Intro to Windows Forensics: Windows Registry Artifacts - TryHackMe Walkthrough

Captions
Welcome back, everyone. TryHackMe just came out with a Windows forensics room, and I've had a look at it. I've used TryHackMe for a while and I really like it. The Windows forensics room specifically covers Windows Registry analysis. It's a really interesting room to look at, and I'm glad that they're finally doing more with digital forensics. So today's going to be a walkthrough of their Windows forensics room.

To get started, I'm on tryhackme.com, room Windows Forensics 1, already logged in. This is a free room, at least for now, so you should have access to it, no problem. I'm just going to jump right in here. We don't have to start an AttackBox or anything like that, although they will have one, I think, a little bit later. Let's go ahead with Task 1, Introduction to Windows Forensics.

If you've been watching my channel at all, you've probably heard me talk about forensic artifacts before: is my computer spying on me? A lot of people think their computer is spying on them, and there are a lot of analytics and trackers built into many different operating systems these days, especially Microsoft Windows, but most of the time it's about user preferences when running the system. So Windows, and especially the Windows Registry, keeps track of a lot of user activities; that way the user can easily access those later, or Windows can preload things that it thinks the user is going to use. Basically we just read a couple of things, and then: what is the most used desktop operating system right now? The most used desktop operating system right now is Microsoft Windows. However, mobile really took over desktop several years ago, so it's not the most popular operating system anymore, but Microsoft Windows is still the most popular desktop operating system. Let's go ahead and try that. Okay.

What's the term used to define a piece of evidence of human activity? I'm guessing they're talking about forensic artifacts, and if you read this, if you hear the word artifact, it refers to essential pieces of information that provide a piece of human activity. Really, it doesn't matter if it's necessarily human activity or not; an artifact is anything that is used to build up your evidence. If you have some sort of claim that you're trying to prove, you're looking for evidence to support that claim; artifacts are anything that can potentially contain that evidence. So if you're trying to prove, for example, that the sky is blue, then an artifact would be related to that, whether it was necessarily human activity or not. But I understand what they're trying to say with this. It's kind of easier to conceptualize if it's like a user action, and really, whenever we're looking in Microsoft Windows, especially desktop, most of the time we're looking for those artifacts because they're related to human actions. So let's try "artifact".

Next, getting into the Windows Registry. All right, we've got a couple of tools here, an overview of the Windows Registry. You can think of the Windows Registry like a database that keeps track of all of the settings in Windows. So whether you're changing your background image or whether you're going to a website, the Windows Registry will have several different registry keys that are updated whenever you make any type of action. All of them are stored in different registry hives, and basically they're going through each of the different registry hives here. Each hive contains different information from the system, so it depends what you're looking for which hive you're more likely to find it in, and sometimes you'll have information across different hives as well. If you're looking at it on your own system you can use regedit.exe, but be careful about this, because if you do start changing registry keys you can break Windows. So if you're running it on your own system and not a test system, be careful. And then they're going through all of the different hives and interesting things that might be in there.

What we normally do in digital forensic investigations is access the registry hives offline. For that we're getting, for example, a suspect hard drive, and then we're parsing out the hard drive and looking at the file system. Once we reconstruct the file system, we get full paths just like you would have whenever you're looking at a suspect's computer while it's on, and then we have to look, for example, in C:\Windows\System32\config for the majority of the system hives. We also have NTUSER.DAT and UsrClass.dat, which are usually found under C:\Users\<username>: you'll have your NTUSER.DAT there, and AppData\Local\Microsoft\Windows is usually where you'll find UsrClass.dat. They're going over the locations of these hives because they contain so much information and they're extremely relevant to pretty much every investigation you're going to do. So one of the first things you want to look for whenever you're doing an investigation of Windows computers is: where are the hives? And start to parse those hives out.

What's the short form for HKEY_LOCAL_MACHINE? Shorten it by just doing HK to stand for HKEY, that way we know it's a key in the Windows system, and then take the first letter from the next words, so we have HKEY, HKLM. So let's try that: HKLM. Okay.

What's the path of the five main registry hives, DEFAULT, SAM, SECURITY, SOFTWARE and SYSTEM? Notice this has nothing to do with the user per se; basically they don't contain the user's settings, so we're looking for the system settings. I can already see here that there's probably a drive letter. This is a little bit misleading, because this is probably asking for, for example, the C drive, so like C:\Windows. The problem is you don't have to install Windows on the C drive; you can install it on another drive, so don't always assume that it's going to be on the C drive, but in 99% of your cases it's going to be. So we're just going to do it here. We're looking at C:\Windows, if I spell it right, \System32\config. This is where our registry hives are normally located. Let's try that.

What is the path for the Amcache hive? The Amcache hive stores information about programs that were run. Let's look at the format here: it looks like they're probably looking for the system folder, so C:\Windows, assuming it's installed on the C drive, and then they have the dot here with the three letters after, so most likely they're actually looking for the hive file itself, not just the path. All right, so let's do C:\Windows, that's our system folder, or at least the default system folder, then AppCompat, then Programs\Amcache.hve. Let's try that, and that's it. See, they also listed it up here as well, so you could have just copied that one. Okay, I shouldn't have typed it out.

So next, going into the Windows Registry, we are looking here at a couple of different tools that they have available, several open-source tools. This %WINDIR% is the system directory, so for example it would be C:\Windows in most cases, but you can change the location, so you do need to try to parse out the Windows Registry to understand where the Windows system folder is installed. It's one of the first things you should do before assuming the C drive. We have KAPE, a really nice tool, and I think that's what they prefer for this exercise. Autopsy, another awesome tool; I use this all the time for investigations. FTK Imager for doing acquisitions. FTK Imager is really good for acquisitions as well as the hex viewer and the file viewer, so if you just want to do a really quick investigation in Windows, you can use FTK Imager to do almost everything. It has keyword searching, hex views, a lot of things, and it can also acquire not only disks but RAM. Then there's AccessData's Registry Viewer. AccessData just got bought by another company, I don't remember what their name is, but the Registry Viewer is very interesting. The problem with it is you can only load one hive at a time, but it is pretty good for doing research on Windows Registry changes. There's also Zimmerman's Registry Explorer, an excellent tool, also for just exploring, obviously, the registry and doing searches through it, so another great tool and a little bit more powerful. And then RegRipper is kind of the de facto standard for registry analysis. It's a collection of scripts for parsing out different data types, and RegRipper is actually built into Autopsy, so if you're running Autopsy, that was listed above, you'll already kind of get RegRipper. But if you want to be able to customize it a little bit more, you can run RegRipper by itself. They just say study the tools. Okay, so basically download some interesting tools, and if you subscribe to this channel I will be talking about all of those tools. I already have videos on FTK Imager, Autopsy and a couple of the other tools; I will get into more later, so like and subscribe if you want to see more of that.

So we know where the registry hives are located in Windows, we have tools that can parse them out, and now we're going to start extracting some system information and system accounts. This is where registry analysis gets really interesting. Unfortunately, a lot of the investigators that I work with don't think about analyzing the registry. That's been changing recently, but a lot of investigators still don't really include the Windows Registry explicitly in their investigations; they'll just do file system analysis, for example looking in the user's folders. But the registry tells you not only which files are on the system but how the user was interacting with them. Now, you can get some of that user information just by doing disk analysis, but really, if you want user action analysis, the Windows Registry is the place to look.

We have the operating system version. We're looking in the SOFTWARE key, or the SOFTWARE hive: Microsoft\Windows NT\CurrentVersion. CurrentVersion has a lot of really good data. So they're getting the registered computer name. If the system is on and you're in the live environment, you can see it in the Properties menu, but if we're looking for the computer name in the suspect system in a post-mortem analysis, we're looking at the SYSTEM hive, the CurrentControlSet\Control\ComputerName\ComputerName key. So this registry key, and then we have, for example, ComputerName. Same for time zone information. In modern systems, especially modern file systems, timestamps are saved in UTC, and the time zone of the system that you're looking at is used to calculate the offset on the fly. Older file systems like FAT store the timestamps directly and don't do calculations. The thing to think about whenever looking at time zones is file timestamps on hard drives: what is the file system that that data is stored on? That's really the interesting question here. So if we need to get that time zone information, then we know what that offset would actually be.

Network interfaces: even if you're using DHCP, and really most people are these days, you're going to get that DHCP lease, and that lease, or some lease information, is going to be stored in the Windows Registry. Whenever the DHCP IP address changes, then obviously the old address is going to be lost in the registry, and then we have to look at, for example, registry backups or shadow copies or something like that. Just because it's not in the current version of the registry doesn't mean we can't get it back somehow.

Auto-starting programs: especially if you're analyzing malware, you really want to be looking in autostart locations, because malware has to get persistence somehow, so it wants to try to insert itself into these autostart locations. So you really want to check them and see what binaries are being executed for autostart.

Then the SAM hive and user information: basically account information, login information, group information, anything to do with the security access management of the user is going to be found in SAM.

So what's the current build number of the machine whose data is being investigated? If we're talking about build number, we're looking at system information. So let's see what screenshots they had up there. We are in SOFTWARE\Microsoft\Windows NT\CurrentVersion, and we select CurrentVersion. It kind of looks like a folder dropdown, and it contains a bunch of different keys. So we're in SOFTWARE\Microsoft\Windows NT\CurrentVersion, we select the CurrentVersion key, and we see all of these values under CurrentVersion. We're looking for CurrentBuild, and 19044 is the CurrentBuild and CurrentBuildNumber. So let's just try 19044. Okay.

Which ControlSet contains the Last Known Good configuration? So we're looking for ControlSet, and under SYSTEM, Select, LastKnownGood. LastKnownGood is set to ControlSet001, so let's go ahead and try that.

Next, what's the computer name of the computer? All right, so this is also probably under system properties: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName. We have the ComputerName key, THM-4n6. You'll also see "forensics" spelled "4n6". Okay, so THM-4n6.

What's the value of the TimeZoneKeyName? So, time zone keys, we saw earlier: SYSTEM\CurrentControlSet\Control\TimeZoneInformation\TimeZoneKeyName. It's Pakistan Standard Time, so let's try Pakistan Standard Time. Okay.

What's the DHCP IP address, the IP address that was given by DHCP the last time this system was up? We're looking at network interfaces: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces. It looks like they've already selected an interface here, and then we have the IP address, and it's 192.168.158. We also have subnet mask, default gateways, lease times, how long it's going to take. Let's try 192.168.158.

What's the RID of the Guest user account? Okay, so some user account information. We have the SAM hive, user information at SAM\Domains\Account\Users, and we are looking at groups, users. I have the Guest account and I'm looking for the user ID, which is 501. We also have another account, THM-4n6, which is 1001. Whenever you see anything over 1000, this is a non-built-in account; everything under 1000 is a built-in account. So our Guest account is 501, so it's built in. Okay.

So now we're getting into usage or knowledge of files and folders. Okay, so we're looking at things like recent files, but we're still in the Windows Registry; we are getting more into NTUSER.DAT, so user activities specifically, and in this case they're looking at the user's RecentDocs. So these are the things that the user has recently accessed. Shellbags are a super interesting location for information. You can do a lot in reconstructing, for example, the way the folders looked, all the icons in the folders, even after, like, a USB has been removed. You can reconstruct everything except the data that was on that USB stick. It's a super interesting location to learn more about.

Okay, so when was EZtools opened? In this case we're probably looking at links, so let's look at recent files: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs. We're in RecentDocs and we're looking for EZtools. EZtools was opened on 2021-12-01 at 13:34. So let's go ahead and try that. Yeah, okay, that looks like the right format, so 2021-12-01 13:34. Okay.

All right, next: at what time was My Computer last interacted with? So we're looking for the last interaction time. I'd say it's probably shellbags, and then it's My Computer. So we have the value of My Computer in shellbags, and we have a last interaction time of 2021-12-01 13:06:47.

What's the absolute path of the file opened using notepad.exe? So here we have the OpenSave and LastVisited dialog MRUs. Whenever that dialog box pops up asking you where you want to save something, of course that is also saved in the Windows Registry, so it remembers which directory you were in the last time you wanted to save, for the next time you want to save something. So we're in NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32, and then LastVisitedPidlMRU or OpenSavePidlMRU. This is probably the OpenSave. So if we take a look at the LastVisitedPidlMRU, we have notepad.exe executed the OpenSave dialog, and then it's looking for the absolute path: C:\Program Files\Amazon\Ec2ConfigService\Settings. You can kind of tell it's probably Program Files because there's a space there as well. Ec2ConfigService\Settings. Okay, there we go. That was coming from the OpenSave and LastVisited dialog MRUs. MRU stands for most recently used list.

When was this file opened? Okay, so we go back, and then it was opened on 2021-11-30 10:56:19. Let's try that. There we go.

