WEBVTT

1
00:00:01.740 --> 00:00:06.396
Hello, and
welcome back to course two, section four of

2
00:00:06.396 --> 00:00:09.221
Windows registry forensics.

3
00:00:09.221 --> 00:00:14.153
In this section, we're going to locate the
registry files and values within an image

4
00:00:14.153 --> 00:00:18.940
file, and we're going to learn how
to properly interpret these values.

5
00:00:18.940 --> 00:00:23.841
So we're going to locate the values
within the registry key file and

6
00:00:23.841 --> 00:00:27.329
we're going to properly
interpret the values.

7
00:00:27.329 --> 00:00:32.313
The tools we're going to need for
this section are going to be Autopsy,

8
00:00:32.313 --> 00:00:38.240
DCode, Notepad and the Windows
Calculator, or any other calculator.

9
00:00:38.240 --> 00:00:42.524
So why don't we go ahead and launch
Autopsy; make sure you right-click and

10
00:00:42.524 --> 00:00:44.240
run as admin.

11
00:00:44.240 --> 00:00:45.977
So go ahead and launch Autopsy now.

12
00:00:49.140 --> 00:00:53.440
Just a quick recap of what
we've covered up to this point.

13
00:00:53.440 --> 00:00:56.341
In section one,
we took a look at the live registry.

14
00:00:56.341 --> 00:01:00.877
In section two we prepared our environment
to examine the non-live registry files,

15
00:01:00.877 --> 00:01:04.040
utilizing the specialized
tools to be downloaded.

16
00:01:04.040 --> 00:01:08.659
And in section three we exported the
registry files using two different tools

17
00:01:08.659 --> 00:01:12.651
and in two different ways,
one with the full path and one without.

18
00:01:14.240 --> 00:01:16.586
Hopefully everybody has Autopsy running.

19
00:01:19.040 --> 00:01:26.005
We're going to create
a new case using Autopsy.

20
00:01:27.400 --> 00:01:29.761
Double-click New Case.

21
00:01:31.340 --> 00:01:38.786
We could name the case Windows registry or
whatever you'd like to name it.

22
00:01:38.786 --> 00:01:39.690
Whatever you do name it,

23
00:01:39.690 --> 00:01:42.151
make sure it's something you're
going to be able to identify later.

24
00:01:43.240 --> 00:01:47.459
You can browse to where you want
to have the base directory and

25
00:01:47.459 --> 00:01:51.165
where the case state
is going to be stored.

26
00:01:51.165 --> 00:01:55.433
Case number, you can call it
whatever you'd like to call it.

27
00:01:58.124 --> 00:02:05.564
I'm going to call mine section four, and
you can click Finish.

28
00:02:05.564 --> 00:02:08.134
Now it is creating the case in Autopsy.

29
00:02:13.740 --> 00:02:18.103
What type of file are we
going to add to our case?

30
00:02:18.103 --> 00:02:22.390
In this case we're going to add the disk
image of the virtual machine file.

31
00:02:22.390 --> 00:02:27.744
And again, we're going to be working with
that Windows 10 virtual machine file.

32
00:02:27.744 --> 00:02:33.730
Click Next. We'll browse to where our file is.

33
00:02:37.140 --> 00:02:42.631
We'll select our file and
we'll click Open.

34
00:02:49.640 --> 00:02:53.273
Now the time zone,
you don't really know the time zone yet

35
00:02:53.273 --> 00:02:57.203
because we haven't done that but
we are going to do that.

36
00:02:57.203 --> 00:03:00.750
So you can just leave
the time zone whatever it is.

37
00:03:00.750 --> 00:03:03.613
I am going to go ahead and
put mine at UTC,

38
00:03:03.613 --> 00:03:07.025
you can put yours at
whatever you would like.

39
00:03:15.510 --> 00:03:19.361
These are all the ingest
modules we have for Autopsy.

40
00:03:20.640 --> 00:03:24.290
If you run all of these modules it
is going to take a long time for

41
00:03:24.290 --> 00:03:28.531
this case to process but we can
still view it while it's processing.

