ACCESSDATA® FORENSICS Windows 7 Registry Artifacts


Windows 7 Registry Artifacts – Introduction
Forensic Analysis, Incident Response, eDiscovery, Information Assurance

Module Objectives
Registry files of forensic importance: NTUSER.DAT, SAM, SYSTEM, SOFTWARE, SECURITY

NTUSER.DAT – Typed URLs
Addresses either typed or copied into the browser address bar
Tracks up to the last 25 entered
The last one entered is on top

MRUs – Recent Docs
Stored by extension
Stores the last 10 of each extension type (0-9)
Creates a new extension subkey when a new file type is seen

MRUs – ComDlg32
Windows 7 displays 5 subkey sets: CIDSizeMRU, FirstFolder, LastVisitedPidlMRU, LastVisitedPidlMRULegacy, OpenSavePidlMRU

ComDlg32 – CIDSizeMRU
This subkey tracks applications globally
592-byte values
Little data beyond the application name/extension

ComDlg32 – FirstFolder
Tracks the general install location of applications
In some instances it will point to a user location

ComDlg32 – LastVisitedPidlMRU
Tracks the application used to access a file
Tracks the location where the file existed
It does not track the specific file
Example from the slide: Registry Viewer.exe: J:\ _WIN7 3 Day\ test regback

ComDlg32 – LastVisitedPidlMRULegacy
Legacy tracks 32-bit application data

MRUs – ComDlg32
Stored by extension
Stores the last 20 (0-19)
Creates a new extension subkey when a new file type is seen
Note: The MRU list is stored in hex while the value name is in decimal
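The note above (MRU order stored in hex, value names in decimal) describes the MRUListEx value found in each ComDlg32 extension subkey. The following is an added example, not from the slides: it decodes a constructed MRUListEx blob into the value names in most-recent-first order and flags indexes in the list that have no matching value, or values that are missing from the list.

```python
import struct

# Constructed sample of one OpenSavePidlMRU extension subkey (e.g. "txt"):
# MRUListEx is a little-endian DWORD list, most recent first, ending in FFFFFFFF;
# the data values are named with the same indexes written in decimal.
SAMPLE_SUBKEY = {
    "MRUListEx": bytes.fromhex("02000000" "00000000" "01000000" "FFFFFFFF"),
    "0": b"<pidl for oldest entry>",
    "1": b"<pidl for middle entry>",
    "2": b"<pidl for most recent entry>",
}

def parse_mrulistex(data: bytes) -> list:
    """Return the index order from an MRUListEx blob, most recent first."""
    order = []
    usable = len(data) - len(data) % 4          # ignore a trailing partial DWORD
    for (idx,) in struct.iter_unpack("<I", data[:usable]):
        if idx == 0xFFFFFFFF:                    # list terminator
            break
        order.append(idx)
    return order

def ordered_values(subkey: dict) -> list:
    """Walk the MRU list and pair each hex index with its decimal-named value.

    Returns (position, value_name, data) tuples; data is None when the list
    references an index that has no value (a sign of a partially cleared key).
    """
    result = []
    for pos, idx in enumerate(parse_mrulistex(subkey["MRUListEx"])):
        name = str(idx)                          # hex index -> decimal value name
        result.append((pos, name, subkey.get(name)))
    return result

def orphaned_values(subkey: dict) -> list:
    """Value names present in the key but absent from MRUListEx (no MRU position)."""
    listed = {str(i) for i in parse_mrulistex(subkey["MRUListEx"])}
    return sorted(n for n in subkey if n != "MRUListEx" and n not in listed)
```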

ComDlg32 – OpenSavePidlMRU
Where the document was stored makes a difference to these values
External drives show the drive letter at offset 23

ComDlg32 – OpenSavePidlMRU
User-created locations are also displayed at offset 23
However, known Windows paths are not displayed
Screenshot: this file was stored in My Documents

ComDlg32 – OpenSavePidlMRU
This was a document on the “Desktop”: it archives the path statement from there without identifying the Desktop origin
This was in “My Documents”, and the 12,560-byte value identifies the full path at the end
Paths are relative: this file was off the Desktop, and the path statement starts with the first folder from the Desktop
Many use a GUID to designate the application and GUIDs for the path statement
General behavior: if no value exists, one is created; if one does exist, the path accessed is modified

PIDL – Pointer to an Item Identifier List
MS has virtual or “shell” folders (My Computer, My Documents) as well as user-created folders
Stored as a series of values (Item IDs, one per object) rather than a path, as they don’t exist in the file system

MRUs – RunMRU
Stored commands from the Run box
Stores the last 10 (a-j)

MRUs – MS Office 2007 / 2010
File MRU in Office 2007 records the last 50 accessed documents
Functional in Excel, PowerPoint, and Word (2010 also includes Access)

MRUs – MS Office 2007 / 2010
Office 2007 has a date/time identifier in the MRU: a 64-bit Windows date/time stamp identifying:
Excel – last opened by user
PowerPoint – last saved by user
Word – last opened by user
Note: This date stamp is stored in Unicode and in a big-endian format. Registry Viewer currently does not have a converter that can read the values.

MRUs – MS Office 2007 / 2010
Copy and decode the format to view the date/time of save

Windows 7 – Start > Searches

Windows 7 – Start > Searches
Set the folders to index at: Control Panel > Indexing Options
The WorkingSetRules registry key displays both default and user-created index locations

TypedPaths – Windows Explorer
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

Windows 7 – UserAssist
Different GUIDs from previous versions: CEBFF5CD-ACE2-4F4F-9178-9926F41749EA and F4E57C4B-2036-45F0-A9AB-443BCFE33D9F
GUIDs are also used to identify paths
Offsets have changed for the number of application launches and the last date/time launched
The Session ID has been removed
The count value now starts at “1” instead of “5”

Windows 7 – UserAssist
Different GUIDs for the Count subkeys
ROT13 encryption
Date and time of last launch – offsets 60-67
Number of launches – offsets 4-7
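As an added example (not from the slides), this Python decodes a Windows 7 UserAssist entry using the two facts above: the value name is ROT13-encoded, and the binary value carries the run count at offsets 4-7 and the last-launch FILETIME at offsets 60-67. The 72-byte value and the program name "Abgrcnq.rkr" are constructed sample data, not taken from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is the number of 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def decode_userassist(value_name: str, data: bytes) -> dict:
    """Decode one value under ...\\UserAssist\\{GUID}\\Count in a Windows 7 NTUSER.DAT."""
    if len(data) < 68:
        raise ValueError("value too short for the Windows 7 layout (offsets 60-67 needed)")
    program = codecs.decode(value_name, "rot13")        # names are ROT13-obfuscated
    run_count = struct.unpack_from("<I", data, 4)[0]    # offsets 4-7; real count, starts at 1
    last_ft = struct.unpack_from("<Q", data, 60)[0]     # offsets 60-67; FILETIME, UTC
    return {
        "program": program,
        "run_count": run_count,
        # A zero FILETIME means the entry exists but no launch time was recorded
        "last_run_utc": filetime_to_datetime(last_ft) if last_ft else None,
    }

def build_sample(run_count: int, last_run: datetime) -> bytes:
    """Constructed 72-byte Windows 7 UserAssist value with only the slide's fields set."""
    buf = bytearray(72)
    struct.pack_into("<I", buf, 4, run_count)
    struct.pack_into("<Q", buf, 60, datetime_to_filetime(last_run))
    return bytes(buf)

# Constructed: "Abgrcnq.rkr" is the ROT13 form of Notepad.exe
SAMPLE_NAME = "Abgrcnq.rkr"
SAMPLE_DATA = build_sample(7, datetime(2011, 1, 19, 21, 34, 37, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(decode_userassist(SAMPLE_NAME, SAMPLE_DATA))
```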

Protected Storage
Storage1 – queries and form data
Storage2 – stored logon passwords

Protected Storage
Encrypted using the Windows DPAPI (Data Protection Application Programming Interface)
The cryptographic system uses: the user’s logon password, the Protect folder, and the URL or query header

Cracking Protected Storage DPAPI
Export from the image:
NTUSER.DAT of the suspect (stored encrypted data)
SAM and SYSTEM files (for the logon password)
Low History index.dat file (for website passwords)
User’s Protect folder (DPAPI encryption keys)
Attack the user’s logon password:
Drop the SAM file into PRTK
Point PRTK to the SYSTEM file
Create an empty text file to parse results to

Cracking Protected Storage DPAPI
NTUSER.DAT Protected Storage Attack - PRTK: Protect folder, logon password, index.dat history, results text file

UsrClass.dat - MuiCache
Screenshots: Windows 7 and Windows XP

D&T (Date & Time) Synch via Internet – File System

D&T Synch via Internet – Registry
SYSTEM\ControlSet###\services\W32Time\Parameters\Type
Type = NTP (enabled)
Type = NoSync (disabled)

Transition to 64-bit Windows
Requires 32-bit backwards compatibility, which takes a few tricks to run 32-bit apps
File system: 32-bit utilities are in Windows\SysWOW64; System32 contains the 64-bit utilities
Registry: 32-bit keysets are under Wow6432Node, located in these files: NTUSER.DAT, SOFTWARE

SAM – Multiple Profile Issues
0x000003F6 = 1014 decimal

SAM File Information
Resolution of SID to user
User profiles/names
Password hint
User tile (user icon)

SAM File – F Value Properties
Last logon time – offsets 8-15
RID – offsets 48-49
Logon count – offsets 66-67
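An added example, not from the slides, tying the SAM slides together: it converts a Users subkey name such as 000003F6 to its decimal RID (1014, as on the Multiple Profile Issues slide) and parses the F value offsets listed above (last logon at 8-15, RID at 48-49, logon count at 66-67), cross-checking that both RIDs agree. The F value bytes are constructed sample data.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def rid_from_key_name(name: str) -> int:
    """SAM\\SAM\\Domains\\Account\\Users subkeys are named with the RID in hex."""
    return int(name, 16)                                 # "000003F6" -> 1014

def parse_f_value(f: bytes) -> dict:
    """Pull the three fields the slide lists out of a user's F value."""
    if len(f) < 68:
        raise ValueError("F value shorter than 68 bytes; offsets 66-67 unavailable")
    last_logon_ft = struct.unpack_from("<Q", f, 8)[0]    # offsets 8-15, FILETIME (UTC)
    rid = struct.unpack_from("<H", f, 48)[0]             # offsets 48-49
    logon_count = struct.unpack_from("<H", f, 66)[0]     # offsets 66-67
    return {
        "rid": rid,
        "logon_count": logon_count,
        # A zero FILETIME means the account has never logged on
        "last_logon_utc": (EPOCH_1601 + timedelta(microseconds=last_logon_ft // 10))
                          if last_logon_ft else None,
    }

def parse_user(key_name: str, f: bytes) -> dict:
    """Combine key name and F value; a RID mismatch flags a tampered or mis-copied hive."""
    info = parse_f_value(f)
    info["key_rid"] = rid_from_key_name(key_name)
    info["rid_consistent"] = info["key_rid"] == info["rid"]
    return info

def build_sample_f(rid: int, logon_count: int, last_logon: datetime) -> bytes:
    """Constructed 80-byte F value with only the slide's fields populated."""
    buf = bytearray(80)
    ft = ((last_logon - EPOCH_1601) // timedelta(microseconds=1)) * 10
    struct.pack_into("<Q", buf, 8, ft)
    struct.pack_into("<H", buf, 48, rid)
    struct.pack_into("<H", buf, 66, logon_count)
    return bytes(buf)

# Constructed: RID 1014 with 23 logons, last one on 2011-01-19 21:34:37 UTC
SAMPLE_F = build_sample_f(1014, 23, datetime(2011, 1, 19, 21, 34, 37, tzinfo=timezone.utc))
```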

SAM File – V Value Properties
User name, description, user full name

SAM File – Groups
An administrative tool used to assign rights to a collection of users
Custom groups are located at: SAM\SAM\Domains\Account\Aliases
Useful in corporate investigations to see if a person had specific rights to accomplish a task, or to determine missing RIDs
RIDs shown (hex = decimal): 1F4 = 500, 1F5 = 501, 3E8 = 1000, 3E9 = 1001, 3EA = 1002, 3EB = 1003, 3EC = 1004, 3ED = 1005

SYSTEM File
Computer name, mounted devices, time zone information, last accessed date/time

Change of Computer Name
ComputerName subkey and ActiveComputerName
Upon reboot, both values will change

SYSTEM File – MountedDevices
Tracking HDDs in the image
The current partition on the physical F drive
The persistent value remains even if the F drive is overwritten

SYSTEM File - MountedDevices
The drive ID listed in MountedDevices is stored in the MBR at offset 440
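Added example, not from the slides: it reads the 4-byte disk signature at MBR offset 440 from a sector image and compares it with the MountedDevices \DosDevices\ values, which for MBR disks hold that signature followed by the partition's byte offset (a 12-byte value); volume-GUID and removable-media entries hold a wide string instead and are skipped. The MBR sector and the registry values are constructed sample data, not from a real system.

```python
import struct

def mbr_disk_signature(sector: bytes) -> int:
    """Disk signature is at offset 440 of the MBR; 0x55AA at 510 sanity-checks the sector."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR sector (bad length or missing 55 AA marker)")
    return struct.unpack_from("<I", sector, 440)[0]

def parse_dosdevice(data: bytes):
    """MBR-style \\DosDevices\\X: value: 4-byte disk signature + 8-byte partition offset.
    Returns None for the wide-string form used by volume GUIDs and removable media."""
    if len(data) != 12:
        return None
    signature, start_offset = struct.unpack("<IQ", data)
    return signature, start_offset

def volumes_on_disk(mounted: dict, sector: bytes) -> dict:
    """Map each \\DosDevices\\ name whose signature matches this MBR to its partition offset."""
    signature = mbr_disk_signature(sector)
    hits = {}
    for name, data in mounted.items():
        parsed = parse_dosdevice(data)
        if parsed and parsed[0] == signature:
            hits[name] = parsed[1]
    return hits

# --- constructed sample data ---------------------------------------------
_mbr = bytearray(512)
struct.pack_into("<I", _mbr, 440, 0xA1B2C3D4)          # disk signature at offset 440
_mbr[510:512] = b"\x55\xaa"                            # boot sector marker
SAMPLE_MBR = bytes(_mbr)

SAMPLE_MOUNTED = {
    r"\DosDevices\C:": struct.pack("<IQ", 0x01020304, 1_048_576),  # a different disk
    r"\DosDevices\F:": struct.pack("<IQ", 0xA1B2C3D4, 1_048_576),  # this MBR, 1 MiB in
    r"\DosDevices\E:": "_??_USBSTOR#Disk&Ven_Sample#".encode("utf-16-le"),  # wide string
}
```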

SYSTEM File – Time Zone Info
0 = Automatic adjustment for daylight time is turned ON
1 = Automatic adjustment for daylight time is turned OFF

SYSTEM File – Last Access Date

Last Access Date/Time
1 = Updating disabled (default)
0 = Updating enabled (changed by user)

SOFTWARE File
Registered owner, operating system type, operating system installation date/time

Last Logged On User
Microsoft\Windows\CurrentVersion\Authentication\LogonUI
Computer name and user name
Records the last written time as the system powers down

Wireless in Windows 7
SSID – Service Set Identifier
\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\<guid>
Category: 0 = Public, 1 = Home, 2 = Work
Managed: 0 = Unmanaged, 1 = Managed

Date and Time Translation
Year          D7 07   2007
Month         06 00   June
Day of Week   04 00   Thu (0 = Sunday, 1 = Monday, 2 = Tuesday, etc.)
Day of Month  0E 00   14th
Hour          10 00   16
Minutes       1B 00   27
Seconds       2A 00   42
(unlabelled)  AB 00
NOTE: The time is displayed in local time to the machine

Managed versus Unmanaged
ProfileName
MAC address of the remote system’s gateway
Managed: remote server
Unmanaged: wireless router

Media Access Control (MAC Address)

Date and Time Translation
Before we start, let’s look at the dates and times of the Profiles subkey for comparative purposes
The next series of slides will track this Verizon device through the wireless keys

Date and Time Translation
DateCreated: 10/21/2010 09:02:48
DateLastConnected: 01/19/2011 21:34:37
NOTE: This stored date and time is based on local machine time, not UTC
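The byte layout on the Date and Time Translation slide is the 16-byte Windows SYSTEMTIME structure (eight little-endian 16-bit words; the unlabelled trailing word is milliseconds), which is also the format of the Profiles DateCreated and DateLastConnected values above. As an added example, not from the slides, this Python decodes the slide's own bytes, checks the stored day-of-week against the calendar, and round-trips the two Profiles timestamps; all values are local machine time, as the slides note.

```python
import struct
from datetime import datetime

# Bytes exactly as shown on the slide: D7 07 06 00 04 00 0E 00 10 00 1B 00 2A 00 AB 00
SLIDE_BYTES = bytes.fromhex("D707 0600 0400 0E00 1000 1B00 2A00 AB00")
DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]

def decode_systemtime(raw: bytes) -> dict:
    """Unpack SYSTEMTIME: year, month, day-of-week, day, hour, minute, second, ms."""
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME is exactly 16 bytes")
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    local = datetime(year, month, day, hour, minute, second, ms * 1000)  # raises on garbage
    # The stored day-of-week (0 = Sunday) must agree with the calendar; a mismatch
    # usually means the bytes were copied from the wrong offset or byte-swapped.
    if dow != (local.weekday() + 1) % 7:
        raise ValueError(f"day-of-week field {dow} does not match {local:%A}")
    return {"local_time": local, "day_of_week": DAYS[dow], "millisecond": ms}

def encode_systemtime(local: datetime) -> bytes:
    """Inverse of decode_systemtime, for building test vectors or search patterns."""
    return struct.pack("<8H", local.year, local.month, (local.weekday() + 1) % 7,
                       local.day, local.hour, local.minute, local.second,
                       local.microsecond // 1000)

def _suffix(day: int) -> str:
    if 11 <= day % 100 <= 13:
        return "th"
    return {1: "st", 2: "nd", 3: "rd"}.get(day % 10, "th")

def slide_style(raw: bytes) -> str:
    """Render like the slide: '2007 June Thu 14th 16:27:42'."""
    t = decode_systemtime(raw)["local_time"]
    return f"{t.year} {t:%B} {t:%a} {t.day}{_suffix(t.day)} {t:%H:%M:%S}"

# Constructed from the Profiles slide values (local machine time)
PROFILE_CREATED = encode_systemtime(datetime(2010, 10, 21, 9, 2, 48))
PROFILE_LAST_CONNECTED = encode_systemtime(datetime(2011, 1, 19, 21, 34, 37))
```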

Wireless Registration
The Wireless subkey name is an ID number for the wireless connection
Because this key is written during the original connection only, it retains the date and time of first connection

Unmanaged
The identifier can be traced from the Wireless subkey to the Unmanaged subkey
Note the header before the identifier

Unmanaged
The Unmanaged subkey provides: ProfileGuid, Description, FirstNetwork, DefaultGatewayMac
Again, because this subkey is generally written to only during creation, it stores the first connection date and time

Profiles
The ProfileGuid in Unmanaged points to the device’s information in the Profiles subkey
Since this key is subject to modification with each new connection, the last written time is indicative of the last connected time as well

Wireless User
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\<guid>

Wireless User
At the bottom of the Wpad keys will be a series of MAC addresses
These can be matched up to the MAC addresses listed in the Unmanaged keyset
Once backtracked to the Unmanaged key, the ProfileGuid will allow checking the other user connections through this device
During testing, times did not match exactly but were close for the first connect time

Recycle Bin System File
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume
MaxCapacity – MB
NukeOnDelete: 0 = On, 1 = Off

SECURITY File
Old password cache for domain storage
Last logged on user password cache

Password Recovery
Policy\Secrets\DefaultPassword
Current password and previous password

Module Review
Registry files of forensic importance: NTUSER.DAT, SAM, SYSTEM, SOFTWARE, SECURITY