1
00:00:00,320 --> 00:00:00,710
Hello.

2
00:00:00,710 --> 00:00:07,880
In this lecture, we're going to do the registry analysis with the previously infected Windows image

3
00:00:08,150 --> 00:00:09,320
virtual memory here.

4
00:00:09,320 --> 00:00:16,430
So information about every user, setting, program and the Windows operating system itself

5
00:00:16,430 --> 00:00:18,530
can be found within the registry.

6
00:00:18,680 --> 00:00:24,650
Even hashed passwords can be found in the registry, in the Windows Registry analysis.

7
00:00:24,650 --> 00:00:34,280
And we're going to use the two plugins for using this hive scan in next lectures.

8
00:00:34,280 --> 00:00:39,920
We're going to do more detailed and, like, advanced registry analysis here.

9
00:00:39,920 --> 00:00:45,350
But this is just an intermediate level of registry analysis.

10
00:00:45,770 --> 00:00:52,490
The first plugin we're going to use is the hive scan, and the second is the hive list.

11
00:00:52,490 --> 00:00:56,150
So let's start with hive scan here. Enter.

12
00:00:56,150 --> 00:00:59,870
And yeah, also I want to notify that you have to

13
00:01:00,980 --> 00:01:04,220
specify the profile of nowhere.

14
00:01:04,530 --> 00:01:05,360
No, no, no, no, no, no.

15
00:01:06,140 --> 00:01:06,830
Here.

16
00:01:07,750 --> 00:01:08,380
Hive scan.

17
00:01:09,770 --> 00:01:10,430
Okay.

18
00:01:11,390 --> 00:01:16,430
So this is the output, and the numbers are presented here.

19
00:01:16,430 --> 00:01:23,630
Location of hives on the hard disk. So we can find more information on the registry, more information

20
00:01:23,630 --> 00:01:26,450
about the registry in Wikipedia here.

21
00:01:26,450 --> 00:01:28,760
Let's look at details here.

22
00:01:29,540 --> 00:01:31,550
Windows Registry.

23
00:01:33,980 --> 00:01:39,560
Wikipedia here, and yeah, it can tell us some examples here.

24
00:01:39,560 --> 00:01:40,010
Yeah.
25
00:01:40,040 --> 00:01:49,910
As you can see, this is the list of standard registry values, and here are the valid registries.

26
00:01:50,630 --> 00:01:52,850
Belongs to what, and what is inside them.

27
00:01:52,850 --> 00:01:59,810
For example, in our local machine we have HKEY_LOCAL_MACHINE, which stores settings that are specific

28
00:01:59,810 --> 00:02:01,460
to the local computer.

29
00:02:01,490 --> 00:02:10,810
We have HKEY_USERS, which contains subkeys corresponding to each user profile actively loaded on the machine,

30
00:02:10,910 --> 00:02:11,710
though user

31
00:02:11,720 --> 00:02:15,860
hives are usually only loaded for currently logged-in users.

32
00:02:15,860 --> 00:02:22,460
So now I'm going to open the Windows here and change the Windows while we're going to,

33
00:02:22,490 --> 00:02:26,930
we are searching about this information in the registry here.

34
00:02:26,930 --> 00:02:29,240
So let's open the Windows here.

35
00:02:29,510 --> 00:02:30,050
Yeah.

36
00:02:30,080 --> 00:02:35,520
While Windows is opening, are we going to read more here?

37
00:02:35,520 --> 00:02:37,620
We also have performance data.

38
00:02:37,620 --> 00:02:44,880
Current user, as the name suggests, stores the settings that are specific to the currently logged-in

39
00:02:44,880 --> 00:02:45,780
user.

40
00:02:45,810 --> 00:02:47,670
There are more examples here.

41
00:02:47,670 --> 00:02:52,800
The registry is just a big file that contains Windows

42
00:02:53,550 --> 00:02:56,520
settings and other information about the system.

43
00:02:56,520 --> 00:02:59,820
So let's change here.

44
00:02:59,850 --> 00:03:01,950
Let's make, yeah,

45
00:03:02,430 --> 00:03:04,790
Windows here.

46
00:03:04,800 --> 00:03:05,150
Yeah.

47
00:03:05,190 --> 00:03:06,060
Create.

48
00:03:07,960 --> 00:03:08,380
And.

49
00:03:08,380 --> 00:03:08,860
Yeah.

50
00:03:09,660 --> 00:03:10,470
That's for sure.

51
00:03:10,470 --> 00:03:12,570
It's gonna work.
52
00:03:14,300 --> 00:03:16,010
Okay, perfect.

53
00:03:16,890 --> 00:03:19,410
Let's make the screen bigger here.

54
00:03:19,500 --> 00:03:20,040
Yeah.

55
00:03:21,320 --> 00:03:22,720
Can you see it?

56
00:03:22,730 --> 00:03:24,290
Yeah, you can see it.

57
00:03:24,290 --> 00:03:27,050
Okay, let's open our Windows here.