42
00:03:28.531 --> 00:03:33.167
So I would say go ahead and run the ingest
modules. Keyword search is what

43
00:03:33.167 --> 00:03:37.132
we're not going to run right now, because
we're not keyword searching.

44
00:03:37.132 --> 00:03:41.948
And unless you have set it up for online
access, you're not going to be able to

45
00:03:41.948 --> 00:03:45.861
use VirusTotal, and
we don't need the Android Analyzer.

46
00:03:47.140 --> 00:03:53.018
And I'm going to click Next and
it's going to start working.

47
00:03:54.433 --> 00:03:59.129
Right now it's adding all the files so
this will just take a minute.

48
00:04:03.161 --> 00:04:07.403
Once it has finished adding the files, it's
going to tell you that the data source has

49
00:04:07.403 --> 00:04:10.760
been added to the local database and
it's now being analyzed,

50
00:04:10.760 --> 00:04:12.241
you can just click finish.

51
00:04:16.757 --> 00:04:20.393
And we really want to close
all this up, if yours is open.

52
00:04:20.393 --> 00:04:24.866
What we're looking at is the data source,

53
00:04:24.866 --> 00:04:28.977
the Windows VMDK file right here.

54
00:04:31.340 --> 00:04:36.561
Now, just a quick note about your tools,

55
00:04:36.561 --> 00:04:41.781
you noticed when we
looked at FTK Imager it

56
00:04:41.781 --> 00:04:47.613
showed us that volume
two was partitioned, too.

57
00:04:47.613 --> 00:04:53.080
And we only had two volumes on there.

58
00:04:53.080 --> 00:05:01.740
Here what we're seeing is this is
adding volumes for unallocated space.

59
00:05:01.740 --> 00:05:04.983
This is more of the layout as
would be seen on disk as far as

60
00:05:04.983 --> 00:05:06.711
the unallocated space goes.

61
00:05:11.140 --> 00:05:15.071
But the volume we actually want to
take is going to be volume three.

62
00:05:18.779 --> 00:05:21.240
We're going to expand volume three.

63
00:05:21.240 --> 00:05:23.956
We're going to navigate to the registry
files like we've done before,

64
00:05:23.956 --> 00:05:32.040
we're going to open up Windows. We're
going to navigate to System32.

65
00:05:32.040 --> 00:05:33.942
We're going to open up System32,

66
00:05:33.942 --> 00:05:36.575
and we're going to highlight
the config folder.

67
00:05:38.940 --> 00:05:41.610
I'm just going to move
this out of the way.

68
00:05:41.610 --> 00:05:47.644
If you want to know how to be able
to do that, what you can do is

69
00:05:50.067 --> 00:05:54.982
in View, sometimes, if

70
00:05:54.982 --> 00:05:58.851
your panes are docked or undocked, it'll
let you dock or undock the panes.

71
00:06:00.540 --> 00:06:05.191
So I'm just going to
move that out of the way

72
00:06:06.630 --> 00:06:11.624
And we're going to find the first file

73
00:06:11.624 --> 00:06:16.849
we're going to look at is
going to be the SYSTEM file.

74
00:06:22.940 --> 00:06:26.061
So we're going to go ahead and
click on the SYSTEM file.

75
00:06:27.940 --> 00:06:32.894
And in your viewer pane you're
going to see the SYSTEM

76
00:06:32.894 --> 00:06:37.061
file as it would be displayed
in the registry viewer.

77
00:06:38.140 --> 00:06:42.805
And we saw a little bit of this when we
saw our other two tools earlier today.

78
00:06:45.644 --> 00:06:51.775
Now, there's only one control set here,
but

79
00:06:51.775 --> 00:06:55.862
if you take a look at the Select key, you
can see the current control set is one and

80
00:06:55.862 --> 00:06:59.360
the default control set is one, and
then our LastKnownGood is one.

