Windows Forensics - Registry Advanced: Three-Day Instructor-Led Course
For more information contact: info@syntricate.com

This advanced Syntricate training course provides the knowledge and skills necessary to use AccessData® products to conduct forensic investigations on the Microsoft® Windows® registry. Participants will learn where and how to locate registry artifacts using Forensic Toolkit® (FTK®), FTK Imager, Registry Viewer® and Password Recovery Toolkit® (PRTK®).

Prerequisites:
This hands-on course is intended for forensic investigators with experience in forensic case work and a basic working knowledge of FTK, FTK Imager, Registry Viewer, and PRTK. Prior familiarity with the Microsoft Regedit utility is also helpful. To obtain the maximum benefit from this course, you should meet the following requirements:
• Able to understand course curriculum presented in English
• Attendance at the AccessData Forensic BootCamp and Windows Forensics course or equivalent experience with FTK and PRTK
• Previous investigative experience in forensic case work
• Knowledge of Microsoft Windows environment

Class Materials and Software:
You will receive the associated materials prior to the course.

During this three-day course, participants will review the following:
• Use FTK Imager to obtain a clean copy of the Windows registry
• Backup individual registry keys, registry files, and whole registry sets
• Use a Regular Expression to carve registry key names from unallocated space
• Identify and locate potential trace evidence in the regf and hbin blocks
• Use the SAM file to identify system user accounts, user information and properties, user logon password information, user profiles, and group membership
• Use the SYSTEM file to identify computer name, time zone, last shutdown time, network connections, and hardware information
• Use the SECURITY file to identify current and archived system passwords, if present
• Break the SECURITY file passwords in PRTK
• Use the SOFTWARE file to identify USB volume serial numbers in Windows Vista, recycle bin settings, user profiles, wireless connections, printer information, evidence of uninstalled software, application restrictions, autologon settings, and cached password settings
• Identify individual application settings such as Internet Explorer (IE) main settings; IE use count; Internet Account Manager; URL history; IE5 history settings; MSN accounts; mount points and mapped drives; and FTP site settings

Some topics and items in this class syllabus are subject to change. This document is for information purposes only. Syntricate makes no warranties, express or implied, in this document. AccessData, AccessData Certified Examiner, ACE, Distributed Network Attack, DNA, Forensic Toolkit, FTK, LAB, Password Recovery Toolkit, PRTK, Registry Viewer, and Ultimate Toolkit are registered trademarks of AccessData, Inc. in the United States and/or other countries. Other trademarks referenced are property of their respective owners.
Module 1: Introduction
Topics:
• Introductions
• Class materials and software
• Prerequisites
• Class outline
• Helpful Information
Lab:
• Use the Windows registry, rather than Windows Explorer, to configure Explorer settings
• Install the following AccessData software:
  o FTK Imager
  o Registry Viewer
  o PRTK

Module 2: Registry Utilities
Objectives:
• Use Regedit or Regedit32 to view and edit Registry settings
• List four ways to back up the Registry
• Backup individual keys and values
• List four ways to restore .reg files
• Create a hive backup
• Export Registry keys and values to a text file
• Create a set of restore points
• Modify subkey permissions
• Export Registry files from FTK
• Use FTK Imager to harvest live Registry files
• Use Registry Viewer to search Registry values
• Generate Registry reports in Registry Viewer
Lab:
• Backup the registry using Windows utilities
• Create a restore point
• Use FTK Imager to obtain a clean copy of the workstation's registry files
• Use Regedit to back up, delete, and restore subkeys
• Use Regedit to edit subkey permissions

Module 3: Registry 201
Objectives:
• Define the Windows Registry structure and function
• List Registry issues that can cause problems with individual applications and in booting the system
• List the forensic benefits of the Registry
• Identify the hives that make up the Registry and list the types of information associated with each hive
• Identify where the user's NTUSER.DAT file is located
• Identify the standard Registry data types
• Navigate the Registry in regedit32
• Navigate the Registry in Registry Viewer
• Define the Registry block structure
• Identify the seven data structures in the hbin blocks that define the Registry keys, subkeys, and values
• Track a subkey to its values
• Recover deleted data in the Registry and Registry slack
Lab:
• Compare registry structure in Registry Viewer and Regedit
• Locate and view registry files in FTK Imager
• Navigate through the regf and hbin blocks in the SAM file to locate key values
• Use FTK Imager to search for a user in the registry via key name
• Use FTK Imager to search for a value in the registry
Module 4: Preliminary Reports
Objectives:
• Generate a preliminary case report (PCR)
• List the Registry information that should be included in a PCR
• Describe how data is added to standard reports
• List the types of information that can be included in summary reports
• List the benefits of summary reports
Lab:
• Create a Standard Report in Registry Viewer
• Create a Summary Report in Registry Viewer
• Create a Summary Report in Registry Viewer using wildcards
• Create a preliminary report in FTK

