500.2 - Windows Registry Flashcards
Overall System Hives
- SAM - Local user accounts & groups (local accounts only, not domain accounts)
- SECURITY - Security policy used by the SAM & the OS (password policy, group memberships); also holds LSA secrets and cached domain logon data
- SYSTEM - Hardware and service config, raw device names & drives (USB keys)
- SOFTWARE - All application and OS-wide settings
- AMCACHE.HVE - Application Compatibility & tracking of executables
- NTUSER.DAT - Config & environmental settings (SPECIFIC user activity)
Root Keys
- HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE (SAM, SECURITY, SYSTEM & SOFTWARE), HKEY_USERS, HKEY_CURRENT_CONFIG
Backup Hives
- SAM, DEFAULT, SYSTEM, SOFTWARE, & SECURITY
- %WinDir%\System32\Config\RegBack
- RegIdleBackup (scheduled task); on Windows 10 1803 and later RegBack is empty by default unless the EnablePeriodicBackup value under SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager is set
User Registry Hives
- NTUSER.DAT - SPECIFIC user activity - (HKEY_CURRENT_USER)
- C:\Documents and Settings\username\NTUSER.DAT (XP) & C:\Users\username\NTUSER.DAT (Vista and later)
- USRCLASS.DAT - Per-user program/class registrations & folders opened and closed (ShellBags)
- Virtualized in the Registry at HKCU\Software\Classes (mapped alongside NTUSER.DAT\Software\Classes)
- C:\Users\username\AppData\Local\Microsoft\Windows\UsrClass.dat
Reg. Keys and Values
- Keys: Similar to folders (keys) & subfolders (subkeys) - produces a folder/directory hierarchy
- Values: Data stored within a key - data in the form of strings, binary data, integers, lists
- Most valuable forensic data is found in the values
Offline Registry Viewing
- Offline - NTUSER.DAT
- NTUSER.DAT\software\microsoft\windows\currentversion\run
- Online - HKCU
- HKCU\software\microsoft\windows\currentversion\run
Registry Hive Transaction Logs
- Most recent hive activity may not yet be written to the hive file (Windows 8.1 and later can defer writes for up to ~1 hour); parse the transaction logs or replay them into the hive before analysis
- .LOG1
- .LOG2
Registry Key Last Write Time
- All KEYS have one (values do not)
- Time stored in UTC as a 64-bit FILETIME
Most Recently Used Lists (MRU)
- Provides the order of artifacts (newest to oldest)
- e.g. MRUListEx 0,16,18,1,15,13,14 -> value "0" is the most recent, "14" the oldest
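The following is an added example, not part of the original flashcards: it parses an MRUListEx value and uses it to order the numbered values of a key such as NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs. The sample key contents are constructed for the demonstration and reuse the order 0,16,18,1,15,13,14 from the card above; the shell-item bytes after each file name are dummy data.

```python
"""Added example (not from the original notes): parse MRUListEx and order RecentDocs
entries newest-first. Sample data is constructed."""
import struct


def parse_mrulistex(raw: bytes) -> list:
    """MRUListEx is an array of little-endian DWORD indexes, most recent first,
    terminated by 0xFFFFFFFF. A truncated trailing DWORD is ignored."""
    order = []
    usable = raw[: len(raw) - len(raw) % 4]
    for (index,) in struct.iter_unpack("<I", usable):
        if index == 0xFFFFFFFF:
            break
        order.append(index)
    return order


def recentdocs_name(value: bytes) -> str:
    """RecentDocs\\<n> data = UTF-16LE file name, double-NUL terminated, then a shell item.
    Scan on 2-byte boundaries so a NUL inside a UTF-16 code unit does not end the string."""
    end = 0
    while end + 1 < len(value) and value[end:end + 2] != b"\x00\x00":
        end += 2
    return value[:end].decode("utf-16-le", errors="replace")


def ordered_recentdocs(values: dict) -> list:
    """Return (index, file name) pairs newest-first; indexes with no value are skipped."""
    order = parse_mrulistex(values["MRUListEx"])
    return [(i, recentdocs_name(values[str(i)])) for i in order if str(i) in values]


def _fake_entry(name: str) -> bytes:
    """Constructed RecentDocs value: name + terminator + a dummy shell item (not real data)."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x1f\x50" + b"\x00\x00"


# Constructed sample key; value "2" exists but is not referenced by MRUListEx (stale entry)
SAMPLE_KEY = {
    "MRUListEx": struct.pack("<8I", 0, 16, 18, 1, 15, 13, 14, 0xFFFFFFFF),
    "0": _fake_entry("invoice.docx"),
    "16": _fake_entry("payroll.xlsx"),
    "18": _fake_entry("passwords.txt"),
    "1": _fake_entry("resume.pdf"),
    "15": _fake_entry("photo.jpg"),
    "13": _fake_entry("notes.txt"),
    "14": _fake_entry("setup.exe"),
    "2": _fake_entry("old.doc"),
}

if __name__ == "__main__":
    for index, name in ordered_recentdocs(SAMPLE_KEY):
        print(f"{index:>3}  {name}")
```

The stale value "2" is deliberately left out of the ordered result: a numbered value that MRUListEx no longer references is still on disk and is worth reporting separately, but it carries no position in the recency order.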
Deleted Registry Keys/Values
- Registry hives contain unallocated space where deleted data may persist
- Items that are possibly recoverable:
- Keys
- Values
- Timestamps
cafae.exe (TZWorks Computer Account Forensic Artifact Extractor)
- Automates Registry artifact extraction
SAM
- Username
- Relative ID (RID) = a number appended to the machine SID (500 = built-in Administrator, 1000+ = accounts created after install)
- Login Info - Last login, failed login, logon count, password policy, acct. creation
- Groups info - Admins, users, RDP users
** Local Accounts Only - NOT domain accounts
Profile Local Users
- Lists the local accounts of the system & their equivalent security IDs
- Discover the username & RID (helps map ID # to usernames)
- SAM\Domains\Account\Users\
- Last Login
- Last failed login
- Logon count
- Password policy
- Account creation time
SAMInside
- Used to determine if a password is empty (empty NT hash = 31d6cfe0d16ae931b73c59d7e0c089c0)
- Is the password required
- Has an NT (NTLM) hash
- Has a LanManager (LM) hash
Examining System Configurations
- Systems
- Software
- Security
ID Microsoft OS Version
- Determine version, service pack/build, install date/time, OS name
- InstallDate is a REG_DWORD in Unix epoch seconds (viewers show it as hex; convert hex -> decimal -> date)
- InstallTime (newer Windows) is a 64-bit Windows FILETIME
- Key Location:
- SOFTWARE\Microsoft\Windows NT\CurrentVersion
Identify CurrentControlSets
- Identifies which control set is current (CurrentControlSet is a symbolic link on a live system; an offline hive only has ControlSet00n)
- Contains info about the system's config settings
- SYSTEM\Select values: Current, Default, Failed, LastKnownGood (each holds a control set number)
- ControlSet001 - typically the control set that just booted
- ControlSet002 - typically the "Last Known Good" version (many Windows 10 systems have only ControlSet001)
- Key Location:
- SYSTEM\Select\Current
Computer Name
- SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Time Zone Information (UTC Time)
- Found in the current control set
- SYSTEM\CurrentControlSet\Control\TimeZoneInformation
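As an added example (not part of the original flashcards), the helpers below decode the three timestamp encodings the cards above refer to: the InstallDate epoch DWORD, the FILETIME used by InstallTime and by every key's LastWrite time, and the TimeZoneInformation\ActiveTimeBias offset. The sample values are constructed, and the function and constant names are this example's own.

```python
"""Added example (not from the original notes): timestamp conversions for
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion, key LastWrite times and
SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation. Sample values are constructed."""
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def dword_to_signed(value: int) -> int:
    """REG_DWORD is unsigned in the hive; ActiveTimeBias is really a signed 32-bit value."""
    return value - (1 << 32) if value & 0x80000000 else value


def install_date(dword: int) -> datetime:
    """InstallDate: REG_DWORD holding Unix epoch seconds (viewers show it as hex)."""
    return datetime.fromtimestamp(dword, tz=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME (InstallTime REG_QWORD, key LastWrite) -> timezone-aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def filetime_from_raw(raw: bytes) -> datetime:
    """8-byte little-endian FILETIME as stored in REG_QWORD / REG_BINARY data."""
    (filetime,) = struct.unpack("<Q", raw)
    return filetime_to_datetime(filetime)


def utc_to_local(ts_utc: datetime, active_time_bias_dword: int) -> datetime:
    """ActiveTimeBias = minutes to ADD to local time to reach UTC, so local = UTC - bias.
    Registry timestamps are UTC; convert only when reporting in the suspect's local time."""
    bias = dword_to_signed(active_time_bias_dword)
    return (ts_utc - timedelta(minutes=bias)).replace(tzinfo=None)


if __name__ == "__main__":
    # Constructed values: InstallDate 0x5F5E1000 and the same instant expressed as FILETIME
    print(install_date(0x5F5E1000))                      # 2020-09-13 12:26:40+00:00
    print(filetime_to_datetime(132444736000000000))      # 2020-09-13 12:26:40+00:00
    print(utc_to_local(install_date(0x5F5E1000), 0xF0))  # 2020-09-13 08:26:40 (bias 240 = UTC-4)
```

A bias stored as 0xFFFFFF88 is -120, i.e. UTC+2; reading it as the unsigned 4294967176 would silently push a timestamp years off, which is why the signed conversion comes first.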
NTFS Last Access Time On/Off
- Updates when the system touches a file -> not always when a user accessed a file
- NtfsDisableLastAccessUpdate -> 0x1 = updates are off (Windows 10 1803 and later: 0/2 = on, 1/3 = off; bit 0x2 means the setting is system-managed)
- Key Location:
- SYSTEM\CurrentControlSet\Control\FileSystem
Network Interfaces
- Identifies the computers network interface card
- TCP/IP info configured: IP address, default gateway, DHCP-assigned IP, subnet mask, DHCP server IP
- Key Location:
- SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Historical Networks
- Identify networks that the computer has been connected to
- NetworkList keys
- Network name, domain, SSID, gateway MAC, location awareness (NLA)
ProfileGuid
- Links the Signatures\Unmanaged (gateway MAC) entry to its Profiles subkey; determines first & last connection in the SOFTWARE hive (NetworkList\Profiles)
Network Profiles Key
- Identify the types of networks & wireless SSIDs - DateCreated / DateLastConnected are stored as SYSTEMTIME in LOCAL time
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles (Win7 and later)
- NameType: Wireless = 0x47
- Wired = 0x06
- Broadband (3G) = 0x17
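As an added example (not part of the original flashcards), the code below interprets one NetworkList profile and its matching Signatures\Unmanaged record: it decodes the local-time SYSTEMTIME structures in DateCreated / DateLastConnected, maps NameType to the types listed above, and formats DefaultGatewayMac for a wigle.net lookup. ProfileName, Description, NameType, Managed, DateCreated, DateLastConnected and DefaultGatewayMac are real value names; the profile contents are constructed.

```python
"""Added example (not from the original notes): interpret a profile under
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{ProfileGuid}.
The sample profile and signature data are constructed."""
import struct
from datetime import datetime

NAME_TYPES = {0x06: "wired", 0x17: "broadband (3G)", 0x47: "wireless"}


def parse_systemtime(raw: bytes) -> datetime:
    """SYSTEMTIME = 8 little-endian WORDs: year, month, day-of-week, day, hour, minute,
    second, milliseconds. Returned naive because the hive stores LOCAL time here."""
    year, month, _dow, day, hour, minute, second, millis = struct.unpack("<8H", raw[:16])
    return datetime(year, month, day, hour, minute, second, millis * 1000)


def describe_profile(profile: dict, signature: dict = None) -> dict:
    """Combine a Profiles\\{guid} subkey (values as a dict) with the Signatures\\Unmanaged
    record that carries the same ProfileGuid (the gateway MAC is what wigle.net wants)."""
    name_type = profile["NameType"]
    summary = {
        "name": profile["ProfileName"],
        "description": profile.get("Description", ""),
        "type": NAME_TYPES.get(name_type, f"unknown (0x{name_type:02x})"),
        "managed": bool(profile.get("Managed", 0)),  # 1 = domain-managed network
        "created_local": parse_systemtime(profile["DateCreated"]),
        "last_connected_local": parse_systemtime(profile["DateLastConnected"]),
    }
    if signature:
        mac = signature["DefaultGatewayMac"]
        summary["gateway_mac"] = ":".join(f"{b:02x}" for b in mac)
    return summary


# Constructed sample data (not from a real system)
SAMPLE_PROFILE = {
    "ProfileName": "CoffeeShop-Guest",
    "Description": "CoffeeShop-Guest",
    "NameType": 0x47,
    "Managed": 0,
    "DateCreated": struct.pack("<8H", 2021, 3, 2, 16, 9, 41, 5, 0),
    "DateLastConnected": struct.pack("<8H", 2021, 6, 4, 3, 18, 2, 37, 500),
}
SAMPLE_SIGNATURE = {
    "ProfileGuid": "{0f1a2b3c-0000-4000-8000-000000000001}",
    "DefaultGatewayMac": bytes.fromhex("001122aabbcc"),
}

if __name__ == "__main__":
    for key, value in describe_profile(SAMPLE_PROFILE, SAMPLE_SIGNATURE).items():
        print(f"{key:>20}: {value}")
```

Because these two timestamps are local time while nearly everything else in the registry is UTC, normalise them with the machine's TimeZoneInformation before placing them on a timeline next to key LastWrite times.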
Geo-Location of MAC Address/SSID
- wigle.net (maps a gateway MAC or SSID to a physical location)
Shares and Offline Caching (CSC)
- Lists the network shares exported by the local system
- Lists flags and configuration settings (CSCFlags = client-side caching policy for the share)
- Key Location:
- SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\
System Boot Autostart Programs
- Determine services and drivers that will start automatically
- Start value: 0x0 = boot, 0x1 = system, 0x2 = automatic (starts at boot), 0x3 = manual, 0x4 = disabled
- ImagePath names the executable or driver; compare it against the expected location
- Key Location:
- SYSTEM\CurrentControlSet\Services
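An added triage example, not from the original flashcards: given the Services subkeys as dicts, keep only entries whose Start value is boot/system/automatic and flag an ImagePath that sits outside the usual directories or is unquoted despite containing spaces. Start and ImagePath are real value names; the sample services, the list of expected directories and the assumption that the system drive is C: are this example's own.

```python
"""Added example (not from the original notes): triage SYSTEM\\CurrentControlSet\\Services
for autostart entries. Sample services are constructed; EXPECTED_DIRS and the C: system
drive are assumptions used only to flag unusual paths."""
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
EXPECTED_DIRS = ("\\windows\\system32\\", "\\program files\\", "\\program files (x86)\\")


def image_executable(image_path: str) -> str:
    """Extract the executable from ImagePath, lower-cased with the system root expanded.
    Quoted paths end at the closing quote; unquoted ones end at '.exe' if present,
    otherwise at the first space (drivers such as foo.sys take no arguments)."""
    p = image_path.strip()
    if p.startswith('"'):
        exe = p[1:].split('"', 1)[0]
    else:
        idx = p.lower().find(".exe")
        exe = p[: idx + 4] if idx != -1 else p.split(" ", 1)[0]
    low = exe.lower()
    if low.startswith("\\systemroot\\"):
        low = "c:\\windows\\" + low[len("\\systemroot\\"):]   # assumed system drive C:
    elif low.startswith("%systemroot%\\"):
        low = "c:\\windows\\" + low[len("%systemroot%\\"):]
    elif low.startswith("system32\\"):
        low = "c:\\windows\\" + low
    return low


def triage_services(services: dict) -> dict:
    """Return {service name: [flags]} for every entry that starts without user action."""
    report = {}
    for name, values in services.items():
        start = values.get("Start", 3)
        if start not in (0, 1, 2):
            continue  # manual or disabled: not an autostart
        raw = values.get("ImagePath", "")
        exe = image_executable(raw)
        flags = [START_TYPES[start]]
        if not exe:
            flags.append("no ImagePath")
        elif not any(d in exe for d in EXPECTED_DIRS):
            flags.append("unusual path")
        if " " in exe and not raw.strip().startswith('"'):
            flags.append("unquoted path with spaces")
        report[name] = flags
    return report


# Constructed sample: dict per service, mirroring the Start / ImagePath values in the hive
SAMPLE_SERVICES = {
    "Dhcp": {"Start": 2, "ImagePath": "%SystemRoot%\\system32\\svchost.exe -k LocalServiceNetworkRestricted"},
    "Beep": {"Start": 1, "ImagePath": "System32\\drivers\\beep.sys"},
    "Fax": {"Start": 3, "ImagePath": "%systemroot%\\system32\\fxssvc.exe"},
    "updsvc": {"Start": 2, "ImagePath": "C:\\Users\\Public\\update.exe"},
    "FooAgent": {"Start": 2, "ImagePath": "C:\\Program Files\\Foo Agent\\agent.exe -run"},
}

if __name__ == "__main__":
    for name, flags in triage_services(SAMPLE_SERVICES).items():
        print(f"{name:<10} {', '.join(flags)}")
```

An unquoted path with spaces is both a forensic clue (many installers quote correctly) and a privilege-escalation primitive, since Windows tries C:\Program.exe before C:\Program Files\Foo Agent\agent.exe; the "unusual path" flag is a starting point for review, not proof of anything on its own.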
TypedPaths
- Manually typed paths in the Start menu and Explorer address bar
- Key Location:
- NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
RecentDocs via Registry Explorer
- Most recently used documents (ordered by MRUListEx)
- Key Location:
- NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Microsoft Office RecentDocs
- Provides the specific version of Microsoft Office used (version subkey, e.g. 16.0 for Office 2016/365)
- Tracks the last documents opened/saved - located in the per-application File MRU subkey
- O365/LiveID syncs the list across devices signed in with the same account
- Key Location:
- NTUSER.DAT\Software\Microsoft\Office\<Version>\<Application>\File MRU
Win7/8/10 Search History
- WordWheelQuery - Win7 records searches for programs/files (Start menu & Explorer folder search) - proves file knowledge
- Win 8/10 - Explorer search bar
- Key Location:
- NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
Office 365/2013 File MRU Keys
- File path, last opened, last closed (reading location)
- Key Location:
LastVisitedMRU
- Last file path opened & executable used (Vista and later: LastVisitedPidlMRU)
OpenSaveMRU
- Save/Open shell dialog box & last file opened/saved per specific extension (Vista and later: OpenSavePidlMRU)
- Both live under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
Last Visited
- Executable used by the application to open the files in OpenSaveMRU
Office 365/2013 File MRU Keys (continued)
- File opening / creation
- File path, last opened, last closed (reading location)
- Place MRU only shows the folder location from which the file was opened
Last Commands Executed (WinXP - 8)
- Tracks commands executed from the Run dialog box (RunMRU): NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
UserAssist Key
- Tracks GUI-based program execution: the last time of execution as well as the number of times a program was executed
- Located in the NTUSER.DAT hive: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count (value names are ROT13-encoded)
- Last run time, run count, name of GUI program, focus time (how long open), focus count (activity) - focus fields are Win7 and later
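An added example, not part of the original flashcards: decoding one UserAssist entry. The value name is un-ROT13'd and the 72-byte Count data is parsed with the Windows 7 and later layout (run count at offset 4, focus count at 8, focus time in milliseconds at 12, last-run FILETIME at 60). The two subkey GUIDs are the real ones for executables and shortcuts; the sample name and data are constructed.

```python
"""Added example (not from the original notes): decode a UserAssist value from
NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{GUID}\\Count.
Sample name and data are constructed."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# UserAssist subkey GUIDs (decoded form)
USERASSIST_GUIDS = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "executable launched",
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "shortcut (.lnk) launched",
}


def decode_name(rot13_name: str) -> str:
    """Value names are obfuscated with ROT13 (digits, backslashes and braces pass through)."""
    return codecs.decode(rot13_name, "rot_13")


def parse_count_win7(data: bytes) -> dict:
    """Windows 7+ Count data (72 bytes): 0x00 session id, 0x04 run count, 0x08 focus count,
    0x0C focus time (ms), 0x10..0x3B ten floats + unknown, 0x3C last-run FILETIME, 0x44 unknown."""
    if len(data) != 72:
        raise ValueError(f"unexpected UserAssist data length {len(data)} (want 72)")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    last_run = EPOCH_1601 + timedelta(microseconds=last_run_ft // 10) if last_run_ft else None
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_run_utc": last_run,  # None when the FILETIME is zero (never recorded)
    }


def describe_entry(rot13_name: str, data: bytes, guid: str) -> dict:
    """Decoded program name + parsed counters + what the enclosing GUID subkey means."""
    entry = parse_count_win7(data)
    entry["program"] = decode_name(rot13_name)
    entry["kind"] = USERASSIST_GUIDS.get(guid, "unknown GUID")
    return entry


# Constructed sample: ROT13 of C:\Windows\System32\cmd.exe, run 7 times,
# 3 focus events totalling 12 s, last run 2020-09-13 12:26:40 UTC
SAMPLE_GUID = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
SAMPLE_NAME = "P:\\Jvaqbjf\\Flfgrz32\\pzq.rkr"
SAMPLE_DATA = (
    struct.pack("<IIII", 0, 7, 3, 12000)
    + b"\x00" * 44
    + struct.pack("<Q", 132444736000000000)
    + b"\x00" * 4
)

if __name__ == "__main__":
    print(describe_entry(SAMPLE_NAME, SAMPLE_DATA, SAMPLE_GUID))
```

Real value names often start with a known-folder GUID (for example the System32 folder GUID) instead of a drive letter; the ROT13 step is the same, and the GUID still has to be resolved afterwards.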
Application Compatibility Cache
- Checks whether an application needs to be "shimmed" (compatibility properties applied) to run on the current OS
- Detects program compatibility challenges when a program launches (choose the right mode/OS)
- Looks at the AppCompatCache registry key to see if a program needs shimming
- ShimCache
- Tracks a file's last modification date, file path, file size (XP only) and, on XP/Vista/7, an insert/execution flag; on Windows 8 and later an entry shows the file existed and was seen, not that it ran
- XP +
- Different modes = shims
- Located in the SYSTEM hive: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
AppCompatCache
- Figuring out if a program needs shimming for compatibility
- Executable's last mod date, file path & file size ... last executed (XP)
- Reads the Shim Cache stored in the Windows registry (written to the hive at shutdown/reboot, so the on-disk key lags the in-memory cache)
- AppCompatCache execution history - ShimCacheParser.py
Amcache.hve
- Entry for every executable run/installed: full path, file's $STANDARD_INFORMATION last mod time, disk volume, SHA1 hash (of the first 31 MB of the file)
- System-wide, so it cannot attribute execution to a specific user on its own; correlate with the user's NTUSER.DAT (e.g. UserAssist) to attribute actions
- C:\Windows\AppCompat\Programs\Amcache.hve