Host Preparation - Anthony Vance


14 Dec 2013


Host Preparation for Windows Hosts

1. Log onto a lab workstation as “Sleuth” or a Windows.

2. Activate the Last Accessed date-time stamp. To do this, open regedit and browse to HKEY_LOCAL_MACHINE (HKLM)\SYSTEM\CurrentControlSet\Control\FileSystem. Double-click the value NtfsDisableLastAccessUpdate and change the data to 0 (false, i.e. last-access updates are no longer disabled). Note that the value name is a “disable” flag: 1 has been the default since Windows Vista, so a freshly installed host will normally show 1 here, and the change takes effect after a reboot.

3. Ensure that the operating system has not been configured to encrypt the swap/page file. In Windows 7, this setting can be found in the Registry at HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsEncryptPagingFile. Make sure the data for this value is 0. If it is 1, the page file is EFS-encrypted and any memory contents paged out to disk cannot be recovered from a disk image.

4. Ensure that the operating system is not clearing the swap/page file when the system is shut down, so that it will still be available to the investigator who images after a graceful shutdown. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, and make sure the ClearPageFileAtShutdown value either doesn’t exist or has a value of 0.

Alternatively, search for “local security policy” in the Windows Start menu. Open “Local Policies,” then “Security Options.” Make sure the “Shutdown: Clear virtual memory pagefile” option is set to Disabled.

5. Ensure that the log file for the system’s host-based firewall is turned on, and that the log file size has been increased from the default. From the Start menu, open Windows Firewall with Advanced Security. In the center pane, click on the link “Windows Firewall Properties.” The lab workstations have the firewall off; just note this, don’t change it. Click on the Public Profile tab. Next to “Logging,” click Customize. Increase the default log file size (the default is 4,096 KB; the log is written to %systemroot%\system32\LogFiles\Firewall\pfirewall.log). Change the “Log dropped packets” and “Log successful connections” settings to Yes. Click OK. These logging settings are per profile, so repeat them on the Domain and Private profile tabs if the workstation uses those profiles.

6. Increase the size of the NTFS change journal (the USN journal). This journal will contain date-time stamps that can be used by a forensic analyst to investigate file system events even when the primary date-time stamps for file records have been manipulated.

a. Open a command prompt (run it as administrator, since fsutil requires elevation) and type:

    fsutil usn queryjournal c:

b. The output will display the maximum size of the journal in hexadecimal (e.g., “Maximum Size: 0x0000000002000000”). Enter the hex number into Windows Calculator: switch the view to Programmer, select Hex, enter the value, then switch to Dec to see the number of bytes. What is the current size of the NTFS journal? (For the example value above, 0x2000000 is 33,554,432 bytes, i.e. 32 MB, the Windows default.)

c. Increase the size of the NTFS journal by entering the following command:

    fsutil usn createjournal m=2147483648 a=1 c:

    2147483648 bytes is 2 GB (2 * 1024^3).

d. Verify that the journal size has been increased correctly by running the command again:

    fsutil usn queryjournal c:
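The whole procedure (steps 2 through 6) can be applied and verified from one elevated PowerShell prompt instead of by hand. The script below is an added example, not part of the original lab handout. It assumes an administrative prompt on a Windows 7-era host, that C: is the volume of interest, and that the Public firewall profile is the one to configure; the 256 MB allocation delta passed to fsutil is this script’s own choice (one eighth of the maximum, the same ratio as the default 32 MB journal with its 4 MB delta) rather than the a=1 used in step 6c. It records each value before changing it so the change can be documented, leaves the firewall’s on/off state alone, and parses the hexadecimal “Maximum Size” line from fsutil itself instead of using Calculator.

```powershell
# Added example (not from the original handout): apply and verify steps 2-6.
# Assumes an elevated prompt, a Windows 7-era host and C: as the target volume.
$ErrorActionPreference = 'Stop'
$fs  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$mm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$vol = 'c:'

function Set-RegDword($Path, $Name, [int]$Expected) {
    # Read the current data first so the "before" state is on record, then set and re-read.
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    Write-Host ("{0}\{1}: was {2}, setting {3}" -f $Path, $Name, $current, $Expected)
    Set-ItemProperty -Path $Path -Name $Name -Value $Expected -Type DWord
    $after = (Get-ItemProperty -Path $Path -Name $Name).$Name
    if ($after -ne $Expected) { throw "Failed to set $Name under $Path" }
}

# Step 2: 0 means last-access updates are NOT disabled (the value name is a disable flag).
Set-RegDword $fs 'NtfsDisableLastAccessUpdate' 0
# Step 3: 0 means the page file is not EFS-encrypted.
Set-RegDword $fs 'NtfsEncryptPagingFile' 0
# Step 4: 0 means the page file is kept across a graceful shutdown.
Set-RegDword $mm 'ClearPageFileAtShutdown' 0

# Step 5: per-profile firewall logging. This only changes logging; it does not
# turn the firewall on. Repeat with domainprofile / privateprofile if used.
netsh advfirewall set publicprofile logging droppedconnections enable | Out-Null
netsh advfirewall set publicprofile logging allowedconnections enable | Out-Null
netsh advfirewall set publicprofile logging maxfilesize 32767        | Out-Null   # KB, the maximum allowed
netsh advfirewall show publicprofile

# Step 6: read "Maximum Size : 0x..." from fsutil, convert from hex, enlarge, re-check.
function Get-UsnMaxSize($Volume) {
    $line = fsutil usn queryjournal $Volume | Select-String -Pattern '^Maximum Size'
    if ($line -and ($line.Line -match '0x([0-9A-Fa-f]+)')) {
        return [Convert]::ToInt64($Matches[1], 16)
    }
    throw "Could not read the USN journal size for $Volume"
}
$before = Get-UsnMaxSize $vol
$target = 2GB            # 2147483648 bytes, as in step 6c
$delta  = 256MB          # allocation delta: this script's choice, see lead-in
fsutil usn createjournal "m=$target" "a=$delta" $vol | Out-Null
$after = Get-UsnMaxSize $vol
"USN journal maximum size on {0}: {1:N0} bytes -> {2:N0} bytes" -f $vol, $before, $after
if ($after -lt $target) { throw "USN journal on $vol was not enlarged" }
```

Run it from an elevated PowerShell prompt and reboot afterwards, since the two FileSystem values are read when the volume is mounted; the firewall and USN journal changes take effect immediately. Keep the “was … setting …” lines it prints with the lab notes, because they document the host’s original state.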