C:\Windows\System32\winevt\Logs\Security.evtx, Event ID 4616: The system time was changed. The event carries PreviousTime, NewTime, the subject account and the process that made the change. Compare the two timestamps: the Windows time service (svchost.exe) produces sub-second corrections constantly, while a change of minutes or days made from a user's process is the thing to chase, because every log entry written afterwards carries the new, wrong clock.
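The triage described above, as an added Python example that is not part of the original page: it parses 4616 events in the XML shape that wevtutil or Get-WinEvent ...ToXml() produce, computes NewTime minus PreviousTime, and flags only changes larger than a threshold. The three event records are constructed for the example; field names follow the 4616 EventData layout, and the 60-second threshold is an assumed starting point, not a Microsoft value.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Windows event XML namespace used by wevtutil and Get-WinEvent ...ToXml()
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events (not real logs): a sub-second time-service
# correction, a three-day roll-back from cmd.exe, and an unrelated 4624 logon.
# Note the second event's own TimeCreated already shows the rolled-back clock.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4616</EventID><TimeCreated SystemTime="2019-03-04T08:00:01.5234567Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">LOCAL SERVICE</Data>
    <Data Name="PreviousTime">2019-03-04T08:00:01.1234567Z</Data>
    <Data Name="NewTime">2019-03-04T08:00:01.5234567Z</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4616</EventID><TimeCreated SystemTime="2019-03-01T09:15:30.0000000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="PreviousTime">2019-03-04T09:15:30.0000000Z</Data>
    <Data Name="NewTime">2019-03-01T09:15:30.0000000Z</Data>
    <Data Name="ProcessName">C:\Windows\System32\cmd.exe</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2019-03-04T09:16:00.0000000Z"/></System>
  <EventData><Data Name="TargetUserName">jdoe</Data></EventData>
</Event>""",
]


def parse_ts(s: str) -> datetime:
    """Parse '2019-03-04T08:00:01.1234567Z' (7 fractional digits, 100 ns units)
    into an aware UTC datetime; the fraction is truncated to microseconds."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", s)
    if not m:
        raise ValueError(f"unexpected timestamp format: {s!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    frac = (m.group(2) or "0")[:6].ljust(6, "0")
    return base + timedelta(microseconds=int(frac))


def parse_4616(xml_text: str):
    """Return a dict for a 4616 event, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.find("e:System/e:EventID", NS).text != "4616":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    prev, new = parse_ts(data["PreviousTime"]), parse_ts(data["NewTime"])
    return {
        "user": data.get("SubjectUserName", ""),
        "process": data.get("ProcessName", ""),
        "previous": prev,
        "new": new,
        "skew_seconds": (new - prev).total_seconds(),
    }


def suspicious_time_changes(events, max_skew_seconds: float = 60.0):
    """Keep 4616 events whose clock jump exceeds the threshold in either direction.
    The threshold is an assumed starting point; tune it to the host's NTP behaviour."""
    hits = []
    for xml_text in events:
        rec = parse_4616(xml_text)
        if rec is not None and abs(rec["skew_seconds"]) > max_skew_seconds:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in suspicious_time_changes(SAMPLE_EVENTS):
        print(f"{hit['user']} via {hit['process']}: {hit['previous']} -> {hit['new']} "
              f"({hit['skew_seconds']:+.0f} s)")
```

When the change is large and backwards, treat the record's own TimeCreated and everything logged after it as untrusted until the next 4616 or a reboot re-syncs the clock.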
Windows 10 Password Cracking Using John
1. Use AccessData FTK Imager -> Obtain Protected Files
2. Output = SAM and SYSTEM hives (the SYSTEM hive holds the boot key that is needed to decrypt the SAM)
3. Kali Linux: df -l -> /dev/sdb1 is mounted at /media/root/DT2G
4. cd /media/root/DT2G
5. pwdump system SAM > /root/Desktop/hashes.txt
6. cd /root/Desktop/
7. john --format=nt --users=a hashes.txt (--users=a restricts the attack to the account named a; drop it to try every account in the file)
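What step 7 does under the hood, as an added Python example (not code from the page or from John the Ripper): an NT hash is MD4 over the UTF-16LE password with no salt, so a dictionary attack is one hash per candidate and a lookup per account. MD4 is implemented inline because hashlib's md4 is often disabled under OpenSSL 3. The hashes.txt lines and the wordlist are constructed for the example; they are in pwdump's user:rid:lmhash:nthash::: layout, and the `users` parameter mirrors --users=a.

```python
import struct

MASK = 0xFFFFFFFF
# LM field pwdump emits when no LM hash is stored (the LM hash of an empty password)
NO_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320; here only to build NT hashes."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)        # bit length, little-endian

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (G, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                # rotate the register tuple so each step updates the "a" slot
                a, b, c, d = d, rotl((a + fn(b, c, d) + X[k] + const) & MASK, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: MD4 of the UTF-16LE password, unsalted, as a lowercase hex string."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str) -> list:
    """Parse pwdump output lines of the form user:rid:lmhash:nthash:::"""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        entries.append({"user": parts[0], "rid": parts[1],
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return entries


def crack_nt(entries: list, wordlist: list, users=None) -> dict:
    """Dictionary attack: hash each candidate once, then look every account up.
    `users` (a set of names) mirrors --users=...; None means all accounts."""
    table = {nt_hash(w): w for w in wordlist}
    table.setdefault(nt_hash(""), "")              # catch blank passwords too
    found = {}
    for e in entries:
        if users is not None and e["user"] not in users:
            continue
        if e["nt"] in table:
            found[e["user"]] = table[e["nt"]]
    return found


# Constructed sample dump: account a uses "password", b has a blank password,
# c has a hash that is in no wordlist.
SAMPLE_HASHES = """\
a:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
b:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
c:1003:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""
WORDLIST = ["123456", "qwerty", "password", "letmein"]

if __name__ == "__main__":
    entries = parse_pwdump(SAMPLE_HASHES)
    for e in entries:
        lm_note = "no LM hash stored" if e["lm"] == NO_LM_HASH else "LM hash present (trivially crackable)"
        print(e["user"], e["rid"], lm_note)
    print(crack_nt(entries, WORDLIST))               # every account
    print(crack_nt(entries, WORDLIST, users={"a"}))  # the --users=a case
```

Because there is no salt, one table of candidate hashes serves every account in the dump, which is why a pwdump file with many users costs no more to attack than one with a single user.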
WinPmem
1. winpmem-2.1.post4.exe -o output.aff4 (acquire physical memory into an AFF4 volume)
2. winpmem-2.1.post4.exe output.aff4 --export PhysicalMemory -o memory.img (export the raw image from the AFF4 volume)
2.1 rekal -f memory.img hives
3. rekal -f \\.\pmem (live analysis through the winpmem driver; the driver must be loaded first with winpmem-2.1.post4.exe -l)
4. pslist
Output of step 1:
Reading 0x3f7338000 16243MiB / 16255MiB 52MiB/s
Adding C:\Windows\SysNative\drivers\1394ohci.sys as file:///C:/Windows/SysNative/drivers/1394ohci.sys
Adding C:\Windows\SysNative\drivers\3ware.sys as file:///C:/Windows/SysNative/drivers/3ware.sys
Adding
Memory Acquisition Analysis Tools
Windows 10 New Processes
Registry Viewer RSR Files
AOL Instant Messenger (TM).rsr
AOL Instant Messenger.rsr
Favorites.rvc
Internet Explorer.rsr
NTUser – Files set to Run on Startup.rsr
NTUser – Internet Account Manager.rsr
NTUser – Internet Explorer.rsr
NTUser – LastVisited and OpenSave MRU.rsr
NTUser – Media Player MRUs.rsr
NTUser –
SIFT Clean Install
Instructions for installing SIFT3
- Download Ubuntu 14.04 Desktop: ubuntu-14.04.5-desktop-amd64.iso, with the published checksums at http://releases.ubuntu.com/14.04/SHA256SUMS
- Check the SHA256 against the published entry. SHA256SUMS lists:
f5ce20686a2f3201f04a309d04171ee15757f00954b33b87f3f1d36b3b0f5356 *ubuntu-14.04.5-desktop-amd64.iso
and certutil on the downloaded file must print the same value:
PS C:\download> certutil.exe -hashfile .\ubuntu-14.04.5-desktop-amd64.iso sha256
SHA256 hash of file .\ubuntu-14.04.5-desktop-amd64.iso:
f5ce20686a2f3201f04a309d04171ee15757f00954b33b87f3f1d36b3b0f5356
- Install in Oracle VM VirtualBox
- sudo apt-get update
- wget --quiet -O - https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh |
Windows 10 Auto Start Up Program Settings
Press Windows+R, type shell:startup and click OK. Put a shortcut to the program in the folder that opens; it runs at every logon for that user. The folder resolves to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, which is also where to look for persistence when examining a user profile.
Use the built-in certutil to compute MD2, MD4, MD5, SHA1, SHA256, SHA384 or SHA512 hashes
certutil is a standard Windows tool and can be run from PowerShell or cmd; the supported algorithms are MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512. (PowerShell's own Get-FileHash covers the SHA family and MD5 but not MD2 or MD4.)
certutil -hashfile 1.txt sha256 > 1.txt.sha2
Output (1.txt.sha2):
SHA256 hash of file 1.txt:
a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3
CertUtil: -hashfile command completed successfully.
Set up Metasploit using VirtualBox and Ubuntu
Oracle VM shared folder: c:\share (Transient Folders), mounted in the guest under /home/metal/share/.
Insert the Guest Additions CD image, then:
sudo apt-get update
sudo apt-get install virtualbox-guest-dkms
cd /home/metal/share/
sha1sum metasploit-latest-linux-x64-installer.run > metasploit-latest-linux-x64-installer.sha1
sha1sum -c metasploit-latest-linux-x64-installer.sha1 (or sha1sum -c s.sha1)
Note that a .sha1 file generated from the downloaded installer only proves the copy did not change after download; to verify the download itself, the value in the .sha1 file has to be the one published by the vendor, not one computed locally.
gedit error "could not save file": VirtualBox shared folders are mounted owned by root:vboxsf, so add the user to that group (sudo adduser metal vboxsf) and log out and back in.
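The checksum checks above (the SHA256SUMS entry for the Ubuntu ISO, certutil's output for 1.txt, and sha1sum -c for the Metasploit installer) all reduce to the same routine: parse an expected digest, hash the file, compare. The following is an added Python example, not code from the page or from any of those tools; the file contents are constructed stand-ins (1.txt really is the three bytes "123", which is what the page's certutil value corresponds to, while the ISO stand-in is deliberately not the real image so the mismatch path is exercised), and the algorithm is inferred from the digest length.

```python
import hashlib
import hmac
import re

# Constructed stand-ins for files on disk (name -> bytes), not the real downloads.
FILES = {
    "1.txt": b"123",
    "ubuntu-14.04.5-desktop-amd64.iso": b"a placeholder, not the real ISO",
}

# sha256sum / SHA256SUMS style manifest: '<hex> *<name>' (binary mode) or '<hex>  <name>'.
SHA256SUMS = """\
a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3 *1.txt
f5ce20686a2f3201f04a309d04171ee15757f00954b33b87f3f1d36b3b0f5356 *ubuntu-14.04.5-desktop-amd64.iso
"""

# certutil -hashfile output (newer builds print the hex without spaces, older
# builds with a space between bytes; both forms are accepted below).
CERTUTIL_OUTPUT = """\
SHA256 hash of file 1.txt:
a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3
CertUtil: -hashfile command completed successfully.
"""

ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 96: "sha384", 128: "sha512"}


def parse_sums(text: str) -> dict:
    """Parse coreutils sha1sum/sha256sum output into {filename: hexdigest}."""
    expected = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*([0-9a-fA-F]+)\s+\*?(.+?)\s*", line)
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected


def parse_certutil(text: str):
    """Return (filename, algorithm, hexdigest) from certutil -hashfile output."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i, line in enumerate(lines[:-1]):
        m = re.fullmatch(r"(\w+) hash of (?:file )?(.+):", line)
        if m:
            return m.group(2), m.group(1).lower(), lines[i + 1].replace(" ", "").lower()
    raise ValueError("no certutil hash line found")


def verify(expected: dict, files: dict) -> dict:
    """Hash each named file and compare with its expected digest.
    Returns {name: True/False}; a missing file or unknown digest length is a
    failure, never a silent skip.  hmac.compare_digest avoids early-exit comparison."""
    results = {}
    for name, hexdigest in expected.items():
        algo = ALGO_BY_HEXLEN.get(len(hexdigest))
        data = files.get(name)
        if algo is None or data is None:
            results[name] = False
            continue
        actual = hashlib.new(algo, data).hexdigest()
        results[name] = hmac.compare_digest(actual, hexdigest)
    return results


if __name__ == "__main__":
    for name, ok in verify(parse_sums(SHA256SUMS), FILES).items():
        print(f"{name}: {'OK' if ok else 'FAILED'}")
    name, algo, digest = parse_certutil(CERTUTIL_OUTPUT)
    print(f"{name} ({algo} from certutil): {verify({name: digest}, FILES)[name]}")
```

The manifest is the trust anchor here, so it has to come from the vendor over a channel the attacker does not control (the Ubuntu SHA256SUMS page, or Rapid7's published hashes); a digest file generated locally from the download, as in the sha1sum step above, can only detect later corruption. Where the vendor offers both, prefer the SHA-256 manifest over SHA-1.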