6.1 Operating System Forensics Part 1 (FI)

00:01

Hey, everyone, welcome back to the course on the last module, we wrapped up our discussion on anti forensics. So again we talked about some of the goals of anti forensics for an attacker.

00:10

In this video, we're gonna start module six with operating system forensics.

00:17

So just a quick pre assessment question. As a digital forensic investigator, you should never collect volatile data. First, is that true or false?

00:26

All right, so we obviously know that's false, right? That was kind of an easy one. But we always want to collect a volatile day first. So if you remember from earlier modules, the volatile data is the data that's lost once we unplug or turn off the machine.

00:42

So speaking of volatile data, how do we collect it? Right, So we want to collect the different things, and it's not an all inclusive list, but some of the most common things to collect our system time the ram, the logged on users open files and then also the print school files.

00:57

So system time, some for ah waste. We can collect us or several different commands we can use. We can also go if it's like a proprietary software we would want to go to the website and just see, like, Hey, how do we, you know, look for the system time or even just do a quick Google search of, you know, how do we find the system time on this particular

01:15

you know, piece of software or this particular operating system that particular

01:19

A device

01:19

also 64 bit file time, which is one of the more common ones in Windows for an investigator to get so that Mexico is, uh,

01:29

designed as, ah 102nd season, 100 nanosecond

01:33

interval since January for 60 no. One at midnight. So excuse me. Basically, it's gonna be, you know, a whole bunch of numbers, and then you have to calculate out, and there's many tools that'll do that for you, but you calculate out what the actual you know, date time and ours are that we would be able to interpret. But,

01:51

um, that's ah, one of the more common ones as well.

01:53

And the 32 bit UNIX on and again, that's on Windows seconds. That's the number of seconds since January 1st, 1970 at midnight and then string format, which we see like when we log into our computer, for example. You know, we see the date in the time

02:09

so different commands we can use. And this is not an all inclusive list. There's a ton of them you can use. These are some of the most common ones that you'll find investigators using. So get system time, get system time adjustment. Get time for Matt. Said Alexandra.

02:23

Um, basically, you'll notice all these have time in them. So as a CZ, we see there s so few on your exam. If you see any of these by chance,

02:31

just look for something with time in it, and that should help you narrow down the answers.

02:38

So, Ram so a couple of tools we can use to grab RAM dump it is probably the more one of the more popular ones. And then after we do the dump it or after we dump it, right, uh, we would use the volatility framework to take a look at it.

02:53

So just a quick screen shot here of the dump. It tools what it looks like. Command line, tool,

02:58

and then same of volatility framework. Just looking at to see, like Okay, look at all the stuff we can dump out and analyze

03:05

logged on user. So a couple tools. You want to just memorize a couple ways? Excuse me? We can

03:12

grab that information that you just want to memorize for the exam. PS logged on net sessions in log own sessions.

03:20

So just a quick screenshot of each one of those.

03:23

So net sessions and their log on session.

03:27

So again, you just want to kind of memorize those three for your examination

03:31

open file. So again, another thing here where you want to just kind of memorize these and just understand them. Net file PS file utility and open file Sonett file basically opened shared files and also the file locks,

03:45

P s file utility that's regarding files were opened remotely. So just remember that keyword right there remotely and then open files a CZ. The name implies it allows you to see open files,

03:57

prints, pool file. So remember what this one? Just remember that for principal school files, it's gonna produce a graphics file as well. And that's gonna be a dot e m f. So destroy. Remember that for your examine. Also, you're gonna need to do file carving to grab these.

04:15

So this video we talked about