81
00:06:59.360 --> 00:07:02.064
Normally, like we saw when
we examined the live registry,

82
00:07:02.064 --> 00:07:03.940
there'd be more than one control set and

83
00:07:03.940 --> 00:07:07.640
you would determine the current
control set by using the select key.

84
00:07:07.640 --> 00:07:09.990
But since we have one, we
just have one to use.

85
00:07:09.990 --> 00:07:17.101
So we're going to go ahead and
expand ControlSet001, Control.

86
00:07:19.986 --> 00:07:23.546
We're going to scroll down

87
00:07:25.449 --> 00:07:30.500
to Microsoft.

88
00:07:36.340 --> 00:07:37.710
Excuse me, it's not in Microsoft.

89
00:07:37.710 --> 00:07:40.451
Going to scroll all the way down
to the time zone, it's right here.

90
00:07:42.140 --> 00:07:45.352
So we're going to find
the time zone information and

91
00:07:45.352 --> 00:07:47.960
we can see how the tool displays it to us.

92
00:07:50.440 --> 00:07:57.329
We have our daylight bias, which tells
us what our offset is to daylight.

93
00:07:57.329 --> 00:08:04.770
We have the bias. We have our daylight
start and our standard start.

94
00:08:04.770 --> 00:08:07.950
We have our time zone name,
which is Eastern Standard Time.

95
00:08:07.950 --> 00:08:09.163
And we have the active time bias.

96
00:08:14.720 --> 00:08:18.959
We can notice that there
is a 60 seconds difference,

97
00:08:18.959 --> 00:08:25.020
60 minutes difference, between
the active time bias and the bias.

98
00:08:25.020 --> 00:08:32.841
And that is because daylight saving
time is enabled on this computer.

99
00:08:34.120 --> 00:08:36.467
And you can tell that by looking at this,

100
00:08:36.467 --> 00:08:40.141
because otherwise you wouldn't
have two different figures here.

101
00:08:41.420 --> 00:08:44.950
What we are very interested
in is our active time bias.

102
00:08:44.950 --> 00:08:52.600
So we're going to go ahead and we'll just
use our Windows calculator really quick.

103
00:08:52.600 --> 00:08:57.578
And we'll say 240 minutes
÷ 60 minutes gives us 4, so

104
00:08:57.578 --> 00:09:02.665
we have a 4 hour, -4, right
now in Eastern Standard Time.

105
00:09:07.720 --> 00:09:13.462
And how we know when Eastern Standard
Time starts, how we read the start and

106
00:09:13.462 --> 00:09:18.622
stop key, is 2 bytes;
these 2 bytes of 00s are padding.

107
00:09:18.622 --> 00:09:23.020
You have the next two bytes of 0B 00.

108
00:09:23.020 --> 00:09:27.600
Now they're going to be read little-endian,
which means in the reverse order.

109
00:09:27.600 --> 00:09:30.820
So you'd read it 00 0B.

110
00:09:30.820 --> 00:09:32.640
And 0B.

111
00:09:32.640 --> 00:09:34.650
0x0B is 11.

112
00:09:34.650 --> 00:09:40.591
So we have the 11th month, and
now we have a 0, 1, 0, 0 again.

113
00:09:40.591 --> 00:09:43.020
Read little-endian.

114
00:09:43.020 --> 00:09:48.141
So we have 0, 0, 0,
1, which would indicate the first Sunday.

115
00:09:49.820 --> 00:09:55.430
In November at 2 a.m.

116
00:09:55.430 --> 00:10:00.085
Because this is 0, 0 again, this would be

117
00:10:00.085 --> 00:10:05.220
read as 2 bytes, 0, 0, 0, 2, at 2 a.m.

118
00:10:05.220 --> 00:10:06.041
So 0B.

119
00:10:06.041 --> 00:10:10.467
would be 11, which would be November;
0, 1 is a 1,

120
00:10:10.467 --> 00:10:18.220
which means the first Sunday in November
at 2 in the morning is the standard start.

121
00:10:18.220 --> 00:10:22.841
Daylight start.

122
00:10:25.120 --> 00:10:27.680
Same way 0, 3, 0, 0.

123
00:10:27.680 --> 00:10:32.768
You'd read that 0, 0, 0, 3 which would be

124
00:10:32.768 --> 00:10:37.605
the third month, which would be March; 0, 0,

125
00:10:37.605 --> 00:10:42.307
0, 2, 0, 0 would be read 0, 0, 0,

126
00:10:42.307 --> 00:10:47.397
2, the second Sunday in March and
again at 0,

127
00:10:47.397 --> 00:10:51.520
0, 0, 2, which would be 2 a.m.

128
00:10:51.520 --> 00:10:58.541
So that is how we read daylight start and
daylight stop.

129
00:10:59.920 --> 00:11:03.250
And this is how we see
our active time bias and

130
00:11:03.250 --> 00:11:08.482
what our normal time bias would be,
what our daylight bias would be.

131
00:11:13.620 --> 00:11:19.035
Time zones are very important because
if you don't get the time zone right,

132
00:11:19.035 --> 00:11:24.195
a lot of the times in your artifacts can
be off and that can cause you a lot,

133
00:11:24.195 --> 00:11:29.269
a lot of problems as we're going to see
in one second when we take a look at

134
00:11:29.269 --> 00:11:34.515
the install date and time and knowing
how your tool is going to display this

135
00:11:34.515 --> 00:11:40.520
information to you is very important too.
We know that this computer

136
00:11:40.520 --> 00:11:45.231
that we see has an active time bias
of 240, so we're at -4 from UTC.

137
00:11:47.220 --> 00:11:48.339
We know the start and the stop.

138
00:11:50.820 --> 00:11:55.505
So most of your tools will
allow you to go ahead and

139
00:11:55.505 --> 00:12:00.304
set the time zone within the tool.
We picked UTC, so

140
00:12:00.304 --> 00:12:06.818
we can make the adjustment manually
if you'd like. A lot of times,

141
00:12:06.818 --> 00:12:13.220
if you have different pieces of
evidence in different time zones,

142
00:12:13.220 --> 00:12:18.650
sometimes UTC is the best way
to go throughout the case.

143
00:12:18.650 --> 00:12:21.831
It just makes it a lot easier
when you're creating a timeline.

144
00:12:24.820 --> 00:12:26.260
So let's get this out of the way.

145
00:12:26.260 --> 00:12:27.241
It's movable.

146
00:12:28.820 --> 00:12:33.858
We'll move it over and now we're going
to take a look at the software hive.

147
00:12:39.320 --> 00:12:43.594
We can move our window back into view,
you can make it as big as you want,

148
00:12:43.594 --> 00:12:45.470
which is a really nice feature.

149
00:12:45.470 --> 00:12:46.231
I like that.

150
00:12:49.120 --> 00:12:51.800
Here we're going to expand Microsoft.

151
00:12:57.120 --> 00:13:01.125
We're going to now look at the install
date and time and

152
00:13:01.125 --> 00:13:04.310
what type of operating
system is installed.

153
00:13:04.310 --> 00:13:07.000
Because that will also make a big
difference when we're examining

154
00:13:07.000 --> 00:13:08.220
the registry.

155
00:13:08.220 --> 00:13:09.414
So I'm going to expand Microsoft.

156
00:13:15.920 --> 00:13:19.150
Windows NT, not Windows, Windows NT.

157
00:13:19.150 --> 00:13:20.051
And highlight CurrentVersion.

158
00:13:24.620 --> 00:13:29.159
And we can see here what
our operating system is,

159
00:13:29.159 --> 00:13:35.041
it's Windows 10 Pro,
we can see the release ID, 1703.

160
00:13:36.920 --> 00:13:39.281
There can be subtle
differences between releases.

161
00:13:40.520 --> 00:13:42.961
We see that the registered
owner is Windows User and

162
00:13:42.961 --> 00:13:45.191
there's no registered organization value.

163
00:13:45.191 --> 00:13:46.501
These are user created values.

164
00:13:46.501 --> 00:13:50.941
If they're not entered by the user
they will just say "value not set".

