网络犯罪侦察技术4.pptVIP

* linying@ linying@ * Cyber-crime investigative techniques LIN YING linying@ * Chapter4 Investigate Windows System Outline Understanding some of the methods used to investigate Windows system, so can validate some illegal and unauthorized activities – know where we can find the data in windows system – know how to investigate the windows system linying@ * The position where the data stored in windows system Where to find? The core Space debris Leisure and unallocated space Logic File System The event log Register Application log Pagefile.sys linying@ * Special application-level document temporary files Recycled Printers ‘s Spooler cache E-mail documents, such as the outlook. Pst file, aol mail. Ost documents In the process of investigation, maybe you have to investigate in every position introduced above, and this will be a very complicate process. In this chapter, we will introduce a basic frame. linying@ * Execute Windows Investigation Step Examine every associate logs Execute key words search Examine associate files Identify unauthorized user and user group Identify vicious process and services Search abnormal or hidden file/ folder Examine unauthorized access point Examine windows schedule Analysis trust relationship Examine SID linying@ * WindowsNT/2000/XP include three separate log file system System log Application log Security Log 1.Examine every associate logs linying@ * Check the three log we can get the following information :??? ? Identify the user to visit a specific document ??? ? Identify the user who has successfully / unscuccessfully login to the system ??? ? Identify the status of specific procedures ??? ? tracking the change of audit strategy ??? ? tracing the change of user’s priviledge linying@ * 现场系统中的日志，可以通过Event Viewer事件查看器来访问本地主机的审核日志 通过事件ID和描述，可以了解系统上审核的细节 – Windows2000事件ID /windows2000/techinfo/reskit/ErrorandEventMessages/default.asp – WindowsXP事件ID /technet/treeview/