Registry Analysis (Windows Forensic Analysis) Part 7 Finding Users Information about users is maintained in the Registry, in the SAM hive file. Under normal circumstances, this hive is not accessible, even to administrators, not without taking special steps to manually edit the access permissions on the hive. There’s a good reason for this: Although much of the Registry can be "messed with," there are areas of the Registry where minor changes can leave the system potentially unusable. Much of the useful information in the SAM hive is encoded in binary format, and fortunately, Peter Nordahl-Hagen’s sam.h C header file is extremely helpful in deciphering the structures and revealing something understandable. You can use the userdump.pl ProScript (v.0.31, 20060522, provided in the ch4\code\ProScripts directory on the media that accompanies this topic) to extract user and group membership information from the Registry Viewer in a ProDiscover project, once the Registry Viewer has been populated. Tracking User Activity The UserAssist Keys
CAINE Live CD - computer forensics digital forensics Matriux - The Security-Oriented Open Source Distribution for Ethical Hackers and Pentesters BlackArch Linux - Penetration Testing Distribution Users Guide · log2timeline/plaso Wiki This page is a work in progress. How to get started First determine which version of plaso is most suitable to your needs; for more information see Releases and roadmap. Installing the packaged release To install the packaged release see: Before we start Please report all discovered bugs to To follow announcements from the plaso team, send in generic inquiries, or discuss the tool, please subscribe to the log2timeline-discuss mailing list or join the G+ community. I know the good old Perl version If you are one of those people who liked the old Perl version of log2timeline but would really like to switch and use all the nifty features of the Python version. The tools Though plaso was initially created with replacing the Perl version of log2timeline in mind, its focus has shifted from a stand-alone tool to a set of modules that can be used in various use cases. image_export log2timeline pinfo preg preg is a command line tool to analyze Windows Registry files. psort
Linux LEO Secured Distributions - Security, Forensics, Privacy As of Dec 11, 2011, the author makes an invaluable effort to keep the list of versions up to date, as is desirable. However, to take one example, the LPS (Lightweight Portable Security) distro appears here with 1.2.4 of Sep. 19, 2011 as its latest version, when in fact the most recent as of the date of this article is 1.3.1 of Nov. 11 of this year. In any case this is not a major issue, since the links to the official sites of each project are here so you can keep up with updates. This is a list of the most recognized and best-reputed Linux distributions, notable under three criteria: Security, Privacy and Forensics. Any suggestion in the comments to complement or supplement this list of tools will be welcome. Astaro Security Linux A firewall and VPN product. BackBox Linux BackBox is based on Ubuntu. BackTrack
How I Cracked your Windows Password (Part 2) If you would like to read the first part in this article series, please go to How I Cracked your Windows Password (Part 1). Introduction In the first part of this series we examined password hashes and the mechanisms Windows uses to create and store those values. We also touched upon the weaknesses of each method and possible avenues that can be used to crack those passwords. In the second and final article in this series I will actually walk you through the process of cracking passwords with different free tools and provide some tips for defending against having your password cracked. It is always crucial to note that the techniques shown here are strictly for educational purposes and should not be used against systems for which you do not have authorization. Obtaining Password Hashes In order to crack passwords you must first obtain the hashes stored within the operating system. Physical Access If you are not quite comfortable doing this, you can use P. Console Access Network Access
penguinsleuth.org - Home Autopsy Forensic Easy to Use Autopsy was designed to be intuitive out of the box. Installation is easy and wizards guide you through every step. All results are found in a single tree. Extensible Autopsy was designed to be an end-to-end platform with modules that come with it out of the box and others that are available from third-parties. Timeline Analysis - Advanced graphical event viewing interface (video tutorial included). See the Features page for more details. Fast Everyone wants results yesterday. Cost Effective Autopsy is free.