165
00:13:52.420 --> 00:13:57.641
But what we want to take
a look at is the install date.

166
00:14:01.000 --> 00:14:01.940
The install date.

167
00:14:01.940 --> 00:14:06.441
It's showing it to us in hex and
it's showing us a numeric value.

168
00:14:07.920 --> 00:14:09.631
What I want you to do
is just highlight that.

169
00:14:10.820 --> 00:14:12.103
Hit Ctrl+C on your computer.

170
00:14:16.420 --> 00:14:17.641
Bring up Notepad.

171
00:14:18.720 --> 00:14:22.367
Because I'm not going to type that
all out; hit Ctrl+V and

172
00:14:22.367 --> 00:14:24.920
it will paste the whole thing.

173
00:14:24.920 --> 00:14:29.741
What we want to take is just
the numbers between the parentheses.

174
00:14:31.920 --> 00:14:33.780
So we just want to copy this number.

175
00:14:33.780 --> 00:14:34.941
We're going to copy it.

176
00:14:36.120 --> 00:14:38.420
You can go ahead and
minimize that if you want.

177
00:14:38.420 --> 00:14:42.770
Now we're going to use our tool DCode and

178
00:14:42.770 --> 00:14:50.731
we're going to paste that value into DCode
and I'll leave it set at UTC for now.

179
00:14:52.620 --> 00:14:54.490
Now what type of value is this?

180
00:14:54.490 --> 00:14:56.241
This is a Unix numeric value.

181
00:14:59.820 --> 00:15:03.968
There are different values in the registry
like we talked about in section 1, but

182
00:15:03.968 --> 00:15:04.941
this value is a

183
00:15:04.941 --> 00:15:11.067
Unix numeric value, and
we're going to decode it, and

184
00:15:11.067 --> 00:15:19.341
we get a date of Saturday, March
18th, 2017 at 04:01:20 UTC.

185
00:15:23.520 --> 00:15:25.621
And don't close DCode.

186
00:15:25.621 --> 00:15:27.741
Just move it out of the way for a second.

187
00:15:29.220 --> 00:15:30.930
I'm going to go to the Results tab here.

188
00:15:32.220 --> 00:15:37.241
And we look at the date and time here.

189
00:15:40.020 --> 00:15:41.620
We can see that it matches.

190
00:15:41.620 --> 00:15:43.061
The format is a little different.

191
00:15:43.061 --> 00:15:45.251
It's giving you 2017 and then the month.

192
00:15:45.251 --> 00:15:47.820
So it's year, month, day,

193
00:15:47.820 --> 00:15:49.931
instead of day, month, year.

194
00:15:51.120 --> 00:15:54.031
You can change the date format in
Autopsy.

195
00:15:55.420 --> 00:15:58.920
I don't believe you can change
the date format in DCode.

196
00:15:58.920 --> 00:15:59.850
I think you're stuck with that.

197
00:15:59.850 --> 00:16:04.869
So we can tell that this
results pane is showing

198
00:16:04.869 --> 00:16:09.125
us information in Universal Time, UTC.

199
00:16:09.125 --> 00:16:13.654
Now when you're dealing with a real
examination you must figure out,

200
00:16:19.130 --> 00:16:23.116
The active time bias which we did,
which would be minus 4.

201
00:16:26.386 --> 00:16:31.321
So we could go ahead and
pick minus 4, hit Decode again.

202
00:16:31.321 --> 00:16:33.295
And it also subtracted the four hours for us.

203
00:16:37.054 --> 00:16:41.387
And the other thing you must
be able to determine is whether or

204
00:16:41.387 --> 00:16:44.516
not it was in daylight or
standard time at the time

205
00:16:44.516 --> 00:16:47.981
it was seized because that's
going to make a difference.

206
00:16:47.981 --> 00:16:54.053
Does the date, March 18th, 2017,
fall within daylight time or

207
00:16:54.053 --> 00:16:58.742
standard time? Because
that's going to make

208
00:16:58.742 --> 00:17:03.126
a difference, whether it's minus 4 or
minus 5.

