csf1920 2 07 Operating - System - Forensics
Systems
} Windows files
https://support.microsoft.com/en-us/kb/256986
} System configuration
} Devices on the system
} User names
} Personal settings and browser preferences
} Web browsing activity
} Files opened
} Programs executed
} Application’s settings
} HKEY_CLASSES_ROOT (HKCR)
} Ensures the correct program opens when executed in Windows Explorer
} HKEY_CURRENT_USER (HKCU)
} Contains the profile (settings) of the user who is currently logged in
} HKEY_CURRENT_CONFIG (HKCC)
} Information about the hardware profile used by the computer during start-up
} Location:
} HKLM\System\CurrentControlSet\Control\TimeZoneInformation
} Location:
} HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList
} Volume serial number
\_??_USBSTOR#Disk&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_6.15#0C90195032E36889&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}GEEKSQUAD_1414378827
} Default user
} Specific Windows services
} Currently signed-in user with its full SID
} RunMRU: when a user types a command into the 'Run' box via the Start menu, the entry is added to this Registry key
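As an added example (not code from the course slides), the following Python parses the USBSTOR device instance path shown above into its vendor, product, revision, serial and GUID fields, and orders RunMRU entries by the key's MRUList value; the RunMRU sample values are constructed, and the parsing regex is my own rather than a documented Windows format.

```python
import re
from typing import Dict, List, Optional

# Device instance path taken from the slide (the trailing volume label is omitted).
USBSTOR_SAMPLE = r"\_??_USBSTOR#Disk&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_6.15#0C90195032E36889&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"

# Assumed layout: USBSTOR#<type>&Ven_<vendor>&Prod_<product>&Rev_<rev>#<serial>&<instance>#{<guid>}
USBSTOR_RE = re.compile(
    r"USBSTOR#(?P<type>[^&#]+)&Ven_(?P<vendor>[^&#]*)&Prod_(?P<product>[^&#]*)"
    r"&Rev_(?P<rev>[^#]*)#(?P<serial>[^#]+)#\{(?P<guid>[0-9a-fA-F-]+)\}"
)


def parse_usbstor_path(path: str) -> Optional[Dict[str, str]]:
    """Split a USBSTOR device instance path into its fields; None if not USBSTOR."""
    m = USBSTOR_RE.search(path)
    if not m:
        return None
    fields = m.groupdict()
    # The field after Rev_ is "<serial>&<instance>"; split on the last '&'.
    serial, _, instance = fields.pop("serial").rpartition("&")
    fields["serial"] = serial
    fields["instance"] = instance
    return fields


def is_windows_generated_serial(serial: str) -> bool:
    """A serial whose second character is '&' was assigned by Windows because the
    device reported none, so it does not identify the physical stick across hosts."""
    return serial[1:2] == "&"


# Constructed sample of the values under HKCU\...\Explorer\RunMRU (not from a real host).
RUNMRU_SAMPLE = {
    "MRUList": "cab",
    "a": "cmd\\1",
    "b": "regedit\\1",
    "c": "\\\\fileserver\\tools\\1",
}


def order_runmru(values: Dict[str, str]) -> List[str]:
    """Return RunMRU commands most-recent first. Each command sits under a one-letter
    value name with a trailing '\\1'; MRUList lists those letters, newest first."""
    ordered = []
    for letter in values.get("MRUList", ""):
        cmd = values.get(letter)
        if cmd is not None:
            ordered.append(cmd[:-2] if cmd.endswith("\\1") else cmd)
    return ordered


if __name__ == "__main__":
    print(parse_usbstor_path(USBSTOR_SAMPLE))
    print(order_runmru(RUNMRU_SAMPLE))
```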
} OpenSave MRU: tracks files that were opened / saved within a Windows shell dialog box
} Win7:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU
} *key: tracks the most recent files of any extension input in an OpenSave dialog
} .???: stores file info from the OpenSave dialog by specific extension
} Example
} Wordpad.exe was last run to open a file in folder c:\temp
} Location:
} HKCU\Software\Microsoft\Office\VERSION
} Location:
} HKCU\Software\Microsoft\SearchAssistant\ACMru\####
} Each time a new user logs on, a new hive is created for that user with a separate file for the user profile
} User's app settings, desktop, environment, network connections, and printers
} User profile hives are located under the HKEY_USERS key
} Location:
} C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\
} Can also be found in other locations
HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
(ProfilePath)\Start Menu\Programs\Startup
} Installed programs
} Printer files
} Contain information about printing jobs
} Windows files
} Program execution
} File opening / creation
} Deleted file or file knowledge
} Secondary bibliography
} Windows forensic and security
https://articles.forensicfocus.com/2014/04/14/windows-forensics-and-security/
} Windows artifact analysis
https://uk.sans.org/posters/windows_artifact_analysis.pdf
} The evolution of Windows
https://businesstech.co.za/news/technology/94687/the-evolution-of-windows-1985-to-2015/
} Data exfiltration and forensic analysis in a Microsoft Windows environment
https://c.ymcdn.com/sites/www.issa.org/resource/resmgr/journalpdfs/feature1113.pdf