Registry

Question 1

4 Root Keys of Registry

Answer 1

HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS

Question 2

Offline Registry File Location

Answer 2

\%WINDIR%\system32\config

Question 3

Hives Contain

Answer 3

Keys - Folders

Values - Data stored in key

Question 4

5 Hive Files

Answer 4

Default
SAM
Security
System
Software

Question 5

Hive File Location in registry

Answer 5

HKEY_LOCAL_MACHINE

Question 6

SYSTEM Hive contains

Answer 6

HKEY_LOCAL_MACHINE\SYSTEM
hardware config data
services config data
raw device names for volumes and hard drives
raw device names for USB keys

Question 7

SOFTWARE Hive contains

Answer 7

HKEY_LOCAL_MACHINE\SOFTWARE
applications config data
windows programs/products config data

Question 8

NTUSER.DAT Hive contains

Answer 8

slew of user activity

config/environment settings

Question 9

SAM Hive contains

Answer 9

HKEY_LOCAL_MACHINE\SAM

local user and group accounts

Question 10

SECURITY Hive

Answer 10

password policies
membership and group info
other security information used by SAM and OS

Question 11

What Systems run RegIdleBackup

Answer 11

Vista
Windows 7
Windows 8
Server 2008

Question 12

How often does RegIdleBackup run

Answer 12

Every 10 days

Question 13

What does RegIdleBackup do

Answer 13

Every 10 days, backs up SAM, DEFAULT, SYSTEM SOFTWARE and SECURITY hives

Question 14

Where does RegIdleBackup store hives

Answer 14

%WinDir%\System32\Config\RegBack

Question 15

Shadow Copy or RegIdleBackup is disabled usually because of what reasons

Answer 15

Processing
Storage Space
This is not necessary

Question 16

NTUSER.DAT is stored where on Windows XP file system

Answer 16

c:\Documents and Settings\NTUSER.dat

Question 17

NTUSER.DAT is stored where on Vista/Win7/Win8 file system

Answer 17

C:\Users\NTUSER.dat

Question 18

USRCLASS.DAT was added to what OS

Answer 18

Vista
Win7
Win8

Question 19

Where is USRCLASS.DAT found

Answer 19

c:\Users\AppData\Local\Microsoft\Windows\USRCLASS.DAT

Question 20

USRCLASS.DAT is mainly used for what

Answer 20

Aid in virtualized registry root for User Account Control (UAC)

Question 21

What is VirtualStore key

Answer 21

Where the UAC virtualized registry is

Question 22

Registry can enumerate what file info

Answer 22

last files searched on hard drive
last typed URLs in browsers
last command executed
files that were opened
last saved files to windows system

Question 23

NTUSER.DAT is found where in registry

Answer 23

HKEY_USER (more than 1 user logged in) or HKEY_CURRENT_USER (currently logged in user)

Question 24

Registry key help investigations by having what

Answer 24

last write time

last time of modification

Question 25

What data can be stored in a registry value

Answer 25

strings binary (hex) integers lists

Question 26

Registry last write time is stored in what format

Answer 26

UTC

Question 27

When talking about times in registry a common mistake is to do what

Answer 27

Not pay attention to UTC or time zone of local machine

Question 28

Registry Viewer by Access Data is used for what

Answer 28

Working with Registry Data forensics

Question 29

RegRipper by Harlan Carvey is used for what

Answer 29

Working with Registry Data Forensics

Question 30

SAM Hive has what information about a user?

Answer 30

``` How often user logged in User last login time Last failed login Password Policy SID to User ```

Question 31

Where can the OS version be found for a windows system

Answer 31

HKLM/Software/Microsoft/WindowsNT/CurrentVersion/

Question 32

Where do you find the current control set being used

Answer 32

HKLM/System/Select

Question 33

Where do you find computer name in control set

Answer 33

System/CurrentControlSet/Control/ComputerName/ComputerName Used to link log files and computer name

Question 34

Where Identify Current Time zone

Answer 34

HKLM/CurrentControlSet/Control/TimeZoneInformation

Question 35

Where do you find network interface cards

Answer 35

System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

Question 36

What important information can be found in the registry containing Interfaces data

Answer 36

``` IP Address / gateway / subnet mask If DHCP was configured DHCP address that was assigned DHCP servers IP Address Interface GUID ```

Question 37

Windows Vista/Win7/Win8 have this useful forensics data point disabled by default

Answer 37

Last Access Timestamp

Question 38

Where is Last Access Timestamp disabled

Answer 38

SYSTEM\CurrentControlSet\Control\Filesystem\NtfsDisableLastAccessUpdate set to 0x1 which is disabled

Question 39

Where is interface history found

Answer 39

SOFTWARE\Microsoft\Windows_NT\CurrentVersion\NetworkList\Signature\Unmanaged or \Managed SOFTWARE\Microsoft\Windows_NT\CurrentVersion\NetworkList\Nia\Cache

Question 40

What is Name Type key value for Wireless

Answer 40

0x47

Question 41

What is Name Type key value for Wired

Answer 41

0x06

Question 42

What is Name Type key value for Broadband

Answer 42

0x17

Question 43

What tool converts DateLastConnected and DateFirstConnected Key

Answer 43

DeCode