Using the SIFT workstation to gain registry information
So, given the image, we have to answer the following:
- What was the most recent keyword that the user vibranium searched using Windows Search for on the nromanoff system?
- How many times did the vibranium account run excel.exe on the nromanoff system?
- What is the most recent Typed URL in the vibranium NTUSER.DAT?
Before beginning, note that we will be using RegRipper (rip.pl), which is built into the SIFT workstation. Its usage screen presents the following options:
1) Using the following command, we believe the word is Alloy.
Note that our command told RegRipper to run only the wordwheelquery plugin against the registry hive NTUSER.DAT (in rip.pl, -r selects the hive and -p selects the plugin).
We looked there because Windows Search terms are stored under the WordWheelQuery key (Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery in NTUSER.DAT). Its MRUListEx value orders the entries with the most recent first, which is how the plugin identifies the latest search.
2) The UserAssist key should contain this information.
So, using the userassist plugin we get all the programs that have been run, with their run counts (the value names are ROT13-encoded in the registry, and the plugin decodes them for us).
To look for Excel, we pipe the output through grep -i, because it will only return the lines containing the word excel.
Running man grep tells us more about grep.
It informs us that -i makes the match case-insensitive, so EXCEL.EXE and excel.exe both match (note the lower-case i: the upper-case -I option is different and tells grep to skip binary files). Adding up the counts on the matching lines gives the number of times excel.exe was run.
3) The Typed URLs live under Software\Microsoft\Internet Explorer\TypedURLs in NTUSER.DAT, where the value url1 is the most recently typed entry.
So, we told reglookup (with its -p option) to use only the path we typed and to print what it knows about that path in the NTUSER.DAT file.
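The logic the three lookups rely on, as an added example that is not RegRipper's or reglookup's own code: it parses the raw value formats the plugins decode (MRUListEx ordering under WordWheelQuery, ROT13 value names and run counts under UserAssist, url1 under TypedURLs) and runs them over constructed sample values. The paths, counts, timestamps and URLs in the sample are made up for illustration and are not taken from the nromanoff image; the 72-byte Windows 7 UserAssist layout and 16-byte Windows XP layout are handled, with the XP "count stored plus five" quirk applied.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# 1) WordWheelQuery (Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery)
#    Values "0", "1", ... hold UTF-16LE search terms. MRUListEx is a REG_BINARY list of
#    little-endian DWORD indexes terminated by 0xFFFFFFFF, most recent first.

def parse_mrulistex(data: bytes) -> List[int]:
    """Return value indexes in MRU order (most recent first), stopping at the terminator."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def most_recent_search(values: Dict[str, bytes]) -> Optional[str]:
    order = parse_mrulistex(values.get("MRUListEx", b""))
    if not order:
        return None
    return values[str(order[0])].decode("utf-16-le").rstrip("\x00")

# 2) UserAssist (...\Explorer\UserAssist\{GUID}\Count)
#    Value names are ROT13-encoded program paths. On Windows 7 and later the data is
#    72 bytes: run count as a DWORD at offset 4, last-run FILETIME at offset 60.
#    Windows XP used 16 bytes: session id, count (stored as real count + 5), FILETIME.

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means never run."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_userassist(name: str, data: bytes) -> Tuple[str, int, Optional[datetime]]:
    program = codecs.decode(name, "rot_13")
    if len(data) >= 72:                      # Windows 7+ layout
        count = struct.unpack_from("<I", data, 4)[0]
        ft = struct.unpack_from("<Q", data, 60)[0]
    elif len(data) == 16:                    # Windows XP layout
        count = max(struct.unpack_from("<I", data, 4)[0] - 5, 0)
        ft = struct.unpack_from("<Q", data, 8)[0]
    else:
        raise ValueError("unexpected UserAssist data length %d" % len(data))
    return program, count, filetime_to_datetime(ft)

def run_count(values: Dict[str, bytes], program: str) -> int:
    """Sum the run counts of every entry whose decoded path contains `program`,
    case-insensitively (the same effect as piping plugin output through grep -i)."""
    total = 0
    for name, data in values.items():
        decoded, count, _ = parse_userassist(name, data)
        if program.lower() in decoded.lower():
            total += count
    return total

# 3) TypedURLs (Software\Microsoft\Internet Explorer\TypedURLs)
#    REG_SZ values url1, url2, ...; url1 is the most recently typed URL.

def most_recent_typed_url(values: Dict[str, str]) -> Optional[str]:
    return values.get("url1")

# ---- constructed sample hive values (illustration only, not from the nromanoff image) ----

def _utf16(s: str) -> bytes:
    return s.encode("utf-16-le") + b"\x00\x00"

def _ua_win7(count: int, filetime: int) -> bytes:
    # session id, run count, 52 bytes of focus data we do not need, FILETIME, padding
    return struct.pack("<II", 0, count) + b"\x00" * 52 + struct.pack("<Q", filetime) + b"\x00" * 4

UA_GUID = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"   # Windows 7 UserAssist GUID for executables

WORDWHEEL = {
    "0": _utf16("budget"),
    "1": _utf16("Alloy"),
    "2": _utf16("report"),
    "MRUListEx": struct.pack("<4I", 1, 2, 0, 0xFFFFFFFF),   # index 1 ("Alloy") is most recent
}

USERASSIST = {
    codecs.encode(UA_GUID + r"\Microsoft Office\Office14\EXCEL.EXE", "rot_13"): _ua_win7(3, 129900000000000000),
    codecs.encode(r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE", "rot_13"): _ua_win7(2, 129900000000000000),
    codecs.encode(UA_GUID + r"\notepad.exe", "rot_13"): _ua_win7(7, 0),
}

TYPEDURLS = {
    "url1": "http://www.example.com/",
    "url2": "http://intranet.example.local/",
}

if __name__ == "__main__":
    print("most recent search :", most_recent_search(WORDWHEEL))
    print("excel.exe run count:", run_count(USERASSIST, "excel.exe"))
    print("most recent URL    :", most_recent_typed_url(TYPEDURLS))
```

The sample deliberately holds two Excel entries under different paths, which is why the answer to question 2 is the sum of the matching lines rather than a single count; on a real hive, feed the value dictionaries from a registry parser (or the plugin output) into the same functions.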