DIGITAL FORENSICS:How To Check If Someone Else Is Using Your Computer

DIGITAL FORENSICS:How To Check If Someone Else Is Using Your Computer

This is another digital forensics image that was prepared to cover a full Windows Forensics course.

System Image: here

Forensic Artifacts

Windows Logon Events  วิธีการเช็ค Logon events

Windows  will automatically annotate a login every time one occurs. This means that each time you log in, the time and date is tracked and noted for you to see. 

Export Event security.evtx ('c:/Windows/System32/Winevt/logs/Security.evtx)

Event ID: 4608 Windows is starting up 21-6-2016 6:40

Event ID: 4624 An account was successfully logged on. 21-6-2016 8:07

Event ID: 4672 Special privileges assigned to new logon 21-6-2016 8:07

Event ID: 4616 The system time was changed. 21-6-2016 7:58

Event ID: 6013 The system uptime is <number> seconds. 21-6-2016 8:41

Anonymous Logon / Null

Program execution artifacts

Program execution artifacts indicate programs or applications that were run on the system. The user could cause the execution, or it could be an autostart/run event managed by the system. Some categories overlap with the file knowledge category we discussed earlier in the chapter. I am not going to re-examine those specific artifacts in this section. Just be aware that the artifacts from recent apps, JumpLists, an MRU, and prefetch files will also contain information about program/application activity. 

Prefetch  Windows Prefetch files, are designed to speed up the application startup process. The Prefetch files are stored into the path

 %windir%\Prefetch

and contains the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run.

Export *.pf file 

Last Run Time CCLEANER.exe  21-6-2016 12:28

Browser History & Web Search เช็คประวัติบราวเซอร์

Google Chrome, Firefox, and Edge all have a way of allowing you to see your search history. You can usually find it in the Settings, whichever icon that may be, toward the top-right of the screen. Click on it and locate History, then backtrack through it to see if you can notice any inconsistencies. Look for unfamiliar websites as they can be a classic sign that someone else has been accessing your computer.

Web Search 21-6-2016 15:53 "Skype" , 21-6-2016 16:29"kitties"

Recent Activities เช็คเปิดใช้ไฟล์ล่าสุด

Status checks on specific files and folders is a great way to determine if unauthorized users have been accessing your computer.

อ่านเพิ่มเติม : How to Determine the Last Shutdown Time and Date in Windows

                 LastActivityView , Windows artifacts

                     Forensic Artifacts: evidences of program execution on Windows systems

ที่มา: ultimatewindowssecurity

         Digital Forensic Challenge Images (Datasets)

หมายเหตุ:เนื้อหาในเว็บไซต์นี้มีขึ้นเพื่อวัตถุประสงค์ในการให้ข้อมูลและเพื่อการศึกษาเท่านั้น

* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย  รบกวนแจ้ง Admin เพื่อแก้ไขต่อไป
ขอบคุณครับ

#WindowsForensic #computerforensic #ComputerForensics #dfir #forensics #digitalforensics #investigation #cybercrime #fraud