# 1. Windows Forensics 1

## Task 1: Introduction to Windows Forensics

### Overview of Computer Forensics
Computer forensics is a vital branch of cybersecurity focused on gathering and analyzing evidence from computers. It is part of the broader field of **Digital Forensics**, which encompasses all types of digital devices. Applications include:
- Legal investigations (civil or criminal cases)
- Corporate investigations
- Incident and intrusion analysis

#### Example Case: BTK Serial Killer
Digital forensics played a key role in solving the BTK case by analyzing a floppy disk containing deleted metadata, leading to the arrest of the killer after years of inactivity.

### Importance of Windows Forensics
- **Microsoft Windows** holds ~80% of the desktop market share, making it the most widely used desktop operating system.
- Understanding Windows forensics is critical for forensic investigators due to its extensive usage in both private and enterprise environments.

### Forensic Artifacts
Artifacts are digital traces or evidence of user activity, much like fingerprints or tools at a physical crime scene. Examples on a Windows system include:
- Registry entries
- User profile data
- Application-specific files

Investigators analyze these artifacts to reconstruct user actions on a system.

### Is Your Computer Spying on You?
- Windows tracks user activity to personalize the experience, such as desktop layouts, browser bookmarks, and application usage.
- While not explicitly designed for spying, this information is invaluable for forensic investigations.

**Questions**:

1. What is the most used Desktop Operating System right now?
   - **Answer**: Microsoft Windows

## Task 2: Windows Registry and Forensics

### Overview of the Windows Registry
The Windows Registry is a critical system component that stores configuration data for:
- Hardware
- Software
- User profiles and preferences
- Recently used files and connected devices

This information is invaluable for forensic analysis to track user and system activity. The registry can be accessed and edited using the built-in `regedit.exe` utility.

### Structure of the Registry
The registry is organized into **Keys** and **Values**:
- **Registry Keys**: Act like folders that store configuration settings.
- **Registry Values**: Contain the data stored in the keys.
- **Registry Hives**: Groups of keys, subkeys, and values saved as individual files on the disk.

#### Root Keys
The Windows Registry has five main root keys:
1. **HKEY_CURRENT_USER (HKCU)**  
   - Stores configuration data specific to the currently logged-in user (e.g., folders, screen colors, Control Panel settings).  
2. **HKEY_USERS (HKU)**  
   - Contains all active user profiles on the computer. HKCU is a subkey of HKU.  
3. **HKEY_LOCAL_MACHINE (HKLM)**  
   - Contains configuration data for the system, applicable to all users.  
4. **HKEY_CLASSES_ROOT (HKCR)**  
   - Ensures the correct program opens files in Windows Explorer. This key merges data from:
     - HKLM\Software\Classes (default settings for all users)
     - HKCU\Software\Classes (user-specific settings).  
5. **HKEY_CURRENT_CONFIG (HKCC)**  
   - Stores information about the current hardware profile used during startup.

### Accessing the Registry
1. Press **Windows Key + R** to open the Run prompt.
2. Type `regedit.exe` and press Enter.
3. The Registry Editor opens, displaying the root keys in a tree view on the left and their values on the right.


**Questions**:

1. What is the short form for HKEY_LOCAL_MACHINE?  
   - **Answer**: HKLM


## Task 3: Accessing Registry Hives Offline

### Overview
When accessing a live Windows system, the registry can be opened and edited with `regedit.exe`. However, when working with a disk image, forensic analysts need to know where registry hives are stored on disk.

### Registry Hive Locations
#### Main Registry Hives
These are stored in the **C:\Windows\System32\Config** directory:
1. **DEFAULT**: Mounted on `HKEY_USERS\DEFAULT`
2. **SAM**: Mounted on `HKEY_LOCAL_MACHINE\SAM`
3. **SECURITY**: Mounted on `HKEY_LOCAL_MACHINE\Security`
4. **SOFTWARE**: Mounted on `HKEY_LOCAL_MACHINE\Software`
5. **SYSTEM**: Mounted on `HKEY_LOCAL_MACHINE\System`

#### User-Specific Hives
Found in a user's profile directory (`C:\Users\<username>\`):
1. **NTUSER.DAT**: Mounted on `HKEY_CURRENT_USER` when the user logs in. Located in `C:\Users\<username>\`.
2. **USRCLASS.DAT**: Mounted on `HKEY_CURRENT_USER\Software\CLASSES`. Located in `C:\Users\<username>\AppData\Local\Microsoft\Windows\`.

These files are **hidden** by default.

#### Amcache Hive
The **Amcache Hive** is stored at `C:\Windows\AppCompat\Programs\Amcache.hve`. It contains information on programs recently executed on the system.

### Transaction Logs and Backups
- **Transaction Logs**:
  - Found in the same directory as the registry hives, with extensions like `.LOG`, `.LOG1`, `.LOG2`.
  - Example: `SAM.LOG` is the transaction log for the SAM hive.
  - Useful for retrieving recent changes not written to the registry hives.

- **Registry Backups**:
  - Located in **C:\Windows\System32\Config\RegBack**.
  - Backups are created every 10 days and can help retrieve deleted or modified keys.

### Questions and Answers

1. What is the path for the five main registry hives, DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM?
   - **Answer**: C:\Windows\System32\Config  

2. What is the path for the AmCache hive?
   - **Answer**: C:\Windows\AppCompat\Programs\Amcache.hve 


## Task 4: Data Acquisition

### Overview
Data acquisition is a fundamental step in forensic investigations, ensuring evidence is preserved without alteration. The process involves creating a copy of data from either a **live system** or a **disk image** to perform in-depth analysis. For sensitive files such as registry hives, direct access is restricted, so specialized tools are employed to extract them.

### Challenges in Acquiring Registry Data
The registry hives located in **%WINDIR%\System32\Config** are system-protected files and cannot be accessed directly through standard copying methods. To overcome this, forensic experts rely on dedicated tools designed for secure data extraction.

### Tools for Data Acquisition

#### 1. **KAPE**
- **Description**: A live data acquisition and analysis tool.
- **Features**: Command-line and GUI options for extracting registry hives.
- **Use Case**: Extract registry data from live systems efficiently.

#### 2. **Autopsy**
- **Description**: Forensic tool to analyze live systems or disk images.
- **Features**: 
  - Add a data source.
  - Navigate to desired files.
  - Right-click to **Extract Files**.
- **Use Case**: Export registry hives and analyze them offline.

#### 3. **FTK Imager**
- **Description**: Imaging and extraction tool for live systems and disk images.
- **Features**: 
  - Mount and export registry files.
  - **Obtain Protected Files** option (live systems only).
- **Limitations**: Does not extract `Amcache.hve`.

### Key Registry Hive Paths
1. **System Hives**: Found in **C:\Windows\System32\Config**
   - DEFAULT, SAM, SECURITY, SOFTWARE, SYSTEM
2. **User Hives**:
   - **NTUSER.DAT**: `C:\Users\<username>\`
   - **USRCLASS.DAT**: `C:\Users\<username>\AppData\Local\Microsoft\Windows\`
3. **Amcache Hive**: `C:\Windows\AppCompat\Programs\Amcache.hve`

### Questions and Answers

1. How can you acquire restricted registry hives from a live system?
   - **Answer**: Use tools like KAPE, Autopsy, or FTK Imager to extract the files.

2. Which tool cannot extract the Amcache hive?
   - **Answer**: FTK Imager.


## Task 5: Exploring Windows Registry

### Overview
After extracting registry hives, analyzing their content is a critical step in forensic investigations. Since the Windows Registry Editor only works with live systems and cannot load exported hives, specialized tools are required to examine these files effectively. Here are three widely used tools for this purpose:

### Tools for Registry Analysis

#### 1. **Registry Viewer**
- **Description**: 
  - Developed by AccessData, Registry Viewer mimics the interface of the Windows Registry Editor.
  - Enables investigators to load individual registry hives for analysis.
- **Limitations**:
  - Can only load one hive at a time.
  - Does not process transaction logs, limiting its ability to reflect the most recent registry changes.
- **Best For**: Quick examination of single hives with a familiar interface.
- **Source**: [AccessData Registry Viewer](https://accessdata.com)

#### 2. **Zimmerman's Registry Explorer**
- **Description**:
  - A powerful tool created by Eric Zimmerman, specifically designed for Digital Forensics and Incident Response.
  - Offers an intuitive interface for viewing and analyzing registry hives.
- **Key Features**:
  - Supports loading multiple registry hives simultaneously.
  - Merges transaction logs with hives to create a more accurate and up-to-date view.
  - Includes a **Bookmarks** feature with shortcuts to forensically significant registry keys and values.
- **Best For**: Comprehensive registry analysis with transaction log integration.
- **Source**: [Registry Explorer by Eric Zimmerman](https://ericzimmerman.github.io/#!index.md)


#### 3. **RegRipper**
- **Description**:
  - A utility for extracting forensically relevant information from registry hives.
  - Outputs results in a text-based report format.
  - Available in both CLI and GUI forms.
- **Limitations**:
  - Does not merge transaction logs with hives.
  - Requires Registry Explorer preprocessing for the most accurate results.
- **Best For**: Generating automated reports of forensic data from registry hives.
- **Source**: [RegRipper on GitHub](https://github.com/keydet89/RegRipper3.0)

### Notes for the Task
For this room, we will focus on **Registry Explorer** and other tools by Eric Zimmerman. These tools allow for advanced registry analysis by integrating transaction logs and providing a clean, updated view of registry data.

### Next Steps
In upcoming tasks, we will explore how to use Registry Explorer's features, such as loading transaction logs and leveraging the bookmarks menu to locate critical forensic evidence quickly.

### Further Reading and Sources
1. [AccessData Registry Viewer](https://accessdata.com)  
2. [Registry Explorer by Eric Zimmerman](https://ericzimmerman.github.io/#!index.md)  
3. [RegRipper GitHub Repository](https://github.com/keydet89/RegRipper3.0)  
4. [Eric Zimmerman's DFIR Tools](https://ericzimmerman.github.io/#!tools.md)  
5. [Introduction to Registry Forensics](https://www.sans.org/tools/registry-forensics/)


## Task 6: System Information and System Accounts

### Overview
When conducting forensic investigations, extracting system information from the registry is a crucial step. This includes data about the operating system, control sets, computer name, time zone, network interfaces, and user accounts. This task outlines the key registry locations and explains how to retrieve this information.


### Key Registry Locations

#### 1. **Operating System Version**
- **Registry Path**: `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
- **Information Retrieved**:
  - Version of the operating system.
  - Build number (e.g., `19044`).

#### 2. **Control Sets**
- **Registry Paths**:
  - `SYSTEM\ControlSet001`  
  - `SYSTEM\ControlSet002`  
  - `SYSTEM\Select\Current` (indicates the active control set).
  - `SYSTEM\Select\LastKnownGood` (indicates the last known good configuration).
- **Details**:
  - Control Sets contain the system configuration used during startup.
  - Example: ControlSet001 is typically the active set, while ControlSet002 stores the last known good configuration.

#### 3. **Computer Name**
- **Registry Path**: `SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName`
- **Information Retrieved**: The name of the computer being analyzed (e.g., `THM-4n6`).

#### 4. **Time Zone Information**
- **Registry Path**: `SYSTEM\CurrentControlSet\Control\TimeZoneInformation`
- **Details**:
  - Time zone name (e.g., `Pakistan Standard Time`).
  - Important for understanding event timestamps in forensic timelines.

#### 5. **Network Interfaces**
- **Registry Path**: `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
- **Details**:
  - List of network interfaces on the machine.
  - Information includes DHCP IP address (e.g., `192.168.100.58`), subnet mask, and DNS servers.

#### 6. **Past Networks**
- **Registry Paths**:
  - `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged`
  - `SOFTWARE\Microsoft`

#### 7. **Autostart Programs**
- **Registry Paths**:
  - `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`
  - `SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
  - `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`
  - `SYSTEM\CurrentControlSet\Services`
- **Details**:
  - Programs or commands set to run at user login or system boot.
  - A service whose `Start` value is `0x02` (automatic start) is launched at boot.

#### 8. **User Accounts**
- **Registry Path**: `SAM\Domains\Account\Users`
- **Details**:
  - User account information such as:
    - Relative Identifier (RID) (e.g., `501` for Guest).
    - Login details (e.g., last login time, failed login attempts).
    - Password policy and expiry information.
    - Group membership details.

### Questions and Answers

1. What is the Current Build Number of the machine?
   - **Answer**: `19044`

2. Which ControlSet contains the last known good configuration?
   - **Answer**: `1`

3. What is the Computer Name of the computer?
   - **Answer**: `THM-4n6`

4. What is the value of the TimeZoneKeyName?
   - **Answer**: `Pakistan Standard Time`

5. What is the DHCP IP address?  
   - **Answer**: `192.168.100.58`

6. What is the RID of the Guest User account? 
   - **Answer**: `501`

## Task 7: Usage or Knowledge of Files/Folders

### Overview
Forensic analysis can involve tracking recent user activity, including files opened, folders accessed, and dialog boxes interacted with. This data is often stored in Windows registry keys, particularly in the NTUSER hive. Below are key registry locations where such activity is logged, providing insights into user behavior.

### Key Registry Locations

#### 1. **Recent Files**
- **Registry Path**: `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`
- **Details**:
  - Stores the most recently used files by the user.
  - Organized by file extension (e.g., `.pdf`, `.docx`), allowing forensic analysts to check files based on type.
  - Shows the last opened time for each file.
  
#### 2. **Microsoft Office Recent Files**
- **Registry Path**: `NTUSER.DAT\Software\Microsoft\Office\VERSION`
  - `VERSION` corresponds to the version number of Office (e.g., `15.0` for Office 2013).
- **For Office 365**:
  - **Registry Path**: `NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU`
  - Contains the path of the most recently used files tied to a user’s LiveID.

#### 3. **ShellBags**
- **Registry Paths**:
  - `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags`
  - `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags`
- **Details**:
  - Tracks folder layouts and browsing history.
  - Can be analyzed to identify recent folders accessed by a user, even if the folders were later deleted.

#### 4. **Open/Save and LastVisited Dialog MRUs**
- **Registry Paths**:
  - `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU`
  - `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU`
- **Details**:
  - Tracks locations where users opened or saved files.
  - Can reveal paths and filenames associated with recent user actions.

#### 5. **Windows Explorer Address/Search Bars**
- **Registry Paths**:
  - `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`
  - `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery`
- **Details**:
  - Stores recently typed paths in the Windows Explorer address bar or search queries.
  - Can help uncover recent activity related to file navigation or search.
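
To make the RecentDocs layout concrete, here is an added Python example (not code from the room or from any of the tools it names) that orders the numbered values by `MRUListEx` and extracts the file name from each binary value. The input dictionary stands in for what an offline hive parser would return for the key; the sample values are constructed, and the same layout applies to the per-extension subkeys (`.pdf`, `.docx`, ...).

```python
from __future__ import annotations
import struct

# Layout of NTUSER.DAT\...\Explorer\RecentDocs (shared by its per-extension subkeys):
# each numbered value starts with the file name as a null-terminated UTF-16LE string
# followed by a binary shell item; MRUListEx is a sequence of little-endian DWORD
# indices, most recent first, terminated by 0xFFFFFFFF.

def _recent_value(name: str) -> bytes:
    """Build a constructed RecentDocs value: name + terminator + placeholder shell item."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32" + b"\x00" * 17

# Constructed sample standing in for what an offline hive parser would return for the key.
SAMPLE_RECENTDOCS = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    "0": _recent_value("report.docx"),
    "1": _recent_value("Changelog.txt"),
    "2": _recent_value("setups"),
}

def parse_mrulistex(blob: bytes) -> list[int]:
    """Return the MRU order (most recent first), stopping at the 0xFFFFFFFF terminator."""
    order = []
    usable = blob[: len(blob) - len(blob) % 4]          # ignore any trailing partial DWORD
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def extract_name(blob: bytes) -> str:
    """Read the leading null-terminated UTF-16LE file name from a RecentDocs value."""
    for i in range(0, len(blob) - 1, 2):                  # terminator is a 2-byte aligned 00 00
        if blob[i] == 0 and blob[i + 1] == 0:
            return blob[:i].decode("utf-16-le")
    return blob.decode("utf-16-le", errors="replace")    # no terminator: take what is there

def recent_docs(values: dict[str, bytes]) -> list[str]:
    """File names in most-recent-first order; indices without a matching value are skipped."""
    names = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        blob = values.get(str(idx))
        if blob is not None:
            names.append(extract_name(blob))
    return names

if __name__ == "__main__":
    for position, name in enumerate(recent_docs(SAMPLE_RECENTDOCS)):
        print(position, name)
```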

### Questions and Answers

1. When was EZtools opened?
   - **Answer**: `2021-12-01 13:00:34`

2. At what time was My Computer last interacted with?
   - **Answer**: `2021-12-01 13:06:47`

3. What is the Absolute Path of the file opened using notepad.exe?
   - **Answer**: `C:\Program Files\Amazon\Ec2ConfigService\Settings`

4. When was this file opened?
   - **Answer**: `2021-11-30 10:56:19`


## Task 8: Evidence of Execution

### Overview
In digital forensics, tracking user activity often involves analyzing artifacts related to the execution of applications. Windows maintains several registry keys and files that record information about program launches, file executions, and system activities. These include the **UserAssist**, **ShimCache**, **AmCache**, and **BAM/DAM** artifacts.

### Key Registry Locations and Artifacts

#### 1. **UserAssist**
- **Registry Path**: `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count`
- **Details**:
  - Tracks applications launched via Windows Explorer.
  - Records the number of times an application was executed and the last time it was launched.
  - Does **not** track applications run via the command line.

#### 2. **ShimCache (AppCompatCache)**
- **Registry Path**: `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache`
- **Details**:
  - Ensures backward compatibility of applications with the OS.
  - Tracks all applications executed on the machine.
  - Stores the file name, size, and last modified time of executables.
  - **AppCompatCache** is another name for ShimCache.

#### 3. **AmCache**
- **File Path**: `C:\Windows\appcompat\Programs\Amcache.hve`
- **Details**:
  - Similar to ShimCache, but provides more detailed execution information.
  - Stores execution path, installation times, deletion times, and SHA1 hashes of executed programs.
  - The registry location: `Amcache.hve\Root\File\{Volume GUID}\`.

#### 4. **BAM/DAM (Background Activity Monitor/Desktop Activity Monitor)**
- **Registry Paths**:
  - `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}`
  - `SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}`
- **Details**:
  - Records background application activity and their execution times.
  - Optimizes power consumption on devices.
  - Stores the full path and last execution time of background applications.
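
The UserAssist entry above is the one artifact here that needs decoding by hand: value names are ROT13-encoded and each `Count` value is a fixed 72-byte record. The following Python is an added example (not from the room or from Registry Explorer) that decodes one such entry; the sample name, counts and timestamp are constructed, and the record layout assumed is the Windows 7 and later format.

```python
from __future__ import annotations
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7+ UserAssist Count record (72 bytes): session id, run count, focus count,
# focus time in ms, ten floats, 4 unknown bytes, last-run FILETIME, 4 unknown bytes.
_USERASSIST_FMT = "<IIII10fIqI"
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime | None:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means 'never recorded'."""
    if ft <= 0:
        return None
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - _EPOCH_1601) // timedelta(microseconds=1)) * 10

def decode_userassist(value_name: str, data: bytes) -> dict:
    """Decode one ROT13-encoded value name and its 72-byte Count record."""
    if len(data) != struct.calcsize(_USERASSIST_FMT):
        raise ValueError(f"unexpected UserAssist record length: {len(data)}")
    fields = struct.unpack(_USERASSIST_FMT, data)
    return {
        "name": codecs.decode(value_name, "rot_13"),
        "run_count": fields[1],
        "focus_count": fields[2],
        "focus_time_ms": fields[3],
        "last_run": filetime_to_datetime(fields[15]),
    }

# Constructed sample: an explorer.exe entry as it would sit under the executable-launch
# GUID {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count. The GUID inside the name is the
# Windows folder known-folder id; the counts and timestamp are made up for this example.
SAMPLE_LAST_RUN = datetime(2021, 12, 1, 12, 45, 10, tzinfo=timezone.utc)
SAMPLE_NAME = codecs.encode(r"{F38BF404-1D43-42F2-9305-67DE0B28FC23}\explorer.exe", "rot_13")
SAMPLE_DATA = struct.pack(_USERASSIST_FMT, 0, 26, 3, 1800, *([0.0] * 10), 0,
                          datetime_to_filetime(SAMPLE_LAST_RUN), 0)

if __name__ == "__main__":
    print(decode_userassist(SAMPLE_NAME, SAMPLE_DATA))
```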

### Questions and Answers

1. How many times was the File Explorer launched?
   - **Answer**: `26`

2. What is another name for ShimCache?
   - **Answer**: `AppCompatCache`

3. Which of the artifacts also saves SHA1 hashes of the executed programs?
   - **Answer**: `AmCache`

4. Which of the artifacts saves the full path of the executed programs?
   - **Answer**: `BAM/DAM`


## Task 9: External Devices/USB Device Forensics

### Overview
In forensic investigations, identifying connected USB or removable drives can provide critical insights into user activity. The registry stores valuable information about the connection, usage, and removal of such devices, which can be used to determine when and how devices were plugged into the system. In this task, we explore different registry locations that track the details of connected USB devices.

---

### Key Registry Locations

#### 1. **Device Identification**
- **Registry Paths**:
  - `SYSTEM\CurrentControlSet\Enum\USBSTOR`
  - `SYSTEM\CurrentControlSet\Enum\USB`
- **Details**:
  - These registry locations keep track of USB devices connected to the system.
  - Store device identifiers like **vendor ID**, **product ID**, and **version**.
  - Can also store the **time** when devices were plugged into the system.
  - Registry Explorer provides a user-friendly interface to view this information.

#### 2. **First/Last Connection Times**
- **Registry Path**:
  - `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\####`
- **Details**:
  - Tracks the **first time** the device was connected, **last connection time**, and the **last removal time**.
  - The `####` placeholder takes one of these property IDs:
    - `0064`: First Connection Time
    - `0066`: Last Connection Time
    - `0067`: Last Removal Time
  - Registry Explorer parses this information and displays it in a readable format.

#### 3. **USB Device Volume Name**
- **Registry Path**:
  - `SOFTWARE\Microsoft\Windows Portable Devices\Devices`
- **Details**:
  - Stores the **device name** for connected USB drives.
  - This name can be cross-referenced with the **Disk ID** from earlier registry keys to match unique devices.
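
As an added example (not code from the room or from Registry Explorer), the Python below splits a `USBSTOR` device key and serial subkey into vendor, product, revision, serial and instance, and decodes the three FILETIME properties listed above. The key names are constructed to resemble the Kingston device from the questions; the timestamps are made up, and the removal time is left at zero to show how an unrecorded event is reported.

```python
from __future__ import annotations
import re
import struct
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Device key under SYSTEM\CurrentControlSet\Enum\USBSTOR: <class>&Ven_<vendor>&Prod_<product>&Rev_<rev>
DEVICE_RE = re.compile(r"^(?P<cls>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$")
# Property ids under {83da6326-97a6-4088-9453-a19231573b29}, each holding one FILETIME
PROP_TIMES = {"0064": "first_connected", "0066": "last_connected", "0067": "last_removed"}

def filetime_bytes_to_datetime(raw: bytes) -> datetime | None:
    """8-byte little-endian FILETIME; 0 means the event was never recorded."""
    (ft,) = struct.unpack("<Q", raw[:8])
    return None if ft == 0 else _EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_usbstor_entry(device_key: str, serial_key: str, props: dict[str, bytes]) -> dict:
    m = DEVICE_RE.match(device_key)
    if not m:
        raise ValueError(f"not a USBSTOR device key: {device_key}")
    serial, _, instance = serial_key.rpartition("&")  # subkey is "<serial>&<instance>"
    info = {
        "vendor": m["vendor"],
        "product": m["product"].replace("_", " "),
        "revision": m["rev"],
        "serial_key": serial_key,      # as shown by Registry Explorer, suffix included
        "serial": serial,              # the part reported by the device itself
        "instance": instance,
        # Windows puts '&' in the second position when the device reported no serial
        "windows_generated_serial": len(serial_key) > 1 and serial_key[1] == "&",
    }
    for prop_id, label in PROP_TIMES.items():
        raw = props.get(prop_id)
        info[label] = filetime_bytes_to_datetime(raw) if raw else None
    return info

def _ft(dt: datetime) -> bytes:
    """Pack a datetime as a FILETIME blob (only used to build the constructed sample)."""
    return struct.pack("<Q", ((dt - _EPOCH_1601) // timedelta(microseconds=1)) * 10)

# Constructed sample: names modelled on the Kingston device from the questions,
# made-up first/last connection times, and no removal time recorded.
SAMPLE_DEVICE_KEY = "Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00"
SAMPLE_SERIAL_KEY = "1C6f654E59A3B0C179D366AE&0"
SAMPLE_PROPS = {
    "0064": _ft(datetime(2021, 11, 24, 18, 12, 30, tzinfo=timezone.utc)),
    "0066": _ft(datetime(2021, 11, 24, 18, 39, 51, tzinfo=timezone.utc)),
    "0067": struct.pack("<Q", 0),
}

if __name__ == "__main__":
    for k, v in parse_usbstor_entry(SAMPLE_DEVICE_KEY, SAMPLE_SERIAL_KEY, SAMPLE_PROPS).items():
        print(f"{k:>24}: {v}")
```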


### Questions and Answers

1. What is the serial number of the device from the manufacturer 'Kingston'?
   - **Answer**: `1C6f654E59A3B0C179D366AE&0`

2. What is the name of this device?
   - **Answer**: `Kingston Data Traveler 2.0 USB Device`

3. What is the friendly name of the device from the manufacturer 'Kingston'?
   - **Answer**: `USB`


## Task 10: Hands-on Challenge

### Overview
In this task, we will practice our skills with registry forensics by analyzing a Windows VM that is suspected of unauthorized access. We will need to examine registry hives and other collected artifacts to answer a series of questions. The provided tools will help us analyze the data, including RegistryExplorer, EZViewer, and AppCompatCacheParser. 

The goal is to extract key pieces of information about the system's user accounts, USB device connections, and file access.

### Setup
We have access to a Windows VM with two folders on the Desktop:
- **triage**: Contains forensic data collected through KAPE.
- **EZtools**: Contains forensic tools like RegistryExplorer, EZViewer, and AppCompatCacheParser.

### Registry Hive Locations
The relevant registry hives and their paths are:
- **SAM Hive**: Stores user account information, including user names and password hashes. Located in `C:\Windows\System32\Config\SAM`.
- **SOFTWARE Hive**: Contains software installation information and system configuration. Located in `C:\Windows\System32\Config\SOFTWARE`.
- **SYSTEM Hive**: Contains system configuration settings. Located in `C:\Windows\System32\Config\SYSTEM`.
- **NTUSER.DAT**: This is a user-specific hive located in `C:\Users\<username>\NTUSER.DAT` and contains the current user's profile settings.
- **AmCache Hive**: Stores data on executed programs. Located in `C:\Windows\AppCompat\Programs\Amcache.hve`.

### Using RegistryExplorer
1. Open **RegistryExplorer** and load the relevant registry hives (`SAM`, `SOFTWARE`, `SYSTEM`, and `NTUSER.DAT`).
2. Follow the instructions in RegistryExplorer to integrate transaction logs and ensure clean hives are loaded.
3. Use the **USBSTOR** key to find information about connected USB devices.
4. Use the **UserAssist** or **ProfileList** keys to investigate user accounts and their login activity.

### Key Questions and Answers

1. How many user-created accounts are present on the system?
   - **Answer**: `3`

2. What is the username of the account that has never been logged in?
   - **Answer**: `thm-user2`

3. What is the password hint for the user `THM-4n6`?
   - **Answer**: `count`

4. When was the file 'Changelog.txt' accessed?
   - **Answer**: `2021-11-24 18:18:48`

5. What is the complete path from where the Python 3.8.2 installer was run?
   - **Answer**: `Z:\setups\python-3.8.2.exe`

6. When was the USB device with the friendly name 'USB' last connected?
   - **Answer**: `2021-11-24 18:40:06`

