MOD D08: System Enumeration Flashcards
Graphical user interface tool on Windows that enables authorized users to make changes to the registry
regedit
Which is not a forensically relevant key in the Windows registry?
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKLM\SOFTWARE\Google
- HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
HKLM\SOFTWARE\Google
This hive contains the general configuration for hardware
- HKEY_LOCAL_MACHINE\HARDWARE
- HKLM
- HKEY_CLASSES_ROOT\DeviceDisplayObject\HardwareId
- HKCR
HKLM (? - I got this one wrong)
If I wanted to find information about USB devices that were plugged into a Windows machine, what registry key would I begin with?
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\USBSTOR
This registry key focuses on services that run on the Windows system.
HKLM\SYSTEM\CurrentControlSet\Services
This key contains special information, including user passwords, on a Windows machine
- HKLM\SAM
- /etc/shadow
- HKU
- C:\Windows\System32
HKLM\SAM
When referencing this registry “HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\Internet Explorer”; Software is a _____ to AppDataLow
Subkey
This hive contains specific configuration and information on users within the machine. Each user is stored contextually as a SID.
- HKLM
- HKCU
- HKCR
- HKCC
- HKU
- HKUR
- HKLU
HKU
This hive contains the configuration for the user who is currently logged on.
- HKLM
- HKCU
- HKCR
- HKCC
- HKU
- HKUR
- HKLU
HKCU
This hive contains a list of extensions and their object class registration
- HKLM
- HKCU
- HKCR
- HKCC
- HKU
- HKUR
- HKLU
HKCR
(HKEY_CLASSES_ROOT)
This hive contains information about the current hardware profile of the local computer system.
- HKLM
- HKCU
- HKCR
- HKCC
- HKU
- HKUR
- HKLU
HKCC
(HKEY_CURRENT_CONFIG)
The capture of a system in a known good state, for reference as to what its normal/typical behavior, structure and attributes are at a given point in time.
Baseline
A system administrator is collecting a massive amount of information on a single system to compare it to a known good state. The process the administrator is doing is called what?
enumeration
When on the Windows command line, what command will list processes with the particular name Explorer.exe?
tasklist /fi "IMAGENAME eq explorer.exe"
This command line command will list all running processes (excluding WMIC)
tasklist
This standard command line command will display connections on the system.
- net
- net /?
- net statistics
- netstat
- netcat
- netscan
- netview
netstat
These external tools are technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment.
sysinternals
On the command line, this command will map the Sysinternals tools share to a drive letter for later use.
net use * \\live.sysinternals.com\tools
Which of the following is not a sysinternals tool available?
- disk2vhd.exe
- du64.exe
- junction.exe
- notmyfault.exe
- ported.exe
- pslist.exe
- pssuspend.exe
- ZoomIt.exe
- movefile.exe
ported.exe
Which of the following is not a sysinternals tool available?
- Dbgview.exe
- accesschk.exe
- graftable.exe
- sdelete.exe
- psfile.exe
- livekd.exe
- ctrl2cap.exe
- ADExplorer.exe
- Bginfo.exe
graftable.exe
I want to observe a process starting and stopping and follow the child processes created. Which of the following Sysinternals tools will most easily provide me with what I want?
- tasklist.exe
- procexp.exe
- proctree.exe
- livekd.exe
- psgetsid.exe
procexp.exe
Sysinternals tool that will show a detailed listing of all TCP and UDP endpoints on your system.
tcpview.exe
Most Sysinternals tools, when initially run on the command line, will display a banner/user agreement in the GUI. If you want to bypass it, you need to include what?
/accepteula