ComputerSecurityStudent (CSS) [Login] [Join Now]

|FORENSICS >> Windows Tools >> Audit Tools >> Current Page |Views: 29217

(Forensics: WinAudit Lesson 1)

{ System Inventory }

Section 0: Background Information
  1. Background
    • WinAudit is a great free tool, that will give you a comprehensive view of the components that make up your system, including hardware, software and BIOS.

  2. Lab Notes
    • In this lab we will do the following:
      1. Download WinAudit.
      2. Install WinAudit.
      3. Create Audit Report
      4. Interrogate Audit Report Sections.

  3. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2012 No content replication of any kind is allowed without express written permission.


Section 1: Power On Damn Vulnerable WXP-SP2
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player


  2. Start Up Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Click on Edit virtual machine Settings
    • Note(FYI):
      • For those of you not part of my class, this is a Windows XP machine running SP2.


  3. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button


  4. Play Virtual Machine
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Click on Play virtual machine


  5. Login to Windows
    • Instructions:
      1. Click on Administrator
      2. Type your password: <Supply Password>


  6. Open a Command Prompt
    • Instructions:
      1. Start --> All Programs --> Accessories --> Command Prompt


  7. Obtain Damn Vulnerable WXP-SP2's IP Address
    • Instructions:
      1. ipconfig
    • Note(FYI):
      • In my case, Damn Vulnerable WXP-SP2's IP Address
      • In your case, Damn Vulnerable WXP-SP2's IP Address might be different.


Section 2: Download and Install WinAudit
  1. Open Firefox
    • Instructions:
      1. Start --> All Programs --> Mozilla Firefox


  2. Download WinAudit
    • Instructions:
      1. Navigate to the below URL.
      2. Click Save File Radio Button
      3. Click the OK Button


  3. Save WinAudit
    • Instructions:
      1. Navigate to Desktop --> My Documents --> Downloads
      2. File name: WinAudit
      3. Click the Save Button.


  4. Download complete
    • Instructions:
      1. Click Tools --> Downloads
      2. Right Click on
      3. Open Containing Folder


  5. Extract All...
    • Instructions:
      1. Right Click on
      2. Click on Extract All...


  6. Extraction Wizard
    • Instructions:
      1. Click the Next Button


  7. Select Folder
    • Instructions:
      1. Click the Next Button


  8. Successfully Installed
    • Instructions:
      1. Click the Finish Button


Section 3: Download and Install WinAudit
  1. Install Winaudit
    • Instructions:
      1. Navigate to C:\tools\winaudit
      2. Right Click on WinAudit.exe
      3. Click on Open


  2. Open File - Security Warning
    • Instructions:
      1. Click the Run Button


Section 4: Audit Your Computer
  1. Audit Your Computer
    • Instructions:
      1. Click on Here (See Below).


Section 5: System Overview
  1. System Overview
    • Instructions:
      1. Click on System Overview.


Section 6: Installed Software
  1. Click on Installed Programs
    • Instructions:
      1. Go To: Installed Software --> Active Setup
    • Note(FYI):
      1. Notice you will see a list of programs.
      2. There will be a matrix for each program that will contain: Name, Vendor, Version, etc.


Section 4: Security Settings
  1. Internet Software


  2. Open Ports
    • Instructions:
      1. Go To: Security --> Open Ports
    • Note(FYI):
      • For each open port listed below, a table of information will display the following data:  Protocol, Address, Name, Connection State, Process Name, Manufacture, etc.


  3. Security Settings
    • Instructions:
      1. Go To: Security --> Security Settings
    • Note(FYI):
      • Below you can see various basic security settings: Screen Saver, Password Length, Password Age, Internet Explorer, etc.
      • Notice the following issues: (1) the screen saver password is not set, (2) automatic updates are turned off, (3) minimum password length can be set to nothing, (4) lockout attempts are disabled, (5) ActiveX is allowed, etc. 


  4. Shared Permissions
    • Instructions:
      1. Go To: Security --> Shared Permissions
    • Note(FYI):
      • Below there are three folders that are shared: (1) ADMIN$, C$, and IPC$.
      • The entire Hard drive is shared out to everyone.


  5. Windows Firewall
    • Instructions:
      1. Go To: Security --> Windows Firewall
    • Note(FYI):
      • Notice that the Firewall is not enabled.  In addition, both Remote Assistance and Remote Desktop are enabled.


Section 5: Running Programs
  1. Running Programs
    • Instructions:
      1. Go To: Running Programs
    • Note(FYI):
      • This section produces a list of running programs.
      • Notice that both telnet and vnc are running.  Telnet is susceptible to sniffer attacks.  VNC could be a problem if authentication is not set.


Section 6: Hardware Devices
  1. Hardware Devices
    • Instructions:
      1. Go To: Hardware Devices
    • Note(FYI):
      • Notice under the Hardware device tree their is a list of devices and peripherals.
      • For a Forensics investigation, you will need take physical pictures of all peripheral devices attached to the computer.  Then you will need to collect a software inventory, like below, where you record the device type, description, manufacture, driver version, etc.


Section 7: Save the WinAudit Report
  1. Save WinAudit Report
    • Instructions:
      1. Go To: File --> Save


  2. Saving
    • Instructions:
      1. Navigate to Desktop --> My Documents
      2. Filename: WXPSP2-20121219
        • Remember to change your date, where the format is YYYYMMDD.  (YYYY = year, MM = month, DD = day).
      3. Save as type: CSV
        • I chose CSV (Comma Separated Value) because this format can easily be parsed into stuffed into a database in a hurry.
      4. Click the Save Button


Section 8: Proof of Lab
  1. Open a Command Prompt
    • Instructions:
      1. Start --> All Programs --> Accessories --> Command Prompt


  2. Proof of Lab
    • Instructions:
      1. cd "My Documents"
      2. dir WXPSP2-20121219.csv
        • Remember that your filename will probably be different.
      3. date /t
      4. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press both the <Ctrl> and <Alt> keys at the same time.
      2. Do a <PrtScn>
      3. Paste into a word document
      4. Upload to Moodle


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth