Archive for November, 2010
Along with disabling autoplay/autorun, consider turning off the automount functionality on Windows systems that require high security; it is also a decent secondary protection on a forensics workstation (you are using a hardware write blocker as well….right?).
To disable automount (this has been tested under Windows 7), do one of the following:
- run diskpart and, once at its prompt, type: automount disable
- or, execute: mountvol /N
- or, set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MountMgr\NoAutoMount to 1 in the registry (you’ll see this entry change appropriately if you use one of the previously mentioned commands).
NOTE: the commands mentioned above must be run from an elevated prompt (“Run as Administrator”) in Windows 7.
I sometimes need a quick and easy way of determining a user’s Active Directory SID (for example, when performing forensics on the Recycle Bin). Yes, there are ways to find out a SID in ADUC (check out how here) – but I think that utilizing PowerShell is more efficient in this case.
To find a user’s SID, within PowerShell run the following (replacing <domain> and <user> with the appropriate information for your query):
$objUser = New-Object System.Security.Principal.NTAccount("<domain>", "<user>")   # the account name to resolve
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])     # ask Windows to map name -> SID
$strSID.Value                                                                     # the SID as a string, e.g. S-1-5-21-...
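As an added example (not the author's downloadable script), the same lookup wrapped in a function with error handling, plus the reverse SID-to-account translation that is handy when a $Recycle.Bin subfolder named after a SID has to be attributed to an account; the domain and user names at the bottom are assumed sample values.

```powershell
# Added example, not the blog's script. Resolves DOMAIN\user to its SID and a SID
# back to an account, returning $null (with a warning) instead of throwing.
function Get-AccountSid {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$User
    )
    $account = New-Object System.Security.Principal.NTAccount($Domain, $User)
    try {
        # Translate() asks the local machine or the domain to map the name;
        # it throws IdentityNotMappedException when the account does not exist.
        return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Warning "Could not map $Domain\$User to a SID"
        return $null
    }
}

function Get-SidAccount {
    # Reverse direction: map a SID string (for example a $Recycle.Bin folder
    # name) back to DOMAIN\user. Malformed SIDs raise ArgumentException,
    # unknown ones IdentityNotMappedException; both are reported, not thrown.
    param([Parameter(Mandatory = $true)][string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        Write-Warning "SID $Sid could not be resolved: $($_.Exception.Message)"
        return $null
    }
}

# Usage with assumed sample names (replace with your own domain and user).
$sid = Get-AccountSid -Domain 'CORP' -User 'jdoe'
if ($sid) {
    "CORP\jdoe -> $sid"
    "$sid -> $(Get-SidAccount -Sid $sid)"
}
```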
To further enhance efficiency, I’ve actually wrapped this into a parametrized PowerShell script, which you can feel free to download here. Remember that in order to get the script to run, you need to set your execution policy to “RemoteSigned” by running the following command: