Lab 6-DF LAB

Uploaded by nou20200619

nour taher huwio - section 1 - 20200619

The file "RegistryFiles-1.zip" was downloaded from eLearning and the contents of the compressed
file were extracted to the desktop. A command prompt was opened on a Windows computer, and the
command "regedit" was typed at the prompt to launch the Registry Editor. Once the Registry Editor
was open, it was verified that all keys were collapsed. The Regedit window appeared identical to
the reference image.

In the Regedit window, HKEY_LOCAL_MACHINE was left-clicked to highlight it without expanding it.
From the main menu, "File" was selected and then "Load Hive…" was chosen from the pull-down menu.
The directory on the desktop containing the Registry files retrieved from the website was browsed
to, and the file named SOFTWARE was selected. When loading the file, a prompt appeared asking for a
name in the "Load Hive" window. The name "TEST" was entered and the "OK" button was clicked.
HKEY_LOCAL_MACHINE was then expanded, and the loaded hive appeared under the name TEST.
The logon banner stored in the TEST hive was examined by navigating down to the following Registry
key:
HKEY_LOCAL_MACHINE\TEST\Microsoft\Windows\CurrentVersion\Policies\System

After navigating down to the key, its path was displayed in the lower left corner of the screen.
Two values were noted: legalnoticecaption and legalnoticetext.
The former holds the text that appears in the title bar of the consent banner; the latter holds the
message displayed in the body of the consent banner.

The consent banner displayed on this computer was identified as follows:

No consent banner is displayed, because both values in this Registry file are empty. (In this hive
the consent banner has been removed, so nothing is shown at logon. The absence of the banner may
raise legal concerns when corporate assets are examined, so in this example the absence of data is
itself a finding.)

To identify the installation information for this version of Windows, the following key was
navigated to:

HKEY_LOCAL_MACHINE\TEST\Microsoft\Windows NT\CurrentVersion

What is the name of the Windows product?
The name of the Windows product is Windows 7 Professional.

What is the product ID number?
The product ID number is 00371-868-0000006-85715.

In what directory on the system is the operating system running?
The operating system is running in the directory C:\Windows.

When was the operating system installed?
The operating system was installed on November 23, 2010 at 14:46:59 GMT.

The Registry keys were collapsed, the key named TEST was clicked, and from the main menu "File" was
selected followed by "Unload Hive…".
The file "RegistryFiles-1.zip" was downloaded and its contents were extracted to the computer's
desktop. Windows Registry Recovery was also downloaded; its executable was extracted from the
compressed file and placed on the desktop, and the program was launched. From its main menu "File"
was selected, then "Open", and the SYSTEM Registry hive was chosen. The Windows Registry Recovery
window then appeared with the hive loaded.

On the menu on the left side of the screen, the "Services and Drivers" button was clicked, which
displayed the list of services stored in the SYSTEM hive.
On the same left-hand menu, the "Network Configuration" button was clicked, and in the right frame
the "TCP/IP" tab was selected. This displayed the network information held in the Registry,
including the IP address.
The DHCP-assigned IP address 192.168.1.4 is listed, along with the date the lease was obtained
(0x4CFD7EF5 = 1291681525 (UNIX epoch time) = December 7, 2010 at 00:25:25 GMT) and the date
the lease expired (0x4CFED074 = 1291767924 (UNIX epoch time) = December 8, 2010 at 00:25:24
GMT).
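The two lease timestamps above are REG_DWORD values, which a hive stores as four little-endian bytes; an analyst reading raw cell data (rather than a tool that already decodes them) has to reverse the byte order before treating the number as UNIX epoch seconds. The following Python is an added example, not part of the lab report or of any of the tools it uses. The byte strings are constructed from the two hex values in the report, and the value names LeaseObtainedTime and LeaseTerminatesTime under Tcpip\Parameters\Interfaces\<GUID> are the usual Windows names, assumed here rather than quoted from the report.

```python
import struct
from datetime import datetime, timezone

# Constructed sample input: the report's two lease timestamps as the raw
# little-endian REG_DWORD bytes a hive parser would return for the
# LeaseObtainedTime and LeaseTerminatesTime values (assumed value names).
LEASE_OBTAINED_RAW = bytes.fromhex("f57efd4c")   # 0x4CFD7EF5 stored little-endian
LEASE_EXPIRED_RAW = bytes.fromhex("74d0fe4c")    # 0x4CFED074 stored little-endian


def dword_le_to_int(raw: bytes) -> int:
    """Decode a 4-byte REG_DWORD exactly as stored in the hive (little-endian)."""
    if len(raw) != 4:
        raise ValueError(f"REG_DWORD must be 4 bytes, got {len(raw)}")
    return struct.unpack("<I", raw)[0]


def epoch_to_utc(seconds: int) -> datetime:
    """Convert UNIX epoch seconds to a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def describe_dword_time(raw: bytes) -> dict:
    """Return the hex, decimal and GMT forms the report uses side by side."""
    value = dword_le_to_int(raw)
    return {
        "hex": f"0x{value:08X}",
        "epoch": value,
        "utc": epoch_to_utc(value).strftime("%Y-%m-%d %H:%M:%S GMT"),
    }


def lease_summary(obtained_raw: bytes, expires_raw: bytes) -> dict:
    """Decode both lease timestamps and the lease length they imply.

    A lease that expires before it was obtained means the two values were
    swapped or the data is corrupt, so that case is rejected rather than
    silently reported as a negative duration.
    """
    obtained = dword_le_to_int(obtained_raw)
    expires = dword_le_to_int(expires_raw)
    if expires < obtained:
        raise ValueError("lease expiry precedes lease acquisition; check value order")
    return {
        "obtained": describe_dword_time(obtained_raw),
        "expires": describe_dword_time(expires_raw),
        "duration_seconds": expires - obtained,
    }


if __name__ == "__main__":
    summary = lease_summary(LEASE_OBTAINED_RAW, LEASE_EXPIRED_RAW)
    for label in ("obtained", "expires"):
        t = summary[label]
        print(f"{label:9s} {t['hex']} = {t['epoch']} = {t['utc']}")
    print(f"lease length: {summary['duration_seconds']} seconds")
```

Running the block reproduces the report's conversions (0x4CFD7EF5 = 1291681525 = 2010-12-07 00:25:25 GMT, 0x4CFED074 = 1291767924 = 2010-12-08 00:25:24 GMT) and shows the lease length as 86399 seconds, one second short of a full day, which is consistent with the 00:25:25 / 00:25:24 pair in the report.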

From the main menu, "File" was selected and then "Open" was chosen. The SAM file was browsed to and
loaded. After loading the SAM file, the "SAM" button was clicked on the left side of the window,
and then the "Groups and Users" tab was clicked on the right side. This displayed the list of user
accounts and groups.
The file named "RegistryFiles-1.zip" was downloaded, and its contents were extracted to the
desktop of the computer. RegRipper was downloaded, and the contents of its compressed file were
extracted to the desktop. RegRipper was launched by double-clicking rr.exe, and the RegRipper
window appeared.

The text file containing the results was opened. Based on the output, the "typed URLs" entered into
Internet Explorer by the user of this account can be found in the Registry key:
Software\Microsoft\Internet Explorer\TypedURLs
Make a copy of the Registry files named SYSTEM and NTUSER.dat from your system to the desktop of
the computer, and extract the artifacts from the two files.

What was the IP address assigned to the computer?
192.168.1.4

How many USB storage devices were connected to this computer?
2 USB storage devices were connected to this computer.
ControlSet00
ControlSet002

Search through the NTUSER.dat file. When was the last Adobe Acrobat PDF opened and what was its
name?

Google Update automatically launches and runs on computers using the
NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Run Registry key. Is Google Update installed
on this computer and, if so, from where does the executable run?

What were the "Typed Paths" (not "Typed URLs") found in the NTUSER.dat file and when was the last
path entered?
Typed Paths were not found.