Okay, so for the user we get a lot of things like which program were they using, what were they doing with the program, and what time were they doing it. Now, once you start to combine these things, you can build a timeline of events for different files and folders that have been accessed and what programs they were using while they did that. Whenever you create that timeline, you can really see the story of what was going on around the time you're investigating.

UserAssist. UserAssist is interesting because it keeps track of how many times programs were executed. You've got to be a little bit careful with UserAssist; I've seen it off by quite a bit sometimes, depending on how fast a program is executed. Yeah, just sometimes the number isn't updated, sometimes it's updated twice; it's a little bit finicky. So don't trust UserAssist 100%, but it can give you a pretty good idea. Last execution time seems to be accurate, but the run counter doesn't seem to be super accurate, and then the focus count seems to be pretty good, actually. So NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist, then the GUID, then Count. So we're looking at, for example, the run counter. Here they talk about the Background Activity Monitor.

So how many times was File Explorer launched? That would be in UserAssist, and we get to the Count key. That's probably way too small to see, but we have File Explorer.lnk and it says it was run 26 times. So let's go ahead and try that: File Explorer, run 26 times. Okay.

What's another name for ShimCache? It's probably Application Compatibility Cache. Let's take a look, let's look it up: also called Application Compatibility Cache, AppCompatCache. I bet that's it. AppCompatCache, ShimCache. Okay.

Which of the artifacts also saves SHA-1 hashes of the executed programs? That would probably be in Amcache. Yep, here we have the SHA-1, so just Amcache. All right.

Which of the artifacts saves the full path of the executed programs? That is probably the Background Activity Monitor. It even gives us HarddiskVolume2, for example, instead of the C drive; instead of the logical mapping, it gives us the physical disk for the Background Activity Monitor. So they want BAM/DAM. Okay.

What they're actually trying to do, if you notice, is that we're basically looking up where all of these different things are, and there are a lot of different locations with artifact information. One of the things you start to do whenever you start investigations is start memorizing the locations of the most common artifacts. So for example, UserAssist is a very common artifact, and if you know exactly where it's located, you can find it much quicker whenever you're analyzing it with a tool. A lot of tools now might just pull out UserAssist directly and show it to you, but for tools that don't, you might explicitly have to say where it's located. Basically, I think they're trying to get you familiar with a bunch of different artifact types and where they're located, and this is exactly what you should be doing whenever you first begin. Now, it's a bit tedious to try to remember all of them and all of the information that's in there, so we have cheat sheets, of course, that we produce. SANS has some really good cheat sheets for artifact locations like this.

External devices, USB device forensics: we use this a lot, so we use this in real investigations a lot. Device information, or device identification, can be found in SYSTEM\CurrentControlSet\Enum\USBSTOR and ControlSet\Enum\USB. And then you can kind of see we have timestamps, for example, and depending on which view you have (it looks like this view is probably some of the EZ Tools), this view is taking in some information about, for example, when the USB stick was first seen, when it was installed, first installed, last connected. So we can actually see first connection times and last connection times, and if you're building a timeline, you have other sources of information, so you might be able to reconstruct the different times that that USB stick, that USB device, had been inserted into the system. You can also see things like device name, serial number, manufacturer, and timestamps associated with it. Just be careful about this: like this timestamp, this timestamp is probably the timestamp of the key itself, which means that it can be updated, but then we have, for example, the last connected time, 11-24 18:40. That's after our key update time, so it's a bit odd. I don't know what this timestamp key here is, but then we have installed, first installed, last connected; that's probably what we're interested in anyway. Yep, so I don't know what this tool is, otherwise I could hopefully tell you what that timestamp is. So here we have CurrentControlSet\Enum\USBSTOR, then product version, serial number, Properties, and then an ID. The number value represents the information like first connected time, last connected time or last removal time. That's where they're getting that information, so I would say this timestamp is probably when the USBSTOR key was updated, and then they're getting the connection times from everything else, and if it's a separate key, it kind of makes sense that it could be a slightly different time. So this might be, I don't know, I'd have to look at that further. Don't just trust what the tools are telling you. Make sure you're questioning things like that: like, why is the last connected time after the timestamp update for this device? How are those timestamps related? That's going to be really important information in a real case.

What's the serial number of the device from the manufacturer Kingston? Oh no, do we have to type a serial number? Okay, so we have our device, Kingston, and that's the serial number, and it's quite long. Okay, so let's try that serial number. Yep, okay.

