
Newbie Q: How can I get basic info from HD

9 Posts
3 Users
0 Likes
542 Views
Azure
(@azure)
Posts: 10
Active Member
Topic starter
 

Hi, I have an image file which is a Windows XP, and I have FTK software. Now I can browse all folders inside the image as if it's a normal PC. Yet, I don't know where to look, the specific directories. I've found a lot of the info I needed, but other things I couldn't, like:

1. the install date of the OS & timezone used & system aliases used.
2. Last logged into the computer
3. network cards, IP and MAC addresses used.

4. any evidence the computer was used for hacking wireless networks

5. any evidence of communication on the internet using IRC.
(I saw mIRC installed, is this enough evidence, or are there more locations to look into?)

6. I'd like to find any email addresses used by the user of that imaged PC.

7. I want to know if there are any viruses on the system.

I'm willing to install more programs if they are free & workable on my Windows 7 64 bit.

I'd highly appreciate any help.

I'm looking forward, with much appreciation, for replies.

 
Posted : 10/02/2011 5:27 pm
azrael
(@azrael)
Posts: 656
Honorable Member
 

1) http://windowsxp.mvps.org/getosdate.htm
2) http://eprints.utm.my/9517/1/SomayehAghanavesiMFSKSM2008.pdf
3) http://www.forensicfocus.com/downloads/windows-registry-quick-reference.pdf & http://www.forensicfocus.com/forensic-analysis-windows-registry

4) Look for evidence of Wireless Network Hacking Tools …

5) No, you'd need to find logs &/or other evidence that it's been used - installation is not equal to use. ( Although it increases the probability somewhat ).

6) Use FTK to search for strings that meet an e-mail format.

7) Mount the image and scan it using traditional AV. (http://www.mountimage.com/mount-image-faq.php)

 
Posted : 10/02/2011 6:02 pm
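An added illustration of point 6 above (this is my own example, not part of azrael's reply and not FTK's code): a string search for an e-mail pattern over raw image bytes. The point a newcomer usually misses is that Windows stores registry strings, most application files and many mail caches as UTF-16LE, so a search that only looks for ASCII text misses half the hits; the scan below runs both patterns over a constructed sample buffer and reports each hit with its byte offset.

```python
import re

# Allowed characters, deliberately loose: a keyword search on an image is
# tuned for recall, and an examiner reviews the hits afterwards.
LOCAL = rb"[A-Za-z0-9._%+-]"
LABEL = rb"[A-Za-z0-9-]"

# ASCII form:  local@label(.label)+
EMAIL_ASCII = re.compile(
    LOCAL + rb"{1,64}@" + LABEL + rb"{1,63}(?:\." + LABEL + rb"{1,63})+"
)

# Same pattern with every character followed by a NUL byte, which is how
# UTF-16LE lays ASCII text out on disk (registry strings, .pst/.dbx data).
EMAIL_UTF16 = re.compile(
    rb"(?:" + LOCAL + rb"\x00){1,64}@\x00(?:" + LABEL + rb"\x00){1,63}"
    + rb"(?:\.\x00(?:" + LABEL + rb"\x00){1,63})+"
)


def find_emails(image: bytes):
    """Return a list of (offset, encoding, address) tuples sorted by offset."""
    hits = []
    for m in EMAIL_ASCII.finditer(image):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in EMAIL_UTF16.finditer(image):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)


def unique_addresses(hits):
    """Case-folded, de-duplicated address list for the report."""
    return sorted({addr.lower() for _, _, addr in hits})


# Constructed sample "image": slack bytes, an ASCII mail header, a UTF-16LE
# string such as a registry value or an OE/mIRC setting, and a non-address.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"From: alice.smith@example.org\r\n"
    + b"\xff" * 8
    + "bob_99@mail.example.com".encode("utf-16-le")
    + b"\x00" * 8
    + b"not-an-address@@nowhere"
)

if __name__ == "__main__":
    for offset, enc, addr in find_emails(SAMPLE_IMAGE):
        print(f"offset {offset:>8}  {enc:<8}  {addr}")
    print("unique:", unique_addresses(find_emails(SAMPLE_IMAGE)))
```

Run it on a real image by reading the file in chunks (keeping an overlap of a few hundred bytes between chunks so an address straddling a boundary is not lost); every hit still needs manual review, since the pattern also matches things like package names that merely look like addresses.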
Azure
(@azure)
Posts: 10
Active Member
Topic starter
 

1)…

brilliant reply! Thank you very much!

Status Analyzing…

I'll be back after I solve the puzzle

 
Posted : 10/02/2011 9:32 pm
Azure
(@azure)
Posts: 10
Active Member
Topic starter
 

1) …

A big Thank You indeed! I've figured it all, except for one point

3. network cards, IP and MAC addresses used.

I couldn't find it.

Many sources mentioned that it's in this location
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces…
(HKLM = HKEY_LOCAL_MACHINE)

I downloaded the demo version of Paraben P2, and I was able to browse the registry but I couldn't get any info.
There was no file in that directory where I can get IP address or Mac address or have a clue regarding NT cards used.

Any further hints please?

 
Posted : 11/02/2011 3:58 am
(@bithead)
Posts: 1206
Noble Member
 

That is a good location to start. Is the problem with the tool because it is a demo version? Perhaps a tool like RegRipper would give you the output you need.

 
Posted : 11/02/2011 8:19 am
Azure
(@azure)
Posts: 10
Active Member
Topic starter
 

That is a good location to start. Is the problem with the tool because it is a demo version? Perhaps a tool like RegRipper would give you the output you need.

Thank you for your reply.
Actually Paraben was kind enough to provide a fully functional version for 14 days. If the info is really there, then the problem is with my analysis. I'm looking for a clear IP address structure (four octets) & MAC address structure.
Or should I look for a different structure?
I'll try RegRipper.. brb =D

 
Posted : 11/02/2011 3:28 pm
Azure
(@azure)
Posts: 10
Active Member
Topic starter
 

Thanks for suggesting RegRipper, yet it didn't help me much, it's kinda advanced. I just have the image file. I'm not sure what to export. I tried some tweaks but nothing useful to figure out. I know it might be useful but for my level, I couldn't use it to extract the info needed.

I hope there are other ways to know the IP/MAC addresses… since they're usually basic info to get for CF experts.

I'm looking forward, with much appreciation, for your replies

 
Posted : 12/02/2011 1:31 am
(@bithead)
Posts: 1206
Noble Member
 

Thanks for suggesting RegRipper, yet it didn't help me much, it's kinda advanced. I just have the image file. I'm not sure what to export.

You need to export the Registry files. Typically I do not use Wikipedia as a reference, however the locations for the files are all listed at the bottom of THIS link.

In short, point RegRipper at each file using the Hive entry, choose the location for the report in the second box, choose the appropriate plugin that matches your file in the third field, then Rip It!

 
Posted : 12/02/2011 6:09 am
Azure
(@azure)
Posts: 10
Active Member
Topic starter
 

You need to export the Registry files. Typically I do not use Wikipedia as a reference, however the locations for the files are all listed at the bottom of THIS

Thanks a lot! I've made great progress, please view this image

Now as I know, the MAC address looks something like this 00095BECEEF2 (12 characters).

In the image, I see two rows, each with 16 characters separated by "-" then another 16 characters. How can I get the MAC address from this? It should be only one MAC address for this card, right?

This will be my last (-ish) silly Q! ^^ with much appreciation.

 
Posted : 12/02/2011 9:39 pm
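An added example (my own code, not from this thread, Paraben or RegRipper) covering two questions above: what the values under the Tcpip\Parameters\Interfaces key the poster searched on 11/02/2011 actually contain, and why a MAC address is exactly 12 hex digits as the last post says. On XP the address data under each interface GUID are UTF-16LE strings (DhcpIPAddress, DhcpServer, IPAddress as a multi-string) and the lease times are DWORDs holding Unix epoch seconds, so the four-octet text is there but not as ASCII; InstallDate under SOFTWARE\Microsoft\Windows NT\CurrentVersion (a DWORD epoch, UTC) and ActiveTimeBias under SYSTEM\CurrentControlSet\Control\TimeZoneInformation (signed minutes stored in an unsigned DWORD) cover point 1 of the original question. The key paths and value names are real; the GUID and every data value are constructed, as is the way the values are fed in (a dictionary standing in for an exported hive).

```python
import struct
from datetime import datetime, timedelta, timezone

# Numeric registry value types as stored in hive files.
REG_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 3, 4, 7

NT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
TZ_KEY = r"SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
IFACE_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
GUID = "{11111111-2222-3333-4444-555555555555}"  # constructed interface GUID


def vpath(*parts):
    return "\\".join(parts)

# Encoders used only to build the constructed sample below.
def reg_sz(text):
    return text.encode("utf-16-le") + b"\x00\x00"          # NUL-terminated UTF-16LE

def reg_multi_sz(items):
    return "".join(s + "\x00" for s in items).encode("utf-16-le") + b"\x00\x00"

def reg_dword(n):
    return struct.pack("<I", n & 0xFFFFFFFF)               # little-endian, unsigned

# Constructed sample: real key paths and value names, invented data.
SAMPLE_VALUES = {
    vpath(NT_KEY, "InstallDate"): (REG_DWORD, reg_dword(1231027200)),
    vpath(TZ_KEY, "ActiveTimeBias"): (REG_DWORD, reg_dword(-180)),   # UTC+3 zone
    vpath(IFACE_KEY, GUID, "EnableDHCP"): (REG_DWORD, reg_dword(1)),
    vpath(IFACE_KEY, GUID, "IPAddress"): (REG_MULTI_SZ, reg_multi_sz(["0.0.0.0"])),
    vpath(IFACE_KEY, GUID, "DhcpIPAddress"): (REG_SZ, reg_sz("192.0.2.10")),
    vpath(IFACE_KEY, GUID, "DhcpServer"): (REG_SZ, reg_sz("192.0.2.1")),
    vpath(IFACE_KEY, GUID, "LeaseObtainedTime"): (REG_DWORD, reg_dword(1297382400)),
}


def decode_value(vtype, raw):
    """Turn raw value bytes into a Python object according to the value type."""
    if vtype == REG_SZ:
        return raw.decode("utf-16-le").rstrip("\x00")
    if vtype == REG_MULTI_SZ:
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    if vtype == REG_DWORD:
        return struct.unpack("<I", raw[:4])[0]
    if vtype == REG_BINARY:
        return bytes(raw)
    raise ValueError(f"unsupported value type {vtype}")

def signed_dword(n):
    """Reinterpret an unsigned DWORD as signed (ActiveTimeBias is negative east of UTC)."""
    return struct.unpack("<i", struct.pack("<I", n))[0]

def epoch_to_utc(seconds):
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def to_local(utc_dt, active_time_bias):
    """ActiveTimeBias = minutes added to local time to obtain UTC."""
    bias = signed_dword(active_time_bias)
    return utc_dt.astimezone(timezone(timedelta(minutes=-bias)))

def normalise_mac(value):
    """Accept 6 raw bytes or 12 hex digits (with or without separators); reject anything else."""
    if isinstance(value, (bytes, bytearray)):
        digits = value.hex()
    else:
        digits = "".join(c for c in value if c not in ":-. ")
    if len(digits) != 12 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError("a MAC address is 48 bits: 6 bytes, i.e. 12 hex digits")
    return "-".join(digits[i:i + 2].upper() for i in range(0, 12, 2))

def summarise(values):
    """Install date, local time offset and per-interface IP data from decoded values."""
    install = decode_value(*values[vpath(NT_KEY, "InstallDate")])
    bias = decode_value(*values[vpath(TZ_KEY, "ActiveTimeBias")])
    utc = epoch_to_utc(install)
    out = {
        "install_date_utc": utc.isoformat(),
        "install_date_local": to_local(utc, bias).isoformat(),
        "utc_offset_minutes": -signed_dword(bias),
        "interfaces": {},
    }
    prefix = IFACE_KEY + "\\"
    for path, (vtype, raw) in values.items():
        if path.startswith(prefix):
            guid, name = path[len(prefix):].split("\\", 1)
            out["interfaces"].setdefault(guid, {})[name] = decode_value(vtype, raw)
    for iface in out["interfaces"].values():
        for name in ("LeaseObtainedTime", "LeaseTerminatesTime"):
            if name in iface:
                iface[name] = epoch_to_utc(iface[name]).isoformat()
    return out

if __name__ == "__main__":
    print(summarise(SAMPLE_VALUES))
    print(normalise_mac("00095BECEEF2"))
```

Two caveats when applying this to an exported hive: in the SYSTEM file on disk there is no CurrentControlSet key, it is a link the running OS creates, so read Select\Current and use the matching ControlSet00N; and a value that is 16 hex characters long is 8 bytes, not a MAC address, so it is either something else or a structure that merely contains one.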