Difference between pages "Windows" and "Belkasoft"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
m (small updates)
 
Line 1: Line 1:
{{Expand}}
+
'''About Belkasoft'''
  
'''Windows''' is a widely-spread [[operating system]] from [[Microsoft]].
+
Belkasoft is a computer and mobile phone forensic software manufacturer since 2002. The company develops a range of forensic products aimed at law enforcement officials, investigators and experts in IT security and intelligence. The company delivers solutions that work right out of the box, without requiring a steep learning curve or any specific skills to operate
  
There are 2 main branches of Windows:
+
'''Products'''
* the DOS-branch: i.e. Windows 95, 98, ME
+
* the NT-branch: i.e. Windows NT 4, XP, Vista
+
  
== Features ==
+
The company’s flagship product is '''Belkasoft Evidence Center''', an all-in-one solution for searching, analysing, managing and sharing digital evidence discovered on suspects’ hard drives and RAM. Supported types of evidence include information found in instant messenger logs, internet browser histories, mailboxes of popular email clients, social network remnants, peer-to-peer data, multi-player game chats, office documents, pictures, videos, encrypted files, mobile backups and system files. Belkasoft Evidence Center is available in four major editions: Chat Analyzer, Chat & Social Analyzer, Professional, and Ultimate. The fifth Enterprise edition brings in centralized evidence processing with server-based operation and user-level permission management. A Portable edition requiring no installation and running off a USB pen drive is also available.
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]
+
  
=== Introduced in Windows NT ===
+
'''Belkasoft Forgery Detection''' offers the ability to discover digital pictures that were altered, modified or otherwise manipulated. The tool applies a range of image analysis algorithms and a decisive neural network to produce a single numeric estimate of images’ authenticity.
* [[NTFS]]
+
  
=== Introduced in Windows 2000 ===
+
In addition to commercial products, Belkasoft offers a range of free forensic tools.
  
=== Introduced in Windows XP ===
+
'''Belkasoft Facebook Profile Saver''' captures information publicly available in Facebook profiles. This small utility is designed for computer forensic and security specialists who need to automate the downloading of Facebook pages to their local computers. A local copy of public Facebook pages may be required for performing investigations and/or presented as court evidence.
* [[Prefetch]]
+
* System Restore (Restore Points); also present in Windows ME
+
  
==== SP2 ====
+
'''Belkasoft Live RAM Capturer''' is a tiny free forensic tool to reliably extract the entire content of the computer's volatile memory - even if protected by an active anti-debugging or anti-dumping system. Separate 32-bit and 64-bit builds are available in order to minimize the tool's footprint as much as possible. Memory dumps captured with Belkasoft Live RAM Capturer can be analyzed with any forensic tool including Live RAM Analysis in Belkasoft Evidence Center.
* Windows Firewall
+
  
=== Introduced in Windows Server 2003 ===
+
'''Belkasoft Evidence Reader''' enables Evidence Center users to share evidence collected with the main suite. Users of Evidence Reader can access evidence collected during an investigation from any computer, even if Belkasoft Evidence Center is not installed on that PC.
* Volume Shadow Copies
+
  
=== Introduced in [[Windows Vista]] ===
+
'''Customer Base'''
* [[BitLocker Disk Encryption | BitLocker]]
+
* [[Windows Desktop Search | Search]] integrated in operating system
+
* [[ReadyBoost]]
+
* [[SuperFetch]]
+
* [[NTFS|Transactional NTFS (TxF)]]
+
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
+
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
+
* $Recycle.Bin
+
* [[Windows XML Event Log (EVTX)]]
+
* [[User Account Control (UAC)]]
+
  
=== Introduced in Windows Server 2008 ===
+
Belkasoft customers include government and private organizations in more than 60 countries, including the FBI, US Army, DHS, police departments in Germany, Norway, Australia and New Zealand, PricewaterhouseCoopers, and Ernst & Young.
  
=== Introduced in [[Windows 7]] ===
+
'''Credentials'''
* [[BitLocker Disk Encryption | BitLocker To Go]]
+
* [[Jump Lists]]
+
* [[Sticky Notes]]
+
  
=== Introduced in [[Windows 8]] ===
+
Belkasoft D-U-N-S number is 683524694.
* [[Windows File History | File History]]
+
Belkasoft NATO Commercial and Government Entity (NCAGE, also CAGE) code is SKF09.
* [[Windows Storage Spaces | Storage Spaces]]
+
Belkasoft is also registered within Central Contractor Registration (CCR), ORCA and WAWF.
* [[Search Charm History]]
+
Belkasoft is a registered trademark.
* [[Resilient File System (ReFS)]]; Was initially available in the Windows 8 server edition.
+
 
+
=== Introduced in Windows Server 2012 ===
+
* [[Resilient File System (ReFS)]]
+
 
+
== Forensics ==
+
 
+
=== Partition layout ===
+
Default partition layout, first partition starts:
+
* at sector 63 in Windows 2000, XP, 2003
+
* at sector 2048 in Windows Vista, 2008, 7
+
 
+
=== Filesystems ===
+
* [[FAT]], [[FAT|exFAT]]
+
* [[NTFS]]
+
* [[Resilient File System (ReFS) | ReFS]]
+
 
+
=== Recycle Bin ===
+
 
+
==== RECYCLER ====
+
Used by Windows 2000, XP.
+
Uses INFO2 file.
+
 
+
See: [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf]
+
 
+
==== $RECYCLE.BIN ====
+
Used by Windows Vista.
+
Uses $I and $R files.
+
 
+
See: [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf]
+
 
+
=== Registry ===
+
 
+
The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.
+
 
+
=== Thumbs.db Files ===
+
 
+
[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the [[investigator]].
+
 
+
See also: [[Vista thumbcache]].
+
 
+
=== Browser Cache ===
+
 
+
=== Browser History ===
+
 
+
The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]] but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].
+
 
+
=== Search ===
+
See [[Windows Desktop Search]]
+
 
+
=== Setup log files (setupapi.log) ===
+
Windows Vista introduced several setup log files [http://support.microsoft.com/kb/927521].
+
 
+
=== Sleep/Hibernation ===
+
 
+
After (at least) Windows 7 recovers from sleep/hibernation there often is a system time change event (event id 1) in the event logs.
+
 
+
=== Users ===
+
Windows stores a users Security identifiers (SIDs) under the following registry key:
+
<pre>
+
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
+
</pre>
+
 
+
The %SID%\ProfileImagePath value should also contain the username.
+
 
+
=== Windows Error Reporting (WER) ===
+
 
+
As of Vista, for User Access Control (UAC) elevated applications WER reports can be found in:
+
<pre>
+
C:\ProgramData\Microsoft\Windows\WER\
+
</pre>
+
 
+
As of Vista, for non-UAC elevated applications (LUA) WER reports can be found in:
+
<pre>
+
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\
+
</pre>
+
 
+
Corresponding registry key:
+
<pre>
+
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
+
</pre>
+
 
+
== Advanced Format (4KB Sector) Hard Drives ==
+
Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].
+
 
+
== %SystemRoot% ==
+
The actual value of %SystemRoot% is store in the following registry value:
+
<pre>
+
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
+
Value: SystemRoot
+
</pre>
+
 
+
== See Also ==
+
* [[Windows Event Log (EVT)]]
+
* [[Windows XML Event Log (EVTX)]]
+
* [[Windows Vista]]
+
* [[Windows 7]]
+
* [[Windows 8]]
+
  
 
== External Links ==
 
== External Links ==
 +
* [http://belkasoft.com/ Official website]
  
* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
 
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
 
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
 
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
 
* [http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf Spotting the Adversary with Windows Event Log Monitoring], by National Security Agency/Central Security Service, February 28, 2013
 
* [http://www.swiftforensics.com/2014/04/search-history-on-windows-8-and-81.html?m=1 Search history on Windows 8 and 8.1], by [[Yogesh Khatri's]], April 1, 2014
 
 
=== Malware/Rootkits ===
 
* [http://forensicmethods.com/inside-windows-rootkits Inside Windows Rootkits], by [[Chad Tilbury]], September 4, 2013
 
 
=== Program execution ===
 
* [http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html HowTo: Determine Program Execution], by [[Harlan Carvey]], July 06, 2013
 
* [http://journeyintoir.blogspot.com/2014/01/it-is-all-about-program-execution.html It Is All About Program Execution], by [[Corey Harrell]], January 14, 2014
 
* [http://sysforensics.org/2014/01/know-your-windows-processes.html Know your Windows Processes or Die Trying], by [[Patrick Olsen]], January 18, 2014
 
 
=== Tracking removable media ===
 
* [http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html Tracking USB First insertion in Event logs], by Yogesh Khatri, August 18, 2012
 
 
=== Under the hood ===
 
* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
 
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
 
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
 
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
 
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]
 
 
==== MSI ====
 
* [http://blogs.msdn.com/b/heaths/archive/2009/02/02/changes-to-package-caching-in-windows-installer-5-0.aspx?Redirected=true Changes to Package Caching in Windows Installer 5.0], by Heath Stewart, February 2, 2009
 
* [http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/ MSI: The Case Of The Invalid Signature], by Didier Stevens, July 26, 2013
 
 
==== Side-by-side (WinSxS) ====
 
* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
 
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
 
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
 
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
 
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
 
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
 
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]
 
* [http://www.fireeye.com/resources/pdfs/fireeye-dll-sideloading.pdf DLL Side-loading: A Thorn in the Side of the Anti-Virus Industry], by Amanda Stewart, April 2014
 
 
==== Application Experience and Compatibility ====
 
* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
 
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
 
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatilibity Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
 
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatilibity Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
 
* [https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012
 
* [http://journeyintoir.blogspot.ch/2013/12/revealing-recentfilecachebcf-file.html Revealing the RecentFileCache.bcf File], by [[Corey Harrell]], December 2, 2013
 
* [http://journeyintoir.blogspot.ch/2013/12/revealing-program-compatibility.html Revealing Program Compatibility Assistant HKCU AppCompatFlags Registry Keys], by [[Corey Harrell]], December 17, 2013
 
 
==== System Restore (Restore Points) ====
 
* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
 
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
 
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]],  June 16, 2007
 
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
 
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]
 
 
==== Crash dumps ====
 
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Technet: Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
 
* [http://support.microsoft.com/kb/315263 MSDN: How to read the small memory dump file that is created by Windows if a crash occurs], by [[Microsoft]]
 
 
==== RPC ====
 
* [http://blogs.technet.com/b/networking/archive/2008/10/24/rpc-to-go-v-1.aspx RPC to Go v.1], by Michael Platts, October 24, 2008
 
* [http://blogs.technet.com/b/networking/archive/2008/12/04/rpc-to-go-v-2.aspx RPC to Go v.2], by Michael Platts, December 4, 2008
 
 
==== User Account Control (UAC) ====
 
* [http://blog.strategiccyber.com/2014/03/20/user-account-control-what-penetration-testers-should-know/ User Account Control – What Penetration Testers Should Know], by Raphael Mudge, March 20, 2014
 
 
==== Windows Event Logs ====
 
* [http://journeyintoir.blogspot.ch/2014/03/exploring-program-inventory-event-log.html Exploring the Program Inventory Event Log], by [[Corey Harrell]], March 24, 2014
 
 
==== Windows Scripting Host ====
 
* [https://www.mandiant.com/blog/ground-windows-scripting-host-wsh/ Going To Ground with The Windows Scripting Host (WSH)], by Devon Kerr, February 19, 2014
 
 
==== USB ====
 
* [https://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf USBKEY Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009
 
* [https://blogs.sans.org/computer-forensics/files/2009/09/USB_Drive_Enclosure-Guide.pdf USB Drive Enclosure Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009
 
 
==== WMI ====
 
* [http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf Understanding WMI Malware], by Julius Dizon, Lennard Galang, and Marvin Cruz, July 2010
 
 
==== Windows Error Reporting (WER) ====
 
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
 
* [http://journeyintoir.blogspot.ch/2014/02/exploring-windows-error-reporting.html Exploring Windows Error Reporting], by [[Corey Harrell]], February 24, 2014
 
 
==== Windows Firewall ====
 
* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
 
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]
 
 
==== Windows 32-bit on Windows 64-bit (WoW64) ====
 
* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]
 
 
=== Windows XP ===
 
* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]
 
  
[[Category:Operating systems]]
+
[[Category:Vendors]]
[[Category:Windows]]
+

Latest revision as of 10:21, 8 June 2014

About Belkasoft

Belkasoft is a computer and mobile phone forensic software manufacturer since 2002. The company develops a range of forensic products aimed at law enforcement officials, investigators and experts in IT security and intelligence. The company delivers solutions that work right out of the box, without requiring a steep learning curve or any specific skills to operate

Products

The company’s flagship product is Belkasoft Evidence Center, an all-in-one solution for searching, analysing, managing and sharing digital evidence discovered on suspects’ hard drives and RAM. Supported types of evidence include information found in instant messenger logs, internet browser histories, mailboxes of popular email clients, social network remnants, peer-to-peer data, multi-player game chats, office documents, pictures, videos, encrypted files, mobile backups and system files. Belkasoft Evidence Center is available in four major editions: Chat Analyzer, Chat & Social Analyzer, Professional, and Ultimate. The fifth Enterprise edition brings in centralized evidence processing with server-based operation and user-level permission management. A Portable edition requiring no installation and running off a USB pen drive is also available.

Belkasoft Forgery Detection offers the ability to discover digital pictures that were altered, modified or otherwise manipulated. The tool applies a range of image analysis algorithms and a decisive neural network to produce a single numeric estimate of images’ authenticity.

In addition to commercial products, Belkasoft offers a range of free forensic tools.

Belkasoft Facebook Profile Saver captures information publicly available in Facebook profiles. This small utility is designed for computer forensic and security specialists who need to automate the downloading of Facebook pages to their local computers. A local copy of public Facebook pages may be required for performing investigations and/or presented as court evidence.

Belkasoft Live RAM Capturer is a tiny free forensic tool to reliably extract the entire content of the computer's volatile memory - even if protected by an active anti-debugging or anti-dumping system. Separate 32-bit and 64-bit builds are available in order to minimize the tool's footprint as much as possible. Memory dumps captured with Belkasoft Live RAM Capturer can be analyzed with any forensic tool including Live RAM Analysis in Belkasoft Evidence Center.

Belkasoft Evidence Reader enables Evidence Center users to share evidence collected with the main suite. Users of Evidence Reader can access evidence collected during an investigation from any computer, even if Belkasoft Evidence Center is not installed on that PC.

Customer Base

Belkasoft customers include government and private organizations in more than 60 countries, including the FBI, US Army, DHS, police departments in Germany, Norway, Australia and New Zealand, PricewaterhouseCoopers, and Ernst & Young.

Credentials

Belkasoft D-U-N-S number is 683524694. Belkasoft NATO Commercial and Government Entity (NCAGE, also CAGE) code is SKF09. Belkasoft is also registered within Central Contractor Registration (CCR), ORCA and WAWF. Belkasoft is a registered trademark.

External Links