Where could this come in handy during forensic investigation

Reference no: EM133184207

LAB: 06

This lab focuses on Windows forensics registry analysis.

Objective:
• Learn the Windows registry

Learning Activities:
At the end of these activities, you should understand:
• The Windows registry
• How to navigate registry keys
• The Regedit display of a Windows Registry hive
• How to collect artifacts

Tools to use:
- Mantooth.e01 (the evidence image)
- Autopsy
- Regedit
- AccessData Registry Viewer
- AccessData FTK Imager

Task 1:
1.1 First, download Mantooth.e01.

1.2 Open a new case in Autopsy.

1.3 Add the disk image file Mantooth.e01 as a data source.

1.4 Autopsy will process the image file as an evidence source (this may take a few minutes).

Let's start by finding the registry hives within the image file.

1.5 In Autopsy, browse to Windows/System32/config.

1.6 You will see a list of files; select SYSTEM.

1.7 Autopsy parses the registry file into the bottom pane (under the Application tab). You will see a list of folders; each folder is a registry key.

1.8 Open ControlSet001 → Control → TimeZoneInformation and select the TimeZoneInformation key.
The configuration values will be shown in the Metadata pane.
Note: ControlSet001 is usually, but not always, the control set that was in use at the last boot. Check the Current value under SYSTEM\Select to confirm which ControlSetNNN applies, and use that one throughout this lab.

What is the time zone? __________________________
(Take a screenshot of this result)

Task 2:

Track USB serial numbers

2.1 Navigate to the SYSTEM hive (Windows/System32/config).

2.2 Select ControlSet001 → Enum → USBSTOR
You will see information about the USB mass-storage devices that have been connected to this machine: thumb drives, external disks, iPods, etc. Each subkey is named from the device descriptor (Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>), and beneath it there is one further subkey per physical device whose name is the device's instance ID, which is its serial number if the device has one.
Ex: (screenshot of the USBSTOR key omitted)

Here you can see that two USB devices have been installed on this machine, a Seagate FreeAgent device and a Generic device (a Generic device is not uncommon; the serial number is what lets you track the USB device through the other artefacts).

Both of these devices have a unique serial number assigned by their manufacturer. You can tell because the second character of the instance ID is not an ampersand. If the second character is an &, the device did not report a serial number and Windows generated an ID that is unique only to this system, so it cannot be used to recognise the same device on another machine. The &0 (or &1) at the end of the instance ID is a suffix Windows appends to every device and is not itself evidence of a manufacturer serial.

2.3 Select ControlSet001 → Enum → USB
Here each device's Vendor ID and Product ID are listed as a subkey name (Ex: VID_05DC&PID_A410). The subkeys beneath it are again named by instance ID, so a manufacturer serial number found under USBSTOR can be matched to its VID/PID here.
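The two key layouts described in 2.2 and 2.3 can be parsed and cross-referenced once the hive has been exported, which is how you would handle a machine with dozens of devices rather than two. The following Python is an added example written for this page; it is not part of the lab handout, Autopsy or Registry Viewer. The key names it takes as input are constructed (only the VID_05DC&PID_A410 pattern is from the handout; the Seagate vendor ID and the serial numbers are made up).

```python
"""Parse USBSTOR / USB device-instance key names from an exported SYSTEM hive.

Added example for Task 2 of this lab; not part of the original handout or of
Autopsy. The sample key names at the bottom are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Enum\USBSTOR device-class subkey: <type>&Ven_<vendor>&Prod_<product>&Rev_<revision>
USBSTOR_CLASS_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$"
)
# Enum\USB subkey: VID_xxxx&PID_xxxx (composite devices add &MI_xx after this)
USB_VIDPID_RE = re.compile(r"^VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})")


@dataclass
class UsbDevice:
    device_type: str
    vendor: str
    product: str
    revision: str
    instance_id: str         # subkey name as stored, e.g. "2GE1234567&0"
    serial: str              # instance id without the "&<n>" suffix Windows appends
    windows_generated: bool  # True when the device reported no serial (2nd char is '&')


def split_instance_id(instance_id: str) -> tuple[str, bool]:
    """Return (serial, windows_generated) for a device-instance subkey name.

    Windows appends "&<n>" to every instance id, so that suffix is stripped. If the
    device did not report a serial number, Windows builds an id whose second character
    is '&' (e.g. "6&2d9c0e15&0"); such an id is unique only on this machine and cannot
    be used to recognise the same stick on another system.
    """
    serial = re.sub(r"&\d+$", "", instance_id)
    generated = len(instance_id) > 1 and instance_id[1] == "&"
    return serial, generated


def parse_usbstor(keys: list[str]) -> list[UsbDevice]:
    """keys: paths relative to Enum\\USBSTOR, 'class\\instance' (deeper keys are ignored)."""
    devices: list[UsbDevice] = []
    for key in keys:
        parts = key.split("\\")
        if len(parts) != 2:
            continue
        m = USBSTOR_CLASS_RE.match(parts[0])
        if not m:
            continue
        serial, generated = split_instance_id(parts[1])
        devices.append(UsbDevice(m["type"], m["vendor"], m["product"], m["rev"],
                                 parts[1], serial, generated))
    return devices


def parse_vid_pid(key_name: str) -> Optional[tuple[int, int]]:
    """'VID_05DC&PID_A410' -> (0x05DC, 0xA410); None if the name is not a VID/PID key."""
    m = USB_VIDPID_RE.match(key_name)
    return (int(m["vid"], 16), int(m["pid"], 16)) if m else None


def correlate(usbstor_keys: list[str], usb_keys: list[str]) -> dict[str, Optional[tuple[int, int]]]:
    """Map each USBSTOR serial to the (VID, PID) whose Enum\\USB instance id carries the same serial.

    Only manufacturer serials match across the two enumerators; a Windows-generated id
    differs between USB and USBSTOR, so such devices come back with None.
    """
    by_serial: dict[str, tuple[int, int]] = {}
    for key in usb_keys:
        parts = key.split("\\")
        if len(parts) != 2:
            continue
        vid_pid = parse_vid_pid(parts[0])
        if vid_pid is not None:
            by_serial[split_instance_id(parts[1])[0]] = vid_pid
    return {d.serial: by_serial.get(d.serial) for d in parse_usbstor(usbstor_keys)}


# Constructed sample key names (vendor IDs and serials are made up, not from the Mantooth image).
SAMPLE_USBSTOR_KEYS = [
    r"Disk&Ven_Seagate&Prod_FreeAgent&Rev_102D\2GE1234567&0",
    r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2d9c0e15&0",
    r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2d9c0e15&0\Device Parameters",
]
SAMPLE_USB_KEYS = [
    r"VID_0BC2&PID_3001\2GE1234567",
    r"VID_05DC&PID_A410\6&1e8f9a21&0&2",
]

if __name__ == "__main__":
    for dev in parse_usbstor(SAMPLE_USBSTOR_KEYS):
        tag = "Windows-generated" if dev.windows_generated else "manufacturer serial"
        print(f"{dev.vendor} {dev.product}: {dev.serial} ({tag})")
    print(correlate(SAMPLE_USBSTOR_KEYS, SAMPLE_USB_KEYS))
```

Feed it the subkey names you read off Registry Viewer (or dump from a parsed hive); a device whose serial comes back flagged as Windows-generated cannot be tied to the same stick found on another computer, which is exactly the limitation 2.2 warns about.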

Task 3:

Track USB drive letters

3.1 Navigate to the SOFTWARE hive, then go to Microsoft → Windows Portable Devices → Devices.
(Each subkey name under Devices embeds the device serial number seen in Task 2; its FriendlyName value holds the drive letter or volume label the device had.)
3.2 Find which drive letter was associated with the USB drive labelled 'WASHER': _________
(Take a screenshot of this result)
Why is it important to know the drive letter (like F:) of a connected device? ___________
Where could this come in handy during a forensic investigation? _____________________

Task 4:
Track networks
4.1 Navigate to the SOFTWARE hive, then go to Microsoft → Windows NT → CurrentVersion → NetworkList → Signatures → Managed. Highlight a signature key beneath it; on the right you should see a DnsSuffix value.
(Take a screenshot of this result)

4.2 Now select Signatures → Unmanaged and highlight a key beneath it; on the right you should again see a DnsSuffix value.
(Take a screenshot of this result)

Note:
Managed = the network was managed by a domain (the computer was domain-joined on it)
Unmanaged = the network was not on a domain
4.3 Make a note of the DefaultGatewayMac value (a 6-byte REG_BINARY; read it in hex). Are the MAC addresses the same across the signatures? ________________ Why?
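The comparison asked for in 4.3 is easier when the raw bytes are decoded and the signatures are grouped by gateway, because a gateway MAC identifies the router a network sat behind. The Python below is an added example for this page, not part of the handout; the three signature records are constructed, as are the GUIDs and MAC addresses. It also decodes the DateCreated / DateLastConnected values that live under NetworkList\Profiles, which the handout does not cover but which usually accompany this check.

```python
"""Decode NetworkList values from an exported SOFTWARE hive and group networks by gateway.

Added example for Task 4 of this lab; not part of the original handout or of
Registry Viewer. The SAMPLE_SIGNATURES records are constructed.
"""
from __future__ import annotations

import struct
from collections import defaultdict
from datetime import datetime


def mac_from_bytes(raw: bytes) -> str:
    """DefaultGatewayMac is a 6-byte REG_BINARY; render it as aa:bb:cc:dd:ee:ff."""
    if len(raw) != 6:
        raise ValueError(f"DefaultGatewayMac should be 6 bytes, got {len(raw)}")
    return ":".join(f"{b:02x}" for b in raw)


def systemtime_from_bytes(raw: bytes) -> datetime:
    """NetworkList\\Profiles\\<GUID> DateCreated and DateLastConnected are 16-byte
    SYSTEMTIME structures: 8 little-endian WORDs (year, month, weekday, day, hour,
    minute, second, milliseconds), stored in the machine's local time."""
    if len(raw) != 16:
        raise ValueError(f"SYSTEMTIME should be 16 bytes, got {len(raw)}")
    year, month, _weekday, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    return datetime(year, month, day, hour, minute, second, ms * 1000)


def group_by_gateway(signatures: list[dict]) -> dict[str, list[tuple[str, str, str]]]:
    """signatures: records read from Signatures\\Managed and Signatures\\Unmanaged, each
    with kind, ProfileGuid, DnsSuffix and DefaultGatewayMac (bytes).

    Returns {gateway_mac: [(kind, DnsSuffix, ProfileGuid), ...]}. Entries that share a
    gateway MAC were seen behind the same router, i.e. on the same physical network, even
    when they sit under different signature keys or carry different DNS suffixes.
    """
    groups: dict[str, list[tuple[str, str, str]]] = defaultdict(list)
    for s in signatures:
        groups[mac_from_bytes(s["DefaultGatewayMac"])].append(
            (s["kind"], s["DnsSuffix"], s["ProfileGuid"]))
    return dict(groups)


def shared_gateways(groups: dict[str, list]) -> list[str]:
    """Gateway MACs that more than one network signature points at."""
    return sorted(mac for mac, entries in groups.items() if len(entries) > 1)


# Constructed sample records (GUIDs and MACs are made up, not from the Mantooth image).
# "<none>" is what Windows stores in DnsSuffix when the network supplied no suffix.
SAMPLE_SIGNATURES = [
    {"kind": "Managed", "ProfileGuid": "{0A1B2C3D-0000-4000-8000-000000000001}",
     "DnsSuffix": "corp.example", "DefaultGatewayMac": bytes.fromhex("001a2b3c4d5e")},
    {"kind": "Unmanaged", "ProfileGuid": "{0A1B2C3D-0000-4000-8000-000000000002}",
     "DnsSuffix": "<none>", "DefaultGatewayMac": bytes.fromhex("001a2b3c4d5e")},
    {"kind": "Unmanaged", "ProfileGuid": "{0A1B2C3D-0000-4000-8000-000000000003}",
     "DnsSuffix": "home.lan", "DefaultGatewayMac": bytes.fromhex("f4ec38aa0102")},
]

if __name__ == "__main__":
    groups = group_by_gateway(SAMPLE_SIGNATURES)
    for mac, entries in groups.items():
        print(mac, entries)
    print("same router under several signatures:", shared_gateways(groups))
```

Two signatures, one Managed and one Unmanaged, resolving to the same gateway MAC is the pattern the lab's "Why?" is pointing at: the machine used the same router both while domain-joined and while not.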

Task 5:
Track recent activities
5.1 Navigate to /img_Mantooth.E01/vol_vol2/Users/WesMantooth/AppData/Roaming/Microsoft/Windows/Recent
5.2 Now scroll through the recent files listed here (Windows shortcut .lnk files) and see if you can find any that point at a USB drive, for example at the drive letter found in Task 3. (Take a screenshot of this result)

5.3 Are there any files which may be of interest to our forensic investigation? ________

Task 6:
Registry Analysis with Registry Viewer
The Windows registry provides a lot of information about the system, the machine and its users. Now we will select and extract the elements most useful for our analysis.
6.1 Download AccessData Registry Viewer (https://accessdata.com/product-download/registry-viewer-2-0-0).
6.2 Once installed, launch the program. A window will appear with a licence warning (the screenshot is not reproduced here).

Click No and run Registry Viewer in demo mode.
In the new window that opens, click OK, and you will have access to the operating interface of the tool.

6.3 In this task we need the registry hives from the image opened in Autopsy in Task 1. Export the following hives from Autopsy (right-click the file → Extract File(s)):

• SYSTEM (Windows/System32/config)
• SOFTWARE (Windows/System32/config)
• SECURITY (Windows/System32/config)
• SAM (Windows/System32/config; needed for Task 7)
• NTUSER.DAT (in the user's profile folder, Users/WesMantooth)

6.4 To open a hive, click File → Open and select an extracted hive file.

6.5 We choose the SOFTWARE file extracted earlier (from Autopsy here, or from FTK Imager as in Task 9) to continue our analysis.
6.6 Use File → Open again for each further hive you want to examine.
6.7 In the upper-left panel, note the hive SOFTWARE represented as a PC and, under it, the keys represented as folders. In the lower left, Key Properties are shown. Note the Last Written Time property, which here corresponds to 12/02/2008 20:11:57.
If we scroll down and select the key Acrobat Reader and the subkey Installer, we can see the stored values, specifically the version, the installation path and the default directory of the tool.
You may have noticed that we are using the demo version of Registry Viewer. Although its features are more limited than the full version (no Common Areas shown and no report generation), the Registry Viewer demo is still a powerful and very useful tool for analysing the registry.

6.8 What is the OS version? _____________________________
(Hint: SOFTWARE\Microsoft\Windows NT\CurrentVersion, value ProductName; CurrentVersion and CurrentBuild give the build)
6.9 When was this OS installed? ____________________________________
(Hint: same key, value InstallDate, a REG_DWORD Unix timestamp: seconds since 1970-01-01 UTC)
6.10 Who is the registered owner? __________________________________
(Hint: same key, value RegisteredOwner)
6.11 What is the model and manufacturer? _______________________
(Hint: SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation, values Manufacturer and Model)
6.12 To find useful information about the installed printers, look at the subkeys stored at this path:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\
What is the printer driver name? _____________________________
(Hint: each printer's subkey has a Printer Driver value)
6.13 What is the computer name? ________________________________
(Hint: SYSTEM\ControlSet001\Control\ComputerName\ComputerName)
6.14 What is the time zone? _____________________________
(Hint: SYSTEM\ControlSet001\Control\TimeZoneInformation; compare with your Task 1 answer)
6.15 When was the last shutdown time? ________________
(Hint: SYSTEM\ControlSet001\Control\Windows\, value ShutdownTime, an 8-byte FILETIME stored in UTC)
Note: To decode it, highlight the hexadecimal value stored in ShutdownTime, then right-click and select Show Hex Interpreter Window.
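The Hex Interpreter Window gives you the shutdown time in UTC; 6.14 and 6.15 together let you state it in the machine's own local time, which is what you will compare against file timestamps and the user's Recent items. The Python below is an added example for this page (not part of the handout or of Registry Viewer) that does the FILETIME and ActiveTimeBias arithmetic by hand so the steps are visible. The ShutdownTime bytes and bias value are constructed, not taken from the Mantooth image.

```python
"""Decode the SYSTEM hive's last-shutdown time and express it in the machine's own time zone.

Added example for steps 6.14 and 6.15 of this lab; not part of the original handout
or of Registry Viewer. The sample values at the bottom are constructed.
"""
from __future__ import annotations

import struct
from datetime import datetime, timedelta, timezone

# 100-nanosecond ticks between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01)
EPOCH_DIFF_TICKS = 116_444_736_000_000_000


def ticks_to_utc(ticks: int) -> datetime:
    """A FILETIME is the number of 100 ns intervals since 1601-01-01 00:00:00 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def ticks_to_unix(ticks: int) -> int:
    """Same instant as a Unix timestamp (handy for comparing with InstallDate from 6.9)."""
    return (ticks - EPOCH_DIFF_TICKS) // 10_000_000


def filetime_to_utc(raw: bytes) -> datetime:
    """ShutdownTime (SYSTEM\\ControlSet001\\Control\\Windows) is an 8-byte little-endian FILETIME."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be 8 bytes, got {len(raw)}")
    (ticks,) = struct.unpack("<Q", raw)
    return ticks_to_utc(ticks)


def active_time_bias_minutes(raw_dword: int) -> int:
    """ActiveTimeBias (TimeZoneInformation) is a REG_DWORD holding a *signed* 32-bit
    offset in minutes such that UTC = local + bias. Registry Viewer shows the unsigned
    form, so 0xFFFFFFC4 must be read as -60 (UTC+1), not as 4294967236."""
    return raw_dword - (1 << 32) if raw_dword >= (1 << 31) else raw_dword


def utc_to_local(utc: datetime, bias_minutes: int) -> datetime:
    """Naive local time for the system's ActiveTimeBias (local = UTC - bias)."""
    return (utc - timedelta(minutes=bias_minutes)).replace(tzinfo=None)


def shutdown_report(shutdown_time_raw: bytes, active_time_bias_dword: int) -> dict[str, str]:
    """What you would write into 6.15: the UTC instant, the bias, and the local wall-clock time."""
    utc = filetime_to_utc(shutdown_time_raw)
    bias = active_time_bias_minutes(active_time_bias_dword)
    return {
        "utc": utc.isoformat(),
        "active_time_bias_minutes": str(bias),
        "local": utc_to_local(utc, bias).isoformat(),
    }


# Constructed sample values (not read from the Mantooth image).
SAMPLE_SHUTDOWN_TIME = struct.pack("<Q", 128_727_223_170_000_000)  # 2008-12-02 20:11:57 UTC
SAMPLE_ACTIVE_TIME_BIAS = 300  # UTC-5 (Eastern Standard Time); stored as the unsigned DWORD 0x12C

if __name__ == "__main__":
    print(shutdown_report(SAMPLE_SHUTDOWN_TIME, SAMPLE_ACTIVE_TIME_BIAS))
```

Copy the eight hex bytes from the ShutdownTime value in the order Registry Viewer shows them (least significant byte first) and the ActiveTimeBias DWORD from TimeZoneInformation; the report gives the instant in UTC and in the wall-clock time the user of the machine would have seen.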

Task 7:
The SAM hive can provide some interesting statistical information about the local users and the machine's use.
To see how many accounts are recorded, go to SAM\Domains\Account\Users and count the subkeys present, ignoring the Names subkey (which maps usernames to RIDs). Each remaining subkey represents a user; its name is the eight-digit hexadecimal representation of the user's relative identifier (RID). The Administrator account has a RID of 500, so the stored key is named 000001F4 (01F4 is 500 in hexadecimal); the Guest account has RID 501, stored as 000001F5; user-created accounts have RIDs of 1000 and above, so an account with RID 1001 is stored under 000003E9, and so on.

Task 8:
If we want to collect as much data as possible about an installed application, we must look at the following key:
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
We will see a list of subkeys, identified either by the application's product-code GUID or by a plain product name; typical values inside each are DisplayName, DisplayVersion, Publisher, InstallLocation, InstallDate and UninstallString. If we need to find a certain application, select the Uninstall key, choose Edit → Find and type a specific term; the search is then restricted to that key and its subkeys. For example, let's try to find some information about AOL.

Task 9:
Windows Registry extraction with FTK Imager or Regedit
There are several ways to extract the Windows registry; let's see some of the most useful. On a running machine, you can export the registry using the Windows graphical interface or using the command shell or PowerShell. For the first way, just run the regedit command from the cmd shell (or the Start menu) to open the graphical registry editor.
9.1 To export the entire registry, right-click on the Computer icon and select Export to save a .reg file in a folder of your choice.
Note: a .reg export is a text rendering of the keys your account is allowed to read, not a copy of the hive files; protected keys such as SAM and SECURITY are not included, and the hive files themselves are locked while Windows is running. To obtain the raw hives from a live system, use FTK Imager as follows.

9.2 Open AccessData FTK Imager.
9.3 Click the "Add Evidence Item" button.
9.4 Select the "Logical Drive" radio button.
9.5 Select the source drive.
9.6 Expand the Evidence Tree (FTK Imager parses the MFT to build it) and go to [root]/Windows/System32/config/.
9.7 Export the registry files (SAM, SECURITY, SOFTWARE, SYSTEM) by clicking the "Export Files" button and select the destination folder of your choice. Each user's NTUSER.DAT is under [root]/Users/<username>/.
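A .reg file produced by step 9.1 is plain text (UTF-16LE with a byte-order mark) and can be analysed offline without Regedit, provided you decode its value syntax: quoted strings, dword:, and hex: with a type code and line continuations. The Python below is an added example for this page, not part of the handout or of any AccessData tool. The SAMPLE_REG export is constructed: the key paths are the ones used in this lab, the values are made up.

```python
"""Parse a regedit .reg export offline (Windows Registry Editor Version 5.00 format).

Added example for Task 9 of this lab; not part of the handout or of any AccessData
tool. SAMPLE_REG is a constructed export, not taken from a real machine.
"""
from __future__ import annotations

import re

# "name"=value  or  @=value (the key's default value)
NAME_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
# hex:..  (REG_BINARY)  or  hex(<type>):..  for other types rendered as bytes
HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<data>.*)$")


def decode_reg_bytes(raw: bytes) -> str:
    """regedit writes UTF-16LE with a BOM; older tools write ANSI/UTF-8."""
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("utf-8-sig")


def _unescape(s: str) -> str:
    """.reg escapes backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def decode_value(text: str) -> tuple[str, object]:
    """Decode the right-hand side of a value line into (registry type, Python data)."""
    text = text.strip()
    if text == "-":
        return ("DELETE", None)  # "name"=- means the value is to be deleted
    if text.startswith('"'):
        return ("REG_SZ", _unescape(text[1:-1]))
    if text.lower().startswith("dword:"):
        return ("REG_DWORD", int(text[6:], 16))
    m = HEX_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised value syntax: {text!r}")
    data = bytes.fromhex("".join(p.strip() for p in m["data"].split(",") if p.strip()))
    kind = int(m["type"], 16) if m["type"] else 3  # bare hex: is REG_BINARY (type 3)
    if kind == 1:
        return ("REG_SZ", data.decode("utf-16-le").rstrip("\x00"))
    if kind == 2:
        return ("REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00"))
    if kind == 7:
        return ("REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\x00") if s])
    if kind == 11:
        return ("REG_QWORD", int.from_bytes(data, "little"))
    return ("REG_BINARY", data)


def parse_reg(text: str) -> dict[str, dict[str, tuple[str, object]]]:
    """Return {key_path: {value_name: (type, data)}}; the default value is named '@'.

    Hex data that regedit wraps with a trailing backslash is re-joined before decoding.
    """
    result: dict[str, dict[str, tuple[str, object]]] = {}
    current: str | None = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        if current is None:
            continue
        while line.endswith("\\") and i < len(lines):  # continuation line
            line = line[:-1] + lines[i].strip()
            i += 1
        m = NAME_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse line: {line!r}")
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        result[current][name] = decode_value(m.group(2))
    return result


def find_keys(reg: dict[str, dict], term: str) -> list[str]:
    """Offline equivalent of Edit -> Find on key paths (case-insensitive substring)."""
    return [k for k in reg if term.lower() in k.lower()]


# Constructed sample export: lab key paths, made-up values (the ShutdownTime bytes are arbitrary).
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\TimeZoneInformation]
"Bias"=dword:0000012c
"StandardName"="Eastern Standard Time"

[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Windows]
"ShutdownTime"=hex:80,a5,6e,11,49,3c,c9,01

[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\6&2d9c0e15&0]
"FriendlyName"="Generic Flash Disk USB Device"
"HardwareID"=hex(7):55,00,53,00,42,00,00,00,\\
  00,00
"""

if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for key in find_keys(reg, "USBSTOR"):
        print(key, reg[key])
```

Read a real export with parse_reg(decode_reg_bytes(open(path, "rb").read())). Remember the caveat from 9.1: whatever the parser finds is limited to what the exporting account could read, so SAM and SECURITY content will be absent and the raw hives from FTK Imager remain the authoritative source.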

Reflective statements (end-of-exercise):
You should reflect on these questions:

1. Which registry key holds the list of URLs the currently logged on user typed into Internet Explorer?

2. Which registry key would you use to discover the SID associated with a particular user?

3. Which registry hive holds information about installed applications and settings, along with information about any hardware that has ever been connected to the computer, including the type of bus, the total size of available memory, the list of currently loaded device drivers and information about Windows?

4. Assume you have copies of the registry files SAM, SECURITY and SOFTWARE; in other words, these files are NOT in an image. Which program would you use to inspect the files?

Attachment:- Forensics registry analysis.rar