Module 5: NTUSER.DAT Artifacts
Objectives:
• Use the following registry components to track patterns of user behavior:
  o NTUSER.DAT
  o Recently typed URLs in the browser
  o Recently viewed documents
  o Protected storage information that potentially contains Web login names, passwords, form data, and search queries
  o Internet Explorer information
  o Mount points and mapped drives
  o Microsoft Office artifacts
  o Office MRUs
  o Date and time of file access
  o Trusted locations
  o Resiliency and auto recover
  o Location in file last visited
  o UserAssist
  o Uninstalled software
  o Local search terms
  o $Recycle.Bin
  o BitLocker To Go
Lab:
• Navigate the following subkeys in the NTUSER.DAT file:
  o Internet Explorer
  o Office 2007 MRUs
  o UserAssist
• Viewing TypedURLsTime anomalies
• Use registry data to break a user's logon password
• Use mount point data and the NTUSER.DAT file to determine which user accessed a USB drive
• Recover local search terms through Windows 8.1
• Associating local searches with the IE webcache

Module 6: SAM Artifacts
Objectives:
• Describe the function of the SAM file
• Describe the Windows management of account permissions
• Describe the components that make up the Security Identifier (SID)
• Describe the components of the Relative Identifier (RID)
• Identify Registry artifacts associated with users and groups
• Associate users to groups
Lab:
• Use the SAM file to translate SIDs
• Recover user account information from the SAM file including Windows 8 Live Accounts
• Use the SAM file to break a user's logon password
• Use the SAM file to recover group information
Module 7: SYSTEM Registry File Part 1
Objectives:
• Identify where the SYSTEM file is located in the Registry
• Describe the function of the SYSTEM file
• List what type of data is stored in the SYSTEM file
• Identify the four subkeys that make up the SYSTEM control set
• Use the SYSTEM file to recover the following information:
  o The correct time zone setting on a Windows XP or Vista machine
  o Whether a Vista system's default setting that disables the last accessed date/time has not been turned back on
  o The computer name
  o The last shutdown time
  o Mounted devices for HDDs
  o Hardware information, including floppy disks, hard disk drives, mass storage devices, and printers
  o Services available to the system
  o How memory is configured, where the swap file is located, and Prefetch settings
• Link a USB device to a specific computer
Lab:
• Use the SYSTEM file to identify time zone information, computer name, and last shutdown time
• Use the SYSTEM file, link files and log files to identify information on specific USB drives
• Use the SYSTEM file to identify a system's DHCP name server, DHCP IP address, and Hostname

Module 8: SYSTEM Registry File Part 2
Objectives:
• USB device tracking
• USB drive identification through Windows
• Mounted Devices Manager
• Date and time drive last mounted
• Date and time drive first mounted
• Logged on user who inserted device
• Windows Portable Devices key
• Use of link files to identify devices
• Identification of USB external drives
• Behavior of cameras and other devices
• Windows 2000 and XP USB connections
• Determining the order of USB drive insertion
• USB event logs
Lab:
• Simulate real world tracking of devices
• Track a device from Windows to all of the available dates and times and associations in Windows 2000, Windows XP, Vista, Windows 7 and Windows 8
• Track device behavior of different devices such as cameras, iPads, iPhones, and other devices
• Viewing Windows event logs for associated devices in Windows Vista, Windows 7 and Windows 8

Module 9: SECURITY Artifacts
Objectives:
• Identify where the SECURITY file is located
• Describe the function of the SECURITY file
• List what type of data is stored in the registry
• Distinguish between permissions, policies, and rights
• Identify what types of passwords can be recovered from the SECURITY file
• Recover cached passwords
Lab:
• Use the SECURITY file to identify information on a target system
• Use PRTK to recover passwords stored in the SECURITY file
Module 10: SOFTWARE Artifacts
Objectives:
• Identify where the SOFTWARE file is located in the Registry
• Describe the function of the SOFTWARE file
• List what type of data is stored in the SOFTWARE file
• Describe the function of the Vista ReadyBoost feature and identify what information it stores in the SOFTWARE file
• Use the SOFTWARE file to recover the following information:
  o Evidence of uninstalled software
  o Startup locations used to load applications by the user or executable files during the boot process
  o The Class Identifiers (CLSIDs) for operating system objects such as applications and ActiveX controls
  o The Service Set Identifier (SSID) used to identify the user's wireless connections
  o Winlogon and Autologon information
  o Recycle Bin properties
  o Printer information
• Create a File Types report in Registry Viewer
• List the two types of wireless artifacts found in Windows XP
• Identify where wireless artifacts are found in Windows Vista
Lab:
• Use the SOFTWARE file to identify user information on a target system such as the last logged on user and the time the user shut down the system
• Use the SOFTWARE file to identify uninstalled software, wireless connections, recycle bin settings, and printer information

Module 11: Other Registry Files
Objectives:
• Use the UsrClass.dat file to recover information on launched executables
• Use the Amcache.hve file from Windows 8 to find the following information on the target system:
  o Launched executables
  o Drive information from launched binaries
  o Identification information from launched binaries
  o Determining use of portable apps
  o Checking application compatibility settings
  o Check for launched applications in event logs
• Check individual settings.dat application registry files in Windows 8 for potential artifacts
Lab:
• Tracking launched executables in the MuiCache (UsrClass.dat)
• Following application associations in the Windows 8 Amcache.hve registry file:
  o Documenting launched application details of drive and location
  o Drive associations with Mounted Devices
  o Hash tracking of launched executables
• Determination of installed Metro Apps
• Tracking launch of portable applications in Windows 8