area that is very Windows-centric. Many tools pay lip service to Apple’s Macintosh (Mac) platform, and others do not recognize it at all. The few Mac tools available are either expensive or inadequate. Regardless, an investigator needs to know what to look for and where to look. This article is intended to give investigators a brief outline of what the file system and structure of a Mac look like, basic criteria for what to look for, and some generalized locations for where to look. It is far from a comprehensive forensic manual for Macintosh computers, but it does attempt to give an examiner who is relatively comfortable with Windows environments a place to start learning about Mac forensics.
HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CASE STUDY IN SOCIAL ENGINEERING by Kevin M. Moker
Hacking? Why hack when you can trick someone far more easily than you can break into his or her computer? I am talking about social engineering (SE). SE, in the context of information security, is the ability to manipulate someone in order to steal certain information. Using SE you can steal credit card numbers or, better yet, someone’s login credentials. With no hacking involved, you will be able to reroute payroll funds from an employee’s account to another account before they even know the money is gone. However, with the right knowledge, a victim could thwart such an attack. Non-technical individuals should learn how to protect themselves online, and that starts with understanding what SE is and how it works.
WHAT TO EXPECT WHEN YOU’RE ENCRYPTING: CRYPTOGRAPHIC CHOICES FOR MAC AND WINDOWS by Eric Vanderburg
There are a variety of options for encrypting data whether you are a Macintosh or Windows user. Some products work for both platforms but Apple and Microsoft have also developed their own built-in products geared towards protecting your data from unauthorized access. These encryption choices are presented here so that you can protect your data no matter which system you want to use.
FORENSIC APPROACH TO ANALYSIS OF FILE TIMESTAMPS IN MICROSOFT WINDOWS OPERATING SYSTEMS AND NTFS FILE SYSTEM by Matveeva Vesta Sergeevna, Leading specialist in computer forensics, Group-IB company
File browsers display three timestamps for every file on an NTFS file system. Nowadays there are many utilities that manipulate these temporal attributes to conceal traces of file use. However, every file on NTFS has eight timestamps, stored in its file record in the MFT, and they can be used to detect that the attributes have been substituted. The author suggests a method of revealing the original timestamps after replacement, and an automated variant of it for a set of files.
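The eight timestamps the abstract refers to are the four FILETIME values in the $STANDARD_INFORMATION attribute (the ones Explorer and the Win32 API expose) and the four in the $FILE_NAME attribute, which user-mode tools such as SetFileTime do not touch. The following is an added example, not code from the article or its author: it builds a sample MFT FILE record in memory (constructed data, not read from a volume), applies the update-sequence fixups, pulls both sets of timestamps out and flags the two classic indicators of substitution. Attribute layouts are the standard on-disk ones; the record builder, the heuristic names and the sample dates are assumptions of this example.

```python
"""Parse $STANDARD_INFORMATION / $FILE_NAME timestamps from an NTFS MFT record
and flag substituted values. Added example; the FILE record is constructed
in memory and is not taken from a real disk."""
import struct
from datetime import datetime, timedelta, timezone

FIELDS = ("created", "modified", "mft_modified", "accessed")
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime(dt, hundred_ns=0):
    """64-bit FILETIME: 100 ns ticks since 1601-01-01 UTC, plus a sub-second part."""
    d = dt - _EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + hundred_ns


def filetime_to_dt(ft):
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def _resident_attr(atype, content):
    """Resident attribute: 24-byte header, then content, padded to 8 bytes."""
    total = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, 0, len(content), 24, 0, 0)
    return hdr + content + b"\0" * (total - 24 - len(content))


def build_record(name, si_times, fn_times):
    """Constructed 1024-byte FILE record with $SI (0x10), $FN (0x30) and a fixup array."""
    si = struct.pack("<4Q", *(si_times[k] for k in FIELDS)) + b"\0" * 16
    fn = struct.pack("<Q4QQQIIBB", 5 | (5 << 48), *(fn_times[k] for k in FIELDS),
                     0, 0, 0, 0, len(name), 1) + name.encode("utf-16-le")
    attrs = _resident_attr(0x10, si) + _resident_attr(0x30, fn) + b"\xff\xff\xff\xff\0\0\0\0"
    rec = bytearray(1024)
    # signature, USA offset/count, LSN, sequence, links, first attr offset, flags, used, allocated
    struct.pack_into("<4sHHQHHHHII", rec, 0, b"FILE", 48, 3, 0, 1, 1, 56, 1, 56 + len(attrs), 1024)
    rec[56:56 + len(attrs)] = attrs
    usn = b"\x01\x00"                      # update sequence number
    rec[48:50] = usn
    for i, end in enumerate((510, 1022), start=1):   # last 2 bytes of each 512-byte sector
        rec[48 + 2 * i:50 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)


def parse_record(raw):
    """Return {'name', 'si': {...}, 'fn': {...}} with raw FILETIME values."""
    rec = bytearray(raw)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):              # undo the update-sequence fixups first
        end = i * 512 - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    off = struct.unpack_from("<H", rec, 20)[0]
    out = {}
    while True:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF:
            break
        if rec[off + 8] == 0:                # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            c = bytes(rec[off + coff:off + coff + clen])
            if atype == 0x10:
                out["si"] = dict(zip(FIELDS, struct.unpack_from("<4Q", c, 0)))
            elif atype == 0x30 and "fn" not in out:   # first $FN only (8.3 and long name may both exist)
                out["fn"] = dict(zip(FIELDS, struct.unpack_from("<4Q", c, 8)))
                out["name"] = c[66:66 + 2 * c[64]].decode("utf-16-le")
        off += alen
    return out


def timestomp_indicators(si, fn):
    """Heuristics, not proof: each has a benign explanation noted inline."""
    hits = []
    for k in FIELDS:
        if si[k] % 10_000_000 == 0:
            # whole-second $SI value: SetFileTime-style tools write second granularity
            # (also seen on files copied from FAT media, which lacks sub-second precision)
            hits.append(f"$SI {k} has a zero sub-second part")
        if si[k] < fn[k]:
            # $FN is refreshed on rename/move, so this also occurs legitimately after a move
            hits.append(f"$SI {k} predates $FN {k}")
    return hits


def recover_original(si, fn):
    """Where the two attributes disagree, take $FN as the surviving original."""
    return {k: filetime_to_dt(fn[k] if si[k] != fn[k] else si[k]) for k in FIELDS}


def demo():
    """Sample scenario (constructed): a file created in 2013, $SI backdated to 2012-01-01."""
    real = filetime(datetime(2013, 5, 10, 9, 15, 22, tzinfo=timezone.utc), 4_412_345)
    fake = filetime(datetime(2012, 1, 1, tzinfo=timezone.utc))
    rec = parse_record(build_record("memo.docx", dict.fromkeys(FIELDS, fake), dict.fromkeys(FIELDS, real)))
    return rec, timestomp_indicators(rec["si"], rec["fn"]), recover_original(rec["si"], rec["fn"])


if __name__ == "__main__":
    r, hits, orig = demo()
    print(r["name"], *hits, sep="\n  ")
    print({k: v.isoformat() for k, v in orig.items()})
```

On a real volume the same parser is run over records read from the $MFT file (1024 bytes each on most systems); the fixup check is what catches a record torn by an interrupted write, and both heuristics should be confirmed against the $UsnJrnl or $LogFile before being reported as manipulation.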
WINDOWS FORENSICS AND SECURITY by Adrian Leon Mare
The world we live in today is a technologically advanced world. While on one hand, commercialization of IT (Information technology) revolutionized our modern day lifestyle, it has raised a big question mark about the confidentiality and privacy of the information shared and managed using advanced means of communication.