500.2 - Windows Registry

Question 1

<p>Overall System Hives</p>

Answer 1

<p>- SAM - Local user acounts &amp;amp; groups (not admin)

- SECURITY - Security info utilized by SAM &amp;amp; the OS (password policy, group memberships)
- SYSTEM - Hardware and service config, raw device names &amp;amp; drive (USB keys)
- SOFTWARE - All application settings
- AMCACHE.HVE - Application Compatibility &amp;amp; Tracking exe's
- NTUSER.DAT - Config &amp;amp; enviromental settings (SPECIFIC user activity)</p>

Question 2

<p>Root Keys</p>

Answer 2

<p>- HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY-LOCAL_MACHINE (S,S,S&amp;amp;S), HKEY_USERS</p>

Question 3

<p>Backup Hives</p>

Answer 3

<p>- SAM, DEFAULT, SYSTEM, SOFTWARE, &amp;amp; SECURITY

- %WinDir%\System32\Config\ RegBack
- RegIdleBackup</p>

Question 4

<p>User Registry Hives</p>

Answer 4

<p>- NTUSER.DAT - SPECIFIC user activity - (HKEY_CURRENT_USER)

- C:\doc &amp;amp; settings\username\NTUSER.dat &amp;amp; C:\username\NTUSER.dat
- USRCLASS.DAT - Program exe by user - - folders opened and closed
- Virtualized in Registry in NTUSER.DAT/Software/Classes &amp;amp; HKCU/Software/Classes
- C:users\username appdata\local\microsoft\windows\userclass.dat</p>

Question 5

<p>Reg. Keys and Values</p>

Answer 5

<p>- Keys: Similar to folders (keys) &amp;amp; subfolders (subkeys) - Produces a folder | directory hierarchy - Values: Data stored within a key - Data in the form of Stings, binary data, integers, lists - Most valuable forensic data is found</p>

Question 8

Offline Registry Viewing

Answer 8

• Offline - NTUSER.DAT
  
  • NTUSER.DAT\software\microsoft\windows\currentversion\run
• Online - HKCU
  
  • HKCU\software\microsoft\windows\currentversion\run

Question 9

Registry Hive Transaction Logs

Answer 9

• Most recent Hive activity not written in Registry (1hr)
  
  • .Log1
  • .Log2

Question 10

Registry Key Last Write Time

Answer 10

• All KEYS have

- Time stored in UTC

Question 11

Most Recently Used Lists (MRU)

Answer 11

• Provides the order of artifact (newest to oldest)

- (0,16,18,1,15,13,14)

Question 12

Deleted Registry Keys/Values

Answer 12

• Regs Hives have unallocated space for deleted files
• Keys that are possible recovery
  
  • Keys
  • Values
  • Timestamps

Question 13

cafae.exe

Answer 13

• Automates Registry extraction

Question 14

SAM

Answer 14

• Username
  
  • Relative ID or RID = a #
  • Login Info - Last login, failed login, logon count, password policy, acct. creation
  • Groups info - Admins, users, RDP users

** Local Accounts Only - NOT domain accounts

Question 15

Profile Local Users

Answer 15

• Lists the local accounts of the system & their equivalent security IDs
• Discover the username & RID (helps map ID # to usernames)
• SAM\Domains\Accounts\Users\
• Last Login
• Last failed login
• Logon count
• Password policy
• Account creation time

Question 16

SAMInside

Answer 16

• Used to determine if a password is Empty (31D6CFE0D16AE931B7)
• Is the password required
• Has NTLMv2 Password
• Has LanManager Password

Question 17

Examining System Configurations

Answer 17

• Systems
• Software
• Security

Question 18

ID Microsoft OS Version

Answer 18

• Determine Versions, Service pack, install date/time, OS
  
  • Install date in EPOCH TIME (convert to hex)
  • Install time is in Win time
• Key Location:
  
  • SOFTWARE\Microsoft\Windows NT\Current Version

Question 19

Identify CurrentControlSets

Answer 19

• Identifies which control set is current
• Contains info about the systems config settings
• “Data # 1 = “Last Known Good Set”
  
  • CurrentControlSet001 - Controlset that just booted
  • CurrentControlSet002 - Last known good version
• Key Location:
  
  • SYSTEM\Select\Current

Question 20

Computer Name

Answer 20

• SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

Question 21

Time Zone Information (UTC Time)

Answer 21

• Found in the Cuurent Good control set

- SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Question 22

NTFS Last Access Time On/Off

Answer 22

• Updates when the system touches a file -> not always when a user accessed a file
  
