# **Intro**

Digital Forensics is an essential part of Cyber Security that requires a lot of computer knowledge and skills. The most notable topic is probably Forensic Artifacts: the pieces of information a system leaves behind that can be used as evidence in an investigation. First and foremost, the registry is the most basic artifact we should know, and in this report I'd like to introduce the Windows Registry to you guys. I learned the basics of the registry from the [Tryhackme Forensics lab](https://tryhackme.com/r/room/windowsforensics1). Now I would like to share with you guys what I've learned from this lab.

# **Windows Registry**

## Structure of the registry

The Windows Registry is built from two things: `Keys` and `Values`. A key is a container (think of a folder) that can hold subkeys and values; a value is a named piece of data stored inside a key. One more definition: a `Registry Hive` is a group of keys, subkeys and values that is stored in a single file on disk.

When we open `regedit.exe` (the `Registry Editor`) on Windows, we see these 5 root keys:

![image](https://hackmd.io/_uploads/H16LTQFYA.png)

> Here is the table that lets you know more about these 5 root keys :face_with_monocle:

| REGISTRY ROOT KEY | DESCRIPTION |
| -------- | -------- |
| **HKEY_USERS** | Also known as `HKU`, contains all the actively loaded user profiles on the computer. |
| **HKEY_CURRENT_USER** | Abbreviated `HKCU`; it points to the subkey of `HKU` that belongs to the user who is currently logged on, i.e. the root of that user's configuration information. |
| **HKEY_LOCAL_MACHINE** | A.k.a. `HKLM`, contains the configuration information particular to the computer (for any user). |
| **HKEY_CLASSES_ROOT** | A merged view of `HKEY_LOCAL_MACHINE\SOFTWARE\Classes` and `HKEY_CURRENT_USER\Software\Classes`. The information stored here makes sure that the correct program opens when you open a file in Windows Explorer. This key is sometimes abbreviated as `HKCR`. |
| **HKEY_CURRENT_CONFIG** | Contains information about the hardware profile used by the local computer at system startup. |

Note that the root keys are not hives themselves: a root key is a view that Windows assembles from one or more hive files at boot or logon. The majority of the machine-wide hives are located in `C:\Windows\System32\Config`:

1. **DEFAULT** (mounted on `HKEY_USERS\.DEFAULT`)
1. **SAM** (mounted on `HKEY_LOCAL_MACHINE\SAM`)
1. **SECURITY** (mounted on `HKEY_LOCAL_MACHINE\SECURITY`)
1. **SOFTWARE** (mounted on `HKEY_LOCAL_MACHINE\SOFTWARE`)
1. **SYSTEM** (mounted on `HKEY_LOCAL_MACHINE\SYSTEM`)

Before continuing, I want to introduce some file extensions you will see next to the hive files:

| Extension | Description |
| -------- | -------- |
| none | A complete copy of the hive data. |
| `.alt` | A backup copy of the critical `HKEY_LOCAL_MACHINE\System` hive. Only the System key has an `.alt` file, and only on older Windows NT releases. |
| `.log` | A transaction log of changes to the keys and the value entries in the hive. Current Windows versions keep two of them per hive, named `.LOG1` and `.LOG2`. |
| `.sav` | A backup copy of a hive. |

The following table lists the standard hives and their supporting files:

| Registry Hive | Supporting files |
| -------- | -------- |
| **HKEY_CURRENT_CONFIG** | System, System.alt, System.log, System.sav |
| **HKEY_CURRENT_USER** | Ntuser.dat, Ntuser.dat.log |
| **HKEY_LOCAL_MACHINE\SAM** | Sam, Sam.log, Sam.sav |
| **HKEY_LOCAL_MACHINE\Security** | Security, Security.log, Security.sav |
| **HKEY_LOCAL_MACHINE\Software** | Software, Software.log, Software.sav |
| **HKEY_LOCAL_MACHINE\System** | System, System.alt, System.log, System.sav |
| **HKEY_USERS\.DEFAULT** | Default, Default.log, Default.sav |

---

## Some recommended tools to work with registry

As I said above, we can view the registry through the `Registry Editor`. However, the forensically correct method is to acquire a copy of the hive files and perform the analysis on that copy, so that nothing we do touches the evidence. Another problem is that we can't just copy the hive files out of `%WINDIR%\System32\Config` with Explorer: while Windows is running, the kernel holds them open exclusively, so a plain copy fails with a sharing violation (`reg.exe save HKLM\SAM <file>` from an elevated prompt, or a Volume Shadow Copy, gets around this, but a dedicated acquisition tool is cleaner).
That's why I have this content:)) to recommend some tools that tackle this problem:

### **KAPE**

KAPE is a live data acquisition and analysis tool which can be used to acquire registry data. It is primarily a command-line tool but also comes with a GUI (gkape). The screenshot below shows what the KAPE GUI looks like, with all the settings already selected to extract the registry data. TryHackMe covers collecting forensic artifacts with KAPE in more depth in a dedicated KAPE room.

![image](https://hackmd.io/_uploads/SkjbG06YR.png)

### **Autopsy**

[Autopsy](https://www.autopsy.com/) gives you the option to acquire data from both live systems and disk images. After adding your data source, navigate to the location of the files you want to extract, then right-click and select the Extract File(s) option. It will look similar to the screenshot below.

![image](https://hackmd.io/_uploads/r1JVfCptA.png)

### **FTK Imager**

[FTK Imager](https://www.exterro.com/digital-forensics-software/ftk-imager) is similar to Autopsy and allows you to extract files from a disk image or a live system by mounting the disk image or drive in FTK Imager; the Export Files option is what pulls the hive files out.

### **Registry Viewer**

As we can see in the screenshot below, AccessData's Registry Viewer has a user interface similar to the Windows Registry Editor. There are a couple of limitations, though: it only loads one hive at a time, and it can't take the transaction logs into account.

![image](https://hackmd.io/_uploads/HyrPGR6tC.png)

### **Registry Explorer**

[Eric Zimmerman](https://ericzimmerman.github.io/#!index.md) has developed a handful of tools that are very useful for Digital Forensics and Incident Response. One of them is Registry Explorer, shown in the screenshot below. It can load multiple hives simultaneously and replay the transaction logs into the hive to produce a 'clean' hive with the most up-to-date data. It also has a handy 'Bookmarks' menu containing the forensically important registry keys that investigators look for most often, so you can jump straight to the interesting keys and values. We will explore these keys in more detail in the sections below.

![image](https://hackmd.io/_uploads/B1RFMCpY0.png)

### **RegRipper**

[RegRipper](https://github.com/keydet89/RegRipper3.0) is a utility that takes a registry hive as input and, using a set of plugins, outputs a text report of the data in the forensically important keys and values of that hive, listed in sequential order. RegRipper is available in both CLI and GUI form; the GUI is shown in the screenshot below.

![image](https://hackmd.io/_uploads/rkEX5CaY0.png)

## Access to the registry

For Windows 7 and later, a user's profile directory is `C:\Users\<username>`, and the per-user hives are:

1. `NTUSER.DAT`, mounted on `HKEY_CURRENT_USER` when the user logs in, located in `C:\Users\<username>`
1. `USRCLASS.DAT`, mounted on `HKEY_CURRENT_USER\Software\Classes`, located in `C:\Users\<username>\AppData\Local\Microsoft\Windows`

> Remember to set your view to display hidden items to see these two hives.

Besides, there are 3 definitions we should know:

* **Amcache**: located at `C:\Windows\AppCompat\Programs\Amcache.hve`, a very important hive that records information about programs that were recently run on the system.
* **Transaction Logs**: Windows writes changes to a transaction log first, like a journal, before they reach the hive file, so the logs often hold the latest changes in the registry that haven't made their way into the hives themselves.
  The transaction log for each hive is stored next to the hive itself, with the same base name plus a `.LOG` extension; on current Windows versions there are two of them, `.LOG1` and `.LOG2`. For example, the transaction logs for the `SAM` hive are `C:\Windows\System32\Config\SAM.LOG1` and `SAM.LOG2`. Pay attention to the transaction logs when you perform registry forensics: a hive copied from a live system is usually 'dirty' (recent changes still sit in the logs), so collect the logs together with the hive and let your tool replay them (Registry Explorer prompts you to do so when it opens a dirty hive).
* **Backups**: These are backups of the registry hives in `C:\Windows\System32\Config`, copied to `C:\Windows\System32\Config\RegBack` by the `RegIdleBackup` scheduled task every ten days. It is an excellent place to look if you suspect that some registry keys were deleted or modified recently. One caveat: since Windows 10 version 1803 this task no longer writes anything by default (the files in `RegBack` stay at 0 bytes) unless the DWORD `EnablePeriodicBackup` under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager` has been set to `1`, so don't be surprised to find it empty.

## System information and system account

When we start performing forensic analysis, the first step is to find out about the system itself. This part covers gathering information related to a machine's system and account information.

### 1. **OS Version**

The registry key `SOFTWARE\Microsoft\Windows NT\CurrentVersion` tells us about the OS version: look at the values `ProductName`, `CurrentBuild`, `DisplayVersion`/`ReleaseId`, `RegisteredOwner` and `InstallDate` (a Unix epoch timestamp). This is how Registry Explorer shows this registry key:

![image](https://hackmd.io/_uploads/BkOGHKTt0.png)

### 2. **Current Control Set**

* The keys containing the machine's configuration data used for controlling system startup are called Control Sets. Commonly we see `ControlSet001` and `ControlSet002` in the `SYSTEM` hive; in most cases `ControlSet001` is the Control Set the machine booted with, while `ControlSet002` is the `LastKnownGood` configuration. Their locations are `SYSTEM\ControlSet001` and `SYSTEM\ControlSet002`.
* When the machine is live, Windows creates a volatile Control Set called `CurrentControlSet` (`HKLM\SYSTEM\CurrentControlSet`), which is a symbolic link to whichever `ControlSet00X` is in use. For the most accurate system information, this is the key we refer to. Note that the link does not exist inside an offline `SYSTEM` hive file, so when analysing an extracted hive you have to resolve it yourself.
* We can find out which Control Set is in use as the `CurrentControlSet` from the DWORD value `SYSTEM\Select\Current`: a value of `1` means `ControlSet001`, `2` means `ControlSet002`, and so on.
* Similarly, the `LastKnownGood` configuration can be found from the value `SYSTEM\Select\LastKnownGood`.

### 3. **Computer Name and Time Zone Information**

It's important to establish the computer name and the time zone the computer is configured for while performing forensic analysis, otherwise every local timestamp we read later may be off by hours. The registry keys below give the computer name and time zone respectively:

`SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName`

![image](https://hackmd.io/_uploads/ByLh_KTYA.png)

`SYSTEM\CurrentControlSet\Control\TimeZoneInformation`

![image](https://hackmd.io/_uploads/BytT_KTY0.png)

In `TimeZoneInformation`, `TimeZoneKeyName` names the zone and `ActiveTimeBias` is the number of minutes to add to local time to get UTC (a value of `300` means the machine was running at UTC-5). It is a signed 32-bit number, so zones east of UTC show up as large unsigned values in a raw view.

### 4. **Network Interfaces and Past Networks**

The following registry key gives the list of network interfaces on the machine we are investigating; let's take a look at the example figure:

`SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`

![image](https://hackmd.io/_uploads/r1xlcKpKA.png)

As you can see, each interface is represented by a unique identifier (GUID) subkey, which contains values relating to the interface's TCP/IP configuration. This key gives us information like IP addresses, DHCP IP address and subnet mask, DNS servers, and more. This information is significant because it helps you make sure that you are performing forensics on the machine you are supposed to be performing it on.

The past networks a given machine was connected to can be found in the following locations:

`SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged`
`SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed`

The `ProfileGuid` value of each signature points to a subkey of `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles`, which holds the network's name (`ProfileName`) and its `DateCreated`/`DateLastConnected` timestamps.

![image](https://hackmd.io/_uploads/Sy9d9tTYC.png)

### 5. **Autostart Programs (Autoruns)**

The following registry keys include information about programs or commands that run when a user logs on:

* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\Run`

(The `NTUSER.DAT` keys are per-user and fire when that user logs on; the `SOFTWARE` keys apply to every user of the machine.)

![image](https://hackmd.io/_uploads/B12hCYTKC.png)

The following registry key contains information about services:

`SYSTEM\CurrentControlSet\Services`

Notice the `Start` value in the screenshot below.

![image](https://hackmd.io/_uploads/BJdQJcaYR.png)

`Start` is a DWORD that tells the Service Control Manager when to start the service: `0` = Boot (driver loaded by the boot loader), `1` = System (driver loaded during kernel initialization), `2` = Automatic, `3` = Manual (on demand), `4` = Disabled. So a service whose `Start` value is `2` starts automatically at boot; its `ImagePath` value tells you which binary it runs.

### 6. **SAM hive and user information:**

The **SAM** hive contains local user account information, login information, and group information. This information is mainly located in `SAM\Domains\Account\Users`, where each account has a subkey named after its RID in hex and the `Names` subkey maps usernames to those RIDs. (Domain accounts are not here; only local accounts live in the SAM.)

![image](https://hackmd.io/_uploads/BkWcyq6tC.png)

The information contained here includes the relative identifier (`RID`) of the user, the number of times the user logged in, last login time, last failed login, last password change, password expiry, password policy and password hint, and the groups the user is a member of. Most of this is packed into the binary `F` and `V` values of each account, which Registry Explorer parses for us.

## Evidence of execution

### 1. **Recent Files**

Windows maintains a list of recently opened files for each user; it is the same list Windows Explorer shows us as recently used files. This information is stored in the NTUSER hive at the following path:

`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`

![image](https://hackmd.io/_uploads/Hy7kGc6tA.png)

Registry Explorer allows us to sort the data contained in registry keys quickly. For example, the RecentDocs view arranges the Most Recently Used (`MRU`) file at the top of the list and the older ones below it (the order comes from the `MRUListEx` value in that key).
Another interesting thing about this registry key is that it has subkeys per file extension, such as `.pdf`, `.jpg`, `.docx` etc. These subkeys give us the last used files of a specific extension. So if we are looking specifically for the last used PDF files, we can look at `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pdf`; the `Folder` subkey likewise lists recently opened folders.

### 2. **Office Recent Files**

Similar to the Recent Docs maintained by Windows Explorer, Microsoft Office also maintains a list of recently opened documents. This list is also located in the `NTUSER` hive and can be found in `NTUSER.DAT\Software\Microsoft\Office\VERSION`. Remember that the version number for each Microsoft Office release is different (for example `16.0` for Office 2016 and later); you can find a list of versions [here](https://learn.microsoft.com/en-us/microsoft-365-apps/deploy/install-different-office-visio-and-project-versions-on-the-same-computer#office-releases-and-their-version-number). Starting from Office 365, Microsoft ties the location to the user's [live ID](https://www.microsoft.com/en-us/security/blog/2008/05/07/what-is-a-windows-live-id/), so the recent files are found at `NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU`.

### 3. **ShellBags**

When a user opens a folder in Explorer, it opens in a specific layout (view mode, window size, sort order). Users can change this layout according to their preferences, and it can be different for every folder, so Windows stores these per-folder 'shell' settings. That makes ShellBags a record of every folder the user has browsed in Explorer, including folders on removable drives or network shares and folders that have since been deleted, and it can identify the Most Recently Used folders. Since this setting is different for each user, it is located in the user hives.

We can find this information at the following locations:

* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags`
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags`

Registry Explorer doesn't give us much information about `ShellBags`. However, another of Eric Zimmerman's tools, `ShellBags Explorer`, shows the information in an easy-to-use format: we just point it at the hive file we have extracted, and it parses the data and shows us the results.

![image](https://hackmd.io/_uploads/rJxPftqpFR.png)

### 4. **Open/Save and LastVisited Dialog MRUs**

When we open or save a file, a dialog box appears asking us where to save the file or open it from. You may have noticed that once we open/save a file at a specific location, Windows remembers that location. This means we can find recently used files if we get our hands on this information. We can do so by examining the following registry keys:

* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU`

`OpenSavePidlMRU` records the files chosen in the dialog (again with per-extension subkeys), while `LastVisitedPidlMRU` records which application opened the dialog and the last folder it used.

![image](https://hackmd.io/_uploads/S16Pij6tC.png)

### 5. **Windows Explorer Address/Search Bars**

Another way to identify a user's recent activity is by looking at the paths typed in the Windows Explorer address bar and the searches performed, using the following registry keys respectively:

* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery`

### 6. **UserAssist**

Windows keeps track of applications launched by the user through the Windows shell (Explorer, the Start menu, shortcuts) for statistical purposes in the UserAssist registry keys. These keys contain information about the programs launched, the time of their last launch, and the number of times they were executed.
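To make the UserAssist format concrete, here is an added Python example of my own (not code from the TryHackMe room, and not how Registry Explorer does it) that turns raw `Count` values into readable records: it ROT13-decodes the value names, reads the run count, focus count and last-execution FILETIME from the 72-byte Windows 7+ `Count` layout, and sorts the entries newest first. The entries in `SAMPLE_COUNT_VALUES` are constructed test data (the paths and timestamps are made up; the `{7C5A40EF-...}` GUID is the Program Files (x86) known-folder id that UserAssist writes in place of that path). In a real case you would read the `Count` values out of an extracted `NTUSER.DAT` with a hive parser such as the python-registry library and pass them in.

```python
from __future__ import annotations

import codecs
import struct
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Windows 7+ layout of a UserAssist "Count" value (72 bytes):
#   +0 unknown/session, +4 run count, +8 focus count, +12 focus time in ms,
#   +16 ten floats (unknown), +56 unknown, +60 last-executed FILETIME, +68 zero
_RUN_COUNT_OFFSET = 4
_LAST_EXEC_OFFSET = 60
_WIN7_BLOB_LEN = 72


def filetime_to_datetime(ticks: int) -> datetime | None:
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means no timestamp was recorded."""
    return None if ticks == 0 else _EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of the above, used here only to build the constructed sample."""
    delta = dt - _EPOCH_1601
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def decode_userassist_name(value_name: str) -> str:
    """Value names under UserAssist\\{GUID}\\Count are ROT13-encoded paths."""
    return codecs.decode(value_name, "rot_13")


def parse_userassist_count(blob: bytes) -> dict:
    """Pull the run statistics out of one raw Count value (Windows 7+ format)."""
    if len(blob) < _LAST_EXEC_OFFSET + 8:
        raise ValueError(f"Count blob is {len(blob)} bytes; the Windows 7+ layout is {_WIN7_BLOB_LEN}")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", blob, _RUN_COUNT_OFFSET)
    (last_exec,) = struct.unpack_from("<Q", blob, _LAST_EXEC_OFFSET)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_executed_utc": filetime_to_datetime(last_exec),
    }


def parse_userassist_values(values: dict[str, bytes]) -> list[dict]:
    """values: ROT13 value name -> raw Count data, as exported from one {GUID}\\Count key.

    Returns one record per program, newest launch first. The bookkeeping value
    UEME_CTLSESSION (ROT13: HRZR_PGYFRFFVBA) has a different layout and is skipped."""
    entries = []
    for name, blob in values.items():
        path = decode_userassist_name(name)
        if path.upper().startswith("UEME_"):
            continue
        entries.append({"path": path, **parse_userassist_count(blob)})
    entries.sort(key=lambda e: e["last_executed_utc"] or _EPOCH_1601, reverse=True)
    return entries


def _count_blob(run_count: int, focus_count: int, focus_ms: int, last_exec: datetime) -> bytes:
    """Build a 72-byte Count value for the constructed sample below."""
    return (b"\x00" * 4
            + struct.pack("<III", run_count, focus_count, focus_ms)
            + b"\x00" * 44
            + struct.pack("<Q", datetime_to_filetime(last_exec))
            + b"\x00" * 4)


# --- constructed sample (the ROT13 names decode to made-up paths; not from a real hive) ---
SAMPLE_COUNT_VALUES = {
    "HRZR_PGYFRFFVBA": b"\x00" * 20,  # UEME_CTLSESSION, skipped
    "P:\\Hfref\\nyvpr\\Qbjaybnqf\\frghc.rkr":
        _count_blob(3, 7, 42_000, datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)),
    "{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\\Abgrcnq++\\abgrcnq++.rkr":
        _count_blob(12, 30, 900_000, datetime(2024, 4, 20, 9, 30, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for entry in parse_userassist_values(SAMPLE_COUNT_VALUES):
        print(f"{entry['last_executed_utc']}  runs={entry['run_count']:<3} {entry['path']}")
```

A `last_executed_utc` of `None` (FILETIME 0) is normal for entries Windows has counted but never timestamped, so don't treat it as corruption; and because the timestamps are UTC, apply the `ActiveTimeBias` from the time zone section when you need the local time the user saw.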
Programs that were run from the command line, however, don't show up in the UserAssist keys. The UserAssist key is present in the NTUSER hive at the following location:

`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count`

The `{GUID}` subkeys are not user GUIDs: they are fixed identifiers for the type of entry (one for executables, another for shortcuts/`.lnk` files), and the value names under `Count` are ROT13-encoded paths, which is why they look like gibberish in a raw view. Registry Explorer decodes them for you.

![image](https://hackmd.io/_uploads/r1fGToTtR.png)

### 7. **ShimCache**

* ShimCache is a mechanism that keeps track of application compatibility with the OS and records the applications seen on the machine. Its main purpose in Windows is to ensure backward compatibility of applications, which is why it's also called Application Compatibility Cache (`AppCompatCache`).
* It stores the file path, the file's last modified time and (on older Windows versions) the file size of the executables.
* One caveat: on Windows 10 and later an entry in ShimCache no longer proves that the file was executed, only that it existed and the OS examined it (for example because Explorer displayed it); the execution flag that older versions kept was removed. Treat it as evidence of presence and corroborate execution with other artifacts (UserAssist, Amcache, BAM, Prefetch).
* Registry Explorer doesn't parse ShimCache data into a human-readable format, so we'd better use `AppCompatCacheParser`, which takes the SYSTEM hive as input, parses the data, and outputs a CSV file like this:

![image](https://hackmd.io/_uploads/BkRWFnatA.png)

We use this command to run the AppCompatCacheParser utility:

```
AppCompatCacheParser.exe --csv <directory to save output> -f <path to SYSTEM hive> -c <control set to parse>
```

`-c` is optional; without it the tool detects the current control set from the hive's `Select` key. The output can be viewed with EZViewer.

### 8. **AmCache**

The `AmCache` hive is an artifact related to `ShimCache`. It performs a similar function and stores additional data related to program executions: the execution path, installation, execution and deletion times, and the SHA1 hash of the executed program (computed over only the first 31 MB of the file, so for large binaries it won't match a full-file hash). The hive is located in the file system at `C:\Windows\appcompat\Programs\Amcache.hve`. Information about executed programs can be found at `Amcache.hve\Root\File\{Volume GUID}\`; on newer Windows 10/11 builds the same data lives under `Amcache.hve\Root\InventoryApplicationFile` instead, so check both.

![image](https://hackmd.io/_uploads/SJqOcnaY0.png)

### 9. **BAM/DAM**

* Background Activity Moderator (`BAM`) keeps tabs on the activity of background applications; similarly, Desktop Activity Moderator (`DAM`) is the part of Windows that optimizes the power consumption of the device. Both are part of the Modern Standby system in Microsoft Windows.
* In the Windows registry, the following locations contain information related to `BAM` and `DAM`: the full paths of the last run programs, per user SID, with their last execution time (the first 8 bytes of each value's data are a FILETIME).
  * `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}`
  * `SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}`
* On Windows 10 version 1809 and later the keys moved one level down, to `...\Services\bam\State\UserSettings\{SID}` (and `dam\State\...`), so look there if the paths above are empty.

![image](https://hackmd.io/_uploads/rJLts2pYA.png)

## External Devices

When performing forensics on a machine, the need often arises to identify whether any USB or removable drives were attached to it. If so, any information related to those devices is important for a forensic investigator. In this part we go through the different ways to find information on connected devices and drives using the registry.

### **Device Identification**

`SYSTEM\CurrentControlSet\Enum\USBSTOR` and `SYSTEM\CurrentControlSet\Enum\USB` are two locations that keep track of USB devices plugged into a system. These locations store the vendor ID, product ID and version of the USB device, and can be used to identify unique devices. Under `USBSTOR` each device model appears as a subkey like `Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>`, and below it there is one subkey per physical device named after the device's serial number. If the second character of that serial is `&`, the device did not report a serial number and Windows generated the identifier itself, so it cannot be used to track that device across machines.

![image](https://hackmd.io/_uploads/BJD-AhaFR.png)

### **First/Last Time**

Similarly, the following registry key tracks the first time the device was connected, the last time it was connected and the last time it was removed from the system:

```
SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\####
```

In this key, `####` is replaced by the following property IDs to get the required information (each one holds a single REG_FILETIME timestamp in UTC):

| Value | Information |
| -------- | -------- |
| 0064 | First connection time |
| 0066 | Last connection time |
| 0067 | Last removal time |

Although we can check these values manually, as we have seen above, Registry Explorer already parses this data and shows it to us when we select the `USBSTOR` key.

### **USB Volume Name**

The friendly name of the connected drive can be found at the following location:

`SOFTWARE\Microsoft\Windows Portable Devices\Devices`

![image](https://hackmd.io/_uploads/S1DWe6aKA.png)

Each subkey name here embeds the `USBSTOR` device ID and the serial number we saw in device identification, so we can match them up to correlate friendly names with unique devices. To go one step further, `SYSTEM\MountedDevices` maps the device to its drive letter, and `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2` tells us which user actually used it.

# Practice

## **Scenario:**

> One of the Desktops in the research lab at Organization X is suspected to have been accessed by someone unauthorized. Although they generally have only one user account per Desktop, there were multiple user accounts observed on this system. It is also suspected that the system was connected to some network drive, and a USB device was connected to the system. The triage data from the system was collected and placed on the attached VM. Can you help Organization X with finding answers to the below questions?

| No | Question |
|:---:| ------------------------------------------------------------------ |
| 1 | How many user created accounts are present on the system? |
| 2 | What is the username of the account that has never been logged in? |
| 3 | What's the password hint for the user `THM-4n6`? |
| 4 | When was the file `Changelog.txt` accessed? |
| 5 | Find the complete path from where the `python 3.8.2` installer was run? |
| 6 | When was the USB device with the friendly name `USB` last connected? |

Let me introduce the lab in short.
We have the login information for the machine we use:

```
Username: THM-4n6
Password: 123
```

Once we log in, we see two folders on the Desktop named `triage` and `EZtools`. The `triage` folder contains a triage collection collected with `KAPE`, which has the same directory structure as the original system; this is where our artifacts are located. The `EZtools` folder contains Eric Zimmerman's tools, which we will be using to perform our analysis. You will also find Registry Explorer, EZViewer, and AppCompatCacheParser.exe in the same folder.

## Solutions

OK, first I start the `Tryhackme` Virtual Machine.

![image](https://hackmd.io/_uploads/B17OMp6FR.png)

Now I enter the folder `EZtools` and open `Registry Explorer`.

![image](https://hackmd.io/_uploads/BJZAfaaY0.png)

Now, let's check accounts and users. As I said above, in the `System information and system account` part, the `SAM` hive contains user account information, login information, and group information. Now we load the `SAM` hive from `C:\Windows\System32\Config`.

![image](https://hackmd.io/_uploads/HyozuaaKA.png)

OK, check the users and we see:

![image](https://hackmd.io/_uploads/r1vUupat0.png)

Note that `Administrator`, `DefaultAccount`, `Guest` and `WDAGUtilityAccount` are the default accounts available on the system, so we only have 3 user-created accounts present on the system. (*Question 1*)

Let's double click on the `Users` folder. Then we need to find the account that has never been logged in. Take it easy, just check the last time these accounts logged in and we notice that the data for `thm-user 2` is not displayed, and that's the answer for *question 2*.

![image](https://hackmd.io/_uploads/ryIQ36pKC.png)

And from this screenshot, we can see the answer for question 3 is `count`.

Question 4 asks about the time the file `Changelog.txt` was accessed, and we apply this:

![image](https://hackmd.io/_uploads/Hk0SaTaY0.png)

Search `.txt` and we get the answer for question 4:

![image](https://hackmd.io/_uploads/By4K6apYR.png)

For question 5 we apply the path I shared in `UserAssist`:

![image](https://hackmd.io/_uploads/Byd_-R6t0.png)

Then we find the answer for question 5:

![image](https://hackmd.io/_uploads/ryTpeCaKA.png)

For the last question we can find the solution according to this:

![image](https://hackmd.io/_uploads/SyV3WAaF0.png)

![image](https://hackmd.io/_uploads/H1FBWCpKR.png)
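Coming back to the External Devices section above and to question 6, here is an added Python example of my own (not code from the TryHackMe room or from Eric Zimmerman's tools) that does the USBSTOR bookkeeping offline: it splits a `Disk&Ven_...&Prod_...&Rev_...` key name into vendor/product/revision, separates the serial-number subkey from its `&<port>` suffix and flags Windows-generated serials, decodes the `0064`/`0066`/`0067` REG_FILETIME properties, and matches the device against a `Windows Portable Devices\Devices` subkey to recover the friendly name. The device name, serial, timestamps and friendly name are constructed sample data, and the `SWD#WPDBUSENUM#_??_USBSTOR#<device>#<serial>#{...}` layout of the WPD subkey name is assumed to be the common one; you would normally get these strings and bytes from an extracted `SYSTEM` and `SOFTWARE` hive with a hive parser.

```python
from __future__ import annotations

import re
import struct
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Property IDs under Properties\{83da6326-97a6-4088-9453-a19231573b29}, as in the table above.
PROPERTY_GUID = "{83da6326-97a6-4088-9453-a19231573b29}"
TIMESTAMP_PROPS = {"0064": "first_connected", "0066": "last_connected", "0067": "last_removed"}

# USBSTOR device-model key: Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
_DEVICE_ID = re.compile(
    r"^(?P<kind>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>.*)$",
    re.IGNORECASE,
)
# Assumed layout of a "Windows Portable Devices\Devices" subkey name:
# SWD#WPDBUSENUM#_??_USBSTOR#<device model id>#<serial>#{interface GUID}
_WPD_KEY = re.compile(r"USBSTOR#(?P<device>[^#]+)#(?P<serial>[^#]+)#", re.IGNORECASE)


def filetime_bytes_to_datetime(raw: bytes) -> datetime | None:
    """REG_FILETIME data: little-endian 64-bit count of 100 ns ticks since 1601-01-01 UTC."""
    (ticks,) = struct.unpack("<Q", raw)
    return None if ticks == 0 else _EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime_bytes(dt: datetime) -> bytes:
    """Inverse of the above; used here only to build the constructed sample."""
    delta = dt - _EPOCH_1601
    ticks = ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10
    return struct.pack("<Q", ticks)


def split_serial_key(serial_key: str) -> tuple[str, str, bool]:
    """Return (serial, port instance, windows_generated) for a USBSTOR serial subkey.

    The subkey is '<serial>&<instance>'. If the device reported no serial number,
    Windows makes one up and the SECOND character of the subkey is '&'."""
    serial, sep, port = serial_key.rpartition("&")
    if not sep:
        serial, port = serial_key, ""
    generated = len(serial_key) > 1 and serial_key[1] == "&"
    return serial, port, generated


def parse_usbstor_device(device_key: str, serial_key: str, properties: dict[str, bytes]) -> dict:
    """properties maps the '0064'/'0066'/'0067' subkey names to their raw REG_FILETIME data."""
    m = _DEVICE_ID.match(device_key)
    if not m:
        raise ValueError(f"not a USBSTOR device id: {device_key!r}")
    serial, port, generated = split_serial_key(serial_key)
    info = {**m.groupdict(), "serial": serial, "port_instance": port,
            "serial_windows_generated": generated}
    for prop_id, label in TIMESTAMP_PROPS.items():
        raw = properties.get(prop_id)
        info[label] = filetime_bytes_to_datetime(raw) if raw else None  # missing or zero: unknown
    return info


def match_wpd_friendly_name(wpd_devices: dict[str, str], device_key: str, serial_key: str) -> str | None:
    """wpd_devices maps each subkey name under 'Windows Portable Devices\\Devices' to its FriendlyName value."""
    for key_name, friendly in wpd_devices.items():
        m = _WPD_KEY.search(key_name)
        if m and m["device"].upper() == device_key.upper() and m["serial"].upper() == serial_key.upper():
            return friendly
    return None


# --- constructed sample data (not from a real system) ---
SAMPLE_DEVICE = "Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP"
SAMPLE_SERIAL = "E0D55EA573DCF450C97C0143&0"
SAMPLE_PROPS = {
    "0064": datetime_to_filetime_bytes(datetime(2024, 3, 10, 8, 15, 0, tzinfo=timezone.utc)),
    "0066": datetime_to_filetime_bytes(datetime(2024, 5, 2, 17, 40, 30, tzinfo=timezone.utc)),
    "0067": struct.pack("<Q", 0),  # zero: the stick was still plugged in when the hive was collected
}
SAMPLE_WPD = {
    "SWD#WPDBUSENUM#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP#"
    "E0D55EA573DCF450C97C0143&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}": "DATATRAVELER",
}

if __name__ == "__main__":
    dev = parse_usbstor_device(SAMPLE_DEVICE, SAMPLE_SERIAL, SAMPLE_PROPS)
    dev["friendly_name"] = match_wpd_friendly_name(SAMPLE_WPD, SAMPLE_DEVICE, SAMPLE_SERIAL)
    for key, value in dev.items():
        print(f"{key:>25}: {value}")
```

The comparison is case-insensitive on purpose: the `USBSTOR` key is written in mixed case while the WPD subkey name is upper-cased, and the registry itself does not care. A last-removal time of `None` together with a last-connection time is exactly what you see when the device was still attached at collection time, so it is not a parsing failure.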