Week 3 Technical Flashcards
What is the Windows Registry?
The Windows Registry is a hierarchical database that stores low-level settings for the operating system and applications that opt to use the registry, including kernel, device drivers, services, Security Accounts Manager, and user interface configurations.
What are some key registry files in Windows forensics?
SAM, SYSTEM, SOFTWARE, SECURITY, NTUSER.DAT, and USRCLASS.DAT are key registry files, storing everything from user account information to system and software settings.
What information does the SAM registry hive contain?
The SAM hive contains all user accounts and their passwords, crucial for user management and security within Windows.
How can the SYSTEM registry hive be useful in forensics?
It stores system settings and configuration information, which can be crucial for understanding the hardware and service environment of the system.
What does the SOFTWARE registry hive store?
It holds software and Windows settings, often modified by application and system installers, providing insights into installed applications and user settings.
What are Control Sets in the Windows Registry?
Control Sets store configuration data used by Windows during system boot. Analyzing these can reveal system configurations at different times and help identify system changes related to forensic events.
What forensic tool is used to extract and analyze registry artifacts?
RegRipper is a popular tool for extracting and analyzing registry artifacts, using plugins to pull specific keys of interest.
What is the purpose of the NTUSER.DAT file in the Windows Registry?
NTUSER.DAT contains configuration data for the user currently logged on, storing user-specific settings and preferences.
What information can you find in the HKLM\SAM\Domains\Account\Users\Names key?
This key contains subkeys for each username, showing the Relative Identifier (RID) and related account information, important for user account analysis.
What is the significance of the USBSTOR key in the registry?
The USBSTOR key logs details about each USB storage device connected to the system, including device name, manufacturer, and serial number—valuable in tracing external device usage and potential data exfiltration.
What does the MountedDevices key in the registry indicate?
It contains mappings between USB devices and logical volume GUIDs or DOS drive letters, helping to determine which devices were assigned to specific drive letters.
How can the MountPoints2 registry key be forensically significant?
It shows volume GUIDs loaded under a specific user account, useful for identifying which user account was active when an external device was plugged in.
What can the analysis of Linkfiles reveal about USB device usage?
Link files can indicate which files were accessed from a USB device, providing insights into the data transferred to and from the device.
What is the Prefetch folder, and how is it used in forensics?
The Prefetch folder is used to speed up application startups and contains files that store the name of the executable, the list of DLLs used, execution count, and last execution time—useful for determining application usage patterns.
What does the UserAssist key track in the Windows Registry?
It tracks the execution of applications, including the number of times an application has been launched and the last execution date and time, but only for applications launched via Windows Explorer.