What's the name of the device? It was also listed: Kingston DataTraveler 2.0 USB Device. Okay, trying that device name. Yep.

What's the friendly name of the device from the manufacturer Kingston? All right, we have a volume name; that's usually the friendly name, and then, okay, it does say friendly name here. We don't really know which one, USB or New Volume, is the Kingston. We might be able to do it by timestamp, but those both have the same timestamp. Let's go ahead and check this. So I have the disk ID here, and this first disk, which is the Kingston, starts with e25192. I have the USB 3.0 and it starts with f529a. All right, so let's go ahead and look down here. The GUID again is e25192, and then f529a. So the Kingston, e25192, has the same disk ID as this first entry value with the friendly name USB. This is what I mean by multiple registry keys kind of interacting with each other: you might have some information stored in one place and some information stored in another place, and then you have to get both pieces of information, especially IDs, before you can make sense of the other. So I would say the friendly name is USB. Okay.

All right, now we're getting into the hands-on challenge. We'll see a few folders: triage and EZtools. The triage folder contains the triage collection, collected through KAPE, which has the same directory structure as the parent, so basically where the registry keys are located is where the artifacts are located. The EZtools folder contains some of the tools that we've basically been looking at. All right, and then we have a couple of different questions here, so let's go ahead and start this up. I've got Registry Explorer up and I'm going to load the SAM hive. Let's go to File, Load Hive, and Desktop\triage. The SAM hive is part of system, so I'm going to go into Windows\System32\config, and then we have SAM. Okay, so I've loaded up the SAM. I'm in ROOT\SAM\Domains\Account\Users, and then I have a couple of different things here. The resolution's not great. The user ID: so, from the user accounts, how many user-created accounts are present on the system? Remember what I said: if anything is above 1000, or 1001, it's going to be a user-created account. So we have three user-created accounts. Let's go ahead and try three. Okay.

What's the username of the account that has never been logged in? So here we have total login count, and this one has zero, so let's see what the username is: thm-user2.

What's the password hint for THM-4n6? So THM-4n6 is 1001, and if we go over a little bit we have the password hint. Let me expand that, and then the password hint just says "count". So let's go ahead and try "count". That's probably it. All right.

When was the file changelog.txt accessed? This is kind of an interesting question, because I would be looking at both the disk and the registry. In our case right now we have what looks like a logical acquisition, so they just copied out all of the files. I can't really trust any of the file system metadata, so we would be looking at the Windows Registry to find changelog.txt. I also don't know which user they're talking about, so I'm just going to guess it's probably the admin user, the first user-created account. So we're looking at changelog.txt. Let's go ahead and load up the NTUSER.DAT for our main user account, and that would be File, Load Hive, and then on the desktop we have triage\C, then Users\THM-4n6, and then NTUSER.DAT. Click Open. Sequence numbers don't match; I would usually reconstruct this, but I'm going to say no this time, and then: do you want to load the dirty hive? Yes. All right, so now we have the NTUSER.DAT for our main user loaded up. Let's go ahead and expand ROOT, and then we're looking for Software\Microsoft\Windows\CurrentVersion\Explorer, and we should find RecentDocs. So now we have RecentDocs. Let's see if we have changelog.txt. We have our text file, changelog.lnk, changelog.txt, and it was opened on 2021-11-24 18:18:48. So let's go ahead and try that: 18:24, I need to check that again, 18:18:48. Okay, submit. Yep. All right.

So next we're looking at: what is the complete path from where the python-3.8.2 installer was run? So we're looking for whole paths, so it could be the Background Activity Monitor, but I see this is probably the C drive, so most likely we're looking at something like UserAssist. So we can just go back; hopefully it's the same user. I'm in RecentDocs right now, so to get to UserAssist instead of RecentDocs we should just be able to scroll down, go to UserAssist, and then the GUID. Let's just kind of search through here. So I found Count with some activities in it. I'm going to scroll down and see if we find anything. We have a couple of different actions here: Notepad was run, and we have D:\setup, so it looks like we're on the right path; Z:\setup, also a network share, and the Firefox installer from the Z drive, python382. So the question was, what's the complete path from where python382 was installed? So inside UserAssist for the default user we have Count, and Count has 48 entries, and we have the Z drive: Z:\setups\python382.exe, Z:\setups\python 3.8.2.exe. Okay, submit. Yep.

