AccessData's FTK: Windows Registry
Article I.

Section 1.01 Backing up a .REG file
Within the registry, right click and select Export.
Section 1.02 Acquiring Registry files with FTK Imager
Click "Obtain Protected Files", browse to the Registry files, and select the "Password Recovery and All Registry Files" radio button.
Section 1.03 Other files from a Windows XP image
Within FTK Imager, File > Add Evidence > Image File > browse to the image.
Go to c:\windows\system32\config, highlight SAM, SECURITY, SOFTWARE and SYSTEM, and export them. Export NTUSER.DAT too.
Section 1.04 Viewing Registry Files within FTK
Within FTK Imager, click the yellow safe to obtain the registry files (password recovery and all registry files). The yellow box procedure only works on LIVE systems, not images.
Section 1.05 Permissions
HKEY_LOCAL_MACHINE\system\CurrentControlSet\enum\usbstor: "Full Control" isn't checked, therefore the subkey cannot be deleted. Right click the SAM folder, go to Permissions and put "Full Control" for admin. In Vista, USBSTOR can't be deleted.
Section 1.06 NTUSER.DAT
XP – c:\documents and settings\username
Vista – c:\users\username
Section 1.07 Internal clocks
• Microsoft computers are defaulted to Pacific Time.
• Dell computers are defaulted to Central (Texas) time.
Page | 1 FTK | Windows Registry
Section 1.08 Within the Registry
Registry files are constructed from two types of building blocks:
‐ File Headers (regf)
  regf block offsets (PDF off the website for a cheat sheet)
  72 65 67 66 = regf in HEX
  offset 12‐19 is the date it was last modified
  offset 48 begins the path and name of the Registry file
‐ hbin
  68 62 69 6e = hbin header in HEX
  offsets 20‐27 is the date and time of modification
HKEY_LOCAL_MACHINE holds per-computer information: the SAM, SYSTEM, SOFTWARE and SECURITY hives.
HKEY_CLASSES_ROOT is where you can see what file extensions are opened by what program.
Specific user settings come from HKEY_CURRENT_USER.
*Hardware hive is created at startup but deleted at shutdown*
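The regf/hbin layout just described, as an added Python example (not code from the notes or from AccessData): it checks both signatures, decodes the FILETIME at offset 12‐19 and the embedded hive path at offset 48, against a constructed header. Placing the first hbin at offset 4096 and treating the path field as 64 bytes of UTF-16LE are assumptions from the standard hive format, not from the page.

```python
import struct
from datetime import datetime, timedelta, timezone

REGF_SIG = b"regf"   # 72 65 67 66 at offset 0 of the base block
HBIN_SIG = b"hbin"   # 68 62 69 6e at the start of each bin
HBIN_OFFSET = 4096   # assumption: first hbin follows the 4 KiB base block (standard hive layout)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used only to build the sample header."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def parse_hive_header(data):
    """Return the base-block fields the notes call out, or raise if it is not a hive."""
    if data[0:4] != REGF_SIG:
        raise ValueError("missing regf signature at offset 0")
    last_written = struct.unpack_from("<Q", data, 12)[0]        # offset 12-19
    # offset 48: hive path as UTF-16LE, NUL padded (64-byte field assumed)
    path = data[48:48 + 64].decode("utf-16-le").rstrip("\x00")
    first_hbin_ok = data[HBIN_OFFSET:HBIN_OFFSET + 4] == HBIN_SIG
    return {"last_written": filetime_to_datetime(last_written),
            "path": path, "first_hbin_ok": first_hbin_ok}


def build_sample_hive():
    """Constructed sample: base block plus one empty hbin header, not a real hive."""
    base = bytearray(4096)
    base[0:4] = REGF_SIG
    struct.pack_into("<Q", base, 12,
                     datetime_to_filetime(datetime(2009, 3, 15, 12, tzinfo=timezone.utc)))
    path = "\\SystemRoot\\System32\\Config\\SAM".encode("utf-16-le")
    base[48:48 + len(path)] = path
    hbin = bytearray(4096)
    hbin[0:4] = HBIN_SIG
    return bytes(base + hbin)


if __name__ == "__main__":
    print(parse_hive_header(build_sample_hive()))
```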
Article II.

Section 2.01 To access the SAM file, at the run box type: ##:## /interactive regedit
The ##:## is the 24‐hour time format; it can be used remotely or for scheduling. It can also be used to view the SAM when a user is active on the computer, if it's pushed down via the network.
Section 2.02 To see if a user was ever deleted from the system
Go to the SAM; in the Unicode pane to the right, right click and select "Find", then type in the username you're looking for. If it's found, highlight the 80 characters in front of the username and see if the value is negative or positive (negative meaning it was deleted; positive = unallocated).
Section 2.03 Preliminary Reports via Registry Editor
accessdata.com > support > supplementary files > RSR files (templates)
c:\program files\accessdata\accessdata registry viewer\data
1. Open FTK. By default in 2.0 you need to always create a user for the database (Oracle) right away.
   1. This is the GOD account.
   1. Add other users once this is set up, so if you're in a shared environment everyone can work on cases without worrying about someone forgetting or deleting cases etc. as root.
   2. Passwords are case sensitive.
2. If you run a report from within Registry Viewer, you have to add the reports as supplementary evidence within FTK if you run it standalone.
   1. If you run from within FTK, there's a box to check in the report options wizard to automatically include it with the regular report.
3. From within the preliminary report wizard, you can choose which files (SAM, SYSTEM etc.) to process; therefore you don't have to process every SAM on every seized computer from the crime scene if you don't have to.
4. In Registry Editor, right click > Add to Report. This adds registry keys to the report.
   1. ex. ‐ CurrentVersion key to display the computer's owner info
   1. Can't select individual entries for the standard report; it grabs everything listed.
   2. Not a good idea to add with "report with children" because it adds more garbage to the report, and then you have to research everything and what it means, because when you testify in court the other prosecutor's going to grill you on what they mean or why it's in the report.
   1. Summary report allows you to add single entries instead of everything listed.
      1. "selected values"
      2. Can use wildcards to grab multiple values.
5. Click on the green key within Registry Viewer to go to the "common areas" view, to make it easier to find information.
   1. Wifi info is not included in here.
   2. Registered owner, service packs, product ID etc.
   3. The check box over the folder signifies it's added to the report.
   4. Can select View > Report View in case you want to quickly verify what you marked for the report already.
   5. Report > Generate Report
      1. Change the report title because it always says "Registry Report".
      2. If outside FTK, save it to a folder that will be included with the whole report.
      3. Check "reduce excess data output" to clear up some binary in the report.
      4. DO NOT check "show key properties only" unless you're doing the SAM file, because it clears almost all data in the report display.
      5. The "DWORD" check box just adds the file and date underneath the columns (InstallDate) etc.
(a) Summary reports (single values, no wildcards)
6. View > Full Registry
7. Click the green key to go to the common areas.
8. Report > Define Summary Report
9. Change the title to something like "Software – Registered Owner Information" so you know where it goes.
10. Highlight the available items, click "match any item" so it's not marked, then click the "add values" button to select single values; sort it, then save and close.
11. Report > Define Summary Report
    1. Click the report to preview it.
       1. Include blank values so you know if something was missing or blank in the registry.
    2. Report > Define Summary Report
       1. Click the Generate button if outside FTK.
Article III.

(a) SAM artifacts
12. sam > domains > accounts > users (highlight it)
    1. Report > Define Summary Reports
    2. Change the title to "SAM ‐ users".
    3. At the bottom where it says Wildcard, click on "use current selected key".
    4. Select any of the user folders; in the right pane you see the "f" and the "v" values.
       1. Click the "match any item" radio button to the right.
       2. Click "add values".
       3. Save and close.
       4. When you generate this report, check "show key properties only" to make the SAM report cleaner.
13. In FTK, Overview tab > File Category
    1. OS / File System Files > Windows NT Registry
    2. Click on the file(s) you want to include in the bottom pane.
    3. File > Report
    4. Highlight Registry Selections.
       1. Check "Include user generated reports" if you have done so outside FTK.
    5. Browse to where you are exporting reports.
    6. If you click on the SAM link and look to the right, the Registry key is a hyperlink – EDIT IT OUT in the HTML, or else if you click it, it will add to your Registry.
(b) SID breakdown
7. Issuing, Machine/Network, SID (user accounts, custom groups)
   1. Known SIDs in XP (1003 is usually the first user created or a custom group; if not, then the user was probably deleted)
      1. 500 = admin
      2. 501 = guest
      3. 1001 – help assistant
      4. 1001 – help services group
      5. 1002 – support user
   2. The SID helps when looking at the Recycler (recycle bin) to see who was deleting, and at NTUSER.DAT files.
8. The machine SID is stored in the SAM file.
   1. HKEY_LOCAL_MACHINE\sam\sam\domains\account\v
9. The F key in SAM\domains\accounts\users\<user number> shows the SID, logon count, last logon time etc.
10. Microsoft will say a password is there if it's left blank, but there won't be a password or hash... so to verify, go to the "v" key.
14. Cracking the SAM (because there might have been EFS files/folders)
    1. Export the SAM and SYSTEM files from the image.
    2. Export the full text index (FTI) as a dictionary.
    3. Import the FTI into PRTK.
    4. Drop the SAM into PRTK and point to the SYSTEM file.
    5. SAM passwords in XP (hints)
       1. SOFTWARE\microsoft\windows\currentversion\hints\username
    6. SAM passwords in VISTA (hints)
       1. sam\sam\domains\account\users /userpasswordhint
15. If you change or remove a user's password without being logged in as the user himself, all EFS files will be lost because it will look for the original password.
16. The "v" value holds the user name etc.
(c) Identifying deleted users
17. SOFTWARE\microsoft\windows nt\currentversion\profilelist
18. System restore points (find the SID number)
19. Registry slack
6. If the username is changed, the SID stays the same – the profile name remains the same (home folder etc.).
7. In Windows 2000, XP, 2003: if an account is deleted, the SAM file will remove the info but the SID will not be reused.
8. Unique groups with SIDs:
   1. administrators – 544
   2. users – 545
   3. guests – 546
   4. power users ‐ 547
9. HKEY_LOCAL_MACHINE\sam\sam\domains\builtin\aliases
   1. Built-in groups (the SID is in hex, so you have to convert it)
10. HKEY_LOCAL_MACHINE\sam\sam\domains\account\aliases
    1. Custom groups (the SID is in hex, so you have to convert it)
11. HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\groupmembership
    1. NTUSER artifacts (to determine what groups the user is a member of)
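The SID breakdown in (b) and the hex RIDs in the aliases keys above, as an added Python example that is not part of the original notes: it decodes a binary SID into S-1-5-21-...-RID form, splits off the machine part and the RID, names the RIDs the notes list, and converts an aliases subkey name such as 00000220 to 544. The binary SID layout (revision, count, 48-bit authority, little-endian sub-authorities) is the documented Windows structure; the sample values are constructed.

```python
import struct

# RIDs the notes list: XP default accounts and the built-in group aliases
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest",
    544: "Administrators", 545: "Users", 546: "Guests", 547: "Power Users",
}


def alias_key_to_rid(subkey_name):
    """Aliases subkeys are named by the RID in hex, e.g. '00000220' -> 544."""
    return int(subkey_name, 16)


def parse_binary_sid(blob):
    """Decode the binary SID structure into the familiar S-1-5-21-...-RID text form."""
    revision, count = blob[0], blob[1]                   # 1 byte each
    authority = int.from_bytes(blob[2:8], "big")         # 48-bit identifier authority
    subs = struct.unpack_from("<%dI" % count, blob, 8)   # little-endian sub-authorities
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def describe_sid(sid):
    """Split off the machine/domain part and the RID, naming RIDs from the notes."""
    parts = sid.split("-")
    rid = int(parts[-1])
    return {"machine": "-".join(parts[:-1]), "rid": rid,
            "name": WELL_KNOWN_RIDS.get(rid, "user or custom group")}


def build_sample_sid(machine_subs, rid):
    """Constructed sample: a binary SID under the NT authority (5); the numbers are made up."""
    subs = list(machine_subs) + [rid]
    return (bytes([1, len(subs)]) + (5).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


if __name__ == "__main__":
    blob = build_sample_sid((21, 1234567890, 987654321, 111111111), 1003)
    print(describe_sid(parse_binary_sid(blob)))
```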
(d) SYSTEM artifacts
2. Time zone / last access
   1. controlset##\control\TimeZoneInformation
   2. Is daylight time autocorrecting or not?
   3. Time zone setting
      1. (1 = disabled)
      2. If the value is not present, the system is autocorrecting.
   4. BIOS time setting
3. Computer name
   1. system\controlset###\control\computername\computername
4. Last shutdown time
   1. controlset###\control\Windows
5. Mounted devices manager
   1. Creates a symbolic link to the device object.
   2. Format: \??\Volume{GUID}\
      1. To verify if it's never been mounted before.
      2. Can't always tell the drive letter because it can be overwritten by another USB device.
         1. Can search for links, or search for a file name of something on the USB device, to try and see what the device letter used to be.
(e) USB tracking (pg221)
3. Reference to try and see the firmware or what USB device it was
   1. www.linux‐usb.org
      1. Other helpful links > USB vendor ProductID
4. setupapi.log (c:\WINNT or c:\Windows)
5. .lnk files can show paths and date/time of files accessed.
6. usb\vid_099&PID_234\234242342423423
   1. VID = vendor ID
   2. PID = product ID
   3. hardware ID
7. Microsoft has USB identification software to download.
8. Computer Management > Device Manager > Storage Volumes > right click, Properties, Details
9. SYSTEM\mounteddevices
10. ParentIDPrefixes with "5, 6 or 7&" are Microsoft made and won't help.
(f) Hardware information
11. SYSTEM\controlset\enum
    1. SATA drives are stored under IDE.
    2. FireWire is stored under SCSI.
12. LPTENUM
    1. Enumerates printer ports.
(g) Services
13. SYSTEM\controlset##\Services
14. DHCP
15. tcpip\parameters
    1. controlset##\services\tcpip\parameters
(h) Session manager
16. Is prefetch on?
    1. Keeps the last 128 programs used.
       1. Can tell if a wiping program was just used.
    2. system\controlset##\control\session manager\prefetchparameters
       1. "enableprefetcher"
       2. "0" is off, "1" applications only, "2" only boot fetch, "3" application and boot enabled
          1. layout.ini is a file not to delete, because it's a roadmap for Microsoft with defragging... it won't be re‐created.
17. Is the subkey activated for page swap in order to wipe it when shut down?
    1. System\controlset##\control\session manager\memory management
       1. (0) by default
          1. If it is on, then you may want to grab memory and page files while active.
18. Previous computer names can be found in unallocated space with an index search, or also in event logs and restore points as well (restore = up to 90 days).
(i) Identifying USB drives
19. system\currentcontrolset##\enum\usbstor
    1. Check the ParentID against the "mounteddevices" key in the left pane.
       1. system\currentcontrolset##\mounteddevices
20. system\currentcontrolset##\enum\usb
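The USB enumeration keys in (e) and (i), as an added Python example that is not part of the original notes: it splits Enum\USB and Enum\USBSTOR key names into VID/PID/vendor/product/serial, flags the Windows-generated "5&/6&/7&" identifiers the notes mention, and correlates a ParentIdPrefix with MountedDevices to recover the drive letter. The key names and MountedDevices entries are constructed, and the STORAGE#RemovableMedia value layout is assumed from XP-era hives.

```python
import re


def parse_usb_key(key):
    """Split an Enum\\USB key name 'USB\\VID_xxxx&PID_yyyy\\<serial>' into its parts."""
    m = re.fullmatch(r"USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\(.+)", key, re.IGNORECASE)
    return None if not m else {"vid": m.group(1).upper(), "pid": m.group(2).upper(),
                               "serial": m.group(3)}


def parse_usbstor_key(key):
    """Split 'USBSTOR\\Disk&Ven_V&Prod_P&Rev_R\\<serial>&<instance>' into its parts."""
    m = re.fullmatch(r"USBSTOR\\([^&]+)&Ven_([^&]*)&Prod_([^&]*)&Rev_([^\\]*)\\([^&]+)&(\d+)",
                     key, re.IGNORECASE)
    if not m:
        return None
    return {"type": m.group(1), "vendor": m.group(2), "product": m.group(3),
            "revision": m.group(4), "serial": m.group(5), "instance": m.group(6)}


def is_windows_generated(identifier):
    """Per the notes, identifiers starting '5&', '6&' or '7&' were made up by Windows, not the device."""
    return re.match(r"^[567]&", identifier) is not None


def drive_letters_for(mounted_devices, needle):
    """Return the X: letters of \\DosDevices\\X: entries whose UTF-16LE data contains needle."""
    letters = []
    for name, data in mounted_devices.items():
        try:
            text = data.decode("utf-16-le")
        except UnicodeDecodeError:
            continue  # fixed disks store a disk signature + offset here, not text
        if name.startswith("\\DosDevices\\") and needle.lower() in text.lower():
            letters.append(name[len("\\DosDevices\\"):])
    return letters


# Constructed sample data shaped like XP-era entries; not taken from a real system
SAMPLE_USBSTOR = r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\0123456789AB&0"
SAMPLE_USB = r"USB\VID_1234&PID_5678\0123456789AB"
SAMPLE_PARENT_ID_PREFIX = "7&1a2b3c4d&0"
SAMPLE_MOUNTED = {
    r"\DosDevices\C:": bytes.fromhex("12345678000000d8"),
    r"\DosDevices\E:": (r"\??\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM"
                        r"#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le"),
}

if __name__ == "__main__":
    print(parse_usbstor_key(SAMPLE_USBSTOR))
    print(drive_letters_for(SAMPLE_MOUNTED, SAMPLE_PARENT_ID_PREFIX))
```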
(j) SECURITY artifacts
6. hkey_local_machine\security
7. Stores local security policies (user rights, password policy, account memberships).
   1. Good info for internal investigations, to see if someone's exceeding their powers.
8. Password caching (stores current and past)
   1. Domain passwords can be cached as well (good to turn off for laptops).
      1. software\microsoft\windows nt\currentversion\winlogon
         1. cachedlogonscount
9. security\policy\secrets\defaultpassword
   1. For XP SP3
12. In PRTK, when cracking the cached/stored passwords, the (*) tells us there's more than one password.
    1. Current and past passwords used
(k) SOFTWARE artifacts
2. ReadyBoost in Vista means you can use a USB device to extend your computer's memory (page file memory).
   1. SOFTWARE\microsoft\windowsnt\currentversion\emdmgmt
3. Microsoft\windows\currentversion\authentication\logonUI
   1. Last logged on user
   2. Records the last written time as the system powered down.
(l) Identifying uninstalled software
3. Registry slack
4. $MFT
5. software\classes
6. Do index searches.
7. 78 00 00 00 → indicates PGP etc. was uninstalled; then look for the date.
8. SOFTWARE\microsoft\windows\currentversion\uninstall\AppName
(m) Startup programs (p.297)
9. hkey_local_machine\software\microsoft\windows\currentversion\run
   1. runonce
   2. runonceex
   3. runservices
   4. runservicesonce
10. SOFTWARE\microsoft\command processor\autorun
11. SYSTEM\controlset##\control\session manager\bootexecute
12. SOFTWARE\microsoft\windows nt\currentversion\winlogon\userinit
(n) Wireless artifacts
13. SOFTWARE\microsoft\wzcsvc\parameters\interfaces
14. SOFTWARE\microsoft\EAPOL\parameters\interfaces\<GUID>
15. SOFTWARE\microsoft\windows nt\currentversion\networklist
(o) Recycle Bin
16. software\microsoft\windows\currentversion\explorer\bitbucket
(p) Printer entries
17. ntuser.dat\software\microsoft\windows nt\currentversion\devices
18. software\microsoft\windowsnt\currentversion\print\printers\<printername>
(q) Recent Docs
4. ntuser.dat\microsoft\windows\currentversion\explorer\recentdocs
(r) Restore points
5. c:\windows\system volume information
(s) ComDlg32 – Common dialog; tracks user behavior as it pertains narrowly to the Open and Save As dialog boxes for Windows utilities
6. ntuser.dat\software\microsoft\windows\currentversion\explorer\ComDlg32
(t) Run
7. ntuser.dat\software\microsoft\windows\currentversion\explorer\runMRU
(u) Vista protected storage
8. NTUSER.DAT\software\Microsoft\internet explorer\intelliforms
13. Add keys to common areas for later searches
    1. Right click > add to common area
    2. EAPOL, wzcsvc etc.
(v) Vista USB devices
3. SOFTWARE\Microsoft\windows nt\currentversion\emdmgmt
(w) VISTA wireless
4. SOFTWARE\microsoft\windows nt\currentversion\networklist\profiles\<GUID>
(x) To tell whether or not the person burned anything onto a CD
5. Right click My Computer > Manage > event logger > System
6. Event #'s 7036 & 7035 tell when the IMAPI CD‐Burning COM service was started and stopped.
(y) Finding what programs were run before the CD burning was done
1. User Assist file
   a. Located in the NTUSER.DAT (Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist)
   b. Can see what program or file was accessed, how many times and the last time.
   c. If there's no entry or it's deleted, try restore points close to the burn time.
2. Shortcut / Lnk files
   a. XP – c:\documents and settings\<user>\start menu
   b. Vista – c:\users\<user>\start menu
3. Prefetch Files
   a. C:\Windows\Prefetch
      i. Stores up to the last 128 programs used, with the .pf file extension.
         1. www.forensicswiki.org\wiki\Prefetch
* RegRipper and Windows File Analyzer can help with parsing the information *
Article IV. Misc. Notes
• Have an EI into the USB drive if you're going to grab the registry files from incident response via FTK Imager, because the hardware EI number will change.
• If on DHCP and the system is shut down, there's a good chance of losing the IP address... there is a chance it's in the registry, but best to grab the registry files and make sure.
• To tell whether what you're looking at is deleted or not, highlight the first (4) in Unicode before the "nk", "vk" etc., right click and look at the value: (‐) means it was deleted and allocated in the value interpreter... can also put it in a scientific calculator. This is done in the HEX pane, looking at the value in the properties pane.