Now we are studying about the forensic evidence which we
have collected in the previous article.
If you are
interested to see the collection of forensic evidence, please click on the
below link.
First of all, we will look into the Trash folder (which contains the files and folders deleted by the
user but not erased permanently from system yet).
By clicking on Trash
folder, it will show us the different files and folders with their Creation
Time, Last Access Time, Last Change Time, and File Size.
Now click on Advanced
Registry and System Analyzer and then Auto
Run Option.
Go to Run
option. It will Show all the programs that can run automatically at the time of
booting of the system.
Now Select OS Info
option. Through OS Info, we can see
the Root Path, Current Version, Registered User, Product ID, Edition ID, and
Installation Type.
Now select Uninstall
Option from Programs Option. By Uninstall Option, we can see all the
programs which are installed in the system.
To see the running services in the system, select
Services option.
Now click on Known
DLLs to see the Dynamic Link Libraries ( which contains data and code that
are used by different programs simultaneously.)
Now to get the information about the removable disks used
recently or in the past, first click on USB Storage and then select USBSTOR.
It will show the name of the Disks.
Now Select any one of the disk and it will show us the
size as well as the manufacturer name.
To see the history of most
recently used commands from the Run command on the Start menu click on Users
Info Option. Select a user; in my case we are selecting Raj. Now click on RunMRU.
Author: Mukul Mohan is a Microsoft
Certified system engineer in security and messaging .He is a Microsoft
Certified Technology Specialist with high level of expertise in handling server
side operations based on windows platform. An experienced IT Technical Trainer
with over 20 years’ Technical Training experience you can contact him at
mukul@ignitetechnologies.in
0 comments:
Post a Comment