Introduction: download the zip with the disk images from polz.si. Make a copy (snapshot) of the images for later analysis, so that the evidence is not destroyed.

User: dobrota / sirota

Getting to know Windows

  • Run regedit.
  • Run Event Viewer.

Registry

Compare the registry in the first and second disk image. The tools hivexml and reglookup can help you; the registry file format is described here.

Logging

The tool grokevt can help you analyze the event logs.

  • Which users are on the system?
  • How many times has the user rudolf logged in?
  • Ensure that the system no longer logs user logins.
  • Modify the registry so that the log is stored somewhere else.
  • Open the log of the powered-off machine, i.e. on the mounted disk image.
  • Modify / add an entry to the event log.
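As an added example for the log tasks above (listing logons, counting rudolf's logins, and judging whether the log can still be trusted), here is a small reader for the legacy .evt record format that grokevt also parses. It is not code from the page or from grokevt; the log it reads is constructed test data, and event IDs 528 (successful logon) and 517 (audit log cleared) are those of the Windows 2000/XP/2003 Security log.

```python
"""Reader for legacy Windows .evt records (EVENTLOGRECORD layout).
Added example, not from the page or grokevt; records are constructed test data."""
import struct
HEADER = struct.Struct("<IIIIIIHHHHIIIIII")  # 56-byte fixed part of EVENTLOGRECORD
SIGNATURE = 0x654C664C  # the "LfLe" marker in every record (and the file header)
LOGON_SUCCESS = 528     # Security log: successful logon (Windows 2000/XP/2003)
LOG_CLEARED = 517       # Security log: the audit log was cleared

def build_record(number, event_id, strings, source="Security", computer="LAB-XP"):
    """Assemble one record as constructed test data (timestamps and SID left zero)."""
    names = (source + "\0" + computer + "\0").encode("utf-16-le")
    text = "".join(s + "\0" for s in strings).encode("utf-16-le")
    length = HEADER.size + len(names) + len(text) + 4  # record ends with a copy of Length
    hdr = HEADER.pack(length, SIGNATURE, number, 0, 0, event_id, 8, len(strings), 0, 0, 0,
                      HEADER.size + len(names), 0, 0, 0, HEADER.size + len(names) + len(text))
    return hdr + names + text + struct.pack("<I", length)

def parse_records(blob):
    """Walk records (skipping the file header) until the first non-record; no wrap handling."""
    pos, out = 0, []
    while pos + HEADER.size <= len(blob):
        f = HEADER.unpack_from(blob, pos)
        if f[1] != SIGNATURE:
            break
        if f[0] == 0x30:  # the 48-byte file header also starts with Length, "LfLe"
            pos += f[0]
            continue
        rec = blob[pos:pos + f[0]]
        text = rec[f[11]:f[15]].decode("utf-16-le")  # StringOffset .. DataOffset
        out.append((f[2], f[5] & 0xFFFF, text.split("\0")[:f[7]]))  # EventID is low 16 bits
        pos += f[0]
    return out

def count_logons(records, user):
    """For event 528, insertion string %1 is the account name."""
    return sum(1 for _, eid, s in records
               if eid == LOGON_SUCCESS and s and s[0].lower() == user.lower())

def tamper_indicators(records):
    """Checks before trusting the log: explicit 'log cleared' events and record-number gaps."""
    nums = [n for n, _, _ in records]
    return {"cleared": [n for n, eid, _ in records if eid == LOG_CLEARED],
            "gaps_before": [n for a, n in zip(nums, nums[1:]) if n != a + 1]}

SAMPLE_LOG = b"".join([  # constructed: three logons by rudolf, one by dobrota, a clear, a gap
    build_record(1, LOGON_SUCCESS, ["rudolf", "LAB-XP", "(0x0,0x3E7)", "2"]),
    build_record(2, LOGON_SUCCESS, ["dobrota", "LAB-XP", "(0x0,0x3E8)", "2"]),
    build_record(3, LOGON_SUCCESS, ["Rudolf", "LAB-XP", "(0x0,0x3E9)", "2"]),
    build_record(4, LOG_CLEARED, ["dobrota", "LAB-XP", "(0x0,0x3E8)"]),
    build_record(6, LOGON_SUCCESS, ["rudolf", "LAB-XP", "(0x0,0x3EA)", "10"]),
])
```

On a real image, read the Security .evt file from the mounted disk and pass its bytes to `parse_records`; a non-empty `tamper_indicators` result is the first thing to explain before any logon count is reported.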
Last modified: Wednesday, 27 March 2019, 10:15 AM