Wednesday, February 22, 2023

DIGITAL FORENSICS:How To Check If Someone Else Is Using Your Computer

DIGITAL FORENSICS:How To Check If Someone Else Is Using Your Computer

This is another digital forensics image that was prepared to cover a full Windows Forensics course.

System Image: here

Forensic Artifacts

Windows Logon Events  วิธีการเช็ค Logon events

Windows  will automatically annotate a login every time one occurs. This means that each time you log in, the time and date is tracked and noted for you to see. 

Export Security event
Export Event security.evtx ('c:/Windows/System32/Winevt/logs/Security.evtx)
Export Security event

Event ID: 4608 Windows is starting up 21-6-2016 6:40


Event ID: 4624 An account was successfully logged on. 21-6-2016 8:07

Windows Logon Events 4624

Event ID: 4672 Special privileges assigned to new logon 21-6-2016 8:07

Event ID: 4672 Special privileges assigned to new logon

Event ID: 4616 The system time was changed. 21-6-2016 7:58

Event ID: 6013 The system uptime is <number> seconds. 21-6-2016 8:41

The system uptime is <number> seconds.


Anonymous Logon / Null



Program execution artifacts

Program execution artifacts indicate programs or applications that were run on the system. The user could cause the execution, or it could be an autostart/run event managed by the system. Some categories overlap with the file knowledge category we discussed earlier in the chapter. I am not going to re-examine those specific artifacts in this section. Just be aware that the artifacts from recent apps, JumpLists, an MRU, and prefetch files will also contain information about program/application activity. 

Program execution artifacts

Prefetch  Windows Prefetch files, are designed to speed up the application startup process. The Prefetch files are stored into the path

 %windir%\Prefetch

and contains the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run.

Prefetch
Export *.pf file 
Prefetch
Last Run Time CCLEANER.exe  21-6-2016 12:28

Prefetch

Browser History & Web Search เช็คประวัติบราวเซอร์

Google Chrome, Firefox, and Edge all have a way of allowing you to see your search history. You can usually find it in the Settings, whichever icon that may be, toward the top-right of the screen. Click on it and locate History, then backtrack through it to see if you can notice any inconsistencies. Look for unfamiliar websites as they can be a classic sign that someone else has been accessing your computer.

Web Search 21-6-2016 15:53 "Skype" , 21-6-2016 16:29"kitties"

Browser History

Browser History

Recent Activities เช็คเปิดใช้ไฟล์ล่าสุด

Status checks on specific files and folders is a great way to determine if unauthorized users have been accessing your computer.

How To Check If Someone Else Is Using Your Computer

วิธีตรวจสอบว่ามีคนอื่นใช้คอมพิวเตอร์ของคุณหรือไม่

อ่านเพิ่มเติม : How to Determine the Last Shutdown Time and Date in Windows

                 LastActivityView , 


ที่มา: ultimatewindowssecurity

         Digital Forensic Challenge Images (Datasets)


หมายเหตุ:เนื้อหาในเว็บไซต์นี้มีขึ้นเพื่อวัตถุประสงค์ในการให้ข้อมูลและเพื่อการศึกษาเท่านั้น

* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย  รบกวนแจ้ง Admin เพื่อแก้ไขต่อไป
ขอบคุณครับ

#WindowsForensic #computerforensic #ComputerForensics #dfir #forensics #digitalforensics #investigation #cybercrime #fraud

No comments:

Post a Comment

Digital Forensics:CDIC2024

Digital Forensics:CDIC2024    งานสัมมนาประจำปีด้านความมั่นคงปลอดภัยไซเบอร์  27-28 พฤศจิกายน 2567 ณ Grand Hall ไบเทค บางนา วันนี้แอดแวะมางาน ...