When was the USB device with the friendly name USB last connected? So we have a date-time format. It looks like USB devices are going to be related to system information, so I'm going to File, Load Hive, and then, instead of going Users\Desktop\triage\C, go back to Windows\System32\config, and then I'm looking for, instead of SOFTWARE, this time I'm going to look for SYSTEM. Click Open. All right, so now we have the SYSTEM hive loaded. Click on ROOT and then we are looking at probably CurrentControlSet\Enum. Let's do CurrentControlSet, then Enum, then USB or USBSTOR. So we have USB, and then, what's the USB device with the friendly name, when was it last connected? So we're looking for USB, and we don't see the friendly name here. The USB friendly name is probably in SOFTWARE, so let's go ahead and open SOFTWARE. Okay, so we have SOFTWARE and we need Microsoft; let's check Windows Portable Devices. That looks like it's probably our device. So here we have our friendly name, USB, and then we have a GUID of e251921f, and then, now I'm back in the SYSTEM config, let's look at USBSTOR. And then I have e25192 and then the f, so we have e215; this is our interesting one. It's the Kingston again. And what's the USB device, when was it last connected? Last connected 2021-11-24 18:40:06. Nice. In that case, I mean, it was a little bit confusing, because USBSTOR didn't have the friendly names; we had to open up the SOFTWARE hive, get the friendly name plus the GUID that was assigned, and then go back to USBSTOR, sync them up via the disk ID and then find the last connected from that. And that's common whenever you're in the Windows Registry, to have information that is related to each other that you need to sync like that.

Now hitting the conclusion. What we have here: wasn't that interesting? Yeah, it was pretty interesting. The Windows Registry is always interesting and, I hope, easier than what people think. A lot of people think the Windows Registry is hard, but it's really just a database, and if you remember even half of the locations that were talked about in this room, you can access so much additional information in your Windows forensic investigations. If it's hard to keep track of all of the artifacts, very few people remember, I don't think anyone remembers everything about it, you have cheat sheets. So they actually created a cheat sheet for this, nice. The SANS Institute also makes cheat sheets that they release quite often, or they update them every year. Basically everything that they were talking about, they've covered in here, so I would download this cheat sheet, print it out, put it up on your wall whenever you're doing your investigations, and just have a look at it, because it is actually stuff that we use constantly. Now, a lot of tools, like Autopsy, for example, will automatically find registry hives and then try to parse them using RegRipper, so you don't necessarily need the locations in your mind all the time, but it's good to have them and it's good to be familiar with them, and then sometimes you do have to go in and check things and verify things yourself.

All right, so that should get us through Windows Forensics 1. It's a really interesting overview of the Windows Registry. If you've never done any type of Windows Registry analysis, hey, this is a great start. Read all of the documents that they have. I kind of explained, in a really quick overview, the things that I commonly use, I guess, in investigations, but they had a lot more detail that I didn't cover. Do practice going through and looking at the Windows Registry. If you have a Windows computer, it's worth taking your Windows Registry files, obviously making a copy, and then analyzing that copy and seeing what you can find, because you know what activities you've done on your system, and you can recover a lot of different, really interesting things. Even knowing these basics is an excellent way to start Windows forensics. Don't forget the disk analysis part of things, and whenever you're building these timelines, they complement each other. So if you find a weird timestamp on the hard drive, you can use the Windows Registry to say whether that timeline makes sense, and vice versa.

Let me know if you have any questions, and if you want to see more walkthroughs of different rooms on TryHackMe or any other platform, especially if they're related to digital forensics, please let me know. Give it a like if you like these kinds of videos and make sure you subscribe, because I'm going to be posting tutorials on how to use each of the tools, and I already have some tutorials on things like Autopsy and FTK Imager. So I hope you enjoyed it. Thanks a lot.
Info
Channel: DFIRScience
Views: 21,233
Keywords: windows forensics walkthrough, Windows Registry Analysis, Windows Forensics, windows mru list, TryHackMe, Windows Registry, TryHackMe walkthrough, tryhackme windows forensics room, windows registry tutorial, windows registry malware, windows registry keys, tryhackme tutorial, tryhackme windows, userassist, shellbags, registry forensics, usbstor, kape, eztools, autopsy, ftk imager, windows digital forensics, windows registry hacks, regripper, incident response training, Threat hunting
Id: bhlGmjOaEl0
Length: 34min 49sec (2089 seconds)
Published: Tue Jan 25 2022