WEBVTT

00:00:03.300 --> 00:00:06.660
Registry Explorer is a tool that was developed by Eric Zimmerman.

00:00:06.660 --> 00:00:09.800
Looking at the evolution of Registry Explorer, you'll be amazed at the

00:00:09.800 --> 00:00:12.800
number of improvements and features Eric has incorporated.

00:00:12.800 --> 00:00:16.500
He still continuously updates and adds new features to the tool.

00:00:16.500 --> 00:00:19.860
I highly recommend you use this unique tool, especially when you are going

00:00:19.860 --> 00:00:22.040
to investigate the Windows Registry.

00:00:22.040 --> 00:00:25.600
Before we start using Registry Explorer, please know that you will need

00:00:25.600 --> 00:00:27.220
the .NET version.

00:00:27.220 --> 00:00:30.520
When you go to Eric's website to download the software, you'll see the

00:00:30.520 --> 00:00:32.640
requirements for it.

00:00:32.640 --> 00:00:37.380
At the time of this recording, I'm using version 0.9.0.0.

00:00:37.380 --> 00:00:41.080
Depending on when you watch this, you may be working with a newer version,

00:00:41.080 --> 00:00:43.640
as Eric frequently revises the tool.

00:00:43.640 --> 00:00:48.440
Before we start our investigation, we need to extract the registry files.

00:00:48.440 --> 00:00:53.780
Let's start FTK Imager and add our evidence file, the forensic image.

00:00:53.780 --> 00:00:59.480
My goal is to show you the tool and how to use its features.

00:00:59.480 --> 00:01:12.120
So, let's go to the Windows folder here, and then to System32, as this

00:01:12.120 --> 00:01:15.980
is the normal location where we can find the Windows Registry files.

00:01:15.980 --> 00:01:18.180
And now, let's select Config.

00:01:18.180 --> 00:01:23.980
Now we can start selecting the files we want.

00:01:23.980 --> 00:01:30.100
Let's select SAM, Security, Software, and System.

00:01:30.100 --> 00:01:35.240
Now, let's right-click and select Export Files, and then choose the destination

00:01:35.240 --> 00:01:39.280
where we'd like to export them.

00:01:39.280 --> 00:01:49.920
We receive a pop-up that tells us that we've exported four files that

00:01:49.920 --> 00:01:52.140
we can now analyze.

00:01:52.140 --> 00:01:55.960
Because Windows Registry files are protected files, I want to make one

00:01:55.960 --> 00:01:57.300
important call-out.

00:01:57.300 --> 00:02:00.200
When working on a live system and you want to extract the Windows Registry

00:02:00.200 --> 00:02:04.240
files only, using the Obtain System Files button will allow you to obtain

00:02:04.240 --> 00:02:08.860
system files. You can then specify the files you want.

00:02:08.860 --> 00:02:13.160
For instance, the first option here is for the login password recovery,

00:02:13.160 --> 00:02:17.320
which won't extract a lot, only the profile and the system hive.

00:02:17.320 --> 00:02:21.880
The second option extracts all of the registry hives and the profiles.

00:02:21.880 --> 00:02:26.760
So now let's go to the Registry Explorer tool and upload the offline files.

00:02:26.760 --> 00:02:34.260
For this video, I will be uploading these two, Software and System.

00:02:34.260 --> 00:02:38.360
Depending on the size, this could take a little bit of time.

00:02:38.360 --> 00:02:42.680
Now the files are uploaded, and as you can see, whenever you click on

00:02:42.680 --> 00:02:46.900
a hive, you can see the bookmarks change based on your current selection.

00:02:46.900 --> 00:02:50.480
For example, if we select System and then go to Bookmarks, we can see

00:02:50.480 --> 00:02:52.020
that there are 24.

00:02:52.020 --> 00:02:59.340
If we select Software and go to Bookmarks, there are 15 prepared for us.

00:02:59.340 --> 00:03:01.720
This doesn't mean that this is a static list.

00:03:01.720 --> 00:03:05.420
We do have the option to manage this, as well as add keys.

00:03:05.420 --> 00:03:09.160
So, if you find a new key and you want it to be added to the tool, you

00:03:09.160 --> 00:03:12.400
can upload it to Eric's shared directory on his GitHub account.

00:03:12.400 --> 00:03:17.400
And if he finds it useful, he will merge it into the tool.

00:03:17.400 --> 00:03:21.000
Having System selected, let's go back to Bookmarks and under Common.

00:03:21.000 --> 00:03:22.920
Let's select Computer Name.

00:03:22.920 --> 00:03:25.840
Sometimes you may have a lot of computers and perhaps you're investigating

00:03:25.840 --> 00:03:29.860
a computer name, or you want to know a specific computer name.

00:03:29.860 --> 00:03:33.920
Clicking on Computer Name here brings up the values, and the value we

00:03:33.920 --> 00:03:36.440
clicked on, Computer Name, is the key.

00:03:36.440 --> 00:03:39.720
And if we go to the values area to the right, we have the value name,

00:03:39.720 --> 00:03:41.020
which is also Computer Name.

00:03:41.020 --> 00:03:45.380
And we also have its data, which we can see here, and a bit below under

00:03:45.380 --> 00:03:49.820
Type Viewer. So, this is actually the computer name of the system we are

00:03:49.820 --> 00:03:55.080
investigating. Let's look at another example, OS Information.

00:03:55.080 --> 00:04:00.020
We now see the details displayed for the operating system, which shows

00:04:00.020 --> 00:04:03.940
us things like number of processors, the OS name, and the path to where

00:04:03.940 --> 00:04:10.440
it is stored. Whenever you click on an entry line, we can see the details

00:04:10.440 --> 00:04:14.260
below. They are displayed in different formats.

00:04:14.260 --> 00:04:18.220
Here, we can see the details for the model of the processor.

00:04:18.220 --> 00:04:22.960
So, going back to Bookmarks, we have several options we can choose from.

00:04:22.960 --> 00:04:24.720
We'll go through a couple of them.

00:04:24.720 --> 00:04:26.480
Let's select File System.

00:04:26.480 --> 00:04:30.240
Immediately, we see the file system details here.

00:04:30.240 --> 00:04:34.640
For example, here is NTFS Disable Last Access Update.

00:04:34.640 --> 00:04:39.980
By default, it is set to 1, which means NTFS is disabling the Last Access

00:04:39.980 --> 00:04:43.260
Update. Let's look at another option.

00:04:43.260 --> 00:04:45.440
Let's select Firewall Policy this time.

00:04:45.440 --> 00:04:50.940
If we expand this, we can see the policies that we have.

00:04:50.940 --> 00:04:54.340
Let's click on Domain Profile, and then Logging, to see the values it

00:04:54.340 --> 00:04:59.140
provides. Here we see Log File Path and, under Data, we can see where

00:04:59.140 --> 00:05:01.020
it's actually being logged.

00:05:01.020 --> 00:05:05.880
Now, let's go to Mounted Devices.

00:05:05.880 --> 00:05:10.120
Here, we can see the devices that have been mounted on this file system.

00:05:10.120 --> 00:05:14.100
We can see that there were two devices, the C and the D.

00:05:14.100 --> 00:05:18.860
Moving on, we also have the option to see Time Zone Information.

00:05:18.860 --> 00:05:21.960
I will go into more detail later about this option when we use the Decode

00:05:21.960 --> 00:05:30.660
Tool. Now, let's select Software, and then go back to Bookmarks.

00:05:30.660 --> 00:05:32.780
Here we see some useful information.

00:05:32.780 --> 00:05:36.700
For example, if we wanted to know more about the current version NT, we

00:05:36.700 --> 00:05:39.040
could select this option.

00:05:39.040 --> 00:05:42.360
And here, we can see the product name, and that it is a Windows Server

00:05:42.360 --> 00:05:48.380
2008 Standard.
We can also see where the system root is installed.

00:05:48.380 --> 00:05:50.120
Here we have the Installation Date.

00:05:50.120 --> 00:05:53.840
We'll come back to this particular point, as it is a very important date.

00:05:53.840 --> 00:05:57.200
Further up, we also have the current version, which is the version of

00:05:57.200 --> 00:06:02.300
Windows. Scrolling down, we see the Service Pack currently installed.

00:06:02.300 --> 00:06:06.440
There are a lot of details we can find within this particular key.

00:06:06.440 --> 00:06:08.860
Let's now check out Network Cards.

00:06:08.860 --> 00:06:15.620
We can now see what network cards are attached to the system.

00:06:15.620 --> 00:06:18.760
There's a lot of information that's presented to us.

00:06:18.760 --> 00:06:21.680
Just note that we don't have to memorize everything.

00:06:21.680 --> 00:06:26.160
We can make bookmarks.

00:06:26.160 --> 00:06:29.600
For instance, if there's an entry that didn't have a bookmark, you can

00:06:29.600 --> 00:06:33.260
simply right-click it and select Add Bookmark.

00:06:33.260 --> 00:06:37.680
Now we can enter the following information to add it.

00:06:37.680 --> 00:06:41.000
Let's take a look at the current NT version again and create a bookmark from

00:06:41.000 --> 00:06:53.180
one of the entries there.

00:06:53.180 --> 00:07:27.140
Venet Basic Let's go ahead and right-click and select Add Bookmark.

00:07:27.140 --> 00:07:29.660
Now we can enter the details for this bookmark.

00:07:29.660 --> 00:07:31.760
We have the option to select the category.

00:07:31.760 --> 00:07:33.840
We can even type in the category.

00:07:33.840 --> 00:07:37.120
For example, I'll type in VMStuff.

00:07:37.120 --> 00:07:44.820
Here we have the short description, VirtualBox Guest Additions.

00:07:44.820 --> 00:07:55.600
And below that, we can enter the long description and then save.

00:07:55.600 --> 00:07:59.640
Now if we go to the bookmarks, we have our newly added bookmark under

00:07:59.640 --> 00:08:03.200
User Created. Let's test it.

00:08:03.200 --> 00:08:07.660
Let's go back to Software and then use our bookmark.

00:08:07.660 --> 00:08:09.740
It takes us directly there.

00:08:09.740 --> 00:08:13.400
So, as you can see, creating bookmarks is quite easy, which can be helpful

00:08:13.400 --> 00:08:17.040
during an investigation, especially if this key will be checked numerous

00:08:17.040 --> 00:08:19.620
times for a number of different hives.

00:08:19.620 --> 00:08:23.000
So, it may be useful to add it as a key.

00:08:23.000 --> 00:08:28.260
Also, if we go back to the top menu and select View and then Messages,

00:08:28.260 --> 00:08:30.920
we can see the messages that were applied when the file was uploaded to

00:08:30.920 --> 00:08:35.680
the tool. So, it tells us what was done and if there was an error.

00:08:35.680 --> 00:08:41.320
Let's go back and select Plugins, which is something that is unique to

00:08:41.320 --> 00:08:48.620
this tool, but very useful.

00:08:48.620 --> 00:08:52.640
For instance, let's say that we didn't know what RunMRU was, or Recent

00:08:52.640 --> 00:08:56.840
Documents. When selecting it, we see very helpful information about the

00:08:56.840 --> 00:09:01.160
plugin, like the author details, the key path where this is found, and

00:09:01.160 --> 00:09:03.880
its version number, as it could be updated.

00:09:03.880 --> 00:09:08.660
We also have the GUID, plus the short and long description, so even if

00:09:08.660 --> 00:09:11.960
you don't know what Recent Documents is, you can check out the plugin,

00:09:11.960 --> 00:09:15.240
and from the short description, we now know that it displays recently

00:09:15.240 --> 00:09:18.160
opened documents by extension.

00:09:18.160 --> 00:09:23.880
So, if we want to learn more, we can come here.

00:09:23.880 --> 00:09:45.700
Moving on, we also have the Help option in the menu.

00:09:45.700 --> 00:09:48.920
Under Options, we can say whether we want to recover deleted keys and

00:09:48.920 --> 00:09:51.500
values that you may want to carve out.

00:09:51.500 --> 00:09:54.020
You can even change the skin of the tool.

00:09:54.020 --> 00:10:02.240
Under Tools, we have a Find option, which I'll come back to later.

