MOD D08: System Enumeration

Question 1

Graphical User interface tool on windows that enables authorized users to make changes to the registry

Answer 1

regedit

Question 2

Which is not a forensically relevant key in the windows registry?

• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
• HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKLM\S0FTWARE\Google
• HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

Answer 2

HKLM\S0FTWARE\Google

Question 3

This hive contains the general configuration for hardware

• HKEY_LOCAL_MACHINE\HARDWARE
• HKLM
• HKEY_CLASSES_ROOT\DeviceDisplayObject\HardwareId
• HKCR

Answer 3

HKLM (? - I got this one wrong)

Question 4

If I wanted to find information about USBs that were plugged into a windows machine; what registry would I begin with?

Answer 4

HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\USBSTOR

Question 5

This registry key focuses on services that run on the Windows system.

Answer 5

HKLM\SYSTEM\CurrentControlSet\Services

Question 6

This key contains special information that includes user passwords thats on windows machine

• HKLM\SAM
• /etc/shadow
• HKU
• C:\Windows\System32

Answer 6

HKLM\SAM

Question 7

When referencing this registry “HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\Internet Explorer”; Software is a _____ to AppDataLow

Answer 7

Subkey

Question 8

This hive contains specific configuration and information on users within the machine. Each user is stored contextually as a SID.

• HKLM
• HKCU
• HKCR
• HKCC
• HKU
• HKUR
• HKLU

Answer 8

HKU

Question 9

This hive contains the configuration for the user who is currently logged on.

• HKLM
• HKCU
• HKCR
• HKCC
• HKU
• HKUR
• HKLU

Answer 9

HKCU

Question 10

This hive contains a list of extensions and their object class registration

• HKLM
• HKCU
• HKCR
• HKCC
• HKU
• HKUR
• HKLU

Answer 10

HKCR

(HKEY_CLASSES_ROOT)

Question 11

This hive contains information about the current hardware profile of the local computer system.

• HKLM
• HKCU
• HKCR
• HKCC
• HKU
• HKUR
• HKLU

Answer 11

HKCC

(HKEY_CURRENT_CONFIG)

Question 12

The capture of a system in a known good state for reference as to what normal/typical behavior, structure and attributes at a given point in time.

Answer 12

Baseline

Question 13

A system administrator is collecting a massive amount of information on a single system to compare it to a known good state. The process the administrator is doing is called what?

Answer 13

enumeration

Question 14

When on the windows command line, what command will list processes with the particular name of: Explorer.exe

Answer 14

tasklist /fi “IMAGENAME eq explorer.exe”

Question 15

This Command line command will list all running processes (Excluding WMIC)

Answer 15

tasklist

Question 16

This standard command line command will display connections on the system.

• net
• net /?
• net statistics
• netstat
• netcat
• netscan
• netview

Answer 16

netstat

Question 17

These external tools are technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment.

Answer 17

sysinternals

Question 18

On command line, this command will map sysinternals tools to a shared drive to access for later use.

Answer 18

net use * \live.sysinternals.com/tools

Question 19

Which of the following is not a sysinternals tool available?

• disk2vhd.exe
• du64.exe
• junction.exe
• notmyfault.exe
• ported.exe
• pslist.exe
• pssuspend.exe
• ZoomIt.exe
• movefile.exe

Answer 19

ported.exe

Question 20

Which of the following is not a sysinternals tool available?

• Dbgview.exe
• accesschk.exe
• graftable.exe
• sdelete.exe
• psfile.exe
• livekd.exe
• ctrl2cap.exe
• ADExplorer.exe
• Bginfo.exe

Answer 20

graftable.exe

Question 21

I want to observe a process starting and stopping and follow the child processes created. Which of the following sysinternals tool will most easily provide me with what I want?

• tasklist.exe
• procexp.exe
• proctree.exe
• livekd.exe
• psgetsid.exe

Answer 21

procexp.exe

Question 22

Sysinternals command that will show detailed listing of all TCP and UDP endpoints on your system.

Answer 22

tcpview.exe

Question 23

Most sysinternals tools when initially ran on command line will display a banner/user agreement to the gui. If you want to bypass it you need to include what?

Answer 23

/accepteula