Windows Forensics- Registry Notes
Notes on Windows Forensics video
Note: cheat sheet has been attached to video
Note: no guarantee a forensic artefact will remain across operating system updates!
Introduction to the registry
The registry is a giant database containing a tonne of things that provide forensic information.
On disk the hive files are found in \Windows\System32\config; they can also be collected from a live system
These files are locked while Windows is running, so you need the correct methods (e.g. an imaging tool) to copy them
The registry is made up of hives; the system hives are DEFAULT, SAM, SECURITY, SOFTWARE and SYSTEM
Regback- contains backups of these
User profile can be found in the file NTUSER.DAT and contains a wealth of information!
Hive files can be obtained with FTK Imager and then viewed in regedit (File > Load Hive)
Registry Explorer software
Loading NTUSER.DAT
Shows deleted records
Expand upon root, then Software\Microsoft\Windows\CurrentVersion\Explorer
There you will see the following keys
\ComDlg32
\ComDlg32\LastVisitedPidlMRU
\ComDlg32\OpenSavePidlMRU
\RecentDocs
\RunMRU
\TypedPaths
\UserAssist
ComDlg32- MRU= Most Recently Used (common open/save dialog history)
\LastVisitedPidlMRU- executables used to open or save files, and the paths of those files
\OpenSavePidlMRU- the last path browsed to when doing that open/save
\RecentDocs- link files recently opened, can show recent interactions with the system
\RunMRU- shows what was most recently typed into the Run box
\TypedPaths- shows paths recently typed into Explorer, useful for things which have since been deleted
\UserAssist- when a program was executed and how many times
Sometimes obfuscation such as ROT13 is used (the UserAssist value names are ROT13-encoded)
- A becomes N, B becomes O etc as every letter moves 13 places along the alphabet
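An added example (not from the video or its cheat sheet) of decoding UserAssist entries: ROT13 the value names and pull the run count and last-execution FILETIME out of the binary value. The 72-byte layout (run count at offset 4, FILETIME at offset 60) is the Windows 7 and later format; the value names, counts and timestamps below are constructed sample data, and the build helper exists only to make that sample.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(text: str) -> str:
    """Undo the ROT13 applied to UserAssist value names. Only A-Z/a-z move;
    digits, punctuation and path separators are left untouched."""
    return codecs.decode(text, "rot_13")


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME integer to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, in integer arithmetic to avoid float rounding."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_userassist_value(data: bytes) -> dict:
    """Parse a Windows 7+ UserAssist\\{GUID}\\Count value (72 bytes).

    Layout assumed here (byte offsets, little-endian):
      0  session id (DWORD)      4  run count (DWORD)
      8  focus count (DWORD)    12  focus time in ms (DWORD)
     60  last execution FILETIME (QWORD)
    """
    if len(data) < 68:
        raise ValueError("UserAssist value too short for the Windows 7+ layout")
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
    (last_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        # A zero FILETIME means the program was never run under this entry.
        "last_run": filetime_to_datetime(last_ft) if last_ft else None,
    }


def build_userassist_value(run_count: int, focus_count: int, focus_ms: int, last_run: datetime) -> bytes:
    """Construct a 72-byte value in the layout above (used only to make sample data)."""
    buf = bytearray(72)
    struct.pack_into("<4I", buf, 0, 0, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", buf, 60, datetime_to_filetime(last_run))
    return bytes(buf)


SAMPLE_LAST_RUN = datetime(2023, 1, 1, tzinfo=timezone.utc)

# Constructed sample of Count values: ROT13 name -> raw data (not from a real system).
SAMPLE_COUNT_VALUES = {
    "P:\\Jvaqbjf\\Flfgrz32\\pzq.rkr": build_userassist_value(7, 3, 12000, SAMPLE_LAST_RUN),
    "P:\\Jvaqbjf\\abgrcnq.rkr": build_userassist_value(2, 1, 4000, SAMPLE_LAST_RUN),
}


def decode_userassist(count_values: dict) -> list:
    """Decode every entry: ROT13 the name and parse run count / last run time."""
    rows = []
    for name, data in count_values.items():
        row = {"program": rot13(name)}
        row.update(parse_userassist_value(data))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in decode_userassist(SAMPLE_COUNT_VALUES):
        print(f'{row["program"]}: run {row["run_count"]}x, last {row["last_run"]}')
```

Real value names usually start with a known-folder GUID rather than a drive letter; ROT13 leaves the hex digits alone, so the GUID is still recognisable after decoding.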
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Programs listed here are started upon log in, important for malware persistence
The keys exist under both the machine (HKLM) and the current user (HKCU)
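An added example (not from the video) of triaging the four Run/RunOnce keys: it parses a .reg export of those keys, splits each command into its executable path, and flags entries that launch from outside the Windows and Program Files directories as worth a closer look. The export text is constructed sample data (a real .reg file is UTF-16 and must be decoded first), and the "trusted prefix" rule is a starting heuristic, not a verdict.

```python
import re

# The four autorun keys from the notes, as they appear in a .reg export.
RUN_KEYS = {
    k.lower()
    for k in (
        r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    )
}

# Executables under these prefixes are not flagged; everything else is marked for review.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed .reg export (sample data, not from a real system).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svc\\update.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Users\\alice\\AppData\\Local\\Temp\\cleanup.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="value" with .reg escaping (\\ and \") inside the quotes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text: str) -> str:
    """Turn .reg escapes (\\\\ and \\") back into the literal characters."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_run_entries(reg_text: str) -> list:
    """Collect every value under the Run/RunOnce keys of a .reg export."""
    entries, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if current_key is None or current_key.lower() not in RUN_KEYS:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append({"key": current_key,
                            "name": _unescape(m.group(1)),
                            "command": _unescape(m.group(2))})
    return entries


def executable_path(command: str) -> str:
    """Return the program part of an autorun command (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(entries: list) -> list:
    """Annotate each entry with its executable path and a review flag."""
    for entry in entries:
        path = executable_path(entry["command"])
        entry["path"] = path
        entry["review"] = not path.lower().startswith(TRUSTED_PREFIXES)
    return entries


if __name__ == "__main__":
    for e in triage(parse_run_entries(SAMPLE_REG)):
        print(("REVIEW " if e["review"] else "       ") + f'{e["key"]} :: {e["name"]} -> {e["path"]}')
```

Legitimate per-user software (OneDrive in the sample) also lives under AppData, so the flag means "confirm the publisher and the file", not "malicious"; the value of the check is that it surfaces the entries whose executables sit in user-writable locations.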
Shell Bags
HKCU\SOFTWARE\Microsoft\Windows\Shell
\BagMRU
\Bags
When you visit a path and customise the icons, position, size, sorting method etc, that is stored in the shell bags
Forensic importance: these persist for folders that have long since been deleted!!
Find deleted trees- proves said path did exist on the system
Shows when modified, date etc
ShellBags Explorer software
HKCU\SOFTWARE\Classes
Backed by %USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat
Added in Windows 7- records configuration information from user processes that do not have access to write to the standard registry hive
USB Devices
USBSTOR and USB provide lots of information
CurrentControlSet is only seen on a live system! In an offline hive it is ControlSet001
There may be more than one (002, 003 etc)- look at the Select key, its Current value tells you which one is in use
Enum\USBSTOR
Enum\USB
USBSTOR tells you how many removable media have been plugged in
Gives you the serial number- may be globally unique
Also shows you the last write time stamp- the last time it was connected
Looking at the USB key:
VID and PID
Find the more specific model of the device by matching these against a database
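An added example (not from the video) that walks the steps above over a constructed SYSTEM hive: resolve CurrentControlSet from Select\Current, split each Enum\USBSTOR device key into vendor/product/revision, read the serial subkey, and pull VID/PID out of the matching Enum\USB key. The hive is modelled as a nested dict with sample values; the "&" rule for Windows-generated serials (second character of the instance ID) is a known Plug and Play convention, not something on the page.

```python
import re


def current_control_set(select_current: int) -> str:
    """Map SYSTEM\\Select\\Current to the ControlSetNNN key that CurrentControlSet
    points at on the live machine (offline hives have no CurrentControlSet link)."""
    return f"ControlSet{select_current:03d}"


def parse_usbstor_device(key_name: str) -> dict:
    """Split a USBSTOR device key such as
    'Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00' into its fields."""
    parts = key_name.split("&")
    info = {"device_class": parts[0], "vendor": None, "product": None, "revision": None}
    for part in parts[1:]:
        for prefix, field in (("Ven_", "vendor"), ("Prod_", "product"), ("Rev_", "revision")):
            if part.startswith(prefix):
                info[field] = part[len(prefix):]
    return info


def parse_instance_id(instance_id: str) -> dict:
    """Interpret a USBSTOR instance (serial) subkey name.

    If the second character is '&', Windows generated the identifier because the
    device reported no unique serial, so it will not match the same stick on
    another machine. Otherwise the serial is everything before the final '&N'."""
    generated = len(instance_id) > 1 and instance_id[1] == "&"
    serial = None if generated else instance_id.rsplit("&", 1)[0]
    return {"instance_id": instance_id, "serial": serial, "windows_generated": generated}


def parse_vid_pid(key_name: str) -> dict:
    """Extract vendor and product IDs from an Enum\\USB subkey such as 'VID_0781&PID_5567'."""
    m = re.fullmatch(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})(?:&.*)?", key_name)
    if not m:
        raise ValueError(f"not a VID/PID key: {key_name}")
    return {"vid": int(m.group(1), 16), "pid": int(m.group(2), 16)}


# Constructed sample of the relevant keys (sample data, not from a real system).
# "LastWrite" stands in for the key's last-write timestamp, which the notes read
# as the last time the device was connected.
SAMPLE_SYSTEM_HIVE = {
    "Select": {"Current": 1},
    "ControlSet001": {
        "Enum": {
            "USBSTOR": {
                "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00": {
                    "4C530001234567890123&0": {"LastWrite": "2023-03-04T10:15:00Z",
                                               "FriendlyName": "SanDisk Cruzer Blade USB Device"},
                },
                "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": {
                    "7&2a3b4c5d&0": {"LastWrite": "2023-03-05T08:00:00Z",
                                     "FriendlyName": "Generic Flash Disk USB Device"},
                },
            },
            "USB": {
                "VID_0781&PID_5567": {"4C530001234567890123": {}},
            },
        }
    },
}


def list_removable_media(system_hive: dict) -> list:
    """Walk Enum\\USBSTOR in the active control set and summarise each device."""
    control_set = system_hive[current_control_set(system_hive["Select"]["Current"])]
    rows = []
    for device_key, instances in control_set["Enum"]["USBSTOR"].items():
        device = parse_usbstor_device(device_key)
        for instance_key, values in instances.items():
            row = {**device, **parse_instance_id(instance_key)}
            row["friendly_name"] = values.get("FriendlyName")
            row["last_write"] = values.get("LastWrite")
            rows.append(row)
    return rows


if __name__ == "__main__":
    for r in list_removable_media(SAMPLE_SYSTEM_HIVE):
        tag = "generated id" if r["windows_generated"] else f'serial {r["serial"]}'
        print(f'{r["vendor"]} {r["product"]} rev {r["revision"]} ({tag}) last write {r["last_write"]}')
```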
Software hive-
Windows Portable Devices\Devices
Friendly name- the name of the volume for the flash drive plugged in
System hive- MountedDevices
Match up the serial number
Look at the GUID identifier
EMDMgmt
Only in use if the system drive is not an SSD
Can show the history of the volume serial number, which is different to the device serial number
Shows the number of times the device was formatted, previous names etc
Volume GUID
Helps find the user who mounted it
Looking the volume GUID up in each user's hive (MountPoints2 in NTUSER.DAT) shows who mounted it
System properties
Will see the first install and removal times
Last connected time (Windows 8 and later)
Make sure to do the timezone conversion
Under the same hive, Services\LanmanServer\Shares-
Will show the shares on the system
Back to Control- FileSystem
NtfsDisableLastAccessUpdate-
If 1 it means last access updates are disabled
Access time stamps (the A in MACB) are off by default
Means the access time stamp is not updated every time a file is accessed
Services\Tcpip
Network information
Go to Parameters\Interfaces, will show the IP address etc
Important info !
Network Location Awareness (NLA)
Last write time of the key is the last time the PC connected to a network
NetworkList-
Signatures\Unmanaged- MAC address (of the default gateway)
DNS suffix- e.g. corporate network
First network
Profile GUID- take note of this one
Going on to Profiles-
Pick the one that matches the GUID
NameType- 6 is wireless, wired is 47 (hex, 71 decimal), and more
Date last connected is shown
Shown in UTC which can then be decoded
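An added example (not from the video) of the join described above over a constructed NetworkList: each Signatures\Unmanaged entry is linked to its profile through ProfileGuid, NameType is mapped to a label, and DateLastConnected is decoded from its 16-byte SYSTEMTIME layout (eight little-endian WORDs: year, month, day-of-week, day, hour, minute, second, milliseconds). The signature names, MAC, suffix and dates are sample data; the 23 = VPN mapping is an addition beyond the two types the notes list. The decoded time is returned naive, in whatever zone the value was written (the notes treat it as UTC).

```python
import struct
from datetime import datetime

# NameType values in NetworkList\Profiles; the notes give 6 and 0x47, 23 is VPN.
NAME_TYPES = {6: "wireless", 23: "VPN", 0x47: "wired"}


def parse_systemtime(data: bytes) -> datetime:
    """Decode the 16-byte SYSTEMTIME blob used by DateCreated / DateLastConnected."""
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", data[:16])
    return datetime(year, month, day, hour, minute, second, ms * 1000)


def build_systemtime(dt: datetime) -> bytes:
    """Inverse of parse_systemtime; used here only to build sample data."""
    dow = (dt.weekday() + 1) % 7  # SYSTEMTIME counts Sunday as 0, Python counts Monday as 0
    return struct.pack("<8H", dt.year, dt.month, dow, dt.day,
                       dt.hour, dt.minute, dt.second, dt.microsecond // 1000)


def format_mac(raw: bytes) -> str:
    """Render the 6-byte DefaultGatewayMac value as AA-BB-CC-DD-EE-FF."""
    return "-".join(f"{b:02X}" for b in raw)


# Constructed NetworkList (sample data). Real Unmanaged subkeys are long hex hashes.
SAMPLE_NETWORKLIST = {
    "Signatures": {
        "Unmanaged": {
            "sample-signature-1": {
                "DefaultGatewayMac": bytes.fromhex("001122AABBCC"),
                "DnsSuffix": "corp.example",
                "FirstNetwork": "CorpWiFi",
                "ProfileGuid": "{11111111-2222-3333-4444-555555555555}",
            },
            "sample-signature-2": {
                "DefaultGatewayMac": bytes.fromhex("DEADBEEF0102"),
                "DnsSuffix": "home.example",
                "FirstNetwork": "Network",
                "ProfileGuid": "{66666666-7777-8888-9999-000000000000}",
            },
        }
    },
    "Profiles": {
        "{11111111-2222-3333-4444-555555555555}": {
            "ProfileName": "CorpWiFi",
            "NameType": 6,
            "DateCreated": build_systemtime(datetime(2022, 11, 2, 8, 0, 0)),
            "DateLastConnected": build_systemtime(datetime(2023, 5, 17, 9, 30, 0)),
        },
        "{66666666-7777-8888-9999-000000000000}": {
            "ProfileName": "Network",
            "NameType": 0x47,
            "DateCreated": build_systemtime(datetime(2022, 10, 1, 12, 0, 0)),
            "DateLastConnected": build_systemtime(datetime(2023, 5, 16, 18, 45, 0)),
        },
    },
}


def network_history(networklist: dict) -> list:
    """Join each Unmanaged signature to its profile via ProfileGuid and decode the fields."""
    profiles = networklist["Profiles"]
    rows = []
    for sig_name, sig in networklist["Signatures"]["Unmanaged"].items():
        profile = profiles.get(sig["ProfileGuid"])
        name_type = profile.get("NameType") if profile else None
        rows.append({
            "signature": sig_name,
            "gateway_mac": format_mac(sig["DefaultGatewayMac"]),
            "dns_suffix": sig["DnsSuffix"],
            "first_network": sig["FirstNetwork"],
            "profile_name": profile.get("ProfileName") if profile else None,
            "type": NAME_TYPES.get(name_type, f"unknown ({name_type})"),
            "created": parse_systemtime(profile["DateCreated"]) if profile else None,
            "last_connected": parse_systemtime(profile["DateLastConnected"]) if profile else None,
        })
    return rows


if __name__ == "__main__":
    for r in network_history(SAMPLE_NETWORKLIST):
        print(f'{r["profile_name"]} ({r["type"]}) gw {r["gateway_mac"]} '
              f'suffix {r["dns_suffix"]} last {r["last_connected"]}')
```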
LNK File Analysis
DO NOT IGNORE
Contain a wealth of data
Metadata file
Windows creates its own link files, very useful!
Shows the path of the target file, its size, the volume serial number
Using software you can analyse them to show all of this
Prefetch and SuperFetch
Will show application execution
Includes things run from the command line as well
Shows things that have been run
Number of times etc
Software exists to parse it
Final thing
Prefetch parameters (Control\Session Manager\Memory Management\PrefetchParameters, EnablePrefetcher value)
Shows if prefetch is enabled