DO DIGITAL FORENSIC OF ANY WINDOWS MACHINE WITH DFIRTRIAGE FORENSIC TO

Views:
 
     
 

Presentation Description

Now we can do Digital forensic on any windows machine by using this Dfirtriage Forensic tool. We use this tool on compromised windows machine to verify whether any malware or any payload is running on the machine, or hacker might have installed Rootkit on your Windows machine. This will scan the complete windows machine and generates a report file for the end user. This tool is built on python language.

Comments

Presentation Transcript

slide 1:

DO DIGITAL FORENSIC OF ANY WINDOWS MACHINE WITH DFIRTRIAGE FORENSIC TOOL INTRODUCTION Now we can do Digital forensic on any windows machine by using this Dfirtriage Forensic tool. We use this tool on compromised windows machine to verify whether any malware or any payload is running on the machine or hacker might have installed Rootkit on your Windows machine. This will scan the complete windows machine and generates a report file for the end user. This tool is built on python language. ENVIRONMENT  OS: Microsoft Windows Version 10.0.18363.836  PROCESSOR_ARCHITECTURE : AMD64 INSTALLATION STEPS  Use this link to download the Dfirtriage tool https://github.com/travisfoley/dfirtriage/archive/master.zip and extract the file.  Next copy the file path and open the command prompt with administrator privileges. Move to file path using the cd command.  Now launch the tool by executing this command DFItriage.exe

slide 2:

 This tool is single command execution tool

slide 4:

 After firing this command it starts collecting all the system data like system information Network information Powershell command history NetBIOS information System32 and converts system files into hash files.  After complete scanning it will generate a report in zip format. When we extract the report file we can find four different files Forensic Images LiveResponseData.Zip Triage file collection hashlist.cvs and Triage into.txt.  Now Extract the LiveResponseData file to view the data files.

slide 5:

 Here we can see the complete reports of our system logs.  Basic Info: In the Basic info we can find the information about our system information like Windows Defender Antivirus details RTP Real-Time Transport protocol details RTP is used for communication purpose MPFilters Microsoft Malware protection by Microsoft details Mpfilter is used in protecting the Microsoft from knowing malware internet Browsing History system file which is converted into the hash Hidden files in our machine Powershell commands History and other basic information.

slide 6:

 EventLogs: EventLogs are the records of our windows machine security and application notification. All these files will be stored in an event log file. All windows system administrators use this for resolving the system problems.

slide 7:

NetworkInfo: In this folder we have complete internet connection details like: o ARP: Address resolution protocol. The main aim of arp is to convert internet addresses to physical addresses. In the arp report we have internet and physical addresses are stored o DNS cache: the main aim of DNS cache to capture the previous DNS Lookup and this refers to temporary storage. In the DNS cache we have the previous cache data. o NetBIOS sessions: Network-based input/output system we use this program to communicate between two different computers in a LAN Local Area Network. In NetBIOS sessions we can check any connection details. o NetBIOS Transferred: In Network-based input/output system transferred we can view the previous transactions. o Netstat: Netstat is a single command line. The main aim of this command to display the network connections for TCP. o Nbstat: Nbstat is used to verify the problems for NetBIOS over TCP/IP o Routing table: The main aim of the routing table is to forward the data packet from source to destination. In this routing table report we can see all the source and destination IPv4 address.

slide 8:

 PersistenceMechanisms: The data which is stored in windows hard disk that called PersistenceMechanisms  Prefetch: In prefetch the log file contains all the application which we have executed in our windows machines.

slide 9:

 Registry: The Windows registry is the place where all the system data both hardware and software stored in it just like a database.  RegRipper: The gripper in as forensics tool we use this to extract the data very quickly from the registry.  UserInfo: in this we can view the number of users in our machine.  Perform the scan more then one time for better results. CONCLUSION We saw how we can do forensic of any windows machine and retrieve the data to protect system from future attacks.

slide 10:

Contact https://www.exploitone.com/ MEXICO 538 Homero 303 Chapultepec Morales Mexico D.F Distrito Federal 11570 INDIA Fifth Floor HB Twin Tower Netaji Subhash Place Delhi NCR 110034

authorStream Live Help