Welcome back everyone. TryHackMe just came out with a Windows forensics room and I've had a look at it. I've used TryHackMe for a while and I really like it. The Windows forensics room specifically covers Windows registry analysis. It's a really interesting room to look at and I'm glad that they're finally doing more with digital forensics. So today's going to be a walkthrough of their Windows forensics room. To get started, I'm on tryhackme.com/room/windowsforensics1, already logged in, and this is a free room, at least for now, so you should have access to it, no problem. Just going to jump right in here. We don't have to start an attack box or anything like that, although they will have one, I think, a little bit later. Let's go ahead with task one: introduction to Windows forensics. If you've been watching my channel at all, you've probably heard me talk about forensic artifacts before. Is my computer spying on me? A lot of people think their computer is spying on them, and there are a lot of analytics and trackers built into many different operating systems these days, especially Microsoft Windows. But most of the time it's about user preferences when running the system. So Windows, and especially the Windows registry, keeps track of a lot of user activities so that the user can easily access those later, or Windows can preload things that it thinks the user is going to use. Basically, we just read a couple of things, and then: what is the most used desktop operating system right now? The most used desktop operating system right now is Microsoft Windows. However, mobile really took over desktop several years ago, so it's not the most popular operating system anymore, but Microsoft Windows is still the most popular desktop operating system. Let's go ahead and try that. Okay, what's the term used to define a piece of evidence of human activity? Piece of evidence of human activity: I'm guessing they're talking about forensic artifacts.
And if you read this, you hear the word artifact. It refers to essential pieces of information that provide a piece of human activity. Really, it doesn't matter if it's necessarily human activity or not. An artifact is anything that is used to build up your evidence. If you have some sort of claim that you're trying to prove, you're looking for evidence to support that claim. Artifacts are anything that can potentially contain that evidence. So if you're trying to prove, for example, that the sky is blue, then an artifact would be related to that, whether it was necessarily human activity or not. But I understand what they're trying to say with this. It's kind of easier to conceptualize if it's like a user action. And really, whenever we're looking in Microsoft Windows, especially desktop, most of the time we're looking for those artifacts because they're related to human actions. So let's enter "artifact". Next, getting into the Windows registry. All right, we've got a couple of tools here. An overview of the Windows registry: you can think of the Windows registry like a database that keeps track of all of the settings in Windows. So whether you're changing your background image or whether you're going to a website, the Windows registry will have several different registry keys that are updated whenever you make any type of action. All of them are stored in different registry hives. And basically they're going through each of the different registry hives here. Each hive contains different information from the system. So it depends what you're looking for, which hive you're more likely to find it in. And sometimes you'll have information across different hives as well. But if you're looking at it on your own system, you can use regedit.exe, but be careful about this, because if you do start changing registry keys, you can break Windows. So if you're running it on your own system and not a test system, be careful.
And then they're going through all of the different hives and interesting things that might be in there. So what we normally do in digital forensic investigations is access the registry hives offline. For that, we're getting, for example, a suspect hard drive, and then we're parsing out that hard drive and looking at the file system. Once we reconstruct the file system, then we get full paths just like you would have whenever you're looking at a suspect's computer while it's on. And then we have to look, for example, in C:\Windows\System32\config for the majority of the system hives. And then we also have NTUSER.DAT and UsrClass.dat, which are usually found under C:\Users\<username>. There you'll have your NTUSER.DAT, and then AppData\Local\Microsoft\Windows is usually where you'll find the UsrClass.dat. They're going over the locations of these hives because they contain so much information and they're extremely relevant to pretty much every investigation you're going to do. So one of the first things you want to look for whenever you're doing an investigation of Windows computers is: where are the hives? And then start to parse those hives out. What's the short form for HKEY_LOCAL_MACHINE? Shorten it by just doing HK to stand for HKEY, that way we know it's a key in the Windows system, and then take the first letter from the next words. So we have HKEY, HK, LM. So let's try that: HKLM. Okay. What's the path of the five main registry hives, DEFAULT, SAM, SECURITY, SOFTWARE and SYSTEM? Notice this has nothing to do with the user per se; basically they don't contain the user's settings. So we're looking for the system settings, and I can already see here that there's probably a drive letter. This is a little bit misleading, because this is probably asking for, for example, C drive, so like C:\Windows. The problem is you don't have to install Windows on the C drive. You can install it on another drive.
So don't always assume that it's going to be on C drive, but in 99% of your cases it's going to be. So we're just going to do it here. So we're looking at C:\Windows, if I spell it right, \System32\config. This is where our registry hives are normally located. Let's try that. What is the path for the Amcache hive? The Amcache hive stores information about programs that were run. And let's look at the format here. It looks like they're probably looking for the system folder, so C:\Windows, assuming it's installed on C drive. And then they have the dot here with the three characters after it, so most likely they're actually looking for the hive file itself, not just the path. All right, so let's do C:\Windows, that's our system folder, or at least the default system folder, then AppCompat, and then we have Programs\Amcache.hve. Let's try that. And that's it. See, they also listed it up here as well, so you could have just copied that one. Okay, I shouldn't have typed it out. So next, going to the Windows registry. We are looking here at a couple of different tools that they have available, several open source tools. This WINDIR is the system directory. So for example, it would be C:\Windows in most cases, but you can change the location. So you do need to try to parse out the Windows registry to understand where the Windows system folder is installed. It's one of the first things you should do before assuming C drive. And then we have KAPE, a really nice tool, and I think that's what they prefer for this exercise. Autopsy, another awesome tool. I use this all the time for investigations. FTK Imager for doing acquisitions. FTK Imager is really good for acquisitions as well as the hex viewer and the file viewer. So if you just want to do a really quick investigation in Windows, you can use FTK Imager to do almost everything: keyword searching, hex views, a lot of things. And it can also acquire not only disks but RAM.
So there's AccessData Registry Viewer. AccessData just got bought by another company; I don't remember what their name is, but the Registry Viewer is very interesting. The problem with it is you can only load one archive at a time, but it is pretty good for doing research on Windows registry changes. There's also Zimmerman's Registry Explorer, an excellent tool, also for just exploring, obviously, the registry and doing searches through it. So another great tool and a little bit more powerful. And then RegRipper is kind of the de facto standard for registry analysis. It's a collection of scripts for parsing out different data types. And RegRipper is actually built into Autopsy. So if you're running Autopsy, which was listed above, you'll already kind of get RegRipper. But if you want to be able to customize it a little bit more, you can run RegRipper by itself. They just say study the tools. Okay, so basically download some interesting tools. And if you subscribe to this channel, I will be talking about all those tools. I already have videos on FTK Imager, Autopsy, and a couple of the other tools I will get into more later. So like and subscribe if you want to see more of that. So we know where the registry hives are located in Windows. We have tools that can parse them out. Now we're going to start extracting some system information and system accounts. And this is where registry analysis gets really interesting. Unfortunately, a lot of the investigators that I work with don't think about analyzing the registry. That's been changing recently, but a lot of investigators still don't really include the Windows registry explicitly in their investigations. They'll just do file system analysis, for example, looking in the user's folders. But the registry tells you not only about which files are on the system, but how the user was interacting with them. Now, you can get some of that user information just by doing disk analysis.
But really, if you want user action analysis, the Windows registry is the place to look. We have the operating system version. We're looking in the SOFTWARE key, or the SOFTWARE hive: Microsoft\Windows NT\CurrentVersion. CurrentVersion has a lot of really good data. So they're getting the registered computer name. If the system is on and you're in a live environment, you can see it in the properties menu. But if we're looking for the computer name in the suspect system in a post-mortem analysis, we're looking at the SYSTEM hive, the CurrentControlSet\Control\ComputerName\ComputerName key. So this registry key, and then we have, for example, ComputerName. Same for time zone information. In modern systems, especially modern file systems, timestamps are saved in UTC, and the time zone of the system that you're looking at is used to calculate the offset on the fly. Older file systems like FAT store the timestamps directly and they don't do calculation. The thing to think about whenever looking at time zones is file timestamps on hard drives: what is the file system that that data is stored on? That's really the interesting question here. So we need to get that time zone information so that we know what that offset would actually be. Network interfaces: even if you're using DHCP, and really most people are these days, you're going to get that DHCP lease, and that lease, or some lease information, is going to be stored in the Windows registry. Whenever the DHCP IP address changes, then obviously the old address is going to be lost in the registry, and then we have to look at, for example, registry backups or shadow copies or something like that. Just because it's not in the current version of the registry doesn't mean we can't get it back somehow. Auto-starting programs: especially if you're analyzing malware, you really want to be looking in auto-start locations, because malware has to get persistence somehow.
So it wants to try to insert itself into these auto-start locations. So you really want to check them and see what binaries are being executed for auto-start. So the SAM hive and user information: basically account information, login information, group information, anything to do with the security access management of the user is going to be found in SAM. So what's the current build number of the machine whose data is being investigated? If we're talking about build number, we're looking at system information. So let's see what screenshots they had up there. So we are in SOFTWARE\Microsoft\Windows NT\CurrentVersion and we select CurrentVersion. It kind of looks like a folder dropdown, and it contains a bunch of different keys. So we're in SOFTWARE\Microsoft\Windows NT\CurrentVersion. So we select the CurrentVersion key and we see all of these values under CurrentVersion. We're looking for CurrentBuild, and 19044 is the CurrentBuild and CurrentBuildNumber. So let's just try 19044. 19044, okay. Which control set contains the last known good configuration? So we're looking for control set, and under SYSTEM, Select, LastKnownGood. LastKnownGood is set to ControlSet001. So let's go ahead and try that. Next, what's the computer name of the computer? All right, this is also probably under system properties. So SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName. We have the ComputerName key: THM-4N6. You'll also see forensics spelled 4N6, okay. So THM-4N6, THM-4N6. All right, what's the value of the TimeZoneKeyName? So time zone keys we saw earlier. So SYSTEM\CurrentControlSet\Control\TimeZoneInformation, TimeZoneKeyName: Pakistan Standard Time. So let's try Pakistan Standard Time. Okay, what's the DHCP IP address? The IP address that was given by DHCP the last time this system was up. We're looking at network interfaces. So SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces.
So it looks like they've already selected an interface here, and then we have the DhcpIPAddress and it's 192.168.158. All right, we also have subnet mask, default gateways, lease times, how long it's going to take. Let's try 192.168.158. 192.168.158. What's the RID of the guest user account? Okay, so some user account information. We have the SAM hive user information at SAM\Domains\Account\Users and we are looking at groups, users. I have the guest account and I'm looking for the user ID, which is 501. We also have another account, THM-4N6, which is 1001. Whenever you see anything over 1,000, this is a non-built-in account. Everything under 1,000 is a built-in account. So our guest account is 501. So it's built in. Okay, so now we're getting into usage or knowledge of files and folders. Okay, so we're looking at things like recent files, but we're still in the Windows registry. We are getting more into NTUSER.DAT, so user activities specifically, and in this case they're looking at the user's RecentDocs. So these are the things that the user has recently accessed. ShellBags are a super interesting location for information. You can do a lot in reconstructing, for example, the way that folders looked, all the icons in the folders, even after, like, a USB has been removed. You can reconstruct everything except the data that was on that USB stick. It's a super interesting location to learn more about. Okay, so when was EZ Tools opened? In this case, we're probably looking at links. So let's look at recent files. So NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs. We're in RecentDocs and we're looking for EZ Tools. EZ Tools was opened on 2021-12-01 at 13:00:34. So let's go ahead and try that. Yeah, okay, that looks like the right format. So 2021-12-01 13:00:34. Okay, all right, next. At what time was My Computer last interacted with? So we're looking for the last interaction time. I'd say it's probably ShellBags and then it's My Computer.
So we have the value of My Computer in ShellBags and we have a last interaction time on 12-01 13:06:47. So 2021-12-01 13:06:47. What's the absolute path of the file opened using notepad.exe? So here we have the Open/Save and LastVisited dialog MRUs in our use. So whenever that dialog box pops up asking you where you want to save something, of course, that is also saved in the Windows registry. So it remembers which directory you were in the last time you wanted to save, for the next time you want to save something. So we're in NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32 and then LastVisitedPidlMRU or OpenSavePidlMRU. This is probably the OpenSave. So if we take a look at the LastVisitedPidlMRU, we have notepad.exe executed the open/save dialog, and then it's looking for the absolute path: C:\Program Files\Amazon\Ec2ConfigService\Settings. You can kind of tell it's probably Program Files because there's a space there as well. EC2 config service settings. EC2 config service settings. Okay, there we go. That was coming from the Open/Save and LastVisited dialog MRUs. MRU stands for most recently used list. When was this file opened? Okay, so we go back, and then it was opened on 2021-11-30 10:56:19. Let's try that. There we go. Okay, so for the user we get a lot of things like: which program were they using? What were they doing with the program? And what time were they doing it? Now, once you start to combine these things, you can build a timeline of events for different files and folders that have been accessed and what programs they were using while they did that. Whenever you create that timeline, you really see the story of what was going on around the time that you're investigating. UserAssist: UserAssist is interesting because it keeps track of how many times programs were executed. You've got to be a little bit careful with UserAssist.
I've seen it off by quite a bit sometimes, depending on how fast a program is executed. Yeah, just sometimes the number isn't updated, sometimes it's updated twice. It's a little bit finicky. So don't trust UserAssist 100%, but it can give you a pretty good idea. Last execution time seems to be accurate, but the run counter doesn't seem to be super accurate, and then the focus count seems to be pretty good, actually. So NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist, and then the GUID, and then Count. So we're looking at, for example, the run counter here. They talk about the Background Activity Monitor. So how many times was File Explorer launched? That would be in UserAssist, and we go to the Count key. That's probably way too small to see, but we have File Explorer.lnk and it says it was run 26 times. So let's go ahead and try that. File Explorer run 26 times. Okay, what's another name for ShimCache? It's probably application compatibility cache. Let's take a look. Let's look at it. Also called application compatibility cache, AppCompatCache. I bet that's it. AppCompatCache, ShimCache. Which of the artifacts also saves SHA1 hashes of the executed programs? That would probably be in Amcache. Yep, here we have the SHA1. So just Amcache. All right, which of the artifacts saves the full path of the executed programs? And that is probably the Background Activity Monitor. It even gives us HarddiskVolume2, for example, instead of C drive. So the logical mapping: it gives us the physical disk for the Background Activity Monitor. So they want BAM/DAM. BAM/DAM. Okay, what they're actually trying to do, if you notice, is that we're basically looking up where all of these different things are, and there are a lot of different locations with artifact information. One of the things you start to do whenever you start investigations is start memorizing the locations of the most common artifacts.
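The UserAssist Count values that Registry Explorer shows in the video are stored with ROT13-obfuscated value names and a binary blob holding the run count, focus count and a FILETIME last-execution timestamp in UTC. As an added example (not part of the video or the TryHackMe room), here is a stand-alone Python parser for the 72-byte Windows 7+ layout, run over a constructed sample blob rather than a real hive; reading the value out of NTUSER.DAT is left to whatever hive tool you use, and the +5 offset applied at the end assumes the Pakistan Standard Time setting the room recovers from TimeZoneInformation.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-ns intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """Convert a 64-bit FILETIME to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def to_local(dt_utc: datetime, offset_hours: float) -> datetime:
    """Apply the offset recovered from SYSTEM\\...\\TimeZoneInformation
    (for example +5 for Pakistan Standard Time)."""
    return dt_utc.astimezone(timezone(timedelta(hours=offset_hours)))


def decode_value_name(name: str) -> str:
    """UserAssist value names are ROT13-encoded; undo that."""
    return codecs.decode(name, "rot_13")


def parse_userassist_entry(name: str, blob: bytes) -> dict:
    """Parse one UserAssist\\{GUID}\\Count value (Windows 7 and later, 72 bytes).

    Little-endian layout:
      0x00  uint32   session id
      0x04  uint32   run count
      0x08  uint32   focus count
      0x0C  uint32   focus time in milliseconds
      0x10  10 x float32 (not used here)
      0x38  uint32   unknown
      0x3C  FILETIME last execution (UTC)
      0x44  uint32   zero
    """
    if len(blob) != 72:
        raise ValueError(f"unsupported UserAssist value length {len(blob)}")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", blob, 4)
    (last_exec_ft,) = struct.unpack_from("<Q", blob, 60)
    return {
        "program": decode_value_name(name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        # A zero FILETIME means no execution time was recorded; real hives do contain these.
        "last_executed_utc": filetime_to_utc(last_exec_ft) if last_exec_ft else None,
    }


def build_sample_entry(run_count: int, focus_count: int, focus_ms: int,
                       when_utc: datetime) -> bytes:
    """Construct a 72-byte Count value for testing (assumed layout, not a real hive)."""
    ft = int((when_utc - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 40                 # the ten float32 slots
            + struct.pack("<I", 0)         # unknown dword
            + struct.pack("<Q", ft)        # FILETIME, UTC
            + struct.pack("<I", 0))        # trailing zero dword


# Constructed sample values, keyed by the ROT13 names as they appear in the hive.
SAMPLE_WHEN = datetime(2021, 11, 24, 13, 15, 0, tzinfo=timezone.utc)
SAMPLE_VALUES = {
    "Svyr Rkcybere.yax": build_sample_entry(26, 31, 842_000, SAMPLE_WHEN),
    "abgrcnq.rkr": build_sample_entry(3, 3, 12_500, SAMPLE_WHEN.replace(hour=9)),
}


def parse_sample() -> list:
    """Parse the constructed Count values in hive order."""
    return [parse_userassist_entry(n, b) for n, b in SAMPLE_VALUES.items()]


if __name__ == "__main__":
    for entry in parse_sample():
        local = to_local(entry["last_executed_utc"], 5)
        print(f"{entry['program']:<24} runs={entry['run_count']:<3} "
              f"focus={entry['focus_count']:<3} last={local.isoformat()}")
```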
So for example, UserAssist, a very common artifact. And if you know exactly where it's located, you can find it much quicker whenever you're analyzing it with a tool. A lot of tools now might just pull out UserAssist directly and show it to you. But for tools that don't, you might explicitly have to say where it's located. Basically, I think they're trying to get you familiar with a bunch of different artifact types and where they're located, and this is exactly what you should be doing whenever you first begin. Now, it's a little bit tedious to try to remember all of them and all of the information that's in there. So we have cheat sheets, of course, that we produce. SANS has some really good cheat sheets for artifact locations like this. External devices, USB device forensics: we use this a lot. So we use this in real investigations a lot. So device information, or device identification, can be found in SYSTEM\CurrentControlSet\Enum\USBSTOR and CurrentControlSet\Enum\USB. And then you can kind of see we have timestamps, for example, and depending on which view you have, it looks like this view, this is probably some of the EZ Tools. This view is taking in some information about, for example, when the USB stick was first seen, when it was installed, first installed, last connected. So we can actually see first connection times, last connection times. And if you're building a timeline and you have other sources of information, you might be able to reconstruct different times that that USB stick, that USB device, had been inserted into the system. You can also see things like device name, serial number, manufacturer, timestamps associated with it. Just be careful about this timestamp. This timestamp is probably the timestamp of the key itself, which means that it can be updated. But then we have, for example, the last connected time, 11-24 18:40, and that's after our key update time. So it's a bit odd.
I don't know what this timestamp key here is, but then we have installed, first installed, last connected. That's probably what we're interested in anyway. Yeah, so I don't know what this tool is, otherwise I could hopefully tell you what that timestamp is. So here we have CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties, and then an ID. And the number value represents the information like first connected time, last connected time, or last removal time. That's where they're getting that information. So I would say this timestamp is probably when the USBSTOR key was updated, and then they're getting the connection times from everything else. And if it's a separate key, it kind of makes sense that it could be a slightly different time. So this might be, I don't know, I'd have to look at that further. Don't just trust what the tools are telling you. Make sure you're questioning things like that. Like, why is the last connected time after the timestamp update for this device? Like, how are those timestamps related? That's going to be really important information in a real case. What's the serial number of the device from the manufacturer Kingston? Oh no, do we have to type a serial number? Okay, so we have our device, Kingston, and that's the serial number, and it's quite long. Okay, so let's try that serial number. Yep, okay. What's the name of the device? It was also listed: Kingston DataTraveler 2.0 USB Device. Okay, trying that device name. Yep. What's the friendly name of the device from the manufacturer Kingston? All right. We have a volume name. That's usually the friendly name, and then, okay, yeah, it does say friendly name here. We don't really know which one, USB or New Volume, is the Kingston. We might be able to do it by timestamp, but those are both the same timestamp. Let's go ahead and check this. So I have the disk ID here, and this first disk, which is the Kingston, starts with E25192.
I have the USB 3.0, and it starts with F529A. All right, so let's go ahead and look down here. The GUID again is E25192, and then F529A. So the Kingston, E25192, has the same disk ID as this first entry value with the friendly name USB. So this is what I mean by multiple registry keys kind of interacting with each other. You might have some information stored in one place, some information stored in another place, and then you have to get both pieces of information, especially IDs, before you can make sense of the other. So I would say the friendly name is USB. Okay. All right, now we're getting into the hands-on challenge. We'll see a few folders: triage and EZ Tools. The triage folder contains the triage collection collected through KAPE, which has the same directory structure as the parent. So basically, where are the registry keys located? This is where artifacts are located. The EZ Tools folder contains some tools that we've basically been looking at. All right, and then we have a couple of different questions here. So let's go ahead and start this up. So I've got Registry Explorer up, and I'm going to load the SAM hive. Let's go to File, Load hive, and Desktop, triage. The SAM hive is part of system, so I'm going to go into Windows\System32\config, and then we have SAM. Okay, so I've loaded up the SAM. I'm in ROOT\SAM\Domains\Account\Users, and then I have a couple of different things here. The resolution is not great. The user ID, so from the user accounts: how many user-created accounts are present in the system? Remember what I said? If anything is above 1,000, or 1,001, it's going to be a user-created account. So we have three user-created accounts. Let's go ahead and try three. Okay, what's the username of the account that has never been logged in? So here we have total login count, and this one has zero. So let's see what the username is: THM-user2. THM-user2. What's the password hint for THM-forensics?
So THM-forensics is 1001. And if we go over a little bit, we have the password hint. Let me expand that. And then the password hint just says count. So let's go ahead and try. COU2, that's probably it. All right, when was the file changelog.txt accessed? This is kind of an interesting question, because I would be looking at both the disk and the registry. In our case right now, we have what looks like a logical acquisition. So they just copied out all of the files. I can't really trust any of the file system metadata. So we would be looking at the Windows registry to find changelog.txt. I also don't know which user they're talking about. So I'm just going to guess it's probably the admin user, the first user-created account. So we're looking at changelog.txt. Let's go ahead and load up the NTUSER.DAT for our main user account. And that would be at File, Load hive. And then on the desktop we have triage, C drive, then we have Users, THM-forensics, and then NTUSER.DAT. Click Open. Sequence numbers don't match. I would usually reconstruct this; I'm going to say no this time. And then, do you want to load the dirty hive? Yes. All right, so now we have the NTUSER.DAT for our main user loaded up. Let's go ahead and expand ROOT. And then we're looking for Software\Microsoft\Windows\CurrentVersion\Explorer, and we should find RecentDocs. So now we have RecentDocs. Let's see if we have the changelog.txt. We have our text file, changelog.lnk, changelog.txt. And then it was opened on 2021-11-24 18:18:48. So let's go ahead and try that. 18:24, I need to check that again. 48. 18:18:48. 48. Okay, submit. Yep. All right. So next we're looking at: what is the complete path from where the Python 3.8.2 installer was run? So we're looking for whole paths. So it could be the Background Activity Monitor. But I see this is probably C drive. So most likely we're looking at something like UserAssist. So we can just go back in. Hopefully it's the same user. I'm in RecentDocs right now.
So to get to UserAssist instead of RecentDocs, we should just be able to scroll down, go to UserAssist, and then the GUID. Let's just kind of search through here. So I found Count with some activities in it. I'm going to scroll down and see if we find anything. We have a couple of different actions here. Notepad was run, and we have D:\setup. So it looks like we're on the right path. Z:\setup. Also a network share, and the Firefox installer from Z drive. Python 3.8.2. So the question was, what's the complete path where Python 3.8.2 was installed? So inside UserAssist for the default user, we have Count, and then Count has 48. And we have Z:\setups, Python 3.8.2.exe. Z:\setups\Python 3.8.2.exe. Okay, submit. Yep. When was the USB device with the friendly name USB last connected? So we have a date-time format, it looks like. USB devices are going to be related to system information. So I'm going to File, Load hive, and then, instead of going Users, Desktop\triage\C, go back to Windows\System32\config. And then I'm looking for, instead of SOFTWARE this time, I'm going to look for SYSTEM. Click Open. All right, so now we have the SYSTEM hive loaded. Click on ROOT. And then we are looking at probably CurrentControlSet\Enum. Let's do CurrentControlSet and then Enum and then USB or USBSTOR. So we have USB, and then: what's the USB device with a friendly name, when was it last connected? So we're looking for USB and we don't see the friendly name here. The USB friendly name is probably in SOFTWARE. So let's go ahead and open SOFTWARE. Okay, so we have SOFTWARE and we need Microsoft. Let's check Windows Portable Devices. That looks like it's probably our device. So USB; so here we have our friendly name, which is USB. And then we have a GUID of E251921F. And then now I'm back in the SYSTEM config. Let's look at USBSTOR, and then I have E25192 and then the F. So we have E215. This is our interesting one. It's the Kingston again.
And what's the USB device, when was it last connected? Last connected: 2021-11-24, 2021-11-24 18:40:06. 18:40:06. Nice. In that case, I mean, it was a little bit confusing, because USBSTOR didn't have the friendly names. We had to open up the SOFTWARE hive, get the friendly name plus the GUID that was assigned, and then go back to USBSTOR, sync them up via the disk ID, and then find the last connected from that. And that's common whenever you're in the Windows registry: you have information that is related to each other that you need to sync like that. Now, hitting the conclusion, what do we have here? We have "wasn't that interesting?" Yeah, it was pretty interesting. The Windows registry is always interesting and, I hope, easier than what people think. A lot of people think the Windows registry is hard, but it's really just a database. And if you remember even half of the locations that were talked about in this room, you can access so much additional information in your Windows forensic investigations. If it's hard to keep track of all of the artifacts (very few people remember; I don't think anyone remembers everything about it), you have cheat sheets. So they actually created a cheat sheet for this. Nice. The SANS Institute also makes cheat sheets that they release quite often, or they update them every year. Basically everything that they were talking about, they've covered in here. So I would download this cheat sheet, print it out, put it up on your wall, and whenever you're doing your investigations, just have a look at it, because it is actually stuff that we use constantly. Now, a lot of tools like Autopsy, for example, will automatically find registry hives and then try to parse them using RegRipper. You don't necessarily need the locations in your mind all the time, but it's good to have them and it's good to be familiar with them. And then sometimes you do have to go in and check things and verify things yourself. All right.
So that should get us through Windows Forensics 1. It's a really interesting overview of the Windows registry. And if you've never done any type of Windows registry analysis, hey, this is a great start. Read all of the documents that they have. I kind of explained, in a really quick overview, the things that I commonly use, I guess, in investigations, but they had a lot more detail that I didn't cover. Do practice going through and looking at the Windows registry. If you have a Windows computer, it's worth taking your Windows registry file, obviously making a copy, and then analyzing that copy and seeing what you can find, because you know what activities you've done on your system and you can recover a lot of different, really interesting things. Even knowing these basics is an excellent way to start Windows forensics. Don't forget the disk analysis part of things, and whenever you're building these timelines, they complement each other. So if you find a weird timestamp on the hard drive, you can use the Windows registry to say whether that timeline makes sense, and vice versa. Let me know if you have any questions, and if you want to see more walkthroughs of different rooms on TryHackMe or any other platform, especially if they're related to digital forensics, please let me know. Give it a like if you like these kinds of videos and make sure you subscribe, because I'm going to be posting tutorials on how to use each of the tools, and I already have some tutorials on things like Autopsy and FTK Imager. So I hope you enjoyed it. Thanks a lot.