How to perform a forensic PC investigation

When you have a technical interest in Windows or PCs in general, there are few things as fascinating as a good computer forensics package. 


This is partly because they're an excellent way to check exactly how someone is using a computer – the files they're accessing, the websites they're viewing and any information they may be trying to hide. It's a little sneaky, but if you have suspicions that, for example, an employee is doing something they shouldn't on a work PC, then this could prove very useful.


However, forensics programs also offer many other applications. They can help you recover deleted files, uncover even the stealthiest of malware, troubleshoot all kinds of PC problems, learn more about how Windows and your applications work, and let you pretend you're in your hometown's own version of CSI – perhaps.


This normally comes at a huge cost, with the top forensics packages running to thousands of pounds, but now there's a rare exception. PassMark Software has released a beta of a new package, OSForensics, which you can download for free and use until July 2011. 

Despite being a beta, OSForensics is already fast, generally reliable, and packed with a host of useful features, so there's never been a better time to find out what forensics software can do for you.

Recent activity
Checking up on how other people are using your PC sounds a little morally dubious, but if you believe that they're engaged in activities you don't approve of – and maybe trying to hide them from you – then it seems to us that you're entitled to try to discover the truth. OSForensics can help you accomplish this in several ways.

Launch the program, taking care to give it administrator rights if you're running Windows Vista or 7 (right-click the shortcut and select 'Run as administrator'). Click the 'Recent activity' tab on the left-hand menu. 

Accept all the default settings for the time being, click 'Scan' and, after a moment, OSForensics will list details relating to websites you've visited, files you've downloaded, documents you've opened, USB flash drives that have been attached to your PC, wireless networks that you've accessed (if appropriate) and more.

Some of this information is available from other sources. It's not difficult to browse through your web browser's history, for example, or check any cookies that have been downloaded, but other details are more unusual. If you're investigating a work PC, for instance, you could view the USB details to see if someone may be attaching unauthorised drives, perhaps in order to steal data. 

Filter scan results
There's a definite advantage in having every detail available in a single interface though, and it's filterable, too. If you only want to look at the files that have been downloaded, for example, you can do this by selecting 'Downloads' from the 'Show Only' list. 

If you're only interested in the events of the last week, select 'Search date range only', change the 'From' and 'To' dates accordingly, and then scan your system again. 

If you click the 'Timeline' view, you'll see a classic timeline graph that enables you zoom in on a period of interest. You can click a year, a month or a day, then drill right down to the activities during that period. Right-click to export the results that interest you in CSV, HTML or TXT format.

The majority of forensic packages provide easy ways to search a hard drive beyond any system that might currently be installed (such as Windows Search), and OSForensics is no exception.
Click the 'Create index' tab, for instance, and you'll be able to choose a start folder that defines the file structure you'd like to search. Any subfolders will be included automatically, so to search the entire C: drive, you would simply specify 'C:\'.
It may take a very long time to index the whole drive, so if you only want to search for something in the Documents folder, browse to 'C:\Users\[Name]\My Documents' instead.



forensic search
SEE HERE: Thumbnail previews are available in searches, making it easy to find anyimages you need, such as photos you've deleted and want to restore

The indexing is tool is already comprehensive, but you can make it even more so with a few extra tweaks. Click 'Config', then select both 'Scan files with no extensions' and 'Scan files with unknown extensions' to try to uncover content that other tools might miss. Then choose 'Files and unallocated sectors' to look for content in files that may have been deleted. 

When you've finished, click 'Create index', then leave the program for a while. It will have to scan a huge number of files and the process will therefore take some time to complete.

It's worth the effort though, because when it's finished, you can use the 'Search index' tab to enter your key words and pull up matching files, images, emails and more almost immediately, including content that wouldn't necessarily be available if you used Windows search alone. 

Deleted files search
If you're especially interested in deleted files, there's no need to spend lots of time performing unallocated sector searches. Just click the 'Deleted files search' tab and you'll find that OSForensics comes packaged with its own easy to use, built-in undelete tool.

The tool may appear confusing at first, but is straightforward if you understand how it works. On our test PC, for instance, the deleted files search announced that it would, by default, search the disk '\\. \PhysicalDrive0' – which, if you're used to Windows drive letters, isn't exactly clear. 

It's not that bad, though. All '\\. \PhysicalDrive0' means is that the program will search all the partitions on your first physical drive, however many there may be. If you want to restrict your search to a particular partition, then select it from the list, which for us produced something like '\\. \PhysicalDrive0: Partition 0, C: [931.21GB NTFS'. Rather lengthy, but you'll know what it means.

When you're finished, click 'Search', and the program will produce a list of all the deleted files it's found almost instantly. If you know what you're looking for, enter all or a part of the file name in the 'Filter string' box, and click 'Apply filter' to display only matching files. (You can also filter by multiple file specifications if you separate them with semi-colons, such as '*.gif;*.xls'.)

forensic undelete
BACK FROM THE DEAD: A simple Undelete tool enables you to view and recover deleted files

What the report won't give you, unfortunately, is any preview thumbnails, so if you're looking for images then you won't be able to spot them at a glance. However, if you suspect you've found the right file, then OSForensics can usually display it for you. Simply right-click it, select 'View with internal viewer', and the program will display the image. Not the right one? Use the 'Back' and 'Forward' buttons to step through the list. 

When you've found what you need, right-click the file and use one of the 'Save' options to bring it back from the dead.

Signatures
One particularly interesting feature of OSForensics is its ability to create a signature of a particular set of files, folders, or an entire hard drive. You could create one signature now, for example, and another tomorrow, then use the program's 'Compare signature' option to show you everything that's been changed – that's new and modified files.

This clearly has all kinds of applications. You might use it to highlight changes another user has made to your PC. You could also compare signatures taken before and after installing an application to view the changes that it's made to your PC. 

What about creating a signature of your Windows folder, then looking for changes that could indicate malware? Then you might create a signature of your entire system partition every day, then compare it to the previous version and look for unusual activity – whether it's malware or just applications that are creating unnecessary files.

Whatever your reasons, this is definitely worth trying and is very easy to do. Just click 'Create signature', then specify the starting folder for whatever you'd like to scan (try an entire drive to begin with), and click 'Start'. The process only takes a few seconds to complete, and you can save the results to your desktop. 

Open a browser window and visit a site or two, then switch back to OSForensics and click 'Start' again to create a second signature of the same area. Finally, click 'Compare signature', point OSForensics to the two signature files and let it highlight the differences. 

It's quick, easy to use, and can be very informative.

Our favourite OSForensics feature, for its sheer originality, is the Mismatch File Search. The core idea is a simple one. All you have to do is point the program at a starting folder – 'C:\' , say – then click 'Scan'.
The program will begin to scan your files, looking for any where the content doesn't match the extension. This might uncover all kinds of odd behaviour. If another user of your PC has renamed some videos to have ZIP extensions, for example, then the Mismatch File Search will reveal what's going on. 

If a piece of malware has renamed key executables to an apparently harmless TXT extension, then again, this OSForensics report will highlight the change.

What's in a format
More generally, you'll discover the real file formats behind many of your applications. The program revealed that our old Empire Earth '.ee3sav' save game files were actually ZIP files, and that CyberLink's '.thl' files were PNG thumbnails – information that could come in very handy if these files were ever corrupted and we needed to make manual repairs.

In our experience, the file search can be an extremely revealing look at what's really going on with your PC. The same can be said of almost all of OSForensics' utilities – the program has many possible applications, and there's no telling what it might be able to do for you until you try it. 

So give it a try – download a copy, explore the functions and see what this excellent forensics package can uncover about your computer, its software and users. 



轉自http://www.techradar.com/news/computing/pc/how-to-perform-a-forensic-pc-investigation-923706?artc_pg=2

0 意見: