added more details about registry forensics
This commit is contained in:
parent
6fba5dd86d
commit
8270936b02
|
|
@ -3,6 +3,7 @@
|
|||
* [Windows Forensics Cheat Sheet](https://user-images.githubusercontent.com/58165365/157232143-3c8785ec-164b-4843-bde8-9d9a22350159.png)
|
||||
|
||||
## Regedit Keys
|
||||
|
||||
* HKEY_CURRENT_USER (HKCU), inside HKU
|
||||
* HKEY_USERS (HKU)
|
||||
* HKEY_LOCAL_MACHINE (HKLM)
|
||||
|
|
@ -12,6 +13,7 @@
|
|||
* HKEY_CURRENT_CONFIG
|
||||
|
||||
## Paths
|
||||
|
||||
* `C:\Windows\System32\Config`
|
||||
* Default -> `HKEY_USERS\DEFAULT`
|
||||
* SAM -> `HKEY_LOCAL_MACHINE\SAM`
|
||||
|
|
@ -27,23 +29,36 @@
|
|||
* `C:\Windows\AppCompat\Programs\Amcache.hve`
|
||||
|
||||
### Transaction Logs
|
||||
|
||||
* Transaction `<name of registry hive>.LOG` of the registry hive
|
||||
* Saved inside the same directory which is `C:\Windows\System32\Config`, as the hive which was altered.
|
||||
|
||||
Saved inside the same directory which is `C:\Windows\System32\Config`, as the
|
||||
hive which was altered.
|
||||
|
||||
### Backups
|
||||
|
||||
* Saved every ten days
|
||||
* Look out for recently deleted or modified keys
|
||||
* `C:\Windows\System32\Config\RegBack`
|
||||
|
||||
## Data Acquisition
|
||||
* Tools
|
||||
|
||||
Multiple tools with their own strengths and weaknesses should be chosen to acquire
|
||||
the registry data, no matter if it is a live or a copied acquisition. Commonly
|
||||
used tools are the following ones.
|
||||
|
||||
* [Autopsy](https://www.autopsy.com/)
|
||||
* [FTK Imager](https://www.exterro.com/ftk-imager), does not copy `Amcache.hve`
|
||||
* [KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape), preserves directory tree
|
||||
* `Registry Viewer`
|
||||
* `Zimmerman's Registry Explorer`, uses transaction logs as well
|
||||
* ` AppCompatCache Parser`
|
||||
* `RegRipper`, cli and gui
|
||||
* [FTK Imager](https://www.exterro.com/ftk-imager), does not copy `Amcache.hve` when `Obtain Protected Files` has been chosen, copy them manually as an export from the file tree of the chosen image
|
||||
|
||||
[KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape),
|
||||
preserves directory tree.
|
||||
|
||||
Following parts of EZTools should be taken note of.
|
||||
|
||||
* Registry Viewer
|
||||
* Zimmerman's Registry Explorer, uses transaction logs as well
|
||||
* AppCompatCache Parser
|
||||
* RegRipper, cli and gui
|
||||
|
||||
## System Information
|
||||
* OS Version -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
|
||||
|
|
@ -167,3 +182,10 @@ Function Compare-AutoRunsBaseLine 14.0 Au
|
|||
Function Get-PSAutorun 14.0 Aut...
|
||||
|
||||
Function New-AutoRunsBaseLine 14.0 Aut...
|
||||
```
|
||||
|
||||
### Clean a Dirty Hive
|
||||
|
||||
If a hive is loaded by a tool and the tool complains about a dirty hive, the
|
||||
transaction log of said hive has to be loaded as well. Extract it via FTK or
|
||||
KAPE alongside the hive itself.
|
||||
|
|
|
|||
Loading…
Reference in New Issue