Windows Forensics

Volatile Information
The following are some of the specific types of volatile information that investigators should
collect:
• System time
• Logged-on user(s)
• Open files
• Network information
• Network connections
• Process information
• Process-to-port mapping
• Process memory
• Network status
• Clipboard contents
• Service/driver information
• Command history
• Mapped drives
• Shares
Nonvolatile Information
The following are some of the specific types of nonvolatile information investigators collect:
• Hidden files
• Slack space
• Swap files
• Index.dat files
• Metadata
• Hidden ADS (alternate data streams)
• Windows Search index
• Unallocated clusters
• Unused partitions
• Hidden partitions
• Registry settings
• Connected devices
• Event logs
Introduction to Linux Forensics
Types of Linux Distributions
• Desktop distributions, which include a graphical interface
and common applications, suitable for home use.
• Server or enterprise distributions that are used primarily for
business applications, but can also be used as a home server.
• Live-CD distributions that are stored on bootable storage
devices. A Live CD is a bootable version of an operating
system that is loaded directly into RAM and functions
outside and independently of the target computer’s
operating system.
Linux Forensics
Linux has a number of simple utilities for imaging and basic disk
analysis, including the following:
• dd: Copies data from an input file or device to an output file or
device
• sfdisk and fdisk: Determines the disk structure
• grep: Searches files for instances of an expression or pattern
• md5sum and sha1sum: Create and store an MD5 or SHA-1
hash of a file or list of files (including devices)
• file: Reads file header information in an attempt to ascertain its
type, regardless of name or extension
• xxd: Command-line hex dump tool
• ghex and khexedit: Gnome and KDE (X Window interfaces) hex
editors
Application Password Crackers
A password cracker is a program that is used to
identify an unknown or forgotten password to a
computer or network resource. It can also be
used to obtain unauthorized access to resources.
Password-Cracking Methods
Most password crackers use one or more of the
following methods:
• Brute force attack
• Dictionary attack
• Syllable attack
• Rule-based attack
• Hybrid attack
• Password guessing
• Rainbow attack
Brute Force Attack
• In a brute force attack, the attacker tries every
possible combination of characters until the
correct password is found. It is a slow method
and takes a large amount of time against
longer passwords.
Dictionary Attack
• In a dictionary attack, a dictionary file is loaded into the cracking
application that runs against user accounts.
• The program uses every word present in the dictionary to find the
password. Dictionary attacks can be considered more useful than
brute force attacks, although they do not work against systems that
use passphrases.

This attack can be applied under two situations:


1. In cryptanalysis, it is used to find out the decryption key for
obtaining the plain text from the cipher text.
2. In computer security, it can be used to guess passwords.
Syllable Attack
A syllable attack is the combination of both a brute
force attack and a dictionary attack. This is often
used when the password is a nonexistent word.
The attacker takes syllables from dictionary words
and combines them in every possible way to try to
crack the password.
Rule-Based Attack
• This type of attack is used when an attacker already has
some information about the password. He or she can
then write a rule so that the password-cracking
software will generate only passwords that meet this
rule.
• For example, if the attacker knows that all passwords on
a system consist of six letters and three numbers, he or
she can craft a rule that generates only these types of
passwords. This is considered the most powerful attack.
Hybrid Attack
• This type of attack is based on the dictionary
attack. Often, people change their passwords by
just adding numbers to their old passwords. In
this attack, the program adds numbers and
symbols to the words from the dictionary.
• For example, if the old password is “system”, the
user may have changed it to “system1” or
“system2.”
Password Guessing
Common weak passwords include the following:
• Blank (none)
• The words password, passcode, admin, and their
derivatives
• The user’s name or login name
• A relative’s name
• The user’s birthplace or date of birth
• A pet’s name
• Automobile license plate number
• A row of letters from the qwerty keyboard, such as
“qwerty,” “asdf,” or “qwertyuiop”
Rainbow Attack
• The rainbow attack is based on the cryptanalytic time-memory
trade-off technique. A cryptanalytic time-memory trade-off is a
method that requires less time for cryptanalysis because it uses
already calculated information stored in memory to crack a code,
such as a password.
• In a rainbow attack, a password hash table called a rainbow
table is created in advance and stored in memory.
• This rainbow table is a table of password hashes created by
hashing every possible password and variation thereof; it is
used in a rainbow attack to recover a plaintext password
from a captured cipher text.
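To make the time-memory trade-off concrete, the following is an added toy example (not from the original slides) that builds a small rainbow table over a constructed 4-digit PIN space using SHA-1, recovers a PIN from its unsalted hash, and shows that the same precomputed table is useless against a salted hash. The chain length, chain count and reduction function are assumptions chosen for illustration.

```python
import hashlib
import string

# Constructed toy keyspace: 4-digit PINs (10,000 candidates), enough to show the mechanism.
ALPHABET = string.digits
PW_LEN = 4
CHAIN_LEN = 50     # hash->reduce steps per chain (the "time" knob)
NUM_CHAINS = 2000  # chains kept in the table (the "memory" knob)

def h(pw: str) -> bytes:
    """Unsalted SHA-1, standing in for whatever hash the captured credential uses."""
    return hashlib.sha1(pw.encode()).digest()

def salted_h(pw: str, salt: str) -> bytes:
    """Same hash with a per-user salt prepended; the table below was not built for this."""
    return hashlib.sha1((salt + pw).encode()).digest()

def reduce_fn(digest: bytes, step: int) -> str:
    """Map a digest back into the password space; the column index makes each column's reduction distinct."""
    n = int.from_bytes(digest, "big") + step
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)

def build_table() -> dict:
    """Precompute chains but store only end -> start points; intermediates are recomputed at lookup."""
    table = {}
    for i in range(NUM_CHAINS):
        start = pw = f"{i:0{PW_LEN}d}"
        for step in range(CHAIN_LEN):
            pw = reduce_fn(h(pw), step)
        table.setdefault(pw, []).append(start)
    return table

def lookup(table: dict, target: bytes):
    """Recover the password behind `target`, or None if the table does not cover it."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: target sits in column `col`; walk the remainder of the chain to its end.
        pw = reduce_fn(target, col)
        for step in range(col + 1, CHAIN_LEN):
            pw = reduce_fn(h(pw), step)
        for start in table.get(pw, ()):
            # Endpoint matched: regenerate that chain and check for the real preimage.
            cand = start
            for step in range(CHAIN_LEN):
                if h(cand) == target:
                    return cand
                cand = reduce_fn(h(cand), step)
    return None
```

Because the salt changes the function being inverted, a defender who stores salted hashes forces an attacker to rebuild the table per salt, which is exactly the precomputation the trade-off was meant to avoid.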
System Password Cracking
• Bypassing the BIOS Password
Removing the CMOS Battery
To clear the CMOS settings by removing the battery, follow these steps:
1. Shut down the computer and disconnect the power plug.
2. Locate the battery on the motherboard (approximately ½ inch in
diameter).
3. Carefully lift it from the socket and place it aside.
4. Leave it for about 20 to 30 minutes.
5. Replace it in the socket.
6. Plug in and restart the computer.
7. As the computer begins its startup process, press the DEL, F10, or F1
key, depending on the specific computer, to get into BIOS/CMOS setup.
8. Look for the option to set the BIOS/CMOS to its default settings.
9. Check the settings of CPU, memory, and hard drive type and size.
10. Finalize all adjustments, save the settings, and restart the computer.
Jumper Settings
Adjusting the jumpers or DIP switches on a motherboard clears all custom
settings, including the BIOS passwords. The location of these
jumpers or DIP switches on the motherboard varies, so refer to the system’s
documentation.
Some manufacturers may label the jumpers and DIP switches as one of the
following:
• CLEAR
• CLEAR CMOS
• CLR
• CLRPWD
• PASSWD
• PASSWORD
• PWD
Tools for System Software Password
Cracking
• Tool: Windows XP/2000/NT Key Generator
The Windows XP/2000/NT Key Generator recovers most passwords
and resets the domain administrator password for Active Directory
domain controllers directly from a bootable CD-ROM. It also supports
Windows 2003 Server.
• Tool: CmosPwd
CmosPwd (Figure 7-5) decrypts passwords for the following BIOS
types:
• ACER/IBM BIOS
• AMI BIOS
• AMI WinBIOS 2.5
• Award 4.5x/4.6x/6.0
• Tool: ERD Commander
ERD Commander 2005 directly boots systems into a
Windows-like repair environment from a CD, giving
complete access to the system. It has network features
allowing data to be accessed, and moved to and from
the system.
• Tool: Active@ Password Changer
Active@ Password Changer is a DOS-based solution
designed for resetting local administrator and user
passwords on Windows XP/Vista/2003/2000/NT systems.
Application Software Password Cracking
• Tool: Advanced Office XP Password Recovery
Advanced Office XP Password Recovery uses brute force and dictionary
attacks to recover passwords in the following Office applications:
• Microsoft Word
• Microsoft Excel
• Microsoft Access
• Microsoft Outlook

• Tool: Word Password Recovery Master
Word Password Recovery Master cracks passwords on password-protected
Microsoft Word documents, allowing them to be opened and edited. Word
Password Recovery Master supports documents created in Microsoft Word
97/2000/XP/2003/2007.
• Tool: Office Password Recovery Toolbox
Office Password Recovery Toolbox is another tool for recovering passwords
for Office documents, including Word, Excel, Outlook, and Access files. It
uses an online decrypting server for password recovery (Figure 7-9).
• Tool: Distributed Network Attack
Distributed Network Attack (DNA) utilizes the unused processing power of
multiple machines across the network to decrypt passwords. In this attack,
the DNA server is installed in a central location, where machines running
the DNA client can access it over the network.
• Tool: Passware Kit
Passware Kit combines more than 25 password recovery programs into
one single package, including crackers for Office, Windows
2003/XP/2000/NT (both local and domain administrator accounts), Lotus
Notes, WinRAR, WinZip, Access, Outlook, Acrobat, Quicken, QuickBooks,
WordPerfect, VBA, and more.
Figure captions: Word Password Recovery Master can crack the passwords on Word files. Office Password Recovery Toolbox uses a powerful online server to crack Office passwords. DNA uses distributed computing to crack passwords. Passware Kit combines over 25 password recovery programs.
• Tool: Accent Keyword Extractor
Accent Keyword Extractor compiles dictionaries from words that it
can find on the Web and then uses these for a dictionary attack.
After loading a Web page, it will make a list of words on that page
and then follow all links on the page to look for more words.
• Tool: Advanced ZIP Password Recovery
Advanced ZIP Password Recovery cracks passwords for ZIP files,
including self-extracting archives. It is a brute force cracker that
can check 15 million passwords per second. For rule-based attacks,
Advanced ZIP Password Recovery can be customized according to
password length, character set, and various other options.
• PDF Password Crackers
CrackPDF, Abcom PDF Password Cracker, and Advanced PDF
Password Recovery can all be used to access password-protected
Adobe PDF files.
Password-Cracking Tools
• Tool: Cain & Abel
• Tool: LCP
• Tool: SID&User
• Tool: ophcrack
• Tool: John the Ripper
• Tool: Djohn
• Tool: Crack
• Tool: Brutus
Steganography