Forensic Analysis of Windows Server

Students will use Autopsy, a free and open-source forensic suite, to load and then analyze a disk image of a compromised Windows Server. Autopsy lets you examine artifacts from the Windows system, including the registry hive files, the scheduled tasks, and the date and time stamps on files, which together can indicate what was done and when. This particular server is running IIS (Internet Information Services), and the IIS logs will provide important clues to the network intrusion. After completing this lab, you will be familiar with some of the common locations where forensic artifacts exist on a Windows server.

Overview

In this lab, you will learn how to search through a forensic disk image in raw (dd) format to find artifacts related to an intrusion on a Windows Server. A hacker's dream is to compromise a Windows Server, especially a domain controller, because the Domain Administrator account can then be leveraged to control most of the other systems within the network. The relevant forensic artifacts from a Windows Server include log files (such as the IIS logs), Event Viewer logs (.evtx), and registry entries.
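The IIS logs referred to above, both in the lab description and in this overview, are plain-text W3C extended logs, so a first triage pass can be scripted before (or alongside) browsing them in Autopsy. The following Python script is an added example for this lab, not code from the original page or from Autopsy. It parses a constructed sample log (hypothetical IP addresses and file names) in the format IIS writes under C:\inetpub\logs\LogFiles\W3SVC1\, flags requests that match a few intrusion heuristics (a server-side script under an upload directory, command-like parameters or query strings, path traversal, scripted user agents), and then pivots to every request from each suspect client address. The heuristics and keyword lists are assumptions chosen for illustration, not an exhaustive signature set.

```python
"""Triage an IIS W3C extended log for signs of a web-server intrusion.

Added example for this lab; it is not part of Autopsy or the original page.
SAMPLE_LOG is constructed data (hypothetical IPs and file names) in the W3C
format IIS writes under C:\\inetpub\\logs\\LogFiles\\W3SVC<n>\\.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2019-03-14 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-03-14 02:11:05 10.0.0.5 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 15
2019-03-14 02:12:40 10.0.0.5 GET /login.aspx - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 22
2019-03-14 02:13:02 10.0.0.5 POST /upload.aspx - 80 - 203.0.113.9 python-requests/2.21 200 0 0 310
2019-03-14 02:13:30 10.0.0.5 GET /uploads/cmd.aspx cmd=whoami 80 - 203.0.113.9 python-requests/2.21 200 0 0 88
2019-03-14 02:13:45 10.0.0.5 GET /uploads/cmd.aspx cmd=net+user+backdoor+P%40ss+/add 80 - 203.0.113.9 python-requests/2.21 200 0 0 120
2019-03-14 02:15:00 10.0.0.5 GET /admin/ - 80 - 203.0.113.9 python-requests/2.21 401 2 5 10
2019-03-14 03:00:12 10.0.0.5 GET /index.html - 80 - 192.0.2.44 Mozilla/5.0 200 0 0 12
"""

# Heuristics (assumed for illustration), not signatures. Each one is cheap and
# noisy on its own, so a request is reported with every reason that fired and
# the analyst pivots from there.
UPLOAD_SCRIPT = re.compile(r"/upload[^/]*/.*\.(?:aspx?|ashx|asmx|php|jsp)$", re.I)
COMMAND_WORDS = re.compile(r"\b(?:whoami|net user|powershell|cmd\.exe|certutil|bitsadmin|nltest)\b", re.I)
COMMAND_PARAMS = {"cmd", "exec", "command"}
SCRIPTED_UA = re.compile(r"python-requests|curl|wget|sqlmap|nikto|nmap", re.I)


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header.

    IIS encodes spaces inside a field as '+', so splitting on whitespace is safe.
    Malformed lines (common in carved or truncated logs) are yielded with a
    '_malformed' key rather than dropped silently.
    """
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]   # drop the '#Fields:' token
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            yield {"_line": lineno, "_malformed": line}
            continue
        entry = dict(zip(fields, values))
        entry["_line"] = lineno
        yield entry


def triage(text):
    """Return flagged requests, request counts per client, and malformed line numbers."""
    findings, by_ip, malformed = [], Counter(), []
    for e in parse_iis_log(text):
        if "_malformed" in e:
            malformed.append(e["_line"])
            continue
        by_ip[e["c-ip"]] += 1
        raw_query = "" if e["cs-uri-query"] == "-" else e["cs-uri-query"]
        decoded = unquote_plus(raw_query)
        reasons = []
        if UPLOAD_SCRIPT.search(e["cs-uri-stem"]):
            reasons.append("server-side script under an upload path")
        params = {k.lower() for k in parse_qs(raw_query)}
        if params & COMMAND_PARAMS:
            reasons.append("command-style parameter %s" % sorted(params & COMMAND_PARAMS))
        if COMMAND_WORDS.search(decoded):
            reasons.append("command-like query string")
        full = unquote_plus(e["cs-uri-stem"]) + "?" + decoded
        if "../" in full or "..\\" in full:
            reasons.append("path traversal")
        if SCRIPTED_UA.search(e.get("cs(User-Agent)", "")):
            reasons.append("scripted client user agent")
        if reasons:
            findings.append({"line": e["_line"], "time": e["date"] + " " + e["time"],
                             "c-ip": e["c-ip"], "method": e["cs-method"],
                             "uri": e["cs-uri-stem"], "status": e["sc-status"],
                             "reasons": reasons})
    return {"findings": findings, "by_ip": by_ip, "malformed": malformed,
            "suspect_ips": sorted({f["c-ip"] for f in findings})}


def timeline(text, client_ip):
    """Every request from one client in log order: the pivot made once an IP is suspect."""
    return ["%s %s %s %s%s -> %s" % (e["date"], e["time"], e["cs-method"], e["cs-uri-stem"],
                                     "" if e["cs-uri-query"] == "-" else "?" + e["cs-uri-query"],
                                     e["sc-status"])
            for e in parse_iis_log(text)
            if "_malformed" not in e and e["c-ip"] == client_ip]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["findings"]:
        print("line %(line)d %(time)s %(c-ip)s %(method)s %(uri)s [%(status)s]: %(reasons)s" % f)
    for ip in result["suspect_ips"]:
        print("\n-- all requests from", ip)
        print("\n".join(timeline(SAMPLE_LOG, ip)))
    if result["malformed"]:
        print("\nmalformed lines:", result["malformed"])
```

To use it on the lab image, export the log files from the W3SVC directory with Autopsy's extract-file action and pass their contents to triage(). Note that IIS writes log timestamps in UTC by default, so convert before comparing them with file-system timestamps or Event Viewer entries, which Autopsy displays in the time zone you configure for the case.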

OUTCOMES

In this lab, you will learn to: 

  1. Examine a compromised Windows Server using Autopsy 
  2. Identify the common locations of intrusion artifacts on a Windows system 
  3. Analyze a compromised Windows registry using Windows Registry Recovery 

Key terms and descriptions

Registry
A database within the Windows operating system that records settings related to the machine's users, installed programs, and other system configuration. On disk it is stored as a set of hive files.
WRR
Windows Registry Recovery, a tool that automatically parses some of the most pertinent information from the Windows registry hive files.
SAM
The Security Accounts Manager hive of Windows, which stores the local user accounts and their password hashes.
SYSTEM
A Windows registry hive that holds the machine's configuration settings, including the installed services and their startup settings.
Autopsy
A free, open-source forensic platform, built on The Sleuth Kit, that can be used to analyze forensic disk images.