Intro
When performing forensics, we will either encounter a live system or an image taken of the system. For the sake of accuracy, it is recommended practice to image the system or make a copy of the required data and perform forensics on it. This process is called data acquisition.
We will use The Following Tool For our investigation:–
https://ericzimmerman.github.io/#!index.md(Zimmerman’s Registry Explorer)
System Information and System Accounts Information:–
OS Version:
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Current control set:
The hives containing the machine’s configuration data used for controlling system startup are called Control Sets. Commonly, we will see two Control Sets, ControlSet001 and ControlSet002, in the SYSTEM hive on a machine. In most cases, ControlSet001 will point to the Control Set that the machine booted with, and ControlSet002 will be the last known good configuration. Their locations will be:
- SYSTEM\ControlSet001
- SYSTEM\ControlSet002
Computer Name:
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Time Zone Information:
SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Network Interfaces and Past Networks:
- SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
Autostart Programs (Autoruns):
The following registry keys include information about programs or commands that run when a user logs on.
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SYSTEM\CurrentControlSet\Services
SAM hive and user information:
SAM\Domains\Account\Users