Cyber Crime and Cyber Terrorism

69
 
Case study
WINDOWS EVENT LOGS
Windows maintains a record of all application and system activities within event 
logs. These are entries created automatically by the operating system and can pro-
vide significant information about chronological actions performed by users and the 
system. This will include user logons and offs; file access; account creation; services 
that are running; and the installation of drivers. They are typically used to perform 
troubleshooting activities on the computer: these can be found in 
%SystemRoot%\
Windows\system32\config
.
WINDOWS REGISTRY
The Windows registry is a database storing settings for a computer defining all the us-
ers; applications; and hardware installed on the system; and any associated settings, 
allowing the system to be configured correctly at boot-up. The registry is stored in a 
format that requires decoding to be read; there are numerous tools that can do this. 
Once opened it provides a wealth of information including, but is in no way limited 
to, evidence of the applications and files a user has opened; what devices were con-
nected; and the IP addresses used.
RESTORE POINTS
Microsoft Windows provides a service known as restore points, the version of 
Windows determines what these actually contain. The simple purpose of restore 
points is to snapshot the computer, at a predefined date and time, or when an event 
occurs (such as the installation of software), so that it can be restored by the user 
if an error occurs. The restore points contain snapshots of the Windows Registry; 
system files; LNK files and with later versions of Windows they can also include 
incremental backups of user files. This can provide an invaluable resource for an 
investigation, as it will provide historic information such as applications that are no 
longer installed. Windows XP has a default retention period of 90 days for restore 
points, whereas later versions are only limited by the amount of disk space permitted 
to be used by them.
CASE STUDY
Following reports of customers being mis-sold legal-based documentation, a high-
tech investigation was requested by a legal practice. Arrangements were made to 
attend the premises of the organization under investigation, legal proceedings meant 
that the organization had no idea that this was to happen—preventing malicious data 
destruction. A legal stipulation was enforced, intended to reduce loss of revenue for 
the business, which meant that digital devices could not be removed from the prem-
ises. Pre-search intelligence identified that up to 20 staff worked at the premises at 

Download 5,67 Mb.

Do'stlaringiz bilan baham: