SOLUTIONS
\nTASK 1 - PROFILING THE SYSTEM USED
\nBefore we start answering the questions, one of the important things to do, if you recall the Windows Registry part of the course, is check the ControlSet. So, in order to analyze the Windows registry correctly, our first check should be to identify what was the active ControlSet.
\nTo do that, let us first open Windows Registry Explorer, which is the tool that we will use to solve this task. You can find it inside \"C:\\DFP\\Tools\\Windows\\RegistryExplorer_RECmd\", and then double-click on \"RegistryExplorer.exe.\" After doing that, I assume you got the following:
\n![\"1\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/1.png\")
Now, since we need to know the ControlSet, this key can be found within the Windows SYSTEM registry hive, so we need to load it. Do that by going to File -> Load offline hive and navigate to the location of the SYSTEM hive (C:\\DFP\\Labs\\Module6\\Lab14\\WindowsRegistry) and press the Open button.
\nAfter doing that, you will get something like the following:
\n![\"2\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/2.png\")
Now you need to expand the first row, and then you need to navigate all the way through SYSTEM until you reach the \"Select\" key, as seen in the snapshot below.
\n![\"3\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/3.png\")
Now if we** check the content of the **Current value, we see it holding the value 1. Now, since we have the ControlSet, we know which direction to steer our investigation wheel inside the SYSTEM keys. Let's move on and start answering some questions.
\n[Important note:] Since we only have one here it's easy, but you if you have more than one, this is a really important step to check before proceeding.
\n- \n
- What is the name of the computer? \n
[Answer:]
\nNow, in order to answer that, we need to check for the ComputerName value to find the answer. This is easily done by going to Bookmarks -> Common -> ComputerName. If you check the right pane as seen in the snapshot below, you will notice that it is \"4ORENSICS\". \n![\"4\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/4.png\")
- \n
- The forensic image was handed to you with no label about what operating system was running, so make sure you check that. \n
[Answer:] This information is very important for us to continue our investigation. Let us check the Operating system version used and other important information. Before we can find this answer, I need you to add the Windows SOFTWARE registry to Windows Registry Explorer. After doing that, I need you to navigate to:
\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
\nThe table below could help you:
\n| Operating System | \nVersion number | \n
|---|---|
| Windows 10 and Windows Server 2016 | \n10.0 | \n
| Windows 8.1 and Windows Server 2012 R2 | \n6.3 | \n
| Windows 8 and Windows Server 2012 | \n6.2 | \n
| Windows 7 and Windows Server 2008 R2 | \n6.1 | \n
| Windows Server 2008 and Windows Vista | \n6.0 | \n
Now from the CurrentVersion value found and based on the table above, we can say that the system we are investigating is a Windows 8.1 or Windows Server 2012 R2, but if you check the value ProductName, you will find that we are dealing with a Windows 8.1 Enterprise. All this can be seen in the snapshot below:
\n![\"5\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/5.png\")
[Note:] I have removed one of the \"Value Type\" column from the output to make it easier to understand.
\n- \n
- What is the time zone used by this system and is daylight saving DST active or not? \n
[Answer:] Now, you need to pay attention to what will be done. First, the time zone information could be found by navigating to the location below:
\nSYSTEM\\ControlSet###\\Control\\TimeZoneInfromation
\nAnd since our ControlSet is 1, then the exact location would be:
\nSYSTEM\\ControlSet001\\Control\\TimeZoneInfromation
\nThe results we found were the following:
\n![\"6\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/6.png\")
This is the most important value to be used to establish time-related to UTC, and it is the one you need to use to determine whether daylight saving is active or not. Check this reference: http://kb.digital-detective.net/display/BF/Identification+of+Time+Zone+Settings+on+Suspect+Computer
\nSo, based on the ActiveTimeBias value found (420) and the StandardName value (@tzres.dll,-211), we can determine we have a PST8PDT or Pacific Daylight Time or just PDT time zone. If you're wondering where I managed to resolve @tzres.dll,-211 to PDT, then check this:
\nhttps://github.com/log2timeline/plaso/blob/master/plaso/winnt/time_zones.py
\nOr
\nhttp://www.nirsoft.net/dll_information/windows8/tzres_dll.html
\nNow, is DST active or not? Well, it sure is, and that's because ActiveTimeBias is 420 which when divided by 60 leads to 7 hours. And this means we have a UTC-7.
\n- \n
- What is the installation date for this system? (hint: use DCode.exe to figure it out).\n[Answer:] This is found in the snapshot we saw before, let's add it again below: \n
![\"7\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/7.png\")
So, we have the value 1466498265!
\nEasy; we can use the DCode.exe tool here present at [C:\\DFP\\Tools\\Time] to convert this number into a timestamp. You can find the tool inside the tools directory. BUT wait a minute! We need to adjust the time using the time zone we just found. So, make sure in the \"Add Bias\" field you select UTC-7 because this is the time zone this computer was working in. Before pressing the Decode button, please keep in mind that Windows uses Unix 32 bit here for the InstallDate value, so make sure you select the \"Unix: Numeric Value.\" Finally, enter the value we want to decode, and with that done, we have the following after pressing Decode:
\n![\"8\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/8.png\")
The answer is:
\nTue, 21 June 2016 01:37:45 -07:00
\nThat was easy, right?
\n- \n
- To whom was this system registered, and what was the system's root directory? \n
[Answer:] This system was registered to a person named \"Hunter,\" and the system root directory is C:\\Windows which could be found from the path below:
\nMicrosoft\\Windows NT\\CurrentVersion
\nCheck the snapshot below:\n![\"8.1\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/8.1.png\")
- \n
- When was this system last shutdown? \n
Shutdown time is found in: SYSTEM\\ControlSet001\\Control\\Windows\\ShutdownTime
\nIt is a Windows FILETIME (64 bit)
\nAnswer = 2016-06-21 01:34:49 (UTC)
\nAnswer = Tue Jun 21 01:34:49 2016 (UTC)
\nAnswer = Tue Jun 21 08:34:49 2016 (UTC-7/Local Time)
\nExtra: To find the Installation date, we need to check the following: SAM\\Domains\\Account\\F
\nOffset 8-15 holds value
\nIt is using Windows FILETIME (64 bit)
\nAnswer = 2013-08-22 14:45:11 (UTC\ufeff)
\nNote: The InstallDate or other registry keys no longer are valid to use as an Installation date, since they only reflect the time of updates/upgrades/etc/long story short
\n- \n
- Check the system's firewall and see if RDP was enabled or not.\n [Answer:] We should always check the Windows Firewall and Remote Desktop, just in case. The Firewall and Remote Desktop settings are found under: \n
SYSTEM\\ControlSet###\\Services\\SharedAccess\\Parameters\\FirewallPolicy
\nSYSTEM\\ControlSet###\\Control\\TerminalServer
\nAnd since we are working under ControlSet001, then we need to go here:
\nSYSTEM\\ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy
\nSYSTEM\\ControlSet001\\Control\\TerminalServer
\nMake sure you check the firewall for both profiles (domain and public). If you don't know how to reach that, then we could go to Tools -> Find and then write the keyword you are looking for. You can see that in the snapshot below.
\n![\"9\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/9.png\")
After that, all you need to do is double-click on the result you want to display under Windows Registry Explorer. Now from the left-hand pane, we can see after expanding the tree and selecting DomainProfile, that we found the following:
\n![\"10\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/10.png\")
This clearly says that the firewall is enabled. By checking the PublicProfile, we get this:
\n![\"11\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/11.png\")
And again, this means that the firewall is enabled (value 1 here represents true which means it is enabled).
\nNow, by going to the \"SYSTEM\\ControlSet001\\Control\\TerminalServer\" location and checking the fDenyTSConnection value, we can determine if RDP is enabled or not. From the value found, we can say that it is true, the RDP is not allowed.
\n![\"12\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/12.png\")
- \n
- What was the name of the last user that logged into the system?**\n [Answer:] This is the final answer related to general system configurations, after that we'll move on network-related stuff. Again, since we don't know where we could find this information, we could use Registry Explorer's find capabilities (Tools Find) to search for the name of the last logged on user. This could be found in the value \"**LastLoggedOnUser.\" You can see the results after searching below: \n
![\"13\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/13.png\")
So, the last user who logged into the system was \"Hunter,\" and we could even see his SID (S-1-5-21-2489440558-2754304563-710705792-1001).
\nNow, we need to start answering the questions related to networking stuff, so let's get that done too.
\n- \n
- What was the GUID of the active network interface, and what is the IP address given to this machine? \n
[Answer:] To answer this, I need you to navigate to the following location: SYSTEM\\ControlSet###\\Services\\Tcpip\\Parameters\\Interfaces\\{GUID}\\
\nWhich means, in our case:\n*SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces\\{GUID}\\ *
\nAs we can see from the snapshot below, the GUID for the active interface is: 8CB9FBF6-AE23-4E1C-AA0A-EE23CB4FE736. Which means the full path is: ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces\\{8CB9FBF6-AE23-4E1C-AA0A-EE23CB4FE736}
\n![\"14\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/14.png\")
Now, if you check the values found within that key, you can find that the computer was given an IP Address which was 10.0.2.15 from the DHCP Server which had the IP Address 10.0.2.2, as seen in the figure above.
\n- \n
- What was the DHCP Server's IP address, and default gateway? \n
[Answer:] We answered the DHCP server part in the previous question. Now for the default gateway, we can find it be going down a little in the same page under the value named \"DhcpDefaultGateway.\" The result is also 10.0.2.2 as seen in the figure below:
\n![\"15\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/15.png\")
- \n
- \n
When was the leased time obtained, and when will it end?\n [Answer:] Now to check this we need you to be focused a little bit more. We need to check the following values:
\n \n - \n
LeaseObtainedTime
\n \n - \n
Lease
\n \n - \n
LeaseTerminatesTime
\n \n
![\"16\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/16.png\")
The first value gives us an answer about what was the leased time for this interface. It shows 1466475852. To convert it using epoch time, we can use the following website:
\nhttps://www.epochconverter.com/
\nGo to the first option \"Convert epoch to human readable date and vice versa,\" add the value in the field and click \"Timestamp to Human date.\" Now, since we found that this computer has a UTC-7 timestamp or PDT, make sure you click on the GMT URL found at the end of the line saying, \"Your time zone:\" to adjust the used timestamp. It will take you to another page, just search for the -07:00 or PDT to get the following final result: Jun 20 2016 19:24:12
\nOr you can go to this page directly: https://www.epochconverter.com/timezones?q=1466475852&tz=UTC
\nSo, based on that, the lease was obtained at \"Jun 20 2016 19:24:12\".
\nTo check when does this lease terminate, we can either use the value in LeaseTerminatesTime and follow the same procedure we did for the lease obtained, or just add the value in Lease to LeaseObtainedTime. Another way is to divide that number you found in the Lease which is 86400 by 1440 (seconds per day), and that gives us one day. To conclude, the answer is 1-day.
\n[Note:] you can also check that on the epochconverter website.
\nTask 2 - EXPORTING REGISTRY HIVES AND CREATING BOOKMARKS
\nLet's get this task done quickly as it is very easy thanks to Windows Registry Explorer. In order to export the registry hives into other formats for referencing or analysis using another tool, all you need to do is go to File -> Export \"Registry hives\" and then choose the file format you want. That's it!
\nNow, in order to create a bookmark, follow the steps below:
\n- \n
- \n
To add a bookmark, all you need to do is right-click on the key of interest, and then select \"Add bookmark\" or press F4 on your keyboard.
\n \n - \n
A menu like the one seen in the figure below will pop-up.
\n \n
![\"17\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/17.png\")
- \n
- \n
Fill in the fields:
\na. Category: to what category does this registry entry belong to.
\nb. Name: the name of the registry key.
\nc. Key path: the full path to this registry key.
\nd. Short description: give this bookmark a short description.
\ne. Long description: write full details of this bookmark. For example; what it does, why it is important and stuff like that. Anything that will help an analyst understand its benefit.
\n \n - \n
When you finish, press the \"Save\" button.
\n \n
Now, to use your new bookmark, all you need to do is select the exact hive that this bookmark belongs to (assuming you closed Registry Explorer, or you navigated to another location), then go to Bookmarks -> User created and finally select the one you want.
\nTask 3 - Analyzing the Windows Registry: SAM Hive
\nWe will be solving this task using another tool named RegRipper present at [C:\\DFP\\Tools\\Others\\RegRipper2.8-master], so that you know that there are different options to be used out there. So, let us start analyzing the Windows SAM file, to extract user information from there. This will help us with checking different stuff based on his/her SID. I assume you already know how to extract the Windows SAM file from a system, as it is given to us this time, so let us proceed with answering the questions.
\nTo use RegRipper, all we need to do is load the SAM file, specify a location to store the generated report, and then select the profile required, which is sam here. After that, all you need to do is press the Rip it button. This could be seen in the snapshot below:
\n![\"18\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/18.png\")
I have attached the generated report to the Appendix of this document, so please check it if you didn't manage to generate one for some reason. Now we can move on and start answering the questions.
\n- \n
- Check how many users does this machine have and who are they? \n
[Answer:] We have the following:
\na. Administrator
\nb. Guest
\nc. Hunter
\nBut, please note that the account is disabled for both Administrator and Guest
\n- \n
- What is the SID and RID of our user of interest? \n
[Answer:] Since both Administrator and Guest are disabled accounts, and since we know our suspect is using the user account named \"Hunter,\" the SID is \"S-1-5-21-2489440558-2754304563-710705792-1001\". This means that his/her RID is \"1001\".
\n- \n
- When was the user's profile created? \n
[Answer:] It was created on Tue Jun 21 08:37:43 2016.
\n- \n
- Is there any other evidence you can use to validate your answer? \n
[Answer:] This user is a member of the Administrators group, which means he has administrative privileges. Additionally, the Administrators group last update was \"Tue Jun 21 08:37:43 2016\", which is the exact same time the user account was created and added to that group.
\n- \n
- When did he/she last logged into the system? \n
[Answer:] The last login that for this user was \"Tue Jun 21 01:42:40 2016\".
\n- \n
- How many times has he/she logged into the system? \n
[Answer:] From the Login count, we can see that he/she logged into the system 3 times.
\n- \n
- Where could we find his/her password user hint and what is it? \n
[Answer:] We can find it from the \"Password Hint\" settings, and it was \"What do you do?\".
\nTask 4 - PROFILING USER ACTIVITY using NTUSER.DAT
\nWe have a good base of information about the user of interest, so in this task, we will be chasing other Windows artifacts that could be found in different Windows registry files, especially as we said in the NTUSER.DAT file, which is the file that holds most of the user account's configurations and settings.
\nIn this task, I am going back to using Eric Zimmerman's Windows Registry Explorer, feel free to use whatever Windows Registry tool you want.
\nLet us begin answering the questions we have:
\n- \n
- What applications are installed on this machine? \n
[Answer:] To answer that question, we could check the following location: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths
\nAfter navigating there, I assume you found a lot of keys there, as seen in the snapshot below:
\n![\"19\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/19.png\")
So, to form a list we will just need to go through them. I'm going to cheat a little here and use RegRipper and then get the list from there (the results of ripping SOFTWARE using RegRipper is attached as an Appendix to the end of this lab manual).
\nI assume you found a lot of applications; so I am just going to mention those that are suspicious and leave out the applications that are from Microsoft and others like Java, Python, Adobe Acrobat Reader, Notepad++, 7zip, Google Chrome, etc.
\nThose that look suspicious are:
\na. BCWipe.exe - C:\\Program Files (x86)\\Jetico\\BCWipe\\BCWipe.exe
\nb. ccleaner.exe - C:\\Program Files\\CCleaner\\CCleaner64.exe
\nc. Wireshark.exe - C:\\Program Files\\Wireshark\\Wireshark.exe
\nAn investigator must not rely on the \"App Paths\" subkeys only. There are lots of applications that won't be listed there! That means further investigation is always vital! For this task, we won't do that, as the aim is just to work with the artifacts in the Windows Registry.
\n- \n
- While doing the interviewing, one employee mentioned that there could be a remote administration tool (RAT) being used. Do some search to find that, as they had no idea of the application in specific, so try to figure out yourself. Use the Registry Explorer's searching capability to build a list of the most commonly used RATs. Did you find anything suspicious? \n
[Answer:] You have to build a list of tools that could be used to remotely administer a system, so what came in mind here was two things: VNC and TeamViewer. If we add the NTUSER.DAT file to Windows Registry Explorer and search around, we will find the following:
\n![\"20\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/20.png\")
And if we double click on the first entry (highlighted in red in the previous snapshot), we will get the following:
\n![\"21\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/21.png\")
So, it is clear that the user has used TeamViewer, and maybe this was the RAT tool mentioned to us. Anyway, let's wait a little, we should not stop at this point, as we said; the more evidence, the more bricks we have to build a solid case. We do not have enough information yet. So, let us move on and answer other questions.
\n- \n
- Check the applications that have been set to run at system startup. (hint: this could be done by searching for \"Run\" or \"Runonce\" registry values). How many applications did you find and what are they? \n
[Answer:] You can easily answer that by pressing ctrl+F to bring up the search screen, and then use both keywords to search for results, as follows.
\n![\"22\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/22.png\")
I double clicked on each of the entries starting from the first, especially since we do not know what exact value we could find the results in. Windows Registry Explorer comes really handy with its search capabilities in such cases.
\nNow, double-click on the entry that I've highlighted in the snapshot above in red, and proceed to the next step.
\nAs you see in the snapshot below, we found Skype, GoogleDrive, and CCleaner!
\n![\"23\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/23.png\")
So, to answer the question, we found three, and they were: Skype, GoogleDrive, and CCleaner.
\n- \n
- Is there any suspicious application among them? What is it, and why do you think so? \n
[Answer:] If the company's policy allows Skype, which lots of business environments today do, then, that Skype is okay. The same goes for GoogleDrive. But, for CCleaner? Why would you need that? It could be okay, and it could not be okay. So, I'm going with the hypothesis that CCLeaner isn't okay here.
\nCheck both LastVisitedPidlMRU and OpenSavePidlMRU to understand some of the user's activity related to applications and files. These Keys could be found in the NTUSER.DAT hive file. Then, answer the questions below. So, navigate inside NTUDER.DAT until you reach:
\n\\SOFTWARE\\Mircosoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSavePidlMRU
\n- \n
- How many documents did you find and what are they? \n
[Answer:] I found two, one .docx file and one .jpg file, as seen in the snapshot below:
\n![\"24\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/24.png\")
- \n
- Could you identify their locations? \n
[Answer:] Yes, they are:
\n- \n
- \n
My Computer\\C:\\Users\\Hunter\\Documets\\Welcome.docx
\n \n - \n
My Computer\\Documets\\home-network-design-networking-for-a-single-family-home-case-house-arkko-1433-x-792.jpg
\n \n - \n
Can you check their content, and is there anything suspicious about them?
\n \n
[Answer:] If we were working on the whole forensic image, then we would have to locate them and then check whether they are suspicious or not. Since we are not working on the whole forensic image in this case and we only have some/parts of it to analyze, we will assume they are suspicious and move on with our investigation.
\n- \n
- Which was the last opened file, and how did you prove that? \n
[Answer:] The last opened file was the \"Welcome.docx\" file. And the proof is from the \"Opened on\" date, which was \"2016-06-21 12:27:37\".
\n- \n
- Let us check the last opened applications. How many applications did you find, and what are they? \n
[Answer:] We see only one, which was chrome.exe.
\n- \n
- Check the RecentDocs that hold subkeys and values for LNK files. What did you find? \n
[Answer:] To solve this, we need to go to the following location:
\n*NTUSER.DAT \\Software \\Microsoft \\Windows \\CurrentVersion \\Explorer\\RecentDocs\\ *
\nThis is another great location to check for recently used documents and files that is stored within the registry as a subkey. The values inside these subkeys are LNK files that we haven't analyzed yet (you will do so later in the course). For now, just let's just check what we found here, which was:
\n- \n
- \n
Welcome.docx
\n \n - \n
home-network-design-networking-for-a-single-family-home-case-house-arkko-1433-x-792.jpg
\n \n - \n
Exfil (this was a directory)
\n \n - \n
Exfiltration_Diagram.png
\n \n - \n
dns-exfiltration-using-sqlmap-18-728.jpg
\n \n
There seems to be a lot going on this computer!!!
\nNow we need to move on to other questions related to the drives this user accessed or network shares etc. So, let us check what drives have been mounted on the system. Currently, we are only interested in listing the mounted devices; we will be doing further analysis later on when we get to the USB forensics lab
\nLet's navigate to SYSTEM\\MountedDevices as seen below:
\n![\"25\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/25.png\")
- \n
- How many devices did you find, and do you know what are they? \n
[Answer:] We actually found four volumes, which are: \n\\??\\Volume{32138f1e-3788-11e6-8250-806e6f6e6963} \n\\??\\Volume{32138f1f-3788-11e6-8250-806e6f6e6963} \n\\??\\Volume{fb7f938e-37a4-11e6-8254-080027d269d7} \n\\??\\Volume{fb7f93ec-37a4-11e6-8254-080027d269d7}
\nWe can't say much here, because we need to do further USB forensics, but what I can say, is there is a C: which is usually used for the operating system, a D: which is used to mount DVD drives, and the E: which could most probably be used to mount USB devices to it.
\n- \n
- Could you identify their drive letters? \n
[Answer:] Yes, they are C:, D:, and E:.
\nOur final step in this task will be to check the UserAssist keys and answer the questions given.
\nLet's start by navigating to the UserAssist location found within the NTUSER.DAT file:
\nNTUSER.DAT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist
\nThe results could be seen below:
\n![\"26\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/26.png\")
- \n
- Now, check the UserAssist keys that start with \"CEBFF5CD\" in their GUID and end with \"49EA\". How many entries did you find in the Count subkey? \n
[Answer:] We found a total of 68 rows.
\n- \n
- What is the value name of any of the keys found? What encoding (some call it encryption!!!) are they using? \n
[Answer:] One sample is \"7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\\Aznc\\mraznc.rkr\" which is actually the \"Program Name{Program Files}\\Nmap\\zenmap.exe\" value. Thanks to Windows Registry Explorer, it converts it back automatically for you.
\nThis isn't encryption, it is only ROT13. More about ROT13 can be found here: https://en.wikipedia.org/wiki/ROT13
\n- \n
- What is the software application that was executed the most? \n
[Answer:] If we filter based on the \"Run Counter\" we find that Adobe Acrobat Reader was run 5 times. Anyway, we won't depend on this only, as we could check Prefetch files that we will analyze in the next upcoming labs.
\n- \n
- Let us check the software type over there. What type of software did you find (the nature of their usage)? \n
[Answer:] From the entries, we can see that the user was using a couple of different tools. Zenmap|Nmap for network scanning, Putty for remote administration, Dropbox, and GoogleDrive for maybe sharing files, Readers and Cleaners like CCleaner, and finally even Wiping tools. So, there is a lot, but all depends on the policy at the company and what is allowed and what isn't.
\n- \n
- Now I want you just to check the entries in the UserAssist subkey that start with \"F4E57C4B\" and end with \"3D9F\". This subkey contains LNK files (shortcuts), more on them in our next lab. For now, just answer the questions. How many times was the Google Chrome shortcut used? \n
[Answer:] It was run 3 times, as you can see in the snapshot below: \n![\"27\"](\"https://assets.ine.com/content/ptp/lab_14_windows_registry_analysis/27.png\")
- \n
- What was the last time he used Google Chrome? \n
[Answer:] It was last executed on 2016-06-21 01:43:24, but I highly recommend that you also check the prefetch files (we will show you how later on in the course).
\nAPPENDIX - RegRipper SAM Results for Task 3
\nsamparse v.20160203
\n(SAM) Parse SAM file for user & group mbrshp info
\nUser Information
\n\n
Username : Administrator [500]
\nFull Name :
\nUser Comment : Built-in account for administering the computer/domain
\nAccount Type : Default Admin User
\nAccount Created : Tue Jun 21 08:19:47 2016 Z
\nName :
\nLast Login Date : Tue Mar 18 10:20:36 2014 Z
\nPwd Reset Date : Tue Mar 18 10:20:39 2014 Z
\nPwd Fail Date : Never
\nLogin Count : 3
\n--> Password does not expire
\n--> Account Disabled
\n--> Normal user account
\nUsername : Guest [501]
\nFull Name :
\nUser Comment : Built-in account for guest access to the computer/domain
\nAccount Type : Default Guest Acct
\nAccount Created : Tue Jun 21 08:19:47 2016 Z
\nName :
\nLast Login Date : Never
\nPwd Reset Date : Never
\nPwd Fail Date : Never
\nLogin Count : 0
\n--> Password does not expire
\n--> Account Disabled
\n--> Password not required
\n--> Normal user account
\nUsername : Hunter [1001]
\nFull Name :
\nUser Comment :
\nAccount Type : Default Admin User
\nAccount Created : Tue Jun 21 08:37:43 2016 Z
\nName :
\nPassword Hint : What do you do?
\nLast Login Date : Tue Jun 21 01:42:40 2016 Z
\nPwd Reset Date : Tue Jun 21 08:37:43 2016 Z
\nPwd Fail Date : Tue Jun 21 12:53:04 2016 Z
\nLogin Count : 3
\n--> Password does not expire
\n--> Password not required
\n--> Normal user account
\nUsername : HomeGroupUser$ [1003]
\nFull Name : HomeGroupUser$
\nUser Comment : Built-in account for homegroup access to the computer
\nAccount Type : Custom Limited Acct
\nAccount Created : Tue Jun 21 08:40:06 2016 Z
\nName :
\nLast Login Date : Never
\nPwd Reset Date : Tue Jun 21 08:40:06 2016 Z
\nPwd Fail Date : Never
\nLogin Count : 0
\n--> Password does not expire
\n--> Normal user account
\n\n
Group Membership Information
\n\n
Group Name : Event Log Readers [0]
\nLastWrite : Thu Aug 22 14:45:11 2013 Z
\nGroup Comment : Members of this group can read event logs from local machine
\nUsers : None
\nGroup Name : Guests [1]
\nLastWrite : Tue Jun 21 08:14:47 2016 Z
\nGroup Comment : Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
\nUsers :
\nS-1-5-21-2489440558-2754304563-710705792-501
\nGroup Name : Network Configuration Operators [0]
\nLastWrite : Tue Mar 18 09:52:38 2014 Z
\nGroup Comment : Members in this group can have some administrative privileges to manage configuration of networking features
\nUsers : None
\nGroup Name : Performance Log Users [0]
\nLastWrite : Thu Aug 22 14:45:11 2013 Z
\nGroup Comment : Members of this group may schedule logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer
\nUsers : None
\nGroup Name : Hyper-V Administrators [0]
\nLastWrite : Tue Mar 18 09:52:38 2014 Z
\nGroup Comment : Members of this group have complete and unrestricted access to all features of Hyper-V.
\nUsers : None
\nGroup Name : IIS_IUSRS [1]
\nLastWrite : Thu Aug 22 14:45:11 2013 Z
\nGroup Comment : Built-in group used by Internet Information Services.
\nUsers :
\nS-1-5-17
\nGroup Name : Backup Operators [0]
\nLastWrite : Tue Mar 18 09:52:38 2014 Z
\nGroup Comment : Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
\nUsers : None
\nGroup Name : Users [2]
\nLastWrite : Tue Jun 21 08:37:43 2016 Z
\nGroup Comment : Users are prevented from making accidental or intentional system-wide changes and can run most applications
\nUsers :
\nS-1-5-4
\nS-1-5-11
\nGroup Name : Access Control Assistance Operators [0]
\nLastWrite : Tue Mar 18 09:52:38 2014 Z
\nGroup Comment : Members of this group can remotely query authorization attributes and permissions for resources on this computer.
\nUsers : None
\nGroup Name : Distributed COM Users [0]
\nLastWrite : Thu Aug 22 14:45:11 2013 Z
\nGroup Comment : Members are allowed to launch, activate and use Distributed COM objects on this machine.
\nUsers : None
\nGroup Name : Administrators [2]
\nLastWrite : Tue Jun 21 08:37:43 2016 Z
\nGroup Comment : Administrators have complete and unrestricted access to the computer/domain
\nUsers :
\nS-1-5-21-2489440558-2754304563-710705792-1001
\nS-1-5-21-2489440558-2754304563-710705792-500
\nGroup Name : Power Users [0]
\nLastWrite : Tue Mar 18 09:52:38 2014 Z
\nGroup Comment : Power Users are included for backwards compatibility and possess limited administrative powers
\nUsers : None
\nGroup Name : Cryptographic Operators [0]
\nLastWrite : Tue Mar 18 09:52:38 2014 Z
\nGroup Comment : Members are authorized to perform cryptographic operations.
\nUsers : None
\nGroup Name : Remote Management Users [0]
\nLastWrite : Thu Aug 22 14:45:11 2013 Z
\nGroup Comment : Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
\nUsers : None
\nGroup Name : Replicator [0]
\nLastWrite : Tue Mar 18 09:52:38 2014 Z
\nGroup Comment : Supports file replication in a domain
\nUsers : None
\nGroup Name : Performance Monitor Users [0]
\nLastWrite : Thu Aug 22 14:45:11 2013 Z
\nGroup Comment : Members of this group can access performance counter data locally and remotely
\nUsers : None
\nGroup Name : Remote Desktop Users [0]
\nLastWrite : Tue Mar 18 09:52:38 2014 Z
\nGroup Comment : Members in this group are granted the right to logon remotely
\nUsers : None
\nAnalysis Tips:
\n- \n
- \n
For well-known SIDs, see http://support.microsoft.com/kb/243330
\n \n - \n
S-1-5-4 = Interactive
\n \n - \n
S-1-5-11 = Authenticated Users
\n \n - \n
Correlate the user SIDs to the output of the ProfileList plugin
\n \n
APPENDIX - RegRipper SOFTWARE Results for Task 4
\nNot included due to file size.
", "flags": [], "min_points_to_pass": null, "access_type": "default", "user_status": "unstarted", "user_lab_status": null, "user_status_modified": null, "user_flags": [], "global_running_session": null }