whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added more details about registry forensics

This commit is contained in:
gurkenhabicht 2024-04-05 16:54:02 +02:00
parent 6fba5dd86d
commit 8270936b02
1 changed files with 31 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
Forensics/Windows Registration.md
View File

@ -3,6 +3,7 @@
* [Windows Forensics Cheat Sheet](https://user-images.githubusercontent.com/58165365/157232143-3c8785ec-164b-4843-bde8-9d9a22350159.png) * [Windows Forensics Cheat Sheet](https://user-images.githubusercontent.com/58165365/157232143-3c8785ec-164b-4843-bde8-9d9a22350159.png)
## Regedit Keys ## Regedit Keys
* HKEY_CURRENT_USER (HKCU), inside HKU * HKEY_CURRENT_USER (HKCU), inside HKU
* HKEY_USERS (HKU) * HKEY_USERS (HKU)
* HKEY_LOCAL_MACHINE (HKLM) * HKEY_LOCAL_MACHINE (HKLM)
@ -12,6 +13,7 @@
* HKEY_CURRENT_CONFIG * HKEY_CURRENT_CONFIG
## Paths ## Paths
* `C:\Windows\System32\Config` * `C:\Windows\System32\Config`
* Default -> `HKEY_USERS\DEFAULT` * Default -> `HKEY_USERS\DEFAULT`
* SAM -> `HKEY_LOCAL_MACHINE\SAM` * SAM -> `HKEY_LOCAL_MACHINE\SAM`
@ -27,23 +29,36 @@
* `C:\Windows\AppCompat\Programs\Amcache.hve` * `C:\Windows\AppCompat\Programs\Amcache.hve`
### Transaction Logs ### Transaction Logs
* Transaction `<name of registry hive>.LOG` of the registry hive * Transaction `<name of registry hive>.LOG` of the registry hive
* Saved inside the same directory which is `C:\Windows\System32\Config`, as the hive which was altered.
Saved inside the same directory which is `C:\Windows\System32\Config`, as the
hive which was altered.
### Backups ### Backups
* Saved every ten days * Saved every ten days
* Look out for recently deleted or modified keys * Look out for recently deleted or modified keys
* `C:\Windows\System32\Config\RegBack` * `C:\Windows\System32\Config\RegBack`
## Data Acquisition ## Data Acquisition
* Tools
Multiple tools with their own strengths and weaknesses should be chosen to acquire
the registry data, no matter if it is a live or a copied acquisition. Commonly
used tools are the following ones.
* [Autopsy](https://www.autopsy.com/) * [Autopsy](https://www.autopsy.com/)
* [FTK Imager](https://www.exterro.com/ftk-imager), does not copy `Amcache.hve` * [FTK Imager](https://www.exterro.com/ftk-imager), does not copy `Amcache.hve` when `Obtain Protected Files` has been chosen, copy them manually as an export from the file tree of the chosen image
* [KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape), preserves directory tree
* `Registry Viewer` [KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape),
* `Zimmerman's Registry Explorer`, uses transaction logs as well preserves directory tree.
* ` AppCompatCache Parser`
* `RegRipper`, cli and gui Following parts of EZTools should be taken note of.
* Registry Viewer
* Zimmerman's Registry Explorer, uses transaction logs as well
* AppCompatCache Parser
* RegRipper, cli and gui
## System Information ## System Information
* OS Version -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion` * OS Version -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
@ -167,3 +182,10 @@ Function Compare-AutoRunsBaseLine 14.0 Au
Function Get-PSAutorun 14.0 Aut... Function Get-PSAutorun 14.0 Aut...
Function New-AutoRunsBaseLine 14.0 Aut... Function New-AutoRunsBaseLine 14.0 Aut...
```
### Clean a Dirty Hive
If a hive is loaded by a tool and the tool complains about a dirty hive, the
transaction log of said hive has to be loaded as well. Extract it via FTK or
KAPE alongside the hive itself.