- Windows forensic artifacts make it possible to attribute activity and reconstruct the timeline accurately.
- Event Log, Prefetch, LNK, Registry, NTFS and SRUM form the core of actionable analysis.
- Source correlation and evidence preservation (hashing, chain of custody) are essential.
- Tools such as the Zimmerman suite, Autopsy/FTK and Volatility speed up and validate findings.
Gaining deep insight into Windows environments requires understanding how the system leaves traces of everything that happens: user activity, program execution, network connections and configuration changes. These traces, known as artifacts, are the raw material for reconstructing incidents without compromising the integrity of the evidence.
In real incidents, forensic artifacts let you build timelines, identify the accounts that were used, detect persistence and provide evidence that is admissible in court. Although the data is scattered and some of it is volatile, Windows contains sources that are easy to collect and rich in information.
What are Windows forensic artifacts and why do they matter?
A forensic artifact is any record, file or piece of metadata that the system creates automatically during normal use. In Windows these range from the Event Log and Prefetch to the Registry, LNK files, ShellBags, SRUM and file-system telemetry (NTFS). Each one contributes pieces of the puzzle needed to answer what happened, who did it, when, from where, and with what impact.
Thanks to their analysis it is possible to reconstruct timelines (creation/modification/deletion, application execution), correlate the activity of users or machines, detect persistence and lateral-movement techniques, and back expert reports with solid evidence.
Event Log: key IDs and paths
- Logons: 4624 (success), 4625 (failure), 4634/4647 (logoff), 4648 (logon with explicit credentials), 4672 (logon with elevated privileges).
- Sensitive changes: 4719 reports changes to the audit policy, useful for spotting tampering attempts.
- Services: 7034 (crash), 7035 (start/stop), 7036 (started/stopped), 7040 (start type changed), 7045 and 4697 (service installed).
- RDP: 4778 (session connected/reconnected) and 4779 (disconnected), useful for tracking Remote Desktop use.
To filter failed logons with PowerShell, you can run a direct query against the Security log:
Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4625 } | Select-Object TimeCreated, Message
The native viewer (eventvwr.msc) and utilities such as FullEventLogView make it easy to review this data in a readable, exportable form, which is essential for DFIR roles that build timelines.
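The one-liner above only shows raw messages. The following script, added here as an example and not part of the original post, pulls the logon IDs listed above in a single query, extracts the account, logon type and source address from each event's XML, and produces a CSV timeline plus a failed-logon summary. It assumes an elevated PowerShell session on the examined host and a seven-day window you can adjust in `$Since`.

```powershell
$Since = (Get-Date).AddDays(-7)

# One query for the logon IDs discussed above; -FilterHashtable filters at the log level.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4648, 4672
    StartTime = $Since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The interesting fields live in the EventData block of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # 4624/4625/4648 carry the account in TargetUserName; 4672 only has SubjectUserName.
    $user = $data['TargetUserName']
    if (-not $user) { $user = $data['SubjectUserName'] }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        User      = $user
        Domain    = $data['TargetDomainName']
        LogonType = $data['LogonType']    # 2 interactive, 3 network, 10 RemoteInteractive (RDP)
        SourceIP  = $data['IpAddress']
        Process   = $data['ProcessName']
    }
}

# Chronological export, ready for Timeline Explorer or a spreadsheet.
$rows | Sort-Object Time | Export-Csv -NoTypeInformation -Path .\logon_timeline.csv

# Triage: failed logons by source address and account (password spraying shows up as
# one address across many accounts; brute force as one account from one address).
$rows | Where-Object Id -eq 4625 |
    Group-Object SourceIP, User |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Successful RDP logons (LogonType 10), to cross-check later with 4778/4779 and SRUM.
$rows | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq '10' } |
    Format-Table Time, User, SourceIP -AutoSize
```

To work from an exported log instead of the live system, replace `LogName = 'Security'` with `Path = 'C:\evidence\Security.evtx'` in the filter hashtable.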
Prefetch: program execution and time context
Prefetch records binary execution in order to speed up application startup. For the forensic examiner it is pure gold because it preserves traces even when the executable is gone. The .pf files live in C:\Windows\Prefetch\ and their name includes the executable plus a hash of its path, which helps distinguish runs of the same application launched from different locations.
- Windows XP-7: creates one .pf per run, with a limit of roughly 128 entries.
- Windows 8+: integrates with SysMain (formerly Superfetch) and raises the limit to ~1024, with richer traces.
- Windows 10/11: keeps the SysMain integration and provides the latest formats.
- Windows Server: some editions may have it disabled.
Typical use cases: identifying executed malware, revealing remote-administration tools used in lateral movement, or confirming a user's action after the fact. To analyze it: PECmd (Eric Zimmerman), WinPrefetchView, and for a quick look at the most recent .pf files with PowerShell:
Get-ChildItem -Path C:\Windows\Prefetch -Filter *.pf | Select-Object Name, LastWriteTime
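The listing above does not separate the executable from the path hash. The script below, added here as an example and not code from the original post, parses the NAME-HASH.pf naming scheme, groups files by executable so that the same binary seen under several hashes (several locations) stands out, and lists the most recent executions. It assumes the Prefetch folder is at `$PrefetchDir`, on the live host or a mounted image.

```powershell
$PrefetchDir = 'C:\Windows\Prefetch'

$pf = Get-ChildItem -Path $PrefetchDir -Filter *.pf -ErrorAction Stop | ForEach-Object {
    # Names look like CMD.EXE-4A81B364.pf: executable, dash, eight hex digits hashing the path.
    if ($_.BaseName -match '^(?<exe>.+)-(?<hash>[0-9A-F]{8})$') {
        [pscustomobject]@{
            Executable = $Matches.exe
            PathHash   = $Matches.hash
            FirstSeen  = $_.CreationTime    # approximate first run of this exe+path pair
            LastRun    = $_.LastWriteTime   # rewritten on each run
            Size       = $_.Length
        }
    }
}

# The same executable name under more than one hash means it ran from more than one path
# (for some hosting binaries such as svchost or rundll32 the hash also depends on the
# command line). Either way it deserves a closer look with PECmd.
$pf | Group-Object Executable | Where-Object Count -gt 1 |
    ForEach-Object { $_.Group } |
    Sort-Object Executable, LastRun |
    Format-Table Executable, PathHash, FirstSeen, LastRun -AutoSize

# Most recently executed binaries, for the timeline.
$pf | Sort-Object LastRun -Descending | Select-Object -First 20 |
    Format-Table Executable, PathHash, LastRun -AutoSize
```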
LNK files: shortcuts with forensic metadata
.lnk shortcuts reveal what was opened, where and when, and even device details (USB serial numbers), which is key in suspected exfiltration. You will find LNK files on the user's Desktop and in the Recent folder:
- Desktop: C:\Users\<user>\Desktop\
- Recent: C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\
- Other shortcuts: Start Menu and Quick Launch in the user profile.
Useful tools: LECmd to extract the metadata (link paths, serial numbers, timestamps) and ShellBagsExplorer to complete the Explorer context. With PowerShell you can list the recent items and their last modification:
Get-ChildItem -Path "C:\Users\<usuario>\AppData\Roaming\Microsoft\Windows\Recent" -Filter *.lnk | Select-Object Name, LastWriteTime
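The file names alone do not tell you where each shortcut pointed. This script, added here as an example and not code from the original post, resolves every Recent .lnk to its target through the WScript.Shell COM object and reports whether the target still exists, which is what you need when the original file was moved, deleted or sat on removable media. The profile path in `$UserProfile` is a placeholder to replace.

```powershell
$UserProfile = 'C:\Users\<user>'   # placeholder: profile under review
$Recent      = Join-Path $UserProfile 'AppData\Roaming\Microsoft\Windows\Recent'

# CreateShortcut on an existing .lnk loads its stored properties instead of creating one.
$shell = New-Object -ComObject WScript.Shell

$links = Get-ChildItem -Path $Recent -Filter *.lnk -ErrorAction Stop | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    $target = $lnk.TargetPath
    [pscustomobject]@{
        Shortcut     = $_.Name
        Created      = $_.CreationTime     # first time the item was opened from this profile
        Modified     = $_.LastWriteTime    # last time it was opened
        Target       = $target
        Arguments    = $lnk.Arguments
        WorkingDir   = $lnk.WorkingDirectory
        # Missing target + recent shortcut: file moved/deleted, or on media no longer attached.
        TargetExists = [bool]($target -and (Test-Path -LiteralPath $target))
    }
}

$links | Sort-Object Modified -Descending |
    Format-Table Shortcut, Modified, Target, TargetExists -AutoSize

# Targets that no longer exist, grouped by drive letter: the first candidates to cross
# with MountedDevices/USBSTOR to find out which device the letter belonged to.
$links | Where-Object { $_.Target -and -not $_.TargetExists } |
    Group-Object { $_.Target.Substring(0, [Math]::Min(2, $_.Target.Length)) } |
    Select-Object Name, Count
```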
These artifacts help attribute activity to accounts and sessions, even when the original file has been moved or deleted.
Windows Registry: persistence, USB and user activity
The Registry is a hierarchical store of system and application configuration. From it we obtain automatic startup entries (persistence), connected devices and recent-file lists, among other things.
- Run keys (persistence): HKLM:\Software\Microsoft\Windows\CurrentVersion\Run
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" | Select-Object *
- Mounted drives: HKLM:\SYSTEM\MountedDevices
Get-ItemProperty -Path "HKLM:\SYSTEM\MountedDevices" | Select-Object *
Important: MountedDevices maps drive letters; to trace specific USB devices and their history it is better to consult USBSTOR (e.g. SYSTEM\CurrentControlSet\Enum\USBSTOR).
Two key artifacts for program execution are Shimcache (AppCompatCache) and Amcache:
- Shimcache: shows binaries that were present/executed, but not the exact time. Key: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
- Amcache: detailed metadata with SHA1 hashes, paths and timestamps, useful for determining when and how a file was executed. Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppCompatFlags\Amcache
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" | Select-Object *
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppCompatFlags\Amcache" | Select-Object *
For folder navigation, ShellBags are a classic. They let you reconstruct the directories that were browsed, even if they no longer exist. They live under HKU\<SID>\Software\Microsoft\Windows\Shell\BagMRU and HKU\<SID>\Software\Microsoft\Windows\Shell\Bags.
Get-ItemProperty -Path "HKU:\<SID>\Software\Microsoft\Windows\Shell\BagMRU" | Select-Object *
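The Run-key query above dumps one hive as raw properties. The script below, added here as an example and not code from the original post, walks Run/RunOnce for the machine and for every loaded user hive, extracts the executable from each command line, and flags entries whose file is missing, unsigned, or sitting in a user-writable location. It assumes an elevated session; the HKU: drive is created if it is not already mapped.

```powershell
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Machine hive plus each loaded domain/local user hive (S-1-5-21-...), skipping *_Classes.
$roots = @('HKLM:\Software\Microsoft\Windows\CurrentVersion') +
    (Get-ChildItem 'HKU:\' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion" })

$entries = foreach ($root in $roots) {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = Join-Path $root $sub
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $names = $props.PSObject.Properties.Name |
            Where-Object { $_ -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }
        foreach ($name in $names) {
            $cmd = [string]$props.$name
            # Executable part of the command line: the quoted path, or else the first token.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else { 'FileMissing' }
            [pscustomobject]@{
                Hive         = $root -replace '\\Software.*$', ''
                Key          = $sub
                Name         = $name
                Executable   = $exe
                Signature    = $sig          # Valid, NotSigned, HashMismatch, FileMissing...
                # Autoruns living where a normal user can write deserve extra scrutiny.
                UserWritable = [bool]($exe -match '\\(Users|Temp|AppData|ProgramData)\\')
                Command      = $cmd
            }
        }
    }
}

$entries | Sort-Object Signature, UserWritable -Descending | Format-Table -AutoSize
```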
More key Windows artifacts: from the desktop to NTFS
In addition to the above, there are complementary sources that enrich the analysis and fill gaps in the timeline.
- Hibernation and paging: hiberfil.sys and pagefile.sys may contain credentials, session remnants and memory structures.
- UserAssist/MRU: keys in NTUSER.DAT that reveal recently used programs and recently opened/saved documents.
- BAM/DAM: background and desktop activity monitors, useful for understanding the actual use of processes by each user.
- Autoruns: automatic start points, viewable with Sysinternals Autoruns or collected in bulk (KAPE/IR-Rescue).
- Jump Lists: lists that reflect frequently used files/applications, another vector for attribution.
Browsers: history, cache, cookies and session restore
Browsers concentrate intent and action. In IE/Edge/Chromium/Firefox we can extract browsing history, searches, cache, sessions and cookies, which translate into downloads, transfers or access to internal resources.
- IE/Edge (legacy): WebCacheV*.dat, Content.IE5, History.IE5
- Firefox: places.sqlite (history), downloads.sqlite (downloads), sessionstore.js (session restore)
- Chromium/Chrome: Default\History, Default\Cache
- Cookies: in the user profiles of IE/Edge/Firefox/Chrome
To review these sources: BrowseHistoryView speeds up cross-browser artifact review; in addition, the cache and cookie stores help confirm exfiltration through the web or the use of SaaS applications.
NTFS and file-system artifacts
The NTFS file system records granular telemetry that is key to understanding what happened to folders and files.
- $MFT: the master file table, with metadata (dates, sizes, ACLs). Parsed with Mft2Csv and viewable in Registry Explorer.
- $UsnJrnl: the volume change journal (creation/modification/deletion), very useful for detecting signs of ransomware or forced mass deletion.
- $LogFile: internal NTFS transactions, key to reconstructing operations and crashes.
Tools such as NTFS Journal Viewer or NTFS Log Tracker allow you to walk $UsnJrnl and $LogFile, while X-Ways, Autopsy or FTK provide powerful viewers and filters.
USB and external devices: tracing and users
For USB, Windows stores vendor, product and serial information under SYSTEM\CurrentControlSet\Enum\USB and USBSTOR. The device properties record key milestones such as first installation (0064), last connection (0066) and last removal (0067) on Windows 8-10.
- User association: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
- Volumes: SYSTEM\MountedDevices and SOFTWARE\Microsoft\Windows Portable Devices\Devices
- PnP events: System.evtx may reflect driver installations (for example, 20001)
These sources make it feasible to link a USB device to system actions (files handled, paths accessed) and to a specific account.
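The USBSTOR and MountedDevices keys are only useful together once the serial number is used as the join key. The script below, added here as an example and not code from the original post, enumerates USBSTOR devices, decodes the binary MountedDevices values (UTF-16 device paths) and reports which drive letters and volume GUIDs were ever assigned to each serial. It assumes an elevated session on the examined host.

```powershell
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

# Layout: USBSTOR\Disk&Ven_X&Prod_Y&Rev_Z\<serial>&0 ; FriendlyName sits on the instance key.
$devices = Get-ChildItem -Path $usbstor -ErrorAction Stop | ForEach-Object {
    $model = $_.PSChildName
    Get-ChildItem -Path $_.PSPath | ForEach-Object {
        [pscustomobject]@{
            Model        = $model
            Instance     = $_.PSChildName
            Serial       = ($_.PSChildName -split '&')[0]
            FriendlyName = (Get-ItemProperty -Path $_.PSPath).FriendlyName
        }
    }
}

# MountedDevices values are REG_BINARY. For USB volumes the bytes decode (UTF-16LE) to a
# device path such as _??_USBSTOR#Disk&Ven_X&Prod_Y&Rev_Z#SERIAL&0#{guid}, so the serial
# number is what ties a drive letter back to a physical device.
$mounted  = Get-ItemProperty -Path 'HKLM:\SYSTEM\MountedDevices'
$mappings = foreach ($p in $mounted.PSObject.Properties) {
    if ($p.Value -isnot [byte[]]) { continue }
    $text = [System.Text.Encoding]::Unicode.GetString($p.Value)
    if ($text -like '*USBSTOR#*') {
        # Entry is \DosDevices\E: (drive letter) or \??\Volume{...} (volume GUID)
        [pscustomobject]@{ Entry = $p.Name; DevicePath = $text }
    }
}

# Every letter / volume GUID ever assigned to each serial. Devices with no mapping left
# were either reassigned a letter later or had their MountedDevices entry removed.
$report = foreach ($d in $devices) {
    $hits   = @($mappings | Where-Object { $_.DevicePath -like "*#$($d.Serial)&*" })
    $mounts = if ($hits) { $hits.Entry -join ', ' } else { '(none)' }
    [pscustomobject]@{
        FriendlyName = $d.FriendlyName
        Serial       = $d.Serial
        Model        = $d.Model
        Mounts       = $mounts
    }
}
$report | Sort-Object FriendlyName | Format-Table -AutoSize
```

The drive letters in the Mounts column are what you match against the missing LNK targets and the per-user MountPoints2 keys to tie a device to an account.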
Accounts, authentication and RDP
The SAM hive holds the local account data and makes it easy to identify last logons and password changes. For logon activity, Security.evtx is the reference point for events 4624/4625, 4634/4647, 4648, 4672 and 4720 (account creation).
In Remote Desktop scenarios, checking events 4778/4779 helps date connections/disconnections, correlate source addresses and cross-reference them with other artifacts such as LNK, Prefetch or SRUM.
System logs and trace management
Beyond the general Event Log, Windows keeps specific logs for installation, updates and maintenance.
- setupact.log: %WINDIR%\setupact.log
- setuperr.log: %WINDIR%\setuperr.log
- WindowsUpdate.log: %WINDIR%\WindowsUpdate.log
- ReportingEvents.log: %WINDIR%\SoftwareDistribution\ReportingEvents.log
- MRT: %WINDIR%\Debug\mrt.log
- CBS.log: %WINDIR%\Logs\CBS\CBS.log (component integrity)
- Panther: %SYSTEMROOT%\$Windows.~BT\Sources\Panther\*.log.xml and %WINDIR%\PANTHER\*.log.xml
- Setup API: %WINDIR%\INF\setupapi.dev.log and %WINDIR%\INF\setupapi.setup.log
- WinSAT: %WINDIR%\Performance\WinSAT\winsat.log
- Memory dump: %WINDIR%\Memory.dmp
These logs are very useful for dating precise system changes, driver installations and update states that explain vulnerability windows or critical reboots.
SRUM (System Resource Usage Monitor): CPU, network and power usage
SRUM is an ESE database that Windows updates periodically to track the resources used by each application/process/service. Its main file is SRUDB.dat, located at C:\Windows\System32\sru\SRUDB.dat on Windows 8 and later.
The SRUM extensions appear in the Registry (e.g. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions) and indicate which data is available on the system. Tools such as SrumECmd (Eric Zimmerman) export CSV tables: AppUsage, NetworkUsages, Energy, among others.
In incident response, the network usage table is essential for demonstrating exfiltration. A typical case: seeing that ssh.exe sent a large volume of bytes over a period that correlates with a suspicious RDP session. By breaking outgoing bytes down by date, you can tie a large transfer to a user (account SID) and to a specific process.
A note on time in SRUM: the timestamp reflects when the data was flushed to the database, not necessarily the exact moment of execution. It is advisable to cross-reference SRUM with Prefetch, LNK, Event Logs and Registry artifacts to consolidate the timeline.
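The ssh.exe case above comes down to summing outbound bytes per process, user and day and then looking at the individual flush records around the suspicious session. This script, added here as an example and not code from the original post, does that over a SrumECmd NetworkUsages CSV. The column names ExeInfo, UserName, Timestamp, BytesSent and BytesReceived are assumed to match SrumECmd's output; the CSV path and threshold are placeholders.

```powershell
$CsvPath   = '.\SRUDB_NetworkUsages.csv'   # placeholder: SrumECmd NetworkUsages output
$Threshold = 100MB                          # flag single flush records above this outbound volume

$rows = Import-Csv -Path $CsvPath | ForEach-Object {
    $ts = [datetime]$_.Timestamp
    [pscustomobject]@{
        Flushed  = $ts            # when SRUM wrote the record, not when the traffic started
        Day      = $ts.Date
        Exe      = $_.ExeInfo
        User     = $_.UserName
        Sent     = [int64]$_.BytesSent
        Received = [int64]$_.BytesReceived
    }
}

# Daily outbound volume per executable and user, largest first. A single process/user pair
# dominating one day is the pattern the text describes for ssh.exe.
$daily = $rows | Group-Object Day, Exe, User | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        Day     = $first.Day.ToString('yyyy-MM-dd')
        Exe     = $first.Exe
        User    = $first.User
        SentMB  = [math]::Round(($_.Group | Measure-Object Sent -Sum).Sum / 1MB, 1)
        Records = $_.Count
    }
} | Sort-Object SentMB -Descending

$daily | Select-Object -First 25 | Format-Table -AutoSize

# Individual flush records above the threshold: candidates to cross with 4778/4779 (RDP)
# and with Prefetch/LNK around the same hour, keeping the flush-time caveat in mind.
$rows | Where-Object Sent -gt $Threshold | Sort-Object Flushed |
    Format-Table Flushed, Exe, User, @{ n = 'SentMB'; e = { [math]::Round($_.Sent / 1MB, 1) } } -AutoSize
```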
Recommended tools
A well-stocked toolbox makes the difference between conjecture and proof. These are especially useful on Windows:
- Eric Zimmerman suite: PECmd/WinPrefetchView (Prefetch), LECmd (LNK), ShellBagsExplorer (ShellBags), Registry Explorer and RECmd (Registry), SrumECmd (SRUM), Timeline Explorer (timelines).
- Autopsy & Sleuth Kit: open source for forensic disk analysis.
- FTK / EnCase / X-Ways: professional solutions for large volumes and complex cases.
- Volatility: RAM analysis (with hiberfil/pagefile dumps where applicable).
- RegRipper: automated extraction of key Registry keys.
- FullEventLogView and BrowseHistoryView: a quick overview of events and browsing history.
Key Linux forensic artifacts (comparative overview)
Although the focus is Windows, it is worth keeping a mental map of Linux for the mixed environments found in organizations.
- System logs: /var/log/ (syslog, auth.log, secure) for access auditing, sudo, failures and services.
- Users and groups: /etc/passwd, /etc/shadow, /etc/group to review accounts and privileges.
- FS metadata: timestamps and attributes (inodes) to build creation/modification/deletion timelines.
- Network and processes: ss/netstat, lsof, ps/top for real-time connections and activity.
- Shell history: .bash_history and its variants, taking the HISTCONTROL/HISTTIMEFORMAT settings into account.
- Memory: LiME dumps and Volatility analysis for volatile evidence.
- Configuration files: services, cron and package logs as additional sources.
This comparison helps keep hold of the thread of an incident that hops between systems, avoiding gaps in the technical narrative.
The Windows artifact landscape shows that every action leaves traces: from a 4625 in Security.evtx to a .pf in Prefetch, through LNK files carrying USB serial numbers, persistence keys in the Registry or network usage in SRUM. With proper acquisition, correlation between sources and validation with tools, it is possible to rebuild a narrative with enough precision for technical and legal decisions, even against attackers who aggressively cover their tracks.
A passionate writer about the world of bytes and technology in general. I love sharing my knowledge through writing, and that is what I will do on this blog: show you all the most interesting things about gadgets, software, hardware, technology trends and more. My goal is to help you navigate the digital world in a simple and entertaining way.