Forensics Wiki - User contributions [en]

Talk:Affuse

2007-05-31T20:01:46Z

Mkucenski:

Simson,
This is a very cool idea and use of Fuse. Looking forward to using the feature.

Talk:Affuse

2007-05-31T20:00:47Z

Mkucenski: New page: Simson this is a very cool idea and use of Fuse. Looking forward to using the feature.

Simson this is a very cool idea and use of Fuse. Looking forward to using the feature.

LNK

2006-09-28T15:47:23Z

Mkucenski:

Microsoft Windows Shortcut Files

== File Format ==

* TODO

== Metadata ==

* Three date/time stamps that relate to the last time the target was accessed by the given shortcut file. (More testing needs to be done to determine exactly how these date/time stamps relate to the target.)
* The size of the target when it was last accessed.
* Serial number of the local volume where the target was stored.
* Network volume share name
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes.
* TODO

== External Links ==

* [http://mitec.cz/wfa.htm Free tool that is capable of reading and reporting on Windows shortcut files]
* [http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Details of the Windows shortcut file format]

[[Category:File Formats]]

LNK

2006-09-27T22:17:24Z

Mkucenski:

Microsoft Windows Shortcut Files

== File Format ==

* TODO

== Metadata ==

* Three date/time stamps that relate to the last time the target was accessed by the given shortcut file. (More testing needs to be done to determine exactly how these date/time stamps relate to the target.)
* The size of the target when it was last accessed.
* Serial number of the local volume where the target was stored.
* Network volume share name
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes.
* TODO

== External Links ==

* [http://mitec.cz/wfa.htm Free tool that is capable of reading on reporting on Windows shortcut files]
* [http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Details of the Windows shortcut file format]

[[Category:File Formats]]

LNK

2006-09-27T22:16:10Z

Mkucenski:

{{Wikify}}

Microsoft Windows Shortcut Files

== File Format ==

* TODO

== Metadata ==

* Three date/time stamps that relate to the last time the target was accessed by the given shortcut file. (More testing needs to be done to determine exactly how these date/time stamps relate to the target.)
* The size of the target when it was last accessed.
* Serial number of the local volume where the target was stored.
* Network volume share name
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes.
* TODO

== External Links ==

* [http://mitec.cz/wfa.htm Free tool that is capable of reading on reporting on Windows shortcut files]
* [http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Details of the Windows shortcut file format]

[[Category:File Formats]]

LNK

2006-09-27T22:15:13Z

Mkucenski:

{{Wikify}}

MS Windows Shortcut Files

== File Format ==

* TODO

== Metadata ==

* Three date/time stamps that relate to the last time the target was accessed by the given shortcut file. (More testing needs to be done to determine exactly how these date/time stamps relate to the target.)
* The size of the target when it was last accessed.
* Serial number of the local volume where the target was stored.
* Network volume share name
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes.
* TODO

== External Links ==

* [http://mitec.cz/wfa.htm Free tool that is capable of reading on reporting on Windows shortcut files]
* [http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Details of the Windows shortcut file format]

[[Category:File Formats]]

LNK

2006-09-27T22:13:32Z

Mkucenski:

{{Wikify}}

MS Windows Shortcut Files

In addition the target file, Windows shortcut files contain several interesting pieces of information that include:

* Three date/time stamps that relate to the last time the target was accessed by the given shortcut file. (More testing needs to be done to determine exactly how these date/time stamps relate to the target.)
* The size of the target when it was last accessed.
* Serial number of the local volume where the target was stored.
* Network volume share name
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes.

