more event logs added, more details about domain user information added

Forensics/Windows Event Logs.md

@@ -38,11 +38,15 @@ Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
 * **4723**: Attempt to change an account password. The user attempts to change their password
 * **4724**: Attempt to reset the account password. The user attempts to reset the password of another account
 * **4725**: Account disable
-* **4726**: Account removal
+* **4726**: Account removed from systemved from system
 * **4728**: Attempt to add an account to a global security group
 * **4729**: Attempt to remove an account from a global security group
+* **4738**: User account properties were changed
+* **4740**: User account was locked after repeated attempt of access
 * **4756**: Attempt to add an account to a universal security group
 * **4757**: Attempt to remove an account from a universal security group
+* **4768**: Kerberos TGT request
+* **4771**: Kerberos pre-auth failure
 
 ### Account Logon
 

Forensics/Windows Registration.md

@@ -14,12 +14,9 @@
 
 ## Paths
 
-These parts of the registries are called hives. They can be found under the
+These parts of the registries are called hives. They can be found under  `C:\Windows\System32\Config`.
-following path.
-
-* `C:\Windows\System32\Config`
 * Default -> `HKEY_USERS\DEFAULT`
-    * SAM -> `HKEY_LOCAL_MACHINE\SAM`
+* SAM contains account names/status/groups, hashed password, login timestamps -> `HKEY_LOCAL_MACHINE\SAM`
 * SECURITY -> `HKEY_LOCAL_MACHINE\Security`
 * SOFTWARE -> `HKEY_LOCAL_MACHINE\Software`
 * SYSTEM -> `HKEY_LOCAL_MACHINE\System`
@@ -31,6 +28,9 @@ following path.
 
 * `C:\Windows\AppCompat\Programs\Amcache.hve`
 
+* `C:\Windows\security\database\` 
+    * `secedit.sdb`, access control configuration
+
 ### Transaction Logs
 
 * Transaction `<name of registry hive>.LOG` of the registry hive
@@ -64,6 +64,7 @@ Following parts of EZTools should be taken note of.
 * RegRipper, cli and gui
 
 ## System Information
+
 * OS Version -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
 * Computer Name -> `SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName`
 * Time Zone `SYSTEM\CurrentControlSet\Control\TimeZoneInformation`
@@ -160,6 +161,33 @@ GUIDs can be found in the following folder.
 
 * `NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count`
 
+## Network
+
+Network configuration can be found in the following path.
+
+* `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetworkList`
+
+## Domain Account Information
+
+The NT Directory Services `NTDS.dit` hive is an active directory database which contains information about the domain users.
+
+Information stored about the domain users are for example, their full name, the username the Security identifier (SID),(domain & local) group memberships, hashed passwords for  user accounts, login timestamps, last set password, expiration time of the current password, security policies, OUs and connections to other domains.
+
+To get information out of the `NTDS.dit` hive, it has to be exported along with the SYSTEM hive to get the boot key of the system for decryption.
+
+Use `ntdsutil` tool to export a snapshot of the information.
+
+```sh
+C:\Windows\system32\ntdsutil.exe "activate instance ntds" "ifm" "create full C:\Windows\Temp\NTDS" quit quit
+```
+
+Export the boot key of the system and use it for decryption.
+
+```sh
+$BootKey = Get-BootKey -SystemHivePath 'C:\Windows\Temp\NTDS\registry\SYSTEM'
+Get-ADDBAccount -All -DBPath 'C:\Windows\Temp\NTDS\NTDS.dit' -BootKey $BootKey
+```
+
 ## Shim Cache
 
 Application Compatibility, AppCompatCache