diff --git a/Forensics/Windows Registration.md b/Forensics/Windows Registration.md index f2fdae3..7e861b2 100644 --- a/Forensics/Windows Registration.md +++ b/Forensics/Windows Registration.md @@ -3,6 +3,7 @@ * [Windows Forensics Cheat Sheet](https://user-images.githubusercontent.com/58165365/157232143-3c8785ec-164b-4843-bde8-9d9a22350159.png) ## Regedit Keys + * HKEY_CURRENT_USER (HKCU), inside HKU * HKEY_USERS (HKU) * HKEY_LOCAL_MACHINE (HKLM) @@ -12,6 +13,7 @@ * HKEY_CURRENT_CONFIG ## Paths + * `C:\Windows\System32\Config` * Default -> `HKEY_USERS\DEFAULT` * SAM -> `HKEY_LOCAL_MACHINE\SAM` 
@@ -27,23 +29,36 @@ * `C:\Windows\AppCompat\Programs\Amcache.hve` ### Transaction Logs + * Transaction `.LOG` of the registry hive -* Saved inside the same directory which is `C:\Windows\System32\Config`, as the hive which was altered. + +Saved inside the same directory which is `C:\Windows\System32\Config`, as the +hive which was altered. ### Backups + * Saved every ten days * Look out for recently deleted or modified keys * `C:\Windows\System32\Config\RegBack` ## Data Acquisition -* Tools - * [Autopsy](https://www.autopsy.com/) - * [FTK Imager](https://www.exterro.com/ftk-imager), does not copy `Amcache.hve` - * [KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape), preserves directory tree - * `Registry Viewer` - * `Zimmerman's Registry Explorer`, uses transaction logs as well - * ` AppCompatCache Parser` - * `RegRipper`, cli and gui + +Multiple tools with their own strengths and weaknesses should be chosen to acquire +the registry data, no matter if it is a live or a copied acquisition. Commonly +used tools are the following ones. + +* [Autopsy](https://www.autopsy.com/) +* [FTK Imager](https://www.exterro.com/ftk-imager), does not copy `Amcache.hve` when `Obtain Protected Files` has been chosen, copy them manually as an export from the file tree of the chosen image + +[KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape), +preserves directory tree. + +Following parts of EZTools should be taken note of. + +* Registry Viewer +* Zimmerman's Registry Explorer, uses transaction logs as well +* AppCompatCache Parser +* RegRipper, cli and gui ## System Information * OS Version -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion` 
@@ -167,3 +182,10 @@ Function Compare-AutoRunsBaseLine 14.0 Au Function Get-PSAutorun 14.0 Aut... Function New-AutoRunsBaseLine 14.0 Aut... +``` + +### Clean a Dirty Hive + +If a hive is loaded by a tool and the tool complains about a dirty hive, the +transaction log of said hive has to be loaded as well. Extract it via FTK or +KAPE alongside the hive itself.
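Review bot: In the `## Data Acquisition` hunk, the sentence "Following parts of EZTools should be taken note of." mislabels two of the four tools: `Registry Viewer` is an AccessData/Exterro tool shipped alongside FTK and `RegRipper` is Harlan Carvey's project, so only Registry Explorer and AppCompatCache Parser belong to Zimmerman's EZTools. Either reword the lead-in to "Commonly used parsers are the following" or move the two non-EZTools entries back into the general list. Two smaller points in the same hunk: KAPE was pulled out of the bullet list into its own paragraph while Autopsy and FTK Imager stay as bullets, which reads as if it belongs to a different category; and the FTK Imager bullet is a run-on whose meaning is ambiguous ("does not copy `Amcache.hve` when `Obtain Protected Files` has been chosen" could mean "only when" or "even when"). Suggest: "does not copy `Amcache.hve` even when `Obtain Protected Files` is selected; export it manually from the file tree of the image." The reflowed "Saved inside the same directory which is ..., as the hive which was altered." would also read better as "Saved in the same directory as the altered hive, `C:\Windows\System32\Config`."

Review bot: In the `### Clean a Dirty Hive` hunk, the new section says the transaction log "has to be loaded as well" but not where the tool expects to find it; since the `### Transaction Logs` section above already states that the `.LOG` lives in the same directory as its hive, add a sentence such as "Keep the extracted `.LOG` next to the hive in the same directory so the tool can pick it up when the hive is opened." The `+```` line at the top of the hunk closes a previously unterminated code fence and is a correct fix, but it is unrelated to the new section and would be easier to review as its own commit.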