Windows Registry Forensics

By Sandro Süffert*

Two months ago I published a set of material (109 pages) on Memory Forensics, both on the Techbiz Forense Digital blog and on the SSegurança blog. Since the feedback was very positive, I decided to also publish here the material I prepared on Windows Registry Forensics (83 pages).

SEE THE PRESENTATION


Books:

I - Windows Forensic Analysis v2, Harlan Carvey. Chapter 3 – Windows Memory Analysis; Chapter 4 – Registry Analysis

II - EnCE – The Official EnCase Certified Examiner Study Guide, 2nd Edition, Steve Bunting. Chapters 3 – First Response; 9 – Windows Operating System Artifacts; 10 – Advanced Windows - Registry

III - Malware Forensics – Investigating and Analyzing Malicious Code, James Aquilina, Eoghan Casey, Cameron Malin. Chapters 3 – Memory Forensics: Analyzing Physical and Process Memory Dumps; 9 – Analysis of a Suspect Program

IV – Microsoft Windows Registry Guide, 2nd Edition

V - "Registry Forensics" by Harlan Carvey: http://www.amazon.com/Windows-Registry-Forensics-Advanced-Forensic/dp/1597495808

Papers / Documentation:

"Inside the Registry", Windows NT Magazine – Mark Russinovich
http://technet.microsoft.com/en-us/library/cc750583.aspx

Windows 7 UserAssist Registry Keys - Didier Stevens, Into The Box Magazine
http://intotheboxes.wordpress.com/2010/04/05/into-the-boxes-issue-0x1/

Guide To Profiling USB Device Thumbdrives and Drive Enclosures on Win7, Vista, and XP
http://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf
http://blogs.sans.org/computer-forensics/files/2009/09/USB_Drive_Enclosure-Guide.pdf

RegRipper Documentation - http://regripper.net/RR/Documents/Documents.zip (Registry Reference; Deleted Apps; ACMRU; Windows Forensic Analysis - RegRipper version 2.02 Cheat Sheet)

AccessData Registry Viewer Documentation - http://www.accessdata.com/supplemental.html (Registry Quick Find Chart; Registry Offset; UserAssist Registry Key)

Forensic Analysis of the Windows Registry in Memory - Brendan Dolan-Gavitt: http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf

Recovering Deleted Data From the Windows Registry - Timothy Morgan: http://www.dfrws.org/2008/proceedings/p33-morgan.pdf

Forensic Analysis of Unallocated Space in Windows Registry Hive Files – Jolanta Thomassen (University of Liverpool): http://www.sentinelchicken.com/data/JolantaThomassenDISSERTATION.pdf

Tools:

1) Virtual Machines:

1.0) VMware Workstation, Server or Player: http://www.vmware.com
1.1) SIFT Workstation 2.0 VM: https://computer-forensics2.sans.org/community/siftkit/

2) Free/GPL Tools:

2.1 – FTK Imager - http://www.accessdata.com/downloads.html#FTKImager
2.2 – Process Monitor - Sysinternals - http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
2.3 – RegRipper (+ RegSlack, + RegScan, + RipXP) - http://regripper.net/?page_id=150
2.4 – Registry Viewer - AccessData: http://www.accessdata.com/downloads.html#ForensicProducts
2.5 – Registry Summary Report Files - AccessData: http://www.accessdata.com/downloads/rsrfiles/AllRSRFiles.zip
2.6 – RegExtract (GUI/CLI) – WoanWare: http://www.woanware.co.uk/downloads/
2.7 – RegShot - http://sourceforge.net/projects/regshot/files/
2.8 – RegLookup - http://projects.sentinelchicken.org/reglookup/download/
2.9 – USBDeview - http://www.nirsoft.net/utils/usb_devices_view.html
2.10 – USBDeviceForensics - http://www.woanware.co.uk/usbdeviceforensics/
2.11 – UserAssist - http://blog.didierstevens.com/programs/userassist/
2.12 – FGET – https://www.hbgary.com/community/free-tools/
2.13 – TimeLord - http://computerforensics.parsonage.co.uk/timelord/timelord.htm
2.14 – MiTeC Windows Registry Recovery – http://www.mitec.cz/wrr.html

3) Commercial Tools:

3.1 – AccessData FTK 3.1 + Registry Viewer – http://www.accessdata.com
3.2 – EnCase Forensic 6.17 – http://www.guidancesoftware.com
UserAssist Decoder V3.3 EnScript - https://support.guidancesoftware.com/forum/downloads.php?do=file&id=832 (requires access to Guidance support)
Registry Examiner EnPack - https://support.guidancesoftware.com/forum/downloads.php?do=file&id=752 (requires access to Guidance support)


* Sandro Süffert is CTO (Chief Technology Officer) of Techbiz Forense Digital, a consultant in computer forensics and a guest lecturer in the postgraduate Computer Forensics course at the University of Brasília, Department of Electrical Engineering. He has been a member of the HTCIA (High Technology Crime Investigation Association) since 2006 and is the author of the security blog http://blog.suffert.com. He holds the ACE (AccessData Certified Examiner), ACIA (ArcSight Certified Integrator/Administrator), ACSA (ArcSight Certified System Analyst) and EnCE (EnCase Certified Examiner) certifications, among others.
