WEBVTT

1
00:00:01.940 --> 00:00:09.785
Welcome to Course Two, Section Two
of Windows Registry Forensics.

2
00:00:09.785 --> 00:00:14.910
In this section we're going to cover
preparing our examination environment.

3
00:00:14.910 --> 00:00:20.640
We're going to be setting up specialized
software to view the registry files.

4
00:00:20.640 --> 00:00:25.998
The first thing I'd like everybody to do
is go ahead and go to this link and you

5
00:00:25.998 --> 00:00:32.061
can download this document here, and it's
going to be called Software_Tools.txt.

6
00:00:33.140 --> 00:00:36.847
And what we're going to use this document
for is to go to all the websites where we

7
00:00:36.847 --> 00:00:40.290
can download these tools we're
going to need to examine the registry.

8
00:00:40.290 --> 00:00:44.684
So once you download the document you can
simply copy and paste the addresses into

9
00:00:44.684 --> 00:00:48.051
your internet browser instead
of having to type them all out.

10
00:00:49.140 --> 00:00:53.143
If you don't already have 7-Zip
installed on your computer,

11
00:00:53.143 --> 00:00:55.200
please go ahead, copy that out.

12
00:00:55.200 --> 00:00:59.230
Go to that website and download 7-Zip
because we're going to need it for

13
00:00:59.230 --> 00:01:01.751
some of the tools we're
going to be extracting.

14
00:01:07.640 --> 00:01:14.040
The first website we're going to go to
is going to be the Sleuth Kit Autopsy.

15
00:01:14.040 --> 00:01:19.563
So go ahead and copy and
paste that into your browser,

16
00:01:19.563 --> 00:01:24.361
it's going to bring you
to the Autopsy website.

17
00:01:26.940 --> 00:01:30.805
You can go ahead and download from here,
when you click on that,

18
00:01:30.805 --> 00:01:34.470
it's going to bring you to either a 64- or
32-bit download for Windows.

19
00:01:34.470 --> 00:01:38.858
There is a Linux product,
but hopefully you're working

20
00:01:38.858 --> 00:01:44.780
in a Windows environment because a lot of
these tools will only work on Windows.

21
00:01:44.780 --> 00:01:50.361
So you go ahead and download and install
that; the installer will walk you through.

22
00:01:54.240 --> 00:01:57.960
Once you've completed that,

23
00:01:57.960 --> 00:02:02.680
go ahead and go to the next web address,

24
00:02:02.680 --> 00:02:07.544
github.com, to get you the add-ons for

25
00:02:07.544 --> 00:02:11.851
those tools if you would like them.

26
00:02:16.640 --> 00:02:22.916
So you would go ahead and
copy and paste that into your browser.

27
00:02:29.640 --> 00:02:33.487
And that's going to take you
out to the additional modules,

28
00:02:33.487 --> 00:02:35.931
the third-party modules for Autopsy.

29
00:02:38.820 --> 00:02:42.126
And then you would download the zip file,
and

30
00:02:42.126 --> 00:02:46.565
follow the directions here on
how to install those modules.

31
00:02:55.547 --> 00:02:57.348
Once you've completed that,

32
00:02:57.348 --> 00:03:00.751
the next website we're going to
go out to is Eric Zimmerman's.

33
00:03:05.040 --> 00:03:06.842
And here are his tools, okay?

34
00:03:10.840 --> 00:03:13.983
We're going to take a few tools from here,

35
00:03:13.983 --> 00:03:17.570
we're going to start
with the AmcacheParser.

36
00:03:17.570 --> 00:03:23.400
So you go ahead and click on it, and
you'd see the AmcacheParser.zip come up.

37
00:03:23.400 --> 00:03:26.374
You would save that and
then walk through the installer;

38
00:03:26.374 --> 00:03:28.341
you're going to have to extract that.

39
00:03:28.341 --> 00:03:33.592
And this is where 7-Zip comes
in, because these programs will not

40
00:03:33.592 --> 00:03:38.951
extract well with the Windows extractor,
so please use 7-Zip.

41
00:03:42.140 --> 00:03:46.615
We're going to take
the AppCompatCacheParser,

42
00:03:46.615 --> 00:03:51.751
follow the same procedures you did for
AmcacheParser.

43
00:03:55.820 --> 00:04:02.729
Then we're going to scroll down here, and
we're going to extract Registry Explorer.

44
00:04:07.140 --> 00:04:12.705
And then we're going to
extract ShellBags Explorer.

45
00:04:19.240 --> 00:04:25.012
So go ahead;
once you just click on the links,

46
00:04:25.012 --> 00:04:30.786
you download and unzip them,
extract the files,

47
00:04:30.786 --> 00:04:34.940
and walk through the setup.