58
00:03:34,970 --> 00:03:39,440
And here, this is our Windows machine for our learning purposes.

59
00:03:39,560 --> 00:03:46,970
Now we can open the registry and then just look at the registry, what these files are, what those

60
00:03:46,970 --> 00:03:49,340
parameters are. In order to open the registry,

61
00:03:49,370 --> 00:03:52,190
you just enter regedit here.

62
00:03:52,310 --> 00:04:00,680
If you are using older Windows versions, or if you write "reg" here and it doesn't show anything,

63
00:04:00,680 --> 00:04:05,890
you can type regedit.exe here or MSI here.

64
00:04:05,900 --> 00:04:07,700
It's the same, actually.

65
00:04:07,940 --> 00:04:08,420
Yeah.

66
00:04:08,420 --> 00:04:09,650
And click Yes.

67
00:04:10,430 --> 00:04:17,900
And here, as you can see, this is our Registry Editor program in Windows.

68
00:04:17,900 --> 00:04:20,000
So let's improve.

69
00:04:20,030 --> 00:04:22,370
Let's increase the font size a bit.

70
00:04:22,370 --> 00:04:27,050
And that's, you know, it's too much here, even for the lecture.

71
00:04:27,630 --> 00:04:28,470
Yes.

72
00:04:29,430 --> 00:04:30,780
Uh, 14 is okay.

73
00:04:30,780 --> 00:04:33,690
And as you can see here, there we have the

74
00:04:35,010 --> 00:04:39,210
information, settings, parameters here.

75
00:04:39,690 --> 00:04:46,770
Here, for example, it shows what AVI files open with by default.

76
00:04:46,770 --> 00:04:47,550
For example.

77
00:04:47,550 --> 00:04:48,030
Here.

78
00:04:48,030 --> 00:04:48,600
Here.

79
00:04:50,020 --> 00:04:51,340
As you can see here.

80
00:04:55,700 --> 00:04:56,270
Here.

81
00:05:01,300 --> 00:05:01,870
Here.
82
00:05:02,020 --> 00:05:03,100
So.

83
00:05:04,690 --> 00:05:07,840
Now we're going to learn more in,

84
00:05:08,140 --> 00:05:10,330
learn more about the registry in the next lectures.

85
00:05:10,330 --> 00:05:16,540
But for now, we're going to just analyze it and look at the plugins that we're going to use with the,

86
00:05:18,190 --> 00:05:19,600
uh, Volatility framework.

87
00:05:19,600 --> 00:05:20,350
So.

88
00:05:21,510 --> 00:05:30,930
This is the hive list of hive scan of registries here, and print it out so later I can share

89
00:05:30,930 --> 00:05:34,980
it with you in the attachments section of this lecture.

90
00:05:34,980 --> 00:05:37,800
And last, we have hive list.

91
00:05:38,520 --> 00:05:46,050
So this is for more detailed information on registry hives and their location within

92
00:05:46,050 --> 00:05:46,590
the RAM.

93
00:05:46,590 --> 00:05:49,230
So the hive list plugin can be used here.

94
00:05:49,260 --> 00:05:56,580
The hive list plugin command here shows the details of virtual and physical addresses with more easily

95
00:05:56,580 --> 00:05:57,480
readable plaintext.

96
00:05:57,480 --> 00:06:01,260
So as its name suggests, you can't read anything from it.

97
00:06:01,260 --> 00:06:08,730
Like, you can't get details from it if you are not advanced in forensics and analytics here.

98
00:06:08,730 --> 00:06:15,210
But with this here, you can get the directories of the registry files here, as here.

99
00:06:16,640 --> 00:06:16,950
Mhm.

100
00:06:16,970 --> 00:06:17,540
Okay.

101
00:06:18,230 --> 00:06:31,100
So more information on the registry can be found in the official Microsoft registry here, named Docs.microsoft.com.

102
00:06:33,120 --> 00:06:39,600
Uh, en-us, Windows, win32,

103
00:06:40,360 --> 00:06:43,330
sysinfo, and registry

104
00:06:44,210 --> 00:06:44,930
has,

105
00:06:46,800 --> 00:06:47,400
hives.
106
00:06:49,240 --> 00:06:53,200
And as you can see, there is more information about the registry hives.

107
00:06:53,200 --> 00:06:57,940
And as you can see, previously we see,

108
00:06:58,840 --> 00:07:02,050
we serve the here.

109
00:07:05,940 --> 00:07:07,890
Okay, let's.

110
00:07:08,490 --> 00:07:09,150
Okay.

111
00:07:09,480 --> 00:07:16,110
So it explains what, like, the folder-like icons mean.

112
00:07:16,830 --> 00:07:25,380
So for example, the current config means the system files and supported files.

113
00:07:25,380 --> 00:07:28,140
Local machine SAM: Sam, Sam.sav.

114
00:07:28,170 --> 00:07:36,200
This is the local machine security here, and other information can be found here on Microsoft's

115
00:07:36,210 --> 00:07:37,170
official

116
00:07:39,450 --> 00:07:40,290
website.