(Re)boot/ Wake-On-Lan : the user can boot / reboot a system if the user is authorized to do so, or can send Wake-On-Lan (WOL) packages to a system.If enabled, this provides the user with functionality to remotely boot a system. The fact that there is a portable version of Advanced IP Scanner, that it has a GUI and that the tool supports a variety of ways to interact with identified systems probably contributes to it popularity. Forensic tracesĪIS leaves traces on a host system when it is executed. This section describes the traces that are created during usage of the AIS tool and more specifically, the Windows registry keys that are being created. Do note that for both the portable version as well as the installer version, the same traces are created in the Windows registry. Data is more specifically stored at the following location:Ĭomputer\HKEY_USERS\\SOFTWARE\famatech\advanced_ip_scanner 3.1 AIS registry keysĪfter the installation of AIS, keys and subkeys are created in the HKEY_USERS hive of the user under which account AIS was installed. The mentioned registry keys are created, by both the installer version of AIS and the portable version, after the first usage of the application and subsequently some (sub)keys are updated after using AIS. While looking at it graphically, multiple keys and subkeys are created as shown in Figure 2. 3.2 The ‘advanced_ip_scanner’ keys and subkeys The most relevant traces from a forensic perspective are either stored under the ‘ advanced_ip_scanner ’, or the ‘ State ’ key.įigure 2 – Overview of keys created with regards to AIS.
If we look at the subkeys of the advanced_ip_scanner key, we are presented with the keys as shown in T able 2. This table shows the name and type of the subkeys, together with the value (data) of the subkey, a comment with what the subkey represents and what the function is within AIS.
0 kommentar(er)
