Page created by Laura Wilson

Windows Forensics - Registry
   Advanced • Three-Day Instructor-Led Course
   For more information contact: info@syntricate.com

   This advanced Syntricate training course provides the knowledge and skills necessary to use AccessData®
   products to conduct forensic investigations on the Microsoft® Windows® registry. Participants will learn where and
   how to locate registry artifacts using Forensic Toolkit® (FTK®), FTK Imager, Registry Viewer® and Password
   Recovery Toolkit® (PRTK®).

   Prerequisites:

   This hands-on course is intended for forensic investigators with experience in forensic case work and a basic
   working knowledge of FTK, FTK Imager, Registry Viewer, and PRTK. Prior familiarity with the Microsoft Regedit
   utility is also helpful.

   To obtain the maximum benefit from this course, you should meet the following requirements:
      • Able to understand course curriculum presented in English
      • Attendance at the AccessData Forensic BootCamp and Windows Forensics course, or equivalent experience with FTK and PRTK
      • Previous investigative experience in forensic case work
      • Knowledge of the Microsoft Windows environment

   Class Materials and Software:

   You will receive the associated materials prior to the course.

   During this three-day course, participants will review the following:

      • Use FTK Imager to obtain a clean copy of the Windows registry
      • Back up individual registry keys, registry files, and whole registry sets
      • Use a regular expression to carve registry key names from unallocated space
      • Identify and locate potential trace evidence in the regf and hbin blocks
      • Use the SAM file to identify system user accounts, user information and properties, user logon password information, user profiles, and group membership
      • Use the SYSTEM file to identify computer name, time zone, last shutdown time, network connections, and hardware information
      • Use the SECURITY file to identify current and archived system passwords, if present
      • Break the SECURITY file passwords in PRTK
      • Use the SOFTWARE file to identify USB volume serial numbers in Windows Vista, recycle bin settings, user profiles, wireless connections, printer information, evidence of uninstalled software, application restrictions, autologon settings, and cached password settings
      • Identify individual application settings such as Internet Explorer (IE) main settings; IE use count; Internet Account Manager; URL history; IE5 history settings; MSN accounts; mount points and mapped drives; and FTP site settings


Some topics and items in this class syllabus are subject to change. This document is for information purposes only. Syntricate makes no warranties,
express or implied, in this document. AccessData, AccessData Certified Examiner, ACE, Distributed Network Attack, DNA, Forensic Toolkit, FTK,
LAB, Password Recovery Toolkit, PRTK, Registry Viewer, and Ultimate Toolkit are registered trademarks of the AccessData, Inc. in the United States
and/or other countries. Other trademarks referenced are property of their respective owners.
Module 1: Introduction
Topics:
    • Introductions
    • Class materials and software
    • Prerequisites
    • Class outline
    • Helpful Information
Lab:
    • Use the Windows registry, rather than Windows Explorer, to configure Explorer settings
    • Install the following AccessData software:
        o FTK Imager
        o Registry Viewer
        o PRTK

Module 2: Registry Utilities
Objectives:
    • Use Regedit or Regedit32 to view and edit Registry settings
    • List four ways to back up the Registry
    • Back up individual keys and values
    • List four ways to restore .reg files
    • Create a hive backup
    • Export Registry keys and values to a text file
    • Create a set of restore points
    • Modify subkey permissions
    • Export Registry files from FTK
    • Use FTK Imager to harvest live Registry files
    • Use Registry Viewer to search Registry values
    • Generate Registry reports in Registry Viewer
Lab:
    • Back up the registry using Windows utilities
    • Create a restore point
    • Use FTK Imager to obtain a clean copy of the workstation’s registry files
    • Use Regedit to back up, delete, and restore subkeys
    • Use Regedit to edit subkey permissions

Module 3: Registry 201
Objectives:
    • Define the Windows Registry structure and function
    • List Registry issues that can cause problems with individual applications and in booting the system
    • List the forensic benefits of the Registry
    • Identify the hives that make up the Registry and list the types of information associated with each hive
    • Identify where the user’s NTUSER.DAT file is located
    • Identify the standard Registry data types
    • Navigate the Registry in regedit32
    • Navigate the Registry in Registry Viewer
    • Define the Registry block structure
    • Identify the seven data structures in the hbin blocks that define the Registry keys, subkeys, and values
    • Track a subkey to its values
    • Recover deleted data in the Registry and Registry slack
Lab:
    • Compare registry structure in Registry Viewer and Regedit
    • Locate and view registry files in FTK Imager
    • Navigate through the regf and hbin blocks in the SAM file to locate key values
    • Use FTK Imager to search for a user in the registry via key name
    • Use FTK Imager to search for a value in the registry

Module 4: Preliminary Reports
Objectives:
    • Generate a preliminary case report (PCR)
    • List the Registry information that should be included in a PCR
    • Describe how data is added to standard reports
    • List the types of information that can be included in summary reports
    • List the benefits of summary reports
Lab:
    • Create a Standard Report in Registry Viewer
    • Create a Summary Report in Registry Viewer
    • Create a Summary Report in Registry Viewer using wildcards
    • Create a preliminary report in FTK

