DIGITAL FORENSICS:How To Check If Someone Else Is Using Your Computer
This is another digital forensics image that was prepared to cover a full Windows Forensics course.
System Image: here
Forensic Artifacts
Windows Logon Events วิธีการเช็ค Logon events
Windows will automatically annotate a login every time one occurs. This means that each time you log in, the time and date is tracked and noted for you to see.
Export Event security.evtx ('c:/Windows/System32/Winevt/logs/Security.evtx)Event ID: 4672 Special privileges assigned to new logon 21-6-2016 8:07
Event ID: 6013 The system uptime is <number> seconds. 21-6-2016 8:41
Program execution artifacts
Program execution artifacts indicate programs or applications that were run on the system. The user could cause the execution, or it could be an autostart/run event managed by the system. Some categories overlap with the file knowledge category we discussed earlier in the chapter. I am not going to re-examine those specific artifacts in this section. Just be aware that the artifacts from recent apps, JumpLists, an MRU, and prefetch files will also contain information about program/application activity.
Prefetch Windows Prefetch files, are designed to speed up the application startup process. The Prefetch files are stored into the path
%windir%\Prefetch
and contains the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run.
Export *.pf fileBrowser History & Web Search เช็คประวัติบราวเซอร์
Google Chrome, Firefox, and Edge all have a way of allowing you to see your search history. You can usually find it in the Settings, whichever icon that may be, toward the top-right of the screen. Click on it and locate History, then backtrack through it to see if you can notice any inconsistencies. Look for unfamiliar websites as they can be a classic sign that someone else has been accessing your computer.
Web Search 21-6-2016 15:53 "Skype" , 21-6-2016 16:29"kitties"
Recent Activities เช็คเปิดใช้ไฟล์ล่าสุด
Status checks on specific files and folders is a great way to determine if unauthorized users have been accessing your computer.
วิธีตรวจสอบว่ามีคนอื่นใช้คอมพิวเตอร์ของคุณหรือไม่
อ่านเพิ่มเติม : How to Determine the Last Shutdown Time and Date in Windows
LastActivityView , Windows artifacts
ที่มา: ultimatewindowssecurity
Digital Forensic Challenge Images (Datasets)
หมายเหตุ:เนื้อหาในเว็บไซต์นี้มีขึ้นเพื่อวัตถุประสงค์ในการให้ข้อมูลและเพื่อการศึกษาเท่านั้น
* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย รบกวนแจ้ง Admin เพื่อแก้ไขต่อไป
ขอบคุณครับ
#WindowsForensic #computerforensic #ComputerForensics #dfir #forensics #digitalforensics #investigation #cybercrime #fraud
No comments:
Post a Comment