500.2 - Windows Registry Flashcards
(43 cards)
<p>Overall System Hives</p>
<p>- SAM - Local user acounts &amp; groups (not admin)
- SECURITY - Security info utilized by SAM &amp; the OS (password policy, group memberships)
- SYSTEM - Hardware and service config, raw device names &amp; drive (USB keys)
- SOFTWARE - All application settings
- AMCACHE.HVE - Application Compatibility &amp; Tracking exe's
- NTUSER.DAT - Config &amp; enviromental settings (SPECIFIC user activity)</p>
<p>Root Keys</p>
<p>- HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY-LOCAL_MACHINE (S,S,S&amp;S), HKEY_USERS</p>
<p>Backup Hives</p>
<p>- SAM, DEFAULT, SYSTEM, SOFTWARE, &amp; SECURITY
- %WinDir%\System32\Config\ RegBack
- RegIdleBackup</p>
<p>User Registry Hives</p>
<p>- NTUSER.DAT - SPECIFIC user activity - (HKEY_CURRENT_USER)
- C:\doc &amp; settings\username\NTUSER.dat &amp; C:\username\NTUSER.dat
- USRCLASS.DAT - Program exe by user - - folders opened and closed
- Virtualized in Registry in NTUSER.DAT/Software/Classes &amp; HKCU/Software/Classes
- C:users\username appdata\local\microsoft\windows\userclass.dat</p>
<p>Reg. Keys and Values</p>
<p>- Keys: Similar to folders (keys) &amp; subfolders (subkeys) - Produces a folder | directory hierarchy - Values: Data stored within a key - Data in the form of Stings, binary data, integers, lists - Most valuable forensic data is found</p>
Offline Registry Viewing
- Offline - NTUSER.DAT
- NTUSER.DAT\software\microsoft\windows\currentversion\run
- Online - HKCU
- HKCU\software\microsoft\windows\currentversion\run
Registry Hive Transaction Logs
- Most recent Hive activity not written in Registry (1hr)
- .Log1
- .Log2
Registry Key Last Write Time
- All KEYS have
- Time stored in UTC
Most Recently Used Lists (MRU)
- Provides the order of artifact (newest to oldest)
- (0,16,18,1,15,13,14)
Deleted Registry Keys/Values
- Regs Hives have unallocated space for deleted files
- Keys that are possible recovery
- Keys
- Values
- Timestamps
cafae.exe
- Automates Registry extraction
SAM
- Username
- Relative ID or RID = a #
- Login Info - Last login, failed login, logon count, password policy, acct. creation
- Groups info - Admins, users, RDP users
** Local Accounts Only - NOT domain accounts
Profile Local Users
- Lists the local accounts of the system & their equivalent security IDs
- Discover the username & RID (helps map ID # to usernames)
- SAM\Domains\Accounts\Users\
- Last Login
- Last failed login
- Logon count
- Password policy
- Account creation time
SAMInside
- Used to determine if a password is Empty (31D6CFE0D16AE931B7)
- Is the password required
- Has NTLMv2 Password
- Has LanManager Password
Examining System Configurations
- Systems
- Software
- Security
ID Microsoft OS Version
- Determine Versions, Service pack, install date/time, OS
- Install date in EPOCH TIME (convert to hex)
- Install time is in Win time
- Key Location:
- SOFTWARE\Microsoft\Windows NT\Current Version
Identify CurrentControlSets
- Identifies which control set is current
- Contains info about the systems config settings
- “Data # 1 = “Last Known Good Set”
- CurrentControlSet001 - Controlset that just booted
- CurrentControlSet002 - Last known good version
- Key Location:
- SYSTEM\Select\Current
Computer Name
- SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Time Zone Information (UTC Time)
- Found in the Cuurent Good control set
- SYSTEM\CurrentControlSet\Control\TimeZoneInformation
NTFS Last Access Time On/Off
- Updates when the system touches a file -> not always when a user accessed a file
- NtfsDisabledLastAccessUpdate -> 0x1 = Timestamps are off
- Key Location:
- SYSTEM\CurrentControlSet\Control\Filesystem
Network Interfaces
- Identifies the computers network interface card
- TCP/IP info configured, IP, gateway, DCHP IP (subnet mask DHCP server IP)
- Key Location:
- SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Historical Networks
- Identify Network that the computer has been connected to
- Network List Keys
- Ntwrks, Domain, SSID,MAC, LOC Awareness
