Where could this come in handy during forensic investigation

Reference no: EM133184207

LAB: 06

This lab focuses on Windows forensics registry analysis.

Objective:
• Learn the Windows registry

Learning Activities:
At the end of these activities, you should understand:
• The Windows registry
• How to navigate registry keys
• The Regedit display of a Windows registry hive
• How to collect artifacts

Tools to use:
- Mantooth.e01
- Regedit
- Registry Viewer

Task 1:
1.1 First download Mantooth.e01

1.2 Open a new case in Autopsy

1.3 Add the disk image file Mantooth.e01 as a data source

1.4 Autopsy will process the image file as an evidence source (this might take a few minutes)

Let's start by finding the registry hives within the image file.

1.5 In Autopsy, go to Windows/System32/config

1.6 You will now see a list of files; select SYSTEM

1.7 Autopsy will parse the registry file into the bottom pane (under Application). You will see a list of folders (keys).

1.8 Open ControlSet001 → Control → TimeZoneInformation and select the TimeZoneInformation key.
The configuration information will be parsed in the Metadata pane.

What is the time zone? __________________________
(Take a screenshot of this result)

Task-2:

Track USB serial number

2.1 Navigate to the System Hive (Windows/System32/config)

2.2 Select ControlSet001 → Enum → USBSTOR
You will see a lot of information about connected USB devices (scan disks, iPods, etc.). Subkeys are listed under each device; the subkey name is the serial number (if the device has one).

Example: in the screenshot for this step, two USB devices have been installed on this machine, a Seagate FreeAgent device and a Generic device (a Generic device is not that uncommon; the serial number will help you track the USB device through the artefacts).

Both of these devices have a unique serial number from their respective manufacturers. This can be seen from the &0 or &1 at the end of the serial number. If instead the second character is an &, then the device does not have a unique serial number and Windows has issued one which is unique to the local system only.

2.3 Select ControlSet001 → Enum → USB
The Vendor ID and Product ID are listed here (e.g. VID_05DC&PID_A410).

Task 3:

Track USB drive letter

3.1 Navigate to the Software Hive, then go to Microsoft → Windows Portable Devices → Devices
3.2 Find what drive letter was associated with the USB drive with the label 'WASHER'. _________
(Take a screenshot of this result)
Why is it important to know the drive number/letter (like F:) of a connected device? ___________
Where could this come in handy during a forensic investigation? _____________________
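The serial-number rule from Task 2 and the serial-to-drive-letter correlation from Task 3 can be scripted once the hive values have been exported. The following is an added example, not part of the lab or of the Mantooth image: the USBSTOR and USB subkey names and the MountedDevices entries are constructed samples, MountedDevices is assumed here as an additional place where the drive letter is recorded (the lab itself points at Windows Portable Devices\Devices), and the function and variable names are the example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# All sample data here is constructed for this example; it mirrors the key
# layout the lab points at, not the contents of the Mantooth image.

# SYSTEM\ControlSet001\Enum\USBSTOR\<device key>\<instance id>
USBSTOR_SUBKEYS = [
    ("Disk&Ven_Seagate&Prod_FreeAgent&Rev_0100", "2GE1VQJ5&0"),
    ("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", "7&2a1b3c4d&0"),
]

# SYSTEM\ControlSet001\Enum\USB\<VID_xxxx&PID_xxxx>
USB_SUBKEYS = ["VID_0BC2&PID_2010", "VID_05DC&PID_A410"]

# SYSTEM\MountedDevices (assumed additional source): each \DosDevices\<X>: value is
# REG_BINARY. For USB disks it is a UTF-16LE device path that embeds the USBSTOR
# device key and instance id; for fixed disks it is a 12-byte signature+offset.
MOUNTED_DEVICES = {
    "\\DosDevices\\F:": (
        "_??_USBSTOR#Disk&Ven_Seagate&Prod_FreeAgent&Rev_0100#2GE1VQJ5&0"
        "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    ).encode("utf-16-le"),
    "\\DosDevices\\C:": bytes.fromhex("12345678" + "00" * 8),
}


@dataclass
class UsbStorDevice:
    vendor: str
    product: str
    revision: str
    serial: str          # instance id without the trailing "&<n>" suffix
    unique_serial: bool  # False when Windows generated the id (second char is '&')


def parse_usbstor(device_key: str, instance_id: str) -> UsbStorDevice:
    """Split a USBSTOR device key and instance id into their forensic fields."""
    fields = {}
    for part in device_key.split("&"):
        if "_" in part:
            name, value = part.split("_", 1)
            fields[name] = value
    serial = instance_id.rsplit("&", 1)[0]
    # Manufacturer serial: "2GE1VQJ5&0". Windows-issued id: "7&2a1b3c4d&0".
    unique = len(instance_id) > 1 and instance_id[1] != "&"
    return UsbStorDevice(fields.get("Ven", ""), fields.get("Prod", ""),
                         fields.get("Rev", ""), serial, unique)


def parse_vid_pid(subkey: str) -> tuple[int, int]:
    """Return (vendor id, product id) from an Enum\\USB subkey such as VID_05DC&PID_A410."""
    m = re.fullmatch(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})", subkey)
    if m is None:
        raise ValueError(f"not a VID/PID subkey: {subkey!r}")
    return int(m.group(1), 16), int(m.group(2), 16)


def drive_letters_for(device: UsbStorDevice, mounted: dict[str, bytes]) -> list[str]:
    """Drive letters whose MountedDevices entry embeds this device's serial number."""
    letters = []
    for value_name, data in mounted.items():
        m = re.fullmatch(r"\\DosDevices\\([A-Z]):", value_name)
        if m is None:
            continue
        try:
            path = data.decode("utf-16-le")
        except UnicodeDecodeError:
            continue  # fixed-disk entries are not text
        if "USBSTOR#" in path and f"#{device.serial}&" in path:
            letters.append(m.group(1))
    return letters


def usb_report() -> list[dict]:
    """One row per USBSTOR device, with the serial's origin and any drive letter."""
    rows = []
    for device_key, instance_id in USBSTOR_SUBKEYS:
        dev = parse_usbstor(device_key, instance_id)
        rows.append({
            "vendor": dev.vendor,
            "product": dev.product,
            "serial": dev.serial,
            "serial_origin": "manufacturer" if dev.unique_serial else "windows-generated",
            "drive_letters": drive_letters_for(dev, MOUNTED_DEVICES),
        })
    return rows


if __name__ == "__main__":
    for row in usb_report():
        print(row)
    for subkey in USB_SUBKEYS:
        vid, pid = parse_vid_pid(subkey)
        print(f"{subkey}: vendor 0x{vid:04X}, product 0x{pid:04X}")
```

A Windows-issued serial (second character &) only identifies the device on this one machine, so it cannot be matched against the same stick seen on another system; a manufacturer serial can, which is why the report records the origin next to the serial.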

Task 4:
Track networks
4.1 Navigate to the Software Hive, then go to Microsoft → Windows NT → CurrentVersion → NetworkList → Signatures → Managed and highlight the key; on the right you should see a DnsSuffix value.
(Take a screenshot of this result)

4.2 Now select Unmanaged and highlight the key; on the right you should see a DnsSuffix value.
(Take a screenshot of this result)

Note:
managed = computer on a domain
unmanaged = computer not on a domain

4.3 Make a note of the DefaultGatewayMac value. Are the MAC addresses the same? ________________ Why?

Task 5:
Track Recent activities
5.1 Navigate to /img_Mantooth.E01/vol_vo2/Users/WesMantooth/AppData/Roaming/Microsoft/Windows/Recent
5.2 Now scroll through some of the recent files listed here and see if you can find any which are associated with USB drives. (Take a screenshot of this result)

5.3 Are there any files which may be of interest during our forensic investigation? ________

Task 6:
Registry Analysis with Registry Viewer
The Windows registry provides a lot of information about the system, the machine and the users. Now we will select and extract the elements most useful for our analysis.
6.1 Download AccessData Registry Viewer (https://accessdata.com/product-download/registry-viewer-2-0-0)
6.2 Once installed, launch the program; a window will appear with the following warning:

Click No and run Registry Viewer in demo mode.
In the new window that will open, click OK and finally you will have access to the operating interface of the tool.

6.3 In this task, we need to export registry hives from Autopsy (see Task 1). Export the following registry hives:

• SYSTEM
• SOFTWARE
• SECURITY
• NTUSER.DAT

6.4 To import a file, click File → Open and select an extracted hive file.

6.5 We choose the Software hive file previously extracted with FTK Imager to continue our analysis.
6.6 To import a file just click on File→Open and select an extracted hive file.
6.7 In the upper left panel, note the hive Software represented as a PC and, under it, the keys represented as folders. In the lower left, Key Properties are shown. Note the Last Written Time property, which corresponds to 12/02/2008 20:11:57.
If we scroll down and select the key Acrobat Reader and its subkey Installer, we can see the stored values, specifically the version, the installation path and the default directory of the tool.
You may have noticed that we are using the demo version of Registry Viewer. Although its features are more limited than the full version's (no Common Areas are shown and reports cannot be generated), the demo version is still a powerful and very useful tool for analyzing the registry.

6.8 What is the OS version? _____________________________
(Hint: SOFTWARE\Microsoft\Windows NT\CurrentVersion)
6.9 When was this OS installed? ____________________________________
6.10 Who is the registered owner? __________________________________
6.11 What is the model and manufacturer? _______________________
(Hint: SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation)
6.12 To find useful information about the installed printers, look at the subkeys stored at this path:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\
What is the printer driver name? _____________________________
6.13 What is the computer name? ________________________________
(Hint: SYSTEM\ControlSet001\Control\ComputerName\ComputerName)
6.14 What is the time zone? ________________
(Hint: SYSTEM\ControlSet001\Control\TimeZoneInformation)
6.15 When was the last shutdown time? ________________
(Hint: SYSTEM\ControlSet001\Control\Windows\)
Note: To verify it, highlight the hexadecimal value stored in the ShutdownTime value, then right-click and select Show Hex Interpreter Window.
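Several of the values this lab asks for are not stored as readable text: the last shutdown time (6.15) is an 8-byte FILETIME in REG_BINARY, which is what the Hex Interpreter Window decodes for you; InstallDate (6.9) is a REG_DWORD holding a Unix timestamp; the bias values under TimeZoneInformation (Task 1, 6.14) are signed DWORDs in minutes; and DefaultGatewayMac (4.3) is six raw bytes. The decoders below are an added example, not part of the lab or of Registry Viewer; every sample value is constructed (the FILETIME bytes encode 2008-12-02 20:11:57 UTC, chosen to match the hive timestamp quoted in 6.7), and the function names are the example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample values for this example (not read from the Mantooth image).
SHUTDOWN_TIME_RAW = bytes.fromhex("8064f839ba54c901")  # REG_BINARY FILETIME, little-endian
INSTALL_DATE_RAW = 1200000000                          # REG_DWORD InstallDate (Unix seconds)
ACTIVE_TIME_BIAS_RAW = 0x0000012C                      # REG_DWORD ActiveTimeBias = 300 minutes
DEFAULT_GATEWAY_MAC_MANAGED = bytes.fromhex("001122aabbcc")    # REG_BINARY, 6 bytes
DEFAULT_GATEWAY_MAC_UNMANAGED = bytes.fromhex("00aabbccddee")  # REG_BINARY, 6 bytes

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(data: bytes) -> datetime:
    """Decode a little-endian FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    if len(data) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", data)
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)


def installdate_to_datetime(seconds: int) -> datetime:
    """InstallDate is a Unix timestamp: seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def bias_to_utc_offset(dword: int) -> timedelta:
    """ActiveTimeBias is a signed DWORD: minutes to ADD to local time to reach UTC.
    A bias of 300 therefore means UTC-5; 0xFFFFFFC4 (-60) means UTC+1."""
    if dword >= 1 << 31:
        dword -= 1 << 32  # two's complement for negative biases (zones east of UTC)
    return timedelta(minutes=-dword)


def to_local(utc_time: datetime, bias_dword: int) -> datetime:
    """Re-express a UTC timestamp in the machine's configured local time."""
    return utc_time.astimezone(timezone(bias_to_utc_offset(bias_dword)))


def mac_from_binary(data: bytes) -> str:
    """Format a 6-byte REG_BINARY MAC address as AA-BB-CC-DD-EE-FF."""
    if len(data) != 6:
        raise ValueError("a MAC address is exactly 6 bytes")
    return "-".join(f"{b:02X}" for b in data)


def decode_samples() -> dict:
    """Decode all constructed samples; values are ISO-8601 strings or MAC strings."""
    shutdown_utc = filetime_to_datetime(SHUTDOWN_TIME_RAW)
    return {
        "install_date_utc": installdate_to_datetime(INSTALL_DATE_RAW).isoformat(),
        "last_shutdown_utc": shutdown_utc.isoformat(),
        "last_shutdown_local": to_local(shutdown_utc, ACTIVE_TIME_BIAS_RAW).isoformat(),
        "gateway_mac_managed": mac_from_binary(DEFAULT_GATEWAY_MAC_MANAGED),
        "gateway_mac_unmanaged": mac_from_binary(DEFAULT_GATEWAY_MAC_UNMANAGED),
    }


if __name__ == "__main__":
    for name, value in decode_samples().items():
        print(f"{name}: {value}")
```

Registry timestamps (FILETIME and InstallDate alike) are stored in UTC; the time-zone bias is what turns them into the local time the user would have seen, so record both forms in your notes and state which one you are quoting.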

Task 7:
The SAM hive can provide some interesting statistical information about the local users and the machine's use.
To see how many accounts are recorded, go to SAM\Domains\Account\Users and count the subkeys present. Each subkey represents a user; its name is formed by four zeros followed by the hexadecimal representation of the user's relative identifier (RID): the Administrator account has a RID of 500, so the stored key is named 00001F4, where 01F4 is the hexadecimal translation of 500; the first user account created has a RID of 1001, so the stored key name is 0309, and so on.
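The RID-to-key-name conversion is easy to get wrong by hand, so it is worth scripting. The following is an added example (not part of the lab): it produces the full eight-hex-digit key name, parses names back to RIDs, and skips the non-account "Names" subkey that also lives under Users. Check the key names quoted in the text against its output: RID 500 is 0x1F4 and RID 1001 is 0x3E9, so the zero-padded names are 000001F4 and 000003E9. The subkey list is a constructed sample and the function names are the example's own.

```python
import re

# Constructed subkey names under SAM\Domains\Account\Users (not from the image).
# Besides one key per account there is a "Names" subkey, which must be skipped.
SAMPLE_USER_SUBKEYS = ["000001F4", "000001F5", "000003E9", "000003EA", "Names"]

# Well-known local RIDs; everything from 1000 upwards was created after install.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}


def rid_to_key_name(rid: int) -> str:
    """Key name = RID as 8 zero-padded uppercase hex digits: 500 -> 000001F4."""
    if not 0 <= rid < 1 << 32:
        raise ValueError("a RID is an unsigned 32-bit value")
    return f"{rid:08X}"


def key_name_to_rid(name: str) -> int:
    """Inverse of rid_to_key_name; rejects non-account subkeys such as 'Names'."""
    if re.fullmatch(r"[0-9A-Fa-f]{8}", name) is None:
        raise ValueError(f"not a RID key name: {name!r}")
    return int(name, 16)


def enumerate_accounts(subkeys):
    """Return (rid, well-known name or None, category) per account, sorted by RID."""
    accounts = []
    for name in subkeys:
        try:
            rid = key_name_to_rid(name)
        except ValueError:
            continue  # "Names" and anything else that is not an account key
        category = "built-in" if rid < 1000 else "user-created"
        accounts.append((rid, WELL_KNOWN_RIDS.get(rid), category))
    return sorted(accounts)


def count_accounts(subkeys) -> int:
    """Number of accounts recorded in the hive (the statistic Task 7 asks for)."""
    return len(enumerate_accounts(subkeys))


if __name__ == "__main__":
    print(f"{count_accounts(SAMPLE_USER_SUBKEYS)} accounts recorded")
    for rid, known, category in enumerate_accounts(SAMPLE_USER_SUBKEYS):
        print(f"{rid_to_key_name(rid)}  RID {rid:<5} {category:<13} {known or ''}")
```

The user-created RIDs are assigned sequentially from 1000, so gaps in that sequence (here 1000 is absent while 1001 and 1002 are present) are themselves an observation worth noting: an account with that RID may have been deleted.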

Task 8:
If we want to collect as much data as possible about an installed application, we must look at the following key:
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
We will see a list of subkeys identified by the application's product code GUID. If we need to find a certain application, we can select the Uninstall key, choose Edit → Find and type a specific term so that the search is restricted to our key. For example, let's try to find some information about AOL.

Task 9:
Windows Registry extraction with FTK Imager or Regedit
There are several ways to perform an extraction from the Windows Registry; let's look at some of the most useful. On a running machine, you can back up the registry using the Windows graphical interface or using the command shell or PowerShell. For the first way, just launch the regedit command in the cmd shell to open the graphical registry editor.
9.1 To export the entire registry, right-click on the Computer icon and select "Export" to save a .reg file in a folder of your choice.

9.2 Open "AccessData FTK Imager"
9.3 Click on the "Add Evidence Item" button
9.4 Select the "Logical Drive" radio button
9.5 Select the source drive.
9.6 Expand the "Evidence Tree" and browse the file system (the MFT) to windows/system32/config/.
9.7 Export the registry files by clicking the "Export Files" button. Select the destination folder of your choice.

Reflective statements (end-of-exercise):
You should reflect on these questions:

1. Which registry key holds the list of URLs the currently logged on user typed into Internet Explorer?

2. Which registry key would you use to discover the SID associated with a particular user?

3. Which registry hive holds information about installed applications and settings, along with information about any hardware that has ever been connected to the computer, including the type of bus, the total size of available memory, the list of currently loaded device drivers and information about Windows?

4. Assume you have copies of the registry files SAM, SECURITY and SOFTWARE; in other words, these files are NOT in an image. Which program would you use to inspect the files?

Attachment:- Forensics registry analysis.rar
