Device Information
- Use hdparm and disktype to view hard disk and partition details.
- Use RegRipper to extract USB storage information from registry.
- Use RegRipper to extract Device Class information from registry.
Operating System
- Use RegRipper to retrieve current Windows version from registry.
- Use RegRipper to retrieve the computer name from registry.
- Use RegRipper to extract UserAssist information from registry.
- Use RegRipper to retrieve recent documents from registry.
- Use RegRipper to extract User and Group information from registry.
- Use BKhive and Samdump2 to extract XP/2000/NT password hashes from the SAM hive using the SYSKEY.
Network
- Use RegRipper to extract Windows firewall configuration from registry.
Internet Histories
- Use Pasco to recover Internet Explorer histories.
- Use Mork to recover Firefox/Netscape histories.
- Use RegRipper to view typed URLs.
Volatile Memory Examination
Use The Volatility Framework to extract the below information from physical memory samples:
- Image date and time
- Running processes
- Open network sockets
- Open network connections
- DLLs loaded for each process
- Open files for each process
- Open registry handles for each process
- A process's addressable memory
- OS kernel modules
- Mapping physical offsets to virtual addresses (strings to process)
- Virtual Address Descriptor information
- Scanning examples: processes, threads, sockets, connections, modules
- Transparently supports a variety of sample formats (i.e., crash dump, hibernation file, DD)
File Recovery / Carving
Use Foremost to recover files by type, including the below:
- jpg
- png
- gif
- bmp
- mpg
- wav
- avi
- wmv
- mov
- pdf
- htm
- ole
- zip
- rar
- exe
Sensitive Data Audit
- Use Spider to scan a system for sensitive data.
Misc
- Run from CD or USB.
- Save results in HTML and/or plain text.
- Run against a disk image or local disks.