Windows Registry


Objectives

This lab will introduce you to the structure of the Windows Registry. You will then explore the registry offline, by parsing the physical files (the hives) that constitute the main elements of the registry.

The Microsoft Windows registry is the core repository for both operating system and application-specific settings. Information about the configuration and customisation of Windows is stored in a series of hierarchical structures, accessible through a common interface. For the computer investigator the registry is a rich source of information on computer settings and activities, ranging from identifying installed software to finding website passwords.

RegRipper is an open-source tool for extracting, correlating and displaying specific information from Registry hive files of the Windows NT family of operating systems (up to and including Windows 11).


Question 1: Initial Inspection

For this lab you will be using the forensic image "GuzmanImage.dd" that is located under /images/Guzman directory. This is a disk image which was altered to fit into Linuxzoo. It contains the whole directory structure and all the necessary files for this exercise.

Before you start you should mount the NTFS partition within this image to have easy access to the specific files. You will need to create a loopback device /dev/loop100 that points at the partition (losetup needs the partition's byte offset within the image, i.e. its start sector multiplied by the sector size, which you can read from "fdisk -l" on the image), then mount loop100 on /mnt. Do not forget to add "-o ro" to the mount command so that the evidence is never written to.

Firstly, what offset for the losetup command will you need?

Tests - not attempted
Correct offset UNTESTED

Create the loopback with loop100, then mount the loopback as /mnt using the ro option.

Tests - not attempted
Loopback correct UNTESTED
Mount looks good UNTESTED
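The offset question above comes down to reading the partition table in the first sector of the image. The following Python is an added example, not part of the lab page: it parses an MBR, locates the first type-0x07 (NTFS) partition, turns its start sector into the byte offset losetup needs, and prints the two commands the lab asks for. It assumes an MBR-partitioned image with 512-byte sectors; the sample sector is constructed here and is not taken from GuzmanImage.dd. A type 0xEE entry means a protective MBR, i.e. the image is GPT and the start LBA must come from the GPT table instead.

```python
import struct

SECTOR_SIZE = 512          # assumed logical sector size of the image (512 for a .dd of a typical disk)
PART_TABLE = 0x1BE         # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"    # MBR boot signature at bytes 510-511


def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty MBR partition entries as dicts (start sector, length, type byte)."""
    if len(sector0) < 512 or sector0[510:512] != SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not an MBR (damaged image?)")
    parts = []
    for i in range(4):
        entry = sector0[PART_TABLE + 16 * i:PART_TABLE + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, lba_count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "start_sector": lba_start, "sectors": lba_count})
    return parts


def ntfs_offset(sector0: bytes, sector_size: int = SECTOR_SIZE) -> int:
    """Byte offset for 'losetup -o': start sector of the first type-0x07 (NTFS/exFAT) partition."""
    for p in parse_mbr(sector0):
        if p["type"] == 0xEE:
            raise ValueError("protective MBR: the image is GPT, take the start LBA from the GPT table instead")
        if p["type"] == 0x07:
            return p["start_sector"] * sector_size
    raise ValueError("no type-0x07 partition in the MBR")


def mount_commands(image: str, offset: int, loopdev: str = "/dev/loop100", mnt: str = "/mnt") -> list:
    """The two commands the lab asks for: a read-only loop device on the partition, mounted read-only."""
    return [f"losetup -r -o {offset} {loopdev} {image}",
            f"mount -o ro {loopdev} {mnt}"]


def sample_mbr() -> bytes:
    """Constructed sector 0: one bootable NTFS partition starting at LBA 2048 (not the lab image's values)."""
    mbr = bytearray(512)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    mbr[PART_TABLE:PART_TABLE + 16] = entry
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    # For the real image read sector 0 instead: open("/images/Guzman/GuzmanImage.dd", "rb").read(512)
    offset = ntfs_offset(sample_mbr())
    print("losetup offset:", offset)
    for cmd in mount_commands("/images/Guzman/GuzmanImage.dd", offset):
        print(cmd)
```

"losetup -r" makes the loop device itself read-only, so even a tool that ignores the "ro" mount option cannot alter the image; both commands need root.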

Look in /mnt and check how many files/directories exist in that top level directory.

One normal user is defined in this image. What is the user's name?

Tests - not attempted
Number of objects UNTESTED
Number of users UNTESTED

Question 2: Registry parsing

Now we need to interrogate the registry hives to discover what settings they contain. Make a directory called "evidence" in /home/caine and store the analysis output there. RegRipper's command-line front end is "rip": "-r" names the hive file and "-f" the plugin profile to run against it. From /home/caine use the following commands to parse each hive and save the output:

rip -r /mnt/Users/Arnie/NTUSER.DAT -f ntuser > /home/caine/evidence/NTuserDataOut.csv

Get the SAM information (ignore the error):

rip -r /mnt/Windows/System32/config/SAM -f sam > /home/caine/evidence/SAMOut.csv

Get the system information:

rip -r /mnt/Windows/System32/config/SYSTEM -f system > /home/caine/evidence/SystemOut.csv

Get the Software Information (can take a few minutes):

rip -r /mnt/Windows/System32/config/SOFTWARE -f software > /home/caine/evidence/SoftwareOut.csv

Tests - not attempted
NTUSER looks good UNTESTED
SAM looks good UNTESTED
SYSTEM looks good UNTESTED
SOFTWARE looks good UNTESTED

As discussed in the lectures, the time zone settings of any seized digital evidence need to be known, as does whether a particular date is stored as a local time or as a UTC/epoch value. Therefore, for this forensic image we will attempt to identify the time zone.

The SYSTEM hive's Select key records which control set is active (its Current value gives the number, e.g. 1 for ControlSet001), and RegRipper's system profile reports this. Once we know the active control set we can navigate to the relevant part of it to get the time zone information (substitute the active number if it is not 001):

SYSTEM\ControlSet001\Control\TimeZoneInformation

Hint: the key name is "ControlSet001", with no spaces. Because RegRipper's output contains some control characters, use "-a" in grep so the file is treated as text. The "\" character is an escape in grep, so write "\\" for each literal "\", and put the pattern in single quotes so the shell does not interpret the backslashes either. To see 10 lines after the matching registry key, use "-A 10".

So this might help

  grep -a -A10 'ControlSet001\\Control\\TimeZoneInformation' SystemOut.csv
  
  

What values exist for the TimeZone information?

DaylightName
StandardName
Bias
ActiveTimeBias
TimeZoneKeyName
Tests - not attempted
DaylightName UNTESTED
StandardName UNTESTED
Bias UNTESTED
ActiveTimeBias UNTESTED
TimeZoneKeyName UNTESTED

The information regarding the local user accounts is stored in the SAM hive, under:

SAM\Domains\Account\Users\Names

Each subkey of Names is a username; the type of its default value is the user's RID, and the account details (the binary F and V values that RegRipper decodes) live under Users\<RID in hex>. Examine the RegRipper output for the one normal user account defined in the hive and complete the following information:

Username
Full Name
Account Created
Last Login Date
Pwd Reset Date
Pwd Fail Date
Login Count
User SID
Tests - not attempted
Username UNTESTED
Full Name UNTESTED
Account Created UNTESTED
Last Login Date UNTESTED
Password Reset Date UNTESTED
PW Fail Date UNTESTED
Login Count UNTESTED
User SID UNTESTED
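RegRipper prints the SAM dates already decoded, but the time zone question above and the SAM question are linked: every date in the F value is a Windows FILETIME in UTC, and the TimeZoneInformation Bias/ActiveTimeBias values (signed DWORDs, in minutes, with UTC = local + bias) are what turn it into the suspect's wall-clock time. The following Python is an added example, not part of the lab page or of RegRipper: it decodes a constructed F value using the field offsets RegRipper's samparse plugin uses (last login at 8, password reset at 24, account expiry at 32, last failed password at 40, RID at 48, ACB flags at 56, failed-login and login counts at 64 and 66), then re-expresses the timestamps in local time for an assumed ActiveTimeBias. The F value bytes and the bias are constructed and are not the lab image's data. The user SID itself is the machine SID with "-<RID>" appended.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime; 0 means 'never'."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def bias_to_utc_offset(bias_dword: int) -> timedelta:
    """Bias/ActiveTimeBias are signed DWORDs of minutes with UTC = local + bias,
    so 0xFFFFFFC4 (-60) means the clock was UTC+1 and 300 means UTC-5."""
    minutes = bias_dword - (1 << 32) if bias_dword & 0x80000000 else bias_dword
    return timedelta(minutes=-minutes)


def to_local(dt, active_time_bias: int):
    """Express a UTC timestamp in the seized machine's local time using its ActiveTimeBias."""
    return None if dt is None else dt.astimezone(timezone(bias_to_utc_offset(active_time_bias)))


def parse_sam_f(f: bytes) -> dict:
    """Decode the binary F value of SAM\\Domains\\Account\\Users\\<RID>; offsets as in RegRipper's samparse."""
    if len(f) < 68:
        raise ValueError(f"F value too short: {len(f)} bytes")
    last_login, pwd_reset, acct_exp, pwd_fail = (struct.unpack_from("<Q", f, o)[0] for o in (8, 24, 32, 40))
    rid = struct.unpack_from("<I", f, 48)[0]
    acb_flags = struct.unpack_from("<H", f, 56)[0]
    bad_pwd_count, login_count = struct.unpack_from("<HH", f, 64)
    return {
        "rid": rid,
        "last_login": filetime_to_utc(last_login),
        "pwd_reset": filetime_to_utc(pwd_reset),
        "acct_expires": filetime_to_utc(acct_exp),
        "pwd_fail": filetime_to_utc(pwd_fail),
        "acb_flags": acb_flags,
        "disabled": bool(acb_flags & 0x0001),   # USER_ACCOUNT_DISABLED
        "bad_pwd_count": bad_pwd_count,
        "login_count": login_count,
    }


def sample_f_value() -> bytes:
    """Constructed 80-byte F value (not the lab image's data): RID 1000, 17 logins, 2 bad passwords."""
    f = bytearray(80)
    struct.pack_into("<Q", f, 8, utc_to_filetime(datetime(2014, 3, 10, 14, 22, 5, tzinfo=timezone.utc)))
    struct.pack_into("<Q", f, 24, utc_to_filetime(datetime(2013, 12, 1, 9, 0, 0, tzinfo=timezone.utc)))
    # offsets 32 (account expires) and 40 (last failed password) stay 0 = never
    struct.pack_into("<I", f, 48, 1000)
    struct.pack_into("<H", f, 56, 0x0210)       # normal account, password never expires
    struct.pack_into("<HH", f, 64, 2, 17)
    return bytes(f)


if __name__ == "__main__":
    ACTIVE_TIME_BIAS = 0xFFFFFFC4               # assumed value: -60 minutes, i.e. UTC+1
    rec = parse_sam_f(sample_f_value())
    for k, v in rec.items():
        if isinstance(v, datetime):
            print(f"{k:13} {v.isoformat()}  local: {to_local(v, ACTIVE_TIME_BIAS).isoformat()}")
        else:
            print(f"{k:13} {v}")
```

Note the sign convention: a bias of -60 stored as 0xFFFFFFC4 is one hour ahead of UTC, not behind, which is the usual mistake when reading the raw DWORD.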

Let's have a look at other information related to the operating system, software and hardware. Use "Registry Quick Find Chart", which is located on Moodle, to find the right registry keys.

  1. What is the operating system used on this computer?
  2. When was it installed?
  3. Who is the owner?
  4. How many network interfaces were used?

  5. and what were the IP addresses assigned by DHCP?
    192.168.191.128
    192.168.191.254
    172.16.255.191
    192.168.1.121
    192.168.128.5
  6. What web browsers were installed on this machine?
    MOZILLA.EXE
    IEXPLORE.EXE
    SAFARI.EXE
    Google Chrome
    FIREFOX.EXE
  7. Was there any email application present?
    Hotmail
    Outlook
    Google Mail
    Windows Mail
    Mozilla Thunderbird
Tests - not attempted
OS Used UNTESTED
Install Date UNTESTED
Registered Owner UNTESTED
Network UNTESTED
Web Browsers UNTESTED
Email Apps UNTESTED

Question 3: User Activity

The Windows registry contains settings for the computer hardware, applications, services and users. As the operating system comes online, the main system hives - SOFTWARE, SYSTEM, SECURITY and SAM - are read into memory from C:\Windows\System32\config\. When a user authenticates, the NTUSER.DAT hive in that user's profile is loaded and the user-specific settings are read. The hive locations are as follows:

SAM, SECURITY, SOFTWARE, SYSTEM - C:\Windows\System32\config\
NTUSER.DAT - C:\Users\<user name>\

Earlier in the tutorial you exported the NTUSER.DAT file for Arnie into

  /home/caine/evidence/NTuserDataOut.csv
  

MRU Lists

A "Most Recently Used" list contains entries made as a result of specific actions performed by the user. There are numerous MRU lists at various locations in the Registry. They are maintained so that the items can be offered again if the user returns to them; in that sense their function is similar to the history and cookies of a web browser.

\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Microsoft Windows does a very good job of tracking what documents a user has accessed, making them available in the Recent Documents menu. This list of documents can be very revealing about a user's activities. Notice that the RecentDocs key also has a subkey for each file extension, each with its own MRUListEx for that extension, so the data is duplicated: a file in the top-level RecentDocs key should also have an entry in the subkey for its extension. For example, a text file appears both under RecentDocs and under RecentDocs\.txt. Note that there is also a subkey (Folder) specific to folders.

Examine the content of the RecentDocs key and record the following information. Hint: there are lots of files under this key, so when you grep use "-A 100".

  1. How many files did you find under RecentDocs?
  2. Identify all text files by inspecting RecentDocs\.txt. How many text files did you find?
  3. What is the inode of the "new list.txt" file?
  4. Open this file and describe the content of it:
Tests - not attempted
Number of RecentDocs UNTESTED
Number of RecentDocs txt files UNTESTED
inode of 'new list.txt' UNTESTED
File Contents UNTESTED
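RegRipper's recentdocs plugin orders the files for you, but it helps to know what it is ordering: the MRUListEx value is a sequence of little-endian DWORD indices (most recent first, terminated by 0xFFFFFFFF), and each numbered value holds the file name in NUL-terminated UTF-16LE followed by shortcut (.lnk) data. The following Python is an added example, not part of the lab page or of RegRipper: it rebuilds the MRU order from a RecentDocs key given as {value name: bytes} and shows which names should be duplicated in an extension subkey such as RecentDocs\.txt. The sample values are constructed (with the shortcut part abbreviated) and are not the lab image's data; the same function works unchanged on an extension subkey, which uses the same layout.

```python
import struct


def parse_mrulistex(data: bytes) -> list:
    """MRUListEx is a run of little-endian DWORD value indices, most recent first, ended by 0xFFFFFFFF."""
    order = []
    usable = len(data) - len(data) % 4
    if not usable:
        return order
    for (idx,) in struct.iter_unpack("<I", data[:usable]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def utf16z(data: bytes) -> str:
    """Decode a NUL-terminated UTF-16LE string, scanning on 2-byte boundaries only."""
    for i in range(0, len(data) - 1, 2):
        if data[i:i + 2] == b"\x00\x00":
            return data[:i].decode("utf-16-le")
    return data.decode("utf-16-le", errors="replace")


def recent_docs(values: dict) -> list:
    """values: a RecentDocs key (or one of its extension subkeys) as {value name: raw bytes}.
    Returns the file names in MRU order (most recent first); a dangling index is reported, not dropped."""
    names = []
    for idx in parse_mrulistex(values.get("MRUListEx", b"")):
        raw = values.get(str(idx))
        names.append(utf16z(raw) if raw is not None else f"<missing value {idx}>")
    return names


def with_extension(names: list, ext: str) -> list:
    """The files that should also appear in the RecentDocs\\<ext> subkey (case-insensitive match)."""
    return [n for n in names if n.lower().endswith(ext.lower())]


def sample_recentdocs() -> dict:
    """Constructed RecentDocs values (not the lab image's data); the trailing shortcut part is abbreviated."""
    def entry(name: str) -> bytes:
        lnk = name.rsplit(".", 1)[0] + ".lnk"
        return name.encode("utf-16-le") + b"\x00\x00" + lnk.encode("ascii") + b"\x00"
    return {
        "0": entry("budget.ods"),
        "1": entry("notes.txt"),
        "2": entry("minutes.txt"),
        "3": entry("photo.jpg"),
        "MRUListEx": struct.pack("<5I", 2, 3, 0, 1, 0xFFFFFFFF),
    }


if __name__ == "__main__":
    docs = recent_docs(sample_recentdocs())
    print("RecentDocs (most recent first):", docs)
    print("expected in RecentDocs\\.txt:", with_extension(docs, ".txt"))
```

The value numbers are not the order: "0" is simply the first value ever created, and only MRUListEx says which was touched last.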

  1. Identify all OpenOffice files by inspecting RecentDocs\.ods
     What is the first file in the list?
  2. One other interesting file is the "The List.ods" file. However, when you look at its path, it existed only on a removable drive which is now unplugged. See if you can find this filename anywhere in the current disk image. What is the inode of this other version of the "The List.ods" file?
  3. What is the path of the above file?
  4. Using the GUI (VNC connection), navigate to the location of the file and open it. What would you say it is about?
  5. When was this entry created? You can view the time stamps by inspecting the recentdocs_timeline (v.20161112) section of the output.
As you can see, there is a lot of interesting information to be found by inspecting the files that the user has opened. Spend some time locating and opening files that may be useful for the coursework.

Tests - not attempted
First ods UNTESTED
Inode no UNTESTED
Pathname UNTESTED
File contents UNTESTED
Timeline date UNTESTED
  
  \Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

This key maintains a list of files recently opened or saved through the standard Windows Explorer-style common dialog boxes (the Open and Save dialogs). For instance, files (e.g. .txt, .pdf, .htm, .jpg) recently opened or saved from within a web browser (including IE and Firefox) are recorded here.

  • From this registry entry, how many bmp images are shown?
  • Find the entry concerning a bmp image with "Ali" somewhere in the title. Look at that bmp, identify the Manufacturer of the car in the picture, and look that entry up in the "The List.ods" file. In that row, what is the "Code-Name"?
    Manufacturer:
    Code-Name:

Tests - not attempted
Count UNTESTED
Model UNTESTED
Code Name UNTESTED
  
  \Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

This key correlates with the OpenSavePidlMRU key above to provide extra information. Whenever a new entry is added to OpenSavePidlMRU, a registry value is created or updated in this key. Each binary value under this key contains the executable file name of the program that was used and the folder path of the file that the program opened or saved.

  1. What applications were used?
    chrome.exe
    thunderbird.exe
    Skype.exe
    putty.exe
    quickstego.exe
    firefox.exe
    PickerHost.exe
  2. Is there any application used that seem to be out of place?
  3. What is the purpose of this application?

Tests - not attempted
Apps Used UNTESTED
Suspect UNTESTED
Suspect UNTESTED
  
  \Software\Microsoft\Internet Explorer\TypedURLs\

This key holds the URLs typed by the user in Internet Explorer: the entries found here are the web addresses entered through the address bar.

  • How many URLs were used in Internet Explorer, according to this entry?
  • In your opinion, was IE ever used for anything?

Tests - not attempted
URL Count UNTESTED
Interesting? UNTESTED
  
  \Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

The great thing about the UserAssist key is that it records the last run time of an application and the total number of times it was executed. The value names are not directly readable because they are ROT-13 encoded. You can easily decipher them with the tool at http://rot13.com.

Another way to encode and decode is at the command line:

  echo 'uryybgurer' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
  

Fortunately regripper does this conversion automatically.

The GUID subkey indicates what kind of item was run. On Vista and later there are two main GUIDs: {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}, which records executables that were run, and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}, which records shortcut (.lnk) files that were opened.

UserAssist Keys
Figure 1: UserAssist Keys

Examine the content of the "UserAssist" key. Make sure you can display the content of the {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} (executables) GUID.

  1. When was the last time, and how many times was Chrome used?
    When: Count:
  2. When was the last time, and how many times was notepad used?
    When: Count:
  3. When was the last time, and how many times was Spotify used?
    When: Count:
  4. When was the last time, and how many times was Quickstego used?
    When: Count:

Tests - not attempted
Chrome UNTESTED
notepad UNTESTED
Spotify UNTESTED
Quickstego UNTESTED
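To see what RegRipper is doing when it reports "last run" and "count" for an application, the following Python is an added example, not part of the lab page or of RegRipper: it ROT-13 decodes a UserAssist value name and unpacks the binary Count data in the two layouts Windows has used: 16 bytes on XP/2003 (run count at offset 4, starting from 5, FILETIME at offset 8) and 72 bytes on Vista and later (run count at 4, focus count at 8, focus time in ms at 12, last-run FILETIME at 60). The value names and data below are constructed and are not the lab image's values; real names carry a known-folder GUID prefix, which ROT-13 leaves untouched because it only rotates letters.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
GUID_EXE = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"   # executables run (Vista and later)
GUID_LNK = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"   # shortcuts opened (Vista and later)


def rot13(name: str) -> str:
    """UserAssist value names are ROT-13: letters rotate, digits, braces and backslashes are unchanged."""
    return codecs.decode(name, "rot_13")


def filetime_to_utc(ft: int):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means no recorded run."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_userassist(value_name: str, data: bytes) -> dict:
    """Decode one Count value in either the 16-byte (XP/2003) or 72-byte (Vista+) layout."""
    if len(data) == 16:
        run_count = max(struct.unpack_from("<I", data, 4)[0] - 5, 0)   # XP counts start at 5
        focus_count, focus_ms = None, None
        last_run = struct.unpack_from("<Q", data, 8)[0]
    elif len(data) >= 68:
        run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
        last_run = struct.unpack_from("<Q", data, 60)[0]
    else:
        raise ValueError(f"unexpected UserAssist data length {len(data)}")
    return {"name": rot13(value_name), "run_count": run_count, "focus_count": focus_count,
            "focus_ms": focus_ms, "last_run": filetime_to_utc(last_run)}


def parse_count_key(values: dict) -> list:
    """values: one {GUID}\\Count subkey as {ROT-13 value name: bytes}; rows sorted most recently run first."""
    rows = [parse_userassist(n, d) for n, d in values.items()]
    return sorted(rows, key=lambda r: r["last_run"] or EPOCH_1601, reverse=True)


def sample_count_values() -> dict:
    """Constructed Vista+/Windows 7 style values (not the lab image's data)."""
    def value(run_count: int, focus: int, ms: int, when: datetime) -> bytes:
        ft = ((when - EPOCH_1601) // timedelta(microseconds=1)) * 10
        buf = bytearray(72)
        struct.pack_into("<III", buf, 4, run_count, focus, ms)
        struct.pack_into("<Q", buf, 60, ft)
        return bytes(buf)
    return {
        codecs.encode(r"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Google\Chrome\Application\chrome.exe", "rot_13"):
            value(42, 87, 5_400_000, datetime(2014, 3, 9, 18, 5, 0, tzinfo=timezone.utc)),
        codecs.encode(r"C:\Windows\System32\notepad.exe", "rot_13"):
            value(3, 4, 120_000, datetime(2014, 3, 10, 14, 30, 0, tzinfo=timezone.utc)),
    }


if __name__ == "__main__":
    for row in parse_count_key(sample_count_values()):
        last = row["last_run"].isoformat() if row["last_run"] else "never"
        print(f"{row['run_count']:4}  {last}  {row['name']}")
```

The ROT-13 step is the same transformation as the tr one-liner above; the binary part is what tr cannot do for you.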

Question 4: User USB Devices

Based on the lecture notes and USB key guide, locate all the USB drives used by Guzman.

For each USB drive record the following information:

  • Product ID
  • Vendor ID
  • Version
  • Drive letter
  • Device Serial Number

Vendor ID | Product ID | Version | Drive Letter | Serial No

VID | PID | Volume GID
Tests - not attempted
Vendor ID UNTESTED
Product ID UNTESTED
Version UNTESTED
Drive Letter UNTESTED
Serial Num UNTESTED
VID UNTESTED
PID UNTESTED
GID UNTESTED
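The fields in the table above come from three places in the SYSTEM hive that have to be joined on the device serial number: the USBSTOR device key names (Enum\USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<version>\<serial>&<n>), the USB key names that carry the vendor and product ids (Enum\USB\VID_xxxx&PID_yyyy\<serial>), and the MountedDevices key, whose \DosDevices\<letter>: and \??\Volume{GUID} values for USB media hold a UTF-16LE string containing the same serial. The following Python is an added example, not part of the lab page or of RegRipper: it parses constructed key names and MountedDevices values and produces one row per drive. The serials, ids and GUIDs are constructed and are not the lab image's; the one real-world check it encodes is that an instance id whose second character is "&" was generated by Windows, meaning the device reported no serial of its own.

```python
import re

USBSTOR_RE = re.compile(
    r"^(?P<devclass>[^&\\]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^\\]*)"
    r"\\(?P<instance>[^\\]+)$")
VIDPID_RE = re.compile(r"VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})\\(?P<instance>[^\\]+)$")


def parse_usbstor(subkey: str) -> dict:
    """Enum\\USBSTOR\\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\\<serial>&<n>.
    If the 2nd character of the instance id is '&', Windows generated it: the device had no serial."""
    m = USBSTOR_RE.match(subkey)
    if not m:
        raise ValueError(f"not a USBSTOR device key: {subkey}")
    inst = m["instance"]
    return {"vendor": m["vendor"], "product": m["product"], "revision": m["revision"],
            "serial": inst.rsplit("&", 1)[0], "unique_serial": inst[1:2] != "&"}


def parse_usb(subkey: str) -> dict:
    """Enum\\USB\\VID_xxxx&PID_yyyy\\<serial>: the vendor and product ids for the same serial."""
    m = VIDPID_RE.search(subkey)
    if not m:
        raise ValueError(f"not a USB VID/PID key: {subkey}")
    return {"vid": m["vid"].upper(), "pid": m["pid"].upper(), "serial": m["instance"]}


def drive_letters(mounted_devices: dict) -> dict:
    """MountedDevices {value name: data}. For USB media the data is UTF-16LE
    '_??_USBSTOR#Disk&Ven_..&Prod_..&Rev_..#<serial>&0#{GUID}'. Returns serial -> value names."""
    out = {}
    for name, data in mounted_devices.items():
        try:
            text = data.decode("utf-16-le")
        except UnicodeDecodeError:
            continue                                   # fixed disks use a 12-byte binary signature
        if not text.startswith("_??_USBSTOR#"):
            continue
        serial = text.split("#")[2].rsplit("&", 1)[0]
        out.setdefault(serial, []).append(name)
    return out


def usb_report(usbstor_keys, usb_keys, mounted_devices) -> list:
    """Join the three sources on the serial number: one row per USB drive."""
    vidpid = {d["serial"]: d for d in map(parse_usb, usb_keys)}
    letters = drive_letters(mounted_devices)
    rows = []
    for dev in map(parse_usbstor, usbstor_keys):
        ids = vidpid.get(dev["serial"], {})
        names = letters.get(dev["serial"], [])
        rows.append({**dev, "vid": ids.get("vid"), "pid": ids.get("pid"),
                     "drive_letters": [n[-2:] for n in names if n.startswith("\\DosDevices\\")],
                     "volume_guids": [n.split("Volume")[-1] for n in names if "Volume{" in n]})
    return rows


def sample_registry() -> tuple:
    """Constructed key names and MountedDevices values (not the lab image's data)."""
    serial = "0A1B2C3D4E5F"
    usbstor = [rf"Disk&Ven_ExampleCo&Prod_Stick_2.0&Rev_1.00\{serial}&0",
               r"Disk&Ven_Generic&Prod_Flash&Rev_0.00\7&2b3c4d5e&0"]        # Windows-generated id
    usb = [rf"VID_1234&PID_5678\{serial}"]
    guid = "{abcd1234-0000-1111-2222-333344445555}"
    data = (f"_??_USBSTOR#Disk&Ven_ExampleCo&Prod_Stick_2.0&Rev_1.00#{serial}&0"
            "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le")
    mounted = {r"\DosDevices\E:": data, rf"\??\Volume{guid}": data,
               r"\DosDevices\C:": b"\x12\x34\x56\x78" + b"\x00\x7e\x00\x00\x00\x00\x00\x00"}
    return usbstor, usb, mounted


if __name__ == "__main__":
    for row in usb_report(*sample_registry()):
        print(row)
```

When the serial is Windows-generated, the same physical device can appear under a different instance id on another machine, so it cannot be used to tie the drive to other evidence; a genuine serial can.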



Linuxzoo created by Gordon Russell.
© Copyright 2004-2024 Edinburgh Napier University