6.3 Operating System Forensics Part 3 (FI)

Video Transcription
Hey, everyone, welcome back to the course. So in the last video, we talked about some non-volatile data.
In this video we're going to go over some browser paths again, things like your Microsoft Edge, Google Chrome and Firefox.
So for the exam, you're just going to want to kind of memorize, and you don't necessarily need to memorize the entire path here, but just be familiar with where each browser stores certain information. So more specifically, like the cache information. So here, Microsoft Edge is going to store it under Users, and then, you know, the user name,
AppData\Local\Packages\Microsoft.MicrosoftEdge.
And then basically, you just want to kind of memorize, you know, it's MicrosoftEdge, you know, \Cache,
and then also the last browsing session. Again, similar to when we were memorizing the Windows registry stuff, just kind of the last portion of that is really what we want to focus on. It's kind of unrealistic for you to try to memorize the entire path of every single one of these. But, uh,
a more realistic aspect would be just memorizing the last few sections there. So,
you know, for example, with the cache files here on Edge, you know, memorizing, like, you know, the pound sign, exclamation, 001, backslash MicrosoftEdge backslash Cache. You know, same thing with the active browsing session: Default\Recovery\Active. So again, just kind of memorize the last half of those.
Firefox, similar thing here. You'll notice many of these look somewhat similar in structure. You know, they show you the user name, um, you know, it talks about the data, then, you know, on the local machine, then Mozilla, you know, whatever the browser is, for example, and then moving into, you know, some kind of default and then cache.
Now, the one difference here you'll notice between the cache of Firefox and the history is you'll notice the word Roaming
versus the word Local. So keep that in mind for your exam. If you see them just listing out, like, a path for a browser and saying, hey, you know, what is this showing in, like, Firefox, then, ah, those are some key words you can look at to help you differentiate between the two.
Chrome cache here, you know, again a similar type of path. You know, we go here with the user information, and then we end up with Default\Cache.
So Windows restore points. So this is something important for your exam that you'll just want to know.
So rp.log files, if you see a question about it, um, and then also the thing to remember is that these are kind of like mini snapshots, right? So they take those little, uh, quote unquote snapshots at different points on the system,
and so basically it's giving us some data. Now, they're only generally retained for, like, 90 days. So if we don't catch it in time,
that data could be lost forever. But it is something that even if the criminal is deleting stuff, they oftentimes can't, since it's stored in a place where they can't get to. Um, for the most part. There are ways to delete it, but most criminals aren't thinking to this capacity. So
keep that in mind that on a Windows machine this is one place where you may be able to grab
some good information about the files that were in existence on the machine at a certain particular date and time.
So ELF log file header. So, uh, this is something you just kind of want to be familiar with, as far as the header and signature size. So more specifically, the header size, I guess, for your exam. So this is used at the start of an event log. Basically it defines information about the event log,
some of the information that's not going to change, like the header size. So that's going to be the 0x30,
and then the signature as well,
and also the major/minor version number. So again, just kind of keep that in the back of your head for your exam, just in case you see it asked. Um, I don't know that they're going to go too in depth on this particular aspect, as there's more important topics in the material. But, um, you know, just-in-case type of thing, these are some key points that you just want to know about ELF.
Linux shell commands. So just be familiar with these, what each one stands for. So dmesg is for display messages, as you can kind of, you know, determine from the name. fsck, so that's not a typo there: file system consistency check. stat, that's going to display the file or system status. history,
that's going to list out the different bash shell commands that were used,
and then mount, as the name implies, that mounts the file system or device to the directory.
So some common Linux log files that you just want to be familiar with. If you're not a Linux person, then just be familiar with where these are. So /var/log/auth.log for authentication. The kernel's at, you know, /var/log/kern.log.
Apache, /var/log/httpd. So just keep that one in mind for your exam,
and then also system boot, /var/log/boot.log.
Mac log files. Again, you just want to kind of be familiar with where these operating systems are storing the log files. So here you've got a couple aspects, you know: /var/log for the system log folder, system application logs at /Library/Logs, and then the system log is at /var/log/system.log. So definitely keep that in mind for your exam.
So just a few quick post-assessment questions here. So for Mac computers, the system log folder is located at /var/log. Is that true or false?
All right, so we just went over that. That one is true.
Question number two here: Windows restore points are like little snapshots on a suspect's computer. Is that true or false?
All right. So that one is also true as well. Remember, those are only stored generally for about 90 days. So you want to keep that in mind as you're doing your investigation.
And then finally, question number three: in Linux, the dmesg command is used to display file or system status.
So that one is false, right? So we actually got a false one there. So if you remember, the dmesg command is for display messages, and the one that's used to display file or system status is going to be the stat, or S-T-A-T, command.
So in this video, we wrapped up our discussion on operating system forensics, and in the next video we're going to talk about network forensics.
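As an added example that is not part of the lecture or the course material, here is a small Python parser for the event log file header the speaker describes (the .evtx header whose signature is "ElfFile"): it decodes the header size, the major/minor version and the chunk count, and verifies the CRC32 that covers the header's first 120 bytes, which is how an examiner tells an intact header from an edited or damaged one. The sample header is constructed inline (not taken from any real system) using the field values documented for the format.

```python
import struct
import zlib

# Field layout of the 128-byte .evtx file header (offset, size), per the
# libevtx format documentation:
#   0x00  8  signature "ElfFile\0"      0x20  4  header size (0x80 in real files)
#   0x08  8  first chunk number         0x24  2  minor version
#   0x10  8  last chunk number          0x26  2  major version
#   0x18  8  next record identifier     0x28  2  header block size (4096)
#   0x2a  2  number of chunks, 0x2c 76 unused, 0x78 4 flags, 0x7c 4 CRC32
EVTX_SIGNATURE = b"ElfFile\x00"
HEADER_FMT = "<8sQQQIHHHH76xII"   # little-endian, 128 bytes total


def parse_evtx_header(data: bytes) -> dict:
    """Decode the header fields and verify the CRC32 of its first 120 bytes."""
    if len(data) < 128:
        raise ValueError("need at least 128 bytes of file header")
    (sig, first, last, next_id, hdr_size, minor, major,
     block_size, chunks, flags, crc) = struct.unpack(HEADER_FMT, data[:128])
    if sig != EVTX_SIGNATURE:
        raise ValueError("not an EVTX file, signature is %r" % sig)
    return {
        "signature": sig, "first_chunk": first, "last_chunk": last,
        "next_record_id": next_id, "header_size": hdr_size,
        "version": (major, minor), "block_size": block_size,
        "chunk_count": chunks, "flags": flags,
        # a CRC mismatch means the header was edited or the file is damaged
        "checksum_ok": crc == (zlib.crc32(data[:120]) & 0xFFFFFFFF),
    }


def build_sample_header(chunks: int = 2, dirty: bool = False) -> bytes:
    """Constructed sample header (not from a real system) with a valid CRC."""
    body = struct.pack("<8sQQQIHHHH76xI", EVTX_SIGNATURE, 0, chunks - 1,
                       chunks * 100, 128, 1, 3, 4096, chunks, 1 if dirty else 0)
    # the checksum covers bytes 0..119 only; flags (0x78) sit outside it
    return body + struct.pack("<I", zlib.crc32(body[:120]) & 0xFFFFFFFF)


if __name__ == "__main__":
    hdr = build_sample_header()
    print(parse_evtx_header(hdr))
    # flipping one byte inside the covered range shows up as a checksum failure
    tampered = hdr[:0x2a] + b"\x09" + hdr[0x2b:]
    print(parse_evtx_header(tampered)["checksum_ok"])   # False
```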