== File Format ==

* TODO

== External Links ==

* [http://mitec.cz/wfa.htm Free tool that is capable of reading on reporting on Windows shortcut files]
* [http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Details of the Windows shortcut file format]

[[Category:File Formats]]

LNK

2006-09-27T22:12:38Z

Mkucenski:

{{Wikify}}

MS Windows Shortcut Files

In addition the target file, Windows shortcut files contain several interesting pieces of information that include:

* Three date/time stamps that relate to the last time the target was accessed by the given shortcut file. (More testing needs to be done to determine exactly how these date/time stamps relate to the target.)
* The size of the target when it was last accessed.
* Serial number of the local volume where the target was stored.
* Network volume share name
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes.

== External Links ==

* [http://mitec.cz/wfa.htm Free tool that is capable of reading on reporting on Windows shortcut files]
* [http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Details of the Windows shortcut file format]

[[Category:File Formats]]

LNK

2006-09-27T22:12:12Z

Mkucenski:

{{Wikify}}

MS Windows Shortcut Files

In addition the target file, Windows shortcut files contain several interesting pieces of information that include:

* Three date/time stamps that relate to the last time the target was accessed by the given shortcut file. (More testing needs to be done to determine exactly how these date/time stamps relate to the target.)
* The size of the target when it was last accessed.
* Serial number of the local volume where the target was stored.
* Network volume share name
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes.

== External Links ==

* [http://mitec.cz/wfa.htm Free tool that is capable of reading on reporting on Windows shortcut files]
* [http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Details of Windows shortcut file format]

[[Category:File Formats]]

LNK

2006-09-27T22:11:47Z

Mkucenski:

{{Wikify}}

MS Windows Shortcut Files

In addition the target file, Windows shortcut files contain several interesting pieces of information that include:

* Three date/time stamps that relate to the last time the target was accessed by the given shortcut file. (More testing needs to be done to determine exactly how these date/time stamps relate to the target.)
* The size of the target when it was last accessed.
* Serial number of the local volume where the target was stored.
* Network volume share name
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes.

== External Links ==

* [http://mitec.cz/wfa.htm Free tool that is capable of reading on reporting on Windows shortcut files]
Specific can be found here:
* [http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Details of Windows shortcut file format]

[[Category:File Formats]]

LNK

2006-09-27T22:10:19Z

Mkucenski:

{{Wikify}}

MS Windows Shortcut Files

In addition the target file, Windows shortcut files contain several interesting pieces of information that include:

* Three date/time stamps that relate to the last time the target was accessed by the given shortcut file. (More testing needs to be done to determine exactly how these date/time stamps relate to the target.)
* The size of the target when it was last accessed.
* Serial number of the local volume where the target was stored.
* Network volume share name
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes.

== External Links ==
* [http://mitec.cz/wfa.htm Free tool that is capable of reading on reporting on Windows shortcut files]
Specific details of .lnk shortcut files can be found here:
[http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Windows Shortcut File Format]

[[Category:File Formats]]

LNK

2006-09-27T22:08:33Z

Mkucenski:

{{Wikify}}

MS Windows Shortcut Files

In addition the target file, Windows shortcut files contain several interesting pieces of information that include:

* Three date/time stamps that relate to the last time the target was accessed by the given shortcut file. (More testing needs to be done to determine exactly how these date/time stamps relate to the target.)
* The size of the target when it was last accessed.
* Serial number of the local volume where the target was stored.
* Network volume share name
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes.

==External Links==
Specific details of .lnk shortcut files can be found here:
[http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Windows Shortcut File Format]

[[Category:File Formats]]

Windows Registry

2006-04-21T14:25:47Z

Mkucenski:

* [http://www.answers.com/topic/win-registry Windows Registry Information]
* [http://groups.yahoo.com/group/urfg/ Yahoo Group on using the Windows Registry in Forensics]

Windows Registry

2006-04-21T14:25:25Z

Mkucenski:

* [http://www.answers.com/topic/win-registry Windows Registry Information]
* [http://groups.yahoo.com/group/urfg/ Yahoo Groups on using the Windows Registry in Forensics]

Windows Registry

2006-04-21T14:25:08Z

Mkucenski: Documenting a couple of good links on this subject until someone has time to write a more detailed entry.