00:10:02.240 --> 00:10:05.200
If you want to save your work and come back to it later, you can go to

00:10:05.200 --> 00:10:08.820
File, Project, then Save.

00:10:08.820 --> 00:10:26.020
You can then name your file and select where you'd like to save it.

00:10:26.020 --> 00:10:30.080
So, let's close this and run Registry Explorer again.

00:10:30.080 --> 00:10:39.600
You do not have to load everything from scratch; just go back to File,

00:10:39.600 --> 00:10:42.860
Project, and then select Load.

00:10:42.860 --> 00:10:46.020
We can then select the file we want to load.

00:10:46.020 --> 00:10:51.620
The tool is now loading the file.

00:10:51.620 --> 00:10:54.500
This is very useful, especially when you have a couple of files and you

00:10:54.500 --> 00:10:56.720
don't want to load all of them.

00:10:56.720 --> 00:11:00.840
And, if we go to Bookmarks, we have the details we looked at earlier,

00:11:00.840 --> 00:11:03.340
as well as the bookmark we created.

00:11:03.340 --> 00:11:11.200
Okay, let's go back to Tools and then Find.

00:11:11.200 --> 00:11:15.920
As an example, say we want to search for a key for Shut Down.

00:11:15.920 --> 00:11:21.260
To the right, we can select if it's a key name, value name, value data,

00:11:21.260 --> 00:11:25.580
or value slack. We can also determine the search type, simple or regular

00:11:25.580 --> 00:11:29.280
expression.
There are a lot of good features we can use.

00:11:29.280 --> 00:11:31.800
Let's go ahead and click on Search.

00:11:31.800 --> 00:11:37.180
When we double-click on one, it will take us to the entry of where it

00:11:37.180 --> 00:12:07.220
found this key. Let's go ahead and click on the other entries.

00:12:07.220 --> 00:12:10.660
Ctrl+F will also bring the Find window back up.

00:12:10.660 --> 00:12:14.040
Also, you can enter a list of things you want to search for.

00:12:14.040 --> 00:12:17.480
And, for things that you've already searched for, you can see them in the

00:12:17.480 --> 00:12:19.440
history drop-down below.

00:12:19.440 --> 00:12:23.660
So, let's go ahead and remove this one and search for Memory Management.

00:12:23.660 --> 00:12:33.660
Our search entries are displayed below, and now, if we go to the History

00:12:33.660 --> 00:12:36.780
drop-down menu, we have two on the list.

00:12:36.780 --> 00:12:42.840
If we go to the Options menu, we can even clear recent searches.

00:12:42.840 --> 00:12:47.220
Looking at the Memory Management here, we can see its details to the right.

00:12:47.220 --> 00:12:50.960
And here, we can see the details for the pagefile.sys, which Microsoft

00:12:50.960 --> 00:12:54.440
uses to store Memory Management stuff, which is related to the virtual

00:12:54.440 --> 00:13:01.000
memory. At the top, we see a very useful key, Clear Page File at Shut

00:13:01.000 --> 00:13:05.680
Down. Currently, this option is not set, as it is set to zero, but if

00:13:05.680 --> 00:13:10.880
it was, when the system shuts down, it will clear the page file.

00:13:10.880 --> 00:13:14.680
And looking back at Paging Files, we can see where it's located, as well

00:13:14.680 --> 00:13:17.580
as the current existing page files.

00:13:17.580 --> 00:13:20.920
As you can see, when searching for Memory Management, there's a lot of

00:13:20.920 --> 00:13:23.340
useful information that you can find.

00:13:23.340 --> 00:13:27.460
One very important thing to know when analyzing the Windows Registry is

00:13:27.460 --> 00:13:29.360
the control set that is being run.

00:13:29.360 --> 00:13:32.680
That is, knowing which tree of keys under the registry is actually being

00:13:32.680 --> 00:13:34.220
used and updated.

00:13:34.220 --> 00:13:38.320
Again, this is extremely important.

00:13:38.320 --> 00:13:43.740
Here we see two control sets, Control Set 1 and Control Set 3.

00:13:43.740 --> 00:13:48.120
So, which one was the active one while the user was at his computer?

