In course 6 we're talking about the Windows registry, and in this module, module 4, we're going to look at some common forensic artifacts found in the registry. We'll start with the SAM hive. SAM stands for Security Account Manager, and the hive is loaded as a root key under HKEY_LOCAL_MACHINE (HKLM\SAM). In a forensic image the hive file is found under the system root at Windows\System32\config\SAM.

User accounts are created through Control Panel > User Accounts or through Computer Management > Local Users and Groups. The SAM hive is protected: on a live machine Regedit does not have the rights to browse or edit it by default, which is why we export it from the image and examine it offline.

The SAM hive stores and organizes information about every user on the system: login information, password hashes, and group membership. There are built-in accounts like Administrator, DefaultAccount and Guest, and then the user-created accounts; on this system those are Ivan, Deejo, newuser and newuser2.

When we view the SAM hive in a registry tool it looks like the slide: SAM, beneath it Domains, beneath Domains a subkey named Account, and beneath that Users. Under Users are subkeys named by each account's relative identifier in hexadecimal, plus a Names subkey listing the user names. Names is how we resolve a user name to a security identifier, known as a SID. A SID breaks down into three parts: the issuing authority, the machine or domain identifier, and the RID (relative identifier), which identifies an individual account on that machine. On Windows 10, user-created accounts typically start at RID 1001; on Windows 7 and below they start at 1000. Next we turn to the SOFTWARE hive.
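Before we move on, here is the RID resolution from the SAM discussion in code. This is an added example, not part of the course materials or the tool used in the walkthrough. The SAM_NAMES mapping is constructed to mirror what the registry viewer shows (the default value's type under Names\<user> is the RID, and the matching Users subkey is that RID as eight hexadecimal digits), and SAMPLE_SID is a constructed binary SID of the kind found in SAM V values and security descriptors. It also maps a LastLoggedOnUserSID string back to the account, which is the LogonUI step later in the module.

```python
"""Resolve SAM account names to RIDs and pull the RID out of a SID.

Added example for this module, not part of the course materials. SAM_NAMES
and SAMPLE_SID are constructed; the parsing logic follows the documented SID
binary layout (revision, sub-authority count, 48-bit big-endian identifier
authority, then 32-bit little-endian sub-authorities, the last being the RID).
"""
import struct
from typing import Optional

# Constructed: user name -> RID, as shown in the value type under
# SAM\Domains\Account\Users\Names\<user>.
SAM_NAMES = {
    "Administrator": 0x1F4, "Guest": 0x1F5, "DefaultAccount": 0x1F7,
    "Ivan": 0x3E9, "Deejo": 0x3EA, "newuser": 0x3EB, "newuser2": 0x3EC,
}

# Constructed binary SID for S-1-5-21-1111-2222-3333-1001.
SAMPLE_SID = bytes.fromhex(
    "01"            # revision
    "05"            # number of sub-authorities
    "000000000005"  # identifier authority, 48-bit big-endian (5 = NT Authority)
    "15000000"      # 21     (sub-authorities are 32-bit little-endian)
    "57040000"      # 1111   machine/domain identifier, part 1
    "AE080000"      # 2222   machine/domain identifier, part 2
    "050D0000"      # 3333   machine/domain identifier, part 3
    "E9030000"      # 1001   RID
)


def parse_binary_sid(data: bytes) -> str:
    """Convert a binary SID to its S-1-... string form."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, sub_count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    if len(data) < 8 + 4 * sub_count:
        raise ValueError("truncated SID")
    subs = struct.unpack_from("<%dI" % sub_count, data, 8)
    # Authorities above 32 bits are conventionally printed in hex.
    auth_text = str(authority) if authority < 2 ** 32 else "0x%012X" % authority
    return "S-%d-%s%s" % (revision, auth_text, "".join("-%d" % s for s in subs))


def rid_of(sid: str) -> int:
    """The RID is the last sub-authority of the SID string."""
    return int(sid.rsplit("-", 1)[1])


def users_subkey_name(rid: int) -> str:
    """Users\<RID> subkeys are named with the RID as eight hex digits."""
    return "%08X" % rid


def resolve_rid(rid: int) -> Optional[str]:
    """Reverse the Names mapping: RID -> account name, None if unknown."""
    for name, value in SAM_NAMES.items():
        if value == rid:
            return name
    return None


def last_logged_on_user(sid: str) -> Optional[str]:
    """Map a LogonUI LastLoggedOnUserSID string back to a SAM account."""
    return resolve_rid(rid_of(sid))


if __name__ == "__main__":
    sid = parse_binary_sid(SAMPLE_SID)
    rid = rid_of(sid)
    print(sid, "-> Users\\%s ->" % users_subkey_name(rid), resolve_rid(rid))
```

The same RID lookup is what lets you name the owner of a $Recycle.Bin\S-1-5-21-...-1001 folder or a LastLoggedOnUserSID value without trusting the machine you are examining.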
The SOFTWARE hive is also a root key under HKEY_LOCAL_MACHINE, and the file sits down the same path, C:\Windows\System32\config\SOFTWARE. It shows us installed programs and applications, the operating system type and install date, networks the machine has connected to, file associations (default applications), logon information, and attached devices.

User logon information lives in two subkeys. The first is Winlogon, at Microsoft\Windows NT\CurrentVersion\Winlogon. The second is LogonUI, at Microsoft\Windows\CurrentVersion\Authentication\LogonUI. Between them we find information such as the last logged-on user.

The SOFTWARE hive also holds auto-start locations: programs that run when Windows starts, without any interaction from the user. The two subkeys are Run and RunOnce, at Microsoft\Windows\CurrentVersion\Run and Microsoft\Windows\CurrentVersion\RunOnce. Malware often hides in the Run key for persistence, because anything listed there starts every time the system is rebooted.

Installed programs are listed under the Uninstall subkey at Microsoft\Windows\CurrentVersion\Uninstall. These entries show the programs that were actually installed on the system. Even after a program has been removed, an entry frequently remains under Uninstall if the uninstaller did not clean up after itself.

Finally, the operating system install date and time and the release ID are in the CurrentVersion subkey at Microsoft\Windows NT\CurrentVersion. Here you see the product name (Windows 10, Windows 7), the build number, the release ID, and the InstallDate, which is stored as a 32-bit Unix timestamp.
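The network information in the SOFTWARE hive is worth a closer look, because its timestamps are in a different format from everything else in this module. The following is an added example, not part of the course materials or the walkthrough tool. It assumes the layout of Microsoft\Windows NT\CurrentVersion\NetworkList: each Profiles\{GUID} subkey holds ProfileName, NameType and the DateCreated and DateLastConnected values as 16-byte SYSTEMTIME structures stored in local time, and the matching Signatures\Unmanaged entry holds DefaultGatewayMac as six raw bytes. The profile and signature values below are constructed.

```python
"""Decode NetworkList profiles from the SOFTWARE hive.

Added example, not part of the course materials. The sample profile and
signature are constructed; the SYSTEMTIME layout (eight little-endian
uint16 fields) and the NameType codes are Windows definitions.
"""
import struct
from datetime import datetime

# NetworkList\Profiles\{GUID}\NameType media types.
NAME_TYPES = {0x06: "wired", 0x17: "VPN", 0x47: "wireless"}

# Constructed sample profile (one Profiles\{GUID} subkey).
SAMPLE_PROFILE = {
    "ProfileName": "Network 2",
    "NameType": 0x06,
    # SYSTEMTIME: year, month, day-of-week, day, hour, minute, second, millis
    "DateCreated":       bytes.fromhex("E407 0200 0000 0200 1000 3900 0A00 0000"),
    "DateLastConnected": bytes.fromhex("E407 0300 0100 1000 1600 0F00 1E00 0000"),
}

# Constructed sample signature (one Signatures\Unmanaged\<hash> subkey)
# that points back to the profile by GUID.
SAMPLE_SIGNATURE = {
    "ProfileGuid": "{0F1E2D3C-0000-4000-8000-000000000001}",
    "DefaultGatewayMac": bytes.fromhex("001122334455"),
}


def parse_systemtime(data: bytes) -> datetime:
    """Decode a 16-byte SYSTEMTIME. The day-of-week field is ignored: it is
    derived data and not authoritative."""
    if len(data) != 16:
        raise ValueError("SYSTEMTIME must be 16 bytes, got %d" % len(data))
    year, month, _dow, day, hour, minute, second, millis = struct.unpack("<8H", data)
    return datetime(year, month, day, hour, minute, second, millis * 1000)


def format_mac(data: bytes) -> str:
    """DefaultGatewayMac is six raw bytes; render as colon-separated hex."""
    if len(data) != 6:
        raise ValueError("MAC must be 6 bytes")
    return ":".join("%02x" % b for b in data)


def summarize_profile(profile: dict, signature: dict) -> dict:
    """Join a profile with its signature into the fields an examiner reports.
    Times are local time as the machine recorded them, not UTC."""
    name_type = profile["NameType"]
    return {
        "name": profile["ProfileName"],
        "type": NAME_TYPES.get(name_type, "unknown(0x%02X)" % name_type),
        "first_connected_local": parse_systemtime(profile["DateCreated"]),
        "last_connected_local": parse_systemtime(profile["DateLastConnected"]),
        "gateway_mac": format_mac(signature["DefaultGatewayMac"]),
    }


if __name__ == "__main__":
    for field, value in summarize_profile(SAMPLE_PROFILE, SAMPLE_SIGNATURE).items():
        print("%-22s %s" % (field, value))
```

Because these times are local, compare them against the TimeZoneInformation bias from the SYSTEM hive before lining them up with UTC timestamps such as ShutdownTime.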
Next, the SYSTEM hive. From the SYSTEM hive we can determine the current control set, the computer name, the last shutdown time, the crash dump settings and the location of the crash dump on the file system, the services set to run, whether the page file is cleared at shutdown, prefetch settings, last-access time settings, and the time zone the computer is set to.

To determine the current control set we use the Select key, which sits directly under the root of the hive. Highlight Select and look at the value named Current. It holds 1 or 2: ControlSet001 is usually the current set, and ControlSet002 is usually the last known good configuration kept for recovery. Whatever Current says is the control set that was loaded as CurrentControlSet when the system was last running, so that is the ControlSet00N we examine for everything below.

The time zone is under the subkey TimeZoneInformation, at ControlSet00N\Control\TimeZoneInformation. The value TimeZoneKeyName tells us the time zone the computer is set to; in the registry viewer on the slide it reads Eastern Standard Time. Right beneath it, ActiveTimeBias is the offset in minutes from UTC that was in effect when the computer was last shut down. Bias at the top is the standard-time offset, 300 minutes here (UTC-5), and DaylightBias is -60, so during daylight time the active bias becomes 240 minutes (UTC-4). Local time is UTC minus the bias in minutes, and this is how we convert the UTC timestamps stored elsewhere in the registry into the local time the user saw. The key also records when daylight time and standard time start.

There is also a subkey named ComputerName, which tells us the name of the computer.
It is located at ControlSet001\Control\ComputerName\ComputerName, and the value name is ComputerName. The name may have been assigned by the manufacturer, or the user may have changed it to something specific to them.

Memory Management determines whether the page file is cleared at shutdown. The page file is a swap file that holds pages moved out of random access memory, so it is a location on the disk where we may recover information that was once in RAM. The path is ControlSet001\Control\Session Manager\Memory Management. The value ClearPageFileAtShutdown is 0 when the page file is not cleared at shutdown and 1 when it is.

The SYSTEM hive also has the Services key, another auto-start location: services listed here start when Windows boots, without user interaction, and this is another place malware establishes persistence. If you are doing incident response, check Services here as well as the Run keys in the SOFTWARE and NTUSER.DAT hives.

The last shutdown time is the last time the computer went through a full shutdown, not a pulled plug. It is at ControlSet001\Control\Windows, in the value ShutdownTime, stored as a 64-bit little-endian Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC), which we decode with a timestamp decoder.

The crash dump settings are in the subkey CrashControl at ControlSet001\Control\CrashControl. The values to look at are CrashDumpEnabled, DumpFile and MinidumpDir; the last two give the locations in the file system where a full dump or a minidump is written.
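Here is the decoding step in code, as an added example rather than the course's decoder tool. It covers the three timestamp forms this module relies on: the 64-bit little-endian FILETIME used by ShutdownTime (and, later in the module, by the USBSTOR device property values 0064 through 0067), the 32-bit Unix seconds used by InstallDate under Windows NT\CurrentVersion, and the ActiveTimeBias conversion from UTC to the machine's local time. The sample values are constructed; the hex strings are in the dash-separated form a registry viewer produces when you copy value data, and the property-ID names for the {83da6326-...} GUID are the DEVPKEY_Device_* definitions from the Windows SDK.

```python
"""Decode the registry timestamp formats used in this module.

Added example, not the course's decoder tool. All sample values are
constructed. FILETIME = 100-ns ticks since 1601-01-01 UTC, little-endian;
InstallDate = Unix seconds; Bias/ActiveTimeBias = minutes to add to local
time to reach UTC.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed samples.
SHUTDOWN_TIME_HEX = "80-D4-F4-2E-09-FC-D5-01"   # as copied from a registry viewer
INSTALL_DATE_UNIX = 1580680620                  # Windows NT\CurrentVersion\InstallDate
ACTIVE_TIME_BIAS = 240                          # TimeZoneInformation, daylight time in effect

# Constructed USBSTOR\<device>\<serial>\Properties\{83da6326-...}\<pid> values.
USB_PROPERTIES = {
    "0064": bytes.fromhex("80148B0440FBD501"),
    "0065": bytes.fromhex("80148B0440FBD501"),
    "0066": bytes.fromhex("80D4F42E09FCD501"),
    "0067": bytes.fromhex("803CB99011FCD501"),
}
# DEVPKEY_Device_* property IDs under {83da6326-97a6-4088-9453-a1923f573b29}.
USB_PROPERTY_NAMES = {
    "0064": "InstallDate",       # most recent (re)install of the device
    "0065": "FirstInstallDate",  # first time the device was plugged in
    "0066": "LastArrivalDate",   # last time it was connected
    "0067": "LastRemovalDate",   # last time it was unplugged
}


def filetime_to_utc(raw) -> datetime:
    """raw is either the 8 little-endian bytes or a hex string copied from a
    viewer; dashes and spaces are stripped (the decoder step in the walkthrough)."""
    if isinstance(raw, str):
        raw = bytes.fromhex(raw.replace("-", "").replace(" ", ""))
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes, got %d" % len(raw))
    ticks = struct.unpack("<Q", raw)[0]
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def unix_to_utc(seconds: int) -> datetime:
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def to_local(utc: datetime, active_time_bias_minutes: int) -> datetime:
    """Windows stores the bias as minutes added to local time to reach UTC,
    so local = UTC - bias (300 -> UTC-5, 240 -> UTC-4)."""
    return utc.astimezone(timezone(timedelta(minutes=-active_time_bias_minutes)))


def decode_shutdown(hex_value: str, active_time_bias_minutes: int) -> dict:
    """ShutdownTime as both UTC and the machine's local time."""
    utc = filetime_to_utc(hex_value)
    return {"utc": utc, "local": to_local(utc, active_time_bias_minutes)}


def decode_usb_properties(props: dict) -> dict:
    """Name and decode the four FILETIME device properties; a zero value means
    the event was never recorded (for example a device never removed cleanly)."""
    out = {}
    for pid, raw in props.items():
        name = USB_PROPERTY_NAMES.get(pid)
        if name is None:
            continue
        out[name] = filetime_to_utc(raw) if struct.unpack("<Q", raw)[0] else None
    return out


if __name__ == "__main__":
    shutdown = decode_shutdown(SHUTDOWN_TIME_HEX, ACTIVE_TIME_BIAS)
    print("ShutdownTime UTC  :", shutdown["utc"])
    print("ShutdownTime local:", shutdown["local"])
    print("InstallDate UTC   :", unix_to_utc(INSTALL_DATE_UNIX))
    for name, when in decode_usb_properties(USB_PROPERTIES).items():
        print("%-17s %s" % (name, when))
```

The split between UTC and local matters when you write the report: registry FILETIMEs are UTC, the NetworkList SYSTEMTIME values and the user's own recollection are local, and the ActiveTimeBias in the SYSTEM hive, not the examiner's workstation time zone, is what reconciles them.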
In the SYSTEM hive we also find information on USB-connected devices and mounted volumes, in two places: USBSTOR and MountedDevices. USBSTOR is at ControlSet001 (the current control set here)\Enum\USBSTOR; MountedDevices is directly off the root, at MountedDevices.

When we expand USBSTOR, beneath each device description (vendor, product and revision) is a subkey whose name is the device's serial number, highlighted in blue and outlined in red on the slide. Those are the serial numbers of the devices that were attached to the system. Note that if a device does not report a unique serial, Windows generates one, and the second character of the generated value is an ampersand. If we expand a serial number's Properties subkey we see some GUIDs. Under the GUID beginning with 83da6326 are keys named 0003, 000A, 0064, 0065, 0066 and 0067. The last four each hold a 64-bit FILETIME:

- 0064 is the install date, the most recent time the device was (re)installed.
- 0065 is the first install date, the first time the device was plugged in.
- 0066 is the last arrival date, the last time the device was connected to the system.
- 0067 is the last removal date, the last time the device was unplugged.

So for each USB device we get the serial number and four dates and times about it being connected to and disconnected from the system.

MountedDevices maps devices to drive letters, and it is not just USB devices: any volume mounted to the system, including an encrypted container volume or a virtual hard disk, shows up in the MountedDevices subkey. On the slide, viewed in a registry tool, we see \DosDevices\E:, and in its value data, past the # sign, we see the serial number of a USB device, which we can match back to USBSTOR.

The NTUSER.DAT hive contains per-user information such as recently accessed documents, typed URLs, UserAssist, the user's Run and RunOnce keys, and WordWheelQuery.
The Run and RunOnce keys in this hive hold programs set to run at logon for that particular user; the ones we saw in the SOFTWARE hive run at startup system-wide.

TypedURLs holds URLs typed into the Internet Explorer address bar. It applies only to Internet Explorer, and it is populated when the user types a web address into the IE address bar or accepts an auto-complete suggestion for one. The path is Software\Microsoft\Internet Explorer\TypedURLs.

WordWheelQuery keeps track of searches the user ran from the Start menu and from the search box in Windows Explorer. It contains an MRU (most recently used) order, the key's last write date and time, and the search terms the user typed. The path is Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery.

RecentDocs tracks recently used documents, the ones opened by the specific user whose NTUSER.DAT hive you are viewing, and it also breaks them down by file extension. The path is Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs.

UserAssist maintains a list of items such as programs, shortcuts and Control Panel applets that the user has run. Windows keeps it for the user's convenience, so that frequently used programs are surfaced in the Start menu: the more you use a program, the higher it appears in the list. The path is Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist, and the value names are ROT13-encoded. Because it lives in NTUSER.DAT it is specific to each user, so we can see what programs that user actually ran, and how often, alongside the documents they recently accessed.

The Run and RunOnce subkeys, again, hold programs set to run at logon without any interaction from the user.
The user may not even be aware that they are running. These programs are specific to that user: when that user logs on to the system, these programs run. The path to the subkey is Software\Microsoft\Windows\CurrentVersion\Run.

Now that we've talked about all these artifacts, we're going to do a walkthrough and look at them in the Windows registry. The items we need are the registry files we exported from our forensic image, our Windows VMDK file, and Registry Explorer, the specialized tool we'll use to view the registry in this walkthrough. We're going to look at some of the registry files we exported during the previous walkthrough and examine the artifacts we talked about throughout this course.

We start with the SAM file, the one right at the top. Expand it, expand ROOT, expand SAM, expand Domains, then Account, then Users. Underneath Users you can see separate subkeys identified by each user's RID (relative identifier), written in hexadecimal. Now expand Names. What we're doing here is resolving a user name to a user's relative identifier. I'll start with Ivan. Select Ivan, look to the right under Values, then down in the type viewer: the value type holds the hexadecimal RID 3E9, which converts to decimal 1001. So Ivan's relative identifier, the last component of his SID, is 1001. That lets us identify the Ivan user in other places on the system, such as the Recycle Bin, where each user's folder is named by SID. That is how we resolve a user name to a user's RID using the SAM file.

Now we can look at the 000003E9 subkey under Users. We see a value named ForcePasswordReset, and it is zero.
So there is no forced password reset for the Ivan user. Then we have UserPasswordHint; highlight it, and down in the ASCII pane we can see that the user's password hint is "our goal". It is the same for another user. If we choose the user name Deejo, we can see in the value type that that user's RID in hexadecimal is 3EA, decimal 1002. Look at 000003EA and we see they do not have a forced password reset either. They do have an InternetUserName, and we can see the email address associated with it; they also have an InternetSID and an InternetUID (unique identifier). So Deejo has an Internet user name, a Microsoft account link, that Ivan did not.

Now let's look at the SOFTWARE file. Expand SOFTWARE, expand ROOT, expand Microsoft, scroll down to Windows NT and expand it, and highlight CurrentVersion. This shows us information about the operating system: SystemRoot, which is C:\Windows; the CurrentBuildNumber; the EditionID, Professional; the InstallDate, which is in Unix time and which we'll convert in a second; the ProductName, Windows 10 Pro; and the ReleaseId, 1903.

So let's convert that install date. Click on it to highlight it, right-click, and copy the value data. This value is in Unix time, so we convert it with our decoder: right-click, paste the value data, and hit Decode. Scroll down to Unix time and we see Unix seconds UTC and Unix seconds local. The UTC time is 2020-02-02 at 21:57.
The local time is the same date, but 16:57:02, because the time zone I'm currently in is Central time and that is -5 hours from UTC. So that is how we decode the date and time for the install date. We now have the users' RIDs resolved to their user names, and we know what operating system we're looking at: the version, the release ID, the install date and time, and the path to the operating system, which will usually be C:\Windows.

Now let's look at some network information, staying under Windows NT. Expand CurrentVersion and scroll down to NetworkList and highlight it. It lists the different networks the device connected to, and we can see a first-connected and a last-connected time for each (the DateCreated and DateLastConnected values under NetworkList\Profiles) along with the gateway MAC address (DefaultGatewayMac under NetworkList\Signatures). All of this can be very useful in an investigation: which networks the computer connected to, when it first connected, when it last connected, and the gateway MAC address of each network. We can see they're all wired networks.

Next we look at user logon information, which we covered in the course. It is under Microsoft\Windows, so scroll back up, collapse Windows NT and expand the Windows key, then CurrentVersion, then Authentication. Once Authentication is expanded, expand LogonUI and highlight it. It tells us the last logged-on user's SID.
This is another place where knowing the user's RID is important. From the SAM file we know RID 1001 is Ivan, so a LastLoggedOnUserSID ending in 1001 tells us Ivan was the last user logged on to this computer, and the key's last write time, 2020-03-17, tells us when.

Now let's look at file associations. Under ROOT we want the Classes subkey. Expand Classes and we see a whole list of file extensions. What this key shows us is the default program used to open each file type. If I look at .docx, it tells me it is a Word document and shows an OpenWithList: there is no single default set here, just a list, so it could open with WordPad or LibreOffice. If we locate .pdf, expand it and look at OpenWithProgids, PDFs do have a default program set, and it is Chrome. So PDFs open with Chrome, whereas documents have only a list of candidates, WordPad or LibreOffice.

Now attached devices. We're looking for the subkey Windows Portable Devices, at Microsoft\Windows Portable Devices. Scroll to the top and collapse this, go to Microsoft\Windows Portable Devices and expand it, then Devices, and drill down to the list of devices. If you hover over each entry you can see the device name and the device serial number.
The part of the key name starting with 07 is this device's serial number, and the part starting with 158 is the next device's serial number. Click on a device and we can see its FriendlyName. This one is called "hack tools". This one has no real friendly name, but we can see it was mounted as drive F:. This one was mounted as drive G: and is a Kingston DataTraveler, which appears to be a generic USB flash drive. And this device has a friendly name of "mac storage", with its serial number in the key name. Each of these keys also has a last write time, which should be the last time the device was attached to the system.

So we have serial numbers; we may have a friendly name if the user gave the volume a label, such as "mac storage" and "hack tools"; for the volumes without a user-created label we see the drive letter they were mounted as, G: and F:; and the keys' last write times tell us when they were last attached. So the SOFTWARE hive also gives us information on USB-connected devices, which we can correlate with USBSTOR in the SYSTEM hive.

Next, the programs installed on the system. The path is Microsoft\Windows\CurrentVersion\Uninstall. Navigate under ROOT to Microsoft, scroll down to Windows, expand it, expand CurrentVersion, find the Uninstall subkey and expand it. Here we see information about the programs installed on the system. Scrolling through, we can see the program name, the InstallLocation (the path where the application is installed), the version and the DisplayName.
You can also see the InstallSource, the Publisher and the DisplayName. This entry is a C++ runtime; the GUIDs in the key names for these entries are the same on every machine with that particular version of the Visual C++ runtime library, which makes them easy to recognize. You can see the InstallDate; if it is stored as Unix time, decode it the same way we decoded the operating system install date. You will usually have a DisplayVersion, the UninstallString giving the path to the uninstaller, the InstallSource and the DisplayName. This one is VMware Tools. All of this can be very useful in your investigation if someone says they never had a certain program installed on their computer, because even after the program has been deleted you can often still find its entry in the Uninstall key.

Now the auto-start location, Microsoft\Windows\CurrentVersion\Run. Programs under the Run key start when you boot into Windows, and this Run key, in the SOFTWARE hive, is the system-wide setting. There is also a Run key in NTUSER.DAT for programs set to run for a specific user, but this one applies to every logon. We're in Microsoft\Windows\CurrentVersion; find the Run key and highlight it, and we see the programs set to run at startup: SecurityHealth, the inbox tray application and the VMware user process. Malware can be installed in this key for persistence, and it will then run every time the system is rebooted and a user logs back into Windows.
So this is a location to check for malware. You should also check the RunOnce key directly under Run; there is nothing in it here, but it could equally hold malware.

Next, the SYSTEM hive. Expand SYSTEM and look at the current control set. Expand ROOT; there is only one control set on this particular virtual machine, but usually there are two. To determine which control set was last used as the current one, highlight the Select key and look at the value data: here it tells us Current is 1, ControlSet001, and in this case LastKnownGood is also 1. Usually LastKnownGood will be 2 when there is more than one control set on the system.

Now the computer name. Stay in ControlSet001, expand it, expand Control and look for ComputerName. Highlight and expand ComputerName, and underneath it you see ComputerName again. This tells us the name of the computer; this is my machine, DESKTOP- followed by a number and some letters. When you're examining multiple computers the computer name is very important, so always document it as part of your report.

Let's look at the last shutdown time, in ControlSet001\Control\Windows. Scroll down to Windows and look at ShutdownTime. This is something that needs to be decoded: it is shown in hexadecimal, 8 bytes long, so it is a 64-bit Windows FILETIME. Copy the value data and use the decoder. You'll have to take out the dashes; the decoder does not accept them.
Once you've removed the dashes, tell the decoder the input is hexadecimal and little-endian, then decode and read the Windows FILETIME line. It tells us the last shutdown time was 2020/03/16 at 23:07:25 local time, offset from UTC by -4 hours, so the UTC time is 4 hours later, 2020/03/17 at 03:07:25, the following day at three in the morning. So that is how we decode it: hexadecimal, little-endian, 64-bit Windows FILETIME; select Windows FILETIME and the decoder gives you both the local time with its offset and the UTC time.

Now the crash dump settings. Whether a crash dump is saved depends on the registry settings. When you get a blue screen and the computer crashes, Windows dumps part of memory into what is called the crash dump, and that is another place to look for the contents of RAM on the disk itself. It is under ControlSet001\Control\CrashControl. Highlight CrashControl and we can see that crash dumps are enabled (CrashDumpEnabled) and the location of the dump file: DumpFile is %SystemRoot%\MEMORY.DMP. The CrashDumpEnabled setting varies; anything other than zero means dumps are enabled, and the number reflects which option the user chose for how much memory to dump (1 complete, 2 kernel, 3 small or minidump, 7 automatic).
If the value is anything other than zero, crash dumps are enabled and the key tells you the location of the memory dump, which you can then analyze with something like Volatility or another memory analysis tool.

Now, services set to run at startup, under ROOT\ControlSet001\Services. Expand Services and you see all the services configured on the system; quite a few of them run automatically when Windows starts, before anyone even logs in. So you definitely want to look here when hunting for malware: Services is a good place for persistence that survives a reboot. For each service, check the Start value (2 means automatic) and the ImagePath.

Next, the ClearPageFileAtShutdown setting. The page file is a swap file for RAM, volatile memory, so it is another location on the disk where we may recover information from RAM. The location is ControlSet001\Control\Session Manager\Memory Management. Expand Control, then Session Manager, then Memory Management. The top value, ClearPageFileAtShutdown, shows 0 in the data column, so the page file is not cleared at shutdown. PagingFiles shows the paging file is in the root as pagefile.sys, and ExistingPageFiles shows it under C:\pagefile.sys. So there is a pagefile.sys we can examine, and we may find information from RAM in it.

Now, let's move on to the NTUSER.DAT hive.
Scroll to the top, collapse SYSTEM, and look at NTUSER.DAT. Every user on the system has their own NTUSER.DAT hive; this is Ivan's. When you export NTUSER.DAT hives, put whose hive it is somewhere in the file name, or you will get confused.

First we'll look at RecentDocs, the documents recently used by this particular user. The path under ROOT is Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs. Highlight RecentDocs and this tool gives a very nice breakdown of the recent documents with their MRU position. Expand the RecentDocs key and they are also broken down by file type: subkeys for .jpg, .pdf, .pptx, .zip and so on. Each file-type subkey has its own last write time, and when you look at RecentDocs as a whole, the last write times shown come from each file-type subkey.

Scroll down and you can see all the recent documents, and if something shows up here it was accessed by this user. So if someone says "I didn't know that was on my computer" and it shows up in RecentDocs, that user accessed it. If we look at .pdf we can see when the last PDF was accessed and what it was. MRU position 0 is the most recent; here it goes down to MRU position 18, the least recent. That is how you read the MRU order, top to bottom: 0 is always the most recent, and the higher numbers were accessed earlier than that key's last write time.
So if you're interested in PDFs you can check there, or .doc, or .html, any of the file types, or look at the RecentDocs key as a whole.

Next, the TypedURLs subkey, at Software\Microsoft\Internet Explorer\TypedURLs. These are URLs typed into the Internet Explorer address bar, or completed there by auto-complete. If you're using IE, what you type into the address bar shows up in TypedURLs; if you're using another browser it will not, because this is an Internet Explorer feature only. Expand Software\Microsoft, find Internet Explorer, expand it, and look at TypedURLs. We only see one URL typed there, so it doesn't look like this user used Internet Explorer as his main browser, and we'd want to look elsewhere on the system for other browsers' history.

Now the Run and RunOnce keys in the NTUSER.DAT hive. These are user-specific: programs set to run at logon for this particular user. Under ROOT, expand Software\Microsoft\Windows\CurrentVersion and find the Run key. For the Ivan user, OneDrive and Google Drive sync are set to run at logon, and the values give us the paths to those executables. That tells us something about our case: we now know there is a OneDrive and a Google Drive in play, so we need to look for OneDrive and Google Drive content as well.
Now WordWheelQuery, which holds search terms the user typed into the Windows Explorer search box (Windows Explorer, not Internet Explorer), that is, searches within the file system for a file. It is under Software\Microsoft\Windows\CurrentVersion, where we are. Scroll up and find Explorer, expand it, and scroll down to WordWheelQuery. We see two entries: "electric grid" and "drugs". So at some point Ivan either opened File Explorer and searched for these in its search box, or searched from the Windows search pane at the bottom. We know he was interested in electric grid and drugs. Again, MRU position 0 is the most recent, followed by 1. This can be very helpful in an investigation to find out what the user was searching for on their own system; it gives us an indication of what was going on with that particular user.

That concludes our Windows registry walkthrough. We've looked at quite a bit of information, both system-wide settings and user-specific settings. There is a lot more to the registry, but this is a basic overview of the Windows registry.
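As a closing example for the NTUSER.DAT artifacts (WordWheelQuery and RecentDocs above, and UserAssist from earlier in the module), here is how the MRU order and the UserAssist counters are actually stored, decoded in code. This is an added example, not the course's tool. It assumes the documented layouts: WordWheelQuery and RecentDocs keep their order in a binary MRUListEx value (little-endian uint32 indices ending in 0xFFFFFFFF), WordWheelQuery entries are null-terminated UTF-16LE strings, RecentDocs entries begin with the UTF-16LE file name followed by shell-item data and the .lnk name, and UserAssist value names are ROT13-encoded with, on Windows 7 and later, a 72-byte value holding the run count at offset 4 and the last-executed FILETIME at offset 60. All sample values are constructed.

```python
"""Parse the NTUSER.DAT MRU and UserAssist artifacts covered in this module.

Added example, not the course's tool. Sample values are constructed.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Constructed WordWheelQuery values: MRUListEx says index 1 is most recent.
WORDWHEEL = {
    "MRUListEx": bytes.fromhex("01000000 00000000 FFFFFFFF"),
    "0": "electric grid".encode("utf-16-le") + b"\x00\x00",
    "1": "drugs".encode("utf-16-le") + b"\x00\x00",
}

# Constructed RecentDocs value: file name, then shell-item bytes, then .lnk name.
RECENTDOCS = {
    "MRUListEx": bytes.fromhex("00000000 FFFFFFFF"),
    "0": ("report.pdf".encode("utf-16-le") + b"\x00\x00"
          + bytes.fromhex("4C003200")
          + "report.pdf.lnk".encode("utf-16-le") + b"\x00\x00"),
}

# Constructed UserAssist value. The name is ROT13 of
# {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe (the System32 folder GUID).
USERASSIST_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\abgrcnq.rkr"
USERASSIST_DATA = (struct.pack("<IIII", 0, 7, 3, 125000)   # session, run count, focus count, focus ms
                   + b"\x00" * 44                           # ten floats and padding, not decoded here
                   + bytes.fromhex("80D4F42E09FCD501")     # last executed, FILETIME little-endian
                   + b"\x00" * 4)


def parse_mrulistex(data: bytes) -> list:
    """Indices in most-recent-first order; 0xFFFFFFFF terminates the list."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def utf16_cstring(data: bytes, offset: int = 0) -> str:
    """Read a UTF-16LE string up to its two-byte null terminator, stepping
    two bytes at a time so a 0x00 high byte inside a character is not
    mistaken for the terminator."""
    end = offset
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[offset:end].decode("utf-16-le", errors="replace")


def mru_strings(values: dict) -> list:
    """Leading strings of the numbered values in MRUListEx order. Works for
    WordWheelQuery (search terms) and RecentDocs (file names)."""
    return [utf16_cstring(values[str(i)]) for i in parse_mrulistex(values["MRUListEx"])]


def filetime_to_utc(ticks: int) -> datetime:
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def parse_userassist(name: str, data: bytes) -> dict:
    """Decode one Windows 7+ UserAssist entry (Count subkey value)."""
    if len(data) < 68:
        raise ValueError("UserAssist value too short for the Win7+ layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run = struct.unpack_from("<Q", data, 60)[0]
    return {
        "program": codecs.decode(name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run_utc": filetime_to_utc(last_run) if last_run else None,
    }


if __name__ == "__main__":
    print("WordWheelQuery:", mru_strings(WORDWHEEL))
    print("RecentDocs    :", mru_strings(RECENTDOCS))
    for k, v in parse_userassist(USERASSIST_NAME, USERASSIST_DATA).items():
        print("%-14s %s" % (k, v))
```

Reading MRUListEx directly matters when a tool is unavailable or disagrees: the numbered value names are allocation slots, not recency, so "0" is only the most recent entry if MRUListEx says so.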