[http://www.answers.com/topic/win-registry Windows Registry Information]
[http://groups.yahoo.com/group/urfg/ Yahoo Groups on using the Windows Registry in Forensics]

Windows

2006-04-21T14:23:11Z

Mkucenski: Changed registry link to clarify that it is the *Windows* registry we are talking about.

'''Windows''' is a widely-spread [[operating system]] from [[Microsoft]].

== Forensics ==

=== Filesystems ===

[[FAT]], [[NTFS]], ...

=== Registry ===

The [[Windows Registry]] of a system is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.

=== Thumbs.db Files ===

[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the [[investigator]].

=== Browser Cache ===

=== Browser History ===

== External Links ==

* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]

Locard's exchange principle

2006-03-30T19:28:21Z

Mkucenski:

[http://en.wikipedia.org/wiki/Locard's_exchange_principle Locard's exchange principle]

User:Mkucenski

2006-03-24T15:01:59Z

Mkucenski:

== About ==
Name: Matt Kucenski

Email: mkucenski_at_mac.com

== License ==
I hereby license all my contributions to this wiki (before and after March 19th, 2006) under the [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons Attribution-ShareAlike 2.5] license.

User:Mkucenski

2006-03-24T15:01:07Z

Mkucenski:

== About ==
Matt Kucenski

mkucenski_at_mac.com

== License ==
I hereby license all my contributions to this wiki (before and after March 19th, 2006) under the [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons Attribution-ShareAlike 2.5] license.

User:Mkucenski

2006-03-24T15:00:16Z

Mkucenski:

Matt Kucenski

mkucenski_at_mac.com

I hereby license all my contributions to this wiki (before and after March 19th, 2006) under the [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons Attribution-ShareAlike 2.5] license.

User:Mkucenski

2006-03-24T15:00:02Z

Mkucenski:

User:Mkucenski

2006-03-24T14:58:56Z

Mkucenski:

User:Mkucenski

2006-03-24T14:58:45Z

Mkucenski:

Talk:Windows Event Log (EVT)

2006-03-15T20:31:45Z

Mkucenski:

ASchuster: Can you provide the source of your information on the header, cursor, retention, etc? If MSDN has this information, a link to it should be included in this page.

This information was obtained through extensive testing. As fas as I know the only information available on MSDN is the declaration of the event record. --ASchuster

Well then thank you for your efforts. I've just been ignoring the header/cursor as an invalid EVENTLOGRECORD and reading all of the rest of the records out. --MKucenski

Does your tool parse a split event record properly? Think of a record in a wrapped log file that starts at the (physical) end and continues near the top (right after the header). There might be even some padding in between of the two fragments. --ASchuster

The tool I am currently using is fairly primitive. I am basically searching the file for 'LfLe', reading the record out, then searching for the next 'LfLe'. Is it even possible to split a record? I have not seen that situation, but also have not been looking for it. It seems like this would cause havoc, especially for things like the data and string offsets within the record that are relative to the start of the record. --[[User:Mkucenski|Mkucenski]] 15:31, 15 March 2006 (EST)

== WikiMarkup for tables? ==

Is it possible to typeset tables in MediaWiki? I'm only used to DokuWiki and didn't find any information in the help. --ASchuster

Talk:Windows Event Log (EVT)

2006-03-15T20:31:16Z

Mkucenski:

ASchuster: Can you provide the source of your information on the header, cursor, retention, etc? If MSDN has this information, a link to it should be included in this page.