00:13:48.120 --> 00:13:52.700
To find this out, we need to go to Select, which has four keys: Current,

00:13:52.700 --> 00:13:55.600
Default, Failed, and Last Known.

00:13:55.600 --> 00:14:00.240
Current, which is 1, means Control Set 1 was the control set that was

00:14:00.240 --> 00:14:01.760
actually being used.

00:14:01.760 --> 00:14:05.240
Again, it's extremely important to know the control set when you investigate

00:14:05.240 --> 00:14:07.660
key entries in the registry.

00:14:07.660 --> 00:14:11.580
If we look back at the values, and at Failed, we can see that there were

00:14:11.580 --> 00:14:13.520
not any failed control sets.

00:14:13.520 --> 00:14:20.900
The Default is also 1, and the Last Known Good is 3.

00:14:20.900 --> 00:14:24.160
You may have seen this when a system encountered a problem, and you had

00:14:24.160 --> 00:14:25.680
to reboot the machine.

00:14:25.680 --> 00:14:28.880
You would have been presented with an option asking if you want to revert

00:14:28.880 --> 00:14:32.920
to the Last Known Good settings. As we see here, this one is set to number

00:14:32.920 --> 00:14:37.580
3.
Usually, you will be reverting back to number 3.

00:14:37.580 --> 00:14:42.060
Currently, in this investigation, the current control set is 1, which

00:14:42.060 --> 00:14:46.140
means that all the details are supposed to be under this key.

00:14:46.140 --> 00:14:49.820
One final thing I'd like to mention before the video concludes is the

00:14:49.820 --> 00:14:52.360
ability to export registry hives.

00:14:52.360 --> 00:14:55.680
We have a few options we can export as.

00:14:55.680 --> 00:14:58.800
Let's say that we want to export this as a PDF file.

00:14:58.800 --> 00:15:00.900
We have the option to do that.

00:15:00.900 --> 00:15:08.500
Now we can view it, and see all of the hives, and the details exported.

00:15:08.500 --> 00:15:17.920
This is very useful as you may want to add it to your final investigation.

00:15:17.920 --> 00:15:21.120
Let's export it as another format.

00:15:21.120 --> 00:15:24.960
Let's select the CSV, comma-separated value, option, and then view the

00:15:24.960 --> 00:15:40.900
output. Here we can see everything is comma separated, which allows us

00:15:40.900 --> 00:15:56.220
to import it into a tool to analyze later.

00:15:56.220 --> 00:16:00.100
As you can see, using Registry Explorer is extremely helpful when investigating

00:16:00.100 --> 00:16:04.960
the registry. Additionally, if you want more details, you can right-click

00:16:04.960 --> 00:16:07.340
and select Technical Details.

00:16:07.340 --> 00:16:14.520
For example, you can select any one of these to see exactly where they

00:16:14.520 --> 00:16:17.180
are located in the data structure.

00:16:17.180 --> 00:16:22.740
Under the Full Details as Text tab, we see more details and descriptions.

00:16:22.740 --> 00:16:25.700
And to the right, we have Hive Details.

00:16:25.700 --> 00:16:30.240
Every registry, as you already know, starts with just a registry signature,

00:16:30.240 --> 00:16:34.420
regf. So, everything is already analyzed for you, and you can go to

00:16:34.420 --> 00:16:38.120
Technical Details to find more information.

00:16:38.120 --> 00:16:42.100
Another feature I'd like to show you is the ability to export a value

00:16:42.100 --> 00:16:46.760
by simply right-clicking, selecting Export, and then Value Data.

00:16:46.760 --> 00:16:48.780
You can also copy a value too.

00:16:48.780 --> 00:16:53.400
You can even specify what you want to copy: the value summary, value name,

00:16:53.400 --> 00:16:55.920
value type, and value data.

00:16:55.920 --> 00:17:00.640
You'll be using Registry Explorer for your labs.

00:17:00.640 --> 00:17:04.240
And this concludes our video lesson on exploring the Windows Registry

00:17:04.240 --> 00:17:06.600
using Registry Explorer.

00:17:06.600 --> 00:17:07.580
Thanks for joining us.