Module 5: NTUSER.DAT Artifacts
Objectives:
    • Use the following registry components to track patterns of user behavior:
        o NTUSER.DAT
        o Recently typed URLs in the browser
        o Recently viewed documents
        o Protected storage information that potentially contains Web login names, passwords, form data, and search queries
        o Internet Explorer information
        o Mount points and mapped drives
        o Microsoft Office artifacts
            o Office MRUs
            o Date and time of file access
            o Trusted locations
            o Resiliency and auto recover
            o Location in file last visited
        o UserAssist
        o Uninstalled software
        o Local search terms
        o $Recycle.Bin
        o BitLocker To Go
Lab:
    • Navigate the following subkeys in the NTUSER.DAT file:
        o Internet Explorer
        o Office 2007 MRUs
        o UserAssist
    • View TypedURLsTime anomalies
    • Use registry data to break a user’s logon password
    • Use mount point data and the NTUSER.DAT file to determine which user accessed a USB drive
    • Recover local search terms through Windows 8.1
    • Associate local searches with the IE webcache

Module 6: SAM Artifacts
Objectives:
    • Describe the function of the SAM file
    • Describe the Windows management of account permissions
    • Describe the components that make up the Security Identifier (SID)
    • Describe the components of the Relative Identifier (RID)
    • Identify Registry artifacts associated with users and groups
    • Associate users to groups
Lab:
    • Use the SAM file to translate SIDs
    • Recover user account information from the SAM file, including Windows 8 Live Accounts
    • Use the SAM file to break a user’s logon password
    • Use the SAM file to recover group information

Module 7: SYSTEM Registry File Part 1
Objectives:
    • Identify where the SYSTEM file is located in the Registry
    • Describe the function of the SYSTEM file
    • List what type of data is stored in the SYSTEM file
    • Identify the four subkeys that make up the SYSTEM control set
    • Use the SYSTEM file to recover the following information:
        o The correct time zone setting on a Windows XP or Vista machine
        o Whether a Vista system’s default setting that disables the last accessed date/time has not been turned back on
        o The computer name
        o The last shutdown time
        o Mounted devices for HDDs
        o Hardware information, including floppy disks, hard disk drives, mass storage devices, and printers
        o Services available to the system
        o How memory is configured, where the swap file is located, and Prefetch settings
    • Link a USB device to a specific computer
Lab:
    • Use the SYSTEM file to identify time zone information, computer name, and last shutdown time
    • Use the SYSTEM file, link files and log files to identify information on specific USB drives
    • Use the SYSTEM file to identify a system’s DHCP name server, DHCP IP address, and hostname

Module 8: SYSTEM Registry File Part 2
Objectives:
    • USB device tracking
    • USB drive identification through Windows
    • Mounted Devices Manager
    • Date and time drive last mounted
    • Date and time drive first mounted
    • Logged on user who inserted device
    • Windows Portable Devices key
    • Use of link files to identify devices
    • Identification of USB external drives
    • Behavior of cameras and other devices
    • Windows 2000 and XP USB connections
    • Determining the order of USB drive insertion
    • USB event logs
Lab:
    • Simulate real world tracking of devices
    • Track a device from Windows to all of the available dates and times and associations in Windows 2000, Windows XP, Vista, Windows 7 and Windows 8
    • Track device behavior of different devices such as cameras, iPads, iPhones, and other devices
    • View Windows event logs for associated devices in Windows Vista, Windows 7 and Windows 8

Module 9: SECURITY Artifacts
Objectives:
    • Identify where the SECURITY file is located
    • Describe the function of the SECURITY file
    • List what type of data is stored in the registry
    • Distinguish between permissions, policies, and rights
    • Identify what types of passwords can be recovered from the SECURITY file
    • Recover cached passwords
Lab:
    • Use the SECURITY file to identify information on a target system
    • Use PRTK to recover passwords stored in the SECURITY file

Module 10: SOFTWARE Artifacts
Objectives:
    • Identify where the SOFTWARE file is located in the Registry
    • Describe the function of the SOFTWARE file
    • List what type of data is stored in the SOFTWARE file
    • Describe the function of the Vista ReadyBoost feature and identify what information it stores in the SOFTWARE file
    • Use the SOFTWARE file to recover the following information:
        o Evidence of uninstalled software
        o Startup locations used to load applications or executable files during the boot process
        o The Class Identifiers (CLSIDs) for operating system objects such as applications and ActiveX controls
        o The Service Set Identifier (SSID) used to identify the user’s wireless connections
        o Winlogon and Autologon information
        o Recycle Bin properties
        o Printer information
    • Create a File Types report in Registry Viewer
    • List the two types of wireless artifacts found in Windows XP
    • Identify where wireless artifacts are found in Windows Vista
    • Determine which Metro Apps are installed
    • Track the launch of portable applications in Windows 8
Lab:
    • Use the SOFTWARE file to identify user information on a target system such as the last logged on user and the time the user shut down the system
    • Use the SOFTWARE file to identify uninstalled software, wireless connections, recycle bin settings, and printer information

Module 11: Other Registry Files
Objectives:
    • Use the UsrClass.dat file to recover information on launched executables
    • Use the Amcache.hve file from Windows 8 to find the following information on the target system:
        o Launched executables
        o Drive information from launched binaries
        o Identification information from launched binaries
        o Use of portable apps
        o Application compatibility settings made by the user
        o Launched applications in the event logs
    • Check individual settings.dat application registry files in Windows 8 for potential artifacts
Lab:
    • Track launched executables in the MuiCache (UsrClass.dat)
    • Follow application associations in the Windows 8 Amcache.hve registry file:
        o Document launched application details of drive and location
        o Drive associations with Mounted Devices
        o Hash tracking of launched executables
