Windows Forensics, part 2

Question 1

What hives do you find in the Registry? (5)

Answer 1

• SAM
• SYSTEM
• SECURITY
• SOFTWARE
• NTUSER.DAT

Question 2

What do you find in the SAM hive?

Answer 2

User info “database”
F value = timestamps
V= user name, RID

Question 3

What do you find in the SECURITY hive?

Answer 3

security policy settings, contains system SID (security ID)

Question 4

What do you find in the SYSTEM hive?

Answer 4

Vast amount of system info and config info

Question 5

What do you find in the SOFTWARE hive?

Answer 5

software/OS config. and info.
example:
Allow X to be run or not, disable functionality Y in X..

Question 6

What do you find in the NTUSER.dat ?

Answer 6

File created upon user creation, timestamps and preferences

Question 7

Where is the registry located in windows?

Answer 7

C:\Windows\System32\config

Question 8

What hives to you find in the Event Logs? (3 + 2)

Answer 8

• System
• Application
• Security
• Setup
• Forwarded events

Question 9

What information can you find in the Event Logs?

Answer 9

• Date and time for events
• User account responsible for event
• Computer responsible for event
• usernames, computer names, IP addresses and applications related to the event
• Event ID

Question 10

What do you find under Local files? (8)

Answer 10

• Linked files
• Prefetched files
• Printer files
• Thumbnail.db
• Recycle bin
• Pagefile.sys
• Hiberfile.sys
• Installed programs

Question 11

What is a Linked file?

Answer 11

simply shortcuts with .LNK extension which points to another file or folder.
Link file has timestamps like create date, modified date and last accessed date.
They may also contain user ID and path to target

Question 12

What are prefetched files?

Answer 12

Files that contail .exe + DLL information of a program, speeds up the process. It has a maximum of 128 files, when reached it automatically deleted the 96 least used.

Question 13

Explain Installed files

Answer 13

Installed files on a computer might reveal info about programs that has been running on the computer in question.

Question 14

That is the thumbnail cache /thumbnails.db?

Answer 14

Automatically created in folder when user chooses to view in thumbnail view. It retains thumbnails of deleted files, beneficial for an examiner!

Question 15

What do you find in printer files?

Answer 15

Windows sends data to printer in RAW or Enhanced metafile formats, both formats result in creation of 2 complementary files if system is set to spool print jobs

Question 16

What can you find in the Recyle Bin?

Answer 16

deleted files are not really deleted, but moved to the recycle bin. When moved the file is renamed with a prefix D for deleted, followed by original drive location, incremented number and original file extension.
example: Dc3.txt

Question 17

What is Pagefiles?

Answer 17

Pagefile.sys keeps the data swapped out of RAM (Random Access Memory)
You might find passwords, email addresses and IP addresses

Question 18

What is Hibernation files?

Answer 18

Similar to Pagefile.sys, as an active swap space hiberfil.sys is a repository for contents of RAM when a system i hibernated.

Question 19

What can you find out from Restore Points?

Answer 19

• reveal connection to a specific domain
• examine the data contained in registry hives backed up in past RPs to find domain information
• Help in making time line of the connection to the specified domain

Question 20

What is a shadow copy?

Answer 20

a technology that can create a backup or snapshot of a system, files or folders even when they are in use