The Real Hugo
Husk

Windows Registry

Regedit Keys

  • HKEY_CURRENT_USER (HKCU), inside HKU
  • HKEY_USERS (HKU)
  • HKEY_LOCAL_MACHINE (HKLM)
  • HKEY_CLASSES_ROOT (HKCR), stored in HKLM and HKU
    • HKEY_CURREN_USER\Software\Classes for settings of interactive user
    • HKEY_LOCAL_MACHINE\Software\Classes to change default settings
  • HKEY_CURRENT_CONFIG

Paths

  • C:\Windows\System32\Config

    • Default -> HKEY_USERS\DEFAULT
    • SAM -> HKEY_LOCAL_MACHINE\SAM
    • SECURITY -> HKEY_LOCAL_MACHINE\Security
    • SOFTWARE -> HKEY_LOCAL_MACHINE\Software
    • SYSTEM -> HKEY_LOCAL_MACHINE\System

  • C:\Users\<username>\

    • NTUSER.DAT -> HKEY_CURRENT_USER , hidden file

  • C:\Users\<username>\AppData\Local\Microsoft\Windows

    • USRCLASS.DAT -> HKEY_CURRENT_USER\Sofware\CLASSES, hidden file

  • C:\Windows\AppCompat\Programs\Amcache.hve

Transaction Logs

  • Transaction <name of registry hive>.LOG of the registry hive
  • Saved inside the same directory which is C:\Windows\System32\Config, as the hive which was altered.

Backups

  • Saved every ten days
  • Look out for recently deleted or modified keys
  • C:\Windows\System32\Config\RegBack

Data Acquisition

  • Tools
    • Autopsy
    • FTK Imager, does not copy Amcache.hve
    • KAPE, preserves directory tree
    • Registry Viewer
    • Zimmerman's Registry Explorer, uses transaction logs as well
      • AppCompatCache Parser
    • RegRipper, cli and gui

System Information

  • OS Version -> SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • Computer Name -> SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
  • Time Zone SYSTEM\CurrentControlSet\Control\TimeZoneInformation
  • Network Interfaces -> SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
  • Past connected networks -> SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged and SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
  • Services -> SYSTEM\CurrentControlSet\Services
    • Service will start at boot with start key value 0x02
  • Users, SAM -> SAM\Domains\Account\Users

Control Sets

  • ControlSet001 -> last boot
  • ControlSet002 -> last known good

  • HKLM\SYSTEM\CurrentControlSet -> live

  • Can be found under:

    • SYSTEM\Select\Current shows the used control set
    • SYSTEM\Select\LastKnownGood

Autostart Programs

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Recent Files

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs, e.g. xml, pdf, jpg
  • Office files -> NTUSER.DAT\Software\Microsoft\Office\VERSION, NTUSER.DAT\Software\Microsoft\Office\15.0\Word
  • Office 365 -> NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU

ShellBags

  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
  • NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

Last Open/Saved/Visited Dialog MRUs

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU
  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

Explorer Address/Search Bars

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

User Assist

  • GUI applications launched by the user
  • NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count

Shim Cache

  • Application Compatibility, AppCompatCache
  • SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
  • Use AppCompatCacheParser.exe --csv <path to save output> -f <path to SYSTEM hive for data parsing> -c <control set to parse>

AmCache

  • Information about recently run applications on the system
  • C:\Windows\appcompat\Programs\Amcache.hve
  • Last executed app -> Amcache.hve\Root\File\{Volume GUID}\
  • Saves SHA1 of the last executed app

Background Activity Monitor/Desktop Activity Moderator BAM/DAM

  • Saves full path of executed apps
  • SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
  • SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}

Devices

  • Identification
    • USB -> SYSTEM\CurrentControlSet\Enum\USBTOR, SYSTEM\CurrentControlSet\Enum\USB
  • Device name -> SOFTWARE\Microsoft\Windows Portable Devices\Devices
  • First time connected -> SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0064
  • Last time connected -> SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0066
  • Last removal time -> SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0067