This information was obtained through extensive testing. As fas as I know the only information available on MSDN is the declaration of the event record. --ASchuster

Well then thank you for your efforts. I've just been ignoring the header/cursor as an invalid EVENTLOGRECORD and reading all of the rest of the records out. --MKucenski

Does your tool parse a split event record properly? Think of a record in a wrapped log file that starts at the (physical) end and continues near the top (right after the header). There might be even some padding in between of the two fragments. --ASchuster

The tool I am currently using is fairly primitive. I am basically searching the file for 'LfLe', reading the record out, then searching for the next 'LfLe'. Is it even possible to split a record? I have not seen that situation, but also have not been looking for it. It seems like this would cause havoc, especially for things like the data and string offsets within the record that are relative to the start of the record.

== WikiMarkup for tables? ==

Is it possible to typeset tables in MediaWiki? I'm only used to DokuWiki and didn't find any information in the help. --ASchuster

Talk:Windows Event Log (EVT)

2006-03-15T18:52:55Z

Mkucenski:

User:Mkucenski

2006-03-15T16:34:07Z

Mkucenski:

Matt Kucenski

mkucenski_at_mac.com

User:Mkucenski

2006-03-15T16:34:00Z

Mkucenski:

Matt Kucenski
mkucenski_at_mac.com

Talk:Windows Event Log (EVT)

2006-03-15T15:23:59Z

Mkucenski:

ASchuster: Can you provide the source of your information on the header, cursor, retention, etc? If MSDN has this information, a link to it should be included in this page.

Talk:Windows Event Log (EVT)

2006-03-15T13:59:57Z

Mkucenski:

ASchuster: Can you provide the source of your information on the header, cursor, retention, etc? I'm not quite clear on how this information is laid out. If MSDN has this information, a link to it should be included in this page.

Windows Event Log (EVT)

2006-03-13T19:29:30Z

Mkucenski:

MS Windows Event Log Files

Windows typically maintains three event log files: application, system, and security. They are generally found in C:\Windows\system32\config.

Details of .evt file format can be found in Microsoft's MSDN library under [http://msdn.microsoft.com/library/default.asp?url=/library/en-us/eventlog/base/eventlogrecord_str.asp EVENTLOGRECORD].

Windows Event Log (EVT)

2006-03-13T19:29:03Z

Mkucenski:

MS Windows Event Log Files

Windows typically maintains three event log files: application, system, and security. They are generally found in C:\Windows\system32\config.

Details of .evt file format can be found in Microsoft's MSDN library under 'EVENTLOGRECORD'
[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/eventlog/base/eventlogrecord_str.asp EVENTLOGRECORD]

Windows Event Log (EVT)

2006-03-13T19:28:54Z

Mkucenski:

MS Windows Event Log Files

Windows typically maintains three event log files: application, system, and security. They are generally found in C:\Windows\system32\config.

Details of .evt file format can be found in Microsoft's MSDN library under 'EVENTLOGRECORD'
[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/eventlog/base/eventlogrecord_str.asp EVENTLOGRECORD]

LNK

2006-03-13T19:24:50Z

Mkucenski:

MS Windows Shortcut Files

In addition the target file, Windows shortcut files contain several interesting pieces of information that include:

* Three date/time stamps that relate to the last time the target was accessed by the given shortcut file. (More testing needs to be done to determine exactly how these date/time stamps relate to the target.)
* The size of the target when it was last accessed.
* Serial number of the local volume where the target was stored.
* Network volume share name
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes.

Specific details of .lnk shortcut files can be found here:
[http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Windows Shortcut File Format]

LNK

2006-03-13T19:24:41Z

Mkucenski:

LNK

2006-03-13T19:23:50Z

Mkucenski:

MS Windows Shortcut Files

In addition the target file, Windows shortcut files contain several interesting pieces of information that include:

* Three date/time stamps that relate to the last time the target was accessed by the given shortcut file. (More testing needs to be done to determine exactly how these date/time stamps relate to the target.)
* The size of the target when it was last accessed.
* Serial number of the local volume where the target was stored.
* Network volume share name
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes.

[http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Windows Shortcut File Format]

Windows Event Log (EVT)

2006-03-13T18:41:21Z

Mkucenski:

Windows Event Log Files