48
00:04:34.940 --> 00:04:41.128
Once you do have all that done,

49
00:04:41.128 --> 00:04:47.554
what I'd like you to go ahead and

50
00:04:47.554 --> 00:04:51.839
do is run Autopsy, so

51
00:04:51.839 --> 00:04:57.340
we can get that started.

52
00:04:57.340 --> 00:05:02.961
So once you've downloaded and installed all
the tools, go ahead and run Autopsy.

53
00:05:21.140 --> 00:05:25.814
Once you get that started,
I'd like you to go out and download.

54
00:05:32.125 --> 00:05:35.140
Locking codes, registry browser.

55
00:05:35.140 --> 00:05:39.313
So again you would copy that
into your search bar, and

56
00:05:39.313 --> 00:05:44.151
you download and install Locking Codes
Registry Browser.

57
00:05:48.440 --> 00:05:53.729
You need to click here;
it's Registry Browser version 3.11a.

58
00:05:55.847 --> 00:06:00.420
And again you would
follow the same process,

59
00:06:00.420 --> 00:06:04.993
you're going to download,
extract that, and

60
00:06:04.993 --> 00:06:10.040
install it, walk through the installer.

61
00:06:10.040 --> 00:06:16.885
Once we've finished Registry Browser, you
want to go ahead and install RegRipper.

62
00:06:25.940 --> 00:06:30.035
And on GitHub, you can either
clone or download; we go ahead and

63
00:06:30.035 --> 00:06:31.310
download the zip.

64
00:06:31.310 --> 00:06:36.788
When you click on that it's going to do
the exact same thing as the other zip files;

65
00:06:36.788 --> 00:06:39.640
extract them using 7-Zip.

66
00:06:39.640 --> 00:06:43.353
Walk through the installers,

67
00:06:43.353 --> 00:06:49.493
then we're going to go to
AccessData's FTK Imager,

68
00:06:49.493 --> 00:06:53.651
and paste that into your browser.

69
00:06:56.320 --> 00:07:00.251
What you're going to come to from there
is the download site.

70
00:07:01.540 --> 00:07:05.232
When you hit this download now button,
it's going to take you to another page

71
00:07:05.232 --> 00:07:08.001
where you're going to have to
fill out your information.

72
00:07:09.940 --> 00:07:15.990
Once you fill out your information, make
sure you click yes to opt in to email, or

73
00:07:15.990 --> 00:07:20.780
you won't get the email with
the link to download FTK Imager.

74
00:07:20.780 --> 00:07:26.115
So you are going to have to check yes;
you can unsubscribe later on.

75
00:07:26.115 --> 00:07:31.211
And once you've done that,
what you're going to do is you're going to

76
00:07:31.211 --> 00:07:37.501
get an email from AccessData; you would
click the link to download FTK Imager.

77
00:07:40.040 --> 00:07:43.504
It'll take you out, and it is the exact
same process here: it's a zip,

78
00:07:43.504 --> 00:07:46.461
download and extract it, and
walk through the installer.

79
00:07:53.340 --> 00:07:56.761
The next thing we're going to need is
DCode from digital-detective.net.

80
00:08:03.820 --> 00:08:05.737
This is what it's going to look like.

81
00:08:12.091 --> 00:08:16.962
You're going to click on download DCode,
and again you're going to have

82
00:08:16.962 --> 00:08:21.761
the same zip file; you will extract
it using 7-Zip and install it.

83
00:08:25.740 --> 00:08:29.973
Then we just have one more piece
of software we need, which is

84
00:08:29.973 --> 00:08:35.940
going to be Karen's Hasher, because
we're going to need to do some hashing.

85
00:08:35.940 --> 00:08:39.854
So once you copy and
paste it into your browser,

86
00:08:39.854 --> 00:08:44.440
we're going to come to Karen's Hasher site.

87
00:08:44.440 --> 00:08:48.337
Please pick the first one,

88
00:08:48.337 --> 00:08:53.080
the new setup, and the same thing:

89
00:08:53.080 --> 00:08:58.851
you're going to extract it and install it.

90
00:09:01.540 --> 00:09:04.609
And once we've done all that,

91
00:09:04.609 --> 00:09:09.696
go ahead back out to that link,
that Dropbox link.

92
00:09:09.696 --> 00:09:14.395
And we're going to download
the Windows 10 virtual machine image,

93
00:09:14.395 --> 00:09:17.040
that .VMDK image.

94
00:09:17.040 --> 00:09:21.109
And if you've already created
a case in Autopsy,

95
00:09:21.109 --> 00:09:26.261
we're going to go ahead and
add that to our case in Autopsy.

96
00:09:29.340 --> 00:09:31.445
And in the next section,

97
00:09:31.445 --> 00:09:37.468
we're going to take a look at these
files as they exist in the file system.

98
00:09:37.468 --> 00:09:41.156
And we're going to export the files out,
so

99
00:09:41.156 --> 00:09:46.351
we can examine them with some
of the tools we just downloaded.