  • NtfsDisabledLastAccessUpdate -> 0x1 = Timestamps are off
• Key Location:
  
  • SYSTEM\CurrentControlSet\Control\Filesystem

Question 23

Network Interfaces

Answer 23

• Identifies the computers network interface card
• TCP/IP info configured, IP, gateway, DCHP IP (subnet mask DHCP server IP)
• Key Location:
  
  • SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

Question 24

Historical Networks

Answer 24

• Identify Network that the computer has been connected to
• Network List Keys
• Ntwrks, Domain, SSID,MAC, LOC Awareness

Question 25

ProfileGuid

Answer 25

• Determine First & Last network in SOFTWARE Hive (Network Profile Key)

Question 26

Network Profiles Key

Answer 26

• Idenitfy the types of Ntwrks & wireless SSIDs - Local Time
  
  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Networklist\Profiles (Win10)
  • Wireless = 0x47
  • Wired = 0x06
  • Broadband (3g) = 0x17

Question 27

Geo-Location of MAC Address/SSID

Answer 27

wigle.net

Question 28

Shares and Offline caching (CSC)

Answer 28

• Lists the open network shares on the local system
• Lists Flags and configuration settings
• Key Location:
  
  • SYSTEM\CurrentControlSet\Services\Lamanserver\Shares\

Question 29

System Boot Autostart Programs

Answer 29

• Determine programs that will start automatically
• if Start Key is set 0x2 then service will start @ boot
• Key Location:
  
  • SYSTEM\CurrentControlSet\Services

Question 30

TypedPaths

Answer 30

• Manually Typed paths in the Start menu and Explorer Bar
• Key Location:
  • NTUSER.DAT\Software\Microsoft\CurrentVersion\Explorer\TypedPaths

Question 31

RecentDocs via Registry Explorer

Answer 31

• Most Recent used Docs
• Key Location:
  • NTUSER.DAT\Software\Microsoft\CurrentVersion\Explorer\RecentDocs

Question 32

Microsoft Office RecentDocs

Answer 32

• Provides the specific version of Microsoft Office used
• Tracks last docs saved - Located in (FileMRU)
• O365/LiveID syns all devices
• Key Location:
  
  • NTUSER.DAT\Software\Microsoft\Office\Version

Question 33

Win7/8/10 Search History

Answer 33

• WordWheelQuery - Win7 records searches of programs/files (Start menu & Explorer folder/ Search) - Prove File Knownledge
  
  • Win 8/8 - Explorer Search Bar
• Key Location:
  
  • NTUSER.DAT\Software\Microsoft\CurrentVersion\Explorer\WordWheelQuery

Question 34

Office 365/2013 File MRU Keys

Answer 34

• File Path, Last opened, Last closed (reading location)

- Key Location:

Question 35

LastVisitedMRU

Answer 35

• Last file path opened & exe used

Question 36

OpenSaveMRU

Answer 36

• Save/Open shell dialogue box & last file opened/save by a specfic extension

Question 37

Last Visited

Answer 37

• exe used by app to open files in OpenSaveMRU

Question 38

Office 365/2013 File MRU Keys

Answer 38

• File Opening / Creation
• File Path, Last opened, Last closed (reading location)
• Place MRU just shows the folder location where the file was opened

Question 39

Last Commands Executed (WinXP - 8)

Answer 39

• Tracks cmds exe from the RUN dialog box (RunMRU)

Question 40

UserAssist KeyTracks

Answer 40

• Shows that last time of execution as well as the number of times a program was execute
• Located in the NTUSER.dat hive
• Last run time, Run count, Name of GUI, Focus time (how long open), Focus Count (activity)

Question 41

Application Compatibility Cache

Answer 41

• checks to see if the application needs to be “shimmed” (properties applied) to run an applications on the current OS
• Detect program capability challenges when a program launches (choose the right mode/OS)
• looks at the AppCompactCache reg key to see if a program needs shimming
• ShimCache
• Tracks a files last las mod data, file path, file size, and when it was exe
• XP +
• Different Modes = Shims
• Located in the System hive

Question 42

AppCompactCache

Answer 42

• Figuring out if a program needs shimming for compatibility
• exe’s last mod date, file path, & fize … last executed (XP)
• Reads the Shim Cache stored in Win reg
• AppCompactCache exe History - ShimCacheParser.py

Question 43

Application Compatibility Cache:

Answer 43

• Entry for every exe run, full path, file’s standardinfo, last mod time, disk volume, SHA1 hash
• Can attribute actions to specific users
• Amcache.hve