公司网站招聘模板,html手机网站开发后端,常用网站开发模式,给公司申请网站用自己的账号难度#xff1a;5/10考察技能: Windows admin, Autopsy 使用场景#xff1a;分析USB设备使用情况Autopsy使用注意#xff1a;用管理员打开#xff0c;在实际分析时注意先复制一个镜像文件#xff0c;保存好原文件常用的Windows USB 取证的位置:Windows XP:Registry Key: U…难度5/10考察技能: Windows admin, Autopsy 使用场景分析USB设备使用情况Autopsy使用注意用管理员打开在实际分析时注意先复制一个镜像文件保存好原文件常用的Windows USB 取证的位置:Windows XP:Registry Key: USB-related information is stored in:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\SetupAPI Logs: C:\WINDOWS\setupapi.logWindows 7 had a few changes:SetupAPI Logs moved to: C:\WINDOWS\INF\setupapi.dev.logThe category Windows Portable Devices was added: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Portable Devices\DevicesWindows 8/8.1 added:DeviceClasses: Additional device information may be found under:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClassesWindows 10 and Windows 11:The category Device Container ID was added:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbccgpHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbhub其他取证位置:Windows Event Logs:System event logs may contain entries related to USB device insertions and removals.Event Viewer path: Applications and Services Logs\Microsoft\Windows\DriverFrameworks-UserMode\OperationalWindows Prefetch:USB-related executables may be found in C:\Windows\Prefetch\.Mounted Devices:Mounted device artifacts: HKEY_LOCAL_MACHINE\SYSTEM\MountedDevicesUserAssist:Tracks user interaction with USB devices in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist.挑战场景
A highly confidential document has been stolen from Prime Minister’s laptop and has been sold in the Dark Web. Can you help the intelligence services figure out how this happened?
1. 计算机名称是什么 What is the computer name?我们可通过在结果面板中查看操作系统信息来获取终端主机名。在标黄的SYSTEM条目中即可找到主机名。2. 操作系统安装时间 When was the OS installed?从上图SOFTWARE条目中同样可获取系统安装日期。3. 计算机时区设置 What is the Timezone of the computer?通过分析TimeZoneInformation注册表键值可确定时区。Autopsy会自动导出注册表配置单元以加速取证分析。 TimeZon 4. 首个连接的USB大容量存储设备序列号 What is the serial number of the first USB mass storage device connected?从系统注册表配置单元的USBSTOR键值中可获取该信息。最后一个或者在提供的regripper文件里面找RegRipper 是一个用于注册表取证的开源工具主要用于在Windows系统中分析注册表数据。5. 首个USB大容量存储设备厂商名称 What is the vendor name of the first USB mass storage device?上上图有6. 首个USB设备首次连接时间系统本地时间 When was the first USB mass storage device connected for the first time? (system local time)在windows/inf目录下的setupapi.dev.log日志文件中可找到该记录。或者在提供的regripper文件里面找7. 特定USB存储设备的卷标 What is the Volume Label of the unique USB mass storage device?卷标信息存储于软件注册表配置单元中通过之前获取的序列号即可定位。8. 找出使用过USB设备的用户及其SID Find the user that used the USB Device. What is the user’s SID?通过系统注册表中MountedDevices键值获取设备GUID后进行关键词搜索即可关联用户。在提取内容→操作系统用户账户→PM→属性中可查看用户SID。9. 该USB设备最后分配的盘符 What is the last drive letter assigned to the USB device?继续分析第7题提供的截图即可获得该信息。10. 被窃取的文件名是什么 What is the filename of the document stolen?综合所有取证证据后通过提取内容→最近文档中的LNK文件即可立即锁定被盗文档。
