Search This Blog

Friday, February 17, 2012

Forensic operation on windows registry

Windows General


Even more Windows Forensics goodness (or badness depending on your perspective).

Description: Temp folder
Location: C:\Users\<user name>\AppData\Local\Temp
Why you care: Lots of programs need a safe place, where the user has permissions, to dump temp data. This is the place to look. They may have wiped/shredded the main file, but there could be a version in this directory depending on how the application works.
Entry by: Irongeek, but thanks to Nir.

Description: Recycle Bin
Location: C:\$Recycle.Bin
Why you care: Do I really need to say?
Entry by: Irongeek, but thanks to Nir.

Description: Last logged on user
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Why you care: Lets you know who logged in last, and may also give you a user name to attack if you're a pen-tester.
Entry by: Irongeek, but thanks to Nir.

Description: Event logs
Location: Should be in C:\Windows\System32\config or C:\Windows\System32\winevt\Logs depending on OS
Why you care: These may be relocated, so do a desktop search for *.evt and *.evtx. Let you know all sorts of things about what is happening on the box.
Entry by: Irongeek.

Description: Last key edited by RegEdit
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
Why you care: Can be useful to know if the user was tweaking the registry for some purpose (like writing an article on Forensically interesting spots in the Windows 7 file system and registry).
Entry by: Irongeek, but thanks to Nir.

Description: List of Installed USB devices, both connected and unconnected
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
Why you care: It can be useful to know what USB devices have be connected to a box, and even the vendor and serial number of the device in some cases. Think someone copied the data to a thumbdrive? This may help you trace down what thumbdrive. Think how useful it can be to help tie something a user physical possesses to a box.
Entry by: Irongeek.

Description: List of installed USB storage devices
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
Why you care: Much like the installed USB devices entry, but just for USB storage. Think someone copied the data to a thumbdrive? This may help you trace down what thumbdrive. CleanAfterMe scrubsHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB but not USBSTOR when I tested last.
Entry by: Irongeek.

Description: SetupAPI Device Log
Location: C:\windows\inf\setupapi.dev.log
Why you care: Log that can help you find out what USB devices have been installed, including thumbdrives. CleanAfterMe scrubs HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB but notthis file when I tested last.
Entry by: Irongeek, but thanks to Nir.

Description: Windows Prefetch
Location: C:\Windows\Prefetch
Why you care: Windows Prefetch is a feature in Windows XP and newer system (Including Windows 7) that is ment to speed up commonly executed application and boot load times by recording what on the system is accessed. Mark McKinnon has a tool you might be interested in for parsing this data. Also, you may want to read the Wikipedia entry: http://en.wikipedia.org/wiki/Prefetcher
Entry by: Irongeek, but thanks to Nir and Mark McKinnon.


Source: Irongeek
Publishing By at No comments:

Forensically analyze Windows 7, Vista and XP file system and registry

Windows Explorer

Not to be confused with Internet Explorer, Windows Explorer is the default GUI shell for Windows 7 / Vista / XP. It leaves all sorts of data in the registry and file system for a forensics investigation.

Description: Recently opened files from Windows Explorer
Location: C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Recent
Why you care: It can be quite useful to know what files have been opened recently. Think someone is accessing records of embezzlement? Maybe there is a pointer to the Excel file here that can lead you to where the data has been stored. You may also see links to videos and images in here. I've had this lead to personal embarrassment before while doing a presentation for the ISSA. :)
Entry by: Irongeek, but thanks to Nir.

Description: Network Shortcuts
Location: C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Why you care: This could show an investigator what fileservers the person is accessing, or on a captured laptop a little about the internal network (useful for pen-testing).
Entry by: Irongeek, but thanks to Nir.

Description: Items recently ran from the "Run" bar
Location:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Why you care: Useful to know what the person is running using the Windows Run bar, but in Vista and Windows 7 lots of folks use "Search programs and files" text box, which does not show up in this registry key.
Entry by: Irongeek, but thanks to Nir.


Source: http://www.irongeek.com
Publishing By at No comments:
Labels: , ,

Saturday, July 23, 2011

Encrypt Your Call Through Cellcrypt

Cellcrypt encrypts voice calls on smartphones such as Android™, BlackBerry®, iPhone® and Nokia®, providing government-grade security in an easy-to-use application that makes secure calling as simple as making a normal call on the same device. Cellcrypt's software solutions allow many types of cell phones to be supported and can be deployed to users in remote locations over the air in minutes.

Source: Cellcrypt
Publishing By at No comments:

Friday, July 22, 2011

Search Hacks For FB.


Search Facebook Like A Pro:

Not everybody knows how powerful Facebook search is. Similar to any large search engine, Facebook search has a lot of advanced options to help you search like a pro. For example if you are looking for a person named John Marsh and filter your results down to only people who are married, you can try name: John Marsh status:married. A complete list of search tips for Facebook can be found here.
Search

Publishing By at No comments:

Saturday, July 16, 2011

Google Search Hacks

Using Google, and some finely crafted searches we can find a lot of interesting information.

