Week 5 Lab
Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
By the way
Note that you should do any necessary tool downloading from your host system rather than your SIFT Kit. Unless, of course, you've applied all recommended current security updates.
1. Thumbnails
   vinetto
2. Link Files
   Tzworks LNK Parsing Utility - lp
   Joachim Metz - lnkinfo
3. Win7 Jumplists
4. Prefetch files
Run vinetto on the Thumbs.db file from the xp_dblake.dd folder /Documents and Settings/Donald Blake/My Documents/My Pictures:
mkdir /tmp/thumb
vinetto -o /tmp/thumb "/mnt/windows_mount_2/Documents and Settings/Donald Blake/My Documents/My Pictures/Thumbs.db"
Examine the output, and the extracted results in /tmp/thumb.
Drag & drop the same Thumbs.db file onto Windows File Analyzer on your desktop.
Examine all the .lnk files under the xp_dblake.dd folder /Documents and Settings/Donald Blake/Recent using lnkinfo command lines such as the following:
Drag & drop the LNK file onto Windows File Analyzer on your desktop.
Download & install the current version of the Tzworks link parsing utility from http://www.tzworks.net/download_links.php
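As an added example (not part of the original lab, and not lnkinfo's or Tzworks' code), a minimal parser for the ShellLinkHeader and StringData sections of a .lnk file, the same fields lnkinfo reports: target MAC timestamps, size, link flags and the relative path / working directory strings. It runs on a constructed sample shortcut; the paths, size and timestamp in the sample are made up for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk (little-endian) form
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_NAMES = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_iso(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601 string."""
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).isoformat()

def parse_lnk(data):
    """Return target timestamps, size, flags and StringData from a .lnk file."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    info = {"flags": [n for b, n in FLAG_NAMES.items() if flags & b],
            "file_attributes": attrs, "target_size": size,
            "target_created": filetime_to_iso(ctime),
            "target_accessed": filetime_to_iso(atime),
            "target_modified": filetime_to_iso(wtime)}
    off = 0x4C
    if flags & 0x01:  # LinkTargetIDList: 2-byte IDListSize, then the item IDs
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:  # LinkInfo: its first field is the size of the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    # StringData members follow in this fixed order, each present only if flagged
    for bit, name in ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                      (0x20, "arguments"), (0x40, "icon_location")):
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            width = 2 if flags & 0x80 else 1          # UTF-16LE when IsUnicode is set
            raw = data[off + 2:off + 2 + count * width]
            info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + count * width
    return info

def _utf16_string(s):
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")

# Constructed sample (hypothetical, not from any image): flags = HasRelativePath |
# HasWorkingDir | IsUnicode, no IDList/LinkInfo, all timestamps 2012-01-01 00:00 UTC
_FT = 129698496000000000
SAMPLE_LNK = (struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, 0x98, 0x20,
                          _FT, _FT, _FT, 4096, 0, 1, 0, 0, 0, 0)
              + _utf16_string(".\\report.doc")
              + _utf16_string("C:\\Documents and Settings\\Donald Blake"))
```

Call parse_lnk() on the bytes of a real shortcut from the Recent folder and compare the target timestamps with the ones lnkinfo prints.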
My sample images are XP. I extracted the Jumplists from another workstation (my daughter's laptop) for analysis. Extract the files from jumplists.zip and have at it!
Download the command-line jmp utility (Win or Linux) from http://tzworks.net/download_links.php
Jumplists are normally located in two folders under the profile's AppData:
Use pref.pl to examine the entire prefetch folder on the xp_dblake.dd image.
You can drag & drop individual prefetch files onto Windows File Analyzer (it only understands a small minority of artifacts).
Double-click Prefetch Parser, tell it where to find the prefetch files to be analyzed, give it a newly created folder to store its results in, and hit "parse prefetch files".
Download & install the current version of the Tzworks prefetch parser from http://www.tzworks.net/download_links.php (command-line tool).
Sample commands:
-pipe: dir input, -v: output all artifacts, -csv: output in CSV format (view with Excel)
Questions?