From ca0a46fbef563900386a7350c8ababc8b83c690b Mon Sep 17 00:00:00 2001 From: webbreacher Date: Sun, 29 Dec 2013 12:09:57 -0500 Subject: [PATCH] Added the contents of files.md to blind.md since it really belongs there. --- presence/windows/blind.md | 15 +++++++++++++++ presence/windows/files.md | 21 --------------------- 2 files changed, 15 insertions(+), 21 deletions(-) delete mode 100644 presence/windows/files.md diff --git a/presence/windows/blind.md b/presence/windows/blind.md index bafbc91..8a67efd 100644 --- a/presence/windows/blind.md +++ b/presence/windows/blind.md @@ -12,3 +12,18 @@ The files below are things to pull when all you can do is to blindly read. Examp | `%SYSTEMROOT%\repair\SAM`
`%SYSTEMROOT%\System32\config\RegBack\SAM` | Stores user passwords in either an [LM hash](https://en.wikipedia.org/wiki/LM_hash) and/or an [NTLM hash](https://en.wikipedia.org/wiki/NTLM) format. The SAM file in \repair is locked, but can be retrieved using forensic or [Volume Shadow copy methods](http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html). | | `%SYSTEMROOT%\repair\system`
`%SYSTEMROOT%\System32\config\RegBack\system` | This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or [Volume Shadow copy methods](http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html). | | `%SYSTEMDRIVE%\autoexec.bat` | autoexec.bat is a startup script that executes at startup. As [Webopedia states](http://www.webopedia.com/TERM/A/autoexec_bat.html), “Stands for automatically executed batch file, the file that DOS automatically executes when a computer boots up. This is a convenient place to put commands you always want to execute at the beginning of a computing session. For example, you can set system parameters such as the date and time, and install memory-resident programs.” | +| `%SYSTEMDRIVE%\pagefile.sys` | This file is used by the operating system when there is not enough RAM (memory) in the system. It is a large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size. | +| `%SYSTEMROOT%\repair\SAM`
`%SYSTEMROOT%\System32\config\RegBack\SAM` | These files store the LM and NTLM hashes for local users. Using [Volume Shadow Copy](http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html) or [Ninja Copy](http://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/) you can retrieve these files. | +| `%SystemDrive%\inetpub\logs\LogFiles` | IIS 7.x web server log file location. | +| `%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat` | Internet Explorer web browser history file (http://support.microsoft.com/kb/322916) | +| `%USERPROFILE%\ntuser.dat` | User-level Windows registry settings (http://technet.microsoft.com/en-us/library/cc758618(v=WS.10).aspx) | +| `%WINDIR%\System32\drivers\etc\hosts` | System hosts file for local translation of host names to IP addresses. | +| `%WINDIR%\debug\NetSetup.log` | Shows issues when computers are joined to a domain. http://technet.microsoft.com/en-us/library/cc961817.aspx | +| `%WINDIR%\iis[version].log` where [version] = 6, 7, or 8 | Internet Information Service (IIS web server) log files. | +| `%WINDIR%\repair\sam`
`%WINDIR%\repair\system`
`%WINDIR%\repair\software`
`%WINDIR%\repair\security` | System registry hives. https://en.wikipedia.org/wiki/Windows_Registry | +| `%WINDIR%\system32\CCM\logs\*.log` | Windows SCCM (System Center Configuration Manager) log files (http://technet.microsoft.com/en-us/library/bb892800.aspx) | +| `%WINDIR%\system32\config\AppEvent.Evt`
`%WINDIR%\system32\config\SecEvent.Evt` | Windows Event Logs. | +| `%WINDIR%\system32\config\default.sav`
`%WINDIR%\system32\config\security.sav`
`%WINDIR%\system32\config\software.sav`
`%WINDIR%\system32\config\system.sav` | Backup Windows registry files (http://forensics.wikia.com/wiki/Windows_registry_entries) | +| `%WINDIR%\system32\logfiles\httperr\httperr1.log` | IIS 6.x web server error logs. | +| `%WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log` where YYMMDD = year month day | Web server log files. | +| `unattend.txt, unattend.xml, sysprep.inf` | Used in the automated deployment of Windows images and can contain user accounts. | \ No newline at end of file diff --git a/presence/windows/files.md b/presence/windows/files.md deleted file mode 100644 index c9fb1c8..0000000 --- a/presence/windows/files.md +++ /dev/null @@ -1,21 +0,0 @@ -# Windows Important Files - -Files that can yield passwords or other intel about the system, network or users. - -| File | Description / Importance | -| -------- | ------------------------ | -| `%SYSTEMDRIVE%\pagefile.sys` | This file is used by the operating system when there is not enough RAM (memory) in the system. It is a large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size. | -| `%SYSTEMROOT%\repair\SAM`
`%SYSTEMROOT%\System32\config\RegBack\SAM` | These files store the LM and NTLM hashes for local users. Using [Volume Shadow Copy](http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html) or [Ninja Copy](http://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/) you can retrieve these files. | -| `%SystemDrive%\inetpub\logs\LogFiles` | IIS 7.x web server log file location. | -| `%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat` | Internet Explorer web browser history file (http://support.microsoft.com/kb/322916) | -| `%USERPROFILE%\ntuser.dat` | User-level Windows registry settings (http://technet.microsoft.com/en-us/library/cc758618(v=WS.10).aspx) | -| `%WINDIR%\System32\drivers\etc\hosts` | System hosts file for local translation of host names to IP addresses. | -| `%WINDIR%\debug\NetSetup.log` | Shows issues when computers are joined to a domain. http://technet.microsoft.com/en-us/library/cc961817.aspx | -| `%WINDIR%\iis[version].log` where [version] = 6, 7, or 8 | Internet Information Service (IIS web server) log files. | -| `%WINDIR%\repair\sam`
`%WINDIR%\repair\system`
`%WINDIR%\repair\software`
`%WINDIR%\repair\security` | System registry hives. https://en.wikipedia.org/wiki/Windows_Registry | -| `%WINDIR%\system32\CCM\logs\*.log` | Windows SCCM (System Center Configuration Manager) log files (http://technet.microsoft.com/en-us/library/bb892800.aspx) | -| `%WINDIR%\system32\config\AppEvent.Evt`
`%WINDIR%\system32\config\SecEvent.Evt` | Windows Event Logs. | -| `%WINDIR%\system32\config\default.sav`
`%WINDIR%\system32\config\security.sav`
`%WINDIR%\system32\config\software.sav`
`%WINDIR%\system32\config\system.sav` | Backup Windows registry files (http://forensics.wikia.com/wiki/Windows_registry_entries) | -| `%WINDIR%\system32\logfiles\httperr\httperr1.log` | IIS 6.x web server error logs. | -| `%WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log` where YYMMDD = year month day | Web server log files. | -| `unattend.txt, unattend.xml, sysprep.inf` | Used in the automated deployment of Windows images and can contain user accounts. | \ No newline at end of file
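Review bot: the blind.md hunk leaves the merged table listing the same registry hives twice with two different descriptions. The existing rows for `%SYSTEMROOT%\repair\SAM` / `%SYSTEMROOT%\System32\config\RegBack\SAM` and `%SYSTEMROOT%\repair\system` are kept, while the added rows repeat `%SYSTEMROOT%\repair\SAM` / `RegBack\SAM` (this time with the Ninja Copy link) and add `%WINDIR%\repair\sam`, `system`, `software`, `security`, which are the same paths, since `%WINDIR%` and `%SYSTEMROOT%` both resolve to the Windows directory. Suggest folding the Ninja Copy link and the `software`/`security` hives into the existing rows, dropping the repeats, and using one of `%SYSTEMROOT%` or `%WINDIR%` throughout the table. Two smaller points in the same hunk: the `%WINDIR%\iis[version].log` row calls these "IIS web server log files", but `iis6.log`/`iis7.log`/`iis8.log` are the IIS setup logs, distinct from the request logs already covered by the `inetpub\logs\LogFiles` and `system32\logfiles\w3svc1` rows, so the description should say "setup log"; and the last added line has no trailing newline (`\ No newline at end of file`), which will make the next append to this table produce a noisy diff.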
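Review bot: the files.md deletion hunk removes the page's title and its scope sentence ("Files that can yield passwords or other intel about the system, network or users.") without carrying either into blind.md, whose intro instead frames the list as files to pull "when all you can do is to blindly read". Since the commit moves the rows but not the framing, either add that scope sentence to the blind.md intro or confirm the blind-read framing is meant to cover every moved row, including `%SYSTEMDRIVE%\pagefile.sys`, which its own description calls a last resort due to size. Also grep the repo for links to `presence/windows/files.md` before merging so the delete does not leave dangling references.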