For Example we can find:
Credit Card Numbers
Passwords
Software / MP3's
...... (and on and on and on) Presented below is just a sample of interesting searches that we can send to google to obtain info that some people might not want us having.. After you get a taste using some of these, try your own crafted searches to find info that you would be interested in.

Try a few of these searches:
intitle:"Index of" passwords modified
allinurl:auth_user_file.txt
"access denied for user" "using password"
"A syntax error has occurred" filetype:ihtml
allinurl: admin mdb
"ORA-00921: unexpected end of SQL command"
inurl:passlist.txt
"Index of /backup"
"Chatologica MetaSearch" "stack tracking:"


Amex Numbers: 300000000000000..399999999999999
MC Numbers: 5178000000000000..5178999999999999
visa 4356000000000000..4356999999999999


"parent directory " /appz/ -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " DVDRip -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory "Xvid -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " Gamez -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " MP3 -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " Name of Singer or album -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

Notice that I am only changing the word after the parent directory, change it to what you want and you will get a lot of stuff.

METHOD 2

put this string in google search:

?intitle:index.of? mp3

You only need add the name of the song/artist/singer.

Example: ?intitle:index.of? mp3 jackson

METHOD 3

put this string in google search:

inurl:microsoft filetype:iso

You can change the string to watever you want, ex. microsoft to adobe, iso to zip etc…


"# -FrontPage-" inurl:service.pwd
Frontpage passwords.. very nice clean search results listing !!

"AutoCreate=TRUE password=*"
This searches the password for "Website Access Analyzer", a Japanese software that creates webstatistics. For those who can read Japanese, check out the author's site at: http://www.coara.or.jp/~passy/

"http://*:*@www" domainname
This is a query to get inline passwords from search engines (not just Google), you must type in the query followed with the the domain name without the .com or .net

"http://*:*@www" bangbus or "http://*:*@www"bangbus

Another way is by just typing
"http://bob:bob@www"

"sets mode: +k"
This search reveals channel keys (passwords) on IRC as revealed from IRC chat logs.

allinurl: admin mdb
Not all of these pages are administrator's access databases containing usernames, passwords and other sensitive information, but many are!

allinurl:auth_user_file.txt
DCForum's password file. This file gives a list of (crackable) passwords, usernames and email addresses for DCForum and for DCShop (a shopping cart program(!!!). Some lists are bigger than others, all are fun, and all belong to googledorks. =)


intitle:"Index of" config.php
This search brings up sites with "config.php" files. To skip the technical discussion, this configuration file contains both a username and a password for an SQL database. Most sites with forums run a PHP message base. This file gives you the keys to that forum, including FULL ADMIN access to the database.

eggdrop filetype:user user
These are eggdrop config files. Avoiding a full-blown descussion about eggdrops and IRC bots, suffice it to say that this file contains usernames and passwords for IRC users.

intitle:index.of.etc
This search gets you access to the etc directory, where many many many types of password files can be found. This link is not as reliable, but crawling etc directories can be really fun!

filetype:bak inurl:"htaccess|passwd|shadow|htusers"
This will search for backup files (*.bak) created by some editors or even by the administrator himself (before activating a new version).
Every attacker knows that changing the extenstion of a file on a webserver can have ugly consequences.


Let's pretend you need a serial number for windows xp pro.

In the google search bar type in just like this - "Windows XP Professional" 94FBR

the key is the 94FBR code.. it was included with many MS Office registration codes so this will help you dramatically reduce the amount of 'fake' porn sites that trick you.
Publishing By at No comments:

Thursday, June 9, 2011

Block Others Sim Card Using Code

Block Others Sim Card Using Code

Block others SIM card with a code. yes you can really block others sim card using a code.

Use this code **04*3814*7529*68243# 

After entering this it asks for PUK code type wrong code and it will be blocked.




an easy and free trick for airtel customers to get PUK and PIN no in their mobile without calling customer care just send a blank message to 785.You will get replay as your PUK number with PIN code.You should not be charged since it is a toll free number.

Please don't miss use it, this is only for educational purpose.
Publishing By at No comments:

Nokia Mobile Phone Unlock & Hidden Feature codes

Nokia Mobile Phone Unlock & Hidden Feature codes

#pw+1234567890+1# Provider Lock Status. (use the “*” button to obtain the “p,w” and “+” symbols)
#pw+1234567890+2# Network Lock Status. (use the “*” button to obtain the “p,w” and “+” symbols)
#pw+1234567890+3# Country Lock Status. (use the “*” button to obtain the “p,w” and “+” symbols)
#pw+1234567890+4# SIM Card Lock Status. (use the “*” button to obtain the “p,w” and “+” symbols)
Publishing By at No comments:
Subscribe to: Posts (Atom)