We covered the process of conducting computer forensics under the context of examining a Windows operating system. We explained what are artifiacts and how to collect them. Additionally we mentioned some tools used to perform data acquisition and analysis. We also covered a practical scenario to demonstrate the process of analyzing an image of cloned disk and where to find related artifacts in the Registry. This was part of TryHackMe Windows Forenscis 1 SOC Level 1 track.

Get Computer Forensics Notes

The Complete Practical Web Application Penetration Testing Course

Challenge Description

Introduction to Windows Registry Forensics

Video Highlights

Computer forensics is an essential field of cyber security that involves gathering evidence of activities performed on computers. It is a part of the wider Digital Forensics field, which deals with forensic analysis of all types of digital devices, including recovering, examining, and analyzing data found in digital devices. The applications of digital and computer forensics are wide-ranging, from the legal sphere, where it is used to support or refute a hypothesis in a civil or criminal case, to the private sphere, where it helps in internal corporate investigations and incident and intrusion analysis.

A perfect example of Digital Forensics solving a criminal case is the BTK serial killer case. This case had gone cold for more than a decade when the killer started taunting the police by sending letters. The case took a major turn when he sent a floppy disk to a local news station that was later taken to into evidence by the police. The police were able to recover a deleted word document on the drive, and using the metadata and some other evidence, they pinpointed and arrested him.

Microsoft Windows is by large the most used Desktop Operating System right now. Private users and Enterprises prefer it, and it currently holds roughly 80% of the Desktop market share. This means that it is important to know how to perform forensic analysis on Microsoft Windows for someone interested in Digital Forensics. In this module, we will learn about the different ways we can gather forensic data from the Windows Registry and make conclusions about the activity performed on a Windows system based on this data.

When performing forensic analysis, you will often hear the word ‘artifact’. Forensic artifacts are essential pieces of information that provide evidence of human activity. For example, during the investigation of a crime scene, fingerprints, a broken button of a shirt or coat, the tools used to perform the crime are all considered forensic artifacts. All of these artifacts are combined to recreate the story of how the crime was committed.

In computer forensics, forensic artifacts can be small footprints of activity left on the computer system. On a Windows system, a person’s actions can be traced back quite accurately using computer forensics because of the various artifacts a Windows system creates for a given activity. These artifacts often reside in locations ‘normal’ users won’t typically venture to. For our purposes, these artifacts can be analyzed to provide the trial of activity for an investigation.

The Windows Registry is a collection of databases that contains the system’s configuration data. This configuration data can be about the hardware, the software, or the user’s information. It also includes data about the recently used files, programs used, or devices connected to the system. As you can understand, this data is beneficial from a forensics standpoint. Throughout this room, we will learn ways to read this data to identify the required information about the system.

The Windows registry consists of Keys and Values. When you open the regedit.exe utility to view the registry, the folders you see are Registry Keys. Registry Values are the data stored in these Registry Keys. A Registry Hive is a group of Keys, subkeys, and values stored in a single file on the disk.

Structure of the Registry:

The registry on any Windows system contains the following five root keys:

  1. HKEY_CURRENT_USER
  2. HKEY_USERS
  3. HKEY_LOCAL_MACHINE
  4. HKEY_CLASSES_ROOT
  5. HKEY_CURRENT_CONFIG

Here is how Microsoft defines each of these root keys. For more detail and information about the following Windows registry keys, please visit Microsoft’s documentation.

If you are accessing a live system, you will be able to access the registry using regedit.exe, and you will be greeted with all of the standard root keys we learned about in the previous task. However, if you only have access to a disk image, you must know where the registry hives are located on the disk. The majority of these hives are located in the C:\Windows\System32\Config directory and are:

  1. DEFAULT (mounted on HKEY_USERS\DEFAULT)
  2. SAM (mounted on HKEY_LOCAL_MACHINE\SAM)
  3. SECURITY (mounted on HKEY_LOCAL_MACHINE\Security)
  4. SOFTWARE (mounted on HKEY_LOCAL_MACHINE\Software)
  5. SYSTEM (mounted on HKEY_LOCAL_MACHINE\System)

Hives containing user information:

Apart from these hives, two other hives containing user information can be found in the User profile directory. For Windows 7 and above, a user’s profile directory is located in C:\Users\<username>\ where the hives are:

  1. NTUSER.DAT (mounted on HKEY_CURRENT_USER when a user logs in)
  2. USRCLASS.DAT (mounted on HKEY_CURRENT_USER\Software\CLASSES)

The USRCLASS.DAT hive is located in the directory C:\Users\<username>\AppData\Local\Microsoft\Windows.

Some other very vital sources of forensic data are the registry transaction logs and backups. The transaction logs can be considered as the journal of the changelog of the registry hive. Windows often uses transaction logs when writing data to registry hives. This means that the transaction logs can often have the latest changes in the registry that haven’t made their way to the registry hives themselves. The transaction log for each hive is stored as a .LOG file in the same directory as the hive itself. It has the same name as the registry hive, but the extension is .LOG. For example, the transaction log for the SAM hive will be located in C:\Windows\System32\Config in the filename SAM.LOG. Sometimes there can be multiple transaction logs as well. In that case, they will have .LOG1, .LOG2 etc., as their extension. It is prudent to look at the transaction logs as well when performing registry forensics.

Registry backups are the opposite of Transaction logs. These are the backups of the registry hives located in the C:\Windows\System32\Config directory. These hives are copied to the C:\Windows\System32\Config\RegBack directory every ten days. It might be an excellent place to look if you suspect that some registry keys might have been deleted/modified recently.

Room Answers

What is the path for the five main registry hives, DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM?

What is the path for the AmCache hive?

What is the Current Build Number of the machine whose data is being investigated?

Which ControlSet contains the last known good configuration?

What is the Computer Name of the computer?

What is the value of the TimeZoneKeyName?

What is the DHCP IP address

What is the RID of the Guest User account?

When was EZtools opened?

At what time was My Computer last interacted with?

What is the Absolute Path of the file opened using notepad.exe?

When was this file opened?

How many times was the File Explorer launched?

What is another name for ShimCache?

Which of the artifacts also saves SHA1 hashes of the executed programs?

Which of the artifacts saves the full path of the executed programs?

What is the serial number of the device from the manufacturer ‘Kingston’?

What is the name of this device?

What is the friendly name of the device from the manufacturer ‘Kingston’?

How many user created accounts are present on the system?

What is the username of the account that has never been logged in?

What’s the password hint for the user THM-4n6?

When was the file ‘Changelog.txt’ accessed?

What is the complete path from where the python 3.8.2 installer was run?

When was the USB device with the friendly name ‘USB’ last connected?

Video Walkthrough

About the Author

Cybersecurity Trainer MS in Cybersecurity Expertise in Healthcare and Finance Industries Penetration tester and compliance auditor

View Articles