209
00:17:03.126 --> 00:17:06.287
Because if it were daylight
time it would be minus 5,

210
00:17:06.287 --> 00:17:08.267
standard time would be minus 4.

211
00:17:08.267 --> 00:17:13.163
So these are the things that you need
to be able to determine in order to get

212
00:17:13.163 --> 00:17:18.227
the correct dates and times when you're
examining the Windows registry or

213
00:17:18.227 --> 00:17:22.837
any other Windows artifact or
any other artifacts for that matter.

214
00:17:22.837 --> 00:17:27.720
You have to be able to get
the correct dates and times.

215
00:17:27.720 --> 00:17:35.053
And that's one way we
could take a look at that.

216
00:17:35.053 --> 00:17:39.844
And the other thing you want to
make sure you know is how your tool

217
00:17:39.844 --> 00:17:42.343
is interpreting these values.

218
00:17:42.343 --> 00:17:47.538
We know now that this is giving it
to us in UTC time and I can tell you

219
00:17:47.538 --> 00:17:53.991
from trying it out on this particular
application of Autopsy that no matter what

220
00:17:53.991 --> 00:17:59.710
time zone you set it to it's going to
give you the registry values in UTC.

221
00:18:04.820 --> 00:18:09.181
So that's something
important you want to know.

222
00:18:09.181 --> 00:18:13.278
Another thing I want to
show you really quickly.

223
00:18:18.919 --> 00:18:21.389
If we take a look at the hex
view of this file and

224
00:18:21.389 --> 00:18:24.772
we are going to go into the structure
of registry files later on.

225
00:18:24.772 --> 00:18:32.244
But you can see
that it starts with this "reg".

226
00:18:32.244 --> 00:18:37.539
Yeah, "REG", and that's a good indication

227
00:18:37.539 --> 00:18:43.003
that you're looking at a registry file.

228
00:18:43.003 --> 00:18:49.605
If we look at the file metadata tab,
I do like this feature in Autopsy.

229
00:18:49.605 --> 00:18:57.671
It will give you master file table
information on the file itself.

230
00:18:57.671 --> 00:19:02.971
It's a little bit beyond the scope of
this course, but it does contain that.

231
00:19:02.971 --> 00:19:07.838
So that is a nice feature.

232
00:19:07.838 --> 00:19:12.267
But one of the first things you need to do
when you're examining is you have to find

233
00:19:12.267 --> 00:19:13.389
out your time zone.

234
00:19:13.389 --> 00:19:16.068
So we know what we're looking at for
times in the files,

235
00:19:16.068 --> 00:19:19.544
especially if we're going to generate
reports. If you generate reports and

236
00:19:19.544 --> 00:19:22.576
you're not in the right time zone,
you'll be doing it twice.

237
00:19:22.576 --> 00:19:27.148
And we also need to know what operating
system is installed because there will be

238
00:19:27.148 --> 00:19:31.379
differences between the Windows 7
registry, the Windows 8 registry and

239
00:19:31.379 --> 00:19:33.032
the Windows 10 registry.

240
00:19:33.032 --> 00:19:36.348
This course,
I'm going to mainly focus on Windows 10.

241
00:19:36.348 --> 00:19:40.964
I will demonstrate some
stuff with Windows 7 and

242
00:19:40.964 --> 00:19:45.355
we will talk about Windows 8 a little bit,
but

243
00:19:45.355 --> 00:19:50.422
the main focus is going to be
on Windows 10 as the newest

244
00:19:50.422 --> 00:19:54.723
operating system from Microsoft right now.

245
00:19:54.723 --> 00:19:59.934
In the next section, we're going to
start examining the NTUSER.DAT hive and

246
00:19:59.934 --> 00:20:04.317
going into a lot of the artifacts
we can find within that hive and

247
00:20:04.317 --> 00:20:10.041
we're going to interpret them and I'll
show you how to accurately interpret them.

248
00:20:10.041 --> 00:20:15.812
Show you where the data is stored and
how it gets populated into the registry.